add setup options to provider docs

* Add a first description of the config options for csaf_provider. * Change option name from `domain` to `canonical_prefix_url` to make the usage more intuitively. Use`https` in the default, if unset. resolve #32 Co-authored-by: Bernhard E. Reiter <[email protected]> Co-authored-by: tschmidtb51 <[email protected]>
gocsaf · Mar 23, 2022 · 5e1f209 · 5e1f209
1 parent 4fae2ec
commit 5e1f209
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 14 deletions.
diff --git a/cmd/csaf_provider/actions.go b/cmd/csaf_provider/actions.go
@@ -219,7 +219,8 @@ func (c *controller) upload(r *http.Request) (interface{}, error) {
 			}
 
 			feedURL := csaf.JSONURL(
-				c.cfg.Domain + "/.well-known/csaf/" + ts + "/" + feedName)
+				c.cfg.CanonicalURLPrefix +
+					"/.well-known/csaf/" + ts + "/" + feedName)
 
 			tlpLabel := csaf.TLPLabel(strings.ToUpper(ts))
 
@@ -241,7 +242,7 @@ func (c *controller) upload(r *http.Request) (interface{}, error) {
 
 			year := strconv.Itoa(ex.InitialReleaseDate.Year())
 
-			csafURL := c.cfg.Domain +
+			csafURL := c.cfg.CanonicalURLPrefix +
 				"/.well-known/csaf/" + ts + "/" + year + "/" + newCSAF
 
 			e := rolie.EntryByID(ex.ID)

diff --git a/cmd/csaf_provider/config.go b/cmd/csaf_provider/config.go
@@ -39,7 +39,7 @@ type config struct {
 	TLPs                    []tlp           `toml:"tlps"`
 	UploadSignature         bool            `toml:"upload_signature"`
 	OpenPGPURL              string          `toml:"openpgp_url"`
-	Domain                  string          `toml:"domain"`
+	CanonicalURLPrefix      string          `toml:"canonical_url_prefix"`
 	NoPassphrase            bool            `toml:"no_passphrase"`
 	NoValidation            bool            `toml:"no_validation"`
 	NoWebUI                 bool            `toml:"no_web_ui"`
@@ -148,8 +148,8 @@ func loadConfig() (*config, error) {
 		cfg.Web = defaultWeb
 	}
 
-	if cfg.Domain == "" {
-		cfg.Domain = "http://" + os.Getenv("SERVER_NAME")
+	if cfg.CanonicalURLPrefix == "" {
+		cfg.CanonicalURLPrefix = "https://" + os.Getenv("SERVER_NAME")
 	}
 
 	if cfg.TLPs == nil {

diff --git a/cmd/csaf_provider/create.go b/cmd/csaf_provider/create.go
@@ -95,7 +95,7 @@ func createSecurity(c *config, wellknown string) error {
 			}
 			fmt.Fprintf(
 				f, "CSAF: %s/.well-known/csaf/provider-metadata.json\n",
-				c.Domain)
+				c.CanonicalURLPrefix)
 			return f.Close()
 		}
 		return err
@@ -113,7 +113,7 @@ func createProviderMetadata(c *config, wellknownCSAF string) error {
 	if !os.IsNotExist(err) {
 		return err
 	}
-	pm := csaf.NewProviderMetadataDomain(c.Domain, c.modelTLPs())
+	pm := csaf.NewProviderMetadataDomain(c.CanonicalURLPrefix, c.modelTLPs())
 	pm.Publisher = c.Publisher
 
 	// Set OpenPGP key.

diff --git a/cmd/csaf_provider/transaction.go b/cmd/csaf_provider/transaction.go
@@ -30,7 +30,7 @@ func doTransaction(
 		f, err := os.Open(metadata)
 		if err != nil {
 			if os.IsNotExist(err) {
-				return csaf.NewProviderMetadataDomain(cfg.Domain, cfg.modelTLPs()), nil
+				return csaf.NewProviderMetadataDomain(cfg.CanonicalURLPrefix, cfg.modelTLPs()), nil
 			}
 			return nil, err
 		}

diff --git a/docs/provider-setup.md b/docs/provider-setup.md
@@ -7,19 +7,22 @@ The following instructions are for an Debian 11 server setup.
 ```(shell)
 apt-get install nginx fcgiwrap
 cp /usr/share/doc/fcgiwrap/examples/nginx.conf /etc/nginx/fcgiwrap.conf
+```
+Check if the CGI server and the fcgiwrap Socket active (running):
+```bash
 systemctl status fcgiwrap.service
 systemctl status fcgiwrap.socket
 systemctl is-enabled fcgiwrap.service
 systemctl is-enabled fcgiwrap.socket
 ```
-
+Change the group ownership and the permissions of `/var/www`:
 ```(shell)
 cd /var/www
 chgrp -R www-data .
 chmod -R g+w .
 ```
 
-Content of `/etc/nginx/fcgiwrap.conf`
+Modify the content of `/etc/nginx/fcgiwrap.conf` like following:
 
 ```
 # Include this file on your nginx.conf to support debian cgi-bin scripts using
@@ -53,7 +56,8 @@ Add to `/etc/nginx/sites-enabled/default`:
 
 ```
 server {
-
+      # Other config
+      # ...
     location / {
         # Other config
         # ...
@@ -72,8 +76,10 @@ server {
 ```
 Reload nginx to apply the changes (e.g. ```systemctl reload nginx``` on Debian or Ubuntu).
 
-Place the binary under `/usr/lib/cgi-bin/csaf_provider.go`.
-Make sure `/usr/lib/cgi-bin/` exists.
+Create `cgi-bin` folder if not exists `mkdir -p /usr/lib/cgi-bin/`.
+
+Rename and place the `csaf_provider` binary file under `/usr/lib/cgi-bin/csaf_provider.go`.
+
 
 Create configuarion file under `/usr/lib/csaf/config.toml`:
 
@@ -82,15 +88,41 @@ Create configuarion file under `/usr/lib/csaf/config.toml`:
 # key = "/usr/lib/csaf/public.asc"
 key = "/usr/lib/csaf/private.asc"
 #tlps = ["green", "red"]
-domain = "http://192.168.56.102"
+canonical_url_prefix = "http://192.168.56.102"
 #no_passphrase = true
 ```
 with suitable replacements
 (This configurations-example assumes that the private/public keys are available under `/usr/lib/csaf/`).
 
 
+with suitable [replacements](#provider-options).
 
 Create the folders:
 ```(shell)
 curl http://192.168.56.102/cgi-bin/csaf_provider.go/create
 ```
+Or using the uploader:
+```(shell)
+./csaf_uploader -a create -u http://192.168.56.102/cgi-bin/csaf_provider.go
+```
+
+## Provider options
+Provider has many config options described as following:
+
+ - password: Authentication password for accessing the CSAF provider.
+ - key: The private OpenPGP key.
+ - folder: Specify the root folder. Default: `/var/www/`.
+ - web: Specify the web folder. Default: `/var/www/html`.
+ - tlps: Set the allowed TLP comming with the upload request (one or more of "csaf", "white", "amber", "green", "red").             
+   The "csaf" selection lets the provider takes the value from the CSAF document.         
+   These affects the list items in the web interface.      
+   Default: `["csaf", "white", "amber", "green", "red"]`.
+ - upload_signature: Send signature with the request, an additional input-field in the web interface will be shown to let user enter an ascii armored signature. Default: `false`.
+ - openpgp_url: URL to OpenPGP key-server. Default: `https://openpgp.circl.lu`.
+ - canonical_url_prefix: start of the URL where contents shall be accessible from the internet. Default: `https://$SERVER_NAME`.
+ - no_passphrase: Let user send password with the request, if set to true the input-field in the web interface will be disappeared. Default: `false`.
+ - no_validation: Validate the uploaded CSAF document against the JSON schema. Default: `false`.
+ - no_web_ui: Disable the web interface. Default: `false`.
+ - dynamic_provider_metadata: Take the publisher from the CSAF document. Default: `false`.
+ - publisher: Set the publisher. Default: `{"category"= "vendor", "name"= "Example", "namespace"= "https://example.com"}`.
+ - upload_limit: Set the upload limit  size of the file. Default: `50 MiB`.