From 5e1f2092e8419ce8ea64d49bf504225f8aa3ef10 Mon Sep 17 00:00:00 2001
From: Fadi Abbud <39081670+Fadiabb@users.noreply.github.com>
Date: Wed, 23 Mar 2022 19:48:05 +0100
Subject: [PATCH] add setup options to provider docs
* Add a first description of the config options for csaf_provider.
* Change option name from `domain` to `canonical_prefix_url` to make the usage more intuitively. Use`https` in the default, if unset.
resolve #32
Co-authored-by: Bernhard E. Reiter
Co-authored-by: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
---
 cmd/csaf_provider/actions.go | 5 ++--
 cmd/csaf_provider/config.go | 6 ++---
 cmd/csaf_provider/create.go | 4 +--
 cmd/csaf_provider/transaction.go | 2 +-
 docs/provider-setup.md | 44 +++++++++++++++++++++++++++-----
 5 files changed, 47 insertions(+), 14 deletions(-)
diff --git a/cmd/csaf_provider/actions.go b/cmd/csaf_provider/actions.go
index 41a91b9e..60c1ee5e 100644
--- a/cmd/csaf_provider/actions.go
+++ b/cmd/csaf_provider/actions.go
@@ -219,7 +219,8 @@ func (c *controller) upload(r *http.Request) (interface{}, error) {
 }
 feedURL := csaf.JSONURL(
- c.cfg.Domain + "/.well-known/csaf/" + ts + "/" + feedName)
+ c.cfg.CanonicalURLPrefix +
+ "/.well-known/csaf/" + ts + "/" + feedName)
 tlpLabel := csaf.TLPLabel(strings.ToUpper(ts))
@@ -241,7 +242,7 @@ func (c *controller) upload(r *http.Request) (interface{}, error) {
 year := strconv.Itoa(ex.InitialReleaseDate.Year())
- csafURL := c.cfg.Domain +
+ csafURL := c.cfg.CanonicalURLPrefix +
 "/.well-known/csaf/" + ts + "/" + year + "/" + newCSAF
 e := rolie.EntryByID(ex.ID)
diff --git a/cmd/csaf_provider/config.go b/cmd/csaf_provider/config.go
index a01bf3b8..29af9493 100644
--- a/cmd/csaf_provider/config.go
+++ b/cmd/csaf_provider/config.go
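Review bot: feedURL is built by bare concatenation of c.cfg.CanonicalURLPrefix and "/.well-known/csaf/", so a prefix configured with a trailing slash (constructed example: `https://example.org/`) is published as `https://example.org//.well-known/csaf/...` in the feed; the same pattern is repeated for csafURL in the next hunk and in the create.go and transaction.go hunks of this patch. Rather than guarding each site, trim the value once where it is loaded, `cfg.CanonicalURLPrefix = strings.TrimSuffix(cfg.CanonicalURLPrefix, "/")` in loadConfig, or route all four sites through one helper on config that appends "/.well-known/csaf/". The enclosing upload method begins and ends outside the hunk.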
@@ -39,7 +39,7 @@ type config struct {
 TLPs []tlp `toml:"tlps"`
 UploadSignature bool `toml:"upload_signature"`
 OpenPGPURL string `toml:"openpgp_url"`
- Domain string `toml:"domain"`
+ CanonicalURLPrefix string `toml:"canonical_url_prefix"`
 NoPassphrase bool `toml:"no_passphrase"`
 NoValidation bool `toml:"no_validation"`
 NoWebUI bool `toml:"no_web_ui"`
@@ -148,8 +148,8 @@ func loadConfig() (*config, error) {
 cfg.Web = defaultWeb
 }
- if cfg.Domain == "" {
- cfg.Domain = "http://" + os.Getenv("SERVER_NAME")
+ if cfg.CanonicalURLPrefix == "" {
+ cfg.CanonicalURLPrefix = "https://" + os.Getenv("SERVER_NAME")
 }
 if cfg.TLPs == nil {
diff --git a/cmd/csaf_provider/create.go b/cmd/csaf_provider/create.go
index b4bf281e..2ea751f6 100644
--- a/cmd/csaf_provider/create.go
+++ b/cmd/csaf_provider/create.go
@@ -95,7 +95,7 @@ func createSecurity(c *config, wellknown string) error {
 }
 fmt.Fprintf(
 f, "CSAF: %s/.well-known/csaf/provider-metadata.json\n",
- c.Domain)
+ c.CanonicalURLPrefix)
 return f.Close()
 }
 return err
@@ -113,7 +113,7 @@ func createProviderMetadata(c *config, wellknownCSAF string) error {
 if !os.IsNotExist(err) {
 return err
 }
- pm := csaf.NewProviderMetadataDomain(c.Domain, c.modelTLPs())
+ pm := csaf.NewProviderMetadataDomain(c.CanonicalURLPrefix, c.modelTLPs())
 pm.Publisher = c.Publisher
 // Set OpenPGP key.
diff --git a/cmd/csaf_provider/transaction.go b/cmd/csaf_provider/transaction.go
index 60996842..f395c198 100644
--- a/cmd/csaf_provider/transaction.go
+++ b/cmd/csaf_provider/transaction.go
@@ -30,7 +30,7 @@ func doTransaction(
 f, err := os.Open(metadata)
 if err != nil {
 if os.IsNotExist(err) {
- return csaf.NewProviderMetadataDomain(cfg.Domain, cfg.modelTLPs()), nil
+ return csaf.NewProviderMetadataDomain(cfg.CanonicalURLPrefix, cfg.modelTLPs()), nil
 }
 return nil, err
 }
diff --git a/docs/provider-setup.md b/docs/provider-setup.md
index 13d72baf..f054ba1e 100644
--- a/docs/provider-setup.md
+++ b/docs/provider-setup.md
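Review bot: The new CanonicalURLPrefix field carries no doc comment, and the commit message names the option `canonical_prefix_url` while the tag reads `canonical_url_prefix`, so the struct is currently the only place that pins the spelling. A comment such as `// CanonicalURLPrefix is the scheme and host under which /.well-known/csaf/ is published (TOML key canonical_url_prefix, no trailing slash); unset, it defaults to "https://" plus $SERVER_NAME.` documents the contract the other hunks rely on. The config struct continues outside the hunk.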
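Review bot: The default `"https://" + os.Getenv("SERVER_NAME")` silently degrades to the bare string `https://` when SERVER_NAME is unset, which presumably happens whenever the binary is run outside a CGI request, and an explicitly configured value is never checked to be an absolute http(s) URL; either way every URL derived from it (the CSAF: line in createSecurity, NewProviderMetadataDomain, feedURL and csafURL in actions.go) is malformed and the error only surfaces in the published files. loadConfig already returns an error, so it is the natural place to reject a prefix without scheme or host and to strip a trailing slash; the rewritten lines below do that and need net/url, strings and fmt in config.go's import block if they are not already present. The rest of loadConfig lies outside the hunk.
```go
	if cfg.CanonicalURLPrefix == "" {
		cfg.CanonicalURLPrefix = "https://" + os.Getenv("SERVER_NAME")
	}
	// An empty SERVER_NAME leaves only "https://" behind; refuse any prefix
	// that cannot produce valid absolute URLs instead of publishing it.
	cfg.CanonicalURLPrefix = strings.TrimSuffix(cfg.CanonicalURLPrefix, "/")
	u, err := url.Parse(cfg.CanonicalURLPrefix)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return nil, fmt.Errorf("invalid canonical_url_prefix %q", cfg.CanonicalURLPrefix)
	}
	// … unchanged: TLPs default …
```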
@@ -7,19 +7,22 @@ The following instructions are for an Debian 11 server setup.
 ```(shell)
 apt-get install nginx fcgiwrap
 cp /usr/share/doc/fcgiwrap/examples/nginx.conf /etc/nginx/fcgiwrap.conf
+```
+Check if the CGI server and the fcgiwrap Socket active (running):
+```bash
 systemctl status fcgiwrap.service
 systemctl status fcgiwrap.socket
 systemctl is-enabled fcgiwrap.service
 systemctl is-enabled fcgiwrap.socket
 ```
-
+Change the group ownership and the permissions of `/var/www`:
 ```(shell)
 cd /var/www
 chgrp -R www-data .
 chmod -R g+w .
 ```
-Content of `/etc/nginx/fcgiwrap.conf`
+Modify the content of `/etc/nginx/fcgiwrap.conf` like following:
 ```
 # Include this file on your nginx.conf to support debian cgi-bin scripts using
@@ -53,7 +56,8 @@ Add to `/etc/nginx/sites-enabled/default`:
 ```
 server {
-
+ # Other config
+ # ...
 location / {
 # Other config
 # ...
@@ -72,8 +76,10 @@ server {
 ```
 Reload nginx to apply the changes (e.g. ```systemctl reload nginx``` on Debian or Ubuntu).
-Place the binary under `/usr/lib/cgi-bin/csaf_provider.go`.
-Make sure `/usr/lib/cgi-bin/` exists.
+Create `cgi-bin` folder if not exists `mkdir -p /usr/lib/cgi-bin/`.
+
+Rename and place the `csaf_provider` binary file under `/usr/lib/cgi-bin/csaf_provider.go`.
+
 Create configuarion file under `/usr/lib/csaf/config.toml`:
@@ -82,15 +88,41 @@ Create configuarion file under `/usr/lib/csaf/config.toml`:
 # key = "/usr/lib/csaf/public.asc"
 key = "/usr/lib/csaf/private.asc"
 #tlps = ["green", "red"]
-domain = "http://192.168.56.102"
+canonical_url_prefix = "http://192.168.56.102"
 #no_passphrase = true
 ```
 with suitable replacements (This configurations-example assumes that the private/public keys are available under `/usr/lib/csaf/`).
+with suitable [replacements](#provider-options).
 Create the folders:
 ```(shell)
 curl http://192.168.56.102/cgi-bin/csaf_provider.go/create
 ```
+Or using the uploader:
+```(shell)
+./csaf_uploader -a create -u http://192.168.56.102/cgi-bin/csaf_provider.go
+```
+
+## Provider options
+Provider has many config options described as following:
+
+ - password: Authentication password for accessing the CSAF provider.
+ - key: The private OpenPGP key.
+ - folder: Specify the root folder. Default: `/var/www/`.
+ - web: Specify the web folder. Default: `/var/www/html`.
+ - tlps: Set the allowed TLP comming with the upload request (one or more of "csaf", "white", "amber", "green", "red").
+ The "csaf" selection lets the provider takes the value from the CSAF document.
+ These affects the list items in the web interface.
+ Default: `["csaf", "white", "amber", "green", "red"]`.
+ - upload_signature: Send signature with the request, an additional input-field in the web interface will be shown to let user enter an ascii armored signature. Default: `false`.
+ - openpgp_url: URL to OpenPGP key-server. Default: `https://openpgp.circl.lu`.
+ - canonical_url_prefix: start of the URL where contents shall be accessible from the internet. Default: `https://$SERVER_NAME`.
+ - no_passphrase: Let user send password with the request, if set to true the input-field in the web interface will be disappeared. Default: `false`.
+ - no_validation: Validate the uploaded CSAF document against the JSON schema. Default: `false`.
+ - no_web_ui: Disable the web interface. Default: `false`.
+ - dynamic_provider_metadata: Take the publisher from the CSAF document. Default: `false`.
+ - publisher: Set the publisher. Default: `{"category"= "vendor", "name"= "Example", "namespace"= "https://example.com"}`.
+ - upload_limit: Set the upload limit size of the file. Default: `50 MiB`.