From 47e55a33bcf60e88e0c8ac4250bb524efc31e211 Mon Sep 17 00:00:00 2001 From: "Sascha L. Teichmann" Date: Wed, 2 Aug 2023 22:44:44 +0200 Subject: [PATCH 1/3] Add support for client certificates and extra headers to aggregator --- cmd/csaf_aggregator/config.go | 120 +++++++++++++++++++++++++++------- 1 file changed, 96 insertions(+), 24 deletions(-) diff --git a/cmd/csaf_aggregator/config.go b/cmd/csaf_aggregator/config.go index b4205a4c..8e79021c 100644 --- a/cmd/csaf_aggregator/config.go +++ b/cmd/csaf_aggregator/config.go @@ -20,6 +20,7 @@ import ( "github.com/ProtonMail/gopenpgp/v2/crypto" "github.com/csaf-poc/csaf_distribution/v2/csaf" + "github.com/csaf-poc/csaf_distribution/v2/internal/certs" "github.com/csaf-poc/csaf_distribution/v2/internal/filter" "github.com/csaf-poc/csaf_distribution/v2/internal/options" "github.com/csaf-poc/csaf_distribution/v2/util" @@ -52,6 +53,15 @@ type provider struct { // IgnorePattern is a list of patterns of advisory URLs to be ignored. IgnorePattern []string `toml:"ignorepattern"` + + // ExtraHeader adds extra HTTP header fields to client + ExtraHeader http.Header `toml:"header"` + + ClientCert *string `toml:"client_cert"` + ClientKey *string `toml:"client_key"` + ClientPassphrase *string `toml:"client_passphrase"` + + clientCerts []tls.Certificate ignorePattern filter.PatternMatcher } @@ -74,6 +84,10 @@ type config struct { Passphrase *string `toml:"passphrase"` AllowSingleProvider bool `toml:"allow_single_provider"` + ClientCert *string `toml:"client_cert"` + ClientKey *string `toml:"client_key"` + ClientPassphrase *string `toml:"client_passphrase"` + // LockFile tries to lock to a given file. LockFile *string `toml:"lock_file"` @@ -97,13 +111,18 @@ type config struct { // IgnorePattern is a list of patterns of advisory URLs to be ignored. IgnorePattern []string `toml:"ignorepattern"` - ignorePattern filter.PatternMatcher + + // ExtraHeader adds extra HTTP header fields to client + ExtraHeader http.Header `toml:"header"` Config string `short:"c" long:"config" description:"Path to config TOML file" value-name:"TOML-FILE" toml:"-"` keyMu sync.Mutex key *crypto.Key keyErr error + + clientCerts []tls.Certificate + ignorePattern filter.PatternMatcher } // configPaths are the potential file locations of the config file. @@ -217,20 +236,44 @@ func (c *config) privateOpenPGPKey() (*crypto.Key, error) { func (c *config) httpClient(p *provider) util.Client { hClient := http.Client{} + + var tlsConfig tls.Config if p.Insecure != nil && *p.Insecure || c.Insecure != nil && *c.Insecure { - hClient.Transport = &http.Transport{ - TLSClientConfig: &tls.Config{ - InsecureSkipVerify: true, - }, - } + tlsConfig.InsecureSkipVerify = true } - var client util.Client + // Use client certs if needed. + switch { + // Provider has precedence over global. + case len(p.clientCerts) != 0: + tlsConfig.Certificates = p.clientCerts + case len(c.clientCerts) != 0: + tlsConfig.Certificates = c.clientCerts + } + + hClient.Transport = &http.Transport{ + TLSClientConfig: &tlsConfig, + } + + client := util.Client(&hClient) + + // Add extra headers. + switch { + // Provider has precedence over global. + case len(p.ExtraHeader) > 0: + client = &util.HeaderClient{ + Client: client, + Header: p.ExtraHeader, + } + case len(c.ExtraHeader) > 0: + client = &util.HeaderClient{ + Client: client, + Header: c.ExtraHeader, + } + } if c.Verbose { - client = &util.LoggingClient{Client: &hClient} - } else { - client = &hClient + client = &util.LoggingClient{Client: client} } if p.Rate == nil && c.Rate == nil { @@ -325,7 +368,7 @@ func (c *config) setDefaults() { func (p *provider) compileIgnorePatterns() error { pm, err := filter.NewPatternMatcher(p.IgnorePattern) if err != nil { - return err + return fmt.Errorf("invalid ignore patterns for %q: %w", p.Name, err) } p.ignorePattern = pm return nil @@ -342,30 +385,59 @@ func (c *config) compileIgnorePatterns() error { // Compile the patterns of the providers. for _, p := range c.Providers { if err := p.compileIgnorePatterns(); err != nil { - return fmt.Errorf("invalid ignore patterns for %q: %w", p.Name, err) + return err } } return nil } -// prepare prepares internal state of a loaded configuration. -func (c *config) prepare() error { - - if len(c.Providers) == 0 { - return errors.New("no providers given in configuration") +// prepareCertificates loads the provider specific client side certificates +// used by the HTTP client. +func (p *provider) prepareCertificates() error { + cert, err := certs.LoadCertificate( + p.ClientCert, p.ClientKey, p.ClientPassphrase) + if err != nil { + return fmt.Errorf("invalid certificates for %q: %w", p.Name, err) } + p.clientCerts = cert + return nil +} - if err := c.compileIgnorePatterns(); err != nil { +// prepareCertificates loads the client side certificates used by the HTTP client. +func (c *config) prepareCertificates() error { + // Global certificates + cert, err := certs.LoadCertificate( + c.ClientCert, c.ClientKey, c.ClientPassphrase) + if err != nil { return err } - - if err := c.Aggregator.Validate(); err != nil { - return err + c.clientCerts = cert + // Provider certificates + for _, p := range c.Providers { + if err := p.prepareCertificates(); err != nil { + return err + } } + return nil +} - if err := c.checkProviders(); err != nil { - return err +// prepare prepares internal state of a loaded configuration. +func (c *config) prepare() error { + + if len(c.Providers) == 0 { + return errors.New("no providers given in configuration") } - return c.checkMirror() + for _, prepare := range []func() error{ + c.prepareCertificates, + c.compileIgnorePatterns, + c.Aggregator.Validate, + c.checkProviders, + c.checkMirror, + } { + if err := prepare(); err != nil { + return err + } + } + return nil } From b0b3852e996ab08d5ec1b3501972aa61c9a665ab Mon Sep 17 00:00:00 2001 From: JanHoefelmeyer Date: Thu, 3 Aug 2023 10:04:51 +0200 Subject: [PATCH 2/3] Add documentation for client_cert, client_key and client_passphrase for csaf_aggregator --- docs/csaf_aggregator.md | 9 +++++++++ docs/examples/aggregator.toml | 3 +++ 2 files changed, 12 insertions(+) diff --git a/docs/csaf_aggregator.md b/docs/csaf_aggregator.md index 2a9e4829..43cdc465 100644 --- a/docs/csaf_aggregator.md +++ b/docs/csaf_aggregator.md @@ -95,6 +95,9 @@ interim_years // limiting the years for which interim documents are se verbose // print more diagnostic output, e.g. https requests (default false) allow_single_provider // debugging option (default false) ignorepattern // patterns of advisory URLs to be ignored +client_cert // path to client certificate to access access-protected advisories +client_key // path to client key to access access-protected advisories +client_passphrase // client passphrase to access access-protected advisories ``` Next we have two TOML _tables_: @@ -125,6 +128,9 @@ update_interval create_service_document categories ignorepattern +client_cert +client_key +client_passphrase ``` Where valid `name` and `domain` settings are required. @@ -196,6 +202,9 @@ insecure = true # rate = 1.2 # insecure = true write_indices = true + client_cert = "./../devca1/testclient1.crt" + client_key = "./../devca1/testclient1-key.pem" +# client_passphrase = [[providers]] name = "local-dev-provider3" diff --git a/docs/examples/aggregator.toml b/docs/examples/aggregator.toml index 80f9b8a9..25d236e0 100644 --- a/docs/examples/aggregator.toml +++ b/docs/examples/aggregator.toml @@ -38,6 +38,9 @@ insecure = true # rate = 1.2 # insecure = true write_indices = true + client_cert = "./../devca1/testclient1.crt" + client_key = "./../devca1/testclient1-key.pem" +# client_passphrase = [[providers]] name = "local-dev-provider3" From 38dfabde1a8f9952981f33c5e6d8cdc681bb794c Mon Sep 17 00:00:00 2001 From: JanHoefelmeyer Date: Thu, 3 Aug 2023 11:20:17 +0200 Subject: [PATCH 3/3] Add documentation for extra headers for csaf_aggregator --- docs/csaf_aggregator.md | 3 +++ docs/examples/aggregator.toml | 1 + 2 files changed, 4 insertions(+) diff --git a/docs/csaf_aggregator.md b/docs/csaf_aggregator.md index 43cdc465..c94dd90f 100644 --- a/docs/csaf_aggregator.md +++ b/docs/csaf_aggregator.md @@ -98,6 +98,7 @@ ignorepattern // patterns of advisory URLs to be ignored client_cert // path to client certificate to access access-protected advisories client_key // path to client key to access access-protected advisories client_passphrase // client passphrase to access access-protected advisories +header // adds extra HTTP header fields to the client ``` Next we have two TOML _tables_: @@ -131,6 +132,7 @@ ignorepattern client_cert client_key client_passphrase +header ``` Where valid `name` and `domain` settings are required. @@ -205,6 +207,7 @@ insecure = true client_cert = "./../devca1/testclient1.crt" client_key = "./../devca1/testclient1-key.pem" # client_passphrase = +# header = [[providers]] name = "local-dev-provider3" diff --git a/docs/examples/aggregator.toml b/docs/examples/aggregator.toml index 25d236e0..4abbba3a 100644 --- a/docs/examples/aggregator.toml +++ b/docs/examples/aggregator.toml @@ -41,6 +41,7 @@ insecure = true client_cert = "./../devca1/testclient1.crt" client_key = "./../devca1/testclient1-key.pem" # client_passphrase = +# header = [[providers]] name = "local-dev-provider3"