Complete requirement 4 (ROLIE) (#391)
* Create dummy structure to uniquely identify each advisory

* Remove dummy values, remove unused variable for now

* Formatting

* Add Evaluation of whether a white Advisory is access protected and add it to the respective slice, implement functionality

* Initialize p.whiteAdvisories before using it, stop sorting if no Client was used

* Amend rules to include requirement 4, warning instead of error if white advisory is found protected, use badWhitePermissions.use()

* Formatting

* Fix typo: avaible -> available

* Improve check on whether building identifier failed

* Move extracting of tlp labels and related functions from processor to roliecheck

* Create Labelchecker and check access of white advisories regardless of whether ROLIE feeds exist. Only check Ranks if ROLIE feeds are used

* Formatting

* Do not use label checker as a pointer.

* Rename label checker

* Add XXX to questionable code.

* Simplify checking white advisories.

* Improve error message if no checks for accessibility of white advisories were done

* Extract TLP label directly without extractTLP function, consistent plural in error message

* Add comments and check type assertion in tlp label extraction.

* Move check for white advisories to label checker.

* Improve methods naming an comments.

* Address a few review questions.

* Move functionality of checkProtection fully into evaluateTLP

* Add comments and warn only if we are in a white feed or in a dirlisting.

---------

Co-authored-by: JanHoefelmeyer <Jan Höfelmeyer jhoefelmeyer@intevation.de>
Co-authored-by: JanHoefelmeyer <hoefelmeyer.jan@gmail.com>
Co-authored-by: Sascha L. Teichmann <sascha.teichmann@intevation.de>
4 people authored Jul 13, 2023
1 parent f05bcd3 commit de27a66
Showing 4 changed files with 183 additions and 118 deletions.
79 changes: 34 additions & 45 deletions cmd/csaf_checker/processor.go
Expand Up @@ -53,7 +53,7 @@ type processor struct {
pmd256 []byte
pmd any
keys *crypto.KeyRing
labelChecker *rolieLabelChecker
labelChecker labelChecker

invalidAdvisories topicMessages
badFilenames topicMessages
Expand Down Expand Up @@ -190,6 +190,10 @@ func newProcessor(opts *options) (*processor, error) {
expr: util.NewPathEval(),
ageAccept: ageAccept(opts),
validator: validator,
labelChecker: labelChecker{
advisories: map[csaf.TLPLabel]util.Set[string]{},
whiteAdvisories: map[identifier]bool{},
},
}, nil
}

Expand Down Expand Up @@ -241,7 +245,7 @@ func (p *processor) clean() {
p.badROLIECategory.reset()
p.badWhitePermissions.reset()
p.badAmberRedPermissions.reset()
p.labelChecker = nil
p.labelChecker.reset()
}

// run calls checkDomain function for each domain in the given "domains" parameter.
Expand Down Expand Up @@ -361,6 +365,7 @@ func (p *processor) domainChecks(domain string) []func(*processor, string) error
(*processor).checkMissing,
(*processor).checkInvalid,
(*processor).checkListing,
(*processor).checkWhitePermissions,
)

return checks
Expand Down Expand Up @@ -735,28 +740,7 @@ func (p *processor) integrity(
}
}

// Extract the tlp level of the entry
if tlpa, err := p.expr.Eval(
`$.document`, doc); err != nil {
p.badROLIEFeed.error(
"Extracting 'tlp level' from %s failed: %v", u, err)
} else {
tlpe := extractTLP(tlpa)
// If the client has no authorization it shouldn't be able
// to access TLP:AMBER or TLP:RED advisories
if !p.opts.protectedAccess() &&
(tlpe == csaf.TLPLabelAmber || tlpe == csaf.TLPLabelRed) {

p.badAmberRedPermissions.use()
p.badAmberRedPermissions.error(
"Advisory %s of TLP level %v is not access protected.",
u, tlpe)
}
// check if current feed has correct or all of their tlp levels entries.
if p.labelChecker != nil {
p.labelChecker.check(p, tlpe, u)
}
}
p.labelChecker.check(p, doc, u)

// Check if file is in the right folder.
p.badFolders.use()
Expand Down Expand Up @@ -870,25 +854,6 @@ func (p *processor) integrity(
return nil
}

// extractTLP tries to extract a valid TLP label from an advisory
// Returns "UNLABELED" if it does not exist, the label otherwise
func extractTLP(tlpa any) csaf.TLPLabel {
if document, ok := tlpa.(map[string]any); ok {
if distri, ok := document["distribution"]; ok {
if distribution, ok := distri.(map[string]any); ok {
if tlp, ok := distribution["tlp"]; ok {
if label, ok := tlp.(map[string]any); ok {
if labelstring, ok := label["label"].(string); ok {
return csaf.TLPLabel(labelstring)
}
}
}
}
}
}
return csaf.TLPLabelUnlabeled
}

// checkIndex fetches the "index.txt" and calls "checkTLS" method for HTTPS checks.
// It extracts the file names from the file and passes them to "integrity" function.
// It returns error if fetching/reading the file(s) fails, otherwise nil.
Expand Down Expand Up @@ -946,7 +911,7 @@ func (p *processor) checkIndex(base string, mask whereType) error {
}

// Block rolie checks.
p.labelChecker = nil
p.labelChecker.feedLabel = ""

return p.integrity(files, base, mask, p.badIndices.add)
}
Expand Down Expand Up @@ -1041,7 +1006,7 @@ func (p *processor) checkChanges(base string, mask whereType) error {
}

// Block rolie checks.
p.labelChecker = nil
p.labelChecker.feedLabel = ""

return p.integrity(files, base, mask, p.badChanges.add)
}
Expand Down Expand Up @@ -1215,6 +1180,30 @@ func (p *processor) checkListing(string) error {
return nil
}

// checkWhitePermissions checks if the TLP:WHITE advisories are
// available with unprotected access.
func (p *processor) checkWhitePermissions(string) error {

var ids []string
for id, open := range p.labelChecker.whiteAdvisories {
if !open {
ids = append(ids, id.String())
}
}

if len(ids) == 0 {
return nil
}

sort.Strings(ids)

p.badWhitePermissions.error(
"TLP:WHITE advisories with ids %s are only available access-protected.",
strings.Join(ids, ", "))

return nil
}

// checkProviderMetadata checks provider-metadata.json. If it exists,
// decodes, and validates against the JSON schema.
// According to the result, the respective error messages added to
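Review bot: checkWhitePermissions reports with `p.badWhitePermissions.error(...)` but never calls `p.badWhitePermissions.use()`, while the removed amber/red branch in integrity marked its topic used before reporting; if error() does not mark the topic itself, the `!p.badWhitePermissions.used()` branch of tlpWhiteReporter in reporters.go will still emit the "no access-protected advisories found" info text even when findings were recorded. Calling `p.badWhitePermissions.use()` before the `len(ids) == 0` early return would also let the reporter tell "checked, all open" from "nothing checked" — unless that call now lives in labelChecker, which is outside this view. The two `// Block rolie checks.` comments kept above `p.labelChecker.feedLabel = ""` in checkIndex and checkChanges no longer describe what happens, since the label checker is now always present and the white-advisory check is meant to run outside ROLIE feeds as well; `// Outside a ROLIE feed: clear the feed label so only feed-independent label checks run.` would match the new behaviour.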
2 changes: 1 addition & 1 deletion cmd/csaf_checker/reporters.go
Expand Up @@ -157,7 +157,7 @@ func (r *tlsReporter) report(p *processor, domain *Domain) {
func (r *tlpWhiteReporter) report(p *processor, domain *Domain) {
req := r.requirement(domain)
if !p.badWhitePermissions.used() {
req.message(InfoType, "No advisories labeled TLP:WHITE tested for accessibility.")
req.message(InfoType, "No access-protected advisories labeled TLP:WHITE found.")
return
}
if len(p.badWhitePermissions) == 0 {
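Review bot: The new info text under `!p.badWhitePermissions.used()` asserts a result ("No access-protected advisories ... found") for a branch that, judging by the old wording and by the separate `len(p.badWhitePermissions) == 0` check right after it, is reached when the topic was never exercised rather than when it was checked and came out clean. If used() is only set when a finding is recorded, the following `len == 0` branch becomes unreachable and the two should be merged; if it is set whenever a TLP:WHITE advisory was examined, the message should keep saying that nothing was tested, e.g. `req.message(InfoType, "No advisories labeled TLP:WHITE were tested for accessibility.")`. The enclosing report method continues past the hunk.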