fluent-plugin-ssl-check 2.1.0 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bd66e101f055ca5f4cf4d6ab29d548cb73df7783c9429171f03a397aaddd856f
-  data.tar.gz: 69fd54b23c4a88fa90565cf6bcb8d73990e96e0f42f869fd3fabf1ca16fa5f72
+  metadata.gz: ab7b3def2e942f92cf1b8a1fa46f4c7bafe50fbee692334736e19574849e9911
+  data.tar.gz: 5083966b749ba1407cdce60b33f8952dce4b300c5bd7e33496e1b1e02ae0814a
 SHA512:
-  metadata.gz: 04500e488c04750d2f480037aa80feb16baf8d7a23b9b01f1921bbe201510b3b35a5694703da018a43705786af6d95ce67d7ee40fc0e661cd1df42823b640e4f
-  data.tar.gz: 13da4ca2dd02dd8c9a983570097cfa30b12b0f7e9dd0f573762d440c366fe0e0afc9b67deebf8c735dc87eaf52d8b1915dc3728b3179aa4d3686c5cc9a64c652
+  metadata.gz: fe0d1bd834d8831a510df5754cb488d2e543fbca465bf3b344312b92f236278fbd75cf972efee0d0ffc45838f4550d09f81dba34fbcbf0445810a831b6fda365
+  data.tar.gz: 8cef76bf6831eae2d1053a99699fc07f31077939bd3bc5ab28a402be4d709f9f4eec53ec9c14e954a01cefd5866a399e4d2ceeb373bd0e94d205023bf0375b3a

data/.rubocop.yml

@@ -26,9 +26,6 @@ Metrics/ClassLength:
 Metrics/MethodLength:
   Max: 20
 
-Metrics/ParameterLists:
-  Max: 6
-
 # Naming/MethodParameterName:
 #   Exclude:
 #     - lib/fluent/plugin/in_ssl_check.rb

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    fluent-plugin-ssl-check (2.1.0)
+    fluent-plugin-ssl-check (2.3.0)
       fluentd (>= 0.14.10, < 2)
 
 GEM

data/README.md

@@ -2,6 +2,7 @@
 
 [Fluentd](https://fluentd.org/) input plugin to check ssl service.
 
+
 ## plugins
 
 ### in - ssl_check
@@ -30,6 +31,10 @@ Options are:
 * interval: check every X seconds
 * ca_path: directory that contains CA files
 * ca_file: specify a CA file directly
+* sni: want the sni support (true)
+* verify_mode: none or peer
+* cert: client cert for ssl connection
+* key: client key associated to client cert for ssl connection
 * timeout: timeout for ssl check execution (5sec)
 * log_events: emit log format (true)
 * metric_events: emit metric format (false)
@@ -38,6 +43,52 @@ Options are:
 
 If no port is specified with host, default port is 443.
 
+
+## output examples
+
+### log output example
+
+``` json
+{
+    "timestamp": "2023-10-03T09:59:41.580+02:00",
+    "status": 1,
+    "host": "www.google.fr",
+    "port": 443,
+    "ssl_version": "TLSv1.2",
+    "ssl_dn": "/CN=*.google.fr",
+    "ssl_not_after": "2023-11-27T08:25:08.000Z",
+    "expire_in_days": 55,
+    "serial": "4e79dbb13c6b57b309780da2d1edbda4"
+}
+```
+
+### metric output example
+
+``` json
+{
+    "timestamp": "2023-10-03T10:06:21.417+02:00",
+    "metric_name": "ssl_status",
+    "metric_value": 1,
+    "host": "www.google.fr",
+    "port": 443,
+    "ssl_dn": "/CN=*.google.fr",
+    "ssl_version": "TLSv1.2",
+    "ssl_not_after": "2023-11-27T08:25:08.000Z",
+    "serial": "4e79dbb13c6b57b309780da2d1edbda4"
+}
+
+{
+    "timestamp": "2023-10-03T10:06:21.417+02:00",
+    "metric_name": "ssl_expirency",
+    "metric_value": 55,
+    "host": "www.google.fr",
+    "port": 443,
+    "ssl_dn": "/CN=*.google.fr",
+    "serial": "4e79dbb13c6b57b309780da2d1edbda4"
+}
+```
+
+
 ## Installation
 
 Manual install, by executing:

data/fluent-plugin-ssl-check.gemspec

@@ -5,7 +5,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name    = 'fluent-plugin-ssl-check'
-  spec.version = '2.1.0'
+  spec.version = '2.3.0'
   spec.authors = ['Thomas Tych']
   spec.email   = ['thomas.tych@gmail.com']
 

data/lib/fluent/plugin/in_ssl_check.rb

@@ -33,10 +33,10 @@ module Fluent
       Fluent::Plugin.register_input(NAME, self)
 
       DEFAULT_TAG = NAME
-      DEFAULT_HOST = 'localhost'
       DEFAULT_PORT = 443
       DEFAULT_INTERVAL = 600
       DEFAULT_SNI = true
+      DEFAULT_VERIFY_MODE = :peer
       DEFAULT_TIMEOUT = 5
       DEFAULT_LOG_EVENTS = true
       DEFAULT_METRIC_EVENTS = false
@@ -55,6 +55,12 @@ module Fluent
       config_param :ca_file, :string, default: nil
       desc 'SNI support'
       config_param :sni, :bool, default: DEFAULT_SNI
+      desc 'Verify mode'
+      config_param :verify_mode, :enum, list: %i[none peer], default: DEFAULT_VERIFY_MODE
+      desc 'Client Cert'
+      config_param :cert, :string, default: nil
+      desc 'Client Key'
+      config_param :key, :string, default: nil
 
       desc 'Timeout for check'
       config_param :timeout, :integer, default: DEFAULT_TIMEOUT
@@ -70,17 +76,22 @@ module Fluent
 
       helpers :timer
 
-      # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize, Style/DoubleNegation
       def configure(conf)
         super
 
         raise Fluent::ConfigError, 'tag can not be empty.' if !tag || tag.empty?
-        raise Fluent::ConfigError, 'hosts can not be empty.' if !hosts || hosts.empty?
+        raise Fluent::ConfigError, 'hosts can not be empty.' unless hosts
         raise Fluent::ConfigError, 'interval can not be < 1.' if !interval || interval < 1
         raise Fluent::ConfigError, 'ca_path should be a dir.' if ca_path && !File.directory?(ca_path)
         raise Fluent::ConfigError, 'ca_file should be a file.' if ca_file && !File.file?(ca_file)
+        raise Fluent::ConfigError, 'cert should be a file.' if cert && !File.file?(cert)
+        raise Fluent::ConfigError, 'key should be a file.' if key && !File.file?(key)
+        raise Fluent::ConfigError, 'cert and key should be specified.' if !!cert ^ !!key
+
+        log.warn("#{NAME}: hosts is empty, nothing to process") if hosts.empty?
       end
-      # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize, Style/DoubleNegation
 
       def start
         super
@@ -107,7 +118,9 @@ module Fluent
         ssl_client = SslClient.new(
           host: host, port: port,
           ca_path: ca_path, ca_file: ca_file,
-          sni: sni, timeout: timeout
+          sni: sni, verify_mode: ssl_verify_mode,
+          cert: cert, key: key,
+          timeout: timeout
         )
         ssl_client.ssl_info
       end
@@ -121,7 +134,8 @@ module Fluent
           'ssl_version' => ssl_info.ssl_version,
           'ssl_dn' => ssl_info.subject_s,
           'ssl_not_after' => ssl_info.not_after,
-          'expire_in_days' => ssl_info.expire_in_days
+          'expire_in_days' => ssl_info.expire_in_days,
+          'serial' => ssl_info.serial
         }
         record.update('error_class' => ssl_info.error_class) if ssl_info.error_class
         router.emit(tag, Fluent::EventTime.from_time(ssl_info.time), record)
@@ -141,7 +155,8 @@ module Fluent
           "#{event_prefix}port" => ssl_info.port,
           "#{event_prefix}ssl_dn" => ssl_info.subject_s,
           "#{event_prefix}ssl_version" => ssl_info.ssl_version,
-          "#{event_prefix}ssl_not_after" => ssl_info.not_after
+          "#{event_prefix}ssl_not_after" => ssl_info.not_after,
+          "#{event_prefix}serial" => ssl_info.serial
         }
         router.emit(tag, Fluent::EventTime.from_time(ssl_info.time), record)
       end
@@ -155,11 +170,20 @@ module Fluent
           'metric_value' => ssl_info.expire_in_days,
           "#{event_prefix}host" => ssl_info.host,
           "#{event_prefix}port" => ssl_info.port,
-          "#{event_prefix}ssl_dn" => ssl_info.subject_s
+          "#{event_prefix}ssl_dn" => ssl_info.subject_s,
+          "#{event_prefix}serial" => ssl_info.serial
         }
         router.emit(tag, Fluent::EventTime.from_time(ssl_info.time), record)
       end
 
+      private
+
+      def ssl_verify_mode
+        return OpenSSL::SSL::VERIFY_PEER if verify_mode == :peer
+
+        OpenSSL::SSL::VERIFY_NONE
+      end
+
       # ssl info
       #  to encapsulate extracted ssl information
       class SslInfo
@@ -198,6 +222,10 @@ module Fluent
           cert.not_after.iso8601(3)
         end
 
+        def serial
+          cert&.serial&.to_s(16)&.downcase
+        end
+
         def status
           return KO if error
 
@@ -214,16 +242,23 @@ module Fluent
       # ssl client
       #  to check ssl status
       class SslClient
-        attr_reader :host, :port, :ca_path, :ca_file, :sni, :timeout
+        attr_reader :host, :port, :ca_path, :ca_file, :sni, :verify_mode, :cert, :key, :timeout
 
-        def initialize(host:, port:, ca_path: nil, ca_file: nil, sni: true, timeout: 5)
+        # rubocop:disable Metrics/ParameterLists
+        def initialize(host:, port:, ca_path: nil, ca_file: nil, sni: true, verify_mode: OpenSSL::SSL::VERIFY_PEER,
+                       cert: nil, key: nil,
+                       timeout: 5)
           @host = host
           @port = port
           @ca_path = ca_path
           @ca_file = ca_file
           @sni = sni
+          @verify_mode = verify_mode
+          @cert = cert
+          @key = key
           @timeout = timeout
         end
+        # rubocop:enable Metrics/ParameterLists
 
         def ssl_info
           info = SslInfo.new(host: host, port: port)
@@ -257,10 +292,12 @@ module Fluent
 
         def ssl_context
           OpenSSL::SSL::SSLContext.new.tap do |ssl_context|
-            ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+            ssl_context.verify_mode = verify_mode
             ssl_context.cert_store = store
             ssl_context.min_version = nil
             ssl_context.max_version = OpenSSL::SSL::TLS1_2_VERSION
+            ssl_context.cert = OpenSSL::X509::Certificate.new(File.open(cert)) if cert
+            ssl_context.key = OpenSSL::PKey::RSA.new(File.open(key)) if key
           end
         end
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-ssl-check
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.3.0
 platform: ruby
 authors:
 - Thomas Tych
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-09-12 00:00:00.000000000 Z
+date: 2023-10-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bump