internet_security_event 1.0.2 → 1.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c45d13b633f75d73835bc5df4366f4c7dc778637124b04dfcca841d170062bb8
-  data.tar.gz: 51012612ff7d23ae2019471663f7c16b50d04665f467efad9a13abd377662cbc
+  metadata.gz: 3df07baf6dbb78e612229fee0043e79a955c01f7f1655c8e77a6a142340d4114
+  data.tar.gz: 53bd006f3735a68a8d8255e5c83245f636eb69bd9957c581fa65a6d094c0e0ea
 SHA512:
-  metadata.gz: ba96b78855a50ce723f9f26c869d9b65a4f0261d79730139c16bac20c56ffd9bfd01921f3152cd94c10648d7ae262474cadda190f5c433e48913a00f9a6b62ab
-  data.tar.gz: c77cf433031d25d2c61089e098db1a097853432449060bd1600e66ef5d2a6c37a0a3065182ffb2dcb623222da708898dfe6ffb5b5ccc5a59301adbc1308a7446
+  metadata.gz: 2f3cdfec986f3112a037f78eb7579f6adca58b09361cfeea297a0c1d941409871312524cd14cf1bfa2534c50b255f7ebb4ec2e0d82085413d6096d5783f444ec
+  data.tar.gz: e49b5770d869368c49786ad8997cf85f4178f7cf52fef2eac957018db45c0ebeb0210d0bd225fc1339dc4bb215acacf52d37b55c9b0d5f205049d98b70de6621

data/.github/workflows/ci.yml

@@ -0,0 +1,50 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  rubocop:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.0
+          bundler-cache: true
+      - name: Run static code analysis
+        run: bundle exec rubocop
+  unit:
+    runs-on: ubuntu-latest
+    needs: rubocop
+    strategy:
+      matrix:
+        ruby:
+          - "2.6"
+          - "2.7"
+          - "3.0"
+          - "3.1"
+    name: Ruby ${{ matrix.ruby }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+      - name: Run tests without uploading code coverage
+        if: ${{ matrix.ruby != '3.0' }}
+        run: bundle exec rake
+      - name: Run tests and upload coverage to Code Climate
+        if: ${{ matrix.ruby == '3.0' }}
+        uses: paambaati/codeclimate-action@v3.0.0
+        env:
+          CC_TEST_REPORTER_ID: ${{ secrets.CODECLIMATE_TOKEN }}
+        with:
+          coverageCommand: bundle exec rake

data/.rspec

@@ -1,3 +1 @@
---format documentation
---color
 --require spec_helper

data/.rubocop.yml

@@ -0,0 +1,25 @@
+AllCops:
+  AllowSymlinksInCacheRootDirectory: true
+
+require:
+  - rubocop-rake
+  - rubocop-rspec
+
+Layout/HashAlignment:
+  EnforcedColonStyle: table
+  EnforcedHashRocketStyle: table
+
+Metrics/LineLength:
+  Max: 160
+
+Style/Documentation:
+  Enabled: false
+
+Style/TrailingCommaInArrayLiteral:
+  EnforcedStyleForMultiline: comma
+
+Style/TrailingCommaInHashLiteral:
+  EnforcedStyleForMultiline: comma
+
+Style/TrailingCommaInArguments:
+  EnforcedStyleForMultiline: comma

data/CHANGELOG.md

@@ -0,0 +1,38 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.2.1] - 2022-07-15
+
+### Changed
+- Emit a `warning` state instead of a `warn` state to match Riemann wording.
+
+## [1.2.0] - 2019-02-28
+
+### Changed
+- Rely on `OpenSSL::SSL.verify_certificate_identity` to check that a certificate
+  is valid for the provided hostname.
+
+## [1.1.0] - 2019-02-21
+
+### Added
+- Add basic suport for TLSA events.
+
+## [1.0.2] - 2019-02-21
+
+### Changed
+- Fix checking of TLS hostnames with wildcard certificates.
+
+## [1.0.1] - 2019-02-18
+
+### Changed
+- Improve the way TLS certificates state is computed.
+
+[Unreleased]: https://github.com/smortex/internet_security_event/compare/v1.2.0...HEAD
+[1.2.0]: https://github.com/smortex/internet_security_event/compare/v1.1.0...v1.2.0
+[1.1.0]: https://github.com/smortex/internet_security_event/compare/v1.0.2...v1.1.0
+[1.0.2]: https://github.com/smortex/internet_security_event/compare/v1.0.1...v1.0.2
+[1.0.1]: https://github.com/smortex/internet_security_event/compare/v1.0.0...v1.0.1

data/README.md

@@ -1,6 +1,6 @@
 # InternetSecurityEvent
 
-[![Build Status](https://travis-ci.com/smortex/internet_security_event.svg?branch=master)](https://travis-ci.com/smortex/internet_security_event)
+[![Build Status](https://github.com/smortex/internet_security_event/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/smortex/internet_security_event/actions/workflows/ci.yml)
 [![Maintainability](https://api.codeclimate.com/v1/badges/bc64fb4f1c1088c15b8c/maintainability)](https://codeclimate.com/github/smortex/internet_security_event/maintainability)
 [![Test Coverage](https://api.codeclimate.com/v1/badges/bc64fb4f1c1088c15b8c/test_coverage)](https://codeclimate.com/github/smortex/internet_security_event/test_coverage)
 
@@ -38,7 +38,7 @@ certificate = OpenSSL::X509::Certificate.new(...)
 
 event = InternetSecurityEvent::X509Status.build(certificate)
 
-event[:state]       #=> 'ok', 'warn', 'critical'
+event[:state]       #=> 'ok', 'warning', 'critical'
 event[:description] #=> Human readable state
 event[:metric]      #=> an optional Float
 ```
@@ -81,4 +81,4 @@ License](https://opensource.org/licenses/MIT).
 
 Everyone interacting in the InternetSecurityEvent project’s codebases, issue
 trackers, chat rooms and mailing lists is expected to follow the [code of
-conduct](https://github.com/smortex/internet_security_event/blob/master/CODE_OF_CONDUCT.md).
+conduct](https://github.com/smortex/internet_security_event/blob/main/CODE_OF_CONDUCT.md).

data/internet_security_event.gemspec

@@ -13,6 +13,7 @@ Gem::Specification.new do |spec|
   spec.summary       = 'Build events describing the status of various internet services'
   spec.homepage      = 'https://github.com/smortex/internet_security_event'
   spec.license       = 'MIT'
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.6.0')
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
@@ -23,11 +24,13 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'actionview', '~> 5.2'
   spec.add_dependency 'activesupport', '~> 5.2'
 
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rubocop'
+  spec.add_development_dependency 'rubocop-rake'
+  spec.add_development_dependency 'rubocop-rspec'
   spec.add_development_dependency 'simplecov'
 end

data/lib/internet_security_event/tls_status.rb

@@ -33,36 +33,7 @@ module InternetSecurityEvent
     def hostname_is_valid_for_this_certificate?
       return true if hostname.nil?
 
-      hostname_match_subject? || hostname_match_subject_alternative_name?
-    end
-
-    def hostname_match_subject?
-      name_match_patern(hostname, common_name)
-    end
-
-    def hostname_match_subject_alternative_name?
-      return false unless certificate
-
-      san = certificate.extensions.select { |ext| ext.oid == 'subjectAltName' }.first
-
-      if san
-        alt_names = san.value.split(', ').map { |name| name.sub(/\ADNS:/, '') }
-        return true if alt_names.any? { |alt_name| name_match_patern(hostname, alt_name) }
-      end
-
-      false
-    end
-
-    def name_match_patern(hostname, pattern)
-      re = Regexp.new('\A' + pattern.split('*').map do |st|
-        Regexp.escape(st)
-      end.join('[^.]*') + '\z')
-
-      re.match(hostname)
-    end
-
-    def common_name
-      certificate.subject.to_a.select { |data| data[0] == 'CN' }.map { |data| data[1] }.first if certificate
+      OpenSSL::SSL.verify_certificate_identity(certificate, hostname)
     end
   end
 end

data/lib/internet_security_event/tlsa_status.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+require 'resolv'
+
+module InternetSecurityEvent
+  class TLSAStatus
+    attr_reader :record, :certificate
+
+    def initialize(record, certificate)
+      @record = record
+      @certificate = certificate
+
+      @resolv = Resolv::DNS.new
+    end
+
+    def self.build(record, certificate)
+      obj = new(record, certificate)
+      obj.to_e
+    end
+
+    def to_e
+      {
+        state:       state,
+        description: description,
+      }
+    end
+
+    def certificate_association_data(selector, matching_type)
+      certificate_association_data_digest(certificate_association_data_certificate_bytes(selector), matching_type)
+    end
+
+    def certificate_match_tlsa_record?
+      certificate_association_data(record.selector, record.matching_type) == record.certificate_association_data
+    end
+
+    private
+
+    def certificate_association_data_certificate_bytes(selector)
+      case selector
+      when Resolv::DNS::Resource::IN::TLSA::Selector::CERT
+        certificate.to_der
+      when Resolv::DNS::Resource::IN::TLSA::Selector::SPKI
+        certificate.public_key.to_der
+      end
+    end
+
+    def certificate_association_data_digest(bytes, matching_type)
+      case matching_type
+      when Resolv::DNS::Resource::IN::TLSA::MatchingType::FULL
+        bytes.unpack1('H*')
+      when Resolv::DNS::Resource::IN::TLSA::MatchingType::SHA2_256
+        Digest::SHA256.hexdigest(bytes)
+      when Resolv::DNS::Resource::IN::TLSA::MatchingType::SHA2_512
+        Digest::SHA512.hexdigest(bytes)
+      end
+    end
+
+    def state
+      return 'critical' unless record
+
+      return nil unless record.end_entity?
+
+      return 'ok' if certificate_match_tlsa_record?
+
+      'critical'
+    end
+
+    def description
+      if record.end_entity?
+        if certificate_match_tlsa_record?
+          'certificate match TLSA record'
+        else
+          'certificate does not match TLSA record'
+        end
+      else
+        # FIXME: For now, we only check the certificate, not the CA
+        'Unsupported certificate usage'
+      end
+    end
+  end
+end

data/lib/internet_security_event/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module InternetSecurityEvent
-  VERSION = '1.0.2'
+  VERSION = '1.2.1'
 end

data/lib/internet_security_event/x509_status.rb

@@ -1,13 +1,9 @@
 # frozen_string_literal: true
 
-require 'action_view'
-require 'action_view/helpers'
 require 'active_support/core_ext/numeric/time'
 
 module InternetSecurityEvent
   class X509Status
-    include ActionView::Helpers::DateHelper
-
     attr_reader :certificate, :hostname
 
     def initialize(certificate)
@@ -19,7 +15,7 @@ module InternetSecurityEvent
       obj.to_e
     end
 
-    def to_e
+    def to_e # rubocop:disable Metrics/AbcSize
       {
         state:       state,
         description: description,
@@ -32,6 +28,10 @@ module InternetSecurityEvent
       }
     end
 
+    def renewal_duration
+      [validity_duration / 3, 90.days].min
+    end
+
     private
 
     def description
@@ -45,7 +45,7 @@ module InternetSecurityEvent
       if not_valid_yet? || expired_or_expire_soon?
         'critical'
       elsif expire_soonish?
-        'warn'
+        'warning'
       else
         'ok'
       end
@@ -71,10 +71,6 @@ module InternetSecurityEvent
       now + 2 * renewal_duration / 3 > certificate.not_after
     end
 
-    def renewal_duration
-      [validity_duration / 3, 90.days].min
-    end
-
     def validity_duration
       certificate.not_after - certificate.not_before
     end
@@ -82,5 +78,29 @@ module InternetSecurityEvent
     def now
       Now.instance.now
     end
+
+    # Stolen from ActionView, to avoid pulling a lot of dependencies
+    def distance_of_time_in_words_to_now(to_time) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+      distance_in_seconds = (to_time - now).round.abs
+      distance_in_minutes = distance_in_seconds / 60
+
+      case distance_in_minutes
+      when 0                then 'less than 1 minute'
+      when 1...45           then pluralize_string('%d minute', distance_in_minutes)
+      when 45...1440        then pluralize_string('about %d hour', (distance_in_minutes.to_f / 60.0).round)
+        # 24 hours up to 30 days
+      when 1440...43_200    then pluralize_string('%d day', (distance_in_minutes.to_f / 1440.0).round)
+        # 30 days up to 60 days
+      when 43_200...86_400  then pluralize_string('about %d month', (distance_in_minutes.to_f / 43_200.0).round)
+        # 60 days up to 365 days
+      when 86_400...525_600 then pluralize_string('%d month', (distance_in_minutes.to_f / 43_200.0).round)
+      else
+        pluralize_string('about %d year', (distance_in_minutes.to_f / 525_600.0).round)
+      end
+    end
+
+    def pluralize_string(string, number)
+      format(string, number) + (number == 1 ? '' : 's')
+    end
   end
 end

data/lib/internet_security_event.rb

@@ -2,4 +2,6 @@
 
 require 'internet_security_event/now'
 require 'internet_security_event/tls_status'
+require 'internet_security_event/tlsa_status'
 require 'internet_security_event/x509_status'
+require 'resolv/dns/resource/in/tlsa'

data/lib/resolv/dns/resource/in/tlsa.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+class Resolv
+  class DNS
+    class Resource
+      module IN
+        class TLSA
+          module CertificateUsage
+            PKIX_TA = 0
+            PKIX_EE = 1
+            DANE_TA = 2
+            DANE_EE = 3
+          end
+
+          module Selector
+            CERT = 0
+            SPKI = 1
+          end
+
+          module MatchingType
+            FULL = 0
+            SHA2_256 = 1
+            SHA2_512 = 2
+          end
+
+          def initialize(data)
+            @certificate_usage, @selector, @matching_type, @certificate_association_data = data.unpack('CCCH*')
+          end
+
+          attr_reader :certificate_usage, :selector, :matching_type, :certificate_association_data
+
+          def end_entity?
+            [CertificateUsage::PKIX_EE, CertificateUsage::DANE_EE].include?(certificate_usage)
+          end
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,17 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: internet_security_event
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 1.2.1
 platform: ruby
 authors:
 - Romain Tartière
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-02-21 00:00:00.000000000 Z
+date: 2022-07-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: actionview
+  name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -25,21 +25,21 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '5.2'
 - !ruby/object:Gem::Dependency
-  name: activesupport
+  name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '5.2'
-  type: :runtime
+        version: '0'
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -53,7 +53,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -67,7 +67,35 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -94,16 +122,18 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 
+description:
 email:
 - romain@blogreen.org
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/ci.yml"
 - ".gitignore"
 - ".rspec"
-- ".travis.yml"
+- ".rubocop.yml"
+- CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Gemfile
 - LICENSE.txt
@@ -115,13 +145,15 @@ files:
 - lib/internet_security_event.rb
 - lib/internet_security_event/now.rb
 - lib/internet_security_event/tls_status.rb
+- lib/internet_security_event/tlsa_status.rb
 - lib/internet_security_event/version.rb
 - lib/internet_security_event/x509_status.rb
+- lib/resolv/dns/resource/in/tlsa.rb
 homepage: https://github.com/smortex/internet_security_event
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -129,16 +161,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.6.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.8
-signing_key: 
+rubygems_version: 3.3.17
+signing_key:
 specification_version: 4
 summary: Build events describing the status of various internet services
 test_files: []

data/.travis.yml

@@ -1,12 +0,0 @@
----
-language: ruby
-rvm:
-  - 2.4
-  - 2.5
-  - 2.6
-before_script:
-  - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
-  - chmod +x ./cc-test-reporter
-  - ./cc-test-reporter before-build
-after_script:
-  - ./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT