RubyGems - sensu-plugins-ssl - Versions diffs - 1.0.0 → 1.1.0 - Mend

sensu-plugins-ssl 1.0.0 → 1.1.0

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +16 -1
data/README.md +22 -2
data/bin/check-java-keystore-cert.rb +87 -0
data/bin/check-ssl-crl.rb +76 -0
data/bin/check-ssl-host.rb +40 -6
data/bin/check-ssl-qualys.rb +10 -2
data/lib/sensu-plugins-ssl/version.rb +1 -1
metadata +22 -5

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bd6139788580da152ea21011bcf673388d067cf2
-  data.tar.gz: 96c53d56a691211326adc84b967e0282bf31c7fc
+  metadata.gz: ad7f900ae9946ad4bb040d4e7968761847ca38f6
+  data.tar.gz: f7485dfc07f15d1789ef4000455a60e3b32c78d8
 SHA512:
-  metadata.gz: 9aa9628fc76a95b28c8cd070cc5676e834ee950e7a69edc1569dd117dd5397300ee1ce7e9561f2c025172b121eb71f53d8283e1e6c760ed575fd83d071b0fa1f
-  data.tar.gz: f2fdde4418085c7167972c88e44e3728e15d9a69cb9506da3f9149a5e119ab4231984f2648a70a48aa0d3a15d56fac1fec3f9e5d451274c8f22c110dd49a14d9
+  metadata.gz: 2c2a81176f56ca91455c54ffa18e62f34e26d9fb1cc29cbdd53e9fa421aa5e7552f251e799fd4191ff806dbe228e3b29b9261d7a3bd4f76b449b89f4a544d405
+  data.tar.gz: 17e6353a089229402fb90abc4a2729a0221e43f4fd820aa3b402d32da60318e1c9e8207a18cdaf870c170ddc1258b432c0f7aefd114a6de607adc0a203dc962f

data/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,20 @@ This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachang
 ## [Unreleased]
+## [1.1.0] - 2017-02-28
+### Added
+- `check-ssl-host.rb`: Add optional `address` command line parameter for specifying the address of the server to
+   connect to, to override the `hostname` parameter (which is still used for verification/SNI) (@advance512)
+- `check-ssl-host.rb`: Better error message when unable to connect to target host (@johntdyer)
+- `check-ssl-host.rb`: Add support for client certificates (@modax)
+- `check-ssl-host.rb`: Add basic IMAP STARTTLS negotiation (@lobeck)
+- `check-java-keystore-cert.rb`: Add new check to verify a certificate in a Java Keystore has not expired. (@joerayme)
+- `check-ssl-crl.rb`: Add check for expiring CRL (@shoekstra)
+### Fixed
+- `check-ssl-qualys.rb`: Handle API errors with status unknown instead of unhandled "Check failed to run". (@11mariom)
+- `check-ssl-qualys.rb`: Handle nil grade_rank as critical not rated (@11mariom)
 ## [1.0.0]
 ### Changed
 - Updated Rubocop to 0.40, applied auto-correct
@@ -47,7 +61,8 @@ This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachang
 ### Added
 - initial release
-[unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.0.0...HEAD
+[unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.1.0...HEAD
+[1.1.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.0.0...1.1.0
 [1.0.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/0.0.6...1.0.0
 [0.0.6]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/0.0.5...0.0.6
 [0.0.5]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/0.0.4...0.0.5

data/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
-## Sensu-Plugins-ssl
+## Sensu-Plugins-SSL
-[ ![Build Status](https://travis-ci.org/sensu-plugins/sensu-plugins-ssl.svg?branch=master)](https://travis-ci.org/sensu-plugins/sensu-plugins-ssl)
+[![Build Status](https://travis-ci.org/sensu-plugins/sensu-plugins-ssl.svg?branch=master)](https://travis-ci.org/sensu-plugins/sensu-plugins-ssl)
 [![Gem Version](https://badge.fury.io/rb/sensu-plugins-ssl.svg)](http://badge.fury.io/rb/sensu-plugins-ssl)
 [![Code Climate](https://codeclimate.com/github/sensu-plugins/sensu-plugins-ssl/badges/gpa.svg)](https://codeclimate.com/github/sensu-plugins/sensu-plugins-ssl)
 [![Test Coverage](https://codeclimate.com/github/sensu-plugins/sensu-plugins-ssl/badges/coverage.svg)](https://codeclimate.com/github/sensu-plugins/sensu-plugins-ssl)
@@ -9,12 +9,32 @@
 ## Functionality
 ## Files
+ * bin/check-java-keystore-cert.rb
+ * bin/check-ssl-crl.rb
  * bin/check-ssl-cert.rb
  * bin/check-ssl-host.rb
  * bin/check-ssl-qualys.rb
 ## Usage
+### `bin/check-ssl-crl.rb`
+Checks a CRL has not or is not expiring by inspecting it's next update value.
+You can check against a CRL file on disk:
+```
+./bin/check-ssl-crl -c 300 -w 600 -u /path/to/crl
+```
+or an online CRL:
+```
+./bin/check-ssl-crl -c 300 -w 600 -u http://www.website.com/file.crl
+```
+Critical and Warning thresholds are specified in minutes.
 ## Installation
 [Installation and Setup](http://sensu-plugins.io/docs/installation_instructions.html)

data/bin/check-java-keystore-cert.rb ADDED Viewed

@@ -0,0 +1,87 @@
+#!/usr/bin/env ruby
+#
+#   check-java-keystore-cert
+#
+# DESCRIPTION:
+#   Check when a certificate stored in a Java Keystore will expire
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#   example commands
+#
+# NOTES:
+#   Does it behave differently on specific platforms, specific use cases, etc
+#
+require 'date'
+require 'sensu-plugin/check/cli'
+class CheckJavaKeystoreCert < Sensu::Plugin::Check::CLI
+  option :path,
+         long: '--path PATH',
+         description: '',
+         required: true
+  option :alias,
+         long: '--alias ALIAS',
+         description: '',
+         required: true
+  option :password,
+         long: '--password PASSWORD',
+         description: '',
+         required: true
+  option :warning,
+         long: '--warning DAYS',
+         description: '',
+         proc: proc { |v| v.to_i },
+         required: true
+  option :critical,
+         long: '--critical DAYS',
+         description: '',
+         proc: proc { |v| v.to_i },
+         required: true
+  def certificate_expiration_date
+    result = `keytool -keystore #{config[:path]} \
+                      -export -alias #{config[:alias]} \
+                      -storepass #{config[:password]} 2>&1 | \
+              openssl x509 -enddate -inform der -noout 2>&1`
+    # rubocop:disable Style/SpecialGlobalVars
+    unknown 'could not get certificate from keystore' unless $?.success?
+    # rubocop:enable Style/SpecialGlobalVars
+    Date.parse(result.split('=').last)
+  end
+  def validate_opts
+    unknown 'warning cannot be less than critical' if config[:warning] < config[:critical]
+  end
+  def run
+    validate_opts
+    days_until = (certificate_expiration_date - Date.today).to_i
+    if days_until < 0
+      critical "Expired #{days_until.abs} days ago"
+    elsif days_until < config[:critical]
+      critical "#{days_until} days left"
+    elsif days_until < config[:warning]
+      warning "#{days_until} days left"
+    end
+    ok "#{days_until} days left"
+  end
+end

data/bin/check-ssl-crl.rb ADDED Viewed

@@ -0,0 +1,76 @@
+#! /usr/bin/env ruby
+#
+#   check-ssl-crl
+#
+# DESCRIPTION:
+#   Check in minutes when a certificate revocation list will expire.
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#   ./check-ssl-crl -c 300 -w 600 -u /path/to/crl
+#   ./check-ssl-crl -c 300 -w 600 -u http://www.website.com/file.crl
+#
+# LICENSE:
+#   Stephen Hoekstra <shoekstra@schubergphilis.com>
+#
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+require 'open-uri'
+require 'openssl'
+require 'sensu-plugin/check/cli'
+require 'time'
+#
+# Check SSL Cert
+#
+class CheckSSLCRL < Sensu::Plugin::Check::CLI
+  option :critical,
+         description: 'Numbers of minutes left',
+         short: '-c',
+         long: '--critical MINUTES',
+         proc: proc { |v| v.to_i },
+         required: true
+  option :url,
+         description: 'URL (or path) to CRL file',
+         short: '-u',
+         long: '--url URL',
+         required: true
+  option :warning,
+         description: 'Numbers of minutes left',
+         short: '-w',
+         long: '--warning MINUTES',
+         proc: proc { |v| v.to_i },
+         required: true
+  def seconds_to_minutes(seconds)
+    (seconds / 60).to_i
+  end
+  def validate_opts
+    unknown 'warning cannot be less than critical' if config[:warning] < config[:critical]
+  end
+  def run
+    validate_opts
+    next_update = OpenSSL::X509::CRL.new(open(config[:url]).read).next_update
+    minutes_until = seconds_to_minutes(Time.parse(next_update.to_s) - Time.now)
+    critical "#{config[:url]} - Expired #{minutes_until.abs} minutes ago" if minutes_until < 0
+    critical "#{config[:url]} - #{minutes_until} minutes left, next update at #{next_update}" if minutes_until < config[:critical].to_i
+    warning "#{config[:url]} - #{minutes_until} minutes left, next update at #{next_update}" if minutes_until < config[:warning].to_i
+    ok "#{config[:url]} - #{minutes_until} minutes left, next update at #{next_update}"
+  end
+end

data/bin/check-ssl-host.rb CHANGED Viewed

@@ -42,7 +42,7 @@ require 'socket'
 # Check SSL Host
 #
 class CheckSSLHost < Sensu::Plugin::Check::CLI
-  STARTTLS_PROTOS = %w(smtp).freeze
+  STARTTLS_PROTOS = %w(smtp imap).freeze
   check_name 'check_ssl_host'
@@ -62,7 +62,8 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
          default: 14
   option :host,
-         description: 'Hostname of server to check',
+         description: 'Hostname of the server certificate to check, by default used as the server address if none ' \
+                      'is given',
          short: '-h',
          long: '--host HOST',
          required: true
@@ -73,6 +74,20 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
          long: '--port PORT',
          default: 443
+  option :address,
+         description: 'Address of server to check. This is used instead of the host argument for the TCP connection, ' \
+                      'however the server hostname is still used for the TLS/SSL context.',
+         short: '-a',
+         long: '--address ADDRESS'
+  option :client_cert,
+         description: 'Path to the client certificate in DER/PEM format',
+         long: '--client-cert CERT'
+  option :client_key,
+         description: 'Path to the client RSA key in DER/PEM format',
+         long: '--client-key KEY'
   option :skip_hostname_verification,
          description: 'Disables hostname verification',
          long: '--skip-hostname-verification',
@@ -88,13 +103,18 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
                       "(#{STARTTLS_PROTOS.join(', ')})",
          long: '--starttls PROTO'
-  def get_cert_chain(host, port)
-    tcp_client = TCPSocket.new(host, port)
+  def get_cert_chain(host, port, address, client_cert, client_key)
+    tcp_client = TCPSocket.new(address ? address : host, port)
     handle_starttls(config[:starttls], tcp_client) if config[:starttls]
     ssl_context = OpenSSL::SSL::SSLContext.new
+    ssl_context.cert = OpenSSL::X509::Certificate.new File.read(client_cert) if client_cert
+    ssl_context.key = OpenSSL::PKey::RSA.new File.read(client_key) if client_key
     ssl_client = OpenSSL::SSL::SSLSocket.new(tcp_client, ssl_context)
-    # SNI
+    # If the OpenSSL version in use supports Server Name Indication (SNI, RFC 3546), then we set the hostname we
+    # received to request that certificate.
     ssl_client.hostname = host if ssl_client.respond_to? :hostname=
     ssl_client.connect
     certs = ssl_client.peer_cert_chain
     ssl_client.close
@@ -122,6 +142,18 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
     critical "#{config[:host]} - did not receive SMTP 220 in response to STARTTLS"
   end
+  def starttls_imap(socket)
+    status = socket.readline
+    unless /^* OK / =~ status
+      critical "#{config[:host]} - did not receive initial * OK"
+    end
+    socket.puts 'a001 STARTTLS'
+    status = socket.readline
+    return if /^a001 OK Begin TLS negotiation now/ =~ status
+    critical "#{config[:host]} - did not receive OK Begin TLS negotiation now"
+  end
   def verify_expiry(cert)
     # Expiry check
     days = (cert.not_after.to_date - Date.today).to_i
@@ -154,9 +186,11 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
   end
   def run
-    chain = get_cert_chain(config[:host], config[:port])
+    chain = get_cert_chain(config[:host], config[:port], config[:address], config[:client_cert], config[:client_key])
     verify_hostname(chain[0]) unless config[:skip_hostname_verification]
     verify_certificate_chain(chain) unless config[:skip_chain_verification]
     verify_expiry(chain[0])
+  rescue Errno::ECONNRESET => e
+    critical "#{e.class} - #{e.message}"
   end
 end

data/bin/check-ssl-qualys.rb CHANGED Viewed

@@ -90,8 +90,12 @@ class CheckSSLQualys < Sensu::Plugin::Check::CLI
   def ssl_api_request(from_cache)
     params = { host: config[:domain] }
     params[:startNew] = 'on' unless from_cache
-    r = RestClient.get("#{config[:api_url]}analyze", params: params)
-    warning "HTTP#{r.code} recieved from API" unless r.code == 200
+    begin
+      r = RestClient.get("#{config[:api_url]}analyze", params: params)
+      warning "HTTP#{r.code} recieved from API" unless r.code == 200
+    rescue RestClient::ExceptionWithResponse => e
+      unknown e.response
+    end
     JSON.parse(r.body)
   end
@@ -122,6 +126,10 @@ class CheckSSLQualys < Sensu::Plugin::Check::CLI
   def run
     grade = lowest_grade
+    unless grade
+      message "#{config[:domain]} not rated"
+      critical
+    end
     message "#{config[:domain]} rated #{grade}"
     grade_rank = GRADE_OPTIONS.index(grade)
     if grade_rank > config[:critical]

data/lib/sensu-plugins-ssl/version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 module SensuPluginsSSL
   module Version
     MAJOR = 1
-    MINOR = 0
+    MINOR = 1
     PATCH = 0
     VER_STRING = [MAJOR, MINOR, PATCH].compact.join('.')

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sensu-plugins-ssl
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Sensu-Plugins and contributors
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-06-20 00:00:00.000000000 Z
+date: 2017-03-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sensu-plugin
@@ -164,13 +164,29 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.8.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.8.0
 description: |-
   This plugin provides native SSL instrumentation
                                 for monitoring, including: hostname and chain
-                                verification, cert expiry, and Qualys SSL Labs reporting
+                                verification, cert and crl expiry, and Qualys SSL Labs reporting
 email: "<sensu-users@googlegroups.com>"
 executables:
+- check-java-keystore-cert.rb
 - check-ssl-cert.rb
+- check-ssl-crl.rb
 - check-ssl-host.rb
 - check-ssl-qualys.rb
 extensions: []
@@ -179,7 +195,9 @@ files:
 - CHANGELOG.md
 - LICENSE
 - README.md
+- bin/check-java-keystore-cert.rb
 - bin/check-ssl-cert.rb
+- bin/check-ssl-crl.rb
 - bin/check-ssl-host.rb
 - bin/check-ssl-qualys.rb
 - lib/sensu-plugins-ssl.rb
@@ -210,9 +228,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.5.1
+rubygems_version: 2.4.5
 signing_key:
 specification_version: 4
 summary: Sensu plugins for SSL
 test_files: []
-has_rdoc: