RubyGems - sensu-plugins-ssl - Versions diffs - 1.3.1 → 1.4.0 - Mend

sensu-plugins-ssl 1.3.1 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +9 -2
data/README.md +19 -0
data/bin/check-ssl-anchor.rb +101 -0
data/lib/sensu-plugins-ssl/version.rb +2 -2
metadata +4 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 38aee874f86178e7ea8be52e0856bd678b05ff57
-  data.tar.gz: a86b4dadf3d7c19effdf38dca39a8661b9780f0d
+  metadata.gz: 4bb08666a55b083ef5b2e8c252152420e943da99
+  data.tar.gz: c32e3f6fd49c1436073833748c619c571f7d0947
 SHA512:
-  metadata.gz: cb791eaf20f5af33e4e955de621c3a4f0d77db5a276070c0a39286e33781ef935d058c002093a2b6cb602c61cb8e2e00412af91529c12f7effdeffd9161c802c
-  data.tar.gz: a89a11c728c9967c5c5f568101948cb23d5fbd42ecd2af0347403130b18a1afd0c7bff97c54c3de48101736455aad7d50313cf059d6f5e0a9d63a538ade4e007
+  metadata.gz: 7999f8f52dd451240c33c68c3f8d5ed1b9c2e7fe6777b7462cde2d3aedf7f290121c2761233a48e67205929b26a1a5a25fa2dbde8b0b5e34338059bf78dca699
+  data.tar.gz: f1e7d24517dcae4ab6ad0098e951a9bed7ab8cdfab4b71f90db73c4c0965595bc3016161a962bc5e865a1736cffb60d45191eed9b06354bf5dbd4b6f6901e311

data/CHANGELOG.md CHANGED Viewed

@@ -1,9 +1,15 @@
-#Change Log
+# Change Log
 This project adheres to [Semantic Versioning](http://semver.org/).
 This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachangelog.com/)
 ## [Unreleased]
+## [1.4.0] - 2017-06-20
+### Added
+- `check-ssl-anchor.rb`: Add check for a specific root certificate signature. (@pgporada)
+- `check-ssl-anchor_spec.rb`: Tests for the `check-ssl-anchor.rb` script (@pgporada)
 ## [1.3.1] - 2017-05-30
 ### Fixed
 - `check-ssl-qualys.rb`: Fix missing `net/http` require that prevented the check from executing (@eheydrick)
@@ -72,7 +78,8 @@ This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachang
 ### Added
 - initial release
-[Unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.1...HEAD
+[Unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.4.0...HEAD
+[1.4.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.1...1.4.0
 [1.3.1]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.0...1.3.1
 [1.3.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.2.0...1.3.0
 [1.2.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.1.0...1.2.0

data/README.md CHANGED Viewed

@@ -10,6 +10,7 @@
 ## Files
  * bin/check-java-keystore-cert.rb
+ * bin/check-ssl-anchor.rb
  * bin/check-ssl-crl.rb
  * bin/check-ssl-cert.rb
  * bin/check-ssl-host.rb
@@ -17,6 +18,14 @@
 ## Usage
+### `bin/check-ssl-anchor.rb`
+Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance).
+```
+./bin/check-ssl-anchor.rb -u example.com -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"
+```
 ### `bin/check-ssl-crl.rb`
 Checks a CRL has not or is not expiring by inspecting it's next update value.
@@ -39,4 +48,14 @@ Critical and Warning thresholds are specified in minutes.
 [Installation and Setup](http://sensu-plugins.io/docs/installation_instructions.html)
+## Testing
+To run the testing suite, you'll need to have a working `ruby` environment, `gem`, and `bundler` installed. We use `rake` to run the `rspec` tests automatically.
+    bundle install
+    bundle update
+    bundle exec rake
 ## Notes
+`bin/check-ssl-anchor.rb` and `bin/check-ssl-host.rb` would be good to run in combination with each other to test that the chain is anchored to a specific certificate and each certificate in the chain is correctly signed.

data/bin/check-ssl-anchor.rb ADDED Viewed

@@ -0,0 +1,101 @@
+#! /usr/bin/env ruby
+#
+#   check-ssl-anchor
+#
+# DESCRIPTION:
+#   Check that a certificate is chained to a specific root certificate
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#
+#   Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance)
+#       ./check-ssl-anchor.rb \
+#           -u example.com \
+#           -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"
+#
+# NOTES:
+#   This is basically a ruby wrapper around the following openssl command.
+#
+#       openssl s_client -connect example.com:443 -servername example.com
+#
+#
+#
+#   Use the -s flag if you need to override SNI (Server Name Indication). If you
+#   are seeing discrepencies between `openssl s_client` and browser, that's a good
+#   indication to use this flag.
+#
+# LICENSE:
+#   Copyright 2017 Phil Porada <philporada@gmail.com>
+#
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+require 'sensu-plugin/check/cli'
+#
+# Check certificate is anchored to a specific root
+#
+class CheckSSLAnchor < Sensu::Plugin::Check::CLI
+  option :host,
+         description: 'Host to check',
+         short: '-h',
+         long: '--host HOST',
+         required: true
+  option :anchor,
+         description: 'An anchor looks something like /O=Digital Signature Trust Co./CN=DST Root CA X3',
+         short: '-a',
+         long: '--anchor ANCHOR_VAL',
+         required: true
+  option :servername,
+         description: 'Set the TLS SNI (Server Name Indication) extension',
+         short: '-s',
+         long: '--servername SERVER'
+  option :port,
+         description: 'Port on server to check',
+         short: '-p',
+         long: '--port PORT',
+         default: 443
+  def validate_opts
+    config[:servername] = config[:host] unless config[:servername]
+  end
+  # Do the actual work and massage some data
+  def anchor_information
+    data = `openssl s_client \
+                -connect #{config[:host]}:#{config[:port]} \
+                -servername #{config[:servername]} < /dev/null 2>&1`.match(/Certificate chain(.*)---\nServer certificate/m)[1].split(/$/).map(&:strip)
+    data = data.reject(&:empty?)
+    unless data[0] =~ /0 s:\/CN=.*/m
+      data = 'NOTOK'
+    end
+    data
+  end
+  def run
+    validate_opts
+    data = anchor_information
+    if data == 'NOTOK'
+      critical 'An error was encountered while trying to retrieve the certificate chain.'
+    end
+    if data[-1] == config[:anchor].to_s
+      ok 'Root anchor has been found.'
+    else
+      critical 'Root anchor did not match. Found "' + data[-1] + '" instead.'
+    end
+  end
+end

data/lib/sensu-plugins-ssl/version.rb CHANGED Viewed

@@ -1,8 +1,8 @@
 module SensuPluginsSSL
   module Version
     MAJOR = 1
-    MINOR = 3
-    PATCH = 1
+    MINOR = 4
+    PATCH = 0
     VER_STRING = [MAJOR, MINOR, PATCH].compact.join('.')
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sensu-plugins-ssl
 version: !ruby/object:Gem::Version
-  version: 1.3.1
+  version: 1.4.0
 platform: ruby
 authors:
 - Sensu-Plugins and contributors
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-05-31 00:00:00.000000000 Z
+date: 2017-06-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sensu-plugin
@@ -171,6 +171,7 @@ description: |-
 email: "<sensu-users@googlegroups.com>"
 executables:
 - check-java-keystore-cert.rb
+- check-ssl-anchor.rb
 - check-ssl-cert.rb
 - check-ssl-crl.rb
 - check-ssl-host.rb
@@ -182,6 +183,7 @@ files:
 - LICENSE
 - README.md
 - bin/check-java-keystore-cert.rb
+- bin/check-ssl-anchor.rb
 - bin/check-ssl-cert.rb
 - bin/check-ssl-crl.rb
 - bin/check-ssl-host.rb