sensu-plugins-ssl 1.3.1 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 38aee874f86178e7ea8be52e0856bd678b05ff57
-  data.tar.gz: a86b4dadf3d7c19effdf38dca39a8661b9780f0d
+SHA256:
+  metadata.gz: 81a09f41b7a0220a938ceee8561f7433321376e5617e4c09fb65454476630d88
+  data.tar.gz: b0ecba81c6266494db6a0f8c9ecb50da9f8302bef75e6f5267ca6a79aa2c17b5
 SHA512:
-  metadata.gz: cb791eaf20f5af33e4e955de621c3a4f0d77db5a276070c0a39286e33781ef935d058c002093a2b6cb602c61cb8e2e00412af91529c12f7effdeffd9161c802c
-  data.tar.gz: a89a11c728c9967c5c5f568101948cb23d5fbd42ecd2af0347403130b18a1afd0c7bff97c54c3de48101736455aad7d50313cf059d6f5e0a9d63a538ade4e007
+  metadata.gz: 7ba079ecb12548b22f684681ee0c077e965ac04a725623554a74b6fc45f009b1a72c3b1657d3ac69dbf58f213497bfee7b3e830dcc769c13c0eeb57fea9c56b9
+  data.tar.gz: 45ecf2194f83c759681b9e167a8c8d08e77a20e4691c2c432dc18b779bcd52d1b089fb148a758dd5a7f9e208cab6de8bf54e41a9c785de9eb5935d2155f3b22e

data/CHANGELOG.md

@@ -1,9 +1,66 @@
-#Change Log
+# Change Log
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachangelog.com/)
+This CHANGELOG follows the format listed [here](https://github.com/sensu-plugins/community/blob/master/HOW_WE_CHANGELOG.md).
 
 ## [Unreleased]
+
+## [3.0.0] - 2020-08-27
+### Breaking Changes
+- Bump `sensu-plugin` dependency from `~> 1.2` to `~> 4.0` you can read the changelog entries for [4.0](https://github.com/sensu-plugins/sensu-plugin/blob/master/CHANGELOG.md#400---2018-02-17), [3.0](https://github.com/sensu-plugins/sensu-plugin/blob/master/CHANGELOG.md#300---2018-12-04), and [2.0](https://github.com/sensu-plugins/sensu-plugin/blob/master/CHANGELOG.md#v200---2017-03-29)
+- Remove ruby-2.3.0. Upgrade bundler. Fix failing tests (@phumpal).
+
+### Added
+- Travis build automation to generate Sensu Asset tarballs that can be used n conjunction with Sensu provided ruby runtime assets and the Bonsai Asset Index
+- Require latest sensu-plugin for [Sensu Go support](https://github.com/sensu-plugins/sensu-plugin#sensu-go-enablement)
+- New option to treat anchor argument as a regexp
+- New Check plugin `check-ssl-root-issuer.rb` with alternative logic for trust anchor verification.
+
+### Changed
+- `check-ssl-anchor.rb` uses regexp to test for present of certificates in cert chain that works with both openssl 1.0 and 1.1 formatting
+- Upgrade rake and rubocop dependencies
+- Remediate rubocop issues
+
+### Fixed
+- ssl-anchor test now uses regexp
+
+## [2.0.1] - 2018-05-30
+### Fixed
+- `check-ssl-qualys.rb`: Fixed typo and removed timeout `-t` short option replacing it with `--timeout` as per previous changelog. `-t` conflicts with the short option for `--time-between`
+- Fixed typo in changelog
+
+## [2.0.0] - 2018-03-27
+### Breaking Changes
+- `check-ssl-qualys.rb`: when you submit a request with caching enabled it will return back a response including an eta key. Rather than sleeping for some arbitrary number of time we now use this key when its greater than `--time-between` to wait before attempting the next attempt to query. If it is lower or not present we fall back to `--time-between` (@majormoses)
+- `check-ssl-qualys.rb`: new `--timeout` parameter to short circuit slow apis (@majormoses)
+
+### Changed
+- `check-ssl-qualys.rb`: updated `--api-url` to default to `v3` but remains backwards compatible (@jhoblitt) (@majormoses)
+
+### Added
+`check-ssl-qualys.rb`: option `--debug` to enable debug logging (@majormoses)
+
+### Fixed
+- `check-ssl-hsts-preloadable.rb`: Fixed testing warnings for if a domain can be HSTS preloaded (@rwky)
+
+## [1.5.0] - 2017-09-26
+### Added
+- Ruby 2.4.1 testing
+- `check-ssl-hsts-preload.rb`: Added check for testing preload status of HSTS (@rwky)
+- `check-ssl-hsts-preloadable.rb`: Added check for testing if a domain can be HSTS preloaded (@rwky)
+
+### Changed
+- updated CHANGELOG guidelines location (@majormoses)
+
+### Fixed
+- `check-java-keystore-cert.rb`: Export cert in PEM format to fix tests that broke going from Precise to Trusty travis workers (@eheydrick)
+- fixed spelling in github pr template (@majormoses)
+
+## [1.4.0] - 2017-06-20
+### Added
+- `check-ssl-anchor.rb`: Add check for a specific root certificate signature. (@pgporada)
+- `check-ssl-anchor_spec.rb`: Tests for the `check-ssl-anchor.rb` script (@pgporada)
+
 ## [1.3.1] - 2017-05-30
 ### Fixed
 - `check-ssl-qualys.rb`: Fix missing `net/http` require that prevented the check from executing (@eheydrick)
@@ -72,7 +129,12 @@ This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachang
 ### Added
 - initial release
 
-[Unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.1...HEAD
+[Unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/3.0.0...HEAD
+[3.0.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/2.0.1...3.0.0
+[2.0.1]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/2.0.0...2.0.1
+[2.0.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.5.0...2.0.0
+[1.5.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.4.0...1.5.0
+[1.4.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.1...1.4.0
 [1.3.1]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.0...1.3.1
 [1.3.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.2.0...1.3.0
 [1.2.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.1.0...1.2.0

data/README.md

@@ -5,18 +5,33 @@
 [![Code Climate](https://codeclimate.com/github/sensu-plugins/sensu-plugins-ssl/badges/gpa.svg)](https://codeclimate.com/github/sensu-plugins/sensu-plugins-ssl)
 [![Test Coverage](https://codeclimate.com/github/sensu-plugins/sensu-plugins-ssl/badges/coverage.svg)](https://codeclimate.com/github/sensu-plugins/sensu-plugins-ssl)
 [![Dependency Status](https://gemnasium.com/sensu-plugins/sensu-plugins-ssl.svg)](https://gemnasium.com/sensu-plugins/sensu-plugins-ssl)
+[![Sensu Bonsai Asset](https://img.shields.io/badge/Bonsai-Download%20Me-brightgreen.svg?colorB=89C967&logo=sensu)](https://bonsai.sensu.io/assets/sensu-plugins/sensu-plugins-ssl)
 
+## Sensu Asset
+The Sensu assets packaged from this repository are built against the Sensu Ruby runtime environment. When using these assets as part of a Sensu Go resource (check, mutator or handler), make sure you include the corresponding Sensu Ruby runtime asset in the list of assets needed by the resource. The current ruby-runtime assets can be found [here](https://bonsai.sensu.io/assets/sensu/sensu-ruby-runtime) in the [Bonsai Asset Index](bonsai.sensu.io).
 ## Functionality
 
 ## Files
  * bin/check-java-keystore-cert.rb
+ * bin/check-ssl-anchor.rb
  * bin/check-ssl-crl.rb
  * bin/check-ssl-cert.rb
  * bin/check-ssl-host.rb
+ * bin/check-ssl-hsts-preload.rb
+ * bin/check-ssl-hsts-preloadable.rb
  * bin/check-ssl-qualys.rb
+ * bin/check-ssl-root-issuer.rb
 
 ## Usage
 
+### `bin/check-ssl-anchor.rb`
+
+Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance). Requires the `openssl` commandline tool to be available on the system.
+
+```
+./bin/check-ssl-anchor.rb -u example.com -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"
+```
+
 ### `bin/check-ssl-crl.rb`
 
 Checks a CRL has not or is not expiring by inspecting it's next update value.
@@ -35,8 +50,33 @@ or an online CRL:
 
 Critical and Warning thresholds are specified in minutes.
 
+### `bin/check-ssl-qualys.rb`
+
+Checks the ssllabs qualysis api for grade of your server, this check can be quite long so it should not be scheduled with a low interval and will probably need to adjust the check `timeout` options per the [check attributes spec](https://docs.sensu.io/sensu-core/1.2/reference/checks/#check-attributes) based on my tests you should expect this to take around 3 minutes.
+```
+./bin/check-ssl-qualys.rb -d google.com
+```
+
+### `bin/check-ssl-root-issuer.rb`
+
+Check that a specific website is chained to a specific root certificate issuer. This is a pure Ruby implementation, does not require the openssl cmdline client tool to be installed.
+
+```
+./bin/check-ssl-root-issuer.rb -u example.com -a "CN=DST Root CA X3,O=Digital Signature Trust Co."
+```
+
 ## Installation
 
 [Installation and Setup](http://sensu-plugins.io/docs/installation_instructions.html)
 
+## Testing
+
+To run the testing suite, you'll need to have a working `ruby` environment, `gem`, and `bundler` installed. We use `rake` to run the `rspec` tests automatically.
+
+    bundle install
+    bundle update
+    bundle exec rake
+
 ## Notes
+
+`bin/check-ssl-anchor.rb` and `bin/check-ssl-host.rb` would be good to run in combination with each other to test that the chain is anchored to a specific certificate and each certificate in the chain is correctly signed.

data/bin/check-java-keystore-cert.rb

@@ -1,4 +1,6 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: false
+
 #
 #   check-java-keystore-cert
 #
@@ -56,8 +58,8 @@ class CheckJavaKeystoreCert < Sensu::Plugin::Check::CLI
   def certificate_expiration_date
     result = `keytool -keystore #{Shellwords.escape(config[:path])} \
                       -export -alias #{Shellwords.escape(config[:alias])} \
-                      -storepass #{Shellwords.escape(config[:password])} 2>&1 | \
-              openssl x509 -enddate -inform der -noout 2>&1`
+                      -storepass #{Shellwords.escape(config[:password])} -rfc 2>&1 | \
+              openssl x509 -enddate -noout 2>&1`
 
     # rubocop:disable Style/SpecialGlobalVars
     unknown 'could not get certificate from keystore' unless $?.success?
@@ -75,7 +77,7 @@ class CheckJavaKeystoreCert < Sensu::Plugin::Check::CLI
 
     days_until = (certificate_expiration_date - Date.today).to_i
 
-    if days_until < 0
+    if days_until < 0 # rubocop: disable Style/NumericPredicate
       critical "Expired #{days_until.abs} days ago"
     elsif days_until < config[:critical]
       critical "#{days_until} days left"

data/bin/check-ssl-anchor.rb

@@ -0,0 +1,122 @@
+#! /usr/bin/env ruby
+# frozen_string_literal: false
+
+#
+#   check-ssl-anchor
+#
+# DESCRIPTION:
+#   Check that a certificate is chained to a specific root certificate
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#
+#   Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance)
+#       ./check-ssl-anchor.rb \
+#           -u example.com \
+#           -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"
+#
+# NOTES:
+#   This is basically a ruby wrapper around the following openssl command.
+#
+#       openssl s_client -connect example.com:443 -servername example.com
+#
+#
+#
+#   Use the -s flag if you need to override SNI (Server Name Indication). If you
+#   are seeing discrepencies between `openssl s_client` and browser, that's a good
+#   indication to use this flag.
+#
+# LICENSE:
+#   Copyright 2017 Phil Porada <philporada@gmail.com>
+#
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'sensu-plugin/check/cli'
+
+#
+# Check certificate is anchored to a specific root
+#
+class CheckSSLAnchor < Sensu::Plugin::Check::CLI
+  option :host,
+         description: 'Host to check',
+         short: '-h',
+         long: '--host HOST',
+         required: true
+
+  option :anchor,
+         description: 'An anchor looks something like /O=Digital Signature Trust Co./CN=DST Root CA X3',
+         short: '-a',
+         long: '--anchor ANCHOR_VAL',
+         required: true
+
+  option :regexp,
+         description: 'Treat the anchor as a regexp',
+         short: '-r',
+         long: '--regexp',
+         default: false,
+         boolean: true,
+         required: false
+
+  option :servername,
+         description: 'Set the TLS SNI (Server Name Indication) extension',
+         short: '-s',
+         long: '--servername SERVER'
+
+  option :port,
+         description: 'Port on server to check',
+         short: '-p',
+         long: '--port PORT',
+         default: 443
+
+  def validate_opts
+    config[:servername] = config[:host] unless config[:servername]
+  end
+
+  # Do the actual work and massage some data
+  def anchor_information
+    data = `openssl s_client \
+                -connect #{config[:host]}:#{config[:port]} \
+                -servername #{config[:servername]} < /dev/null 2>&1`.match(/Certificate chain(.*)---\nServer certificate/m)[1].split(/$/).map(&:strip)
+    data = data.reject(&:empty?)
+
+    unless data[0] =~ /0 s:\/?CN ?=.*/m
+      data = 'NOTOK'
+    end
+    data
+  end
+
+  def run
+    validate_opts
+    data = anchor_information
+    if data == 'NOTOK'
+      critical 'An error was encountered while trying to retrieve the certificate chain.'
+    end
+    puts config[:regexp]
+    # rubocop:disable Style/IfInsideElse
+    if config[:regexp]
+      anchor_regexp = Regexp.new(config[:anchor].to_s)
+      if data[-1] =~ anchor_regexp
+        ok 'Root anchor has been found.'
+      else
+        critical 'Root anchor did not match regexp /' + config[:anchor].to_s + "/\nFound \"" + data[-1] + '" instead.'
+      end
+    else
+      if data[-1] == config[:anchor].to_s
+        ok 'Root anchor has been found.'
+      else
+        critical 'Root anchor did not match string "' + config[:anchor].to_s + "\"\nFound \"" + data[-1] + '" instead.'
+      end
+    end
+    # rubocop:enable Style/IfInsideElse
+  end
+end

data/bin/check-ssl-cert.rb

@@ -1,4 +1,6 @@
 #! /usr/bin/env ruby
+# frozen_string_literal: false
+
 #
 #   check-ssl-cert
 #
@@ -117,7 +119,7 @@ class CheckSSLCert < Sensu::Plugin::Check::CLI
 
     days_until = (Date.parse(expiry.to_s) - Date.today).to_i
 
-    if days_until < 0
+    if days_until < 0 # rubocop:disable Style/NumericPredicate
       critical "Expired #{days_until.abs} days ago"
     elsif days_until < config[:critical].to_i
       critical "#{days_until} days left"

data/bin/check-ssl-crl.rb

@@ -1,4 +1,6 @@
 #! /usr/bin/env ruby
+# frozen_string_literal: false
+
 #
 #   check-ssl-crl
 #
@@ -65,10 +67,10 @@ class CheckSSLCRL < Sensu::Plugin::Check::CLI
   def run
     validate_opts
 
-    next_update = OpenSSL::X509::CRL.new(open(config[:url]).read).next_update
+    next_update = OpenSSL::X509::CRL.new(open(config[:url]).read).next_update # rubocop:disable Security/Open
     minutes_until = seconds_to_minutes(Time.parse(next_update.to_s) - Time.now)
 
-    critical "#{config[:url]} - Expired #{minutes_until.abs} minutes ago" if minutes_until < 0
+    critical "#{config[:url]} - Expired #{minutes_until.abs} minutes ago" if minutes_until < 0 # rubocop:disable Style/NumericPredicate
     critical "#{config[:url]} - #{minutes_until} minutes left, next update at #{next_update}" if minutes_until < config[:critical].to_i
     warning "#{config[:url]} - #{minutes_until} minutes left, next update at #{next_update}" if minutes_until < config[:warning].to_i
     ok "#{config[:url]} - #{minutes_until} minutes left, next update at #{next_update}"

data/bin/check-ssl-host.rb

@@ -1,5 +1,6 @@
 #!/usr/bin/env ruby
-# encoding: UTF-8
+# frozen_string_literal: false
+
 #  check-ssl-host.rb
 #
 # DESCRIPTION:
@@ -42,7 +43,7 @@ require 'socket'
 # Check SSL Host
 #
 class CheckSSLHost < Sensu::Plugin::Check::CLI
-  STARTTLS_PROTOS = %w(smtp imap).freeze
+  STARTTLS_PROTOS = %w[smtp imap].freeze
 
   check_name 'check_ssl_host'
 
@@ -104,7 +105,7 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
          long: '--starttls PROTO'
 
   def get_cert_chain(host, port, address, client_cert, client_key)
-    tcp_client = TCPSocket.new(address ? address : host, port)
+    tcp_client = TCPSocket.new(address ? address : host, port) # rubocop:disable Style/RedundantCondition
     handle_starttls(config[:starttls], tcp_client) if config[:starttls]
     ssl_context = OpenSSL::SSL::SSLContext.new
     ssl_context.cert = OpenSSL::X509::Certificate.new File.read(client_cert) if client_cert
@@ -139,6 +140,7 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
 
     status = socket.readline
     return if /^220 / =~ status
+
     critical "#{config[:host]} - did not receive SMTP 220 in response to STARTTLS"
   end
 
@@ -151,6 +153,7 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
 
     status = socket.readline
     return if /^a001 OK Begin TLS negotiation now/ =~ status
+
     critical "#{config[:host]} - did not receive OK Begin TLS negotiation now"
   end
 
@@ -158,7 +161,7 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
     # Expiry check
     days = (cert.not_after.to_date - Date.today).to_i
     message = "#{config[:host]} - #{days} days until expiry"
-    critical "#{config[:host]} - Expired #{days} days ago" if days < 0
+    critical "#{config[:host]} - Expired #{days} days ago" if days < 0 # rubocop:disable Style/NumericPredicate
     critical message if days < config[:critical]
     warning message if days < config[:warning]
     ok message

data/bin/check-ssl-hsts-preloadable.rb

@@ -0,0 +1,81 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: false
+
+#  check-ssl-hsts-preloadable.rb
+#
+# DESCRIPTION:
+#   Checks a domain against the chromium HSTS API returning errors/warnings if the domain is preloadable
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#   # Basic usage
+#   check-ssl-hsts-preloadable.rb -d <domain_name>
+#
+# LICENSE:
+#   Copyright 2017 Rowan Wookey <admin@rwky.net>
+#   Released under the same terms as Sensu (the MIT license); see LICENSE for
+#   details.
+#
+#   Inspired by https://github.com/sensu-plugins/sensu-plugins-ssl/blob/master/bin/check-ssl-qualys.rb Copyright 2015 William Cooke <will@bruisyard.eu>
+#
+
+require 'sensu-plugin/check/cli'
+require 'json'
+require 'net/http'
+
+class CheckSSLHSTSPreloadable < Sensu::Plugin::Check::CLI
+  option :domain,
+         description: 'The domain to run the test against',
+         short: '-d DOMAIN',
+         long: '--domain DOMAIN',
+         required: true
+
+  option :api_url,
+         description: 'The URL of the API to run against',
+         long: '--api-url URL',
+         default: 'https://hstspreload.org/api/v2/preloadable'
+
+  def fetch(uri, limit = 10)
+    if limit == 0 # rubocop:disable Style/NumericPredicate
+      return nil
+    end
+
+    response = Net::HTTP.get_response(uri)
+
+    case response
+    when Net::HTTPSuccess
+      response
+    when Net::HTTPRedirection
+      location = URI(response['location'])
+      fetch(location, limit - 1)
+    end
+  end
+
+  def run
+    uri       = URI(config[:api_url])
+    uri.query = URI.encode_www_form(domain: config[:domain])
+    response = fetch(uri)
+    if response.nil?
+      return warning 'Bad response recieved from API'
+    end
+
+    body = JSON.parse(response.body)
+    if !body['errors'].empty?
+      critical body['errors'].map { |u| u['summary'] }.join(', ')
+    elsif !body['warnings'].empty?
+      warning body['warnings'].map { |u| u['summary'] }.join(', ')
+    else
+      ok
+    end
+  end
+end
+
+# vim: set tabstop=2 shiftwidth=2 expandtab:

data/bin/check-ssl-hsts-status.rb

@@ -0,0 +1,103 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: false
+
+#  check-ssl-hsts-preload.rb
+#
+# DESCRIPTION:
+#   Checks a domain against the chromium HSTS API reporting on the preload status of the domain
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#   # Basic usage
+#   check-ssl-hsts-preload.rb -d <domain_name>
+#   # Specify the CRITICAL and WARNING alerts to either unknown (not in the database), pending or preloaded
+#   check-ssl-hsts-preload.rb -d <domain_name> -c <critical_alert> -w <warning_alert>
+#
+# LICENSE:
+#   Copyright 2017 Rowan Wookey <admin@rwky.net>
+#   Released under the same terms as Sensu (the MIT license); see LICENSE for
+#   details.
+#
+#   Inspired by https://github.com/sensu-plugins/sensu-plugins-ssl/blob/master/bin/check-ssl-qualys.rb Copyright 2015 William Cooke <will@bruisyard.eu>
+#
+
+require 'sensu-plugin/check/cli'
+require 'json'
+require 'net/http'
+
+class CheckSSLHSTSStatus < Sensu::Plugin::Check::CLI
+  STATUSES = %w[unknown pending preloaded].freeze
+
+  option :domain,
+         description: 'The domain to run the test against',
+         short: '-d DOMAIN',
+         long: '--domain DOMAIN',
+         required: true
+
+  option :warn,
+         short: '-w STATUS',
+         long: '--warn STATUS',
+         description: 'WARNING if this status or worse',
+         in: STATUSES,
+         default: 'pending'
+
+  option :critical,
+         short: '-c STATUS',
+         long: '--critical STATUS',
+         description: 'CRITICAL if this status or worse',
+         in: STATUSES,
+         default: 'unknown'
+
+  option :api_url,
+         description: 'The URL of the API to run against',
+         long: '--api-url URL',
+         default: 'https://hstspreload.org/api/v2/status'
+
+  def fetch(uri, limit = 10)
+    if limit == 0 # rubocop:disable Style/NumericPredicate
+      return nil
+    end
+
+    response = Net::HTTP.get_response(uri)
+
+    case response
+    when Net::HTTPSuccess
+      response
+    when Net::HTTPRedirection
+      location = URI(response['location'])
+      fetch(location, limit - 1)
+    end
+  end
+
+  def run
+    uri       = URI(config[:api_url])
+    uri.query = URI.encode_www_form(domain: config[:domain])
+    response  = fetch(uri)
+    if response.nil?
+      return warning 'Bad response recieved from API'
+    end
+
+    body = JSON.parse(response.body)
+    unless STATUSES.include? body['status']
+      warning 'Invalid status returned ' + body['status']
+    end
+
+    if STATUSES.index(body['status']) <= STATUSES.index(config[:critical])
+      critical body['status']
+    elsif STATUSES.index(body['status']) <= STATUSES.index(config[:warn])
+      warning body['status']
+    else
+      ok
+    end
+  end
+end
+
+# vim: set tabstop=2 shiftwidth=2 expandtab:

data/bin/check-ssl-qualys.rb

@@ -1,5 +1,6 @@
 #!/usr/bin/env ruby
-# encoding: UTF-8
+# frozen_string_literal: false
+
 #  check-ssl-qualys.rb
 #
 # DESCRIPTION:
@@ -41,6 +42,7 @@
 require 'sensu-plugin/check/cli'
 require 'json'
 require 'net/http'
+require 'timeout'
 
 # Checks a single DNS entry has a rating above a certain level
 class CheckSSLQualys < Sensu::Plugin::Check::CLI
@@ -56,7 +58,7 @@ class CheckSSLQualys < Sensu::Plugin::Check::CLI
   option :api_url,
          description: 'The URL of the API to run against',
          long: '--api-url URL',
-         default: 'https://api.ssllabs.com/api/v2/'
+         default: 'https://api.ssllabs.com/api/v3/'
 
   option :warn,
          short: '-w GRADE',
@@ -72,6 +74,12 @@ class CheckSSLQualys < Sensu::Plugin::Check::CLI
          proc: proc { |g| GRADE_OPTIONS.index(g) },
          default: 3 # 'B'
 
+  option :debug,
+         long: '--debug BOOL',
+         description: 'toggles extra debug printing',
+         boolean: true,
+         default: false
+
   option :num_checks,
          short: '-n NUM_CHECKS',
          long: '--number-checks NUM_CHECKS',
@@ -82,17 +90,31 @@ class CheckSSLQualys < Sensu::Plugin::Check::CLI
   option :between_checks,
          short: '-t SECONDS',
          long: '--time-between SECONDS',
-         description: 'The time between each poll of the API',
+         description: 'The fallback time between each poll of the API, when an ETA is given by the previous response and is higher than this value it is used',
          proc: proc { |t| t.to_i },
          default: 10
 
+  option :timeout,
+         long: '--timeout SECONDS',
+         descriptions: 'the amount of seconds that this is allowed to run for',
+         proc: proc(&:to_i),
+         default: 300
+
   def ssl_api_request(from_cache)
     params = { host: config[:domain] }
-    params[:startNew] = 'on' unless from_cache
+    params[:startNew] = if from_cache == true
+                          'off'
+                        else
+                          'on'
+                        end
 
     uri       = URI("#{config[:api_url]}analyze")
     uri.query = URI.encode_www_form(params)
-    response  = Net::HTTP.get_response(uri)
+    begin
+      response = Net::HTTP.get_response(uri)
+    rescue StandardError => e
+      warning e
+    end
 
     warning 'Bad response recieved from API' unless response.is_a?(Net::HTTPSuccess)
 
@@ -107,11 +129,38 @@ class CheckSSLQualys < Sensu::Plugin::Check::CLI
 
   def ssl_recheck
     1.upto(config[:num_checks]) do |step|
-      json = ssl_check(step != 1)
+      p "step: #{step}" if config[:debug]
+      start_time = Time.now
+      p "start_time: #{start_time}" if config[:debug]
+      json = if step == 1
+               ssl_check(false)
+             else
+               ssl_check(true)
+             end
       return json if json['status'] == 'READY'
-      sleep(config[:between_checks])
+
+      if json['endpoints'] && json['endpoints'].is_a?(Array) # rubocop:disable Style/SafeNavigation
+        p "endpoints: #{json['endpoints']}" if config[:debug]
+        # The api response sometimes has low eta (which seems unrealistic) from
+        # my tests that can be 0 or low numbers which would imply it is done...
+        # Basically we check if present and if its higher than the specified
+        # time to wait between checks. If so we use the eta from the api get
+        # response otherwise we use the time between check values. We have an
+        # overall timeout that protects us from the api telling us to wait for
+        # insanely long time periods. The highest I have seen the eta go was
+        # around 250 seconds but put it in just in case as the api has very
+        # erratic response times.
+        if json['endpoints'].first.is_a?(Hash) && json['endpoints'].first.key?('eta') && json['endpoints'].first['eta'] > config[:between_checks]
+          p "eta: #{json['endpoints'].first['eta']}" if config[:debug]
+          sleep(json['endpoints'].first['eta'])
+        else
+          p "sleeping with default: #{config[:between_checks]}" if config[:debug]
+          sleep(config[:between_checks])
+        end
+      end
+      p "elapsed: #{Time.now - start_time}" if config[:debug]
+      warning 'Timeout waiting for check to finish' if step == config[:num_checks]
     end
-    warning 'Timeout waiting for check to finish'
   end
 
   def ssl_grades
@@ -121,23 +170,25 @@ class CheckSSLQualys < Sensu::Plugin::Check::CLI
   end
 
   def lowest_grade
-    ssl_grades.sort_by! { |g| GRADE_OPTIONS.index(g) } .reverse![0]
+    ssl_grades.sort_by! { |g| GRADE_OPTIONS.index(g) }.reverse![0]
   end
 
   def run
-    grade = lowest_grade
-    unless grade
-      message "#{config[:domain]} not rated"
-      critical
-    end
-    message "#{config[:domain]} rated #{grade}"
-    grade_rank = GRADE_OPTIONS.index(grade)
-    if grade_rank > config[:critical]
-      critical
-    elsif grade_rank > config[:warn]
-      warning
-    else
-      ok
+    Timeout.timeout(config[:timeout]) do
+      grade = lowest_grade
+      unless grade
+        message "#{config[:domain]} not rated"
+        critical
+      end
+      message "#{config[:domain]} rated #{grade}"
+      grade_rank = GRADE_OPTIONS.index(grade)
+      if grade_rank > config[:critical]
+        critical
+      elsif grade_rank > config[:warn]
+        warning
+      else
+        ok
+      end
     end
   end
 end

data/bin/check-ssl-root-issuer.rb

@@ -0,0 +1,128 @@
+#! /usr/bin/env ruby
+# frozen_string_literal: false
+
+#
+#   check-ssl-root-issuer
+#
+# DESCRIPTION:
+#   Check that a certificate is chained to a specific root certificate issuer
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#
+#   Check that a specific website is chained to a specific root certificate
+#       ./check-ssl-root-issuer.rb \
+#           -u https://example.com \
+#           -i "CN=DST Root CA X3,O=Digital Signature Trust Co."
+#
+# LICENSE:
+#   Copyright Jef Spaleta (jspaleta@gmail.com) 2020
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'sensu-plugin/check/cli'
+require 'openssl'
+require 'uri'
+require 'net/http'
+require 'net/https'
+
+#
+# Check root certificate has specified issuer name
+#
+class CheckSSLRootIssuer < Sensu::Plugin::Check::CLI
+  option :url,
+         description: 'Url to check: Ex "https://google.com"',
+         short: '-u',
+         long: '--url URL',
+         required: true
+
+  option :issuer,
+         description: 'An X509 certificate issuer name, RFC2253 format Ex: "CN=DST Root CA X3,O=Digital Signature Trust Co."',
+         short: '-i',
+         long: '--issuer ISSUER_NAME',
+         required: true
+
+  option :regexp,
+         description: 'Treat the issuer name as a regexp',
+         short: '-r',
+         long: '--regexp',
+         default: false,
+         boolean: true,
+         required: false
+
+  option :format,
+         description: 'optional issuer name format.',
+         short: '-f',
+         long: '--format FORMAT_VAL',
+         default: 'RFC2253',
+         in: %w[RFC2253 ONELINE COMPAT],
+         required: false
+
+  def cert_name_format
+    # Note: because format argument is pre-validated by mixin 'in' logic eval is safe to use
+    eval "OpenSSL::X509::Name::#{config[:format]}" # rubocop:disable Security/Eval, Style/EvalWithLocation
+  end
+
+  def validate_issuer(cert)
+    issuer = cert.issuer.to_s(cert_name_format)
+    if config[:regexp]
+      issuer_regexp = Regexp.new(config[:issuer].to_s)
+      issuer =~ issuer_regexp
+    else
+      issuer == config[:issuer].to_s
+    end
+  end
+
+  def find_root_cert(uri)
+    root_cert = nil
+    http = Net::HTTP.new(uri.host, uri.port)
+    http.open_timeout = 10
+    http.read_timeout = 10
+    http.use_ssl = true
+    http.cert_store = OpenSSL::X509::Store.new
+    http.cert_store.set_default_paths
+    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+    http.verify_callback = lambda { |verify_ok, store_context|
+      root_cert = store_context.current_cert unless root_cert # rubocop:disable Style/OrAssignment
+      unless verify_ok
+        @failed_cert = store_context.current_cert
+        @failed_cert_reason = [store_context.error, store_context.error_string] if store_context.error != 0
+      end
+      verify_ok
+    }
+    http.start {}
+    root_cert
+  end
+
+  # Do the actual work and massage some data
+
+  def run
+    @fail_cert = nil
+    @failed_cert_reason = 'Unknown'
+    uri = URI.parse(config[:url])
+    critical "url protocol must be https, you specified #{url}" if uri.scheme != 'https'
+    root_cert = find_root_cert(uri)
+    if @failed_cert
+      msg = "Certificate verification failed.\n Reason: #{@failed_cert_reason}"
+      critical msg
+    end
+
+    if validate_issuer(root_cert)
+      msg = 'Root certificate in chain has expected issuer name'
+      ok msg
+    else
+      msg = "Root certificate issuer did not match expected name.\nFound: \"#{root_cert.issuer.to_s(config[:issuer_format])}\""
+      critical msg
+    end
+  end
+end

data/lib/sensu-plugins-ssl.rb

@@ -1 +1,3 @@
+# frozen_string_literal: true
+
 require 'sensu-plugins-ssl/version'

data/lib/sensu-plugins-ssl/version.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module SensuPluginsSSL
   module Version
-    MAJOR = 1
-    MINOR = 3
-    PATCH = 1
+    MAJOR = 3
+    MINOR = 0
+    PATCH = 0
 
     VER_STRING = [MAJOR, MINOR, PATCH].compact.join('.')
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sensu-plugins-ssl
 version: !ruby/object:Gem::Version
-  version: 1.3.1
+  version: 3.0.0
 platform: ruby
 authors:
 - Sensu-Plugins and contributors
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-31 00:00:00.000000000 Z
+date: 2020-08-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sensu-plugin
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '2.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: codeclimate-test-reporter
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: redcarpet
   requirement: !ruby/object:Gem::Requirement
@@ -128,52 +128,56 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.40.0
+        version: 0.89.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.40.0
+        version: 0.89.1
 - !ruby/object:Gem::Dependency
-  name: yard
+  name: timecop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: 0.8.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: 0.8.0
 - !ruby/object:Gem::Dependency
-  name: timecop
+  name: yard
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: '0.8'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: '0.8'
 description: |-
   This plugin provides native SSL instrumentation
                                 for monitoring, including: hostname and chain
                                 verification, cert and crl expiry, and Qualys SSL Labs reporting
 email: "<sensu-users@googlegroups.com>"
 executables:
-- check-java-keystore-cert.rb
+- check-ssl-hsts-status.rb
+- check-ssl-root-issuer.rb
 - check-ssl-cert.rb
+- check-java-keystore-cert.rb
 - check-ssl-crl.rb
+- check-ssl-anchor.rb
 - check-ssl-host.rb
+- check-ssl-hsts-preloadable.rb
 - check-ssl-qualys.rb
 extensions: []
 extra_rdoc_files: []
@@ -182,10 +186,14 @@ files:
 - LICENSE
 - README.md
 - bin/check-java-keystore-cert.rb
+- bin/check-ssl-anchor.rb
 - bin/check-ssl-cert.rb
 - bin/check-ssl-crl.rb
 - bin/check-ssl-host.rb
+- bin/check-ssl-hsts-preloadable.rb
+- bin/check-ssl-hsts-status.rb
 - bin/check-ssl-qualys.rb
+- bin/check-ssl-root-issuer.rb
 - lib/sensu-plugins-ssl.rb
 - lib/sensu-plugins-ssl/version.rb
 homepage: https://github.com/sensu-plugins/sensu-plugins-ssl
@@ -206,15 +214,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.0.0
+      version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: Sensu plugins for SSL