RubyGems - sensu-plugins-ssl - Versions diffs - 1.0.0 → 1.1.0 - Mend

sensu-plugins-ssl 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +16 -1
data/README.md +22 -2
data/bin/check-java-keystore-cert.rb +87 -0
data/bin/check-ssl-crl.rb +76 -0
data/bin/check-ssl-host.rb +40 -6
data/bin/check-ssl-qualys.rb +10 -2
data/lib/sensu-plugins-ssl/version.rb +1 -1
metadata +22 -5

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bd6139788580da152ea21011bcf673388d067cf2
-  data.tar.gz: 96c53d56a691211326adc84b967e0282bf31c7fc
+  metadata.gz: ad7f900ae9946ad4bb040d4e7968761847ca38f6
+  data.tar.gz: f7485dfc07f15d1789ef4000455a60e3b32c78d8
 SHA512:
-  metadata.gz: 9aa9628fc76a95b28c8cd070cc5676e834ee950e7a69edc1569dd117dd5397300ee1ce7e9561f2c025172b121eb71f53d8283e1e6c760ed575fd83d071b0fa1f
-  data.tar.gz: f2fdde4418085c7167972c88e44e3728e15d9a69cb9506da3f9149a5e119ab4231984f2648a70a48aa0d3a15d56fac1fec3f9e5d451274c8f22c110dd49a14d9
+  metadata.gz: 2c2a81176f56ca91455c54ffa18e62f34e26d9fb1cc29cbdd53e9fa421aa5e7552f251e799fd4191ff806dbe228e3b29b9261d7a3bd4f76b449b89f4a544d405
+  data.tar.gz: 17e6353a089229402fb90abc4a2729a0221e43f4fd820aa3b402d32da60318e1c9e8207a18cdaf870c170ddc1258b432c0f7aefd114a6de607adc0a203dc962f

data/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,20 @@ This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachang
 ## [Unreleased]
+## [1.1.0] - 2017-02-28
+### Added
+- `check-ssl-host.rb`: Add optional `address` command line parameter for specifying the address of the server to
+   connect to, to override the `hostname` parameter (which is still used for verification/SNI) (@advance512)
+- `check-ssl-host.rb`: Better error message when unable to connect to target host (@johntdyer)
+- `check-ssl-host.rb`: Add support for client certificates (@modax)
+- `check-ssl-host.rb`: Add basic IMAP STARTTLS negotiation (@lobeck)
+- `check-java-keystore-cert.rb`: Add new check to verify a certificate in a Java Keystore has not expired. (@joerayme)
+- `check-ssl-crl.rb`: Add check for expiring CRL (@shoekstra)
+### Fixed
+- `check-ssl-qualys.rb`: Handle API errors with status unknown instead of unhandled "Check failed to run". (@11mariom)
+- `check-ssl-qualys.rb`: Handle nil grade_rank as critical not rated (@11mariom)
 ## [1.0.0]
 ### Changed
 - Updated Rubocop to 0.40, applied auto-correct
@@ -47,7 +61,8 @@ This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachang
 ### Added
 - initial release
-[unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.0.0...HEAD
+[unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.1.0...HEAD
+[1.1.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.0.0...1.1.0
 [1.0.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/0.0.6...1.0.0
 [0.0.6]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/0.0.5...0.0.6
 [0.0.5]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/0.0.4...0.0.5

data/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
-## Sensu-Plugins-ssl
+## Sensu-Plugins-SSL
-[ ![Build Status](https://travis-ci.org/sensu-plugins/sensu-plugins-ssl.svg?branch=master)](https://travis-ci.org/sensu-plugins/sensu-plugins-ssl)
+[![Build Status](https://travis-ci.org/sensu-plugins/sensu-plugins-ssl.svg?branch=master)](https://travis-ci.org/sensu-plugins/sensu-plugins-ssl)
 [![Gem Version](https://badge.fury.io/rb/sensu-plugins-ssl.svg)](http://badge.fury.io/rb/sensu-plugins-ssl)
 [![Code Climate](https://codeclimate.com/github/sensu-plugins/sensu-plugins-ssl/badges/gpa.svg)](https://codeclimate.com/github/sensu-plugins/sensu-plugins-ssl)
 [![Test Coverage](https://codeclimate.com/github/sensu-plugins/sensu-plugins-ssl/badges/coverage.svg)](https://codeclimate.com/github/sensu-plugins/sensu-plugins-ssl)
@@ -9,12 +9,32 @@
 ## Functionality
 ## Files
+ * bin/check-java-keystore-cert.rb
+ * bin/check-ssl-crl.rb
  * bin/check-ssl-cert.rb
  * bin/check-ssl-host.rb
  * bin/check-ssl-qualys.rb
 ## Usage
+### `bin/check-ssl-crl.rb`
+Checks a CRL has not or is not expiring by inspecting it's next update value.
+You can check against a CRL file on disk:
+```
+./bin/check-ssl-crl -c 300 -w 600 -u /path/to/crl
+```
+or an online CRL:
+```
+./bin/check-ssl-crl -c 300 -w 600 -u http://www.website.com/file.crl
+```
+Critical and Warning thresholds are specified in minutes.
 ## Installation
 [Installation and Setup](http://sensu-plugins.io/docs/installation_instructions.html)

data/bin/check-java-keystore-cert.rb ADDED Viewed

@@ -0,0 +1,87 @@
+#!/usr/bin/env ruby
+#
+#   check-java-keystore-cert
+#
+# DESCRIPTION:
+#   Check when a certificate stored in a Java Keystore will expire
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#   example commands
+#
+# NOTES:
+#   Does it behave differently on specific platforms, specific use cases, etc
+#
+require 'date'
+require 'sensu-plugin/check/cli'
+class CheckJavaKeystoreCert < Sensu::Plugin::Check::CLI
+  option :path,
+         long: '--path PATH',
+         description: '',
+         required: true
+  option :alias,
+         long: '--alias ALIAS',
+         description: '',
+         required: true
+  option :password,
+         long: '--password PASSWORD',
+         description: '',
+         required: true
+  option :warning,
+         long: '--warning DAYS',
+         description: '',
+         proc: proc { |v| v.to_i },
+         required: true
+  option :critical,
+         long: '--critical DAYS',
+         description: '',
+         proc: proc { |v| v.to_i },
+         required: true
+  def certificate_expiration_date
+    result = `keytool -keystore #{config[:path]} \
+                      -export -alias #{config[:alias]} \
+                      -storepass #{config[:password]} 2>&1 | \
+              openssl x509 -enddate -inform der -noout 2>&1`
+    # rubocop:disable Style/SpecialGlobalVars
+    unknown 'could not get certificate from keystore' unless $?.success?
+    # rubocop:enable Style/SpecialGlobalVars
+    Date.parse(result.split('=').last)
+  end
+  def validate_opts
+    unknown 'warning cannot be less than critical' if config[:warning] < config[:critical]
+  end
+  def run
+    validate_opts
+    days_until = (certificate_expiration_date - Date.today).to_i
+    if days_until < 0
+      critical "Expired #{days_until.abs} days ago"
+    elsif days_until < config[:critical]
+      critical "#{days_until} days left"
+    elsif days_until < config[:warning]
+      warning "#{days_until} days left"
+    end
+    ok "#{days_until} days left"
+  end
+end

data/bin/check-ssl-crl.rb ADDED Viewed

@@ -0,0 +1,76 @@
+#! /usr/bin/env ruby
+#
+#   check-ssl-crl
+#
+# DESCRIPTION:
+#   Check in minutes when a certificate revocation list will expire.
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#   ./check-ssl-crl -c 300 -w 600 -u /path/to/crl
+#   ./check-ssl-crl -c 300 -w 600 -u http://www.website.com/file.crl
+#
+# LICENSE:
+#   Stephen Hoekstra <shoekstra@schubergphilis.com>
+#
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+require 'open-uri'
+require 'openssl'
+require 'sensu-plugin/check/cli'
+require 'time'
+#
+# Check SSL Cert
+#
+class CheckSSLCRL < Sensu::Plugin::Check::CLI
+  option :critical,
+         description: 'Numbers of minutes left',
+         short: '-c',
+         long: '--critical MINUTES',
+         proc: proc { |v| v.to_i },
+         required: true
+  option :url,
+         description: 'URL (or path) to CRL file',
+         short: '-u',
+         long: '--url URL',
+         required: true
+  option :warning,
+         description: 'Numbers of minutes left',
+         short: '-w',
+         long: '--warning MINUTES',
+         proc: proc { |v| v.to_i },
+         required: true
+  def seconds_to_minutes(seconds)
+    (seconds / 60).to_i
+  end
+  def validate_opts
+    unknown 'warning cannot be less than critical' if config[:warning] < config[:critical]
+  end
+  def run
+    validate_opts
+    next_update = OpenSSL::X509::CRL.new(open(config[:url]).read).next_update
+    minutes_until = seconds_to_minutes(Time.parse(next_update.to_s) - Time.now)
+    critical "#{config[:url]} - Expired #{minutes_until.abs} minutes ago" if minutes_until < 0
+    critical "#{config[:url]} - #{minutes_until} minutes left, next update at #{next_update}" if minutes_until < config[:critical].to_i
+    warning "#{config[:url]} - #{minutes_until} minutes left, next update at #{next_update}" if minutes_until < config[:warning].to_i
+    ok "#{config[:url]} - #{minutes_until} minutes left, next update at #{next_update}"
+  end
+end

data/bin/check-ssl-host.rb CHANGED Viewed

@@ -42,7 +42,7 @@ require 'socket'
 # Check SSL Host
 #
 class CheckSSLHost < Sensu::Plugin::Check::CLI
-  STARTTLS_PROTOS = %w(smtp).freeze
+  STARTTLS_PROTOS = %w(smtp imap).freeze
   check_name 'check_ssl_host'
@@ -62,7 +62,8 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
          default: 14
   option :host,
-         description: 'Hostname of server to check',
+         description: 'Hostname of the server certificate to check, by default used as the server address if none ' \
+                      'is given',
          short: '-h',
          long: '--host HOST',
          required: true
@@ -73,6 +74,20 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
          long: '--port PORT',
          default: 443
+  option :address,
+         description: 'Address of server to check. This is used instead of the host argument for the TCP connection, ' \
+                      'however the server hostname is still used for the TLS/SSL context.',
+         short: '-a',
+         long: '--address ADDRESS'
+  option :client_cert,
+         description: 'Path to the client certificate in DER/PEM format',
+         long: '--client-cert CERT'
+  option :client_key,
+         description: 'Path to the client RSA key in DER/PEM format',
+         long: '--client-key KEY'
   option :skip_hostname_verification,
          description: 'Disables hostname verification',
          long: '--skip-hostname-verification',
@@ -88,13 +103,18 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
                       "(#{STARTTLS_PROTOS.join(', ')})",
          long: '--starttls PROTO'
-  def get_cert_chain(host, port)
-    tcp_client = TCPSocket.new(host, port)
+  def get_cert_chain(host, port, address, client_cert, client_key)
+    tcp_client = TCPSocket.new(address ? address : host, port)
     handle_starttls(config[:starttls], tcp_client) if config[:starttls]
     ssl_context = OpenSSL::SSL::SSLContext.new
+    ssl_context.cert = OpenSSL::X509::Certificate.new File.read(client_cert) if client_cert
+    ssl_context.key = OpenSSL::PKey::RSA.new File.read(client_key) if client_key
     ssl_client = OpenSSL::SSL::SSLSocket.new(tcp_client, ssl_context)
-    # SNI
+    # If the OpenSSL version in use supports Server Name Indication (SNI, RFC 3546), then we set the hostname we
+    # received to request that certificate.
     ssl_client.hostname = host if ssl_client.respond_to? :hostname=
     ssl_client.connect
     certs = ssl_client.peer_cert_chain
     ssl_client.close
@@ -122,6 +142,18 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
     critical "#{config[:host]} - did not receive SMTP 220 in response to STARTTLS"
   end
+  def starttls_imap(socket)
+    status = socket.readline
+    unless /^* OK / =~ status
+      critical "#{config[:host]} - did not receive initial * OK"
+    end
+    socket.puts 'a001 STARTTLS'
+    status = socket.readline
+    return if /^a001 OK Begin TLS negotiation now/ =~ status
+    critical "#{config[:host]} - did not receive OK Begin TLS negotiation now"
+  end
   def verify_expiry(cert)
     # Expiry check
     days = (cert.not_after.to_date - Date.today).to_i
@@ -154,9 +186,11 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
   end
   def run
-    chain = get_cert_chain(config[:host], config[:port])
+    chain = get_cert_chain(config[:host], config[:port], config[:address], config[:client_cert], config[:client_key])
     verify_hostname(chain[0]) unless config[:skip_hostname_verification]
     verify_certificate_chain(chain) unless config[:skip_chain_verification]
     verify_expiry(chain[0])
+  rescue Errno::ECONNRESET => e
+    critical "#{e.class} - #{e.message}"
   end
 end

data/bin/check-ssl-qualys.rb CHANGED Viewed

@@ -90,8 +90,12 @@ class CheckSSLQualys < Sensu::Plugin::Check::CLI
   def ssl_api_request(from_cache)
     params = { host: config[:domain] }
     params[:startNew] = 'on' unless from_cache
-    r = RestClient.get("#{config[:api_url]}analyze", params: params)
-    warning "HTTP#{r.code} recieved from API" unless r.code == 200
+    begin
+      r = RestClient.get("#{config[:api_url]}analyze", params: params)
+      warning "HTTP#{r.code} recieved from API" unless r.code == 200
+    rescue RestClient::ExceptionWithResponse => e
+      unknown e.response
+    end
     JSON.parse(r.body)
   end
@@ -122,6 +126,10 @@ class CheckSSLQualys < Sensu::Plugin::Check::CLI
   def run
     grade = lowest_grade
+    unless grade
+      message "#{config[:domain]} not rated"
+      critical
+    end
     message "#{config[:domain]} rated #{grade}"
     grade_rank = GRADE_OPTIONS.index(grade)
     if grade_rank > config[:critical]

data/lib/sensu-plugins-ssl/version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 module SensuPluginsSSL
   module Version
     MAJOR = 1
-    MINOR = 0
+    MINOR = 1
     PATCH = 0
     VER_STRING = [MAJOR, MINOR, PATCH].compact.join('.')

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sensu-plugins-ssl
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Sensu-Plugins and contributors
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-06-20 00:00:00.000000000 Z
+date: 2017-03-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sensu-plugin
@@ -164,13 +164,29 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.8.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.8.0
 description: |-
   This plugin provides native SSL instrumentation
                                 for monitoring, including: hostname and chain
-                                verification, cert expiry, and Qualys SSL Labs reporting
+                                verification, cert and crl expiry, and Qualys SSL Labs reporting
 email: "<sensu-users@googlegroups.com>"
 executables:
+- check-java-keystore-cert.rb
 - check-ssl-cert.rb
+- check-ssl-crl.rb
 - check-ssl-host.rb
 - check-ssl-qualys.rb
 extensions: []
@@ -179,7 +195,9 @@ files:
 - CHANGELOG.md
 - LICENSE
 - README.md
+- bin/check-java-keystore-cert.rb
 - bin/check-ssl-cert.rb
+- bin/check-ssl-crl.rb
 - bin/check-ssl-host.rb
 - bin/check-ssl-qualys.rb
 - lib/sensu-plugins-ssl.rb
@@ -210,9 +228,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.5.1
+rubygems_version: 2.4.5
 signing_key:
 specification_version: 4
 summary: Sensu plugins for SSL
 test_files: []
-has_rdoc: