sensu-plugins-ssl 1.4.0 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4bb08666a55b083ef5b2e8c252152420e943da99
-  data.tar.gz: c32e3f6fd49c1436073833748c619c571f7d0947
+  metadata.gz: 7e23f7f9bda17a902a794ba2b392db1fab95bc18
+  data.tar.gz: dcfb2876610019130353b96e5eeee56ce760b7bf
 SHA512:
-  metadata.gz: 7999f8f52dd451240c33c68c3f8d5ed1b9c2e7fe6777b7462cde2d3aedf7f290121c2761233a48e67205929b26a1a5a25fa2dbde8b0b5e34338059bf78dca699
-  data.tar.gz: f1e7d24517dcae4ab6ad0098e951a9bed7ab8cdfab4b71f90db73c4c0965595bc3016161a962bc5e865a1736cffb60d45191eed9b06354bf5dbd4b6f6901e311
+  metadata.gz: 055dd188beb7356eb2c10edfab2db5432343910d4548a6ab4f911860bd27d93814b8e896ea02a54d240c265140ded0edf1209433f1d49c30ad1c45f6f78af200
+  data.tar.gz: 9724710d3b54fb0d20538232cefb3992fa1ef7c707489c4cb6bc15de62a9e098cebb983016396344ee6ca6781af5a87f647ba76e9d6dcee92786ee3041422593

data/CHANGELOG.md

@@ -1,10 +1,23 @@
 # Change Log
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachangelog.com/)
+This CHANGELOG follows the format listed [here](https://github.com/sensu-plugins/community/blob/master/HOW_WE_CHANGELOG.md).
 
 ## [Unreleased]
 
+## [1.5.0] - 2017-09-26
+### Added
+- Ruby 2.4.1 testing
+- `check-ssl-hsts-preload.rb`: Added check for testing preload status of HSTS (@rwky)
+- `check-ssl-hsts-preloadable.rb`: Added check for testing if a domain can be HSTS preloaded (@rwky)
+
+### Changed
+- updated CHANGELOG guidelines location (@majormoses)
+
+### Fixed
+- `check-java-keystore-cert.rb`: Export cert in PEM format to fix tests that broke going from Precise to Trusty travis workers (@eheydrick)
+- fixed spelling in github pr template (@majormoses)
+
 ## [1.4.0] - 2017-06-20
 ### Added
 - `check-ssl-anchor.rb`: Add check for a specific root certificate signature. (@pgporada)
@@ -78,7 +91,8 @@ This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachang
 ### Added
 - initial release
 
-[Unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.4.0...HEAD
+[Unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.5.0...HEAD
+[1.5.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.4.0...1.5.0
 [1.4.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.1...1.4.0
 [1.3.1]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.0...1.3.1
 [1.3.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.2.0...1.3.0

data/README.md

@@ -14,6 +14,8 @@
  * bin/check-ssl-crl.rb
  * bin/check-ssl-cert.rb
  * bin/check-ssl-host.rb
+ * bin/check-ssl-hsts-preload.rb
+ * bin/check-ssl-hsts-preloadable.rb
  * bin/check-ssl-qualys.rb
 
 ## Usage

data/bin/check-java-keystore-cert.rb

@@ -56,8 +56,8 @@ class CheckJavaKeystoreCert < Sensu::Plugin::Check::CLI
   def certificate_expiration_date
     result = `keytool -keystore #{Shellwords.escape(config[:path])} \
                       -export -alias #{Shellwords.escape(config[:alias])} \
-                      -storepass #{Shellwords.escape(config[:password])} 2>&1 | \
-              openssl x509 -enddate -inform der -noout 2>&1`
+                      -storepass #{Shellwords.escape(config[:password])} -rfc 2>&1 | \
+              openssl x509 -enddate -noout 2>&1`
 
     # rubocop:disable Style/SpecialGlobalVars
     unknown 'could not get certificate from keystore' unless $?.success?

data/bin/check-ssl-hsts-preloadable.rb

@@ -0,0 +1,79 @@
+#!/usr/bin/env ruby
+# encoding: UTF-8
+#  check-ssl-hsts-preloadable.rb
+#
+# DESCRIPTION:
+#   Checks a domain against the chromium HSTS API returning errors/warnings if the domain is preloadable
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#   # Basic usage
+#   check-ssl-hsts-preloadable.rb -d <domain_name>
+#
+# LICENSE:
+#   Copyright 2017 Rowan Wookey <admin@rwky.net>
+#   Released under the same terms as Sensu (the MIT license); see LICENSE for
+#   details.
+#
+#   Inspired by https://github.com/sensu-plugins/sensu-plugins-ssl/blob/master/bin/check-ssl-qualys.rb Copyright 2015 William Cooke <will@bruisyard.eu>
+#
+
+require 'sensu-plugin/check/cli'
+require 'json'
+require 'net/http'
+
+class CheckSSLHSTSPreloadable < Sensu::Plugin::Check::CLI
+  option :domain,
+         description: 'The domain to run the test against',
+         short: '-d DOMAIN',
+         long: '--domain DOMAIN',
+         required: true
+
+  option :api_url,
+         description: 'The URL of the API to run against',
+         long: '--api-url URL',
+         default: 'https://hstspreload.org/api/v2/preloadable'
+
+  def fetch(uri, limit = 10)
+    if limit == 0
+      return nil
+    end
+
+    response = Net::HTTP.get_response(uri)
+
+    case response
+    when Net::HTTPSuccess then
+      response
+    when Net::HTTPRedirection then
+      location = URI(response['location'])
+      fetch(location, limit - 1)
+    end
+  end
+
+  def run
+    uri       = URI(config[:api_url])
+    uri.query = URI.encode_www_form(domain: config[:domain])
+    response = fetch(uri)
+    if response.nil?
+      return warning 'Bad response recieved from API'
+    end
+    body = JSON.parse(response.body)
+    if !body['errors'].empty?
+      critical body['errors'].map { |u| u['summary'] }.join(', ')
+    elsif !body['warnings'].empty?
+      warning body['warnings'].map { |u| u['summary'] }.join(', ')
+    else
+      ok
+    end
+  end
+end
+
+# vim: set tabstop=2 shiftwidth=2 expandtab:

data/bin/check-ssl-hsts-status.rb

@@ -0,0 +1,101 @@
+#!/usr/bin/env ruby
+# encoding: UTF-8
+#  check-ssl-hsts-preload.rb
+#
+# DESCRIPTION:
+#   Checks a domain against the chromium HSTS API reporting on the preload status of the domain
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#   # Basic usage
+#   check-ssl-hsts-preload.rb -d <domain_name>
+#   # Specify the CRITICAL and WARNING alerts to either unknown (not in the database), pending or preloaded
+#   check-ssl-hsts-preload.rb -d <domain_name> -c <critical_alert> -w <warning_alert>
+#
+# LICENSE:
+#   Copyright 2017 Rowan Wookey <admin@rwky.net>
+#   Released under the same terms as Sensu (the MIT license); see LICENSE for
+#   details.
+#
+#   Inspired by https://github.com/sensu-plugins/sensu-plugins-ssl/blob/master/bin/check-ssl-qualys.rb Copyright 2015 William Cooke <will@bruisyard.eu>
+#
+
+require 'sensu-plugin/check/cli'
+require 'json'
+require 'net/http'
+
+class CheckSSLHSTSStatus < Sensu::Plugin::Check::CLI
+  STATUSES = %w(unknown pending preloaded).freeze
+
+  option :domain,
+         description: 'The domain to run the test against',
+         short: '-d DOMAIN',
+         long: '--domain DOMAIN',
+         required: true
+
+  option :warn,
+         short: '-w STATUS',
+         long: '--warn STATUS',
+         description: 'WARNING if this status or worse',
+         in: STATUSES,
+         default: 'pending'
+
+  option :critical,
+         short: '-c STATUS',
+         long: '--critical STATUS',
+         description: 'CRITICAL if this status or worse',
+         in: STATUSES,
+         default: 'unknown'
+
+  option :api_url,
+         description: 'The URL of the API to run against',
+         long: '--api-url URL',
+         default: 'https://hstspreload.org/api/v2/status'
+
+  def fetch(uri, limit = 10)
+    if limit == 0
+      return nil
+    end
+
+    response = Net::HTTP.get_response(uri)
+
+    case response
+    when Net::HTTPSuccess then
+      response
+    when Net::HTTPRedirection then
+      location = URI(response['location'])
+      fetch(location, limit - 1)
+    end
+  end
+
+  def run
+    uri       = URI(config[:api_url])
+    uri.query = URI.encode_www_form(domain: config[:domain])
+    response  = fetch(uri)
+    if response.nil?
+      return warning 'Bad response recieved from API'
+    end
+    body = JSON.parse(response.body)
+    unless STATUSES.include? body['status']
+      warning 'Invalid status returned ' + body['status']
+    end
+
+    if STATUSES.index(body['status']) <= STATUSES.index(config[:critical])
+      critical body['status']
+    elsif STATUSES.index(body['status']) <= STATUSES.index(config[:warn])
+      warning body['status']
+    else
+      ok
+    end
+  end
+end
+
+# vim: set tabstop=2 shiftwidth=2 expandtab:

data/lib/sensu-plugins-ssl/version.rb

@@ -1,7 +1,7 @@
 module SensuPluginsSSL
   module Version
     MAJOR = 1
-    MINOR = 4
+    MINOR = 5
     PATCH = 0
 
     VER_STRING = [MAJOR, MINOR, PATCH].compact.join('.')

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sensu-plugins-ssl
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.5.0
 platform: ruby
 authors:
 - Sensu-Plugins and contributors
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-06-21 00:00:00.000000000 Z
+date: 2017-09-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sensu-plugin
@@ -175,6 +175,8 @@ executables:
 - check-ssl-cert.rb
 - check-ssl-crl.rb
 - check-ssl-host.rb
+- check-ssl-hsts-preloadable.rb
+- check-ssl-hsts-status.rb
 - check-ssl-qualys.rb
 extensions: []
 extra_rdoc_files: []
@@ -187,6 +189,8 @@ files:
 - bin/check-ssl-cert.rb
 - bin/check-ssl-crl.rb
 - bin/check-ssl-host.rb
+- bin/check-ssl-hsts-preloadable.rb
+- bin/check-ssl-hsts-status.rb
 - bin/check-ssl-qualys.rb
 - lib/sensu-plugins-ssl.rb
 - lib/sensu-plugins-ssl/version.rb
@@ -216,7 +220,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.6.13
 signing_key: 
 specification_version: 4
 summary: Sensu plugins for SSL