RubyGems - tls-checker - Versions diffs - 1.0.0 → 1.1.0 - Mend

tls-checker 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/.travis.yml +1 -0
data/CHANGELOG.md +16 -0
data/lib/tls-checker.rb +2 -0
data/lib/tls-checker/certificate_checker.rb +10 -12
data/lib/tls-checker/certificate_checker_factory.rb +21 -1
data/lib/tls-checker/tlsa_checker.rb +24 -0
data/lib/tls-checker/tlsa_checker_factory.rb +52 -0
data/lib/tls-checker/version.rb +1 -1
data/tls-checker.gemspec +1 -1
metadata +8 -6

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ab14c3e081bec34c6623b35ee52b0e26e544242b21ff50a484c9780d73940585
-  data.tar.gz: 1de5b2c8fae2bb03564a23d751ac04240ea64003a7022cf7d5779d6f61b478e5
+  metadata.gz: 1cdde3a84021818453f8783a575370df091b421bc8ec46b9f37eea6afea7c68d
+  data.tar.gz: f197dbf9cf67fccb5e6f5d757929ea6f145d5fbff77f0ed6adb311b362154e11
 SHA512:
-  metadata.gz: f14c9c95cb25b5e36f5b8a1e1799cc18900e31f66790456704a4c866a65c47f165247a64d5795f9e22de3d87a6d89701d8726a3c4639f5fe5bc0d9bf4ccb07d3
-  data.tar.gz: 413fc601fb7b4d410f6dc8f6518d982056b06f4144625e2d900a1f3c0b300d8b58c8ed039d533d13872b21d8cc7cd92ec73b13e35c651e374203d953c111dddc
+  metadata.gz: 59c569e106f22433b88cfd2480a8aad515b6cecedc1e50eaa533b907bb09711e7e90f58f4ed8ec7ecdb6781e17910eee527a72f903a187bb0f125ec1788314be
+  data.tar.gz: 4771ef041e39cb1da7aaae82f5508fc528dd3980a3f4fab0fa8907e89395f0c788e951d15fb8c0bb9d38b2108760b635661a9dfb4c393da2ea233614089f71be

data/.travis.yml CHANGED

@@ -1,6 +1,7 @@
 ---
 language: ruby
 rvm:
+  - 2.3
   - 2.4
   - 2.5
   - 2.6

data/CHANGELOG.md ADDED

@@ -0,0 +1,16 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.1.0]
+### Added
+- Make it possible to test services using an IP address;
+- Report validity of certificates when a TLSA record is found in the DNS.
+[Unreleased]: https://github.com/smortex/tls-checker/compare/v1.1.0...HEAD
+[1.1.0]: https://github.com/smortex/tls-checker/compare/v1.0.0...v1.1.0

data/lib/tls-checker.rb CHANGED

@@ -3,3 +3,5 @@
 require 'tls-checker/certificate_checker'
 require 'tls-checker/certificate_checker_factory'
 require 'tls-checker/line_oriented_socket'
+require 'tls-checker/tlsa_checker'
+require 'tls-checker/tlsa_checker_factory'

data/lib/tls-checker/certificate_checker.rb CHANGED

@@ -6,8 +6,6 @@ require 'internet_security_event'
 module TLSChecker
   class CertificateChecker
-    include ActionView::Helpers::DateHelper
     def initialize(hostname, address, port, starttls)
       @hostname = hostname
       @address = address
@@ -31,7 +29,7 @@ module TLSChecker
         }
       end.merge(
         service: service,
-        ttl:     3600 * 12,
+        ttl:     12.hours,
         tags:    ['tls-checker'],
       )
     end
@@ -40,10 +38,16 @@ module TLSChecker
       description
     end
-    private
+    def certificate
+      @certificate = OpenSSL::X509::Certificate.new(tls_socket.peer_cert) if @certificate.nil?
+      @certificate
+    rescue Errno::ECONNREFUSED, Errno::ETIMEDOUT, SocketRecvTimeout => e
+      @certificate_failure = e.message
+      @certificate = false
+    end
     def service
-      format('X.509/%<hostname>s/%<address>s:%<port>d', hostname: hostname, address: humanized_address, port: port)
+      "X.509/#{hostname}/#{humanized_address}:#{port}"
     end
     def humanized_address
@@ -54,13 +58,7 @@ module TLSChecker
       end
     end
-    def certificate
-      @certificate = OpenSSL::X509::Certificate.new(tls_socket.peer_cert) if @certificate.nil?
-      @certificate
-    rescue Errno::ECONNREFUSED, Errno::ETIMEDOUT, SocketRecvTimeout => e
-      @certificate_failure = e.message
-      @certificate = false
-    end
+    private
     def tls_socket
       @tls_socket ||= case starttls

data/lib/tls-checker/certificate_checker_factory.rb CHANGED

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
+require 'ipaddr'
 module TLSChecker
   class CertificateCheckerFactory
     def initialize
@@ -14,7 +16,25 @@ module TLSChecker
       port ||= port_for(hostname)
       starttls ||= starttls_for(port)
-      @resolver.getaddresses(hostname).map { |ip| CertificateChecker.new(hostname, ip, port, starttls) }
+      begin
+        ip_in_hostname = IPAddr.new(hostname)
+        [
+          CertificateChecker.new(nil, ip_in_hostname, port, starttls),
+        ]
+      rescue IPAddr::InvalidAddressError
+        certificate_checkers = @resolver.getaddresses(hostname).map { |ip| CertificateChecker.new(hostname, ip, port, starttls) }
+        factory = TLSACheckerFactory.new
+        tlsa_checkers = []
+        certificate_checkers.each do |certificate_checker|
+          tlsa_checkers += factory.tlsa_checkers_for(certificate_checker)
+        end
+        certificate_checkers + tlsa_checkers
+      end
     end
     private

data/lib/tls-checker/tlsa_checker.rb ADDED

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+module TLSChecker
+  class TLSAChecker < InternetSecurityEvent::TLSAStatus
+    def initialize(record, certificate_checker)
+      super(record, certificate_checker.certificate)
+      @certificate_checker = certificate_checker
+    end
+    def to_e
+      super.merge(
+        service: service,
+        ttl:     12.hours,
+      )
+    end
+    private
+    def service
+      "#{@certificate_checker.service}/TLSA"
+    end
+  end
+end

data/lib/tls-checker/tlsa_checker_factory.rb ADDED

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+module TLSChecker
+  class TLSACheckerFactory
+    def initialize
+      @resolver = Resolv::DNS.new
+    end
+    def tlsa_checkers_for(certificate_checker)
+      res = []
+      each_tlsa_end_entity_record(certificate_checker) do |record|
+        checker = TLSAChecker.new(record, certificate_checker)
+        # Since a single domain may have different certificates on different
+        # addresses, we are not interested in reporting failures here: a server
+        # with 3 certificates on 3 IP addresses is expected to have 3 TLSA
+        # records in the DNS, each one being valid for a different certificate.
+        #
+        # By adding only valid certificates, we can still detect problems when
+        # events expire.
+        next unless checker.certificate_match_tlsa_record?
+        res << checker
+      end
+      res
+    end
+    private
+    def each_tlsa_end_entity_record(certificate_checker)
+      each_tlsa_record(certificate_checker) do |record|
+        next unless record.end_entity?
+        yield(record)
+      end
+    end
+    def each_tlsa_record(certificate_checker)
+      resource = "_#{certificate_checker.port}._tcp.#{certificate_checker.hostname}."
+      @resolver.getresources(resource, Resolv::DNS::Resource::IN::ANY).each do |rr|
+        # XXX: Should we check the RRSIG here, or can we assume that the resolver
+        # should have failed if it could not verify the response?
+        next unless rr.class.name == 'Resolv::DNS::Resource::Generic::Type52_Class1'
+        record = Resolv::DNS::Resource::IN::TLSA.new(rr.data)
+        yield(record)
+      end
+    end
+  end
+end

data/lib/tls-checker/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module TlsChecker
-  VERSION = '1.0.0'
+  VERSION = '1.1.0'
 end

data/tls-checker.gemspec CHANGED

@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
-  spec.add_dependency 'internet_security_event', '~> 1.0'
+  spec.add_dependency 'internet_security_event', '~> 1.1'
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'midi-smtp-server'

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tls-checker
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Romain Tartière
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-02-19 00:00:00.000000000 Z
+date: 2019-03-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: internet_security_event
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -105,6 +105,7 @@ files:
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
+- CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Gemfile
 - LICENSE.txt
@@ -117,6 +118,8 @@ files:
 - lib/tls-checker/certificate_checker.rb
 - lib/tls-checker/certificate_checker_factory.rb
 - lib/tls-checker/line_oriented_socket.rb
+- lib/tls-checker/tlsa_checker.rb
+- lib/tls-checker/tlsa_checker_factory.rb
 - lib/tls-checker/version.rb
 - tls-checker.gemspec
 homepage: https://github.com/smortex/tls-checker
@@ -138,8 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.8
+rubygems_version: 3.0.2
 signing_key:
 specification_version: 4
 summary: Report expired/about to expires certificates used in TLS connexions