tls-checker 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ab14c3e081bec34c6623b35ee52b0e26e544242b21ff50a484c9780d73940585
+  data.tar.gz: 1de5b2c8fae2bb03564a23d751ac04240ea64003a7022cf7d5779d6f61b478e5
+SHA512:
+  metadata.gz: f14c9c95cb25b5e36f5b8a1e1799cc18900e31f66790456704a4c866a65c47f165247a64d5795f9e22de3d87a6d89701d8726a3c4639f5fe5bc0d9bf4ccb07d3
+  data.tar.gz: 413fc601fb7b4d410f6dc8f6518d982056b06f4144625e2d900a1f3c0b300d8b58c8ed039d533d13872b21d8cc7cd92ec73b13e35c651e374203d953c111dddc

data/.gitignore

@@ -0,0 +1,5 @@
+Gemfile.lock
+Gemfile.local
+coverage/
+pkg/
+spec/examples.txt

data/.rspec

@@ -0,0 +1 @@
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,12 @@
+---
+language: ruby
+rvm:
+  - 2.4
+  - 2.5
+  - 2.6
+before_script:
+  - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
+  - chmod +x ./cc-test-reporter
+  - ./cc-test-reporter before-build
+after_script:
+  - ./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at romain@blogreen.org. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in tls-checker.gemspec
+gemspec
+
+# rubocop:disable Security/Eval
+#
+# Gemfile.local is ignored in .gitignore.  When hacking this gem, it might be
+# useful to use a pre-release version of some dependency, in this case add them
+# to Gemfile.local:
+#
+# ------------------------------------- 8< -------------------------------------
+# gem 'internet_security_event', path: '../internet_security_event'
+# ------------------------------------- 8< -------------------------------------
+eval(File.read('Gemfile.local'), binding) if File.exist? 'Gemfile.local'
+# rubocop:enable Security/Eval

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2019 Romain Tartière
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,55 @@
+# tls-checker
+
+[![Build Status](https://travis-ci.com/smortex/tls-checker.svg?branch=master)](https://travis-ci.com/smortex/tls-checker)
+[![Maintainability](https://api.codeclimate.com/v1/badges/272ab98a6ec1b28e5f7d/maintainability)](https://codeclimate.com/github/smortex/tls-checker/maintainability)
+[![Test Coverage](https://api.codeclimate.com/v1/badges/272ab98a6ec1b28e5f7d/test_coverage)](https://codeclimate.com/github/smortex/tls-checker/test_coverage)
+
+Connect to remote services and report certificates status.
+
+## Installation
+
+As simple as:
+
+    $ gem install tls-checker
+
+## Usage
+
+As simple as:
+
+    $ tls-checker example.com ldap.example.com:389:ldap
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run
+`rake spec` to run the tests. You can also run `bin/console` for an interactive
+prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To
+release a new version, update the version number in `version.rb`, and then run
+`bundle exec rake release`, which will create a git tag for the version, push
+git commits and tags, and push the `.gem` file to
+[rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at
+https://github.com/smortex/tls-checker. This project is intended to be a safe,
+welcoming space for collaboration, and contributors are expected to adhere to
+the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+1. Fork it (https://github.com/smortex/tls-checker/fork)
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request
+
+## License
+
+The gem is available as open source under the terms of the [MIT
+License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the tls-checker project’s codebases, issue trackers,
+chat rooms and mailing lists is expected to follow the [code of
+conduct](https://github.com/smortex/tls-checker/blob/master/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'certificate-checker'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/tls-checker

@@ -0,0 +1,26 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'json'
+require 'optparse'
+require 'tls-checker'
+
+factory = TLSChecker::CertificateCheckerFactory.new
+
+options = {
+  output: $stdout,
+}
+
+OptionParser.new do |opts|
+  opts.banner = 'Usage: tls-checker [options] specification...'
+
+  opts.on('-o', '--output=FILE', 'Write to FILE') do |f|
+    options[:output] = File.open(f, File::CREAT | File::APPEND | File::LOCK_EX)
+  end
+end.parse!
+
+ARGV.each do |arg|
+  factory.certificate_checkers_for(arg).each do |checker|
+    options[:output].puts checker.to_e.to_json
+  end
+end

data/lib/tls-checker.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require 'tls-checker/certificate_checker'
+require 'tls-checker/certificate_checker_factory'
+require 'tls-checker/line_oriented_socket'

data/lib/tls-checker/certificate_checker.rb

@@ -0,0 +1,167 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'resolv'
+require 'internet_security_event'
+
+module TLSChecker
+  class CertificateChecker
+    include ActionView::Helpers::DateHelper
+
+    def initialize(hostname, address, port, starttls)
+      @hostname = hostname
+      @address = address
+      @port = port
+      @starttls = starttls
+
+      @certificate = nil
+      @certificate_failure = nil
+      @tls_socket = nil
+    end
+
+    attr_reader :hostname, :address, :port, :starttls
+
+    def to_e
+      if certificate
+        InternetSecurityEvent::TLSStatus.build(hostname, certificate)
+      else
+        {
+          state:       'critical',
+          description: @certificate_failure || "#{hostname} does not have a valid certificate",
+        }
+      end.merge(
+        service: service,
+        ttl:     3600 * 12,
+        tags:    ['tls-checker'],
+      )
+    end
+
+    def to_s
+      description
+    end
+
+    private
+
+    def service
+      format('X.509/%<hostname>s/%<address>s:%<port>d', hostname: hostname, address: humanized_address, port: port)
+    end
+
+    def humanized_address
+      if @address.is_a?(Resolv::IPv6)
+        "[#{@address}]"
+      else
+        @address.to_s
+      end
+    end
+
+    def certificate
+      @certificate = OpenSSL::X509::Certificate.new(tls_socket.peer_cert) if @certificate.nil?
+      @certificate
+    rescue Errno::ECONNREFUSED, Errno::ETIMEDOUT, SocketRecvTimeout => e
+      @certificate_failure = e.message
+      @certificate = false
+    end
+
+    def tls_socket
+      @tls_socket ||= case starttls
+                      when :smtp
+                        smtp_tls_socket
+                      when :imap
+                        imap_tls_socket
+                      when :ldap
+                        ldap_tls_socket
+                      else
+                        raw_tls_socket
+                      end
+    end
+
+    def raw_tls_socket
+      socket = TCPSocket.new(@address.to_s, port)
+
+      tls_handshake(socket)
+    end
+
+    def imap_tls_socket
+      socket = LineOrientedSocket.new(@address.to_s, port)
+      socket.gets_until_match(/^\* OK/)
+      socket.puts('. CAPABILITY')
+      socket.gets_until_match(/^\. OK/)
+      socket.puts('. STARTTLS')
+      socket.gets_until_match(/^\. OK/)
+
+      tls_handshake(socket)
+    end
+
+    def ldap_tls_socket
+      socket = TCPSocket.new(@address.to_s, port)
+      socket.write(['301d02010177188016312e332e362e312e342e312e313436362e3230303337'].pack('H*'))
+      expected_res = ['300c02010178070a010004000400'].pack('H*')
+      res = socket.read(expected_res.length)
+
+      return nil unless res == expected_res
+
+      tls_handshake(socket)
+    end
+
+    def smtp_tls_socket
+      socket = LineOrientedSocket.new(@address.to_s, port)
+      socket.gets_until_match(/^220 /)
+      socket.puts("EHLO #{my_hostname}")
+      socket.gets_until_match(/^250 /)
+      socket.puts('STARTTLS')
+      socket.gets
+
+      tls_handshake(socket)
+    end
+
+    def tls_handshake(raw_socket)
+      tls_socket = OpenSSL::SSL::SSLSocket.new(raw_socket, ssl_context)
+      tls_socket.hostname = hostname
+      begin
+        tls_socket.connect
+      rescue OpenSSL::SSL::SSLError # rubocop:disable Lint/HandleExceptions
+        # This may fail for example if a client certificate is required
+      end
+      tls_socket
+    end
+
+    def my_hostname
+      Socket.gethostbyname(Socket.gethostname).first
+    rescue SocketError
+      Socket.gethostname
+    end
+
+    def ssl_context
+      ssl_context = OpenSSL::SSL::SSLContext.new
+      # We do not care about trust here, only expiration dates.
+
+      #  ____              _ _                                                 _
+      # |  _ \  ___  _ __ ( ) |_    ___ ___  _ __  _   _       _ __   __ _ ___| |_ ___
+      # | | | |/ _ \| '_ \|/| __|  / __/ _ \| '_ \| | | |_____| '_ \ / _` / __| __/ _ \
+      # | |_| | (_) | | | | | |_  | (_| (_) | |_) | |_| |_____| |_) | (_| \__ \ ||  __/
+      # |____/ \___/|_| |_|  \__|  \___\___/| .__/ \__, |     | .__/ \__,_|___/\__\___|
+      #                                     |_|    |___/      |_|
+      #  _   _     _     _
+      # | |_| |__ (_)___| |
+      # | __| '_ \| / __| |
+      # | |_| | | | \__ \_|
+      #  \__|_| |_|_|___(_)
+      #
+      # YOU SHALL  NOT  "COPY-PASTE"  THE FOLLOWING LINE  IN YOUR CODE.  IF YOU
+      # UNDESTAND WHY WE DO TAHT,  YOU KNOW WHY YOU DON'T WANT TO DO THIS.   IF
+      # YOU DO NOT UNDERSTAND WHAT IT DOES,  REALIZE THAT YOUR PROBLEM VANISHED
+      # WHEN YOU PASTE IT AND SHIP IT, FEL FREE TO GET BACK TO ME WHEN YOU WILL
+      # DISCOVER THAT YOU HAVE WAY  MORE PROBLEMS  THAN YOU THOUGH.   I WILL BE
+      # PLEASED TO  EXCHANGE MONEY WITH ADVICES AND ASSISTANCE  FOR FIXING YOUR
+      # PROBLEMS.
+      ssl_context.set_params(tls_options)
+      ssl_context
+    end
+
+    def tls_options
+      {
+        verify_mode: OpenSSL::SSL::VERIFY_NONE,
+      }
+    end
+  end
+end

data/lib/tls-checker/certificate_checker_factory.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module TLSChecker
+  class CertificateCheckerFactory
+    def initialize
+      @resolver = Resolv::DNS.new
+    end
+
+    def certificate_checkers_for(specification)
+      hostname, port, starttls = specification.split(':', 3)
+
+      port = port.to_i if port
+      starttls = starttls.to_sym if starttls
+
+      port ||= port_for(hostname)
+      starttls ||= starttls_for(port)
+      @resolver.getaddresses(hostname).map { |ip| CertificateChecker.new(hostname, ip, port, starttls) }
+    end
+
+    private
+
+    def port_for(hostname)
+      {
+        'smtp.'   => 25,
+        'mx.'     => 25,
+        'imap.'   => 143,
+        'ldap.'   => 389,
+        'puppet.' => 8140,
+      }.each do |prefix, port|
+        return port if hostname.start_with?(prefix)
+      end
+
+      443
+    end
+
+    def starttls_for(port)
+      well_known_starttls = {
+        25  => :smtp,
+        143 => :imap,
+        389 => :ldap,
+      }
+
+      starttls = well_known_starttls[port]
+      starttls ||= :raw
+      starttls
+    end
+  end
+end

data/lib/tls-checker/line_oriented_socket.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'socket'
+
+module TLSChecker
+  class SocketRecvTimeout < RuntimeError
+    def message
+      'Timeout while receiving message from socket'
+    end
+  end
+
+  class LineOrientedSocket < TCPSocket
+    def gets
+      line = ''
+
+      line += timed_getbyte until line.end_with?("\r\n")
+
+      line
+    end
+
+    def gets_until_match(pattern)
+      loop do
+        line = gets
+        break if line.match(pattern)
+      end
+    end
+
+    def puts(data)
+      send("#{data}\r\n", 0)
+    end
+
+    private
+
+    TIMEOUT = 10
+
+    def timed_getbyte
+      recv_nonblock(1)
+    rescue IO::EAGAINWaitReadable
+      if IO.select([self], nil, nil, 10)
+        recv_nonblock(1)
+      else
+        raise SocketRecvTimeout
+      end
+    end
+  end
+end

data/lib/tls-checker/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module TlsChecker
+  VERSION = '1.0.0'
+end

data/tls-checker.gemspec

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'tls-checker/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'tls-checker'
+  spec.version       = TlsChecker::VERSION
+  spec.authors       = ['Romain Tartière']
+  spec.email         = ['romain@blogreen.org']
+
+  spec.summary       = 'Report expired/about to expires certificates used in TLS connexions'
+  spec.homepage      = 'https://github.com/smortex/tls-checker'
+  spec.license       = 'MIT'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'internet_security_event', '~> 1.0'
+
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'midi-smtp-server'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'simplecov'
+end

metadata

@@ -0,0 +1,146 @@
+--- !ruby/object:Gem::Specification
+name: tls-checker
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Romain Tartière
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2019-02-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: internet_security_event
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: midi-smtp-server
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- romain@blogreen.org
+executables:
+- tls-checker
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/tls-checker
+- lib/tls-checker.rb
+- lib/tls-checker/certificate_checker.rb
+- lib/tls-checker/certificate_checker_factory.rb
+- lib/tls-checker/line_oriented_socket.rb
+- lib/tls-checker/version.rb
+- tls-checker.gemspec
+homepage: https://github.com/smortex/tls-checker
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.8
+signing_key: 
+specification_version: 4
+summary: Report expired/about to expires certificates used in TLS connexions
+test_files: []