Class: Riemann::Tools::TLSCheck::TLSCheckResult
- Includes:
- Utils
- Defined in:
- lib/riemann/tools/tls_check.rb
Methods included from Utils
#distance_of_time_in_words_to_utcnow, #pluralize_string, #reverse_numeric_sort_with_header, #utcnow, #when_from_utcnow
Constructor Details
#initialize(uri, address, tls_socket, checker) ⇒ TLSCheckResult
Returns a new instance of TLSCheckResult.
# File 'lib/riemann/tools/tls_check.rb', line 73
# Build a result object for one TLS probe.
#
# @param uri [URI] the URI that was probed (its host is used for identity checks)
# @param address [Object] the resolved address the connection went to
# @param tls_socket [Object] the TLS socket (or failure record) of the probe;
#   it must answer #peer_cert, #peer_cert_chain and #verify_result
# @param checker [Object] the owning checker; provides #opts and #store
def initialize(uri, address, tls_socket, checker)
  @uri, @address, @tls_socket, @checker = uri, address, tls_socket, checker
end
Instance Attribute Details
#address ⇒ Object
Returns the value of attribute address.
# File 'lib/riemann/tools/tls_check.rb', line 71
# The resolved address this probe connected to, as given to the constructor.
#
# @return [Object]
def address
  instance_variable_get(:@address)
end
#tls_socket ⇒ Object
Returns the value of attribute tls_socket.
# File 'lib/riemann/tools/tls_check.rb', line 71
# The TLS socket (or failure record) of this probe, as given to the constructor.
#
# @return [Object]
def tls_socket
  instance_variable_get(:@tls_socket)
end
#uri ⇒ Object
Returns the value of attribute uri.
# File 'lib/riemann/tools/tls_check.rb', line 71
# The URI that was probed, as given to the constructor.
#
# @return [URI]
def uri
  instance_variable_get(:@uri)
end
Instance Method Details
#acceptable_identities ⇒ Object
# File 'lib/riemann/tools/tls_check.rb', line 96
# Identities the peer certificate claims, taken from its subjectAltName.
#
# Each GeneralName's raw ASN.1 value is returned: DNS names come back as
# plain strings, other types (IP addresses, otherName, ...) as whatever
# OpenSSL::ASN1 yields for them, which is not necessarily printable.
# When the certificate has no subjectAltName (or an empty one) the subject
# DN is returned as a single string instead, so the result is never empty.
#
# @return [Array<String>]
def acceptable_identities
  san = peer_cert.extensions.reverse_each.find { |ext| ext.oid == 'subjectAltName' }
  names = if san
            # Extension DER is SEQUENCE { oid, [critical], OCTET STRING };
            # the OCTET STRING wraps the SEQUENCE OF GeneralName.
            octet_string = OpenSSL::ASN1.decode(san.to_der).value.last
            OpenSSL::ASN1.decode(octet_string.value).value.map(&:value)
          else
            []
          end
  names.empty? ? [peer_cert.subject.to_s] : names
end
#check_ocsp_status ⇒ Object
# File 'lib/riemann/tools/tls_check.rb', line 180
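# Ask the OCSP responder advertised by the peer certificate whether the
# certificate is still good.
#
# Only a response that verifies against the issuer and the checker's trust
# store, echoes our nonce (or omits nonces altogether) and lies inside its
# thisUpdate/nextUpdate window is accepted. The responder's own status
# ("successful") is not enough: a revoked certificate still gets a
# successful response, so the per-certificate status is what is reported.
#
# @return [String] 'successful' when the responder says the certificate is
#   good, 'revoked' or 'unknown' when it reports that certificate status,
#   and '' when no usable answer could be obtained (no issuer in the chain,
#   no OCSP responder advertised, unsuccessful/unverifiable response, nonce
#   mismatch, or a response outside its validity window)
def check_ocsp_status
  subject = peer_cert
  issuer = peer_cert_chain[1]
  return '' unless issuer

  ocsp_uri = ocsp_responder_uri(subject)
  return '' unless ocsp_uri

  # SHA1 only builds the CertID the responder keys on; it protects nothing.
  digest = OpenSSL::Digest.new('SHA1')
  certificate_id = OpenSSL::OCSP::CertificateId.new(subject, issuer, digest)
  request = OpenSSL::OCSP::Request.new
  request.add_certid(certificate_id)
  request.add_nonce

  response = OpenSSL::OCSP::Response.new(post_ocsp_request(ocsp_uri, request))
  response_basic = response.basic
  # #basic is nil unless the response status is "successful".
  return '' unless response_basic&.verify([issuer], @checker.store)
  # 0 means the responder echoed a nonce that differs from ours (a replayed
  # or forged answer); responders that omit nonces entirely are accepted.
  return '' if response_basic.check_nonce(request).zero?

  single = response_basic.find_response(certificate_id)
  return '' unless single&.check_validity

  case single.cert_status
  when OpenSSL::OCSP::V_CERTSTATUS_GOOD then 'successful'
  when OpenSSL::OCSP::V_CERTSTATUS_REVOKED then 'revoked'
  else 'unknown'
  end
end

# Locate the OCSP responder URI in the certificate's authorityInfoAccess
# extension; nil when none is advertised or the advertised value is not a
# parseable URI.
def ocsp_responder_uri(certificate)
  authority_info_access = certificate.extensions.find do |extension|
    extension.oid == 'authorityInfoAccess'
  end
  return unless authority_info_access

  ocsp = authority_info_access.value.split("\n").find do |description|
    description.start_with?('OCSP')
  end
  location = ocsp && ocsp[/URI:(.*)/, 1]
  return unless location

  URI.parse(location)
rescue URI::InvalidURIError
  nil
end
private :ocsp_responder_uri

# POST the DER-encoded OCSP request to the responder and return the raw
# response body.
def post_ocsp_request(ocsp_uri, request)
  path = ocsp_uri.path.empty? ? '/' : ocsp_uri.path
  ::Net::HTTP.start(ocsp_uri.hostname, ocsp_uri.port, use_ssl: ocsp_uri.scheme == 'https') do |http|
    http.post(path, request.to_der, 'content-type' => 'application/ocsp-request').body
  end
end
private :post_ocsp_request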
#exception ⇒ Object
# File 'lib/riemann/tools/tls_check.rb', line 88
# The exception recorded on the TLS socket, when the socket object exposes
# one (presumably a failed connection record rather than a live socket —
# the object type is not visible here); nil otherwise.
#
# @return [Exception, nil]
def exception
  socket = tls_socket
  return unless socket.respond_to?(:exception)

  socket.exception
end
#expire_soonish? ⇒ Boolean
# File 'lib/riemann/tools/tls_check.rb', line 152
# Whether the certificate enters the last third of its renewal window,
# i.e. expires less than one third of renewal_duration from now.
#
# @return [Boolean]
def expire_soonish?
  threshold = utcnow + (2 * renewal_duration / 3)
  threshold > not_after
end
#expired? ⇒ Boolean
# File 'lib/riemann/tools/tls_check.rb', line 156
# Whether the certificate's notAfter lies in the past.
#
# @return [Boolean]
def expired?
  not_after < utcnow
end
#expired_or_expire_soon? ⇒ Boolean
# File 'lib/riemann/tools/tls_check.rb', line 148
# Whether the certificate has expired or expires within one third of the
# renewal window (renewal_duration / 3) from now.
#
# @return [Boolean]
def expired_or_expire_soon?
  threshold = utcnow + (renewal_duration / 3)
  threshold > not_after
end
#not_after ⇒ Object
# File 'lib/riemann/tools/tls_check.rb', line 116
# End of the peer certificate's validity period.
#
# @return [Time]
def not_after
  cert = peer_cert
  cert.not_after
end
#not_after_ago ⇒ Object
# File 'lib/riemann/tools/tls_check.rb', line 120
# Seconds until the certificate expires (negative once it has expired).
#
# @return [Float]
def not_after_ago
  deadline = not_after
  deadline - utcnow
end
#not_after_ago_in_words ⇒ Object
# File 'lib/riemann/tools/tls_check.rb', line 124
# Human-readable distance between now and the certificate's notAfter,
# as produced by Utils#when_from_utcnow.
#
# @return [String]
def not_after_ago_in_words
  deadline = not_after
  when_from_utcnow(deadline)
end
#not_before ⇒ Object
# File 'lib/riemann/tools/tls_check.rb', line 128
# Start of the peer certificate's validity period.
#
# @return [Time]
def not_before
  cert = peer_cert
  cert.not_before
end
#not_before_away ⇒ Object
# File 'lib/riemann/tools/tls_check.rb', line 132
# Seconds elapsed since the certificate became valid (negative if it is
# not valid yet).
#
# @return [Float]
def not_before_away
  now = utcnow
  now - not_before
end
#not_before_away_in_words ⇒ Object
# File 'lib/riemann/tools/tls_check.rb', line 136
# Human-readable distance between now and the certificate's notBefore,
# as produced by Utils#when_from_utcnow.
#
# @return [String]
def not_before_away_in_words
  start = not_before
  when_from_utcnow(start)
end
#not_valid_yet? ⇒ Boolean
# File 'lib/riemann/tools/tls_check.rb', line 112
# Whether the certificate's notBefore still lies in the future.
#
# @return [Boolean]
def not_valid_yet?
  not_before > utcnow
end
#ocsp? ⇒ Boolean
# File 'lib/riemann/tools/tls_check.rb', line 172
# Whether an OCSP answer was obtained at all (ocsp_status is non-empty).
# This says nothing about whether that answer was favourable.
#
# @return [Boolean]
def ocsp?
  ocsp_status != ''
end
#ocsp_status ⇒ Object
# File 'lib/riemann/tools/tls_check.rb', line 168
# Memoized result of check_ocsp_status, so the responder is contacted at
# most once per result object.
#
# @return [String] see #check_ocsp_status
def ocsp_status
  @ocsp_status || (@ocsp_status = check_ocsp_status)
end
#peer_cert ⇒ Object
# File 'lib/riemann/tools/tls_check.rb', line 80
# The certificate presented by the peer, straight from the TLS socket.
#
# @return [OpenSSL::X509::Certificate]
def peer_cert
  socket = tls_socket
  socket.peer_cert
end
#peer_cert_chain ⇒ Object
# File 'lib/riemann/tools/tls_check.rb', line 84
# The certificate chain presented by the peer, straight from the TLS
# socket (leaf first; index 1 is used as the issuer by the OCSP check).
#
# @return [Array<OpenSSL::X509::Certificate>]
def peer_cert_chain
  socket = tls_socket
  socket.peer_cert_chain
end
#renewal_duration ⇒ Object
# File 'lib/riemann/tools/tls_check.rb', line 144
# Length of the renewal window, in seconds: the configured fraction of
# the certificate's validity period, capped at the configured number of
# days (checker options :renewal_duration_ratio and :renewal_duration_days).
#
# @return [Numeric]
def renewal_duration
  opts = @checker.opts
  by_ratio = validity_duration * opts[:renewal_duration_ratio]
  by_days = opts[:renewal_duration_days] * 3600 * 24
  by_ratio <= by_days ? by_ratio : by_days
end
#trusted? ⇒ Boolean
# File 'lib/riemann/tools/tls_check.rb', line 164
# Whether OpenSSL's chain verification succeeded (verify_result is V_OK).
#
# @return [Boolean]
def trusted?
  OpenSSL::X509::V_OK == verify_result
end
#valid_identity? ⇒ Boolean
# File 'lib/riemann/tools/tls_check.rb', line 92
# Whether the peer certificate is valid for the probed host name, using
# OpenSSL's own hostname matching against uri.host.
#
# @return [Boolean]
def valid_identity?
  host = uri.host
  OpenSSL::SSL.verify_certificate_identity(peer_cert, host)
end
#valid_ocsp? ⇒ Boolean
# File 'lib/riemann/tools/tls_check.rb', line 176
# Whether the OCSP check produced the 'successful' status. What that string
# covers (responder status versus the certificate's own good/revoked status)
# is decided by check_ocsp_status; read it before treating this as
# "not revoked".
#
# @return [Boolean]
def valid_ocsp?
  ocsp_status.eql?('successful')
end
#validity_duration ⇒ Object
# File 'lib/riemann/tools/tls_check.rb', line 140
# Total length of the certificate's validity period, in seconds.
#
# @return [Float]
def validity_duration
  finish = not_after
  finish - not_before
end
#verify_result ⇒ Object
# File 'lib/riemann/tools/tls_check.rb', line 160
# OpenSSL's chain verification result code for this connection, straight
# from the TLS socket (OpenSSL::X509::V_OK when the chain verified).
#
# @return [Integer]
def verify_result
  socket = tls_socket
  socket.verify_result
end