Class: Riemann::Tools::TLSCheck::TLSCheckResult

Inherits:
Object
Includes:
Utils
Defined in:
lib/riemann/tools/tls_check.rb

Instance Attribute Summary

Instance Method Summary

Methods included from Utils

#distance_of_time_in_words_to_utcnow, #pluralize_string, #reverse_numeric_sort_with_header, #utcnow, #when_from_utcnow

Constructor Details

#initialize(uri, address, tls_socket, checker) ⇒ TLSCheckResult

Returns a new TLSCheckResult that wraps the URI that was checked, the address that was connected to, the TLS socket the handshake ran on and the owning checker; every other method on this class reads from these four objects.



# File 'lib/riemann/tools/tls_check.rb', line 73

# Capture the inputs of one TLS check so the predicates on this class can be
# evaluated lazily.
#
# @param uri [URI] the URI the check was run against; its host is what the
#   certificate identity is matched against
# @param address [Object] the address the connection was made to (exposed as
#   #address, not interpreted here)
# @param tls_socket [Object] the socket the handshake happened on; must
#   respond to +peer_cert+, +peer_cert_chain+ and +verify_result+, and may
#   respond to +exception+
# @param checker [Object] the owning checker; must provide +opts+ (with
#   +:renewal_duration_ratio+ and +:renewal_duration_days+) and the X509
#   trust +store+ used to verify OCSP responses
def initialize(uri, address, tls_socket, checker)
  @uri, @address, @tls_socket, @checker = uri, address, tls_socket, checker
end

Instance Attribute Details

#address ⇒ Object (readonly)

Returns the value of attribute address.



# File 'lib/riemann/tools/tls_check.rb', line 71

# Address the TLS connection was made to, exactly as handed to the constructor.
# @return [Object] the +address+ argument of #initialize
def address; @address; end

#tls_socket ⇒ Object (readonly)

Returns the value of attribute tls_socket.



# File 'lib/riemann/tools/tls_check.rb', line 71

# Socket the TLS handshake was performed on; #peer_cert, #peer_cert_chain,
# #verify_result and #exception all delegate to it.
# @return [Object] the +tls_socket+ argument of #initialize
def tls_socket; @tls_socket; end

#uri ⇒ Object (readonly)

Returns the value of attribute uri.



# File 'lib/riemann/tools/tls_check.rb', line 71

# URI the check was run against; its host is what #valid_identity? matches
# the peer certificate against.
# @return [Object] the +uri+ argument of #initialize
def uri; @uri; end

Instance Method Details

#acceptable_identities ⇒ Object



# File 'lib/riemann/tools/tls_check.rb', line 96

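# Identities the peer certificate claims, as printable strings.
#
# Reads the GeneralName entries of the subjectAltName extension. iPAddress
# entries are stored in the certificate as raw 4- or 16-byte strings; they are
# rendered as a dotted quad or (uncompressed) colon-separated hex groups so
# they can be reported instead of leaking binary into events. Entries whose
# value is a plain string (dNSName, rfc822Name, uniformResourceIdentifier,
# ...) are returned verbatim; structured entries (otherName, directoryName)
# and iPAddress entries of unexpected length are skipped. When no usable
# entry exists the subject DN is returned instead, mirroring the CN fallback
# of OpenSSL::SSL.verify_certificate_identity.
#
# @return [Array<String>] never empty
def acceptable_identities
  san = peer_cert.extensions.find { |ext| ext.oid == 'subjectAltName' }
  identities = san ? general_names(san).map { |name| identity_string(name) }.compact : []
  identities << peer_cert.subject.to_s if identities.empty?
  identities
end

# Decode the GeneralNames SEQUENCE wrapped in a subjectAltName extension.
# The extension DER is SEQUENCE { OID, [critical], OCTET STRING }; the OCTET
# STRING payload is itself the DER of the GeneralNames SEQUENCE.
# @param extension [OpenSSL::X509::Extension]
# @return [Array<OpenSSL::ASN1::ASN1Data>]
private def general_names(extension)
  octet_string = OpenSSL::ASN1.decode(extension.to_der).value.last
  OpenSSL::ASN1.decode(octet_string.value).value
end

# Render one GeneralName as a string, or nil when it has no plain-string form.
# @param general_name [OpenSSL::ASN1::ASN1Data]
# @return [String, nil]
private def identity_string(general_name)
  value = general_name.value
  return unless value.is_a?(String)

  # Context tag 7 is iPAddress (RFC 5280): network-order address bytes.
  return value unless general_name.tag == 7

  case value.bytesize
  when 4 then value.unpack('C4').join('.')
  when 16 then value.unpack('n8').map { |group| group.to_s(16) }.join(':')
  end
end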

#check_ocsp_status ⇒ Object



# File 'lib/riemann/tools/tls_check.rb', line 180

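# Ask the OCSP responder advertised by the peer certificate about the
# certificate and report the outcome as a string.
#
# The certificate following the leaf in the presented chain is taken to be
# its issuer. The response must (1) come back with a successful responder
# status, (2) verify against that issuer and the checker's trust store,
# (3) echo the nonce we sent or omit nonces altogether (responders that do
# not implement nonces are common and tolerated), (4) contain an answer for
# the certificate we asked about and (5) be within its thisUpdate/nextUpdate
# window. Only then is the certificate status consulted.
#
# @return [String] '' when the check could not be performed or the answer is
#   unusable (no issuer in the chain, no OCSP URI, non-successful responder
#   status, bad signature, nonce mismatch, no/stale single response);
#   'successful' when the certificate is reported good; 'revoked' or
#   'unknown' otherwise. #ocsp? is true for any non-empty value and
#   #valid_ocsp? only for 'successful'.
# @raise network errors from Net::HTTP (connection refused, timeouts) are not
#   caught here and propagate to the caller
def check_ocsp_status
  subject = peer_cert
  issuer = peer_cert_chain[1]
  return '' unless issuer

  ocsp_uri = ocsp_responder_uri(subject)
  return '' unless ocsp_uri

  # SHA-1 here only identifies the certificate to the responder (it is the
  # CertID hash every responder must support); it plays no part in the trust decision.
  digest = OpenSSL::Digest.new('SHA1')
  certificate_id = OpenSSL::OCSP::CertificateId.new(subject, issuer, digest)

  request = OpenSSL::OCSP::Request.new
  request.add_certid(certificate_id)
  request.add_nonce

  # OCSP is normally plain HTTP (the response is signed), but honour an https
  # URI if one is advertised. Timeouts keep a stalled responder from hanging
  # the whole check; they are not configurable through opts today.
  http_response = ::Net::HTTP.start(ocsp_uri.hostname, ocsp_uri.port,
                                    use_ssl: ocsp_uri.scheme == 'https',
                                    open_timeout: 10, read_timeout: 10) do |http|
    path = ocsp_uri.path.empty? ? '/' : ocsp_uri.path
    http.post(path, request.to_der, 'content-type' => 'application/ocsp-request')
  end

  response = OpenSSL::OCSP::Response.new(http_response.body)
  # basic is nil when the responder status is not "successful".
  response_basic = response.basic
  # The issuer is offered as a candidate signer; trust still comes from the store.
  return '' unless response_basic&.verify([issuer], @checker.store)

  # 1: nonce present and equal, -1: responder ignored our nonce. Anything
  # else (mismatch, or a nonce we never sent) means the answer was not made
  # for this request and could be a replay.
  return '' unless [1, -1].include?(request.check_nonce(response_basic))

  single = response_basic.find_response(certificate_id)
  # Allow 5 minutes of clock skew on thisUpdate/nextUpdate; no maximum age.
  return '' unless single&.check_validity(300)

  case single.cert_status
  when OpenSSL::OCSP::V_CERTSTATUS_GOOD then response.status_string
  when OpenSSL::OCSP::V_CERTSTATUS_REVOKED then 'revoked'
  else 'unknown'
  end
end

# Locate the OCSP responder URI in the certificate's authorityInfoAccess
# extension.
#
# @param certificate [OpenSSL::X509::Certificate]
# @return [URI, nil] nil when the certificate has no authorityInfoAccess
#   extension, the extension lists no OCSP access method, the OCSP entry
#   carries no URI, or the URI has no host
private def ocsp_responder_uri(certificate)
  aia = certificate.extensions.find { |extension| extension.oid == 'authorityInfoAccess' }
  return unless aia

  # OpenSSL renders the extension as one "METHOD - URI:..." line per entry.
  ocsp_entry = aia.value.split("\n").find { |description| description.start_with?('OCSP') }
  location = ocsp_entry && ocsp_entry[/URI:(.*)/, 1]
  return unless location

  responder = URI(location.strip)
  responder.hostname ? responder : nil
rescue URI::InvalidURIError
  nil
end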

#exception ⇒ Object



# File 'lib/riemann/tools/tls_check.rb', line 88

# Error recorded on the socket object, when it exposes one.
#
# A failed connection may be represented by an object that responds to
# +exception+ instead of a real SSL socket; for a plain socket there is
# nothing to report.
# @return [Exception, nil]
def exception
  socket = tls_socket
  return unless socket.respond_to?(:exception)

  socket.exception
end

#expire_soonish? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/riemann/tools/tls_check.rb', line 152

# True once less than two thirds of the renewal window remains before
# notAfter (or the certificate has already expired).
# @return [Boolean]
def expire_soonish?
  two_thirds_window = 2 * renewal_duration / 3
  not_after < utcnow + two_thirds_window
end

#expired? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/riemann/tools/tls_check.rb', line 156

# True when notAfter lies in the past (strictly before the current UTC time).
# @return [Boolean]
def expired?
  not_after < utcnow
end

#expired_or_expire_soon? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/riemann/tools/tls_check.rb', line 148

# True once less than one third of the renewal window remains before
# notAfter (or the certificate has already expired). Stricter than
# #expire_soonish?, which triggers at two thirds.
# @return [Boolean]
def expired_or_expire_soon?
  one_third_window = renewal_duration / 3
  not_after < utcnow + one_third_window
end

#not_after ⇒ Object



# File 'lib/riemann/tools/tls_check.rb', line 116

# notAfter of the peer certificate.
# @return [Time]
def not_after
  certificate = peer_cert
  certificate.not_after
end

#not_after_ago ⇒ Object



# File 'lib/riemann/tools/tls_check.rb', line 120

# Seconds from now until notAfter; negative once the certificate has expired
# (despite the name, this is "time until", not "time since").
# @return [Float]
def not_after_ago
  deadline = not_after
  now = utcnow
  deadline - now
end

#not_after_ago_in_words ⇒ Object



# File 'lib/riemann/tools/tls_check.rb', line 124

# Human-readable distance between now and notAfter, as produced by
# Utils#when_from_utcnow.
# @return [String]
def not_after_ago_in_words
  deadline = not_after
  when_from_utcnow(deadline)
end

#not_before ⇒ Object



# File 'lib/riemann/tools/tls_check.rb', line 128

# notBefore of the peer certificate.
# @return [Time]
def not_before
  certificate = peer_cert
  certificate.not_before
end

#not_before_away ⇒ Object



# File 'lib/riemann/tools/tls_check.rb', line 132

# Seconds elapsed since notBefore; negative while the certificate is not yet
# valid.
# @return [Float]
def not_before_away
  now = utcnow
  start = not_before
  now - start
end

#not_before_away_in_words ⇒ Object



# File 'lib/riemann/tools/tls_check.rb', line 136

# Human-readable distance between now and notBefore, as produced by
# Utils#when_from_utcnow.
# @return [String]
def not_before_away_in_words
  start = not_before
  when_from_utcnow(start)
end

#not_valid_yet? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/riemann/tools/tls_check.rb', line 112

# True while notBefore is still in the future (strictly after the current UTC
# time).
# @return [Boolean]
def not_valid_yet?
  not_before > utcnow
end

#ocsp? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/riemann/tools/tls_check.rb', line 172

# True when an OCSP status string was obtained at all (whatever it says);
# see #valid_ocsp? for "and it is good".
# @return [Boolean]
def ocsp?
  ocsp_status.length.positive?
end

#ocsp_status ⇒ Object



# File 'lib/riemann/tools/tls_check.rb', line 168

# Memoised result of #check_ocsp_status, so the responder is contacted at
# most once per result object (an exception from the check is not cached and
# the next call retries).
# @return [String]
def ocsp_status
  @ocsp_status || (@ocsp_status = check_ocsp_status)
end

#peer_cert ⇒ Object



# File 'lib/riemann/tools/tls_check.rb', line 80

# Leaf certificate presented by the peer, read from the socket.
# @return [OpenSSL::X509::Certificate]
def peer_cert
  socket = tls_socket
  socket.peer_cert
end

#peer_cert_chain ⇒ Object



# File 'lib/riemann/tools/tls_check.rb', line 84

# Certificate chain presented by the peer, leaf first, read from the socket.
# @return [Array<OpenSSL::X509::Certificate>]
def peer_cert_chain
  socket = tls_socket
  socket.peer_cert_chain
end

#renewal_duration ⇒ Object



# File 'lib/riemann/tools/tls_check.rb', line 144

# Length of the renewal window in seconds: a fraction
# (+opts[:renewal_duration_ratio]+) of the certificate lifetime, capped at
# +opts[:renewal_duration_days]+ days.
# @return [Numeric]
def renewal_duration
  opts = @checker.opts
  ratio_bound = validity_duration * opts[:renewal_duration_ratio]
  day_bound = opts[:renewal_duration_days] * 3600 * 24
  [ratio_bound, day_bound].min
end

#trusted? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/riemann/tools/tls_check.rb', line 164

# True when the socket's chain verification ended with X509_V_OK. This says
# nothing about the hostname; combine with #valid_identity? for that.
# @return [Boolean]
def trusted?
  result = verify_result
  result == OpenSSL::X509::V_OK
end

#valid_identity? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/riemann/tools/tls_check.rb', line 92

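# Whether the peer certificate is issued for the host named in #uri.
#
# The matching rules (dNSName / iPAddress SANs, wildcards, CN fallback) are
# those of OpenSSL::SSL.verify_certificate_identity. +uri.hostname+ is used
# rather than +uri.host+ so that an IPv6 literal is passed without its
# surrounding brackets; with the brackets it cannot parse as an address and
# could never match an iPAddress SAN. For every other URI the two are equal.
#
# @return [Boolean]
def valid_identity?
  OpenSSL::SSL.verify_certificate_identity(peer_cert, uri.hostname)
end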

#valid_ocsp? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/riemann/tools/tls_check.rb', line 176

# True only when the OCSP status string is exactly 'successful'; an empty
# string (no check possible) or any other status is not valid.
# @return [Boolean]
def valid_ocsp?
  ocsp_status.eql?('successful')
end

#validity_duration ⇒ Object



# File 'lib/riemann/tools/tls_check.rb', line 140

# Certificate lifetime in seconds (notAfter minus notBefore).
# @return [Float]
def validity_duration
  ends_at = not_after
  starts_at = not_before
  ends_at - starts_at
end

#verify_result ⇒ Object



# File 'lib/riemann/tools/tls_check.rb', line 160

# Raw X509 verification result code recorded on the socket (0 is X509_V_OK);
# see #trusted? for the boolean view.
# @return [Integer]
def verify_result
  socket = tls_socket
  socket.verify_result
end