ius/nagios/nagios-plugin-tlsa: comparison check

equal deleted inserted replaced

-:523934592a76
+:10ee65f99a7d
 my $VERSION = '0.1';
 my $blurb   = 'This Plugin is intendet to check TLSA Record';
 my $url     = 'https://schlittermann.de';
 my $author  = 'Heike Yvonne Pesch';
 my $email   = '<pesch@schlittermann.de>';
-my $extra   = LF.'Author: '.$author.' '.$email.LF
+my $extra =
-. 'For more information visit '.$url;
+LF
+. 'Author: '
+. $author . ' '
+. $email
+. LF
+. 'For more information visit '
+. $url;
 my $license = 'GPLv3';
-my $usage   = 'Usage: %s [ -v|--verbose ] [-H <host>] [-t <timeout>] '
+my $usage =
-. '[ -c|--critical=<critical threshold> ] '
+'Usage: %s [ -v|--verbose ] [-H <host>] [-t <timeout>] '
-. '[ -w|--warning=<warning threshold> ] '
+. '[ -c|--critical=<critical threshold> ] '
-. '[ -p|--port=<portnumber> ] '
+. '[ -w|--warning=<warning threshold> ] '
-. '[ -q|--queryserver=<DNS-Server-IP> ] ';
+. '[ -p|--port=<portnumber> ] '
+. '[ -q|--queryserver=<DNS-Server-IP> ] ';
 my $check_tlsa = Monitoring::Plugin->new(
 usage   => $usage,
 version => $VERSION,
 blurb   => $blurb,
 extra   => $extra,
 url     => $url,
 license => $license,
 plugin  => basename $0,
 timeout => 60,
 );
 $check_tlsa->add_arg(
-spec => 'host|H=s',
+spec     => 'host|H=s',
-help => q|Host/Domain to check|,
+help     => q|Host/Domain to check|,
 required => 0,
 );
 $check_tlsa->add_arg(
-spec => 'hostlist|f=s',
+spec     => 'hostlist|f=s',
-help => q|Host/Domainlist in file to check|,
+help     => q|Host/Domainlist in file to check|,
 required => 0,
 );
 $check_tlsa->add_arg(
-spec => 'expiry|e',
+spec     => 'expiry|e',
-help => q|check expiry of Certificate|,
+help     => q|check expiry of Certificate|,
 required => 0,
 );
 $check_tlsa->add_arg(
-spec      => 'port|p=i',
+spec     => 'port|p=i',
-help      => q|Port of Domain to check the TLSA (default: 443)|,
+help     => q|Port of Domain to check the TLSA (default: 443)|,
-required  => 0,
+required => 0,
-default   => 443,
+default  => 443,
 );
 $check_tlsa->add_arg(
 spec => 'queryserver|q=s',
-help => q|DNS Server to ask to check the TLSA (default: defined in resolve.conf)|,
+help =>
-required => 0,
+q|DNS Server to ask to check the TLSA (default: defined in resolve.conf)|,
-#default => '8.8.8.8',
+required => 0,
-);
+#default => '8.8.8.8',
-$check_tlsa->add_arg(
+);
-spec => 'protocol|P=s',
-help => q|DNS Server to ask to check the TLSA (default: tcp)|,
+$check_tlsa->add_arg(
-required => 0,
+spec     => 'protocol|P=s',
-default => 'tcp',
+help     => q|DNS Server to ask to check the TLSA (default: tcp)|,
+required => 0,
+default  => 'tcp',
 );
 $check_tlsa->getopts;
 my $domain     = $check_tlsa->opts->host;
 my $domainlist = $check_tlsa->opts->hostlist;
 my $expiry     = $check_tlsa->opts->expiry;
 if (!$domain && !$domainlist) {
-my $script  = basename $0;
+my $script = basename $0;
-my $excuse  = "Please set -H <domain> or -f <domainlist>\n"
+my $excuse = "Please set -H <domain> or -f <domainlist>\n"
 . "For all options try $script --help";
-print $excuse,LF;
+print $excuse, LF;
 exit 1;
 }
+my $port;
-my $port;
+my $cert;
-my $cert;
+my $check_date;
-my $check_date;
+if (defined $domainlist && -e $domainlist) {
-if ( defined $domainlist && -e $domainlist){
+print get_domains();
-print get_domains();
+}
-}
+else { print check_tlsa(); }
-else { print check_tlsa(); }
 sub check_tlsa {
-my $protocol    = $check_tlsa->opts->protocol;
+my $protocol = $check_tlsa->opts->protocol;
-$port = $check_tlsa->opts->port unless $port ;
+$port = $check_tlsa->opts->port unless $port;
 if ("$port" eq '25') {
-$cert  = "openssl s_client -starttls smtp -connect $domain:$port "
+$cert = "openssl s_client -starttls smtp -connect $domain:$port "
 . '< /dev/null 2>/dev/null';
 }
 else {
 #$port           = $check_tlsa->opts->port;
-$cert   = "openssl s_client -connect $domain:$port "
+$cert = "openssl s_client -connect $domain:$port "
 . '< /dev/null 2>/dev/null';
 }
-my $digquery        = "dig TLSA _$port._$protocol.$domain +short";
+my $digquery  = "dig TLSA _$port._$protocol.$domain +short";
-my $diganswer       = qx($digquery);
+my $diganswer = qx($digquery);
-my $dig             = substr($diganswer, 6, );
+my $dig       = substr($diganswer, 6,);
-$dig             =~ s/(\S*)\s+(\S*)$/$1$2/;
+$dig =~ s/(\S*)\s+(\S*)$/$1$2/;
 my $tlsa_usage      = substr($diganswer, 0, 1);
 my $tlsa_selector   = substr($diganswer, 2, 1);
 my $tlsa_match_type = substr($diganswer, 4, 1);
 my $hashit;
 for ($tlsa_match_type) {
-when('0') { die 'certs will be compared directly'}
+when ('0') { die 'certs will be compared directly' }
-when('1') {$hashit = 'sha256'}
+when ('1') { $hashit = 'sha256' }
-when('2') {$hashit = 'sha512'}
+when ('2') { $hashit = 'sha512' }
-default {$hashit = 'sha256'}
+default { $hashit = 'sha256' }
-};
+}
-my $gentlsa     = 'openssl x509  -pubkey | '
+my $gentlsa =
-. 'openssl rsa -pubin -inform PEM -outform DER 2>/dev/null| '
+'openssl x509  -pubkey | '
-. "openssl $hashit";
+. 'openssl rsa -pubin -inform PEM -outform DER 2>/dev/null| '
-my $certtlsa    = "$cert | $gentlsa";
+. "openssl $hashit";
+my $certtlsa = "$cert | $gentlsa";
-$check_date  = 'openssl x509 -noout -startdate -enddate';
-$check_date  = "$cert|$check_date";
+$check_date = 'openssl x509 -noout -startdate -enddate';
+$check_date = "$cert|$check_date";
 my $return;
 my $tlsa_record = qx($certtlsa) or die "nothing found!\n";
 $tlsa_record =~ s/^.*= (.*$)/$1/gi;
 $tlsa_record = uc($tlsa_record);
 if (defined $expiry) {
 print check_cert_expiry();
 }
 if ("$tlsa_record" eq "$dig") {
-#$return = "TLSA record is $tlsa_record and valid";
-#funktioniert nich nicht optimal mit  hostliste
+#$return = "TLSA record is $tlsa_record and valid";
-$return = $check_tlsa->plugin_exit(OK, "$domain: TLSA record is valid")
+#funktioniert nich nicht optimal mit  hostliste
-. "$domain: TLSA record is valid\n";
+$return = $check_tlsa->plugin_exit(OK, "$domain: TLSA record is valid")
-}
+. "$domain: TLSA record is valid\n";
-else {
+}
-$check_tlsa->plugin_exit(CRITICAL, "$domain: TLSA record NOT valid");
+else {
-}
+$check_tlsa->plugin_exit(CRITICAL, "$domain: TLSA record NOT valid");
-return $return;
+}
-#return $cert;
+return $return;
-}
+#return $cert;
+}
 sub get_domains {
 open(my $filehandle, '<', $domainlist);
 my $pattern = '^(?<domain>\S*\.[a-z]{2,4}?):{0,1}(?<port>[0-9]*$)';
 my %domain2check;
-while(<$filehandle>) {
+while (<$filehandle>) {
 if (/$pattern/ig) {
 $domain = $+{domain};
 $port   = $+{port};
-#print "nunu,file ok",LF,"port: $+{port}",LF,"domain: $+{domain}",LF;
-$domain2check{$domain} = $port;
+#print "nunu,file ok",LF,"port: $+{port}",LF,"domain: $+{domain}",LF;
+$domain2check{$domain} = $port;
+#print check_tlsa();
+}
+else {
-#print check_tlsa();
+die "wrong content";
 }
-else {
-die "wrong content";
+foreach my $key (%domain2check) {
-}
+$domain = $key;
+$port   = $domain2check{$key};
-foreach my $key (%domain2check)
+print $domain, ' ', $port, "\n";
-{
-$domain = $key;
+if ("$port" =~ /^\s*$/) { $port = '443'; }
-$port = $domain2check{$key};
+print $domain, ' ', $port, "\n";
-print $domain, ' ', $port,"\n";
+check_tlsa($domain, $port);
+}
-if ( "$port" =~ /^\s*$/) { $port = '443'; }
-print $domain, ' ', $port,"\n";
+}
-check_tlsa($domain,$port);
-}
-}
 }
 sub check_cert_expiry {
 my $return = qx($check_date);
 return $return;
 }

changeset 3	10ee65f99a7d
parent 2	523934592a76
child 4	6b7f69be290a