diff -r a2ce47570096 -r ebb775c59021 check_tlsa
--- a/check_tlsa	Wed May 11 23:41:32 2016 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,218 +0,0 @@
-#! /usr/bin/perl
-
-use strict;
-use warnings;
-use feature qw(switch say);
-use if $^V >= v5.020 => (experimental => qw(smartmatch));
-use experimental qw(smartmatch);
-use Monitoring::Plugin;
-use File::Basename;
-
-
-my $ME      = basename $0;
-my $VERSION = '0.1';
-my $blurb   = 'This Plugin is intendet to check validity of TLSA Record';
-my $url     = 'http://www.schlittermann.de';
-my $author  = 'Heike Yvonne Pesch';
-my $email   = '<pesch@schlittermann.de>';
-my $usage   = 'Usage: %s [ -v|--verbose ] [-H <host>] [-t <timeout>] '
-            . '[ -c|--critical=<critical threshold> ] '
-            . '[ -w|--warning=<warning threshold> ] '
-            . '[ -p|--port=<portnumber> ] '
-            . '[ -q|--queryserver=<DNS-Server-IP> ] ';
-my $extra   = <<_;
-
-NOTICE
-If you want to use a Hostlist, you have to put entrys like this:
-
-host
-host:port
-
-
-EXAMPLES
-$ME -H ssl.schlittermann.de 
-$ME -H hh.schlittermann.de -p25
-$ME -H hh.schlittermann.de:25
-$ME -f hostlist.txt
-
-Author: $author $email
-For more information visit $url
-_
-
-my $check_tlsa = Monitoring::Plugin->new(
-  usage   => $usage,
-  version => $VERSION,
-  blurb   => $blurb,
-  extra   => $extra,
-  url     => $url,
-  plugin  => $ME,
-  timeout => 120,
-);
-
-$check_tlsa->add_arg(
-  spec     => 'host|H=s',
-  help     => q|Host/Domain to check|,
-  required => 0,
-);
-
-$check_tlsa->add_arg(
-  spec     => 'hostlist|f=s',
-  help     => q|Host/Domainlist in file to check|,
-  required => 0,
-);
-
-$check_tlsa->add_arg(
-  spec     => 'expiry|e',
-  help     => q|check expiry of Certificate|,
-  required => 0,
-);
-
-$check_tlsa->add_arg(
-  spec     => 'port|p=i',
-  help     => q|Port of Domain to check the TLSA (default: 443)|,
-  required => 0,
-  default  => 443,
-);
-
-$check_tlsa->add_arg(
-  spec     => 'queryserver|q=s',
-  required => 0,
-  help     =>
-  q|DNS Server to ask to check the TLSA (default: defined in resolve.conf)|,
-
-);
-
-$check_tlsa->add_arg(
-  spec     => 'protocol|P=s',
-  help     => q|Protocol to ask to check the TLSA record of domain (default: tcp)|,
-  required => 0,
-  default  => 'tcp',
-);
-
-$check_tlsa->getopts;
-
-my $domain     = $check_tlsa->opts->host;
-my $domainlist = $check_tlsa->opts->hostlist;
-my $expiry     = $check_tlsa->opts->expiry;
-
-
-if (!$domain && !$domainlist) {
-    my $script = basename $0;
-    my $excuse = "Please set -H <domain> or -f <domainlist>\n"
-    . "For all options try $script --help";
-
-    say $excuse;
-    exit 1;
-}
-
-my $port;
-my $cert;
-my $check_date;
-my $pattern = '^(?<domain>\S*\.[a-z]{2,4}?):{0,1}(?<port>[0-9]*$)';
-
-# @TODO find better way
-# nearly the same check is defined in get_domains
-if ( defined $domain && $domain =~ /$pattern/) {
-  $domain = $+{domain};
-  $port   = $+{port};
-}
-
-if ( defined $domainlist && $domainlist ne '' && -e $domainlist) {
-    say get_domains();
-}
-else { say check_tlsa(); }
-
-sub check_tlsa {
-    my $protocol = $check_tlsa->opts->protocol;
-
-    $port = $check_tlsa->opts->port unless $port;
-
-    if ("$port" eq '25') {
-        $cert = "openssl s_client -starttls smtp -connect $domain:$port "
-        . '< /dev/null 2>/dev/null';
-    }
-    else {
-        $cert = "openssl s_client -connect $domain:$port "
-        . '< /dev/null 2>/dev/null';
-    }
-
-    my $digquery        = "dig TLSA _$port._$protocol.$domain +short";
-    my $diganswer       = qx($digquery);
-    my $tlsa_usage      = substr($diganswer, 0, 1);
-    my $tlsa_selector   = substr($diganswer, 2, 1);
-    my $tlsa_match_type = substr($diganswer, 4, 1);
-    my $dig_tlsa        = substr($diganswer, 6,);
-    my $valid_date      = '';
-    my $hashit;
-
-    $dig_tlsa =~ s/(\S*)\s+(\S*)$/$1$2/;
-
-    for ($tlsa_match_type) {
-        when ('0') { die 'certs will be compared directly' }
-        when ('1') { $hashit = 'sha256' }
-        when ('2') { $hashit = 'sha512' }
-        default { $hashit = 'sha256' }
-    }
-
-    my $gentlsa = 'openssl x509  -pubkey | '
-       . 'openssl rsa -pubin -inform PEM -outform DER 2>/dev/null| '
-       . "openssl $hashit";
-    my $certtlsa = "$cert | $gentlsa";
-
-    $check_date = 'openssl x509 -noout -startdate -enddate';
-    $check_date = "$cert|$check_date";
-
-    my $return;
-
-    my $tlsa_record = qx($certtlsa) or die "nothing found!\n";
-    $tlsa_record =~ s/^.*= (.*$)/$1/gi;
-    $tlsa_record = uc($tlsa_record);
-
-    if (defined $expiry) {
-        $valid_date = check_cert_expiry();
-    }
-
-    if ($valid_date ne '') {
-      $valid_date = "\n$valid_date";
-    }
-
-    if ("$tlsa_record" eq "$dig_tlsa") {
-
-      #this way the script exit when file is given :(
-      #$return = $check_tlsa->plugin_exit(OK, "$domain: TLSA record is valid")
-      #  . "$domain: TLSA record is valid";
-
-      #this way it's behaves like I want it to
-      $return = "OK, $domain: TLSA record is valid $valid_date";
-    }
-    else {
-      #$check_tlsa->plugin_exit(CRITICAL, "$domain: TLSA record NOT valid");
-      $return = "CRITICAL, $domain: TLSA record is NOT valid";
-    }
-    say $return;
-}
-
-sub get_domains {
-    open(my $filehandle, '<', $domainlist);
-
-    my $pattern = '^(?<domain>\S*\.[a-z]{2,4}?):{0,1}(?<port>[0-9]*$)';
-    while (<$filehandle>) {
-        if (/$pattern/ig) {
-            $domain = $+{domain};
-
-            if ("$+{port}" =~ /^\s*$/) { $port = '443'; }
-            else { $port   = $+{port}; }
-
-            check_tlsa($domain, $port);
-        }
-        else {
-            die "$domainlist has wrong or malformed content\n";
-        }
-
-    }
-}
-
-sub check_cert_expiry {
-    my $return = qx($check_date);
-    return $return;
-}