# HG changeset patch
# User pesch
# Date 1464720652 -7200
# Node ID a8b89fc55a3081cc00cdd3c80076e5c540605cf8
# Parent f5593514ab448fc83e6c76b4dfdee59e70b94338
first tests + Warnings when no SSL-Cert is available or dig does not return TLSA
diff -r f5593514ab44 -r a8b89fc55a30 lib/Nagios/Check/DNS/check_tlsa_record.pm
--- a/lib/Nagios/Check/DNS/check_tlsa_record.pm Tue May 31 16:47:06 2016 +0200
+++ b/lib/Nagios/Check/DNS/check_tlsa_record.pm Tue May 31 20:50:52 2016 +0200
@@ -35,6 +35,10 @@
 my $protocol = shift // 'tcp';
 my $query = "dig tlsa _$port._$protocol.$domain +short";
 my $dig_return = qx($query);
+
+ if ($dig_return eq '') {
+ $dig_return = "No TLSA Record for $domain:$port";
+ }
 return $dig_return;
 }
@@ -52,7 +56,7 @@
 $query = "openssl s_client -connect $domain:$port";
 }
- my $same = "< /dev/null 2>/dev/null | openssl x509 -out $tempfile";
+ my $same = "< /dev/null 2>/dev/null | openssl x509 -out $tempfile 2>&1";
 $query = "$query $same";
 $cert = qx($query);
@@ -126,12 +130,21 @@
 my $protocol = shift;
 my $cert = get_cert($domain, $port);
 my $dig_return = dig_tlsa($domain, $port, $protocol);
+
+ if ($cert =~ /.*unable to load certificate.*/) {
+ return "WARNING: No SSL-Certificate for $domain:$port";
+ }
+ if ($dig_return =~ /no tlsa.*$/gi) {
+ return "WARNING: $dig_return";
+ }
+
 my $dig_tlsa = get_dig_tlsa_record($dig_return);
 my $cert_tlsa = get_tlsa_from_cert($cert);
 if ("$dig_tlsa" ne "$cert_tlsa") {
 return "CRITICAL: TLSA Record for $domain:$port is not valid";
 }
+ return "OK: TLSA Record for $domain:$port is valid";
 }
diff -r f5593514ab44 -r a8b89fc55a30 t/check_tlsa_record.t
--- a/t/check_tlsa_record.t Tue May 31 16:47:06 2016 +0200
+++ b/t/check_tlsa_record.t Tue May 31 20:50:52 2016 +0200
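Review bot: The new `eq ''` test cannot tell "dig answered with no record" from "dig failed or timed out", and when the command cannot be started at all `qx` returns undef, so the comparison itself warns under `use warnings`; both cases currently become a "No TLSA Record" WARNING. Check the status first, `if ($? != 0 || !defined $dig_return || $dig_return eq '')`, and consider reporting a non-zero `$?` as a lookup failure distinct from an empty answer. The interpolated `dig tlsa _$port._$protocol.$domain +short` on the context line above is run through the shell; the list form `open my $fh, '-|', 'dig', 'tlsa', "_$port._$protocol.$domain", '+short'` runs dig without a shell and is the usual fix where these arguments arrive from plugin options (their origin is not visible here). The enclosing subroutine (presumably dig_tlsa) starts above the hunk.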
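Review bot: The added `2>&1` folds openssl x509's stderr into `$cert` so that its error text can be pattern-matched later, but that also sends any other stderr noise from x509 into the value handed to `get_tlsa_from_cert`, and matching on a message string ties the check to one OpenSSL version and locale. After `$cert = qx($query);` (the last context line) `$?` holds the pipeline's exit status — x509's, as the last command in the pipe — so an `if ($? != 0) { ... }` there, returning a distinguishable error value, detects the failure without parsing stderr. The visible `openssl s_client -connect $domain:$port` also passes no `-servername $domain`, so a server hosting several names may return its default certificate and produce a false CRITICAL; the other branch of that `if` lies outside the hunk, so check it as well. The enclosing subroutine (presumably get_cert) starts and ends outside the hunk.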
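Review bot: The dig branch recovers the sentinel that dig_tlsa substitutes for empty output by matching `/no tlsa.*$/gi`, where `/g` makes a scalar-context match stateful (pos() stays set on `$dig_return`) and `.*$` contributes nothing; if dig_tlsa returned the raw output, main could test it directly with `if (!defined $dig_return || $dig_return !~ /\S/) { return "WARNING: No TLSA Record for $domain:$port"; }` instead of parsing a message. Likewise `/.*unable to load certificate.*/` keys on OpenSSL's wording, and its leading and trailing `.*` are no-ops. The new OK line declares the record valid, yet the lookup built in hunk 1 (`dig tlsa ... +short`) neither requests DNSSEC (`+dnssec`) nor inspects the AD flag, so what has been established is only that an unvalidated answer agrees with the served certificate; say so in the plugin output or POD until validation status is checked. main() starts above the hunk.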
@@ -3,27 +3,29 @@
 use strict;
 use warnings;
 use Test::More qw(no_plan);
-use Test::Exception;
+
+BEGIN { use_ok('Nagios::Check::DNS::check_tlsa_record') };
+
+require_ok('Nagios::Check::DNS::check_tlsa_record');
-BEGIN { use_ok 'Nagios::Check::DNS::check_tlsa_record' => qw(dig_tlsa) };
+my $domain = 'ssl.schlittermann.de';
+
+#Test main()
+my $test_main_no_port = Nagios::Check::DNS::check_tlsa_record::main(($domain));
+like($test_main_no_port, qr(OK: .* is valid), 'main() no port');
-dies_ok { dig_tlsa('ssl.schlittermann.de') } 'dies on missing port number';
+my $test_main_no_tlsa = Nagios::Check::DNS::check_tlsa_record::main(('hh.schlittermann.de'));
+like($test_main_no_tlsa, qr(WARNING: .*), 'main() no SSL-Cert or no tlsa to dig');
-foreach (['ssl.schlittermann.de' => 443], ['mx1.mailbox.org' => 25]) {
- my ($host, $port) = @$_;
- is dig_tlsa($host, $port), `dig tlsa _$port._tcp.$host +short` => "TLSA for _$port._tcp.$host";
-}
+my $test_main_domain_and_port = Nagios::Check::DNS::check_tlsa_record::main(('hh.schlittermann.de', 25));
+like($test_main_domain_and_port, qr(OK: .* is valid), 'main() domain and port');
+
+my $test_main_domain_protocol_port = Nagios::Check::DNS::check_tlsa_record::main(('hh.schlittermann.de', 25, 'tcp'));
+like($test_main_domain_protocol_port, qr(OK: .* is valid), 'main() domain, protocol and port');
+
+
 #@TODO write tests
-#my $return = Nagios::Check::DNS::check_tlsa_record::main(($domain, $port));
-#say $return;
-
-#my $return = Nagios::Check::DNS::check_tlsa_record::main();
-#say $return;
-
-#my $return5 = Nagios::Check::DNS::check_tlsa_record::main(qw(hh.schlittermann.de 25 tcp));
-#say $return5;
-
 #my $return2 = Nagios::Check::DNS::check_tlsa_record::dig_tlsa(qw(hh.schlittermann.de 25 udp));
 #say $return2;
 #
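Review bot: Every new assertion talks to live DNS and to TLS endpoints at `ssl.schlittermann.de` and `hh.schlittermann.de`, so the file fails offline and whenever those third-party records or certificates change, and `like($test_main_no_tlsa, qr(WARNING: .*), ...)` pins a property of that host (no certificate or no TLSA on the default port) rather than of the code. Guard the network cases with something like `plan skip_all => 'network tests disabled' unless $ENV{TLSA_LIVE_TESTS};` (an example variable name; this needs a bare `use Test::More;` rather than `qw(no_plan)`, which already plans) so a default `prove` stays deterministic; the module as shown offers no way to inject the dig/openssl commands, which genuine offline tests would need. Smaller points: `use_ok` followed by `require_ok` of the same module adds no coverage, the inner parentheses in `main(($domain))` are redundant, `qr(WARNING: .*)` accepts exactly what `qr(WARNING: )` accepts, and `use Test::More qw(no_plan)` is better replaced by a closing `done_testing;`.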