158 lines
4.4 KiB
Go
158 lines
4.4 KiB
Go
package checker
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
sdk "git.happydns.org/checker-sdk-go/checker"
|
|
)
|
|
|
|
// TLSRelatedKey is the observation key a TLS checker publishes for the
|
|
// endpoints we discover. Matches the convention used by checker-xmpp and
|
|
// documented in the happyDomain plan.
|
|
const TLSRelatedKey sdk.ObservationKey = "tls_probes"
|
|
|
|
// tlsProbeView is the permissive local view of a TLS checker payload.
|
|
type tlsProbeView struct {
|
|
Host string `json:"host,omitempty"`
|
|
Port uint16 `json:"port,omitempty"`
|
|
Endpoint string `json:"endpoint,omitempty"`
|
|
TLSVersion string `json:"tls_version,omitempty"`
|
|
CipherSuite string `json:"cipher_suite,omitempty"`
|
|
HostnameMatch *bool `json:"hostname_match,omitempty"`
|
|
ChainValid *bool `json:"chain_valid,omitempty"`
|
|
NotAfter time.Time `json:"not_after,omitempty"`
|
|
Issues []struct {
|
|
Code string `json:"code"`
|
|
Severity string `json:"severity"`
|
|
Message string `json:"message,omitempty"`
|
|
Fix string `json:"fix,omitempty"`
|
|
} `json:"issues,omitempty"`
|
|
}
|
|
|
|
// address returns the canonical "host:port" used as the matching key.
|
|
func (v *tlsProbeView) address() string {
|
|
if v.Endpoint != "" {
|
|
return v.Endpoint
|
|
}
|
|
if v.Host != "" && v.Port != 0 {
|
|
return net.JoinHostPort(v.Host, strconv.Itoa(int(v.Port)))
|
|
}
|
|
return ""
|
|
}
|
|
|
|
// parseTLSRelated decodes a RelatedObservation as a TLS probe, tolerating
|
|
// the two payload shapes the TLS checker produces ({"probes": {<ref>:…}}
|
|
// or a single top-level object).
|
|
func parseTLSRelated(r sdk.RelatedObservation) *tlsProbeView {
|
|
var keyed struct {
|
|
Probes map[string]tlsProbeView `json:"probes"`
|
|
}
|
|
if err := json.Unmarshal(r.Data, &keyed); err == nil && keyed.Probes != nil {
|
|
if p, ok := keyed.Probes[r.Ref]; ok {
|
|
return &p
|
|
}
|
|
return nil
|
|
}
|
|
var v tlsProbeView
|
|
if err := json.Unmarshal(r.Data, &v); err != nil {
|
|
return nil
|
|
}
|
|
return &v
|
|
}
|
|
|
|
// tlsIssuesFromRelated converts downstream TLS observations into Issue
|
|
// entries that slot into our own aggregation. See the matching function
|
|
// in checker-xmpp for the design rationale.
|
|
func tlsIssuesFromRelated(related []sdk.RelatedObservation) []Issue {
|
|
var out []Issue
|
|
for _, r := range related {
|
|
v := parseTLSRelated(r)
|
|
if v == nil {
|
|
continue
|
|
}
|
|
addr := v.address()
|
|
if len(v.Issues) > 0 {
|
|
for _, is := range v.Issues {
|
|
sev := strings.ToLower(is.Severity)
|
|
switch sev {
|
|
case SeverityCrit, SeverityWarn, SeverityInfo:
|
|
default:
|
|
continue
|
|
}
|
|
code := is.Code
|
|
if code == "" {
|
|
code = "tls.unknown"
|
|
}
|
|
out = append(out, Issue{
|
|
Code: "smtp.tls." + code,
|
|
Severity: sev,
|
|
Message: strings.TrimSpace("TLS on " + addr + ": " + is.Message),
|
|
Fix: is.Fix,
|
|
Endpoint: addr,
|
|
})
|
|
}
|
|
continue
|
|
}
|
|
sev := v.worstSeverity()
|
|
if sev == "" {
|
|
continue
|
|
}
|
|
msg := "TLS issue reported on " + addr
|
|
switch {
|
|
case v.ChainValid != nil && !*v.ChainValid:
|
|
msg = "Invalid certificate chain on " + addr
|
|
case v.HostnameMatch != nil && !*v.HostnameMatch:
|
|
msg = "Certificate does not cover the MX hostname on " + addr
|
|
case !v.NotAfter.IsZero() && time.Until(v.NotAfter) < 0:
|
|
msg = "Certificate expired on " + addr + " (" + v.NotAfter.Format(time.RFC3339) + ")"
|
|
case !v.NotAfter.IsZero() && time.Until(v.NotAfter) < 14*24*time.Hour:
|
|
msg = "Certificate expiring soon on " + addr + " (" + v.NotAfter.Format(time.RFC3339) + ")"
|
|
}
|
|
out = append(out, Issue{
|
|
Code: "smtp.tls.probe",
|
|
Severity: sev,
|
|
Message: msg,
|
|
Fix: "See the TLS checker report for details.",
|
|
Endpoint: addr,
|
|
})
|
|
}
|
|
return out
|
|
}
|
|
|
|
// worstSeverity returns "crit" > "warn" > "info" across the TLS issues.
|
|
func (v *tlsProbeView) worstSeverity() string {
|
|
worst := ""
|
|
for _, is := range v.Issues {
|
|
switch strings.ToLower(is.Severity) {
|
|
case SeverityCrit:
|
|
return SeverityCrit
|
|
case SeverityWarn:
|
|
if worst != SeverityCrit {
|
|
worst = SeverityWarn
|
|
}
|
|
case SeverityInfo:
|
|
if worst == "" {
|
|
worst = SeverityInfo
|
|
}
|
|
}
|
|
}
|
|
if v.ChainValid != nil && !*v.ChainValid {
|
|
return SeverityCrit
|
|
}
|
|
if v.HostnameMatch != nil && !*v.HostnameMatch {
|
|
return SeverityCrit
|
|
}
|
|
if !v.NotAfter.IsZero() && time.Until(v.NotAfter) < 0 {
|
|
return SeverityCrit
|
|
}
|
|
if !v.NotAfter.IsZero() && time.Until(v.NotAfter) < 14*24*time.Hour {
|
|
if worst != SeverityCrit {
|
|
return SeverityWarn
|
|
}
|
|
}
|
|
return worst
|
|
}
|