diff --git a/changes.md b/changes.md index 5804cf7..f327db8 100644 --- a/changes.md +++ b/changes.md @@ -1,12 +1,8 @@ # change log -## version 0.3.3 2023-08-04 - -* fix starttls behaviour with Python 3.11 - ## version 0.3.2 2021-03-07 -* remove broken CA certificate statistics +* remove brokebn CA certificate statistics ## version 0.3.1 2019-06-23 diff --git a/check_xmppng b/check_xmppng index 150540e..0d08786 100755 --- a/check_xmppng +++ b/check_xmppng @@ -33,6 +33,7 @@ import nagiosplugin __author__ = "Jan Dittberner" __version__ = "0.3.2" + NS_IETF_XMPP_SASL = 'urn:ietf:params:xml:ns:xmpp-sasl' NS_IETF_XMPP_TLS = 'urn:ietf:params:xml:ns:xmpp-tls' NS_IETF_XMPP_STREAMS = 'urn:ietf:params:xml:ns:xmpp-streams' @@ -54,14 +55,10 @@ class XmppException(Exception): Custom exception class. """ - def __init__(self, message): self.message = message super(XmppException, self).__init__() - def __str__(self): - return self.message - class XmppStreamError(object): """ @@ -72,7 +69,7 @@ class XmppStreamError(object): text = None other_elements = {} - def __str__(self): + def str(self): if self.text: return "{condition}: {text}".format( condition=self.condition, text=self.text) @@ -87,13 +84,12 @@ class XmppResponseHandler(ContentHandler): seen_elements = set() mechanisms = [] starttls = False - tls_required = False + tlsrequired = False capabilities = {} state = XMPP_STATE_NEW - stream_info = None - error_instance = None + streaminfo = None - in_elem = [] + inelem = [] level = 0 def __init__(self, expect_starttls): 
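Review bot: With `__str__` gone from `XmppException` while `super(XmppException, self).__init__()` is still called without arguments, `str(exc)` is the empty string, so the text given to every `raise XmppException("…")` in this file is lost wherever the exception is printed or logged. Passing the message through to the base class, `super(XmppException, self).__init__(message)`, restores the message and keeps `self.args` populated. The `XmppStreamError` class that opens at the end of the hunk continues outside it.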
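Review bot: Renaming `__str__` to `def str(self):` in `XmppStreamError` disconnects it from string formatting: the handler's end-element code (a later hunk) builds its message with `"XMPP stream error: {error}".format(error=self.errorinstance)`, which now formats the default object repr, so the stream condition and text never reach the plugin output. The new name also rebinds `str` inside the class body. The method should keep its dunder name, `def __str__(self):`; the remainder of its body lies past the hunk.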
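Review bot: The renamed `inelem = []` keeps the element stack as a class-level mutable, next to `seen_elements = set()`, `mechanisms = []` and `capabilities = {}`; unless `__init__` (whose body lies outside the hunk) rebinds them per instance, every `XmppResponseHandler` shares one list, and the second handler created after STARTTLS would inherit the pre-TLS stream's mechanisms and element stack. Binding them in `__init__`, e.g. `self.inelem = []`, keeps each handler's state to itself. Dropping the `error_instance = None` default also leaves `errorinstance` unset until a `stream:error` element arrives, which is only safe as long as the other handlers keep touching it in the error state alone.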
@@ -101,35 +97,35 @@ class XmppResponseHandler(ContentHandler): super(XmppResponseHandler, self).__init__() def startElementNS(self, name, qname, attrs): - self.in_elem.append(name) + self.inelem.append(name) self.seen_elements.add(name) if name == (NS_ETHERX_STREAMS, 'stream'): self.state = XMPP_STATE_STREAM_START - self.stream_info = dict([ + self.streaminfo = dict([ (qname, attrs.getValueByQName(qname)) for qname in attrs.getQNames()]) elif name == (NS_IETF_XMPP_TLS, 'starttls'): self.starttls = True elif ( - self.in_elem[-2] == (NS_IETF_XMPP_TLS, 'starttls') and - name == (NS_IETF_XMPP_TLS, 'required') + self.inelem[-2] == (NS_IETF_XMPP_TLS, 'starttls') and + name == (NS_IETF_XMPP_TLS, 'required') ): - self.tls_required = True + self.tlsrequired = True _LOG.info("info other side requires TLS") elif name == (NS_JABBER_CAPS, 'c'): for qname in attrs.getQNames(): self.capabilities[qname] = attrs.getValueByQName(qname) elif name == (NS_ETHERX_STREAMS, 'error'): self.state = XMPP_STATE_ERROR - self.error_instance = XmppStreamError() + self.errorinstance = XmppStreamError() elif ( - self.state == XMPP_STATE_ERROR and - name != (NS_IETF_XMPP_STREAMS, 'text') + self.state == XMPP_STATE_ERROR and + name != (NS_IETF_XMPP_STREAMS, 'text') ): if name[0] == NS_IETF_XMPP_STREAMS: - self.error_instance.condition = name[1] + self.errorinstance.condition = name[1] else: - self.error_instance.other_elements[name] = {'attrs': dict([ + self.errorinstance.other_elements[name] = {'attrs': dict([ (qname, attrs.getValueByQName(qname)) for qname in attrs.getQNames() ])} 
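Review bot: The renamed `self.streaminfo = dict([ (qname, attrs.getValueByQName(qname)) for qname in attrs.getQNames()])` and the matching `{'attrs': dict([...])}` for `other_elements` build a list only to turn it into a dict; a dict comprehension, `self.streaminfo = {qname: attrs.getValueByQName(qname) for qname in attrs.getQNames()}`, says the same without the intermediate list. Separately, `self.inelem[-2]` in the `required` branch is evaluated for every element that is neither the stream root nor `starttls`, so a response whose first element is something else would raise IndexError rather than an `XmppException`; prefixing the condition with `len(self.inelem) > 1 and` keeps unexpected server input from ending the check with a traceback. `startElementNS` continues past the hunk.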
@@ -142,25 +138,25 @@ class XmppResponseHandler(ContentHandler): self.state = XMPP_STATE_FINISHED elif name == (NS_ETHERX_STREAMS, 'error'): raise XmppException("XMPP stream error: {error}".format( - error=self.error_instance)) + error=self.errorinstance)) elif name == (NS_IETF_XMPP_TLS, 'proceed'): self.state = XMPP_STATE_PROCEED_STARTTLS elif name == (NS_IETF_XMPP_TLS, 'failure'): raise XmppException("starttls initiation failed") _LOG.debug('end %s', name) - del self.in_elem[-1] + del self.inelem[-1] def characters(self, content): - elem = self.in_elem[-1] + elem = self.inelem[-1] if elem == (NS_IETF_XMPP_SASL, 'mechanism'): self.mechanisms.append(content) elif self.state == XMPP_STATE_ERROR: if elem == (NS_IETF_XMPP_STREAMS, 'text'): - self.error_instance.text = content + self.errorinstance.text = content else: - self.error_instance.other_elements[elem]['text'] = content + self.errorinstance.other_elements[elem]['text'] = content else: - _LOG.warning('ignored content in %s: %s', self.in_elem, content) + _LOG.warning('ignored content in %s: %s', self.inelem, content) def is_valid_start(self): if not self.state == XMPP_STATE_RECEIVED_FEATURES: 
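Review bot: `self.errorinstance.other_elements[elem]['text'] = content` in `characters()` indexes `other_elements` with whatever element is current, but `startElementNS` (earlier hunk) only adds entries for elements outside the `urn:ietf:params:xml:ns:xmpp-streams` namespace; the `stream:error` element itself and the condition element are never added, so whitespace or text inside them (a pretty-printed error) raises KeyError instead of producing the error message. `self.errorinstance.other_elements.setdefault(elem, {})['text'] = content` records the text without the crash. `characters` ends within the hunk; `endElementNS` starts before it.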
@@ -168,43 +164,14 @@ class XmppResponseHandler(ContentHandler): if self.expect_starttls is True and self.starttls is False: raise XmppException('expected STARTTLS capable service') if ( - 'version' not in self.stream_info or - self.stream_info['version'] != '1.0' + 'version' not in self.streaminfo or + self.streaminfo['version'] != '1.0' ): _LOG.warning( - 'unknown stream version %s', self.stream_info['version']) + 'unknown stream version %s', self.streaminfo['version']) return True -def open_socket(addrinfo): - """ - Open a client socket based on information in the addrinfo list of - tuples. - - """ - new_socket = None - - for res in addrinfo: - af, socktype, proto, canonname, sa = res - try: - new_socket = socket.socket(af, socktype, proto) - except socket.error: - new_socket = None - continue - try: - new_socket.connect(sa) - except socket.error: - new_socket.close() - new_socket = None - continue - break - - if new_socket is None: - raise XmppException("could not open socket") - - return new_socket - - class Xmpp(nagiosplugin.Resource): """ Xmpp resource. @@ -213,13 +180,11 @@ class Xmpp(nagiosplugin.Resource): state = nagiosplugin.Unknown cause = None socket = None - days_left = None - parser = None - content_handler = None + daysleft = None def __init__( - self, host_address, port, ipv6, is_server, starttls, - servername, checkcerts, caroots + self, host_address, port, ipv6, is_server, starttls, + servername, checkcerts, caroots ): self.address = host_address self.port = port @@ -227,8 +192,8 @@ class Xmpp(nagiosplugin.Resource): self.is_server = is_server self.starttls = starttls self.servername = servername - self.check_certs = checkcerts - self.ca_roots = caroots + self.checkcerts = checkcerts + self.caroots = caroots self.make_parser() self.set_content_handler() 
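Review bot: In `is_valid_start`, the warning `_LOG.warning('unknown stream version %s', self.streaminfo['version'])` runs for both halves of the `or`, so when `'version' not in self.streaminfo` is the true branch the log call itself raises KeyError, turning a missing version attribute into a traceback instead of the intended warning. Using `self.streaminfo.get('version')` as the log argument keeps the warning for both cases. `is_valid_start` begins before this hunk.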
@@ -245,28 +210,53 @@ class Xmpp(nagiosplugin.Resource): Set the XMPP SAX content handler. """ - self.content_handler = XmppResponseHandler( + self.contenthandler = XmppResponseHandler( expect_starttls=self.starttls) - self.parser.setContentHandler(self.content_handler) + self.parser.setContentHandler(self.contenthandler) - def get_addr_info(self): + def get_addrinfo(self): """ Perform the DNS lookup and return a list of potential socket address tuples as returned by :py:method:`socket.getaddrinfo`. """ if self.ipv6 is None: - addr_family = 0 + addrfamily = 0 elif self.ipv6 is True: - addr_family = socket.AF_INET6 + addrfamily = socket.AF_INET6 else: - addr_family = socket.AF_INET + addrfamily = socket.AF_INET return socket.getaddrinfo( - self.address, self.port, addr_family, socket.SOCK_STREAM, + self.address, self.port, addrfamily, socket.SOCK_STREAM, socket.IPPROTO_TCP) + self.result = nagiosplugin.Critical + + def open_socket(self, addrinfo): + """ + Open a client socket based on information in the addrinfo list of + tuples. + + """ + for res in addrinfo: + af, socktype, proto, canonname, sa = res + try: + s = socket.socket(af, socktype, proto) + except socket.error: + s = None + continue + try: + s.connect(sa) + except socket.error: + s.close() + s = None + continue + break + if s is None: + raise XmppException("could not open socket") + return s def handle_xmpp_stanza( - self, message_str, timeout=0.1, expected_state=None + self, message_str, timeout=0.1, expected_state=None ): """ Handle a single XMPP message. 
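Review bot: The new `open_socket` method reads `s` after the loop, but `s` is only bound inside it, so an empty `addrinfo` list raises UnboundLocalError at `if s is None:` instead of the intended `XmppException("could not open socket")`; the module-level function this replaces initialised the variable first, and `s = None` ahead of `for res in addrinfo:` restores that. The added `self.result = nagiosplugin.Critical` sits directly after `return socket.getaddrinfo(...)` in `get_addrinfo`, where it is unreachable, or, if its indentation (not recoverable as rendered) puts it at class level, a stray class attribute; it should be dropped or moved next to the code that actually decides the result. `handle_xmpp_stanza`, whose signature closes the hunk, continues past it.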
@@ -293,28 +283,37 @@ class Xmpp(nagiosplugin.Resource): chunks.append(data) else: break - xml_text = b''.join(chunks).decode('utf-8') - _LOG.debug("read %s", xml_text) - self.parser.feed(xml_text) + xmltext = b''.join(chunks).decode('utf-8') + _LOG.debug("read %s", xmltext) + self.parser.feed(xmltext) if ( - expected_state is not None and - self.content_handler.state != expected_state + expected_state is not None and + self.contenthandler.state != expected_state ): raise XmppException( - "unexpected state %s" % self.content_handler.state) + "unexpected state %s" % self.contenthandler.state) def start_stream(self): """ Start a XMPP conversation with the server. """ - namespace = "jabber:server" if self.is_server else "jabber:client" - - self.handle_xmpp_stanza( - f"", - expected_state=XMPP_STATE_RECEIVED_FEATURES - ) + if self.is_server: + self.handle_xmpp_stanza(( + "" + ).format(servername=self.servername), + expected_state=XMPP_STATE_RECEIVED_FEATURES) + else: + self.handle_xmpp_stanza(( + "" + ).format(servername=self.servername), + expected_state=XMPP_STATE_RECEIVED_FEATURES) def setup_ssl_context(self): """ @@ -322,16 +321,17 @@ class Xmpp(nagiosplugin.Resource): """ context = ssl.create_default_context() - if not self.check_certs: + context.options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 + if not self.checkcerts: context.check_hostname = False context.verify_mode = ssl.CERT_NONE else: context.verify_mode = ssl.CERT_REQUIRED - if self.ca_roots: - if os.path.isfile(self.ca_roots): - kwargs = {'cafile': self.ca_roots} + if self.caroots: + if os.path.isfile(self.caroots): + kwargs = {'cafile': self.caroots} else: - kwargs = {'capath': self.ca_roots} + kwargs = {'capath': self.caroots} context.load_verify_locations(**kwargs) else: context.load_default_certs() 
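Review bot: `start_stream` now repeats the `handle_xmpp_stanza(...)` call, the `.format(servername=self.servername)` and `expected_state=XMPP_STATE_RECEIVED_FEATURES` in both branches of `if self.is_server:` when only the stanza literal differs; selecting the literal first and making a single call keeps the two branches from drifting apart. As rendered here the stanza literals show as empty strings, so their contents could not be reviewed.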
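Review bot: `context.options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` in `setup_ssl_context` assigns instead of ORing, which replaces the option set that `ssl.create_default_context()` had already installed (among them `OP_NO_COMPRESSION`) with just these two bits, so the added line weakens the context it means to harden. `context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` preserves the defaults, and on Python 3.7+ `context.minimum_version = ssl.TLSVersion.TLSv1_2` is the supported way to set a protocol floor, the `OP_NO_*` constants being deprecated there. `setup_ssl_context` returns the context past the end of the hunk.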
@@ -346,22 +346,21 @@ class Xmpp(nagiosplugin.Resource): """ _LOG.debug("start initiate_tls()") self.handle_xmpp_stanza( - f"", - timeout=0.5, + "".format(xmlns=NS_IETF_XMPP_TLS), expected_state=XMPP_STATE_PROCEED_STARTTLS) sslcontext = self.setup_ssl_context() try: self.socket = sslcontext.wrap_socket( self.socket, server_hostname=self.servername) _LOG.info("TLS socket setup successful") - except ssl.CertificateError as certificate_error: - raise XmppException("Certificate error %s" % certificate_error) - except ssl.SSLError as ssl_error: - raise XmppException("SSL error %s" % ssl_error.strerror) + except ssl.SSLError as ssle: + raise XmppException("SSL error %s" % ssle.strerror) + except ssl.CertificateError as certerr: + raise XmppException("Certificate error %s" % certerr) self.starttls = False # reset infos retrieved previously as written in RFC 3920 sec. 5. self.parser.reset() - if self.check_certs: + if self.checkcerts: certinfo = self.socket.getpeercert() _LOG.debug("got the following certificate info: %s", certinfo) _LOG.info( @@ -369,12 +368,12 @@ class Xmpp(nagiosplugin.Resource): certinfo['notBefore'], certinfo['notAfter']) enddate = ssl.cert_time_to_seconds(certinfo['notAfter']) remaining = datetime.fromtimestamp(enddate) - datetime.now() - self.days_left = remaining.days + self.daysleft = remaining.days # start new parsing self.make_parser() self.set_content_handler() self.start_stream() - if not self.content_handler.is_valid_start(): + if not self.contenthandler.is_valid_start(): raise XmppException("no valid response to XMPP client request") _LOG.debug("end initiate_tls()") 
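Review bot: Placing `except ssl.SSLError as ssle:` before `except ssl.CertificateError as certerr:` makes the certificate branch unreachable on Python 3.7+, where `ssl.CertificateError` is an alias of `SSLCertVerificationError`, itself a subclass of `SSLError`; hostname mismatches and verification failures are then reported through the generic `"SSL error %s" % ssle.strerror` and the specific certificate message is lost. The more specific clause should come first. The same hunk drops `timeout=0.5` from the STARTTLS stanza, falling back to the `timeout=0.1` default of `handle_xmpp_stanza`; if that value was raised for slow `proceed` responses, the shorter wait may make TLS negotiation fail where it previously succeeded. `initiate_tls` starts before this hunk.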
@@ -385,9 +384,9 @@ class Xmpp(nagiosplugin.Resource): """ _LOG.debug("start handle_xmpp()") self.start_stream() - if not self.content_handler.is_valid_start(): + if not self.contenthandler.is_valid_start(): raise XmppException("no valid response to XMPP client request") - if self.starttls is True or self.content_handler.tls_required: + if self.starttls is True or self.contenthandler.tlsrequired: self.initiate_tls() self.handle_xmpp_stanza("") _LOG.debug("end handle_xmpp()") @@ -401,8 +400,8 @@ class Xmpp(nagiosplugin.Resource): start = datetime.now() _LOG.debug("start probe() at %s", start) try: - addrinfo = self.get_addr_info() - self.socket = open_socket(addrinfo) + addrinfo = self.get_addrinfo() + self.socket = self.open_socket(addrinfo) try: self.handle_xmpp() finally: @@ -423,7 +422,7 @@ class Xmpp(nagiosplugin.Resource): _LOG.debug("end probe() at %s", end) yield nagiosplugin.Metric( 'time', (end - start).total_seconds(), 's', min=0) - yield nagiosplugin.Metric('daysleft', self.days_left, 'd') + yield nagiosplugin.Metric('daysleft', self.daysleft, 'd') class XmppContext(nagiosplugin.ScalarContext): @@ -452,8 +451,8 @@ class DaysValidContext(nagiosplugin.Context): fmt_hint = "less than {value} days" def __init__( - self, name, warndays=0, critdays=0, - fmt_metric='certificate valid for {value} days' + self, name, warndays=0, critdays=0, + fmt_metric='certificate valid for {value} days' ): super(DaysValidContext, self).__init__(name, fmt_metric=fmt_metric) self.warning = nagiosplugin.Range('@%d:' % warndays) @@ -462,7 +461,7 @@ class DaysValidContext(nagiosplugin.Context): self.critdays = critdays def evaluate(self, metric, resource): - if resource.check_certs and metric.value is not None: + if resource.checkcerts and metric.value is not None: if self.critical.match(metric.value): return nagiosplugin.Result( nagiosplugin.Critical, 
@@ -478,7 +477,7 @@ class DaysValidContext(nagiosplugin.Context): return nagiosplugin.Result(nagiosplugin.Ok) def performance(self, metric, resource): - if resource.check_certs and metric.value is not None: + if resource.checkcerts and metric.value is not None: return nagiosplugin.Performance('daysvalid', metric.value, '') return None diff --git a/debian/changelog b/debian/changelog index 3503b4b..1524379 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,3 @@ -nagios-check-xmppng (0.3.3-1) unstable; urgency=medium - - * New upstream version - - -- Jan Dittberner Fri, 04 Aug 2023 20:14:49 +0200 - nagios-check-xmppng (0.3.2-3) unstable; urgency=medium * Source only upload for migration to testing diff --git a/icingaexchange.yml b/icingaexchange.yml index 514fe16..048a9c9 100644 --- a/icingaexchange.yml +++ b/icingaexchange.yml @@ -7,29 +7,6 @@ target: Messaging type: Plugin license: gplv3 releases: - - name: 0.3.3 - description: "fix CA certificate check" - files: - - - name: check_xmppng - url: "file:///check_xmppng" - description: "Check command" - checksum: fdf942cb5c778aaa395a0ed1eba6dcda - - - name: COPYING - url: "file:///COPYING" - description: "GPL 3.0 license text" - checksum: d32239bcb673463ab874e80d47fae504 - - - name: README.md - url: "file:///README.md" - description: "documentation" - checksum: 701ad7a882406a1f552a118d471a0b45 - - - name: changes.md - url: "file:///changes.md" - description: "change log" - checksum: 0e23c919b413a4214c323b1953909c14 - name: 0.3.2 description: "fix CA certificate check" files: