config

package
v0.17.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 21, 2024 License: MIT Imports: 11 Imported by: 0

Documentation

Overview

Package config provides types and functions to collect, validate and apply user-provided settings.

Index

Constants

View Source
const (

	// This flag uses "ignore" wording to make clear that the validation check
	// is still applied, but the results ignored when determining overall
	// certificate chain validation state.
	IgnoreHostnameVerificationFailureIfEmptySANsListFlag string = "ignore-hostname-verification-if-empty-sans"

	IgnoreExpiredIntermediateCertificatesFlag string = "ignore-expired-intermediate-certs"
	IgnoreExpiredRootCertificatesFlag         string = "ignore-expired-root-certs"

	VersionFlagLong  string = "version"
	VerboseFlagLong  string = "verbose"
	VerboseFlagShort string = "v"
	BrandingFlag     string = "branding"
	ServerFlagLong   string = "server"
	ServerFlagShort  string = "s"
	PortFlagLong     string = "port"
	PortFlagShort    string = "p"
	DNSNameFlagLong  string = "dns-name"
	DNSNameFlagShort string = "dn"

	// Flags used for specifying a list of keywords used to explicitly ignore
	// or apply validation check results when determining final plugin state.
	IgnoreValidationResultFlag string = "ignore-validation-result"
	ApplyValidationResultFlag  string = "apply-validation-result"

	ListIgnoredErrorsFlag             string = "list-ignored-errors"
	FilenameFlagLong                  string = "filename"
	EmitCertTextFlagLong              string = "text"
	TimeoutFlagLong                   string = "timeout"
	TimeoutFlagShort                  string = "t"
	LogLevelFlagLong                  string = "log-level"
	LogLevelFlagShort                 string = "ll"
	TimeoutPortScanFlagLong           string = "scan-timeout"
	TimeoutPortScanFlagShort          string = "st"
	HostsFlagLong                     string = "hosts"
	HostsFlagAlt                      string = "ips"
	ScanRateLimitFlagLong             string = "scan-rate-limit"
	ScanRateLimitFlagShort            string = "srl"
	AppTimeoutFlagLong                string = "app-timeout"
	AppTimeoutFlagShort               string = "at"
	PortsFlagLong                     string = "ports"
	PortsFlagShort                    string = "p"
	ShowPortScanResultsFlagLong       string = "show-port-scan-results"
	ShowPortScanResultsFlagShort      string = "spsr"
	ShowHostsWithClosedPortsFlagLong  string = "show-closed-ports"
	ShowHostsWithClosedPortsFlagShort string = "scp"
	ShowHostsWithValidCertsFlagLong   string = "show-hosts-with-valid-certs"
	ShowHostsWithValidCertsFlagShort  string = "shwvc"
	ShowValidCertsFlagLong            string = "show-valid-certs"
	ShowValidCertsFlagShort           string = "svc"
	ShowOverviewFlagLong              string = "show-overview"
	ShowOverviewFlagShort             string = "so"
	SANsEntriesFlagLong               string = "sans-entries"
	SANsEntriesFlagShort              string = "se"
	AgeWarningFlagLong                string = "age-warning"
	AgeWarningFlagShort               string = "w"
	AgeCriticalFlagLong               string = "age-critical"
	AgeCriticalFlagShort              string = "c"
)

Flag names for consistent references. Exported so that they're available from tests.

View Source
const (
	ValidationKeywordExpiration string = "expiration"
	ValidationKeywordHostname   string = "hostname"
	ValidationKeywordSANsList   string = "sans"
)

Validation keywords used when explicitly ignoring or applying validation check results to determine final plugin state.

NOTE: These need to be manually kept in sync with Flag Help Text.

View Source
const (

	// LogLevelDisabled maps to zerolog.Disabled logging level
	LogLevelDisabled string = "disabled"

	// LogLevelPanic maps to zerolog.PanicLevel logging level
	LogLevelPanic string = "panic"

	// LogLevelFatal maps to zerolog.FatalLevel logging level
	LogLevelFatal string = "fatal"

	// LogLevelError maps to zerolog.ErrorLevel logging level
	LogLevelError string = "error"

	// LogLevelWarn maps to zerolog.WarnLevel logging level
	LogLevelWarn string = "warn"

	// LogLevelInfo maps to zerolog.InfoLevel logging level
	LogLevelInfo string = "info"

	// LogLevelDebug maps to zerolog.DebugLevel logging level
	LogLevelDebug string = "debug"

	// LogLevelTrace maps to zerolog.TraceLevel logging level
	LogLevelTrace string = "trace"
)
View Source
const ExitCodeCatchall int = 1

ExitCodeCatchall indicates a general or miscellaneous error has occurred. This exit code is not directly used by monitoring plugins in this project. See https://tldp.org/LDP/abs/html/exitcodes.html for additional details.

View Source
const SkipSANSCheckKeyword string = "SKIPSANSCHECKS"

SkipSANSCheckKeyword is used as the sole argument to SANsEntriesFlagLong if the user wishes to ignore SANs entry validation check results. This seemingly illogical option allows defining the SANsEntriesFlagLong flag in a command definition used by a group-based service check even though some systems targeted by that service check may use a certificate which does not have any SANs entries present.

Variables

View Source
var ErrVersionRequested = errors.New("version information requested")

ErrVersionRequested indicates that the user requested application version information.

Functions

func Branding

func Branding(msg string) func() string

Branding accepts a message and returns a function that concatenates that message with version information. This function is intended to be called as a final step before application exit after any other output has already been emitted.

func Version

func Version() string

Version emits application name, version and repo location.

Types

type AppType

type AppType struct {

	// Scanner represents an application intended for bulk operations across a
	// range of hosts.
	Scanner bool

	// Plugin represents an application used as a Nagios plugin.
	Plugin bool

	// Inspector represents an application used for one-off or isolated
	// checks. Unlike a Nagios plugin which is focused on specific attributes
	// resulting in a severity-based outcome, an Inspector application is
	// intended for examining a small set of targets for
	// informational/troubleshooting purposes.
	Inspector bool
}

AppType represents the type of application that is being configured/initialized. Not all application types will use the same features and as a result will not accept the same flags. Unless noted otherwise, each of the application types are incompatible with each other, though some flags are common to all types.

type Config

type Config struct {

	// SANsEntries is the list of Subject Alternate Names (SANs) to verify are
	// present on the examined certificate. This value is provided as a
	// comma-separated list.
	SANsEntries multiValueStringFlag

	// Filename is the fully-qualified path to a file containing one or more
	// certificates.
	Filename string

	// Server is the fully-qualified domain name of the system running a
	// certificate-enabled service.
	Server string

	// ScanRateLimit is the maximum number of concurrent port scan attempts.
	ScanRateLimit int

	// DNSName is the fully-qualified domain name associated with the
	// certificate. This is usually specified when the FQDN or IP used to make
	// the connection is different than the Common Name or Subject Alternate
	// Names entries associated with the certificate.
	DNSName string

	// Port is the TCP port used by the certificate-enabled service.
	Port int

	// LoggingLevel is the supported logging level for this application.
	LoggingLevel string

	// AgeWarning is the number of days remaining before certificate
	// expiration when this application will flag the NotAfter certificate
	// field as a WARNING state.
	AgeWarning int

	// AgeCritical is the number of days remaining before certificate
	// expiration when this application will flag the NotAfter certificate
	// field as a CRITICAL state.
	AgeCritical int

	// EmitBranding controls whether "generated by" text is included at the
	// bottom of application output. This output is included in the Nagios
	// dashboard and notifications. This output may not mix well with branding
	// output from other tools such as atc0005/send2teams which also insert
	// their own branding output.
	EmitBranding bool

	// VerboseOutput controls whether detailed certificate metadata is emitted
	// along with standard certificate details.
	VerboseOutput bool

	// EmitCertText controls whether x509 TLS certificates are printed to
	// stdout using an OpenSSL-inspired text format. There is a good bit of
	// output text, so this setting defaults to false.
	EmitCertText bool

	// ShowVersion is a flag indicating whether the user opted to display only
	// the version string and then immediately exit the application.
	ShowVersion bool

	// ShowHostsWithClosedPorts indicates whether hosts without any open ports
	// are included in the port scan results summary output.
	ShowHostsWithClosedPorts bool

	// ShowHostsWithValidCerts indicates whether hosts with valid certificates
	// are included in the overview summary output.
	ShowHostsWithValidCerts bool

	// ShowValidCerts indicates whether all certificates are included in
	// output summary, even certificates which have passed all validity
	// checks.
	ShowValidCerts bool

	// ShowOverview indicates whether a brief overview of certificate scan
	// findings is provided, or whether the detailed certificate results list
	// is shown at the end of scanning specified hosts.
	ShowOverview bool

	// ShowResultsDuringScan indicates whether host scan results should be
	// shown during a port scan. See also ShowHostsWithClosedPorts. Enabling
	// either of these options results in live scan result details being
	// shown.
	ShowPortScanResults bool

	// IgnoreHostnameVerificationFailureIfEmptySANsList indicates whether
	// hostname verification failure should be ignored if a certificate has an
	// empty SANs list.
	//
	// Go 1.17 removed support for the legacy behavior of treating the
	// CommonName field on X.509 certificates as a host name when no Subject
	// Alternative Names are present. Go 1.17 also removed support for
	// re-enabling the behavior by way of adding the value x509ignoreCN=0 to
	// the GODEBUG environment variable.
	//
	// This setting is provided in order to still allow validating a
	// certificate's expiration date for older certificates when a SANs list
	// is empty and would otherwise result in validation check results
	// failure.
	IgnoreHostnameVerificationFailureIfEmptySANsList bool

	// IgnoreExpiredIntermediateCertificates indicates whether expired
	// intermediate certificates should be ignored.
	IgnoreExpiredIntermediateCertificates bool

	// IgnoreExpiredRootCertificates indicates whether expired root
	// certificates should be ignored.
	IgnoreExpiredRootCertificates bool

	// ListIgnoredValidationCheckResultErrors indicates whether validation
	// check result errors should be included in the final plugin report
	// output. By default, ignored errors are not included as this may prove
	// confusing (e.g., when all results are either successful or ignored).
	ListIgnoredValidationCheckResultErrors bool

	// Log is an embedded zerolog Logger initialized via config.New().
	Log zerolog.Logger
	// contains filtered or unexported fields
}

Config represents the application configuration as specified via command-line flags.

func New

func New(appType AppType) (*Config, error)

New is a factory function that produces a new Config object based on user provided flag and config file values. It is responsible for validating user-provided values and initializing the logging settings used by this application.

func (Config) ApplyCertExpirationValidationResults added in v0.8.0

func (c Config) ApplyCertExpirationValidationResults() bool

ApplyCertExpirationValidationResults indicates whether certificate expiration check results should be applied when performing final plugin state evaluation. Precedence is given for explicit request to ignore this validation result.

func (Config) ApplyCertHostnameValidationResults added in v0.8.0

func (c Config) ApplyCertHostnameValidationResults() bool

ApplyCertHostnameValidationResults indicates whether certificate hostname validation check results should be applied when performing final plugin state evaluation. Precedence is given for explicit request to ignore this validation result.

func (Config) ApplyCertSANsListValidationResults added in v0.8.0

func (c Config) ApplyCertSANsListValidationResults() bool

ApplyCertSANsListValidationResults indicates whether certificate SANs list validation check results should be applied when performing final plugin state evaluation. Precedence is given for explicit request to ignore this validation result.

func (Config) CertPorts

func (c Config) CertPorts() []int

CertPorts returns the user-specified list of ports to check for certificates or the default value if not specified.

func (Config) Hosts added in v0.7.0

func (c Config) Hosts() []netutils.HostPattern

Hosts returns a list of individual IP Addresses expanded from any user-specified IP Addresses (single or ranges) and hostnames or FQDNs that passed name resolution checks.

func (Config) Timeout

func (c Config) Timeout() time.Duration

Timeout converts the user-specified connection timeout value in seconds to an appropriate time duration value for use with setting net.Dial timeout.

func (Config) TimeoutAppInactivity

func (c Config) TimeoutAppInactivity() time.Duration

TimeoutAppInactivity converts the user-specified application inactivity timeout value in seconds to an appropriate time duration value for use with setting automatic context cancellation.

func (Config) TimeoutPortScan

func (c Config) TimeoutPortScan() time.Duration

TimeoutPortScan converts the user-specified port scan timeout value in milliseconds to an appropriate time duration value for use with setting net.Dial timeout.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL