Active Check for remaining validity of Certificate Revocation Lists #331
OguzhanCicek wants to merge 4 commits into
One of the unit tests fails because it can't find the manpage for this check. I'm not sure why it's not being found.
Hi,
We just had an internal discussion about this and it turned out that we should definitely consider merging this. I will take a closer look at the code itself soon.
One thing: I think the version of the plugin itself which you uploaded here is not the latest one, this one seems to be newer: https://github.com/RaymiiOrg/nagios/blob/master/check_crl/check_crl.py
…cts the remaining time in minutes. Had to add an additional try-except block in line 59 to make it work. -now works with remaining minutes and not hours.
|
|
||
|
|
||
| def check_crl_arguments(params): | ||
| return "-u {} -w {} -c {}".format(params.get("url"), params.get("minutes")[0], params.get("minutes")[1]) |
This line is incorrect: if "minutes" is not in params, you will end up with the expression None[0], which will of course crash. This should never happen, since the valuespec below has no optional keys, so please use params["url"] etc.
| help=_("These levels make the check go warning or critical whenever the " | ||
| "remaining validity of the monitored CRL is too low."), | ||
| elements=[ | ||
| Integer(title=_("warning at"), unit=u"Minutes", default_value=2880), |
Please use the valuespec Age here. In checks/check_crl, the actual value will then be seconds, so you have to transform there to what the Nagios plugin expects.
| try: | ||
| inform = 'DER' | ||
| crlfile = open(tmpcrl, "r") | ||
| try: |
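Review bot: crlfile = open(tmpcrl, "r") opens the file in text mode although inform is set to 'DER', which is a binary encoding, so under the python3 shebang the raw bytes are pushed through a text decoder before they are used. Open the file with mode "rb" inside a with block so the bytes arrive unchanged and the handle is closed on every path, then decide between DER and PEM from the content instead of from a nested try.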
Do you know why and when this is necessary? Probably, this PR is related:
RaymiiOrg/nagios#6
I am not saying that you should include this PR here, I am just trying to understand under what conditions this will fail and if this could be avoided by using for example open(..., mode="rb") or something.
Here, we still need some clarification
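The text-mode question raised above, as an added example (not code from this PR or from the original plugin): reading the downloaded file as bytes and deciding between PEM and DER afterwards avoids the decode step that open(..., "r") performs under Python 3. The helper names and the sample bytes are made up for illustration, and that the extra try block guards a decode error of this kind is an assumption.

```python
import base64
import os
import re
import tempfile

PEM_RE = re.compile(
    rb"-----BEGIN X509 CRL-----(.+?)-----END X509 CRL-----", re.DOTALL)

def load_crl(path):
    """Return (inform, der_bytes) for a CRL file, read in binary mode."""
    with open(path, "rb") as fh:  # bytes: no decoding step that could fail
        raw = fh.read()
    match = PEM_RE.search(raw)
    if match:
        # PEM is the base64 of the DER encoding between the armor lines
        return "PEM", base64.b64decode(match.group(1))
    if raw[:1] == b"\x30":  # a DER CRL starts with an ASN.1 SEQUENCE tag
        return "DER", raw
    raise ValueError("neither a PEM nor a DER encoded CRL")

def text_mode_read_fails(path):
    """Reproduce what open(path, "r") does to binary DER under Python 3."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            fh.read()
    except UnicodeDecodeError:
        return True
    return False

def write_sample(data):
    fd, path = tempfile.mkstemp(suffix=".crl")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

# Constructed sample: not a real CRL, only a DER-shaped byte string
# (SEQUENCE tag, long-form length, filler) and its PEM armoring.
SAMPLE_DER = b"\x30\x82\x00\x04\xde\xad\xbe\xef"
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END X509 CRL-----\n")

if __name__ == "__main__":
    for blob in (SAMPLE_DER, SAMPLE_PEM):
        sample_path = write_sample(blob)
        print(load_crl(sample_path)[0], text_mode_read_fails(sample_path))
        os.remove(sample_path)
```

The returned inform value can be handed to whatever parser is used afterwards, so no second attempt with a different format is needed.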
| @@ -0,0 +1,141 @@ | |||
| #!/usr/bin/python3 | |||
|
|
||
| def main(): | ||
| try: | ||
| opts, args = getopt.getopt(sys.argv[1:], "hu:w:c:", ["help", "url=", "warning=", "critical="]) |
Please transform this to argparse
| import tempfile | ||
| import urllib.request, urllib.parse, urllib.error | ||
|
|
||
| def check_crl(url, warn, crit): |
| minutes = (eol - today) / 60 | ||
| if abs(minutes) < 4 * 60: | ||
| expires = minutes | ||
| unit = "minutes" |
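Review bot: minutes = (eol - today) / 60 is true division under python3, so expires becomes a float in the minutes branch and will be printed with a fractional part. The abs() in the condition also sends a CRL that has already expired (negative minutes) through the same unit selection, so make sure the expired case is reported explicitly before a unit is picked, and use whole minutes for the output.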
Please take a look at cmk.utils.render.Age for this
Please check cmk.utils.render.Age
jherbel left a comment
The Nagios plugin still needs some work. First of all, please move it to active_checks/check_crl. Next, we need to bring it to a maintainable state. I know that you did not write the plugin, however, since we port it into our codebase, we will have to maintain it in the future.
OK. I will try to update this PR within the coming week. Please don't close this for inactivity.
-uses valuespec Age now
-uses now checkmk file headers
-changes the main() call
-uses argparse now
jherbel left a comment
Already much better. Please also add a unit test similar to tests/unit/checks/test_check_sftp.py
|
|
||
| def main(): | ||
| parser = argparse.ArgumentParser() | ||
| parser.add_argument("--url", "-u", required=True) |
Please add type=str here for clarity
| import urllib.request, urllib.parse, urllib.error | ||
|
|
||
| def output_check_result(rc, s): | ||
| stxt = ['OK', 'WARN', 'CRIT', 'UNKNOWN'][rc] |
I don't think you need stxt, since in Checkmk, you anyway see the check result in a separate column, so there is no need to add it here as a text.
| @@ -0,0 +1,140 @@ | |||
| #!/usr/bin/env python3 | |||
| # -*- coding: utf-8 -*- | |||
| # Copyright (C) 2013 - Remy van Elst | |||
| output = '%s - %s' % (stxt, s) | ||
| sys.stdout.write('%s\n' % output) | ||
|
|
||
| def check_crl(url: str, warn: int, crit: int): |
| minutes = (eol - today) / 60 | ||
| if abs(minutes) < 4 * 60: | ||
| expires = minutes | ||
| unit = "minutes" |
Please check cmk.utils.render.Age
|
|
||
|
|
||
| def check_crl_description(params): | ||
| return "CRL: {}".format(params["url"]) |
Please use an f-string here
|
|
||
|
|
||
| def check_crl_arguments(params): | ||
| return "-u {} -w {} -c {}".format(params["url"], params["time"][0], params["time"][1]) |
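Review bot: params["url"] is formatted into one argument string without any quoting, so a URL that contains whitespace or quote characters will not reach the plugin as a single -u value. Return the arguments as a list with one element per option, which is also the shape the parametrized unit test uses for expected_args, instead of building the command line by string formatting.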
Please use an f-string here
| return "CRL: {}".format(params["url"]) | ||
|
|
||
|
|
||
| active_check_info["check_crl"] = { |
| HostRulespec( | ||
| group=RulespecGroupActiveChecks, | ||
| match_type="all", | ||
| name="active_checks:check_crl", |
| )) | ||
|
|
||
|
|
||
| def _valuespec_active_checks_crl(): |
-renames the active check from check_crl to crl
jherbel left a comment
Still some issues + the new unit tests of course need to pass.
| @@ -0,0 +1,140 @@ | |||
| #!/usr/bin/env python3 | |||
| # -*- coding: utf-8 -*- | |||
| # Copyright (C) 2013 - Remy van Elst | |||
| try: | ||
| inform = 'DER' | ||
| crlfile = open(tmpcrl, "r") | ||
| try: |
Here, we still need some clarification
| minutes = (eol - today) / 60 | ||
| if abs(minutes) < 4 * 60: | ||
| expires = minutes | ||
| unit = "minutes" |
Please check cmk.utils.render.Age
|
|
||
|
|
||
| @pytest.mark.parametrize("params,expected_args", [ | ||
| (("foo", 222, 111, "bar", {}), ["--url=foo", "--warn=222", "--crit=111"]), |
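Review bot: the expected_args in this case use the long options --url=, --warn= and --crit=, while check_crl_arguments as shown earlier in this review formats "-u {} -w {} -c {}" into one string and the getopt version of the plugin declared warning= and critical= as its long names. Settle on one spelling across the argument function, the plugin's argparse options and this expectation; as long as the argument function stays as shown, the comparison fails regardless of the params type.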
According to the valuespec, you expect a dict here, not a tuple. Accordingly, this test failed in the last Travis run.
Closed this due to inactivity.
This PR adds an active check to monitor the remaining hours of validity of a given CRL. To check this the following Nagios plugin is being used:
https://raymii.org/s/software/Nagios_plugin_to_check_CRL_expiry.html