ansible-base/roles/icinga2_server/files/check_dane

#!/usr/bin/env python3

# Copyright (C) 2014-2016 Felix Geyer <debfx@fobos.de>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 or (at your option)
# version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import argparse
import datetime
import dns.exception
import dns.flags
import dns.rdatatype
import dns.rdtypes.ANY.TLSA
import dns.resolver
import hashlib
import re
import socket
import struct
import ssl
import subprocess
import sys


VERSION = "1.1"


class ProtocolError(Exception):
    pass


def nagios_ok(msg: str) -> None:
    print("DANE OK - " + msg)
    sys.exit(0)


def nagios_warning(msg: str) -> None:
    print("DANE WARNING - " + msg)
    sys.exit(1)


def nagios_critical(msg: str) -> None:
    print("DANE CRITICAL - " + msg)
    sys.exit(2)


def nagios_unknown(msg: str) -> None:
    print("DANE UNKONWN - " + msg)
    sys.exit(3)


def create_resolver(dnssec: bool = True,
                    timeout: int = None,
                    nameserver: str = None) -> dns.resolver.Resolver:
    resolver = dns.resolver.Resolver()

    if timeout and timeout != 0:
        resolver.lifetime = timeout

    if nameserver:
        resolver.nameservers = [nameserver]

    if dnssec:
        resolver.edns = 0
        resolver.payload = 1280
        resolver.ednsflags = dns.flags.DO

    return resolver


def check_dns_response_auth(response: dns.resolver.Answer) -> bool:
    if response.response.flags & dns.flags.AD:
        return True
    else:
        return False


def extract_pubkey(cert_binary: bytes) -> bytes:
    # should really be done with a python 3 module that exposes this openssl api

    # extract public key in pem format
    pubkey_pem = subprocess.check_output(["openssl", "x509", "-pubkey", "-inform", "der", "-noout"], input=cert_binary)
    # conver to binary / der format
    pubkey_binary = subprocess.check_output(["openssl", "pkey", "-pubin", "-outform", "der"], input=pubkey_pem)

    return pubkey_binary


def get_tlsa_records(args: argparse.Namespace) -> dns.resolver.Answer:
    resolver = create_resolver(dnssec=args.dnssec, timeout=args.timeout, nameserver=args.nameserver)

    tlsa_domain = "_{}._tcp.{}".format(args.port, args.host)

    try:
        tlsa_records = resolver.query(tlsa_domain, dns.rdatatype.TLSA)
    except dns.resolver.NXDOMAIN:
        nagios_critical("No DNS TLSA record found: {}".format(tlsa_domain))
    except dns.exception.Timeout:
        nagios_unknown("DNS query timeout: {}".format(tlsa_domain))

    if args.dnssec and not check_dns_response_auth(tlsa_records):
        nagios_unknown("DNS query not DNSSEC validated")

    return tlsa_records


def validate_dane(cert_binary: bytes,
                  pkix_valid: bool,
                  tlsa_record: dns.rdtypes.ANY.TLSA.TLSA) -> bool:
    if tlsa_record.usage == 3:
        pass
    elif tlsa_record.usage == 1 and pkix_valid:
        pass
    else:
        # usage=2 unsupported
        return False

    if tlsa_record.selector == 0:
        data = cert_binary
    elif tlsa_record.selector == 1:
        data = extract_pubkey(cert_binary)
    else:
        return False

    if tlsa_record.mtype == 0:
        hashed = data
    elif tlsa_record.mtype == 1:
        hashed = hashlib.sha256(data).digest()
    elif tlsa_record.mtype == 2:
        hashed = hashlib.sha512(data).digest()
    else:
        return False

    return hashed == tlsa_record.cert


def check_cert_expiry(args: argparse.Namespace,
                      cert: dict,
                      days_warning: int,
                      days_critical: int = None) -> datetime.timedelta:
    not_after = datetime.datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z")
    date_diff = not_after - datetime.datetime.now()

    if days_critical:
        if date_diff <= datetime.timedelta(days_critical):
            nagios_critical("{}:{} cert expires in {} days".format(args.host, args.port, date_diff.days))

    if date_diff <= datetime.timedelta(days_warning):
        nagios_warning("{}:{} cert expires in {} days".format(args.host, args.port, date_diff.days))

    return date_diff


def connect_to_host(connect_host: str,
                    connect_port: int,
                    args: argparse.Namespace,
                    check_cert: bool) -> ssl.SSLSocket:
    if args.timeout == 0:
        socket.setdefaulttimeout(None)
    else:
        socket.setdefaulttimeout(args.timeout)

    context = ssl.create_default_context()
    if not check_cert:
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE

    # TODO: use our resolver
    try:
        sock = socket.create_connection((connect_host, connect_port))
    except OSError as e:
        nagios_unknown("Can't establish a connection to {}:{}:\n{}"
                       .format(connect_host, connect_port, str(e)))

    peername = sock.getpeername()[0]
    if ":" in peername:
        peername = "[{}]".format(peername)

    try:
        if args.starttls == "smtp":
            connect_smtp(sock)
        elif args.starttls == "ftp":
            connect_ftp(sock)
        elif args.starttls == "imap":
            connect_imap(sock)
        elif args.starttls == "xmpp":
            connect_xmpp(sock, args.host)
        elif args.starttls == "quassel":
            connect_quassel(sock, args.host)
    except (ProtocolError, OSError) as e:
        nagios_unknown("Failed to initiate STARTTLS to {} ({}:{}):\n{}"
                       .format(connect_host, peername, connect_port, str(e)))

    try:
        return context.wrap_socket(sock, server_hostname=args.host)
    except (ProtocolError, ssl.SSLError, OSError) as e:
        if isinstance(e, ssl.SSLError) and e.reason == "CERTIFICATE_VERIFY_FAILED":
            # pass exceptions concerning certificate validation to the caller
            raise
        else:
            nagios_unknown("Can't establish a TLS connection to {} ({}:{}):\n{}"
                           .format(connect_host, peername, connect_port, str(e)))


def smtp_read_response(sock: socket.socket) -> str:
    response = ""
    line_end = False
    while not line_end:
        line = sock.recv(1024)
        response += line.decode("ASCII")
        if len(line) < 4 or line[3] != "-":
            line_end = True
    return response


def connect_smtp(sock: socket.socket) -> None:
    smtp_read_response(sock)
    sock.sendall(b"EHLO openssl.client.net\r\n")

    response = smtp_read_response(sock)
    if "STARTTLS" not in response:
        raise ProtocolError("Server doesn't support STARTTLS")

    sock.sendall(b"STARTTLS\r\n")

    smtp_read_response(sock)


def connect_ftp(sock: socket.socket) -> None:
    buf = sock.recv(1024)

    sock.sendall(b"AUTH TLS\r\n")

    response = sock.recv(1024).decode("ASCII").strip("\r\n\t ")
    if not re.search(r"^2\d\d", response):
        raise ProtocolError("Server doesn't support STARTTLS ({})".format(response))


def connect_imap(sock: socket.socket) -> None:
    sock.recv(1024)
    sock.sendall(b". CAPABILITY\n")

    response = smtp_read_response(sock)
    if "STARTTLS" not in response:
        raise ProtocolError("Server doesn't support STARTTLS")

    sock.sendall(b". STARTTLS\n")

    smtp_read_response(sock)


def connect_xmpp(sock: socket.socket, host: str) -> None:
    sock.sendall("<stream:stream xmlns:stream='http://etherx.jabber.org/streams' "
                 "xmlns='jabber:client' to='{}' version='1.0'>".format(host).encode("ASCII"))

    buf = sock.recv(1024)
    if "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'" not in buf.decode("ASCII"):
        raise ProtocolError("Server doesn't support STARTTLS")

    sock.sendall(b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")

    buf = sock.recv(1024)
    if "<proceed" not in buf.decode("ASCII"):
        raise ProtocolError("Server doesn't support STARTTLS")


def connect_quassel(sock: socket.socket, host: str) -> None:
    MAGIC = 0x42b33f00
    FEATURE_ENCRYPTION = 0x1
    PROTOCOL_DATAGRAM = 0x2
    PROTOCOL_END = (0x1 << 31)

    sock.sendall(struct.pack("!I", MAGIC | FEATURE_ENCRYPTION))
    sock.sendall(struct.pack("!I", PROTOCOL_DATAGRAM | PROTOCOL_END))

    try:
        response = struct.unpack("!I", sock.recv(4))[0]
    except struct.error:
        raise ProtocolError("No valid response from server")

    protocol_type = (response & 0xff)
    connection_features = (response >> 24)

    if not (protocol_type & PROTOCOL_DATAGRAM):
        raise ProtocolError("Server doesn't support the protocol")

    if not (connection_features & FEATURE_ENCRYPTION):
        raise ProtocolError("Server doesn't support TLS")


def main() -> None:
    parser = argparse.ArgumentParser(description=""" Nagios/Icinga plugin for checking DANE/TLSA records.
                                     It compares the DANE/TLSA record against the TLS certificate provided
                                     by a service.""")

    parser.add_argument("--host", "-H", dest="host", required=True, help="Hostname to check.")
    parser.add_argument("--port", "-p", type=int, required=True, help="TCP port to check.")
    parser.add_argument("--connect-host", "--ip", "-I", dest="connect_host",
                        help="Connect to this host instead of --host.")
    parser.add_argument("--connect-port", dest="connect_port", help="Connect to this port instead of --port.")
    parser.add_argument("--starttls",
                        choices=["smtp", "ftp", "imap", "xmpp", "quassel"],
                        help="Send the protocol-specific messages to enable TLS.")
    parser = argparse.ArgumentParser(description=""" Nagios/Icinga plugin for checking DANE/TLSA records.
                                     It compares the DANE/TLSA record against the TLS certificate provided
                                     by a service.""")

    parser.add_argument("--host", "-H", dest="host", required=True, help="Hostname to check.")
    parser.add_argument("--port", "-p", type=int, required=True, help="TCP port to check.")
    parser.add_argument("--connect-host", "--ip", "-I", dest="connect_host",
                        help="Connect to this host instead of --host.")
    parser.add_argument("--connect-port", dest="connect_port", help="Connect to this port instead of --port.")
    parser.add_argument("--starttls",
                        choices=["smtp", "ftp", "imap", "xmpp", "quassel"],
                        help="Send the protocol-specific messages to enable TLS.")
    parser.add_argument("--check-pkix", action="store_true",
                        help="Additionally perform traditional checks on the certificate "
                             "(ca trust path, hostname, expiry).")
    parser.add_argument("--min-days-valid", help="Minimum number of days a certificate has to be valid. "
                                                 "Format: INTEGER[,INTEGER]. "
                                                 "1st is #days for warning, 2nd is critical.")
    parser.add_argument("--no-dnssec", dest="dnssec", action="store_false",
                        help="Continue even when DNS replies aren't DNSSEC authenticated.")
    parser.add_argument("--nameserver", help="Use a custom nameserver.")
    parser.add_argument("--timeout", type=int, default=10, help="Network timeout in sec. Default: 10")
    parser.add_argument("--version", action="version", version="%(prog)s " + VERSION)
    args = parser.parse_args()

    pyver = sys.version_info
    if pyver[0] < 3 or (pyver[0] == 3 and pyver[1] < 4):
        nagios_unknown("check_dane requires Python >= 3.4")

    if args.port < 1 or args.port > 65535:
        nagios_unknown("Invalid port")

    if args.min_days_valid and not re.search(r"^\d+(,\d+)?$", args.min_days_valid):
        nagios_unknown("--check-cert-expire takes INTEGER[,INTEGER] as arguments")

    if args.timeout < 0:
        nagios_unknown("Invalid timeout argument")

    if args.connect_host:
        connect_host = args.connect_host
    else:
        connect_host = args.host

    if args.connect_port:
        connect_port = args.connect_port
    else:
        connect_port = args.port

    tlsa_records = get_tlsa_records(args)

    has_usage1_tlsa = False
    for record in tlsa_records:
        if record.usage == 1:
            has_usage1_tlsa = True
            break

    initial_check_pkix = (args.check_pkix or has_usage1_tlsa)

    try:
        # validate against PKIX if manually requested or we've found a usage=1 tlsa record
        ssl_sock = connect_to_host(connect_host, connect_port, args, initial_check_pkix)
        pkix_valid = initial_check_pkix
    except (ssl.CertificateError, ssl.SSLError) as e:
        if args.check_pkix:
            nagios_critical(str(e))
        else:
            ssl_sock = connect_to_host(connect_host, connect_port, args, False)
            pkix_valid = False
            pkix_error = str(e)

    cert_binary = ssl_sock.getpeercert(binary_form=True)
    cert_dict = ssl_sock.getpeercert()
    ssl_sock.close()

    dane_valid_cert = False

    for tlsa in tlsa_records:
        if validate_dane(cert_binary, pkix_valid, tlsa):
            dane_valid_cert = True
            break

    if not dane_valid_cert:
        # test if it would match if it were pkix_valid
        additional_msg = ""
        for tlsa in tlsa_records:
            if validate_dane(cert_binary, True, tlsa):
                additional_msg = "\nIt matches a TLSA usage=1 record but fails PKIX validation:\n" + pkix_error
                break

        nagios_critical("Certificate doesn't match TLSA record" + additional_msg)

    if pkix_valid and args.min_days_valid:
        days_parts = args.min_days_valid.split(",")

        if len(days_parts) == 2:
            timedelta_valid = check_cert_expiry(args, cert_dict, int(days_parts[0]), int(days_parts[1]))
        else:
            timedelta_valid = check_cert_expiry(args, cert_dict, int(days_parts[0]))

        expire_str = ", expires in {} days".format(timedelta_valid.days)
    else:
        expire_str = ""

    message = "{}:{} cert matches TLSA record".format(args.host, args.port)
    if not args.dnssec:
        message += " (DNSSEC not validated)"
    message += expire_str

    nagios_ok(message)


if __name__ == "__main__":
    main()


    message = "{}:{} cert matches TLSA record".format(args.host, args.port)
    if not args.dnssec:
        message += " (DNSSEC not validated)"
    message += expire_str

    nagios_ok(message)


if __name__ == "__main__":
    main()

# kate: space-indent on; indent-width 4;