sensu-plugins · majormoses · Jun 26, 2020 · Jun 24, 2020 · Jun 24, 2020 · Jun 24, 2020
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,13 @@ This CHANGELOG follows the format listed [here](https://github.com/sensu-plugins
 ### Added
 - Travis build automation to generate Sensu Asset tarballs that can be used n conjunction with Sensu provided ruby runtime assets and the Bonsai Asset Index
 - Require latest sensu-plugin for [Sensu Go support](https://github.com/sensu-plugins/sensu-plugin#sensu-go-enablement)
+- New option to treat anchor argument as a regexp
+
+### Changed
+- `check-ssl-anchor.rb` uses regexp to test for present of certificates in cert chain that works with both openssl 1.0 and 1.1 formatting
+
+### Fixed
+- ssl-anchor test now uses regexp
 
 ## [2.0.1] - 2018-05-30
 ### Fixed

diff --git a/bin/check-ssl-anchor.rb b/bin/check-ssl-anchor.rb
@@ -57,6 +57,14 @@ class CheckSSLAnchor < Sensu::Plugin::Check::CLI
          long: '--anchor ANCHOR_VAL',
          required: true
 
+  option :regexp,
+         description: 'Treat the anchor as a regexp',
+         short: '-r',
+         long: '--regexp',
+         default: false,
+         boolean: true,
+         required: false
+
   option :servername,
          description: 'Set the TLS SNI (Server Name Indication) extension',
          short: '-s',
@@ -79,7 +87,7 @@ def anchor_information
                 -servername #{config[:servername]} < /dev/null 2>&1`.match(/Certificate chain(.*)---\nServer certificate/m)[1].split(/$/).map(&:strip)
     data = data.reject(&:empty?)
 
-    unless data[0] =~ /0 s:\/CN=.*/m
+    unless data[0] =~ /0 s:\/?CN ?=.*/m
       data = 'NOTOK'
     end
     data
@@ -91,11 +99,22 @@ def run
     if data == 'NOTOK'
       critical 'An error was encountered while trying to retrieve the certificate chain.'
     end
-
-    if data[-1] == config[:anchor].to_s
-      ok 'Root anchor has been found.'
+    puts config[:regexp]
+    # rubocop:disable Style/IfInsideElse
+    if config[:regexp]
+      anchor_regexp = Regexp.new(config[:anchor].to_s)
+      if data[-1] =~ anchor_regexp
+        ok 'Root anchor has been found.'
+      else
+        critical 'Root anchor did not match regexp /' + config[:anchor].to_s + "/\nFound \"" + data[-1] + '" instead.'
+      end
     else
-      critical 'Root anchor did not match. Found "' + data[-1] + '" instead.'
+      if data[-1] == config[:anchor].to_s
+        ok 'Root anchor has been found.'
+      else
+        critical 'Root anchor did not match string "' + config[:anchor].to_s + "\"\nFound \"" + data[-1] + '" instead.'
+      end
     end
+    # rubocop:enable Style/IfInsideElse
   end
 end
diff --git a/sensu-plugins-ssl.gemspec b/sensu-plugins-ssl.gemspec
@@ -33,7 +33,7 @@ Gem::Specification.new do |s|
 
   s.add_runtime_dependency 'sensu-plugin', '~> 4.0'
 
-  s.add_development_dependency 'bundler',                   '~> 1.7'
+  s.add_development_dependency 'bundler',                   '~> 2.1'
   s.add_development_dependency 'codeclimate-test-reporter', '~> 0.4'
   s.add_development_dependency 'github-markup',             '~> 3.0'
   s.add_development_dependency 'pry',                       '~> 0.10'

diff --git a/test/check-ssl-anchor_spec.rb b/test/check-ssl-anchor_spec.rb
@@ -7,7 +7,7 @@
   end
 
   let(:check) do
-    CheckSSLAnchor.new ['-h', 'philporada.com', '-a', 'i:/O=Digital Signature Trust Co./CN=DST Root CA X3']
+    CheckSSLAnchor.new ['-h', 'philporada.com', '-a', 'i:\/?O ?= ?Digital Signature Trust Co.,? ?\/?CN ?= ?DST Root CA X3', '-r']
   end
 
   it 'should pass check if the root anchor matches what the users -a flag' do
@@ -17,6 +17,7 @@
 
   it 'should pass check if the root anchor matches what the users -a flag' do
     check.config[:anchor] = 'testdata'
+    check.config[:regexp] = false
     expect(check).to receive(:critical).and_raise SystemExit
     expect { check.run }.to raise_error SystemExit
   end

diff --git a/test/check-ssl-hsts-preloadable_spec.rb b/test/check-ssl-hsts-preloadable_spec.rb
@@ -19,11 +19,18 @@
     expect { check.run }.to raise_error SystemExit
   end
 
-  it 'should pass check if the domain is preloadedable but has warnings' do
-    check.config[:domain] = 'oskuro.net'
-    expect(check).to receive(:warning).and_raise SystemExit
-    expect { check.run }.to raise_error SystemExit
-  end
+  ##
+  # Disabled 2020/06/24 JDS
+  # Reason:  the hsts-preloadable check depends on a domain lookup from https://hstspreload.org/
+  #          There's no way to assure that an indexed domain at hstspreload.org will have a warning
+  #          The previously tested domain 'oskuro.net' no longer issues a warning
+  #          as its now incompliance with the hsts preload requirements.
+  ##
+  #  it 'should pass check if the domain is preloadedable but has warnings' do
+  #    check.config[:domain] = 'oskuro.net'
+  #    expect(check).to receive(:warning).and_raise SystemExit
+  #    expect { check.run }.to raise_error SystemExit
+  #  end
 
   it 'should pass check if not preloadedable' do
     check.config[:domain] = 'example.com'