Feature/pure ruby ssl implementation for root certificate issuer check #71
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… output to work with both openssl 1.0 and openssl 1.1 formatting
…ve to check-ssl-anchor.rb
8 tasks
majormoses
reviewed
Jun 24, 2020
majormoses
reviewed
Jun 26, 2020
bin/check-ssl-root-issuer.rb
Outdated
| default: 'RFC2253', | ||
| required: false | ||
|
|
||
| def validate_opts |
There was a problem hiding this comment.
A couple thoughts:
- I think we should we still add validation to the options passed in themselves. if I pass in an invalid value I see no reason to run this code here
- I think we should add conditional logic, if I specify something other than those two options the way the code is written it will attempt to validate with
RFC2253regardless of what is passed in - should we add a qualifier here that this is specific to format or do you intend that we would keep adding more validation to this?
Maybe that should be something we pass in and can try something like this? (not sure if this is valid)
def validate_format_opts(config[:format])
OpenSSL::X509::Name::config[:format]
end
# I am pretty sure this will work but is dangerous and could lead easily to code injection
# that being said if we validate the options beforehand I think that is sufficient mitigation
# (which I would call out in a comment) and will make sense right before the rubocop
# disable as I am sure it will (rightly so) yell at us as its incredibly dangerous but powerful
# if wielded properly
def validate_format_opts(config[:format])
eval "OpenSSL::X509::Name::#{config[:format]}"
endif we cant specify it like that then we could always use if, elif, else or case statements to handle.
There was a problem hiding this comment.
Okay I've updated the logic to use mixin's cli option value validation method.
…ibraries internal validation for allowed values.
|
@jspaleta let me know if you need any help appeasing the cops, in the case of the eval please do indicate in a comment that the validation is done at user input so should be safe in this case. |
|
Rubocop fixed. |
majormoses
approved these changes
Jun 27, 2020
|
@jspaleta do you want to merge this and prep a release or do you want me to? I can probably get to it this evening if you don't get to it sooner. |
phumpal
pushed a commit
to phumpal/sensu-plugins-ssl
that referenced
this pull request
Dec 2, 2022
sensu-plugins#71) * Add option to treat anchor as a regexp. Fix parsing of openssl client output to work with both openssl 1.0 and openssl 1.1 formatting * updates to make travis and rubocop happy * Add pure ruby implementation of check-ssl-root-issuer.rb as alternative to check-ssl-anchor.rb * make rubocop happy * add test for check-ssl-root-issuer * update changelog and README with new plugin information * remove files changed in PR sensu-plugins#70, unrelated to this new feature * Update logic for validating issuer name format options. Using mixin libraries internal validation for allowed values.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request Checklist
This is to address use of openssl command line tool in the check-ssl-anchor with an alternative implementation of the same logic using pure base ruby packages.
This is an outgrowth of the clean up done in PR #70
Probably should merge PR #70 first.
General
Update Changelog
RuboCop passes
Existing tests pass
New Plugins
Tests
Add the plugin to the README
Purpose
Provide full ruby implementation of similar logic to
check-ssl-anchor.rbwithout requireing openssl cmdline tool.Known Compatibility Issues