[checkmk-commits] #2668 FIX jar_signature: Handle case correctly where certificate is already expired

Module: check_mk Branch: master Commit: 28eb7e4ae1e0c5b76f11d8a4d5f75dc35dc45079 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=28eb7e4ae1e0c5… Author: Mathias Kettner &lt;mk(a)mathias-kettner.de&gt; Date: Sun Oct 25 13:55:02 2015 +0100 #2668 FIX jar_signature: Handle case correctly where certificate is already expired --- .werks/2668 | 9 ++++++++ ChangeLog | 1 + checks/jar_signature | 53 ++++++++++++++++++++++++++++++++++------------ modules/check_mk_base.py | 5 ++--- 4 files changed, 52 insertions(+), 16 deletions(-) diff --git a/.werks/2668 b/.werks/2668 new file mode 100644 index 0000000..4c85ed7 --- /dev/null +++ b/.werks/2668 @@ -0,0 +1,9 @@ +Title: jar_signature: Handle case correctly where certificate is already expired +Level: 1 +Component: checks +Compatible: compat +Version: 1.2.7i4 +Date: 1445777668 +Class: fix + + diff --git a/ChangeLog b/ChangeLog index 52df68d..9a5b7c0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,7 @@ * 1296 FIX: aix_memory: Check can now handle systems without swap partition * 2690 FIX: ps: Fixed processing of old inventory_processes rules in discovery function... * 2236 FIX: cups_queues: Correct not working discovery after werk #2504... + * 2668 FIX: jar_signature: Handle case correctly where certificate is already expired Multisite: * 2684 Added icons for downloading agent data / walks of hosts... diff --git a/checks/jar_signature b/checks/jar_signature index cbe0440..58d04a3 100644 --- a/checks/jar_signature +++ b/checks/jar_signature @@ -24,7 +24,25 @@ # to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, # Boston, MA 02110-1301 USA. -import datetime +# Example output from agent +# <<<jar_signature>>> +# [[[bluecove-1.2.3-signed.jar]]] +# sm 308 Fri May 11 01:42:04 CEST 2007 javax/microedition/io/StreamConnectionNotifier.class +# +# X.509, CN=MicroEmulator Team +# [certificate expired on 2/10/12 6:19 PM] +# +# +# s = signature was verified +# m = entry is listed in manifest +# k = at least one certificate was found in keystore +# i = at least one certificate was found in identity scope +# +# jar verified. +# +# Warning: +# This jar contains entries whose signer certificate has expired. + def inventory_jar_signature(info): inventory = [] @@ -34,7 +52,7 @@ def inventory_jar_signature(info): inventory.append((f, {})) return inventory -def check_jar_signature(item, params, info): +def check_jar_signature(item, _no_params, info): in_block = False details = [] in_cert = False @@ -60,24 +78,33 @@ def check_jar_signature(item, params, info): # [certificate is valid from 3/26/12 11:26 AM to 3/26/17 11:36 AM] # [certificate will expire on 7/4/13 4:13 PM] + # [certificate expired on 2/10/12 6:19 PM] if "will expire on " in cert_valid: - to = cert_valid.split("will expire on ", 1)[1][:-1] + expiry_date_text = cert_valid.split("will expire on ", 1)[1][:-1] + elif "expired on" in cert_valid: + expiry_date_text = cert_valid.split("expired on ", 1)[1][:-1] else: - to = cert_valid.split("to ", 1)[1][:-1] - to_dt = datetime.datetime(*time.strptime(to, '%m/%d/%y %I:%M %p')[:6]) + expiry_date_text = cert_valid.split("to ", 1)[1][:-1] + expiry_date = time.mktime(time.strptime(expiry_date_text, '%m/%d/%y %I:%M %p')) + expired_since = time.time() - expiry_date - warn, crit = 60, 30 + warn, crit = 60 * 86400, 30 * 86400 state = 0 - status_txt = "" - if to_dt < datetime.datetime.now() + datetime.timedelta(days = crit): + if expired_since >= 0: state = 2 - status_txt = " (less than %d days)" % crit - elif to_dt < datetime.datetime.now() + datetime.timedelta(days = warn): - state = 1 - status_txt = " (less than %d days)" % warn + status_text = "Certificate expired on %s (%s ago) " % (expiry_date_text, get_age_human_readable(expired_since)) + else: + status_text = "Certificate will expire on %s (in %s)" % (expiry_date_text, get_age_human_readable(-expired_since)) + if -expired_since <= crit: + state = 2 + status_txt = "(less than %s)" % (get_age_human_readable(crit)) + elif -expired_since <= warn: + state = 1 + status_txt = "(less than %s)" % (get_age_human_readable(warn)) + + return state, status_text - return state, "Certificate expires on %s%s (%s)" % (to, status_txt, cert_dn) check_info['jar_signature'] = { "service_description" : "Jar-Signature %s", diff --git a/modules/check_mk_base.py b/modules/check_mk_base.py index 9cc0afe..cb61385 100644 --- a/modules/check_mk_base.py +++ b/modules/check_mk_base.py @@ -51,6 +51,7 @@ import signal import math import tempfile import traceback +import subprocess # PLANNED CLEANUP: # - central functions for outputting verbose information and bailing @@ -769,9 +770,7 @@ def get_agent_info(hostname, ipaddress, max_cache_age): def get_agent_info_program(commandline): exepath = commandline.split()[0] # for error message, hide options! - import subprocess - if opt_verbose: - sys.stderr.write("Calling external program %s\n" % commandline) + vverbose("Calling external program %s\n" % commandline) try: p = subprocess.Popen(commandline, shell = True, stdout = subprocess.PIPE, stderr = subprocess.PIPE) stdout, stderr = p.communicate()