summaryrefslogtreecommitdiff
path: root/lib/custodian/protocoltest
AgeCommit message (Collapse)Author
2017-08-08Moved case statement outside timeout block.13-catch-bogus-dnsSteve Kemp
Also removed a redudant `begin`.
2017-08-08Use a case-statement for both kinds of IP-matching.Steve Kemp
2017-08-08Sanity-check DNS on a per-protocol basis.Steve Kemp
When a failure occurs in looking up IPv4 addresses we confirm that, similarly when/if IPv6 lookups fail we confirm that before raising the alert.
2017-08-08Updated to move ignore-dns-failure code into routine.Steve Kemp
That is then tested when resolve-errors are handled.
2017-08-08Ignore bogus DNS results.Steve Kemp
We've had a problem for the past few weeks (?) where we see false DNS errors when making http/https requests with `curb`/`libcurl`. To resolve these issues properly we're going to have to rewrite the code to avoid the current gem. However that is considerable work because of the hole we've back ourself into - wanting to test both IPv4 and IPv6 "properly". We'll have to duplicate that work if we use `net/http`, or even mroe so if we use `open3` and exec `curl -4|-6 ..` For the moment this commit changes how things are handled to deal with the issue we see - which doesn't solve the problem but will mask it. When custodian runs a test it will return a status-code: * Custodian::TestResult::TEST_FAILED * The test failed, such that an alert should be raised. * Custodian::TestResult::TEST_PASSED * The test succeeded, such that any previous alert should be cleared. * Custodian::TestResult::TEST_SKIPPED * Nothing should be done. As the failure we see is very very specific - an exception is thrown of the type `Curl::Err::HostResolutionError` - we can catch that and return `TEST_SKIPPED`. That means that there will be no (urgent) alert. Obviously the potential risk of swallowing all DNS-failures is that a domain might expire and we'd never know. So we'll do a little better than merely skipping the test if there are DNS failures: * If we see a DNS failure. * Then we try to lookup the host as an A & AAAA record. * If that succeeds we decide the issue was bogus. * If that fails then the host legitimately doesn't resolve so we raise an alert. To recap: * If a host fails normally - bogus status-code, or missing text - we behave as we did in the past. * Only in the case of a DNS-error from curb/curl do we go down this horrid path. * Where we try to confirm the error, and swallow it if false. This closes #13.
2017-07-13Alert in more detail on DNS failures.Steve Kemp
2017-07-11Updated to log the exact DNS error.13-log-dns-errorsSteve Kemp
This is part of #13.
2017-04-10Remove username/password prior to testing URL with curb.Steve Kemp
2017-04-10Use standard URL username/password holders.10-support-http-basic-authSteve Kemp
Rather than: with auth 'username:password' We use: http://user:pass@example.com/
2017-03-28Support HTTP BASIC-AUthentication.Steve Kemp
Supply this like so: http://example.com/ must run http with auth 'username:passw0rd' with status 200 otherwise 'failure'
2017-03-27First stab at allowing custom SSL expiry daysJames Hannah
2016-12-19Show host/port when TCP timeout occurs.Steve Kemp
This is a failure case which is not 100% clear. This closes #4.
2016-11-03Send the server-name-indicator (SNI) when falling back to legacy.3-send-sni-when-falling-back-to-opensslSteve Kemp
If ruby-based SSL negotiation fails then we fallback to invoking (horridly!) openssl directly. Until now this didn't send the SNI hostname to connect to, so it could only test the first/default SSL site that was listening upon a given IP address. This commit updates things such that we send the correct hostname, from the URL under-test.
2016-07-18Fallback to using `openssl` if we can't get certificates.Steve Kemp
Since the ruby version available to wheezy doesn't support TLS 1.2 fetching the certificate from remote HTTPS servers will fail, if that is all that is available. If we hit that condition, and only that one, we'll fall back to invoking `openssl` natively. This will allow us to monitor expiration-time for remote SSL certificates, but the downside is that we no longr receive the bundle that the remote server might send - so we cannot validate the signature chain. This closes #2.
2016-07-13Update error message for validation-failuSteve Kemp
2016-07-13Retry SSL checks on negotiation failure.release-0.29Steve Kemp
This prevents an endless loop.
2016-04-22More updates to silence rubocop style-guides.Steve Kemp
These warnings were largely whitespace-based.
2016-04-22Simplified the parsing of the TFTP URI.Steve Kemp
2016-04-21added tftp protocol testJames F. Carter
2016-02-10Don't allow limiting protocl on HTTP/HTTPS tests.root
We cannot allow HTTP/HTTPS to be limited by protocol, such as IPv4-only or IPv6-only. Raise an error in the parser if this is attempted. Added test-case to confirm, and this closes #12488.
2016-02-10Adjusted greediness of regex in http with contentPatrick J Cherry
It should match the next occurrence of the opening quote type, not the last.
2016-02-10Adjusted http with content string parsing.Patrick J Cherry
It now matches "can't match" and 'he said "ha!"'. Added tests.
2016-01-11Allow expected-test to be double-quoted.Steve Kemp
This changes the parser from only allowing this: http://example.com/ must run http with content 'reserved'. To allowing both of these: http://example.com/ must run http with content "reservered". http://example.com/ must run http with content 'reserved'.
2015-11-30Don't do SHA1 signature testing by default.Steve Kemp
2015-10-29Allow testng for weak certificate signing algorithms.Steve Kemp
This is a good thing to do, as Chrome will apaprently be refusing to show sites with SHA-1 in use over SHA-256. This closes #12358.
2015-08-26Catch "RecvErr" exceptions from curb.Steve Kemp
This prevents a slightly ugly backtrace instead of a genuinely useful report.
2015-08-04Override the alert-test-type for the SSL-expiry check.Steve Kemp
This allows better alerting.
2015-07-29Loosen teh grammar on tcp-tests.Steve Kemp
In the past we needed to write: must run tcp on 3306. Now we can add the "port" to match the rest of the tests: must run tcp on port 3306.
2015-07-29Added handler for running RDP-tests.Steve Kemp
This just does a TCP-connection to port 3389.
2015-04-16Updated test-handler for new API.Steve Kemp
This update consists of two changes: * No longer return "true" or "false" instead return "TEST_FAILED", or "TEST_SUCCEEDED". * Removed the testing of test-inversion from the class, now it lives in the base-class where it should have done all along.
2015-04-16Removed SMTP-relay test entirelySteve Kemp
2015-04-16Ensure we load our base-class.Steve Kemp
2015-04-16Fixed to be valid.Steve Kemp
Due to some sloppy edits this module was not correct.
2015-04-16Fixed syntax error.Steve Kemp
2015-03-09Show error-message clearly on connection-failure.Steve Kemp
This was failing because '$ERROR_INFO' is only available if you require 'English'
2015-03-09Updated to test for more whitespace issues.Steve Kemp
2015-03-09Removed trailing whitespace from the codeSteve Kemp
2015-03-09Remove spaces inside blocks.Steve Kemp
2015-03-09More minor space fixupsSteve Kemp
2015-03-09Whitespace fixups.Steve Kemp
These were all identified and suggested by rubocop.
2015-03-09Removed spaces inside parenthesis.Steve Kemp
2015-03-09Prefer single-quotes when you don't need interpolation.Steve Kemp
So "foo" is less good than 'foo'.
2015-03-09 Prefer single-quoted strings inside interpolations.Steve Kemp
2015-03-09Do not terminate expressions with ";".Steve Kemp
Ruby is not Perl, much as I sometimes wish it were.
2015-03-09Avoid redudent returns.Steve Kemp
The last expression of a method is the return value. So: def foo; false ; end Is the same as: def foo; return false; end
2015-03-09Don't use parenthesis aroudn conditions in an if.Steve Kemp
2015-03-09Do not use parentheses for method calls with no arguments.Steve Kemp
This is neater. Flagged by rubocop
2015-03-09Avoid "Array.new" and "Hash.new"Steve Kemp
Instead use {} + ().
2015-03-09Removed bogus period.Steve Kemp
2015-03-09Minor indentation fixup.Steve Kemp