Analyze TLS certificate

replicatedhq · Feb 19, 2021 · 87b4c12 · 87b4c12
1 parent 7647c03
commit 87b4c12
Show file tree

Hide file tree

Showing 10 changed files with 581 additions and 0 deletions.
diff --git a/examples/preflight/host/certificate.yaml b/examples/preflight/host/certificate.yaml
@@ -0,0 +1,30 @@
+apiVersion: troubleshoot.sh/v1beta2
+kind: HostPreflight
+metadata:
+  name: certificate
+spec:
+  collectors:
+    - certificate:
+        certificatePath: /etc/ssl/corp.crt
+        keyPath: /etc/ssl/corp.key
+  analyzers:
+    - certificate:
+        outcomes:
+          - fail:
+              when: "key-pair-missing"
+              message: Certificate key pair not found in /etc/ssl
+          - fail:
+              when: "key-pair-switched"
+              message: Cert and key pair are switched
+          - fail:
+              when: "key-pair-encrypted"
+              message: Private key is encrypted
+          - fail:
+              when: "key-pair-mismatch"
+              message: Cert and key do not match
+          - fail:
+              when: "key-pair-invalid"
+              message: Certificate key pair is invalid
+          - pass:
+              when: "key-pair-valid"
+              message: Certificate key pair is valid
diff --git a/examples/preflight/host/sample.yaml b/examples/preflight/host/sample.yaml
@@ -5,6 +5,9 @@ metadata:
 spec:
   collectors:
     - blockDevices: {}
+    - certificate:
+        certificatePath: /etc/ssl/corp.crt
+        keyPath: /etc/ssl/corp.key
     - cpu: {}
     - diskUsage:
         collectorName: ephemeral
@@ -50,6 +53,26 @@ spec:
               message: Multiple available block devices
           - fail:
               message: No available block devices
+    - certificate:
+        outcomes:
+          - fail:
+              when: "key-pair-missing"
+              message: Certificate key pair not found in /etc/ssl
+          - fail:
+              when: "key-pair-switched"
+              message: Cert and key pair are switched
+          - fail:
+              when: "key-pair-encrypted"
+              message: Private key is encrypted
+          - fail:
+              when: "key-pair-mismatch"
+              message: Cert and key do not match
+          - fail:
+              when: "key-pair-invalid"
+              message: Certificate key pair is invalid
+          - pass:
+              when: "key-pair-valid"
+              message: Certificate key pair is valid
     - cpu:
         outcomes:
           - fail:

diff --git a/pkg/analyze/analyzer.go b/pkg/analyze/analyzer.go
@@ -125,6 +125,13 @@ func HostAnalyze(hostAnalyzer *troubleshootv1beta2.HostAnalyze, getFile getColle
 		}
 		return []*AnalyzeResult{result}, nil
 	}
+	if hostAnalyzer.Certificate != nil {
+		result, err := analyzeHostCertificate(hostAnalyzer.Certificate, getFile)
+		if err != nil {
+			return nil, err
+		}
+		return []*AnalyzeResult{result}, nil
+	}
 
 	return nil, errors.New("invalid analyzer")
 }

diff --git a/pkg/analyze/host_certificate.go b/pkg/analyze/host_certificate.go
@@ -0,0 +1,59 @@
+package analyzer
+
+import (
+	"path/filepath"
+
+	"github.com/pkg/errors"
+	troubleshootv1beta2 "github.com/replicatedhq/troubleshoot/pkg/apis/troubleshoot/v1beta2"
+)
+
+func analyzeHostCertificate(hostAnalyzer *troubleshootv1beta2.CertificateAnalyze, getCollectedFileContents func(string) ([]byte, error)) (*AnalyzeResult, error) {
+	collectorName := hostAnalyzer.CollectorName
+	if collectorName == "" {
+		collectorName = "certificate"
+	}
+	name := filepath.Join("certificate", collectorName+".json")
+	contents, err := getCollectedFileContents(name)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get collected file")
+	}
+	status := string(contents)
+
+	result := AnalyzeResult{}
+
+	title := hostAnalyzer.CheckName
+	if title == "" {
+		title = "Certificate Key Pair"
+	}
+	result.Title = title
+
+	for _, outcome := range hostAnalyzer.Outcomes {
+		if outcome.Fail != nil {
+			if outcome.Fail.When == "" || outcome.Fail.When == status {
+				result.IsFail = true
+				result.Message = outcome.Fail.Message
+				result.URI = outcome.Fail.URI
+
+				return &result, nil
+			}
+		} else if outcome.Warn != nil {
+			if outcome.Warn.When == "" || outcome.Warn.When == status {
+				result.IsWarn = true
+				result.Message = outcome.Warn.Message
+				result.URI = outcome.Warn.URI
+
+				return &result, nil
+			}
+		} else if outcome.Pass != nil {
+			if outcome.Pass.When == "" || outcome.Pass.When == status {
+				result.IsPass = true
+				result.Message = outcome.Pass.Message
+				result.URI = outcome.Pass.URI
+
+				return &result, nil
+			}
+		}
+	}
+
+	return &result, nil
+}