

Added probe_tls_certificate_info metric with basic certificate details
Signed-off-by: Daniel Jolly <[email protected]>
djcode committed Jul 22, 2022
1 parent d26fcc6 commit 9408983
Showing 6 changed files with 49 additions and 3 deletions.
9 changes: 9 additions & 0 deletions prober/grpc.go
Expand Up @@ -108,6 +108,13 @@ func ProbeGRPC(ctx context.Context, target string, module config.Module, registr
},
[]string{"version"},
)

probeTLSCertInformation = prometheus.NewGaugeVec(prometheus.GaugeOpts{
Name: "probe_tls_certificate_info",
Help: "Returns the information about the certificate",
},
[]string{"subject", "issuer", "subjectalternative"},
)
)

for _, lv := range []string{"resolve"} {
Expand All @@ -120,6 +127,7 @@ func ProbeGRPC(ctx context.Context, target string, module config.Module, registr
registry.MustRegister(healthCheckResponseGaugeVec)
registry.MustRegister(probeSSLEarliestCertExpiryGauge)
registry.MustRegister(probeTLSVersion)
registry.MustRegister(probeTLSCertInformation)

if !strings.HasPrefix(target, "http://") && !strings.HasPrefix(target, "https://") {
target = "http://" + target
Expand Down Expand Up @@ -202,6 +210,7 @@ func ProbeGRPC(ctx context.Context, target string, module config.Module, registr
isSSLGauge.Set(float64(1))
probeSSLEarliestCertExpiryGauge.Set(float64(getEarliestCertExpiry(&tlsInfo.State).Unix()))
probeTLSVersion.WithLabelValues(getTLSVersion(&tlsInfo.State)).Set(1)
probeTLSCertInformation.WithLabelValues(getSubject(&tlsInfo.State), getIssuer(&tlsInfo.State), getDNSNames(&tlsInfo.State)).Set(1)
} else {
isSSLGauge.Set(float64(0))
}
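Review bot: The Help string on the new gauge, `Help: "Returns the information about the certificate"`, does not say which certificate or which information is exported, and the same text is repeated in prober/http.go and prober/tcp.go, so a wording fix should land in all three. Something like `Help: "Returns information about the peer's leaf certificate: subject CN, issuer CN and comma-joined DNS SANs"` would describe what the label values actually carry according to the helpers added in prober/tls.go. The label name `subjectalternative` also reads awkwardly next to the other metrics' labels; `subject_alternative_names` or `dns_names` would follow the usual snake_case convention, and this is worth settling before the metric ships, since renaming a label later breaks existing queries. ProbeGRPC starts and ends outside the hunks.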
11 changes: 10 additions & 1 deletion prober/http.go
Expand Up @@ -293,6 +293,14 @@ func ProbeHTTP(ctx context.Context, target string, module config.Module, registr
[]string{"version"},
)

probeTLSCertInformation = prometheus.NewGaugeVec(
prometheus.GaugeOpts{
Name: "probe_tls_certificate_info",
Help: "Returns the information about the certificate",
},
[]string{"subject", "issuer", "subjectalternative"},
)

probeHTTPVersionGauge = prometheus.NewGauge(prometheus.GaugeOpts{
Name: "probe_http_version",
Help: "Returns the version of HTTP of the probe response",
Expand Down Expand Up @@ -642,9 +650,10 @@ func ProbeHTTP(ctx context.Context, target string, module config.Module, registr

if resp.TLS != nil {
isSSLGauge.Set(float64(1))
registry.MustRegister(probeSSLEarliestCertExpiryGauge, probeTLSVersion, probeSSLLastChainExpiryTimestampSeconds, probeSSLLastInformation)
registry.MustRegister(probeSSLEarliestCertExpiryGauge, probeTLSVersion, probeTLSCertInformation, probeSSLLastChainExpiryTimestampSeconds, probeSSLLastInformation)
probeSSLEarliestCertExpiryGauge.Set(float64(getEarliestCertExpiry(resp.TLS).Unix()))
probeTLSVersion.WithLabelValues(getTLSVersion(resp.TLS)).Set(1)
probeTLSCertInformation.WithLabelValues(getSubject(resp.TLS), getIssuer(resp.TLS), getDNSNames(resp.TLS)).Set(1)
probeSSLLastChainExpiryTimestampSeconds.Set(float64(getLastChainExpiry(resp.TLS).Unix()))
probeSSLLastInformation.WithLabelValues(getFingerprint(resp.TLS)).Set(1)
if httpConfig.FailIfSSL {
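Review bot: ProbeHTTP now registers `probeTLSCertInformation` in the `registry.MustRegister(...)` call and sets it on the following lines, but the diffstat lists only tcp_test.go and utils_test.go as changed tests, so neither the HTTP nor the gRPC path gets an expected-results entry for the new metric. If the HTTPS tests use the same checkRegistryResults helper as the TCP tests, adding `"probe_tls_certificate_info": 1` to their expected maps would catch a regression where the gauge is registered but never set. The enclosing function starts and ends outside the hunk.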
13 changes: 11 additions & 2 deletions prober/tcp.go
Expand Up @@ -111,6 +111,13 @@ func ProbeTCP(ctx context.Context, target string, module config.Module, registry
},
[]string{"version"},
)
probeTLSCertInformation := prometheus.NewGaugeVec(
prometheus.GaugeOpts{
Name: "probe_tls_certificate_info",
Help: "Returns the information about the certificate",
},
[]string{"subject", "issuer", "subjectalternative"},
)
probeFailedDueToRegex := prometheus.NewGauge(prometheus.GaugeOpts{
Name: "probe_failed_due_to_regex",
Help: "Indicates if probe failed due to regex",
Expand All @@ -135,9 +142,10 @@ func ProbeTCP(ctx context.Context, target string, module config.Module, registry
}
if module.TCP.TLS {
state := conn.(*tls.Conn).ConnectionState()
registry.MustRegister(probeSSLEarliestCertExpiry, probeTLSVersion, probeSSLLastChainExpiryTimestampSeconds, probeSSLLastInformation)
registry.MustRegister(probeSSLEarliestCertExpiry, probeTLSVersion, probeTLSCertInformation, probeSSLLastChainExpiryTimestampSeconds, probeSSLLastInformation)
probeSSLEarliestCertExpiry.Set(float64(getEarliestCertExpiry(&state).Unix()))
probeTLSVersion.WithLabelValues(getTLSVersion(&state)).Set(1)
probeTLSCertInformation.WithLabelValues(getSubject(&state), getIssuer(&state), getDNSNames(&state)).Set(1)
probeSSLLastChainExpiryTimestampSeconds.Set(float64(getLastChainExpiry(&state).Unix()))
probeSSLLastInformation.WithLabelValues(getFingerprint(&state)).Set(1)
}
Expand Down Expand Up @@ -201,9 +209,10 @@ func ProbeTCP(ctx context.Context, target string, module config.Module, registry

// Get certificate expiry.
state := tlsConn.ConnectionState()
registry.MustRegister(probeSSLEarliestCertExpiry, probeSSLLastChainExpiryTimestampSeconds)
registry.MustRegister(probeSSLEarliestCertExpiry, probeSSLLastChainExpiryTimestampSeconds, probeTLSCertInformation)
probeSSLEarliestCertExpiry.Set(float64(getEarliestCertExpiry(&state).Unix()))
probeTLSVersion.WithLabelValues(getTLSVersion(&state)).Set(1)
probeTLSCertInformation.WithLabelValues(getSubject(&state), getIssuer(&state), getDNSNames(&state)).Set(1)
probeSSLLastChainExpiryTimestampSeconds.Set(float64(getLastChainExpiry(&state).Unix()))
probeSSLLastInformation.WithLabelValues(getFingerprint(&state)).Set(1)
}
2 changes: 2 additions & 0 deletions prober/tcp_test.go
Expand Up @@ -198,6 +198,7 @@ func TestTCPConnectionWithTLS(t *testing.T) {
"probe_ssl_earliest_cert_expiry": float64(certExpiry.Unix()),
"probe_ssl_last_chain_info": 1,
"probe_tls_version_info": 1,
"probe_tls_certificate_info": 1,
}
checkRegistryResults(expectedResults, mfs, t)
}
Expand Down Expand Up @@ -322,6 +323,7 @@ func TestTCPConnectionWithTLSAndVerifiedCertificateChain(t *testing.T) {
"probe_ssl_last_chain_expiry_timestamp_seconds": float64(serverCertExpiry.Unix()),
"probe_ssl_last_chain_info": 1,
"probe_tls_version_info": 1,
"probe_tls_certificate_info": 1,
}
checkRegistryResults(expectedResults, mfs, t)
}
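Review bot: The new expectation `"probe_tls_certificate_info": 1` checks only the sample value, so the three label values (`subject`, `issuer`, `subjectalternative`) are never verified; swapping the getSubject and getIssuer arguments in prober/tcp.go would still pass both tests. Since utils_test.go now sets `CommonName: "Example"` on the test certificate template, the test could look up the metric family in `mfs` and assert that the `subject` label equals `"Example"`, and likewise check `subjectalternative` against whatever DNS names the template carries. Whether checkRegistryResults can be extended to compare labels depends on its implementation, which is outside this hunk; a separate lookup over `mfs` would work regardless.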
16 changes: 16 additions & 0 deletions prober/tls.go
Expand Up @@ -17,6 +17,7 @@ import (
"crypto/sha256"
"crypto/tls"
"encoding/hex"
"strings"
"time"
)

Expand All @@ -36,6 +37,21 @@ func getFingerprint(state *tls.ConnectionState) string {
return hex.EncodeToString(fingerprint[:])
}

func getSubject(state *tls.ConnectionState) string {
cert := state.PeerCertificates[0]
return cert.Subject.CommonName
}

func getIssuer(state *tls.ConnectionState) string {
cert := state.PeerCertificates[0]
return cert.Issuer.CommonName
}

func getDNSNames(state *tls.ConnectionState) string {
cert := state.PeerCertificates[0]
return strings.Join(cert.DNSNames, ",")
}

func getLastChainExpiry(state *tls.ConnectionState) time.Time {
lastChainExpiry := time.Time{}
for _, chain := range state.VerifiedChains {
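Review bot: getSubject, getIssuer and getDNSNames index `state.PeerCertificates[0]` without a length check, so a connection state with an empty peer chain would panic the probe; a guard such as `if len(state.PeerCertificates) == 0 { return "" }` at the top of each keeps the probe emitting metrics instead of crashing. The existing getFingerprint just above may rely on the same assumption (its body is mostly outside the hunk), so this could be an accepted invariant of the callers, but that is worth confirming before adding three more sites. getDNSNames covers only `cert.DNSNames`, so IP, email and URI SANs are silently dropped even though the label is named `subjectalternative`; either include them or state it in a doc comment, e.g. `// getDNSNames returns the leaf certificate's DNS SANs, comma-joined; other SAN types are not included.`. The subject CN is optional in modern certificates, so `subject` may be an empty label value, and a doc comment on getSubject should say so.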
1 change: 1 addition & 0 deletions prober/utils_test.go
Expand Up @@ -85,6 +85,7 @@ func generateCertificateTemplate(expiry time.Time, IPAddressSAN bool) *x509.Cert
SubjectKeyId: []byte{1},
SerialNumber: big.NewInt(1),
Subject: pkix.Name{
CommonName: "Example",
Organization: []string{"Example Org"},
},
NotBefore: time.Now(),
