dom
/
telegraf
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add additional tags for x509 Input Plugin (#6686)

This commit is contained in:
Yong Wen Chua 2019-11-27 02:04:55 +08:00 committed by Daniel Nelson
parent e061376846
commit 6eb21978e6
3 changed files with 91 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
plugins/inputs/x509_cert/README.md
View File

@ -33,6 +33,12 @@ file or network connection.
- province - province
- locality - locality
- verification - verification
- serial_number
- signature_algorithm
- public_key_algorithm
- issuer_common_name
- issuer_serial_number
- san
- fields: - fields:
- verification_code (int) - verification_code (int)
- verification_error (string) - verification_error (string)

44
plugins/inputs/x509_cert/x509_cert.go
View File

@ -5,7 +5,6 @@ import (
"bytes" "bytes"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix"
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
@ -136,28 +135,43 @@ func getFields(cert *x509.Certificate, now time.Time) map[string]interface{} {
return fields return fields
} }
func getTags(subject pkix.Name, location string) map[string]string { func getTags(cert *x509.Certificate, location string) map[string]string {
tags := map[string]string{ tags := map[string]string{
"source": location, "source": location,
"common_name": subject.CommonName, "common_name": cert.Subject.CommonName,
"serial_number": cert.SerialNumber.Text(16),
"signature_algorithm": cert.SignatureAlgorithm.String(),
"public_key_algorithm": cert.PublicKeyAlgorithm.String(),
} }
if len(subject.Organization) > 0 { if len(cert.Subject.Organization) > 0 {
tags["organization"] = subject.Organization[0] tags["organization"] = cert.Subject.Organization[0]
} }
if len(subject.OrganizationalUnit) > 0 { if len(cert.Subject.OrganizationalUnit) > 0 {
tags["organizational_unit"] = subject.OrganizationalUnit[0] tags["organizational_unit"] = cert.Subject.OrganizationalUnit[0]
} }
if len(subject.Country) > 0 { if len(cert.Subject.Country) > 0 {
tags["country"] = subject.Country[0] tags["country"] = cert.Subject.Country[0]
} }
if len(subject.Province) > 0 { if len(cert.Subject.Province) > 0 {
tags["province"] = subject.Province[0] tags["province"] = cert.Subject.Province[0]
} }
if len(subject.Locality) > 0 { if len(cert.Subject.Locality) > 0 {
tags["locality"] = subject.Locality[0] tags["locality"] = cert.Subject.Locality[0]
} }
tags["issuer_common_name"] = cert.Issuer.CommonName
tags["issuer_serial_number"] = cert.Issuer.SerialNumber
san := append(cert.DNSNames, cert.EmailAddresses...)
for _, ip := range cert.IPAddresses {
san = append(san, ip.String())
}
for _, uri := range cert.URIs {
san = append(san, uri.String())
}
tags["san"] = strings.Join(san, ",")
return tags return tags
} }
@ -179,7 +193,7 @@ func (c *X509Cert) Gather(acc telegraf.Accumulator) error {
for i, cert := range certs { for i, cert := range certs {
fields := getFields(cert, now) fields := getFields(cert, now)
tags := getTags(cert.Subject, location) tags := getTags(cert, location)
// The first certificate is the leaf/end-entity certificate which needs DNS // The first certificate is the leaf/end-entity certificate which needs DNS
// name validation against the URL hostname. // name validation against the URL hostname.

56
plugins/inputs/x509_cert/x509_cert_test.go
View File

@ -5,6 +5,7 @@ import (
"encoding/base64" "encoding/base64"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"math/big"
"os" "os"
"testing" "testing"
"time" "time"
@ -195,6 +196,61 @@ func TestGatherLocal(t *testing.T) {
} }
} }
func TestTags(t *testing.T) {
cert := fmt.Sprintf("%s\n%s", pki.ReadServerCert(), pki.ReadCACert())
f, err := ioutil.TempFile("", "x509_cert")
if err != nil {
t.Fatal(err)
}
_, err = f.Write([]byte(cert))
if err != nil {
t.Fatal(err)
}
err = f.Close()
if err != nil {
t.Fatal(err)
}
defer os.Remove(f.Name())
sc := X509Cert{
Sources: []string{f.Name()},
}
sc.Init()
acc := testutil.Accumulator{}
err = sc.Gather(&acc)
require.NoError(t, err)
assert.True(t, acc.HasMeasurement("x509_cert"))
assert.True(t, acc.HasTag("x509_cert", "common_name"))
assert.Equal(t, "server.localdomain", acc.TagValue("x509_cert", "common_name"))
assert.True(t, acc.HasTag("x509_cert", "signature_algorithm"))
assert.Equal(t, "SHA256-RSA", acc.TagValue("x509_cert", "signature_algorithm"))
assert.True(t, acc.HasTag("x509_cert", "public_key_algorithm"))
assert.Equal(t, "RSA", acc.TagValue("x509_cert", "public_key_algorithm"))
assert.True(t, acc.HasTag("x509_cert", "issuer_common_name"))
assert.Equal(t, "Telegraf Test CA", acc.TagValue("x509_cert", "issuer_common_name"))
assert.True(t, acc.HasTag("x509_cert", "san"))
assert.Equal(t, "localhost,127.0.0.1", acc.TagValue("x509_cert", "san"))
assert.True(t, acc.HasTag("x509_cert", "serial_number"))
serialNumber := new(big.Int)
_, validSerialNumber := serialNumber.SetString(acc.TagValue("x509_cert", "serial_number"), 16)
if !validSerialNumber {
t.Errorf("Expected a valid Hex serial number but got %s", acc.TagValue("x509_cert", "serial_number"))
}
assert.Equal(t, big.NewInt(1), serialNumber)
}
func TestGatherChain(t *testing.T) { func TestGatherChain(t *testing.T) {
cert := fmt.Sprintf("%s\n%s", pki.ReadServerCert(), pki.ReadCACert()) cert := fmt.Sprintf("%s\n%s", pki.ReadServerCert(), pki.ReadCACert())