From 2482950e267a752b37d696c10ea091dc62d6d8a7 Mon Sep 17 00:00:00 2001 From: Barak Shohat Date: Tue, 6 Apr 2021 16:35:20 +0300 Subject: Updated check_curl.c to display a specific human-readable error message where possible --- plugins/t/check_curl.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'plugins/t/check_curl.t') diff --git a/plugins/t/check_curl.t b/plugins/t/check_curl.t index 4bff538a..cc65f037 100644 --- a/plugins/t/check_curl.t +++ b/plugins/t/check_curl.t @@ -46,7 +46,7 @@ $res = NPTest->testCmd( ); cmp_ok( $res->return_code, '==', 2, "Webserver $host_nonresponsive not responding" ); # was CRITICAL only, but both check_curl and check_http print HTTP CRITICAL (puzzle?!) -cmp_ok( $res->output, 'eq', "HTTP CRITICAL - Invalid HTTP response received from host on port 80: cURL returned 28 - Timeout was reached", "Output OK"); +like( $res->output, "/HTTP CRITICAL - Invalid HTTP response received from host on port 80: cURL returned 28 - Connection timed out after/", "Output OK"); $res = NPTest->testCmd( "./$plugin $hostname_invalid -wt 1 -ct 2" @@ -56,7 +56,7 @@ cmp_ok( $res->return_code, '==', 2, "Webserver $hostname_invalid not valid" ); # On Debian, it is Name or service not known, on Darwin, it is No address associated with nodename # Is also possible to get a socket timeout if DNS is not responding fast enough # cURL gives us consistent strings from it's own 'lib/strerror.c' -like( $res->output, "/cURL returned 6 - Couldn't resolve host name/", "Output OK"); +like( $res->output, "/cURL returned 6 - Could not resolve host:/", "Output OK"); # host header checks $res = NPTest->testCmd("./$plugin -v -H $host_tcp_http"); -- cgit v1.2.3-74-g34f1 From 6993c216955a54845d98dc568534613334c0b545 Mon Sep 17 00:00:00 2001 From: Barak Shohat Date: Wed, 7 Apr 2021 12:34:46 +0300 Subject: Add an option to check_curl to verify the peer certificate & host using the system CA's --- plugins/check_curl.c | 17 ++++++++++++++--- plugins/t/check_curl.t | 5 ++++- 2 files changed, 18 insertions(+), 4 deletions(-) (limited to 'plugins/t/check_curl.t') diff --git a/plugins/check_curl.c b/plugins/check_curl.c index 8f274c26..19f80b74 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c @@ -195,6 +195,7 @@ int ssl_version = CURL_SSLVERSION_DEFAULT; char *client_cert = NULL; char *client_privkey = NULL; char *ca_cert = NULL; +int verify_peer_and_host = FALSE; int is_openssl_callback = FALSE; #if defined(HAVE_SSL) && defined(USE_OPENSSL) X509 *cert = NULL; @@ -489,9 +490,11 @@ check_http (void) if (client_privkey) handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLKEY, client_privkey), "CURLOPT_SSLKEY"); if (ca_cert) { + handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CAINFO, ca_cert), "CURLOPT_CAINFO"); + } + if (ca_cert || verify_peer_and_host) { /* per default if we have a CA verify both the peer and the * hostname in the certificate, can be switched off later */ - handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CAINFO, ca_cert), "CURLOPT_CAINFO"); handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1), "CURLOPT_SSL_VERIFYPEER"); handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2), "CURLOPT_SSL_VERIFYHOST"); } else { @@ -1159,6 +1162,7 @@ process_arguments (int argc, char **argv) {"client-cert", required_argument, 0, 'J'}, {"private-key", required_argument, 0, 'K'}, {"ca-cert", required_argument, 0, CA_CERT_OPTION}, + {"verify-cert", no_argument, 0, 'D'}, {"useragent", required_argument, 0, 'A'}, {"header", required_argument, 0, 'k'}, {"no-body", no_argument, 0, 'N'}, @@ -1193,7 +1197,7 @@ process_arguments (int argc, char **argv) server_url = strdup(DEFAULT_SERVER_URL); while (1) { - c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:nlLS::m:M:NE", longopts, &option); + c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:DnlLS::m:M:NE", longopts, &option); if (c == -1 || c == EOF || c == 1) break; @@ -1332,6 +1336,11 @@ process_arguments (int argc, char **argv) test_file(optarg); ca_cert = optarg; goto enable_ssl; +#endif +#ifdef LIBCURL_FEATURE_SSL + case 'D': /* verify peer certificate & host */ + verify_peer_and_host = TRUE; + goto enable_ssl; #endif case 'S': /* use SSL */ #ifdef LIBCURL_FEATURE_SSL @@ -1703,6 +1712,8 @@ print_help (void) printf (" %s\n", _("matching the client certificate")); printf (" %s\n", "--ca-cert=FILE"); printf (" %s\n", _("CA certificate file to verify peer against")); + printf (" %s\n", "-D, --verify-cert"); + printf (" %s\n", _("Verify the peer's SSL certificate and hostname")); #endif printf (" %s\n", "-e, --expect=STRING"); @@ -1836,7 +1847,7 @@ print_usage (void) { printf ("%s\n", _("Usage:")); printf (" %s -H | -I [-u ] [-p ]\n",progname); - printf (" [-J ] [-K ] [--ca-cert ]\n"); + printf (" [-J ] [-K ] [--ca-cert ] [-D]\n"); printf (" [-w ] [-c ] [-t ] [-L] [-E] [-a auth]\n"); printf (" [-b proxy_auth] [-f ]\n"); printf (" [-e ] [-d string] [-s string] [-l] [-r | -R ]\n"); diff --git a/plugins/t/check_curl.t b/plugins/t/check_curl.t index 4bff538a..55577add 100644 --- a/plugins/t/check_curl.t +++ b/plugins/t/check_curl.t @@ -9,7 +9,7 @@ use Test::More; use POSIX qw/mktime strftime/; use NPTest; -plan tests => 57; +plan tests => 58; my $successOutput = '/OK.*HTTP.*second/'; @@ -94,6 +94,9 @@ SKIP: { $res = NPTest->testCmd("./$plugin -v -H $host_tls_http:443 -S -p 443"); like( $res->output, '/^Host: '.$host_tls_http.'\s*$/ms', "Host Header OK" ); + + $res = NPTest->testCmd("./$plugin -v -H $host_tls_http -D -p 443"); + like( $res->output, '/(^Host: '.$host_tls_http.'\s*$)|(cURL returned 60)/ms', "Host Header OK" ); }; SKIP: { -- cgit v1.2.3-74-g34f1 From 5ab03a70950cecf5fe4ab52a3c4f9b0f6ac98939 Mon Sep 17 00:00:00 2001 From: Aksel Sjögren Date: Wed, 28 Apr 2021 15:48:20 +0200 Subject: Fix conditional tests for check_http, check_curl Set correct number of tests in skip- blocks to avoid the error "Bad plan. You planned 50 tests but ran 55" when run with/without /usr/bin/faketime and NP_INTERNET_ACCESS=yes/no. --- plugins/t/check_curl.t | 4 ++-- plugins/t/check_http.t | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'plugins/t/check_curl.t') diff --git a/plugins/t/check_curl.t b/plugins/t/check_curl.t index a4f1dfb3..4f4124b3 100644 --- a/plugins/t/check_curl.t +++ b/plugins/t/check_curl.t @@ -84,7 +84,7 @@ like( $res->output, '/^Host: testhost:8001\s*$/ms', "Host Header OK" ); like( $res->output, '/CURLOPT_URL: http:\/\/'.$host_tcp_http.':80\//ms', "Url OK" ); SKIP: { - skip "No internet access", 3 if $internet_access eq "no"; + skip "No internet access", 4 if $internet_access eq "no"; $res = NPTest->testCmd("./$plugin -v -H $host_tls_http -S"); like( $res->output, '/^Host: '.$host_tls_http.'\s*$/ms', "Host Header OK" ); @@ -120,7 +120,7 @@ SKIP: { cmp_ok( $res->return_code, "==", 0, "And also when not found"); } SKIP: { - skip "No internet access", 16 if $internet_access eq "no"; + skip "No internet access", 28 if $internet_access eq "no"; $res = NPTest->testCmd( "./$plugin --ssl $host_tls_http" diff --git a/plugins/t/check_http.t b/plugins/t/check_http.t index e92681e9..c137f7b4 100644 --- a/plugins/t/check_http.t +++ b/plugins/t/check_http.t @@ -103,7 +103,7 @@ SKIP: { cmp_ok( $res->return_code, "==", 0, "And also when not found"); } SKIP: { - skip "No internet access", 16 if $internet_access eq "no"; + skip "No internet access", 23 if $internet_access eq "no"; $res = NPTest->testCmd( "./$plugin --ssl $host_tls_http" @@ -135,7 +135,7 @@ SKIP: { # run some certificate checks with faketime SKIP: { - skip "No faketime binary found", 12 if !$faketime; + skip "No faketime binary found", 7 if !$faketime; $res = NPTest->testCmd("LC_TIME=C TZ=UTC ./$plugin -C 1 $host_tls_http"); like($res->output, qr/OK - Certificate '$host_tls_cert' will expire on/, "Catch cert output"); is( $res->return_code, 0, "Catch cert output exit code" ); -- cgit v1.2.3-74-g34f1 From ae2fe683e3a5e2254473777b0249efe66f24d26c Mon Sep 17 00:00:00 2001 From: Jacob Hansen Date: Tue, 18 May 2021 15:19:43 +0200 Subject: check_curl.t: Adjust test to use -f curl It appears that `-f follow` doesn't work correctly in `check_curl` at the moment. Test adjusted to use `-f curl` instead. Issue for the above created: https://github.com/monitoring-plugins/monitoring-plugins/issues/1685 Signed-off-by: Jacob Hansen --- plugins/t/check_curl.t | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'plugins/t/check_curl.t') diff --git a/plugins/t/check_curl.t b/plugins/t/check_curl.t index 4f4124b3..45ee5339 100644 --- a/plugins/t/check_curl.t +++ b/plugins/t/check_curl.t @@ -193,8 +193,7 @@ SKIP: { ); cmp_ok( $res->return_code, "==", 0, "Can read https for www.e-paycobalt.com (uses AES certificate)" ); - - $res = NPTest->testCmd( "./$plugin -H www.mozilla.com -u /firefox -f follow" ); + $res = NPTest->testCmd( "./$plugin -H www.mozilla.com -u /firefox -f curl" ); is( $res->return_code, 0, "Redirection based on location is okay"); $res = NPTest->testCmd( "./$plugin -H www.mozilla.com --extended-perfdata" ); -- cgit v1.2.3-74-g34f1 From 63cb7ecfcf8d5b6c9f2be704eee7fa7cd9216f88 Mon Sep 17 00:00:00 2001 From: Barak Shohat Date: Mon, 24 May 2021 13:42:43 +0300 Subject: check_curl.c: bugfix: verify certificates option should not force SSL to be used --- plugins/check_curl.c | 2 +- plugins/t/check_curl.t | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'plugins/t/check_curl.t') diff --git a/plugins/check_curl.c b/plugins/check_curl.c index 3e0a6f94..d29db0a6 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c @@ -1346,7 +1346,7 @@ process_arguments (int argc, char **argv) #ifdef LIBCURL_FEATURE_SSL case 'D': /* verify peer certificate & host */ verify_peer_and_host = TRUE; - goto enable_ssl; + break; #endif case 'S': /* use SSL */ #ifdef LIBCURL_FEATURE_SSL diff --git a/plugins/t/check_curl.t b/plugins/t/check_curl.t index 45ee5339..ada6a045 100644 --- a/plugins/t/check_curl.t +++ b/plugins/t/check_curl.t @@ -95,7 +95,7 @@ SKIP: { $res = NPTest->testCmd("./$plugin -v -H $host_tls_http:443 -S -p 443"); like( $res->output, '/^Host: '.$host_tls_http.'\s*$/ms', "Host Header OK" ); - $res = NPTest->testCmd("./$plugin -v -H $host_tls_http -D -p 443"); + $res = NPTest->testCmd("./$plugin -v -H $host_tls_http -D -S -p 443"); like( $res->output, '/(^Host: '.$host_tls_http.'\s*$)|(cURL returned 60)/ms', "Host Header OK" ); }; -- cgit v1.2.3-74-g34f1 From 65fc7064295ac70d1388fa4db4d4d2cddd531e24 Mon Sep 17 00:00:00 2001 From: Lorenz <12514511+RincewindsHat@users.noreply.github.com> Date: Wed, 20 Jul 2022 13:33:49 +0200 Subject: Remove check_http and check_curl test which are somehow always failing (#1777) * Remove failing checks for check_http * Remove failing checks for check_curl --- plugins/t/check_curl.t | 7 +------ plugins/t/check_http.t | 8 +------- 2 files changed, 2 insertions(+), 13 deletions(-) (limited to 'plugins/t/check_curl.t') diff --git a/plugins/t/check_curl.t b/plugins/t/check_curl.t index ada6a045..693f4b25 100644 --- a/plugins/t/check_curl.t +++ b/plugins/t/check_curl.t @@ -9,7 +9,7 @@ use Test::More; use POSIX qw/mktime strftime/; use NPTest; -plan tests => 58; +plan tests => 57; my $successOutput = '/OK.*HTTP.*second/'; @@ -188,11 +188,6 @@ SKIP: { like ( $res->output, '/time_connect=[\d\.]+/', 'Extended Performance Data Output OK' ); like ( $res->output, '/time_ssl=[\d\.]+/', 'Extended Performance Data SSL Output OK' ); - $res = NPTest->testCmd( - "./$plugin --ssl -H www.e-paycobalt.com" - ); - cmp_ok( $res->return_code, "==", 0, "Can read https for www.e-paycobalt.com (uses AES certificate)" ); - $res = NPTest->testCmd( "./$plugin -H www.mozilla.com -u /firefox -f curl" ); is( $res->return_code, 0, "Redirection based on location is okay"); diff --git a/plugins/t/check_http.t b/plugins/t/check_http.t index c137f7b4..0c866229 100644 --- a/plugins/t/check_http.t +++ b/plugins/t/check_http.t @@ -9,7 +9,7 @@ use Test::More; use POSIX qw/mktime strftime/; use NPTest; -plan tests => 50; +plan tests => 49; my $successOutput = '/OK.*HTTP.*second/'; @@ -166,12 +166,6 @@ SKIP: { like ( $res->output, '/time_connect=[\d\.]+/', 'Extended Performance Data Output OK' ); like ( $res->output, '/time_ssl=[\d\.]+/', 'Extended Performance Data SSL Output OK' ); - $res = NPTest->testCmd( - "./$plugin --ssl -H www.e-paycobalt.com" - ); - cmp_ok( $res->return_code, "==", 0, "Can read https for www.e-paycobalt.com (uses AES certificate)" ); - - $res = NPTest->testCmd( "./$plugin -H www.mozilla.com -u /firefox -f follow" ); is( $res->return_code, 0, "Redirection based on location is okay"); -- cgit v1.2.3-74-g34f1 From 4a5ddd201119260028db6a4f27027d72aa9a160a Mon Sep 17 00:00:00 2001 From: Lorenz <12514511+RincewindsHat@users.noreply.github.com> Date: Mon, 7 Nov 2022 17:48:28 +0100 Subject: Check curl detect ipv6 (#1809) * If server_address is an IPv6 address surround it with brackets * If the message is too short, we should not have an underflow * Add simple conditional test case available if IPv6 is --- .github/workflows/test.yml | 2 +- plugins/check_curl.c | 22 ++++++++++++++++++---- plugins/t/check_curl.t | 39 ++++++++++++++++++++++++++++----------- 3 files changed, 47 insertions(+), 16 deletions(-) (limited to 'plugins/t/check_curl.t') diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d2785a41..80d49f7e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -40,7 +40,7 @@ jobs: ${{ matrix.distro }} \ /bin/sh -c '${{ matrix.prepare }} && \ tools/setup && \ - ./configure --enable-libtap --with-ipv6=no && \ + ./configure --enable-libtap --with-ipv6=no && \ make && \ make test' docker container prune -f diff --git a/plugins/check_curl.c b/plugins/check_curl.c index a69854a8..2ad373c0 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c @@ -476,6 +476,18 @@ check_http (void) printf ("* curl CURLOPT_RESOLVE: %s\n", dnscache); } + // If server_address is an IPv6 address it must be surround by square brackets + struct in6_addr tmp_in_addr; + if (inet_pton(AF_INET6, server_address, &tmp_in_addr) == 1) { + char *new_server_address = malloc(strlen(server_address) + 3); + if (new_server_address == NULL) { + die(STATE_UNKNOWN, "HTTP UNKNOWN - Unable to allocate memory\n"); + } + snprintf(new_server_address, strlen(server_address)+3, "[%s]", server_address); + free(server_address); + server_address = new_server_address; + } + /* compose URL: use the address we want to connect to, set Host: header later */ snprintf (url, DEFAULT_BUFFER_SIZE, "%s://%s:%d%s", use_ssl ? "https" : "http", @@ -999,10 +1011,12 @@ GOT_FIRST_CERT: result = max_state_alt(get_status(total_time, thlds), result); /* Cut-off trailing characters */ - if(msg[strlen(msg)-2] == ',') - msg[strlen(msg)-2] = '\0'; - else - msg[strlen(msg)-3] = '\0'; + if (strlen(msg) >= 2) { + if(msg[strlen(msg)-2] == ',') + msg[strlen(msg)-2] = '\0'; + else + msg[strlen(msg)-3] = '\0'; + } /* TODO: separate _() msg and status code: die (result, "HTTP %s: %s\n", state_text(result), msg); */ die (result, "HTTP %s: %s %d %s%s%s - %d bytes in %.3f second response time %s|%s\n%s%s", diff --git a/plugins/t/check_curl.t b/plugins/t/check_curl.t index 693f4b25..eae98cc1 100644 --- a/plugins/t/check_curl.t +++ b/plugins/t/check_curl.t @@ -1,15 +1,22 @@ #! /usr/bin/perl -w -I .. # -# HyperText Transfer Protocol (HTTP) Test via check_http +# HyperText Transfer Protocol (HTTP) Test via check_curl # # use strict; use Test::More; use POSIX qw/mktime strftime/; -use NPTest; -plan tests => 57; +use vars qw($tests $has_ipv6); + +BEGIN { + use NPTest; + $has_ipv6 = NPTest::has_ipv6(); + $tests = $has_ipv6 ? 59 : 57; + plan tests => $tests; +} + my $successOutput = '/OK.*HTTP.*second/'; @@ -18,6 +25,7 @@ my $plugin = 'check_http'; $plugin = 'check_curl' if $0 =~ m/check_curl/mx; my $host_tcp_http = getTestParameter("NP_HOST_TCP_HTTP", "A host providing the HTTP Service (a web server)", "localhost"); +my $host_tcp_http_ipv6 = getTestParameter("NP_HOST_TCP_HTTP_IPV6", "An IPv6 address providing a HTTP Service (a web server)", "::1"); my $host_tls_http = getTestParameter("NP_HOST_TLS_HTTP", "A host providing the HTTPS Service (a tls web server)", "localhost"); my $host_tls_cert = getTestParameter("NP_HOST_TLS_CERT", "the common name of the certificate.", "localhost"); my $host_nonresponsive = getTestParameter("NP_HOST_NONRESPONSIVE", "The hostname of system not responsive to network requests", "10.0.0.1"); @@ -31,26 +39,35 @@ my $faketime = -x '/usr/bin/faketime' ? 1 : 0; $res = NPTest->testCmd( - "./$plugin $host_tcp_http -wt 300 -ct 600" - ); + "./$plugin $host_tcp_http -wt 300 -ct 600" + ); cmp_ok( $res->return_code, '==', 0, "Webserver $host_tcp_http responded" ); like( $res->output, $successOutput, "Output OK" ); +if ($has_ipv6) { + # Test for IPv6 formatting + $res = NPTest->testCmd( + "./$plugin -I $host_tcp_http_ipv6 -wt 300 -ct 600" + ); + cmp_ok( $res->return_code, '==', 0, "IPv6 URL formatting is working" ); + like( $res->output, $successOutput, "Output OK" ); +} + $res = NPTest->testCmd( - "./$plugin $host_tcp_http -wt 300 -ct 600 -v -v -v -k 'bob:there' -k 'carl:frown'" - ); + "./$plugin $host_tcp_http -wt 300 -ct 600 -v -v -v -k 'bob:there' -k 'carl:frown'" + ); like( $res->output, '/bob:there\r\ncarl:frown\r\n/', "Got headers with multiple -k options" ); $res = NPTest->testCmd( - "./$plugin $host_nonresponsive -wt 1 -ct 2 -t 3" - ); + "./$plugin $host_nonresponsive -wt 1 -ct 2 -t 3" + ); cmp_ok( $res->return_code, '==', 2, "Webserver $host_nonresponsive not responding" ); # was CRITICAL only, but both check_curl and check_http print HTTP CRITICAL (puzzle?!) like( $res->output, "/HTTP CRITICAL - Invalid HTTP response received from host on port 80: cURL returned 28 - Connection timed out after/", "Output OK"); $res = NPTest->testCmd( - "./$plugin $hostname_invalid -wt 1 -ct 2" - ); + "./$plugin $hostname_invalid -wt 1 -ct 2" + ); cmp_ok( $res->return_code, '==', 2, "Webserver $hostname_invalid not valid" ); # The first part of the message comes from the OS catalogue, so cannot check this. # On Debian, it is Name or service not known, on Darwin, it is No address associated with nodename -- cgit v1.2.3-74-g34f1