commit 869830ffb3f51c812da10d2f0b43a807eef50b56 Author: Knut Ahlers Date: Sat Oct 17 17:43:28 2020 +0200 Initial version
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c5d0288
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.env
+mondash-checkgpg
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..583cf8e
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,202 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2020- Knut Ahlers + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/README.md b/README.md new file mode 100644 index 0000000..8a03e78 --- /dev/null +++ b/README.md 
@@ -0,0 +1,29 @@
+[![Go Report Card](https://goreportcard.com/badge/github.com/Luzifer/mondash-checkgpg)](https://goreportcard.com/report/github.com/Luzifer/mondash-checkgpg)
+![](https://badges.fyi/github/license/Luzifer/mondash-checkgpg)
+![](https://badges.fyi/github/downloads/Luzifer/mondash-checkgpg)
+![](https://badges.fyi/github/latest-release/Luzifer/mondash-checkgpg)
+![](https://knut.in/project-status/mondash-checkgpg)
+
+# Luzifer / mondash-checkgpg
+
+`mondash-checkgpg` is intended to watch over GPG keys uploaded to a keyserver and inform about their expiry using a [MonDash](https://mondash.org/) dashboard.
+
+## Usage
+
+```console
+# ./mondash-checkgpg --help
+Usage of ./mondash-checkgpg:
+ -c, --crit-at duration Switch state to critical if key expires within X (default 168h0m0s)
+ -k, --key strings List of keys to check
+ --key-server string Lookup path to retrieve the key from (default "http://keyserver.ubuntu.com/pks/lookup")
+ --log-level string Log level (debug, info, warn, error, fatal) (default "info")
+ --mondash-board string ID of the Mondash board to send to
+ --mondash-metric string ID of the metric to submit to (default "checkgpg")
+ --mondash-metric-expiry duration Time in seconds when to remove the metric if there is no update (default 168h0m0s)
+ --mondash-metric-freshness duration Time in seconds when to switch to stale state of there is no update (default 168h0m0s)
+ --mondash-token string Token with write access to the board
+ --version Prints current version and exits
+ -w, --warn-at duration Switch state to warning if key expires within X (default 336h0m0s)
+
+# ./mondash-checkgpg --mondash-board --mondash-token --key 0x43A4CD1C19DAE8558D40088E0066F03ED215AD7D
+```
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..2e320c7
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,11 @@
+module github.com/Luzifer/mondash-checkgpg
+
+go 1.15
+
+require (
+ github.com/Luzifer/mondash v2.2.3+incompatible
+ github.com/Luzifer/rconfig/v2 v2.2.1
+ github.com/pkg/errors v0.9.1
+ github.com/sirupsen/logrus v1.7.0
+ golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..5ee7329
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,29 @@
+github.com/Luzifer/mondash v1.14.2 h1:q4rX5PsVdzESwpT05d3Sc5qi+EyL3kYsw29CmhH2Jks=
+github.com/Luzifer/mondash v2.2.3+incompatible h1:zzI7MX4gHnWg1A+zAkfpOUV3wqZhtlLyctxNSfL18sI=
+github.com/Luzifer/mondash v2.2.3+incompatible/go.mod h1:lUN6Mag+P6SgIn9YK3WJoRW5l2AWX7Qcs5XZ1Tt1HBo=
+github.com/Luzifer/rconfig v1.2.0 h1:waD1sqasGVSQSrExpLrQ9Q1JmMaltrS391VdOjWXP/I=
+github.com/Luzifer/rconfig/v2 v2.2.1 h1:zcDdLQlnlzwcBJ8E0WFzOkQE1pCMn3EbX0dFYkeTczg=
+github.com/Luzifer/rconfig/v2 v2.2.1/go.mod h1:OKIX0/JRZrPJ/ZXXWklQEFXA6tBfWaljZbW37w+sqBw=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg=
+github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee h1:4yd7jl+vXjalO5ztz6Vc1VADv+S/80LGJmyl1ROJ2AI=
+golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 h1:YyJpGZS1sBuBCzLAR1VEpK193GlqGZbnPFnPV/5Rsb4=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/validator.v2 v2.0.0-20180514200540-135c24b11c19 h1:WB265cn5OpO+hK3pikC9hpP1zI/KTwmyMFKloW9eOVc=
+gopkg.in/validator.v2 v2.0.0-20180514200540-135c24b11c19/go.mod h1:o4V0GXN9/CAmCsvJ0oXYZvrZOe7syiDZSN1GWGZTGzc=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/gpg.go b/gpg.go
new file mode 100644
index 0000000..3450ed6
--- /dev/null
+++ b/gpg.go
@@ -0,0 +1,136 @@
+package main
+
+import (
+ "context"
+ "fmt"
+ "net/http"
+ "net/url"
+ "time"
+
+ "github.com/pkg/errors"
+ log "github.com/sirupsen/logrus"
+ "golang.org/x/crypto/openpgp"
+ "golang.org/x/crypto/openpgp/armor"
+ "golang.org/x/crypto/openpgp/packet"
+
+ mondash "github.com/Luzifer/mondash/client"
+)
+
+func getKeyFromKeyserver(ctx context.Context, keyID string) (*openpgp.Entity, error) {
+ uri, err := url.Parse(cfg.KeyServer)
+ if err != nil {
+ return nil, errors.Wrap(err, "parse keyserver lookup url")
+ }
+
+ params := url.Values{
+ "op": []string{"get"},
+ "search": []string{keyID},
+ }
+
+ uri.RawQuery = params.Encode()
+
+ req, _ := http.NewRequestWithContext(ctx, http.MethodGet, uri.String(), nil)
+ resp, err := http.DefaultClient.Do(req)
+ if err != nil {
+ return nil, errors.Wrap(err, "execute http request")
+ }
+ defer resp.Body.Close()
+
+ if resp.StatusCode == http.StatusNotFound {
+ return nil, errors.New("key not found")
+ }
+
+ block, err := armor.Decode(resp.Body)
+ if err != nil {
+ return nil, errors.Wrap(err, "parse armored key")
+ }
+
+ ent, err := openpgp.ReadEntity(packet.NewReader(block.Body))
+ if err != nil {
+ return nil, errors.Wrap(err, "parse entity")
+ }
+
+ return ent, nil
+}
+
+func processKey(ctx context.Context, key string) (string, mondash.Status) {
+ logger := log.WithField("key", key)
+
+ e, err := getKeyFromKeyserver(ctx, key)
+ if err != nil {
+ return "Key retrieval failed", mondash.StatusUnknown
+ }
+
+ if l := len(e.Revocations); l > 0 {
+ return fmt.Sprintf("Key has %d revocation signature(s)", l), mondash.StatusCritical
+ }
+
+ var expiry *time.Time
+ for n, id := range e.Identities {
+ logger.Debugf("%s %#v", n, id)
+
+ if id.SelfSignature.KeyLifetimeSecs != nil {
+ idSelfSigExpiry := e.PrimaryKey.CreationTime.Add(time.Duration(*id.SelfSignature.KeyLifetimeSecs) * time.Second)
+ logger.WithField("id", n).Debugf("Selfsig: Identity expires: %s", idSelfSigExpiry)
+
+ if s := checkExpiry(idSelfSigExpiry); s != mondash.StatusOK {
+ return fmt.Sprintf("Identity self-signature for %q has key-expiry in %dh", n, time.Until(idSelfSigExpiry)/time.Hour), s
+ }
+
+ if expiry == nil || expiry.After(idSelfSigExpiry) {
+ expiry = &idSelfSigExpiry
+ }
+ }
+
+ for _, sig := range id.Signatures {
+ if sig.KeyLifetimeSecs == nil {
+ continue
+ }
+
+ idSigExpiry := e.PrimaryKey.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
+ logger.WithField("id", n).Debugf("Sig: Identity expires: %s", idSigExpiry)
+
+ if s := checkExpiry(idSigExpiry); s != mondash.StatusOK {
+ return fmt.Sprintf("Identity signature for %q has key-expiry in %dh", n, time.Until(idSigExpiry)/time.Hour), s
+ }
+
+ if expiry == nil || expiry.After(idSigExpiry) {
+ expiry = &idSigExpiry
+ }
+ }
+ }
+
+ for _, sk := range e.Subkeys {
+ if sk.Sig.KeyLifetimeSecs == nil {
+ continue
+ }
+
+ skExp := sk.PublicKey.CreationTime.Add(time.Duration(*sk.Sig.KeyLifetimeSecs) * time.Second)
+ logger.Debugf("Subkey signature expires: %s", skExp)
+
+ if s := checkExpiry(skExp); s != mondash.StatusOK {
+ return fmt.Sprintf("Subkey signature has key-expiry in %dh", time.Until(skExp)/time.Hour), s
+ }
+
+ if expiry == nil || expiry.After(skExp) {
+ expiry = &skExp
+ }
+ }
+
+ if expiry != nil {
+ return fmt.Sprintf("Key looks good (expires in %dh)", time.Until(*expiry)/time.Hour), mondash.StatusOK
+ }
+
+ return "Key looks good (does not expire)", mondash.StatusOK
+}
+
+func checkExpiry(ex time.Time) mondash.Status {
+ switch {
+ case time.Until(ex) < cfg.CritAt:
+ return mondash.StatusCritical
+ case time.Until(ex) < cfg.WarnAt:
+ return mondash.StatusWarning
+ default:
+ return mondash.StatusOK
+ }
+}
diff --git a/main.go b/main.go
new file mode 100644
index 0000000..b6da0c1
--- /dev/null
+++ b/main.go
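Review bot: getKeyFromKeyserver accepts whatever entity the keyserver returns without checking it against `keyID`: the ID only goes out in the `search` parameter, and the entity from `openpgp.ReadEntity` is used as-is, so a keyserver (or, with the plaintext `http://` default configured in main.go, anything on the path) can answer with a different key and the expiry verdict is then computed for that key. Comparing the requested ID, minus a leading `0x`, as an upper-case hex suffix of `ent.PrimaryKey.Fingerprint` closes this for both key IDs and full fingerprints; the excerpt below does that (it needs `strings` imported). The same function special-cases only 404, so any other non-200 body is fed to `armor.Decode` and reported as "parse armored key" — checking `resp.StatusCode != http.StatusOK` first surfaces the real cause. In processKey the `logger` is created but the error from getKeyFromKeyserver is turned into a bare "Key retrieval failed" without being logged; `logger.WithError(err).Error("Unable to retrieve key")` before that return keeps the cause in the log.
```go
	if resp.StatusCode != http.StatusOK {
		return nil, errors.Errorf("unexpected keyserver response status %d", resp.StatusCode)
	}
	// … unchanged: armor.Decode / openpgp.ReadEntity …

	// Make sure the keyserver handed back the key that was asked for, not an
	// arbitrary one: the requested ID (short, long or full fingerprint, with
	// or without a 0x prefix) must be a suffix of the primary key fingerprint.
	want := strings.ToUpper(strings.TrimPrefix(keyID, "0x"))
	got := fmt.Sprintf("%X", ent.PrimaryKey.Fingerprint)
	if want == "" || !strings.HasSuffix(got, want) {
		return nil, errors.Errorf("keyserver returned key %s, expected %s", got, want)
	}

	return ent, nil
```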
@@ -0,0 +1,99 @@
+package main
+
+import (
+ "context"
+ "fmt"
+ "os"
+ "strings"
+ "time"
+
+ log "github.com/sirupsen/logrus"
+
+ mondash "github.com/Luzifer/mondash/client"
+ "github.com/Luzifer/rconfig/v2"
+)
+
+var (
+ cfg = struct {
+ CritAt time.Duration `flag:"crit-at,c" default:"168h" description:"Switch state to critical if key expires within X"`
+ Keys []string `flag:"key,k" description:"List of keys to check"`
+ KeyServer string `flag:"key-server" default:"http://keyserver.ubuntu.com/pks/lookup" description:"Lookup path to retrieve the key from"`
+ LogLevel string `flag:"log-level" default:"info" description:"Log level (debug, info, warn, error, fatal)"`
+ MondashBoard string `flag:"mondash-board" default:"" description:"ID of the Mondash board to send to" validate:"nonzero"`
+ MondashMetric string `flag:"mondash-metric" default:"checkgpg" description:"ID of the metric to submit to"`
+ MondashMetricExpiry time.Duration `flag:"mondash-metric-expiry" default:"168h" description:"Time in seconds when to remove the metric if there is no update"`
+ MondashMetricFreshness time.Duration `flag:"mondash-metric-freshness" default:"168h" description:"Time in seconds when to switch to stale state of there is no update"`
+ MondashToken string `flag:"mondash-token" default:"" description:"Token with write access to the board" validate:"nonzero"`
+ VersionAndExit bool `flag:"version" default:"false" description:"Prints current version and exits"`
+ WarnAt time.Duration `flag:"warn-at,w" default:"336h" description:"Switch state to warning if key expires within X"`
+ }{}
+
+ version = "dev"
+)
+
+func init() {
+ rconfig.AutoEnv(true)
+ if err := rconfig.ParseAndValidate(&cfg); err != nil {
+ log.Fatalf("Unable to parse commandline options: %s", err)
+ }
+
+ if cfg.VersionAndExit {
+ fmt.Printf("mondash-checkgpg %s\n", version)
+ os.Exit(0)
+ }
+
+ if l, err := log.ParseLevel(cfg.LogLevel); err != nil {
+ log.WithError(err).Fatal("Unable to parse log level")
+ } else {
+ log.SetLevel(l)
+ }
+}
+
+func main() {
+ var (
+ overallStatus = mondash.StatusUnknown
+ statusMessages []string
+ )
+
+ for _, key := range cfg.Keys {
+ msg, state := processKey(context.Background(), key)
+ overallStatus = calcStatus(overallStatus, state)
+ statusMessages = append(statusMessages, fmt.Sprintf("0x%s: %s",
+ key[len(key)-8:],
+ msg,
+ ))
+ }
+
+ if err := mondash.New(cfg.MondashBoard, cfg.MondashToken).
+ PostMetric(&mondash.PostMetricInput{
+ MetricID: cfg.MondashMetric,
+ Title: "GPG Key Status",
+ Description: strings.Join(statusMessages, "\n"),
+ Status: overallStatus,
+ Expires: int64(cfg.MondashMetricExpiry / time.Second),
+ Freshness: int64(cfg.MondashMetricFreshness / time.Second),
+ IgnoreMAD: true,
+ HideMAD: true,
+ HideValue: true,
+ }); err != nil {
+ log.WithError(err).Fatal("Unable to submit metric")
+ }
+}
+
+func calcStatus(o, n mondash.Status) mondash.Status {
+ scores := map[mondash.Status]int{
+ mondash.StatusUnknown: 0,
+ mondash.StatusOK: 1,
+ mondash.StatusWarning: 2, //nolint: gomnd // Makes no sense to extract to a constant
+ mondash.StatusCritical: 3, //nolint: gomnd // Makes no sense to extract to a constant
+ }
+
+ switch {
+ case o == n:
+ return o
+ case scores[o] < scores[n]:
+ return n
+ default:
+ return o
+ }
+}
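Review bot: `key[len(key)-8:]` in main panics with a slice-bounds error for any `--key` value shorter than eight bytes (a short key ID given without a `0x` prefix, for instance), taking the whole run down before the metric is posted; a guard such as `suffix := key; if len(key) > 8 { suffix = key[len(key)-8:] }` keeps the abbreviated message for long IDs and prints short ones as given. Two flag descriptions in the `cfg` struct do not match what the flags accept: `mondash-metric-expiry` and `mondash-metric-freshness` are parsed as durations (defaults `168h`) but documented as "Time in seconds", and the freshness text reads "stale state of there is no update" where "if" is meant — `description:"Duration after which the metric is removed if there is no update"` and `description:"Duration after which the metric is marked stale if there is no update"` would be accurate. Since `rconfig.AutoEnv(true)` is already enabled, the `mondash-token` description could also point at the environment-variable form rconfig derives from the flag name, so the write token need not appear on the command line where it is visible in the process list.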