promcertcheck/main.go

package main // import "github.com/Luzifer/promcertcheck"

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/url"
	"os"
	"path/filepath"
	"strings"
	"time"

	"github.com/Luzifer/rconfig"
	"github.com/gorilla/mux"
	"github.com/prometheus/client_golang/prometheus"
	"github.com/robfig/cron"
	log "github.com/sirupsen/logrus"
)

var (
	cfg struct {
		ExpireWarning  time.Duration `flag:"expire-warning" default:"744h" description:"When to warn about a soon expiring certificate"`
		RootsDir       string        `flag:"roots-dir" default:"" description:"Directory to load custom RootCA certs from to be trusted (*.pem)"`
		LogLevel       string        `flag:"log-level" default:"info" description:"Verbosity of logs to use (debug, info, warning, error, ...)"`
		Probes         []string      `flag:"probe" default:"" description:"URLs to check for certificate issues"`
		VersionAndExit bool          `flag:"version" default:"false" description:"Print program version and exit"`
	}

	version = "dev"

	probeMonitors = map[string]*probeMonitor{}
	rootPool      *x509.CertPool

	redirectFoundError = errors.New("Found a redirect")
)

type probeMonitor struct {
	IsValid     prometheus.Gauge `json:"-"`
	Expires     prometheus.Gauge `json:"-"`
	Status      probeResult
	Certificate *x509.Certificate
}

func init() {
	if err := rconfig.Parse(&cfg); err != nil {
		log.Fatalf("Unable to parse CLI parameters: %s", err)
	}

	if cfg.VersionAndExit {
		fmt.Printf("promcertcheck %s\n", version)
		os.Exit(0)
	}

	if logLevel, err := log.ParseLevel(cfg.LogLevel); err == nil {
		log.SetLevel(logLevel)
	} else {
		log.Fatalf("Unable to parse log level: %s", err)
	}
}

func main() {
	http.DefaultClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
		return redirectFoundError
	}
	http.DefaultClient.Transport = &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}

	var err error
	if rootPool, err = x509.SystemCertPool(); err != nil {
		log.WithError(err).Fatal("Unable to load system RootCA pool")
	}

	if err = loadAdditionalRootCAPool(); err != nil {
		log.WithError(err).Fatal("Could not load intermediate certificates")
	}

	registerProbes()
	refreshCertificateStatus()

	fmt.Printf("PromCertcheck %s...\nStarting to listen on 0.0.0.0:3000\n", version)

	c := cron.New()
	c.AddFunc("0 0 * * * *", refreshCertificateStatus)
	c.Start()

	r := mux.NewRouter()
	r.Handle("/metrics", prometheus.Handler())
	r.HandleFunc("/", htmlHandler)
	r.HandleFunc("/httpStatus", httpStatusHandler)
	r.HandleFunc("/results.json", jsonHandler)
	http.ListenAndServe(":3000", r)
}

func loadAdditionalRootCAPool() error {
	if cfg.RootsDir == "" {
		// Nothing specified, not loading anything but sys certs
		return nil
	}

	return filepath.Walk(cfg.RootsDir, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}

		if !strings.HasSuffix(path, ".pem") || info.IsDir() {
			// Likely not a certificate, ignore
			return nil
		}

		pem, err := ioutil.ReadFile(path)
		if err != nil {
			return err
		}

		if ok := rootPool.AppendCertsFromPEM(pem); !ok {
			return fmt.Errorf("Failed to load certificate %q", path)
		}

		log.WithFields(log.Fields{"path": path}).Debug("Loaded RootCA certificate")

		return nil
	})
}

func registerProbes() {
	for _, probe := range cfg.Probes {
		probeURL, _ := url.Parse(probe)

		monitors := &probeMonitor{}
		monitors.Expires = prometheus.NewGauge(prometheus.GaugeOpts{
			Name: "certcheck_expires",
			Help: "Expiration date in unix timestamp (UTC)",
			ConstLabels: prometheus.Labels{
				"host": probeURL.Host,
			},
		})
		monitors.IsValid = prometheus.NewGauge(prometheus.GaugeOpts{
			Name: "certcheck_valid",
			Help: "Validity of the certificate (0/1)",
			ConstLabels: prometheus.Labels{
				"host": probeURL.Host,
			},
		})

		prometheus.MustRegister(monitors.Expires)
		prometheus.MustRegister(monitors.IsValid)

		probeMonitors[probeURL.Host] = monitors
	}
}

func refreshCertificateStatus() {
	for _, probe := range cfg.Probes {
		probeURL, _ := url.Parse(probe)
		verificationResult, verifyCert := checkCertificate(probeURL)

		probeLog := log.WithFields(log.Fields{
			"host":   probeURL.Host,
			"result": verificationResult,
		})
		if verifyCert != nil {
			probeLog = probeLog.WithFields(log.Fields{
				"version":   verifyCert.Version,
				"serial":    verifyCert.SerialNumber,
				"subject":   verifyCert.Subject.CommonName,
				"expires":   verifyCert.NotAfter,
				"issuer":    verifyCert.Issuer.CommonName,
				"alt_names": strings.Join(verifyCert.DNSNames, ", "),
			})
		}
		probeLog.Debug("Probe finished")

		if verifyCert != nil {
			probeMonitors[probeURL.Host].Expires.Set(float64(verifyCert.NotAfter.UTC().Unix()))
		}

		switch verificationResult {
		case certificateExpiresSoon, certificateOK:
			probeMonitors[probeURL.Host].IsValid.Set(1)
		case certificateInvalid, certificateNotFound:
			probeMonitors[probeURL.Host].IsValid.Set(0)
		default:
			probeMonitors[probeURL.Host].IsValid.Set(0)
		}
		probeMonitors[probeURL.Host].Status = verificationResult
		probeMonitors[probeURL.Host].Certificate = verifyCert
	}
}

func inSlice(slice []string, needle string) bool {
	for _, i := range slice {
		if i == needle {
			return true
		}
	}

	return false
}