Make check:certificate simpler
flavioheleno committed Sep 18, 2023
1 parent 851aba0 commit 0926d74
Showing 2 changed files with 61 additions and 109 deletions.
71 changes: 23 additions & 48 deletions src/Console/Commands/Check/CheckAllCommand.php
Expand Up @@ -47,57 +47,33 @@ protected function configure(): void {
InputOption::VALUE_NONE,
'Skips all certificate related validations'
)
->addOption(
'skip-certificate-expiration-date',
null,
InputOption::VALUE_NONE,
'Skip Certificate expiration date validation'
)
->addOption(
'certificate-expiration-threshold',
null,
InputOption::VALUE_REQUIRED,
'Number of days left to certificate expiration that will trigger an error',
'Number of days until the certification expiration date',
5
)
->addOption(
'skip-certificate-fingerprint',
null,
InputOption::VALUE_NONE,
'Skip Certificate Fingerprint validation'
)
->addOption(
'certificate-fingerprint',
'fingerprint',
null,
InputOption::VALUE_REQUIRED,
'Certificate\'s Fingerprint'
'Match the certificate SHA-256 Fingerprint'
)
->addOption(
'skip-certificate-serial-number',
null,
InputOption::VALUE_NONE,
'Skip Certificate Serial Number validation'
)
->addOption(
'certificate-serial-number',
'serial-number',
null,
InputOption::VALUE_REQUIRED,
'Certificate\'s Serial Number'
'Match the certificate Serial Number'
)
->addOption(
'skip-certificate-issuer-name',
null,
InputOption::VALUE_NONE,
'Skip Certificate issuer name validation'
)
->addOption(
'certificate-issuer-name',
'issuer-name',
null,
InputOption::VALUE_REQUIRED,
'Certificate Authority that issued the TLS Certificate'
'Match the Certificate Authority (CA) that issued the TLS Certificate'
)
->addOption(
'skip-certificate-ocsp-revoked',
'skip-ocsp-revoked',
null,
InputOption::VALUE_NONE,
'Skip Certificate OCSP revocation validation'
Expand All @@ -116,19 +92,26 @@ protected function configure(): void {
}

protected function execute(InputInterface $input, OutputInterface $output): int {
// check:domain options
$domainExpirationThreshold = (int)$input->getOption('domain-expiration-threshold');
$registrarName = (string)$input->getOption('registrar-name');
$statusCodes = (array)$input->getOption('status-codes');

// check:certificate options
$certificateExpirationThreshold = (int)$input->getOption('certificate-expiration-threshold');
$fingerprint = (string)$input->getOption('fingerprint');
$serialNumber = (string)$input->getOption('serial-number');
$issuerName = (string)$input->getOption('issuer-name');

$checks = [
'domainExpirationDate' => $domainExpirationThreshold > 0,
'domainRegistrarName' => $registrarName !== '',
'domainStatusCodes' => $statusCodes !== [],
'certificateExpirationDate' => (bool)$input->getOption('skip-certificate-expiration-date') === false,
'certificateFingerprint' => (bool)$input->getOption('skip-certificate-fingerprint') === false,
'certificateSerialNumber' => (bool)$input->getOption('skip-certificate-serial-number') === false,
'certificateIssuerName' => (bool)$input->getOption('skip-certificate-issuer-name') === false,
'certificateOcspRevoked' => (bool)$input->getOption('skip-certificate-ocsp-revoked') === false
'certificateExpirationDate' => $certificateExpirationThreshold > 0,
'certificateFingerprint' => $fingerprint !== '',
'certificateSerialNumber' => $serialNumber !== '',
'certificateIssuerName' => $issuerName !== '',
'certificateOcspRevoked' => (bool)$input->getOption('skip-ocsp-revoked') === false
];

// skips all domain related validations
Expand Down Expand Up @@ -157,10 +140,6 @@ protected function execute(InputInterface $input, OutputInterface $output): int
$checks['certificateOcspRevoked'] = false;
}

$certificateExpirationThreshold = (int)$input->getOption('certificate-expiration-threshold');
$certificateFingerprint = (string)$input->getOption('certificate-fingerprint');
$certificateSerialNumber = (string)$input->getOption('certificate-serial-number');
$certificateIssuerName = (string)$input->getOption('certificate-issuer-name');

$failFast = (bool)$input->getOption('fail-fast');
$domain = $input->getArgument('domain');
Expand Down Expand Up @@ -205,15 +184,11 @@ protected function execute(InputInterface $input, OutputInterface $output): int
'command' => 'check:certificate',
'domain' => $domain,
'--fail-fast' => $failFast,
'--skip-expiration-date' => !$checks['certificateExpirationDate'],
'--skip-fingerprint' => !$checks['certificateFingerprint'],
'--skip-serial-number' => !$checks['certificateSerialNumber'],
'--skip-issuer-name' => !$checks['certificateIssuerName'],
'--skip-ocsp-revoked' => !$checks['certificateOcspRevoked'],
'--expiration-threshold' => $certificateExpirationThreshold,
'--fingerprint' => $certificateFingerprint,
'--serial-number' => $certificateSerialNumber,
'--issuer-name' => $certificateIssuerName
'--fingerprint' => $fingerprint,
'--serial-number' => $serialNumber,
'--issuer-name' => $issuerName
]
);

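Review bot: The `(int)` cast on `certificate-expiration-threshold` at the top of execute() now decides whether the expiration check runs at all (`'certificateExpirationDate' => $certificateExpirationThreshold > 0`), so a malformed value such as `--certificate-expiration-threshold=abc` casts to 0 and silently disables the check instead of failing the command, whereas before this change the check stayed on unless `--skip-certificate-expiration-date` was given explicitly. Consider validating the raw option with `filter_var($input->getOption('certificate-expiration-threshold'), FILTER_VALIDATE_INT)` and reporting an error when it is not an integer, so that disabling the check is an explicit `0` rather than a typo. The same cast-then-compare pattern is introduced in CheckCertificateCommand::execute() for `expiration-threshold`, where the existing `$errors` list is a natural place for that message. execute() continues outside the hunk, so where CheckAllCommand reports option errors is not visible here.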
99 changes: 38 additions & 61 deletions src/Console/Commands/Check/CheckCertificateCommand.php
Expand Up @@ -36,64 +36,40 @@ final class CheckCertificateCommand extends Command {

protected function configure(): void {
$this
->addOption(
'skip-expiration-date',
null,
InputOption::VALUE_NONE,
'Skip Certificate expiration date validation'
)
->addOption(
'expiration-threshold',
null,
'e',
InputOption::VALUE_REQUIRED,
'Number of days left to certificate expiration that will trigger an error',
'Number of days until the certification expiration date',
5
)
->addOption(
'skip-fingerprint',
null,
InputOption::VALUE_NONE,
'Skip Certificate Fingerprint validation'
)
->addOption(
'fingerprint',
null,
'p',
InputOption::VALUE_REQUIRED,
'Certificate\'s Fingerprint'
)
->addOption(
'skip-serial-number',
null,
InputOption::VALUE_NONE,
'Skip Certificate Serial Number validation'
'Match the certificate SHA-256 Fingerprint'
)
->addOption(
'serial-number',
null,
's',
InputOption::VALUE_REQUIRED,
'Certificate\'s Serial Number'
)
->addOption(
'skip-issuer-name',
null,
InputOption::VALUE_NONE,
'Skip Certificate issuer name validation'
'Match the certificate Serial Number'
)
->addOption(
'issuer-name',
null,
'i',
InputOption::VALUE_REQUIRED,
'Certificate Authority that issued the TLS Certificate'
'Match the Certificate Authority (CA) that issued the TLS Certificate'
)
->addOption(
'skip-ocsp-revoked',
null,
'o',
InputOption::VALUE_NONE,
'Skip Certificate OCSP revocation validation'
)
->addOption(
'fail-fast',
null,
'f',
InputOption::VALUE_NONE,
'Exit immediately when a check fails instead of running all checks'
)
Expand All @@ -105,19 +81,19 @@ protected function configure(): void {
}

protected function execute(InputInterface $input, OutputInterface $output): int {
$checks = [
'expirationDate' => (bool)$input->getOption('skip-expiration-date') === false,
'fingerprint' => (bool)$input->getOption('skip-fingerprint') === false,
'serialNumber' => (bool)$input->getOption('skip-serial-number') === false,
'issuerName' => (bool)$input->getOption('skip-issuer-name') === false,
'ocspRevoked' => (bool)$input->getOption('skip-ocsp-revoked') === false
];

$expirationThreshold = (int)$input->getOption('expiration-threshold');
$fingerprint = (string)$input->getOption('fingerprint');
$serialNumber = (string)$input->getOption('serial-number');
$issuerName = (string)$input->getOption('issuer-name');

$checks = [
'expirationDate' => $expirationThreshold > 0,
'fingerprint' => $fingerprint !== '',
'serialNumber' => $serialNumber !== '',
'issuerName' => $issuerName !== '',
'ocspRevoked' => (bool)$input->getOption('skip-ocsp-revoked') === false
];

$failFast = (bool)$input->getOption('fail-fast');
$domain = $input->getArgument('domain');

Expand All @@ -130,23 +106,28 @@ protected function execute(InputInterface $input, OutputInterface $output): int
[
[
'Expiration Date',
($checks['expirationDate'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>')
($checks['expirationDate'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>'),
$expirationThreshold > 0 ? "{$expirationThreshold} days" : '-'
],
[
'Fingerprint',
($checks['fingerprint'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>')
'SHA-256 Fingerprint',
($checks['fingerprint'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>'),
$fingerprint ?: '-'
],
[
'Serial Number',
($checks['serialNumber'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>')
($checks['serialNumber'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>'),
$serialNumber ?: '-'
],
[
'Issuer Name',
($checks['issuerName'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>')
($checks['issuerName'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>'),
$issuerName ?: '-'
],
[
'OCSP Revoked',
($checks['ocspRevoked'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>')
($checks['ocspRevoked'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>'),
'-'
]
]
)
Expand All @@ -156,19 +137,10 @@ protected function execute(InputInterface $input, OutputInterface $output): int
}

$errors = [];
if ($checks['fingerprint'] === true && trim($fingerprint) === '') {
$errors[] = '<options=bold>--fingerprint</> option is required unless <options=bold>--skip-fingerprint</> is set';
}

if ($checks['serialNumber'] === true && trim($serialNumber) === '') {
$errors[] = '<options=bold>--serial-number</> option is required unless <options=bold>--skip-serial-number</> is set';
}

if ($checks['issuerName'] === true && trim($issuerName) === '') {
$errors[] = '<options=bold>--issuer-name</> option is required unless <options=bold>--skip-issuer-name</> is set';
}

if (filter_var($domain, FILTER_VALIDATE_DOMAIN, ['flags' => FILTER_FLAG_HOSTNAME]) === false) {
if (
strpos($domain, '.') === false ||
filter_var($domain, FILTER_VALIDATE_DOMAIN, ['flags' => FILTER_FLAG_HOSTNAME]) === false
) {
$errors[] = 'argument <options=bold>domain</> contains an invalid domain name';
}

Expand All @@ -187,6 +159,11 @@ protected function execute(InputInterface $input, OutputInterface $output): int
);

if ($needCertificate === false) {
$output->writeln(
'All certificate verifications are disabled, leaving',
OutputInterface::VERBOSITY_VERBOSE
);

return Command::SUCCESS;
}

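Review bot: Removing the old `trim($fingerprint) === ''` required-option checks means a whitespace-only value such as `--fingerprint ' '` now enables the fingerprint check (the new `$fingerprint !== ''` is true) with a value that can never match; if that is not intended, trim at the point of reading, e.g. `$fingerprint = trim((string)$input->getOption('fingerprint'));`, and likewise for `serial-number` and `issuer-name`. The summary table rows use `$fingerprint ?: '-'`, which is a truthiness test, so a literal `'0'` would display as `-` while the check array built from `!== ''` still enables it; `$fingerprint !== '' ? $fingerprint : '-'` keeps the display and the decision consistent. In the added domain guard, `strpos($domain, '.') === false` can be written `!str_contains($domain, '.')` if the project targets PHP 8. execute() continues outside the hunk.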