Adding x509_cert input plugin

[jtyr]

Required for all PRs:

• Signed CLA.
• Associated README.md updated.
• Has appropriate unit tests.

This PR is adding new input plugin which allows to monitor SSL certificates.

[sepetrov]

@jtyr , thanks for the contribution. As requested, I have reviewed the PR and my comments are mostly related to coding standards. Hope the maintainers don't mind that.

[sepetrov]

I can see that some packages in the repository do not conform with the standards described in Effective Go - Package names , but I would suggest to drop the underscore.

ssl_cert -> sslcert

[jtyr]

I will keep the underscore in the package name because the name appears in the config file and I believe that it improves readability of the config file.

[sepetrov]

Seems like this function is not used.

[sepetrov]

You could use fmt.Errorf.

Here is another alternative, which is not using fmt: errors.New("my error message: " + err.Error()). In this case you could remove the fmt package.

[sepetrov]

You could use fmt.Errorf

[sepetrov]

Error messages should not be treated as sentences:

• should not start with uppercase unless the first word has special meaning, i.e. exported method/struct name etc.
• should end with ., !, ? etc.

Think about the recommended error message style: [caller 2 error message]:[caller 1 error message]:[original error message]

See here

[sepetrov]

The package description is missing. The exported package members also do not have any comments. Please see here or here.

[jtyr]

I think this is not that important as it's quite clear what the package is (it's an input plugin) and further description is provided by the Description function.

[sepetrov]

I would recommend adding a check, which makes sure SSLCert implements telegraf.Input.

// make sure SSLCert implements telegraf.Input
var _ telegraf.Input = &SSLCert{}

I would also consider it as a valid point, if someone prefers to have this check performed only in the _test.go file.

[sepetrov]

The error message could provide a little more information: consider including the server details. Currently neither all getRemoteCert possible errors include the server, nor the Gather method.

[sepetrov]

Do not define interfaces on the implementor side of an API "for mocking"; instead, design the API so that it can be tested using the public API of the real implementation.

See here

I see no reason to test if the connection has been closed on your end. Instead I would test the scenarios under which a connection error could occur.

func TestSSLCert_Gather_ConnectionErrors(t *testing.T) {
	pair, err := tls.X509KeyPair([]byte(testCert), []byte(testKey))
	if err != nil {
		t.Fatal(err)
	}
	config := &tls.Config{
		Certificates: []tls.Certificate{pair},
	}

	t.Run("server connection refused", func(t *testing.T) {
		ln, err := tls.Listen("tcp", ":0", config)
		if err != nil {
			t.Fatal(err)
		}
		svr := ln.Addr().String()
		ln.Close()

		sc := SSLCert{
			Servers:   []string{svr},
			Timeout:   5,
		}
		acc := testutil.Accumulator{}
		err = sc.Gather(&acc)
		if err == nil {
			t.Error("got nil; want error")
		}
	})
	t.Run("server closes the connection", func(t *testing.T) {
		ln, err := tls.Listen("tcp", ":0", config)
		if err != nil {
			t.Fatal(err)
		}
		defer ln.Close()
		go func() {
			sconn, err := ln.Accept()
			if err != nil {
				return
			}
			sconn.Close()
		}()

		sc := SSLCert{
			Servers:   []string{ln.Addr().String()},
			Timeout:   5,
		}
		acc := testutil.Accumulator{}
		err = sc.Gather(&acc)
		if err == nil {
			t.Error("got nil; want error")
		}
	})
	t.Run("server closes without handshake", func(t *testing.T) {
		ln, err := tls.Listen("tcp", ":0", config)
		if err != nil {
			t.Fatal(err)
		}
		defer ln.Close()
		go func() {
			sconn, err := ln.Accept()
			if err != nil {
				return
			}
			serverConfig := config.Clone()
			srv := tls.Server(sconn, serverConfig)
			srv.Close()
		}()

		sc := SSLCert{
			Servers:   []string{ln.Addr().String()},
			Timeout:   5,
		}
		acc := testutil.Accumulator{}
		err = sc.Gather(&acc)
		if err == nil {
			t.Error("got nil; want error")
		}
	})
}

[sepetrov]

If there is an error, the test can not continue. You should call t.Fatal(err) instead

[sepetrov]

If there is an error, the test cannot continue. You should call t.Fatal(err) instead

[danielnelson]

Thanks for the pull request @jtyr and also the review @sepetrov (definitely appreciate non-maintainer reviews!). We have a pretty large backlog, but I'll try to take a look at this for 1.7, please nudge me if I don't get to it sometime in the next month. I'll also mention that there is a similar pull request #1762, it may be useful to read over it for ideas.

[jtyr]

@sepetrov Thanks a lot for your review! I have implemented most of your feedback. Please see the latest commit.

[sepetrov]

As I said in #3768 (comment) I would prefer to see black box tests where your tests live in separate package ssl_cert_test, and therefore you test only the public API. But if you have to have access to parts of the package, which change the behaviour, so that more test cases can be covered, then I would recommend the following:

Move the test-specific code outside the configuration struct SSLCert

// SSLCert holds the configuration of the plugin.
type SSLCert struct {
	Servers []string      `toml:"servers"`
	Files   []string      `toml:"files"`
	Timeout time.Duration `toml:"timeout"`
}

// For tests
var (
	closeConn  bool
	unsetCerts bool
)

This way the test-related code does not become part of the public API.

The disadvantage of having global state modifiers for the package by using this approach is that you will not be able to run tests in parallel, which you do not do here anyway.

[jtyr]

Thanks for your review. It should be fixed in the last commit.

[jtyr]

@danielnelson Please could you review it once you have time?

[danielnelson]

Will do, sorry about the delay... once 1.6 is released please ping me again if I still haven't reviewed yet

[sepetrov]

LGTM 👍

[jtyr]

@danielnelson Ping. Please could you review?

[danielnelson]

Let's add a bit more detail about what certificates can be loaded (PEM encoded). Perhaps we can use /etc/ssl/certs/ssl-cert-snakeoil.pem as the default path.

[danielnelson]

We should have examples of the how this variable could look, use example.org as the hostname.

[danielnelson]

I think we should allow the user to specify the network in the configuration, it would then look like servers = ["tcp://example.org:8080"]

[danielnelson]

Do you think the tls.Config could be configurable? We have a feature request for client authentication in #3854 so perhaps we could use the standard set of SSL options:

telegraf/plugins/inputs/apache/apache.go

Lines 43 to 48 in 851efc9

	## Optional TLS Config
	# tls_ca = "/etc/telegraf/ca.pem"
	# tls_cert = "/etc/telegraf/cert.pem"
	# tls_key = "/etc/telegraf/key.pem"
	## Use TLS but skip chain & host verification
	# insecure_skip_verify = false

I think we would need to check what happens if we ignore the error from Handshake(), perhaps we can still get the PeerCertificates? We could also explore a custom tls.Config.VerifyPeerCertificate func.

[danielnelson]

Should we rename the plugin? We don't always do SSL/TLS (in the case of files), maybe it should be x509_cert or certificate?

[danielnelson]

I'm not a big fan of this testing method but I guess it's acceptable. It would be better IMO to use an interface for tls.Client and a mock during tests or to implement the behavior in the tests.

[danielnelson]

For startdate, enddate no need to convert to int

[jtyr]

.Seconds() returns float64 so it's necessary to convert it to int to get only the integer part of the number.

[danielnelson]

Just make the change for startdate, enddate. (All integer fields added are converted to int64 or uint64 in the call to AddFields)

[danielnelson]

Use internal.Duration so we can specify timeout using a string like "5s"

[danielnelson]

Ideally we could also have metrics for if the certificate is valid, including values for common errors such as the hostname not matching the certificate. This is implemented in the related pr #3829, though ideally we could leverage the standard library code for this.

[danielnelson]

Can you update to use the testing certs in testutil/pki, check plugins/inputs/socket_listener/socket_listener_test.go for examples.

[jtyr]

@danielnelson I have implemented all your suggestions. Please review.

[jtyr]

@danielnelson Ping. Please could you review?

[glinton]

I made some slight modifications based on my review (see here). I know the first commit is fine, I agree with sepetrov regarding the test specific variables. Unifying the two get[Local|Remote]Certs is where I feel like danielnelson would have useful input. Feel free to cherry pick those commits, or i can directly push them to your branch, up to you.

[glinton]

Replace errors.New with fmt.Errorf

[glinton]

There isn't a need for test only variables in here, the same can be accomplished without them. (see this commit)

[jtyr]

Thanks for your review, @glinton. I have merged your changes and added few more. Any idea how to further improve test coverage (current coverage is only 92.7%)?

[glinton]

😄 I guess one thing you could do is remove this check if it never gets called (i believe there would be an error on the handshake if there were no certs), but i think you've got plenty of coverage.

[jtyr]

Thanks for the tip, @glinton. I have removed the check but the coverage is still only 94.3%! 😞

[danielnelson]

I think we should drop this field for now. There are various aspects of the certificate which currently we do not take into account, such as hostname and chain of trust. We can add it back in if/when we include these features.

[jtyr]

Fixed.

[danielnelson]

I think default should be an error, but "" could be file, this would avoid schemes like "foo://".

[jtyr]

Fixed.

[danielnelson]

Let's add support for tcp4, tcp6, udp4, udp6?

[jtyr]

Fixed.

[danielnelson]

I'm curious about what happens when a certificate has an invalid hostname or the cert chain is invalid? What I think would be ideal is if we still called acc.AddFields( but with valid=false and potentially with more detailed information. If this is possible, Gather would only return an error if the network connection fails or we can't get any certificates.

[jtyr]

I have removed the valid metric as per your request bellow (line 116).

[danielnelson]

Not required, but would be a nice touch if we used subtests like here https://github.com/influxdata/telegraf/blob/master/plugins/inputs/docker/docker_test.go#L720

[danielnelson]

Let's uncomment this one line since it will almost always need to be changed.

[jtyr]

Fixed.

[danielnelson]

Since this is an internal.Duration, it should be like timeout = "5s"

[jtyr]

Fixed.

[danielnelson]

Aren't these already ints?

[jtyr]

No, it's float64:
https://golang.org/pkg/time/#Duration.Seconds

[jtyr]

@danielnelson All should be fixed in the last commit. Please review it.

[jtyr]

No, it's float64:
https://golang.org/pkg/time/#Duration.Seconds

[jtyr]

Fixed.

[jtyr]

Fixed.

[jtyr]

Fixed.

[jtyr]

Fixed.

[jtyr]

Fixed.

[jtyr]

I have removed the valid metric as per your request bellow (line 116).

[danielnelson]

Add quotes to be valid toml

[danielnelson]

Add quotes to be valid toml