From 845626ee452398011481df9556a5c85b4c586efc Mon Sep 17 00:00:00 2001 From: aeris Date: Fri, 6 Jan 2017 21:10:26 +0100 Subject: [PATCH] Refactor some checks --- lib/cryptcheck/status.rb | 22 ++++++++++++++++------ lib/cryptcheck/tls.rb | 16 +++++++++------- lib/cryptcheck/tls/fixture.rb | 6 ++++-- lib/cryptcheck/tls/grade.rb | 21 ++++++++------------- lib/cryptcheck/tls/server.rb | 4 ++-- spec/cryptcheck/status_spec.rb | 12 ++++++++++++ 6 files changed, 51 insertions(+), 30 deletions(-) diff --git a/lib/cryptcheck/status.rb b/lib/cryptcheck/status.rb index c31111b..31d69e8 100644 --- a/lib/cryptcheck/status.rb +++ b/lib/cryptcheck/status.rb @@ -3,24 +3,34 @@ module CryptCheck LEVELS = %i(critical error warning good perfect best).freeze PROBLEMS = %i(critical error warning).freeze + extend Enumerable + def self.each(&block) + LEVELS.each &block + end + def self.status(statuses) - statuses = self.collect statuses - self.select LEVELS, statuses + statuses = self.convert statuses + self.min LEVELS, statuses + end + + class << self + alias_method :'[]', :status end def self.problem(statuses) - statuses = self.collect statuses - self.select PROBLEMS, statuses + statuses = self.convert statuses + self.min PROBLEMS, statuses end private - def self.collect(statuses) + def self.convert(statuses) + statuses = [ statuses ] unless statuses.respond_to? :first first = statuses.first statuses = statuses.collect &:status if first.respond_to? :status statuses end - def self.select(levels, statuses) + def self.min(levels, statuses) return nil if statuses.empty? (levels & statuses).first end diff --git a/lib/cryptcheck/tls.rb b/lib/cryptcheck/tls.rb index 3751221..7e29a6f 100644 --- a/lib/cryptcheck/tls.rb +++ b/lib/cryptcheck/tls.rb 
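Review bot: The helper renamed to `self.min` in `lib/cryptcheck/status.rb` replaces the `min` that the new `extend Enumerable` provides, so `Status.min` now requires two arguments and means something different from every other Enumerable method on the module. A name outside Enumerable, for example `def self.worst(levels, statuses)`, avoids the clash. The bare `private` above `def self.convert` has no effect on singleton methods, so both helpers remain public; `private_class_method :convert, :worst` after the definitions would hide them. `convert` also decides whether to map `&:status` by looking only at `statuses.first`, so a list that starts with `nil` or a symbol and then contains objects is passed through unmapped. That looks unintended, but the callers are outside this hunk.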
@@ -19,13 +19,15 @@ module CryptCheck def self.key_to_s(key) size, color = case key.type - when :ecc - ["#{key.group.curve_name} #{key.size}", :good] - when :dh - [key.size, :warning] - when :dsa - [key.size, :critical] - end + when :ecc + ["#{key.group.curve_name} #{key.size}", :good] + when :rsa + [key.size, nil] + when :dsa + [key.size, :critical] + when :dh + [key.size, :warning] + end "#{key.type.to_s.upcase.colorize color} #{size.to_s.colorize key.status} bits" end end diff --git a/lib/cryptcheck/tls/fixture.rb b/lib/cryptcheck/tls/fixture.rb index 7ea8f9d..083419a 100644 --- a/lib/cryptcheck/tls/fixture.rb +++ b/lib/cryptcheck/tls/fixture.rb @@ -74,7 +74,8 @@ class ::OpenSSL::PKey::EC :error when 192...256 :warning - when 384...::Float::INFINITY + when 256...364 + else :good end end @@ -99,7 +100,8 @@ class ::OpenSSL::PKey::RSA :critical when 1024...2048 :error - when 4096...::Float::INFINITY + when 2048...4096 + else :good end end diff --git a/lib/cryptcheck/tls/grade.rb b/lib/cryptcheck/tls/grade.rb index 083091c..51f5dec 100644 --- a/lib/cryptcheck/tls/grade.rb +++ b/lib/cryptcheck/tls/grade.rb @@ -17,7 +17,7 @@ module CryptCheck when 'B', 'B+' :perfect when 'C', 'C+' - nil + :good when 'E' :warning when 'F' @@ -30,16 +30,9 @@ module CryptCheck Logger.info { "Grade : #{self.grade.colorize color }" } Logger.info { '' } - [ - ['Critical', :critical], - ['Error', :error], - ['Warning', :warning], - ['Good', :good], - ['Perfect', :perfect], - ['Best', :best], - ].each do |text, color| + Status.each do |color| states = @states[color] - Logger.info { "#{text} : #{states.collect { |s| s.to_s.colorize color }.join ' '}" } unless states.empty? + Logger.info { "#{color.to_s.capitalize} : #{states.collect { |s| s.to_s.colorize color }.join ' '}" } unless states.empty? end end 
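Review bot: The `case key.type` in `key_to_s` still has no `else`, so a key type other than the four listed leaves both `size` and `color` as `nil` and the method prints the type followed by an empty size. An explicit fallback such as `else [key.size, nil]` keeps the size visible for unlisted types. The new `:rsa` branch also passes `nil` to `colorize`; whether the project's `colorize` accepts a `nil` status is not visible in this hunk and is worth confirming.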
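Review bot: In the `OpenSSL::PKey::EC` status method the new neutral band is `when 256...364`, which looks like a typo for `384`: the line it replaces started the `:good` range at 384, so sizes 364–383 now grade `:good`. More importantly, moving `:good` into `else` makes the classifier fail open. Any value the earlier `when` ranges do not match (presumably a `nil` or otherwise unexpected size) is reported as a good key, both here and in the `OpenSSL::PKey::RSA` hunk at `@@ -99,7 +100,8 @@`. For a grading tool the safer shape keeps the strong range explicit, `when 384...::Float::INFINITY` and `when 4096...::Float::INFINITY` returning `:good`, and lets unmatched values fall through to `nil`. Both methods start above their hunks, so the expression being matched is not visible here.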
@@ -78,10 +71,10 @@ module CryptCheck CHECKS = [ # Keys [:dss_sign, Proc.new { |s| s.dss_sig? }, :critical], - [:weak_key, Proc.new { |s| %i(critical error warning) & [s.key.status] } ], + [:weak_key, Proc.new { |s| Status.problem s.key_status } ], # DH - [:weak_dh, Proc.new { |s| (%i(critical error warning) & s.dh.collect(&:status).uniq).first } ], + [:weak_dh, Proc.new { |s| Status.problem s.dh_status } ], # Certificates [:md2_sign, Proc.new { |s| s.md2_sig? }, :critical], @@ -111,6 +104,8 @@ module CryptCheck [:no_pfs, Proc.new { |s| not s.pfs_only? }, :warning], [:pfs, Proc.new { |s| s.pfs? }, :good], [:pfs_only, Proc.new { |s| s.pfs_only? }, :perfect], + + [:no_ecdhe, Proc.new { |s| not s.ecdhe? }, :warning], [:ecdhe, Proc.new { |s| s.ecdhe? }, :good], [:ecdhe_only, Proc.new { |s| s.ecdhe_only? }, :perfect], @@ -130,7 +125,7 @@ module CryptCheck end def calculate_states - states = { critical: [], error: [], warning: [], good: [], perfect: [], best: [] } + states = Status.collect { |s| [s, []] }.to_h @checks.each do |name, check, status| result = check.call @server if result diff --git a/lib/cryptcheck/tls/server.rb b/lib/cryptcheck/tls/server.rb index 4225f84..206e422 100644 --- a/lib/cryptcheck/tls/server.rb +++ b/lib/cryptcheck/tls/server.rb @@ -9,6 +9,7 @@ module CryptCheck SSL_TIMEOUT = 2*TCP_TIMEOUT EXISTING_METHODS = %i(TLSv1_2 TLSv1_1 TLSv1 SSLv3 SSLv2) SUPPORTED_METHODS = ::OpenSSL::SSL::SSLContext::METHODS + class TLSException < ::StandardError end class TLSNotAvailableException < TLSException @@ -360,13 +361,12 @@ module CryptCheck end end end - - Logger.info { '' } unless supported_ciphers.empty? @supported_ciphers[method] = supported_ciphers end end def check_fallback_scsv + Logger.info { '' } @fallback_scsv = false methods = @prefered_ciphers.reject { |_, v| v.nil? }.keys diff --git a/spec/cryptcheck/status_spec.rb b/spec/cryptcheck/status_spec.rb index aa4a523..2147a8b 100644 --- a/spec/cryptcheck/status_spec.rb 
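Review bot: The rewritten `:weak_key` and `:weak_dh` entries in `CHECKS` call `s.key_status` and `s.dh_status`, but none of the `lib/cryptcheck/tls/server.rb` hunks in this patch add those methods. If `Server` does not already define them, both procs raise `NoMethodError` as soon as `calculate_states` runs the checks. These two entries also differ from the rest of the table by having no third element and returning the status from the proc itself. A short comment above them would help, for example `# two-element checks: the proc returns the status symbol, or nil when there is no problem`. The `CHECKS` array and `calculate_states` both continue outside the hunks shown.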
+++ b/spec/cryptcheck/status_spec.rb @@ -11,6 +11,7 @@ describe CryptCheck::Status do [:critical, :critical] => :critical, [:critical, :error] => :critical, [:critical, :warning] => :critical, + [:critical, nil] => :critical, [:critical, :good] => :critical, [:critical, :perfect] => :critical, [:critical, :best] => :critical, @@ -18,6 +19,7 @@ describe CryptCheck::Status do [:error, :critical] => :critical, [:error, :error] => :error, [:error, :warning] => :error, + [:error, nil] => :error, [:error, :good] => :error, [:error, :perfect] => :error, [:error, :best] => :error, @@ -25,6 +27,7 @@ describe CryptCheck::Status do [:warning, :critical] => :critical, [:warning, :error] => :error, [:warning, :warning] => :warning, + [:warning, nil] => :warning, [:warning, :good] => :warning, [:warning, :perfect] => :warning, [:warning, :best] => :warning, @@ -32,6 +35,7 @@ describe CryptCheck::Status do [:good, :critical] => :critical, [:good, :error] => :error, [:good, :warning] => :warning, + [:good, nil] => :good, [:good, :good] => :good, [:good, :perfect] => :good, [:good, :best] => :good, @@ -39,6 +43,7 @@ describe CryptCheck::Status do [:perfect, :critical] => :critical, [:perfect, :error] => :error, [:perfect, :warning] => :warning, + [:perfect, nil] => :perfect, [:perfect, :good] => :good, [:perfect, :perfect] => :perfect, [:perfect, :best] => :perfect, @@ -46,6 +51,7 @@ describe CryptCheck::Status do [:best, :critical] => :critical, [:best, :error] => :error, [:best, :warning] => :warning, + [:best, nil] => :best, [:best, :good] => :good, [:best, :perfect] => :perfect, [:best, :best] => :best @@ -68,6 +74,7 @@ describe CryptCheck::Status do [:critical, :critical] => :critical, [:critical, :error] => :critical, [:critical, :warning] => :critical, + [:critical, nil] => :critical, [:critical, :good] => :critical, [:critical, :perfect] => :critical, [:critical, :best] => :critical, 
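Review bot: The twelve added rows only ever put `nil` in second position, and nothing in this spec change exercises the two behaviours the commit adds to `Status`: a scalar argument and the `Status[...]` alias. Since `convert` branches on `statuses.first`, the nil-first ordering is the interesting case; rows such as `[nil, :critical] => :critical` and `[nil, nil] => nil` would cover it. Examples like `expect(CryptCheck::Status[:warning]).to be :warning` and `Status.status :error` would pin the scalar path and the alias. The same gap applies to the second table in the later hunks, apparently the one for `problem`.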
@@ -75,6 +82,7 @@ describe CryptCheck::Status do [:error, :critical] => :critical, [:error, :error] => :error, [:error, :warning] => :error, + [:error, nil] => :error, [:error, :good] => :error, [:error, :perfect] => :error, [:error, :best] => :error, @@ -82,6 +90,7 @@ describe CryptCheck::Status do [:warning, :critical] => :critical, [:warning, :error] => :error, [:warning, :warning] => :warning, + [:warning, nil] => :warning, [:warning, :good] => :warning, [:warning, :perfect] => :warning, [:warning, :best] => :warning, @@ -89,6 +98,7 @@ describe CryptCheck::Status do [:good, :critical] => :critical, [:good, :error] => :error, [:good, :warning] => :warning, + [:good, nil] => nil, [:good, :good] => nil, [:good, :perfect] => nil, [:good, :best] => nil, @@ -96,6 +106,7 @@ describe CryptCheck::Status do [:perfect, :critical] => :critical, [:perfect, :error] => :error, [:perfect, :warning] => :warning, + [:perfect, nil] => nil, [:perfect, :good] => nil, [:perfect, :perfect] => nil, [:perfect, :best] => nil, @@ -103,6 +114,7 @@ describe CryptCheck::Status do [:best, :critical] => :critical, [:best, :error] => :error, [:best, :warning] => :warning, + [:best, nil] => nil, [:best, :good] => nil, [:best, :perfect] => nil, [:best, :best] => nil