Merge pull request #4 from ericmakesstuff/feature-ssl-certificate-monitor

Add Monitor: SSL Certificate Validation

Author: eblount

README.md

@@ -6,7 +6,7 @@
 [![Quality Score](https://img.shields.io/scrutinizer/g/ericmakesstuff/laravel-server-monitor.svg?style=flat-square)](https://scrutinizer-ci.com/g/ericmakesstuff/laravel-server-monitor)
 [![Total Downloads](https://img.shields.io/packagist/dt/ericmakesstuff/laravel-server-monitor.svg?style=flat-square)](https://packagist.org/packages/ericmakesstuff/laravel-server-monitor)
 
-This Laravel 5 package will periodically monitor the health of your server. Currently, it provides healthy/alarm status notifications for Disk Usage, as well as an HTTP Ping function to monitor the health of external services.
+This Laravel 5 package will periodically monitor the health of your server and website. Currently, it provides healthy/alarm status notifications for Disk Usage, an HTTP Ping function to monitor the health of external services, and a validation/expiration monitor for SSL Certificates.
 
 Once installed, monitoring your server is very easy. Just issue this artisan command:
 
@@ -17,8 +17,8 @@ php artisan monitor:run
 You can run only certain monitors at a time:
 
 ``` bash
-php artisan monitor:run DiskUsage
-php artisan monitor:run DiskUsage,HttpPing
+php artisan monitor:run HttpPing
+php artisan monitor:run SSLCertificate,DiskUsage
 ```
 
 ## Installation and usage
@@ -77,6 +77,20 @@ The default monitor configurations are:
             'allowRedirects' => false,
         ],
     ],
+    /*
+     * SSLCertificate will download the SSL Certificate for the URL and validate that the domain
+     * is covered and that it is not expired. Additionally, it can warn when the certificate is
+     * approaching expiration.
+     */
+    'SSLCertificate' => [
+        [
+            'url' => 'https://www.example.com/',
+        ],
+        [
+            'url' => 'https://www.example.com/',
+            'alarmDaysBeforeExpiration' => [14, 7],
+        ],
+    ],
 ```
 
 ## Scheduling

config/server-monitor.php

@@ -41,6 +41,20 @@
                 'allowRedirects' => false,
             ],
         ],
+        /*
+         * SSLCertificate will download the SSL Certificate for the URL and validate that the domain
+         * is covered and that it is not expired. Additionally, it can warn when the certificate is
+         * approaching expiration.
+         */
+        'SSLCertificate' => [
+            [
+                'url' => 'https://www.example.com/',
+            ],
+            [
+                'url' => 'https://www.example.com/',
+                'alarmDaysBeforeExpiration' => [14, 7],
+            ],
+        ],
     ],
 
     'notifications' => [
@@ -57,10 +71,13 @@
          * Slack requires the installation of the maknz/slack package.
          */
         'events' => [
-            'whenDiskUsageHealthy' => ['log'],
-            'whenDiskUsageAlarm'   => ['log', 'mail'],
-            'whenHttpPingUp'       => ['log'],
-            'whenHttpPingDown'     => ['log', 'mail'],
+            'whenDiskUsageHealthy'       => ['log'],
+            'whenDiskUsageAlarm'         => ['log', 'mail'],
+            'whenHttpPingUp'             => ['log'],
+            'whenHttpPingDown'           => ['log', 'mail'],
+            'whenSSLCertificateValid'    => ['log'],
+            'whenSSLCertificateInvalid'  => ['log', 'mail'],
+            'whenSSLCertificateExpiring' => ['log', 'mail'],
         ],
 
         /*

src/Events/SSLCertificateExpiring.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace EricMakesStuff\ServerMonitor\Events;
+
+use EricMakesStuff\ServerMonitor\Monitors\SSLCertificateMonitor;
+
+class SSLCertificateExpiring
+{
+    /**  @var \EricMakesStuff\ServerMonitor\Monitors\SSLCertificateMonitor|null */
+    public $sslCertificateMonitor;
+
+    /**
+     * @param \EricMakesStuff\ServerMonitor\Monitors\SSLCertificateMonitor|null $sslCertificateMonitor
+     */
+    public function __construct(SSLCertificateMonitor $sslCertificateMonitor = null)
+    {
+        $this->sslCertificateMonitor = $sslCertificateMonitor;
+    }
+}

src/Events/SSLCertificateInvalid.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace EricMakesStuff\ServerMonitor\Events;
+
+use EricMakesStuff\ServerMonitor\Monitors\SSLCertificateMonitor;
+
+class SSLCertificateInvalid
+{
+    /**  @var \EricMakesStuff\ServerMonitor\Monitors\SSLCertificateMonitor|null */
+    public $sslCertificateMonitor;
+
+    /**
+     * @param \EricMakesStuff\ServerMonitor\Monitors\SSLCertificateMonitor|null $sslCertificateMonitor
+     */
+    public function __construct(SSLCertificateMonitor $sslCertificateMonitor = null)
+    {
+        $this->sslCertificateMonitor = $sslCertificateMonitor;
+    }
+}

src/Events/SSLCertificateValid.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace EricMakesStuff\ServerMonitor\Events;
+
+use EricMakesStuff\ServerMonitor\Monitors\SSLCertificateMonitor;
+
+class SSLCertificateValid
+{
+    /**  @var \EricMakesStuff\ServerMonitor\Monitors\SSLCertificateMonitor|null */
+    public $sslCertificateMonitor;
+
+    /**
+     * @param \EricMakesStuff\ServerMonitor\Monitors\SSLCertificateMonitor $sslCertificateMonitor
+     */
+    public function __construct(SSLCertificateMonitor $sslCertificateMonitor)
+    {
+        $this->sslCertificateMonitor = $sslCertificateMonitor;
+    }
+}

src/Exceptions/InvalidConfiguration.php

@@ -17,6 +17,21 @@ public static function cannotFindMonitor($monitorName)
 
     public static function noUrlConfigured()
     {
-        return new static ("No URL Configured.");
+        return new static("No URL Configured.");
+    }
+
+    public static function urlNotSecure()
+    {
+        return new static("URL Not Secure");
+    }
+
+    public static function urlCouldNotBeParsed()
+    {
+        return new static("URL Could Not Be Parsed");
+    }
+
+    public static function urlCouldNotBeDownloaded()
+    {
+        return new static("URL Could Not Be Downloaded");
     }
 }

src/Monitors/SSLCertificateMonitor.php

@@ -0,0 +1,182 @@
+<?php
+
+namespace EricMakesStuff\ServerMonitor\Monitors;
+
+use Carbon\Carbon;
+use EricMakesStuff\ServerMonitor\Events\SSLCertificateExpiring;
+use EricMakesStuff\ServerMonitor\Events\SSLCertificateInvalid;
+use EricMakesStuff\ServerMonitor\Events\SSLCertificateValid;
+use EricMakesStuff\ServerMonitor\Exceptions\InvalidConfiguration;
+
+class SSLCertificateMonitor extends BaseMonitor
+{
+    /**  @var array */
+    protected $certificateInfo;
+
+    /**  @var string */
+    protected $certificateExpiration;
+
+    /**  @var string */
+    protected $certificateDomain;
+
+    /**  @var array */
+    protected $certificateAdditionalDomains = [];
+
+    /**  @var int */
+    protected $certificateDaysUntilExpiration;
+
+    /**  @var string */
+    protected $url;
+
+    /**  @var array */
+    protected $alarmDaysBeforeExpiration = [28, 14, 7, 3, 2, 1, 0];
+
+    /**
+     * @param array $config
+     */
+    public function __construct(array $config)
+    {
+        if (!empty($config['url'])) {
+            $this->url = $config['url'];
+        }
+
+        if (!empty($config['alarmDaysBeforeExpiration'])) {
+            $this->alarmDaysBeforeExpiration = $config['alarmDaysBeforeExpiration'];
+        }
+    }
+
+    /**
+     * @throws InvalidConfiguration
+     */
+    public function runMonitor()
+    {
+        $urlParts = $this->parseUrl($this->url);
+
+        try {
+            $this->certificateInfo = $this->downloadCertificate($urlParts);
+        } catch (\ErrorException $e) {
+            event(new SSLCertificateInvalid($this));
+            return false;
+        } catch (\Exception $e) {
+            throw InvalidConfiguration::urlCouldNotBeDownloaded();
+        }
+
+        $this->processCertificate($this->certificateInfo);
+
+        if ($this->certificateDaysUntilExpiration < 0
+            || ! $this->hostCoveredByCertificate($urlParts['host'], $this->certificateDomain, $this->certificateAdditionalDomains)) {
+            event(new SSLCertificateInvalid($this));
+        } elseif (in_array($this->certificateDaysUntilExpiration, $this->alarmDaysBeforeExpiration)) {
+            event(new SSLCertificateExpiring($this));
+        } else {
+            event(new SSLCertificateValid($this));
+        }
+    }
+
+    protected function downloadCertificate($urlParts)
+    {
+        $streamContext = stream_context_create([
+            "ssl" => [
+                "capture_peer_cert" => TRUE
+            ]
+        ]);
+
+        $streamClient = stream_socket_client("ssl://{$urlParts['host']}:443", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $streamContext);
+
+        $certificateContext = stream_context_get_params($streamClient);
+
+        return openssl_x509_parse($certificateContext['options']['ssl']['peer_certificate']);
+    }
+
+    public function processCertificate($certificateInfo)
+    {
+        if (!empty($certificateInfo['subject']) && !empty($certificateInfo['subject']['CN'])) {
+            $this->certificateDomain = $certificateInfo['subject']['CN'];
+        }
+
+        if (!empty($certificateInfo['validTo_time_t'])) {
+            $validTo = Carbon::createFromTimestampUTC($certificateInfo['validTo_time_t']);
+            $this->certificateExpiration = $validTo->toDateString();
+            $this->certificateDaysUntilExpiration = - $validTo->diffInDays(Carbon::now(), false);
+        }
+
+        if (!empty($certificateInfo['extensions']) && !empty($certificateInfo['extensions']['subjectAltName'])) {
+            $this->certificateAdditionalDomains = [];
+            $domains = explode(', ', $certificateInfo['extensions']['subjectAltName']);
+            foreach ($domains as $domain) {
+                $this->certificateAdditionalDomains[] = str_replace('DNS:', '', $domain);
+            }
+        }
+    }
+
+    public function hostCoveredByCertificate($host, $certificateHost, array $certificateAdditionalDomains = [])
+    {
+        if ($host == $certificateHost) {
+            return true;
+        }
+
+        // Determine if wildcard domain covers the host domain
+        if ($certificateHost[0] == '*' && substr_count($host, '.') > 1) {
+            $certificateHost = substr($certificateHost, 1);
+            $host = substr($host, strpos($host, '.'));
+            return $certificateHost == $host;
+        }
+
+        // Determine if the host domain is in the certificate's additional domains
+        return in_array($host, $certificateAdditionalDomains);
+    }
+
+    protected function parseUrl($url)
+    {
+        if (empty($url)) {
+            throw InvalidConfiguration::noUrlConfigured();
+        }
+
+        $urlParts = parse_url($url);
+
+        if (!$urlParts) {
+            throw InvalidConfiguration::urlCouldNotBeParsed();
+        }
+
+        if (empty($urlParts['scheme']) || $urlParts['scheme'] != 'https') {
+            throw InvalidConfiguration::urlNotSecure();
+        }
+
+        return $urlParts;
+    }
+
+    public function getUrl()
+    {
+        return $this->url;
+    }
+
+    public function getCertificateInfo()
+    {
+        return $this->certificateInfo;
+    }
+
+    public function getCertificateExpiration()
+    {
+        return $this->certificateExpiration;
+    }
+
+    public function getCertificateDomain()
+    {
+        return $this->certificateDomain;
+    }
+
+    public function getCertificateDaysUntilExpiration()
+    {
+        return $this->certificateDaysUntilExpiration;
+    }
+
+    public function getAlarmDaysBeforeExpiration()
+    {
+        return $this->alarmDaysBeforeExpiration;
+    }
+
+    public function getCertificateAdditionalDomains()
+    {
+        return $this->certificateAdditionalDomains;
+    }
+}