[pkg-nagios-changes] [Git][nagios-team/monitoring-plugins][master] 2 commits: Adding d/p/10_check_curl_fix_redirects from upstream
Jan Wagner (@waja)
gitlab at salsa.debian.org
Wed Aug 14 10:49:53 BST 2024
Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / monitoring-plugins
Commits:
672d37c1 by Jan Wagner at 2024-08-14T11:26:49+02:00
Adding d/p/10_check_curl_fix_redirects from upstream
https://patch-diff.githubusercontent.com/raw/monitoring-plugins/monitoring-plugins/pull/2010.patch
- - - - -
15760add by Jan Wagner at 2024-08-14T11:29:30+02:00
Adding d/p/11_check_curl_raise_ssl_issue from upstream
https://patch-diff.githubusercontent.com/raw/monitoring-plugins/monitoring-plugins/pull/2011.patch
- - - - -
3 changed files:
- + debian/patches/10_check_curl_fix_redirects
- + debian/patches/11_check_curl_raise_ssl_issue
- debian/patches/series
Changes:
=====================================
debian/patches/10_check_curl_fix_redirects
=====================================
@@ -0,0 +1,164 @@
+From 17549189ae6864203a48a2b2488db35a9e020e0e Mon Sep 17 00:00:00 2001
+From: Sven Nierlein <sven at consol.de>
+Date: Mon, 29 Jul 2024 20:53:32 +0200
+Subject: [PATCH] check_curl: fix relative redirects on non-standard port
+
+Having a webserver respond with a relative redirect as for ex. in `Location: /path/to.html`
+check_curl would use the wrong standard http/https port instead
+of crafting the absolute url using the given scheme/hostname and port.
+
+Adding a new test case for this for check_http and check_curl. check_http did
+it correct already, so no fix necessary there.
+
+before:
+
+ %>./check_curl -H 127.0.0.1 -p 50493 -f follow -u /redirect_rel -s redirected -vvv
+ **** HEADER ****
+ HTTP/1.1 302 Found
+ ...
+ Location: /redirect2
+
+ ...
+ * Seen redirect location /redirect2
+ ** scheme: (null)
+ ** host: (null)
+ ** port: (null)
+ ** path: /redirect2
+ Redirection to http://127.0.0.1:80/redirect2
+
+fixed:
+
+ %>./check_curl -H 127.0.0.1 -p 50493 -f follow -u /redirect_rel -s redirected -vvv
+ **** HEADER ****
+ HTTP/1.1 302 Found
+ ...
+ Location: /redirect2
+
+ ...
+ * Seen redirect location /redirect2
+ ** scheme: (null)
+ ** host: (null)
+ ** port: (null)
+ ** path: /redirect2
+ Redirection to http://127.0.0.1:50493/redirect2
+
+Signed-off-by: Sven Nierlein <sven at nierlein.de>
+---
+ plugins/check_curl.c | 15 ++++++++++-----
+ plugins/tests/check_curl.t | 14 +++++++++++---
+ plugins/tests/check_http.t | 12 +++++++++++-
+ 3 files changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/plugins/check_curl.c b/plugins/check_curl.c
+index c54be5e4f..01e2770e3 100644
+--- a/plugins/check_curl.c
++++ b/plugins/check_curl.c
+@@ -1285,10 +1285,12 @@ redir (curlhelp_write_curlbuf* header_buf)
+ }
+ }
+
+- if (!uri_strcmp (uri.scheme, "https"))
+- use_ssl = true;
+- else
+- use_ssl = false;
++ if (uri.scheme.first) {
++ if (!uri_strcmp (uri.scheme, "https"))
++ use_ssl = true;
++ else
++ use_ssl = false;
++ }
+
+ /* we do a sloppy test here only, because uriparser would have failed
+ * above, if the port would be invalid, we just check for MAX_PORT
+@@ -1306,10 +1308,13 @@ redir (curlhelp_write_curlbuf* header_buf)
+ MAX_PORT, location, display_html ? "</A>" : "");
+
+ /* by RFC 7231 relative URLs in Location should be taken relative to
+- * the original URL, so wy try to form a new absolute URL here
++ * the original URL, so we try to form a new absolute URL here
+ */
+ if (!uri.scheme.first && !uri.hostText.first) {
+ new_host = strdup (host_name ? host_name : server_address);
++ new_port = server_port;
++ if(use_ssl)
++ uri_string (uri.scheme, "https", DEFAULT_BUFFER_SIZE);
+ } else {
+ new_host = strdup (uri_string (uri.hostText, buf, DEFAULT_BUFFER_SIZE));
+ }
+diff --git a/plugins/tests/check_curl.t b/plugins/tests/check_curl.t
+index 3c9148308..eaa9f5183 100755
+--- a/plugins/tests/check_curl.t
++++ b/plugins/tests/check_curl.t
+@@ -21,7 +21,7 @@ use FindBin qw($Bin);
+
+ $ENV{'LC_TIME'} = "C";
+
+-my $common_tests = 73;
++my $common_tests = 75;
+ my $ssl_only_tests = 8;
+ # Check that all dependent modules are available
+ eval "use HTTP::Daemon 6.01;";
+@@ -178,6 +178,11 @@ sub run_server {
+ $c->send_basic_header;
+ $c->send_crlf;
+ $c->send_response(HTTP::Response->new( 200, 'OK', undef, 'redirected' ));
++ } elsif ($r->url->path eq "/redirect_rel") {
++ $c->send_basic_header(302);
++ $c->send_header("Location", "/redirect2" );
++ $c->send_crlf;
++ $c->send_response('moved to /redirect2');
+ } elsif ($r->url->path eq "/redir_timeout") {
+ $c->send_redirect( "/timeout" );
+ } elsif ($r->url->path eq "/timeout") {
+@@ -471,9 +476,12 @@ sub run_common_tests {
+ is( $result->return_code, 0, $cmd);
+ like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
+- # These tests may block
+- print "ALRM\n";
++ $cmd = "$command -f follow -u /redirect_rel -s redirected";
++ $result = NPTest->testCmd( $cmd );
++ is( $result->return_code, 0, $cmd);
++ like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
++ # These tests may block
+ # stickyport - on full urlS port is set back to 80 otherwise
+ $cmd = "$command -f stickyport -u /redir_external -t 5 -s redirected";
+ eval {
+diff --git a/plugins/tests/check_http.t b/plugins/tests/check_http.t
+index 6078b2745..6eaf85b29 100755
+--- a/plugins/tests/check_http.t
++++ b/plugins/tests/check_http.t
+@@ -13,7 +13,7 @@ use IO::Socket::INET;
+
+ $ENV{'LC_TIME'} = "C";
+
+-my $common_tests = 71;
++my $common_tests = 73;
+ my $virtual_port_tests = 8;
+ my $ssl_only_tests = 12;
+ my $chunked_encoding_special_tests = 1;
+@@ -199,6 +199,11 @@ sub run_server {
+ $c->send_basic_header;
+ $c->send_crlf;
+ $c->send_response(HTTP::Response->new( 200, 'OK', undef, 'redirected' ));
++ } elsif ($r->url->path eq "/redirect_rel") {
++ $c->send_basic_header(302);
++ $c->send_header("Location", "/redirect2" );
++ $c->send_crlf;
++ $c->send_response('moved to /redirect2');
+ } elsif ($r->url->path eq "/redir_timeout") {
+ $c->send_redirect( "/timeout" );
+ } elsif ($r->url->path eq "/timeout") {
+@@ -515,6 +520,11 @@ sub run_common_tests {
+ is( $result->return_code, 0, $cmd);
+ like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
+
++ $cmd = "$command -f follow -u /redirect_rel -s redirected";
++ $result = NPTest->testCmd( $cmd );
++ is( $result->return_code, 0, $cmd);
++ like( $result->output, '/^HTTP OK: HTTP/1.1 200 OK - \d+ bytes in [\d\.]+ second/', "Output correct: ".$result->output );
++
+ # These tests may block
+ print "ALRM\n";
+
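Review bot: In the second check_curl.c hunk of the embedded patch (the relative-redirect branch of redir()), the added `uri_string (uri.scheme, "https", DEFAULT_BUFFER_SIZE);` passes a string literal where the neighbouring call `uri_string (uri.hostText, buf, DEFAULT_BUFFER_SIZE)` passes a destination buffer, and its return value is discarded. uri_string is defined outside the hunk, so the rest is inferred: the branch is only entered when `uri.scheme.first` is NULL, so the call most likely has no effect, and if it did copy anything it would write into a string literal. Because the first hunk now leaves `use_ssl` unchanged when Location carries no scheme, the `if(use_ssl)` pair can probably be replaced by a comment such as `/* no scheme in Location: keep use_ssl and server_port from the original request */`. redir() starts and ends outside the visible hunks, so how the scheme is used when the new URL is assembled should be confirmed there.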
=====================================
debian/patches/11_check_curl_raise_ssl_issue
=====================================
@@ -0,0 +1,87 @@
+From ca40cf81fb94cf57a82df938ed2aa2843691be3a Mon Sep 17 00:00:00 2001
+From: Yannick Martin <yannick.martin at ovhcloud.com>
+Date: Fri, 9 Aug 2024 12:14:28 +0200
+Subject: [PATCH] check_curl: raise SSL issue when --continue-after-certificate
+ is used
+
+This change aims to raise the worst status between the SSL check and the HTTP check.
+
+before:
+check_curl -H www.google.fr -S --continue-after-certificate --certificate 4000,4000 ; echo $?
+CRITICAL - Certificate '*.google.fr' expires in 74 day(s) (Tue 22 Oct 2024 12:53:52 PM GMT +0000).
+HTTP OK: HTTP/2 200 - 22807 bytes in 0.076 second response time |time=0.075516s;;;0.000000;10.000000 size=22807B;;;0;
+0
+
+after:
+/usr/lib/nagios/ovh/check_curl -H www.google.fr -S --continue-after-certificate --certificate 4000,4000 ; echo $?
+CRITICAL - Certificate '*.google.fr' expires in 74 day(s) (Tue 22 Oct 2024 12:53:52 PM GMT +0000).
+HTTP OK: HTTP/2 200 - 22840 bytes in 0.090 second response time |time=0.090463s;;;0.000000;10.000000 size=22840B;;;0;
+2
+---
+ plugins/check_curl.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/plugins/check_curl.c b/plugins/check_curl.c
+index 01e2770e3..4522e6c9f 100644
+--- a/plugins/check_curl.c
++++ b/plugins/check_curl.c
+@@ -468,6 +468,7 @@ int
+ check_http (void)
+ {
+ int result = STATE_OK;
++ int result_ssl = STATE_OK;
+ int page_len = 0;
+ int i;
+ char *force_host_header = NULL;
+@@ -852,9 +853,9 @@ check_http (void)
+ /* check certificate with OpenSSL functions, curl has been built against OpenSSL
+ * and we actually have OpenSSL in the monitoring tools
+ */
+- result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
++ result_ssl = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
+ if (!continue_after_check_cert) {
+- return result;
++ return result_ssl;
+ }
+ #else /* USE_OPENSSL */
+ die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");
+@@ -898,17 +899,17 @@ check_http (void)
+ die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
+ }
+ BIO_free (cert_BIO);
+- result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
++ result_ssl = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
+ if (!continue_after_check_cert) {
+- return result;
++ return result_ssl;
+ }
+ #else /* USE_OPENSSL */
+ /* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,
+ * so we use the libcurl CURLINFO data
+ */
+- result = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
++ result_ssl = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
+ if (!continue_after_check_cert) {
+- return result;
++ return result_ssl;
+ }
+ #endif /* USE_OPENSSL */
+ } else {
+@@ -1176,7 +1177,7 @@ check_http (void)
+ }
+
+ /* TODO: separate _() msg and status code: die (result, "HTTP %s: %s\n", state_text(result), msg); */
+- die (result, "HTTP %s: %s %d %s%s%s - %d bytes in %.3f second response time %s|%s\n%s%s",
++ die (max_state_alt(result, result_ssl), "HTTP %s: %s %d %s%s%s - %d bytes in %.3f second response time %s|%s\n%s%s",
+ state_text(result), string_statuscode (status_line.http_major, status_line.http_minor),
+ status_line.http_code, status_line.msg,
+ strlen(msg) > 0 ? " - " : "",
+@@ -1186,7 +1187,7 @@ check_http (void)
+ (show_body ? body_buf.buf : ""),
+ (show_body ? "\n" : "") );
+
+- return result;
++ return max_state_alt(result, result_ssl);
+ }
+
+ int
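Review bot: The final `die (max_state_alt(result, result_ssl), "HTTP %s: ...", state_text(result), ...)` in check_http now exits with the worse of the two states but still takes the status word from `result` alone, so the last line can read `HTTP OK` while the exit code is 2, as the commit message's own "after" sample shows. If that is intended because the certificate line is printed earlier, a comment at the die call would document it, e.g. `/* exit code includes the certificate state; the text below reports the HTTP result only */`. Only the final die and return are visible here; any earlier exit from check_http that uses `result` after the certificate check would still drop a worse `result_ssl`, which is worth checking in the lines between the hunks. The diffstat touches plugins/check_curl.c only, so the new exit code for --continue-after-certificate has no test; plugins/tests/check_curl.t would be the place for one.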
=====================================
debian/patches/series
=====================================
@@ -1,4 +1,6 @@
02_check_icmp_links
03_epn
# commited upstream
+10_check_curl_fix_redirects
+11_check_curl_raise_ssl_issue
# feature patches
View it on GitLab: https://salsa.debian.org/nagios-team/monitoring-plugins/-/compare/2d414bd2666a753d20080baeb498e7f9a51dece9...15760add883fa12dc41bc4c4c95c1fdd546d47bc