Merge pull request #873 from ripienaar/check_credentials

Adds server check credentials that can monitor cred files

Author: ripienaar

cli/server_check_command.go

@@ -18,16 +18,19 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/url"
+	"os"
 	"regexp"
 	"strconv"
 	"time"
 
 	"github.com/choria-io/fisk"
 	"github.com/nats-io/jsm.go"
 	"github.com/nats-io/jsm.go/api"
+	"github.com/nats-io/jwt/v2"
 	"github.com/nats-io/nats-server/v2/server"
 	"github.com/nats-io/nats.go"
 	"github.com/nats-io/natscli/monitor"
+	"github.com/nats-io/nkeys"
 )
 
 type SrvCheckCmd struct {
@@ -86,10 +89,14 @@ type SrvCheckCmd struct {
 	msgRegexp   *regexp.Regexp
 	msgBodyAsTs bool
 
-	kvBucket     string
-	kvValuesCrit int
-	kvValuesWarn int
-	kvKey        string
+	kvBucket                 string
+	kvValuesCrit             int
+	kvValuesWarn             int
+	kvKey                    string
+	credentialValidityCrit   time.Duration
+	credentialValidityWarn   time.Duration
+	credentialRequiresExpire bool
+	credential               string
 }
 
 func configureServerCheckCommand(srv *fisk.CmdClause) {
@@ -170,6 +177,12 @@ func configureServerCheckCommand(srv *fisk.CmdClause) {
 	kv.Flag("values-critical", "Critical threshold for number of values in the bucket").Default("-1").IntVar(&c.kvValuesCrit)
 	kv.Flag("values-warn", "Warning threshold for number of values in the bucket").Default("-1").IntVar(&c.kvValuesWarn)
 	kv.Flag("key", "Requires a key to have any non-delete value set").StringVar(&c.kvKey)
+
+	cred := check.Command("credential", "Checks the validity of a NATS credential file").Action(c.checkCredentialAction)
+	cred.Flag("credential", "The file holding the NATS credential").Required().StringVar(&c.credential)
+	cred.Flag("validity-warn", "Warning threshold for time before expiry").DurationVar(&c.credentialValidityWarn)
+	cred.Flag("validity-critical", "Critical threshold for time before expiry").DurationVar(&c.credentialValidityCrit)
+	cred.Flag("require-expiry", "Requires the credential to have expiry set").Default("true").BoolVar(&c.credentialRequiresExpire)
 }
 
 var (
@@ -986,3 +999,61 @@ func (c *SrvCheckCmd) checkConnection(_ *fisk.ParseContext) error {
 
 	return nil
 }
+
+func (c *SrvCheckCmd) checkCredential(check *monitor.Result) error {
+	ok, err := fileAccessible(c.credential)
+	if err != nil {
+		check.Critical("credential not accessible: %v", err)
+		return nil
+	}
+
+	if !ok {
+		check.Critical("credential not accessible")
+		return nil
+	}
+
+	cb, err := os.ReadFile(c.credential)
+	if err != nil {
+		check.Critical("credential not accessible: %v", err)
+		return nil
+	}
+
+	token, err := nkeys.ParseDecoratedJWT(cb)
+	if err != nil {
+		check.Critical("invalid credential: %v", err)
+		return nil
+	}
+
+	claims, err := jwt.Decode(token)
+	if err != nil {
+		check.Critical("invalid credential: %v", err)
+	}
+
+	now := time.Now().UTC().Unix()
+	cd := claims.Claims()
+	until := cd.Expires - now
+	crit := int64(c.credentialValidityCrit.Seconds())
+	warn := int64(c.credentialValidityWarn.Seconds())
+
+	check.Pd(&monitor.PerfDataItem{Help: "Expiry time in seconds", Name: "expiry", Value: float64(until), Warn: float64(warn), Crit: float64(crit), Unit: "s"})
+
+	switch {
+	case cd.Expires == 0 && c.credentialRequiresExpire:
+		check.Critical("never expires")
+	case c.credentialValidityCrit > 0 && (until <= crit):
+		check.Critical("expires sooner than %s", f(c.credentialValidityCrit))
+	case c.credentialValidityWarn > 0 && (until <= warn):
+		check.Warn("expires sooner than %s", f(c.credentialValidityWarn))
+	default:
+		check.Ok("expires in %s", time.Unix(cd.Expires, 0).UTC())
+	}
+
+	return nil
+}
+
+func (c *SrvCheckCmd) checkCredentialAction(_ *fisk.ParseContext) error {
+	check := &monitor.Result{Name: "Credential", Check: "credential", OutFile: checkRenderOutFile, NameSpace: opts.PrometheusNamespace, RenderFormat: checkRenderFormat}
+	defer check.GenericExit()
+
+	return c.checkCredential(check)
+}

cli/server_check_command_test.go

@@ -765,6 +765,97 @@ func TestCheckVarz(t *testing.T) {
 	})
 }
 
+func TestCheckCredential(t *testing.T) {
+	noExpiry := `-----BEGIN NATS USER JWT-----
+eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJBSUdIM0I2TEFGQkMzNktaSFJCSFI1QVZaTVFHQkdDS0NRTlNXRFBMN0U1NE5SM0I1SkxRIiwiaWF0IjoxNjk1MzY5NjU1LCJpc3MiOiJBRFFCT1haQTZaWk5MMko0VFpZNTZMUVpUN1FCVk9DNDVLVlQ3UDVNWkZVWU1LSVpaTUdaSE02QSIsIm5hbWUiOiJib2IiLCJzdWIiOiJVQkhPVDczREVGN1dZWUZUS1ZVSDZNWDNFUUVZSlFWWUNBRUJXUFJaSDNYR0E2WDdLRDNGUkFYSCIsIm5hdHMiOnsicHViIjp7fSwic3ViIjp7fSwic3VicyI6LTEsImRhdGEiOi0xLCJwYXlsb2FkIjotMSwidHlwZSI6InVzZXIiLCJ2ZXJzaW9uIjoyfX0.kGsxvI3NNNp60unItd-Eo1Yw6B9T3rBOeq7lvRY_klP5yTaBZwhCTKUNYdr_n2HNkCNB44fyW2_pmBhDki_CDQ
+------END NATS USER JWT------
+
+************************* IMPORTANT *************************
+NKEY Seed printed below can be used to sign and prove identity.
+NKEYs are sensitive and should be treated as secrets.
+
+-----BEGIN USER NKEY SEED-----
+SUAIQJDZJGYOJN4NBOLYRRENCNTPXZ7PPVQW7RWEXWJUNBAFDRPDO27JWA
+------END USER NKEY SEED------
+
+*************************************************************`
+
+	expires2100 := `-----BEGIN NATS USER JWT-----
+eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJleHAiOjQxMDI0NDQ4MDAsImp0aSI6IlhRQkNTUUo3M0c3STRWR0JVUUNNQjdKRVlDWlVNUzdLUzJPU0Q1Skk3WjY0NEE0TU40SUEiLCJpYXQiOjE2OTUzNzA4OTcsImlzcyI6IkFERU5CTlBZSUwzTklXVkxCMjJVUU5FR0NMREhGSllNSUxEVEFQSlk1SFlQV05LQVZQNzJXREFSIiwibmFtZSI6ImJvYiIsInN1YiI6IlVCTTdYREtRUzRRQVBKUEFCSllWSU5RR1lETko2R043MjZNQ01DV0VZRDJTTU9GQVZOQ1E1M09IIiwibmF0cyI6eyJwdWIiOnt9LCJzdWIiOnt9LCJzdWJzIjotMSwiZGF0YSI6LTEsInBheWxvYWQiOi0xLCJ0eXBlIjoidXNlciIsInZlcnNpb24iOjJ9fQ.3ytewtkFoRLKNeRJjPGOyNWeeQKqKdfHmyRL2ofaUiqj_OoN2LAmg_Ms2zpU-A_2xAiUH7VsMIRJxw1cx3bwAg
+------END NATS USER JWT------
+
+************************* IMPORTANT *************************
+NKEY Seed printed below can be used to sign and prove identity.
+NKEYs are sensitive and should be treated as secrets.
+
+-----BEGIN USER NKEY SEED-----
+SUAKYITMHPMSYUGPNQBLLPGOPFQN44XNCGXHNSHLJJVMD3IKYGBOLAI7TI
+------END USER NKEY SEED------
+
+*************************************************************`
+
+	writeCred := func(t *testing.T, cred string) string {
+		tf, err := os.CreateTemp("", "")
+		assertNoError(t, err)
+
+		tf.Write([]byte(cred))
+		tf.Close()
+
+		return tf.Name()
+	}
+
+	t.Run("no expiry", func(t *testing.T) {
+		cmd := &SrvCheckCmd{}
+		cmd.credential = writeCred(t, noExpiry)
+		defer func(f string) { os.Remove(f) }(cmd.credential)
+
+		cmd.credentialRequiresExpire = true
+
+		check := &monitor.Result{}
+		assertNoError(t, cmd.checkCredential(check))
+		assertListEquals(t, check.Criticals, "never expires")
+		assertListIsEmpty(t, check.Warnings)
+
+		cmd.credential = writeCred(t, expires2100)
+		defer func(f string) { os.Remove(f) }(cmd.credential)
+
+		check = &monitor.Result{}
+		assertNoError(t, cmd.checkCredential(check))
+		assertListIsEmpty(t, check.Criticals)
+		assertListIsEmpty(t, check.Warnings)
+		assertListEquals(t, check.OKs, "expires in 2100-01-01 00:00:00 +0000 UTC")
+	})
+
+	t.Run("critical", func(t *testing.T) {
+		cmd := &SrvCheckCmd{}
+		cmd.credential = writeCred(t, expires2100)
+
+		defer os.Remove(cmd.credential)
+
+		check := &monitor.Result{}
+		cmd.credentialValidityCrit = 100 * 24 * 365 * time.Hour
+
+		assertNoError(t, cmd.checkCredential(check))
+		assertListEquals(t, check.Criticals, "expires sooner than 100y0d0h0m0s")
+		assertListIsEmpty(t, check.Warnings)
+		assertListIsEmpty(t, check.OKs)
+	})
+
+	t.Run("warning", func(t *testing.T) {
+		cmd := &SrvCheckCmd{}
+		cmd.credential = writeCred(t, expires2100)
+		defer os.Remove(cmd.credential)
+
+		check := &monitor.Result{}
+		cmd.credentialValidityWarn = 100 * 24 * 365 * time.Hour
+
+		assertNoError(t, cmd.checkCredential(check))
+		assertListEquals(t, check.Warnings, "expires sooner than 100y0d0h0m0s")
+		assertListIsEmpty(t, check.Criticals)
+		assertListIsEmpty(t, check.OKs)
+	})
+
+}
 func TestCheckJSZ(t *testing.T) {
 	cmd := &SrvCheckCmd{}
 

cli/util_test.go

@@ -47,13 +47,13 @@ func assertListIsEmpty(t *testing.T, list []string) {
 	}
 }
 
-func assertListEquals(t *testing.T, list []string, crits ...string) {
+func assertListEquals(t *testing.T, list []string, vals ...string) {
 	t.Helper()
 
 	sort.Strings(list)
-	sort.Strings(crits)
+	sort.Strings(vals)
 
-	if !cmp.Equal(list, crits) {
+	if !cmp.Equal(list, vals) {
 		t.Fatalf("invalid items: %v", list)
 	}
 }