diff --git a/src/network/fortinet/fortigate/restapi/mode/certificates.pm b/src/network/fortinet/fortigate/restapi/mode/certificates.pm new file mode 100644 index 000000000..c13c2636a --- /dev/null +++ b/src/network/fortinet/fortigate/restapi/mode/certificates.pm @@ -0,0 +1,199 @@ +# +# Copyright 2025 Centreon (http://www.centreon.com/) +# +# Centreon is a full-fledged industry-strength solution that meets +# the needs in IT infrastructure and application monitoring for +# service performance. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +package network::fortinet::fortigate::restapi::mode::certificates; + +use base qw(centreon::plugins::templates::counter); + +use strict; +use warnings; +use centreon::plugins::templates::catalog_functions qw(catalog_status_threshold_ng); +use centreon::plugins::misc; +use POSIX; + +my $unitdiv = { s => 1, w => 604800, d => 86400, h => 3600, m => 60 }; +my $unitdiv_long = { s => 'seconds', w => 'weeks', d => 'days', h => 'hours', m => 'minutes' }; + +sub custom_expires_perfdata { + my ($self, %options) = @_; + + $self->{output}->perfdata_add( + nlabel => $self->{nlabel} . '.' . $unitdiv_long->{ $self->{instance_mode}->{option_results}->{unit} }, + unit => $self->{instance_mode}->{option_results}->{unit}, + instances => $self->{result_values}->{name}, + value => floor($self->{result_values}->{expires_seconds} / $unitdiv->{ $self->{instance_mode}->{option_results}->{unit} }), + warning => $self->{perfdata}->get_perfdata_for_output(label => 'warning-' . $self->{thlabel}), + critical => $self->{perfdata}->get_perfdata_for_output(label => 'critical-' . $self->{thlabel}), + min => 0 + ); +} + +sub custom_expires_threshold { + my ($self, %options) = @_; + + return $self->{perfdata}->threshold_check( + value => floor($self->{result_values}->{expires_seconds} / $unitdiv->{ $self->{instance_mode}->{option_results}->{unit} }), + threshold => [ + { label => 'critical-' . $self->{thlabel}, exit_litteral => 'critical' }, + { label => 'warning-'. $self->{thlabel}, exit_litteral => 'warning' }, + { label => 'unknown-'. $self->{thlabel}, exit_litteral => 'unknown' } + ] + ); +} + +sub custom_status_output { + my ($self, %options) = @_; + + return 'status: ' . $self->{result_values}->{status}; +} + +sub prefix_certificate_output { + my ($self, %options) = @_; + + return sprintf( + "Certificate '%s' ", + $options{instance_value}->{name} + ); +} + +sub set_counters { + my ($self, %options) = @_; + + $self->{maps_counters_type} = [ + { name => 'certificates', type => 1, cb_prefix_output => 'prefix_certificate_output', message_multiple => 'All certificates are ok', skipped_code => { -10 => 1 } } + ]; + + $self->{maps_counters}->{certificates} = [ + { label => 'status', type => 2, critical_default => '%{status} =~ /expired/i', set => { + key_values => [ { name => 'name' }, { name => 'status' } ], + closure_custom_output => $self->can('custom_status_output'), + closure_custom_perfdata => sub { return 0; }, + closure_custom_threshold_check => \&catalog_status_threshold_ng + } + }, + { label => 'expires', nlabel => 'certificate.expires', set => { + key_values => [ { name => 'expires_seconds' }, { name => 'expires_human' }, { name => 'name' } ], + output_template => 'expires in %s', + output_use => 'expires_human', + closure_custom_perfdata => $self->can('custom_expires_perfdata'), + closure_custom_threshold_check => $self->can('custom_expires_threshold') + } + } + ]; +} + +sub new { + my ($class, %options) = @_; + my $self = $class->SUPER::new(package => __PACKAGE__, %options, force_new_perfdata => 1); + bless $self, $class; + + $options{options}->add_options(arguments => { + 'filter-name:s' => { name => 'filter_name' }, + 'unit:s' => { name => 'unit', default => 's' } + }); + + return $self; +} + +sub check_options { + my ($self, %options) = @_; + $self->SUPER::check_options(%options); + + if ($self->{option_results}->{unit} eq '' || !defined($unitdiv->{$self->{option_results}->{unit}})) { + $self->{option_results}->{unit} = 's'; + } +} + +sub add_certificate { + my ($self, %options) = @_; + + return if (!defined($options{entry}->{status})); + return if (defined($self->{option_results}->{filter_name}) && $self->{option_results}->{filter_name} ne '' && + $options{name} !~ /$self->{option_results}->{filter_name}/); + + $self->{certificates}->{ $options{name} } = { + name => $options{name}, + status => $options{entry}->{status} + }; + if (defined($options{entry}->{valid_to})) { + $self->{certificates}->{ $options{name} }->{expires_seconds} = $options{entry}->{valid_to} - time(); + $self->{certificates}->{ $options{name} }->{expires_seconds} = 0 if ($self->{certificates}->{ $options{name} }->{expires_seconds} < 0); + $self->{certificates}->{ $options{name} }->{expires_human} = centreon::plugins::misc::change_seconds( + value => $self->{certificates}->{ $options{name} }->{expires_seconds} + ); + } +} + +sub manage_selection { + my ($self, %options) = @_; + + my $certificates = $options{custom}->request_api( + endpoint => '/api/v2/monitor/system/available-certificates' + ); + + $self->{certificates} = {}; + + foreach my $certificate (@{ $certificates->{results} }) { + if (defined($certificate->{name}) and defined($certificate->{valid_to}) and defined($certificate->{status})) { + $self->add_certificate(name => $certificate->{name}, entry => $certificate); + } + } +} + +1; + +__END__ + +=head1 MODE + +Check certificates. + +=over 8 + +=item B<--filter-name> + +Filter certificates by name (can be a regexp). + +=item B<--warning-status> + +Define the conditions to match for the status to be WARNING. +You can use the following variables: %{name}, %{status}. + +=item B<--critical-status> + +Define the conditions to match for the status to be CRITICAL (Default: '%{status} =~ /expired/i'). +You can use the following variables: %{name}, %{status}. + +=item B<--unit> + +Select the unit for expires threshold. May be 's' for seconds, 'm' for minutes, +'h' for hours, 'd' for days, 'w' for weeks. Default is seconds. + +=item B<--warning-expires> + +Thresholds. + +=item B<--critical-expires> + +Thresholds. + +=back + +=cut diff --git a/src/network/fortinet/fortigate/restapi/plugin.pm b/src/network/fortinet/fortigate/restapi/plugin.pm index c8d05fa03..20214d5ee 100644 --- a/src/network/fortinet/fortigate/restapi/plugin.pm +++ b/src/network/fortinet/fortigate/restapi/plugin.pm @@ -1,5 +1,5 @@ # -# Copyright 2024 Centreon (http://www.centreon.com/) +# Copyright 2025 Centreon (http://www.centreon.com/) # # Centreon is a full-fledged industry-strength solution that meets # the needs in IT infrastructure and application monitoring for @@ -33,6 +33,7 @@ sub new { 'ha' => 'network::fortinet::fortigate::restapi::mode::ha', 'health' => 'network::fortinet::fortigate::restapi::mode::health', 'licenses' => 'network::fortinet::fortigate::restapi::mode::licenses', + 'certificates' => 'network::fortinet::fortigate::restapi::mode::certificates', 'system' => 'network::fortinet::fortigate::restapi::mode::system' }; diff --git a/tests/network/fortinet/fortigate/restapi/certificates.json b/tests/network/fortinet/fortigate/restapi/certificates.json new file mode 100644 index 000000000..ed1e8b48d --- /dev/null +++ b/tests/network/fortinet/fortigate/restapi/certificates.json @@ -0,0 +1,92 @@ +{ + "uuid": "61d0b4e2-a95f-445e-aa64-1dd52294dbcb", + "lastMigration": 32, + "name": "Certificates", + "endpointPrefix": "", + "latency": 0, + "port": 3003, + "hostname": "", + "folders": [], + "routes": [ + { + "uuid": "471baca7-c9b0-491e-899c-5a2f3f2d9e30", + "type": "http", + "documentation": "", + "method": "get", + "endpoint": "api/v2/monitor/system/available-certificates", + "responses": [ + { + "uuid": "ba67a507-8afd-4a7f-8e3e-19503ae5e0d4", + "body": "{\r\n \"action\": \"\",\r\n \"build\": 1577,\r\n \"http_method\": \"GET\",\r\n \"name\": \"available-certificates\",\r\n \"path\": \"system\",\r\n \"results\": [\r\n {\r\n \"cert_protocol\": \"none\",\r\n \"comments\": \"This is the default CA certificate the SSL Inspection will use when generating new server certificates.\",\r\n \"exists\": true,\r\n \"ext\": [\r\n {\r\n \"critical\": false,\r\n \"data\": \"CA:TRUE\",\r\n \"name\": \"X509v3 Basic Constraints\"\r\n }\r\n ],\r\n \"fingerprint\": \"F2:79:B7:F6:F2:79:B7:F6\",\r\n \"has_valid_cert_key\": true,\r\n \"is_built_in\": true,\r\n \"is_ca\": true,\r\n \"is_deep_inspection_cert\": true,\r\n \"is_default_local\": false,\r\n \"is_general_allowable_cert\": true,\r\n \"is_local_ca_cert\": true,\r\n \"is_proxy_ssl_cert\": true,\r\n \"is_ssl_client_cert\": true,\r\n \"is_ssl_server_cert\": true,\r\n \"is_wifi_cert\": false,\r\n \"issuer\": {\r\n \"C\": \"US\",\r\n \"CN\": \"FGSNXXXXXXXXXXXX\",\r\n \"emailAddress\": \"support@fortinet.com\",\r\n \"L\": \"Sunnyvale\",\r\n \"O\": \"Fortinet\",\r\n \"OU\": \"Certificate Authority\",\r\n \"ST\": \"California\"\r\n },\r\n \"issuer_raw\": \"C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FGSNXXXXXXXXXXXX, emailAddress = support@fortinet.com\",\r\n \"key_size\": 2048,\r\n \"key_type\": \"RSA\",\r\n \"name\": \"Fortinet_CA_SSL1\",\r\n \"q_name\": \"local\",\r\n \"q_path\": \"vpn.certificate\",\r\n \"q_ref\": 6,\r\n \"q_static\": true,\r\n \"q_type\": 168,\r\n \"range\": \"global\",\r\n \"serial_number\": \"04:66:A8:A8:04:66:A8:A8\",\r\n \"signature_algorithm\": \"SHA256\",\r\n \"source\": \"factory\",\r\n \"status\": \"valid\",\r\n \"subject\": {\r\n \"C\": \"US\",\r\n \"CN\": \"FGSNXXXXXXXXXXXX\",\r\n \"emailAddress\": \"support@fortinet.com\",\r\n \"L\": \"Sunnyvale\",\r\n \"O\": \"Fortinet\",\r\n \"OU\": \"Certificate Authority\",\r\n \"ST\": \"California\"\r\n },\r\n \"subject_raw\": \"C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FGSNXXXXXXXXXXXX, emailAddress = support@fortinet.com\",\r\n \"type\": \"local-ca\",\r\n \"valid_from\": 1636382833,\r\n \"valid_from_raw\": \"2021-11-08 14:47:13 GMT\",\r\n \"valid_to\": 1952002033,\r\n \"valid_to_raw\": \"2031-11-09 14:47:13 GMT\",\r\n \"version\": 3\r\n },\r\n {\r\n \"cert_protocol\": \"none\",\r\n \"comments\": \"This is the default CA certificate the SSL Inspection will use when generating new server certificates.\",\r\n \"exists\": true,\r\n \"ext\": [\r\n {\r\n \"critical\": false,\r\n \"data\": \"CA:TRUE\",\r\n \"name\": \"X509v3 Basic Constraints\"\r\n }\r\n ],\r\n \"fingerprint\": \"F2:79:B7:F6:F2:79:B7:F6\",\r\n \"has_valid_cert_key\": true,\r\n \"is_built_in\": true,\r\n \"is_ca\": true,\r\n \"is_deep_inspection_cert\": true,\r\n \"is_default_local\": false,\r\n \"is_general_allowable_cert\": true,\r\n \"is_local_ca_cert\": true,\r\n \"is_proxy_ssl_cert\": true,\r\n \"is_ssl_client_cert\": true,\r\n \"is_ssl_server_cert\": true,\r\n \"is_wifi_cert\": false,\r\n \"issuer\": {\r\n \"C\": \"US\",\r\n \"CN\": \"FGSNXXXXXXXXXXXX\",\r\n \"emailAddress\": \"support@fortinet.com\",\r\n \"L\": \"Sunnyvale\",\r\n \"O\": \"Fortinet\",\r\n \"OU\": \"Certificate Authority\",\r\n \"ST\": \"California\"\r\n },\r\n \"issuer_raw\": \"C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FGSNXXXXXXXXXXXX, emailAddress = support@fortinet.com\",\r\n \"key_size\": 2048,\r\n \"key_type\": \"RSA\",\r\n \"name\": \"Fortinet_CA_SSL\",\r\n \"q_name\": \"local\",\r\n \"q_path\": \"vpn.certificate\",\r\n \"q_ref\": 6,\r\n \"q_static\": true,\r\n \"q_type\": 168,\r\n \"range\": \"global\",\r\n \"serial_number\": \"04:66:A8:A8:04:66:A8:A8\",\r\n \"signature_algorithm\": \"SHA256\",\r\n \"source\": \"factory\",\r\n \"status\": \"valid\",\r\n \"subject\": {\r\n \"C\": \"US\",\r\n \"CN\": \"FGSNXXXXXXXXXXXX\",\r\n \"emailAddress\": \"support@fortinet.com\",\r\n \"L\": \"Sunnyvale\",\r\n \"O\": \"Fortinet\",\r\n \"OU\": \"Certificate Authority\",\r\n \"ST\": \"California\"\r\n },\r\n \"subject_raw\": \"C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FGSNXXXXXXXXXXXX, emailAddress = support@fortinet.com\",\r\n \"type\": \"local-ca\",\r\n \"valid_from\": 1732824780,\r\n \"valid_from_raw\": \"2024-11-28 20:13:00 GMT\",\r\n \"valid_to\": 1804104780,\r\n \"valid_to_raw\": \"2027-03-03 20:13:00 GMT\",\r\n \"version\": 3\r\n },\r\n {\r\n \"cert_protocol\": \"none\",\r\n \"comments\": \"This is the default CA certificate the SSL Inspection will use when generating new server certificates.\",\r\n \"exists\": true,\r\n \"ext\": [\r\n {\r\n \"critical\": false,\r\n \"data\": \"CA:TRUE\",\r\n \"name\": \"X509v3 Basic Constraints\"\r\n }\r\n ],\r\n \"fingerprint\": \"F2:79:B7:F6:F2:79:B7:F6\",\r\n \"has_valid_cert_key\": true,\r\n \"is_built_in\": true,\r\n \"is_ca\": true,\r\n \"is_deep_inspection_cert\": true,\r\n \"is_default_local\": false,\r\n \"is_general_allowable_cert\": true,\r\n \"is_local_ca_cert\": true,\r\n \"is_proxy_ssl_cert\": true,\r\n \"is_ssl_client_cert\": true,\r\n \"is_ssl_server_cert\": true,\r\n \"is_wifi_cert\": false,\r\n \"issuer\": {\r\n \"C\": \"US\",\r\n \"CN\": \"FGSNXXXXXXXXXXXX\",\r\n \"emailAddress\": \"support@fortinet.com\",\r\n \"L\": \"Sunnyvale\",\r\n \"O\": \"Fortinet\",\r\n \"OU\": \"Certificate Authority\",\r\n \"ST\": \"California\"\r\n },\r\n \"issuer_raw\": \"C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FGSNXXXXXXXXXXXX, emailAddress = support@fortinet.com\",\r\n \"key_size\": 2048,\r\n \"key_type\": \"RSA\",\r\n \"name\": \"Fortinet_CA_SSL2\",\r\n \"q_name\": \"local\",\r\n \"q_path\": \"vpn.certificate\",\r\n \"q_ref\": 6,\r\n \"q_static\": true,\r\n \"q_type\": 168,\r\n \"range\": \"global\",\r\n \"serial_number\": \"04:66:A8:A8:04:66:A8:A8\",\r\n \"signature_algorithm\": \"SHA256\",\r\n \"source\": \"factory\",\r\n \"status\": \"valid\",\r\n \"subject\": {\r\n \"C\": \"US\",\r\n \"CN\": \"FGSNXXXXXXXXXXXX\",\r\n \"emailAddress\": \"support@fortinet.com\",\r\n \"L\": \"Sunnyvale\",\r\n \"O\": \"Fortinet\",\r\n \"OU\": \"Certificate Authority\",\r\n \"ST\": \"California\"\r\n },\r\n \"subject_raw\": \"C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FGSNXXXXXXXXXXXX, emailAddress = support@fortinet.com\",\r\n \"type\": \"local-ca\",\r\n \"valid_from\": 1732824775,\r\n \"valid_from_raw\": \"2024-11-28 20:12:55 GMT\",\r\n \"valid_to\": 1804104775,\r\n \"valid_to_raw\": \"2027-03-03 20:12:55 GMT\",\r\n \"version\": 3\r\n }\r\n ],\r\n \"serial\": \"FGSNXXXXXXXXXXXX\",\r\n \"status\": \"success\",\r\n \"vdom\": \"root\",\r\n \"version\": \"v7.2.0\"\r\n}", + "latency": 0, + "statusCode": 200, + "label": "", + "headers": [], + "bodyType": "INLINE", + "filePath": "", + "databucketID": "", + "sendFileAsBody": false, + "rules": [], + "rulesOperator": "OR", + "disableTemplating": false, + "fallbackTo404": false, + "default": true, + "crudKey": "id", + "callbacks": [] + } + ], + "responseMode": null + } + ], + "rootChildren": [ + { + "type": "route", + "uuid": "471baca7-c9b0-491e-899c-5a2f3f2d9e30" + } + ], + "proxyMode": false, + "proxyHost": "", + "proxyRemovePrefix": false, + "tlsOptions": { + "enabled": false, + "type": "CERT", + "pfxPath": "", + "certPath": "", + "keyPath": "", + "caPath": "", + "passphrase": "" + }, + "cors": true, + "headers": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "Access-Control-Allow-Origin", + "value": "*" + }, + { + "key": "Access-Control-Allow-Methods", + "value": "GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS" + }, + { + "key": "Access-Control-Allow-Headers", + "value": "Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With" + } + ], + "proxyReqHeaders": [ + { + "key": "", + "value": "" + } + ], + "proxyResHeaders": [ + { + "key": "", + "value": "" + } + ], + "data": [], + "callbacks": [] +} \ No newline at end of file diff --git a/tests/network/fortinet/fortigate/restapi/certificates.robot b/tests/network/fortinet/fortigate/restapi/certificates.robot new file mode 100644 index 000000000..12f9a390b --- /dev/null +++ b/tests/network/fortinet/fortigate/restapi/certificates.robot @@ -0,0 +1,35 @@ +*** Settings *** + +Resource ${CURDIR}${/}..${/}..${/}..${/}..${/}resources/import.resource + +Suite Setup Start Mockoon ${MOCKOON_JSON} +Suite Teardown Stop Mockoon +Test Timeout 120s + +** Variables *** +${MOCKOON_JSON} ${CURDIR}${/}certificates.json + +${CMD} ${CENTREON_PLUGINS} +... --plugin=network::fortinet::fortigate::restapi::plugin +... --mode=certificates +... --hostname=${HOSTNAME} +... --proto='http' +... --access-token=mokoon-token +... --port=${APIPORT} + +*** Test Cases *** +certificates ${tc} + [Tags] network fortinet fortigate restapi + ${command} Catenate + ... ${CMD} + ... ${extra_options} + + + Ctn Run Command And Check Result As Regexp ${command} ${expected_result} + + Examples: tc extra_options expected_result -- + ... 1 --filter-name='Fortinet_CA_SSL' OK: All certificates are ok \\\| 'Fortinet_CA_SSL#certificate.expires.seconds=\\\d+;;;0; 'Fortinet_CA_SSL1#certificate.expires.seconds=\\\d+;;;0; 'Fortinet_CA_SSL2#certificate.expires.seconds=\\\d+;;;0; + ... 2 --warning-status='\\\%{status} =~ /valid/i' WARNING: Certificate 'Fortinet_CA_SSL' status: valid - Certificate 'Fortinet_CA_SSL1' status: valid - Certificate 'Fortinet_CA_SSL2' status: valid \\\| 'Fortinet_CA_SSL#certificate.expires.seconds'=\d+;;;0; 'Fortinet_CA_SSL1#certificate.expires.seconds'=\d+;;;0; 'Fortinet_CA_SSL2#certificate.expires.seconds'=\d+;;;0; + ... 3 --critical-status='\\\%{status} =~ /valid/i' CRITICAL: Certificate 'Fortinet_CA_SSL' status: valid - Certificate 'Fortinet_CA_SSL1' status: valid - Certificate 'Fortinet_CA_SSL2' status: valid \\\| 'Fortinet_CA_SSL#certificate.expires.seconds'=\d+;;;0; 'Fortinet_CA_SSL1#certificate.expires.seconds'=\d+;;;0; 'Fortinet_CA_SSL2#certificate.expires.seconds'=\d+;;;0; + ... 4 --unit='m' OK: All certificates are ok \\\| 'Fortinet_CA_SSL#certificate.expires.minutes'=\d+;;;0; 'Fortinet_CA_SSL1#certificate.expires.minutes'=\d+;;;0; 'Fortinet_CA_SSL2#certificate.expires.minutes'=\d+;;;0; + ... 5 --warning-expires='60' --critical-expires='30' --unit='d' CRITICAL: Certificate 'Fortinet_CA_SSL' expires in (\\\\d+y)?\\\\s?(\\\\d+M)?\\\\s?(\\\\d+w)?\\\\s?(\\\\d+d)?\\\\s?(\\\\d+h)?\\\\s?(\\\\d+m)?\\\\s?(\\\\d+s)? - Certificate 'Fortinet_CA_SSL1' expires in (\\\\d+y)?\\\\s?(\\\\d+M)?\\\\s?(\\\\d+w)?\\\\s?(\\\\d+d)?\\\\s?(\\\\d+h)?\\\\s?(\\\\d+m)?\\\\s?(\\\\d+s)? - Certificate 'Fortinet_CA_SSL2' expires in (\\\\d+y)?\\\\s?(\\\\d+M)?\\\\s?(\\\\d+w)?\\\\s?(\\\\d+d)?\\\\s?(\\\\d+h)?\\\\s?(\\\\d+m)?\\\\s?(\\\\d+s)? \\\| 'Fortinet_CA_SSL#certificate.expires.days'=\d+;0:60;0:30;0; 'Fortinet_CA_SSL1#certificate.expires.days'=\d+;0:60;0:30;0; 'Fortinet_CA_SSL2#certificate.expires.days'=\d+;0:60;0:30;0; \ No newline at end of file