centreon-plugins/centreon/plugins/nrpe.pm


#
# Copyright 2021 Centreon (http://www.centreon.com/)
#
# Centreon is a full-fledged industry-strength solution that meets
# the needs in IT infrastructure and application monitoring for
# service performance.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
package centreon::plugins::nrpe;
use strict;
use warnings;
use centreon::plugins::misc;
use Convert::Binary::C;
use Digest::CRC 'crc32';
use IO::Socket;
use IO::Socket::INET6;
use IO::Socket::SSL;
use Socket qw(SOCK_STREAM AF_INET6 AF_INET);
sub new {
    # Constructor: registers the NRPE command-line options and keeps the
    # output handle for later error reporting.
    #
    # Named arguments (read from %options):
    #   output   - object used for error messages (required)
    #   options  - object on which the options and help section are registered (required)
    #   noptions - when defined, the NRPE options are not registered
    #
    # Returns the new blessed object.
    my ($class, %options) = @_;
    my $self = bless {}, $class;

    # Without an output object there is nothing to report through, so the
    # message goes to STDOUT and the process exits with status 3
    # (presumably the monitoring "unknown" status - confirm).
    unless (defined($options{output})) {
        print "Class NRPE: Need to specify 'output' argument.\n";
        exit 3;
    }
    unless (defined($options{options})) {
        $options{output}->add_option_msg(short_msg => "Class NRPE: Need to specify 'options' argument.");
        $options{output}->option_exit();
    }

    unless (defined($options{noptions})) {
        my %nrpe_arguments = (
            'nrpe-version:s'  => { name => 'nrpe_version', default => 2 },
            'nrpe-port:s'     => { name => 'nrpe_port', default => 5666 },
            'nrpe-payload:s'  => { name => 'nrpe_payload', default => 1024 },
            'nrpe-bindaddr:s' => { name => 'nrpe_bindaddr' },
            'nrpe-use-ipv4'   => { name => 'nrpe_use_ipv4' },
            'nrpe-use-ipv6'   => { name => 'nrpe_use_ipv6' },
            'nrpe-timeout:s'  => { name => 'nrpe_timeout', default => 10 },
            # Repeatable; each value is later evaluated as Perl by check_options().
            'ssl-opt:s@'      => { name => 'ssl_opt' },
        );
        $options{options}->add_options(arguments => \%nrpe_arguments);
    }
    $options{options}->add_help(package => __PACKAGE__, sections => 'NRPE CLASS OPTIONS');

    $self->{output} = $options{output};
    return $self;
}
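sub check_options {
    # Validate the parsed command-line options and derive the connection
    # settings from them.
    #
    # Named arguments:
    #   option_results - hash reference of parsed option values
    #
    # Sets nrpe_version, nrpe_payload, nrpe_params and ssl_context on the
    # object. An unsupported version is reported through the output object.
    my ($self, %options) = @_;
    my $results = $options{option_results};

    $results->{nrpe_version} =~ s/^v//;
    # Anchored on both sides: the unanchored /2|3|4/ also accepted values
    # such as "23" or "x4y", which then selected a packet format by accident.
    if ($results->{nrpe_version} !~ /\A[234]\z/) {
        $self->{output}->add_option_msg(short_msg => "Unknown NRPE version.");
        $self->{output}->option_exit();
    }
    $self->{nrpe_version} = $results->{nrpe_version};
    # NOTE(review): nrpe_payload is stored as given; assemble_v2 interpolates
    # it into a C struct definition, so a numeric check may be worth adding.
    $self->{nrpe_payload} = $results->{nrpe_payload};

    %{$self->{nrpe_params}} = (
        PeerHost => $results->{hostname},
        PeerPort => $results->{nrpe_port},
        Timeout  => $results->{nrpe_timeout},
    );
    # The option is registered as 'nrpe_bindaddr'; testing 'bindaddr' meant
    # --nrpe-bindaddr was silently ignored and the default source address used.
    if ($results->{nrpe_bindaddr}) {
        $self->{nrpe_params}->{LocalAddr} = $results->{nrpe_bindaddr};
    }
    if ($results->{nrpe_use_ipv4}) {
        $self->{nrpe_params}->{Domain} = AF_INET;
    } elsif ($results->{nrpe_use_ipv6}) {
        $self->{nrpe_params}->{Domain} = AF_INET6;
    }

    # Each --ssl-opt has the form "SSL_name => value". The value (up to the
    # first whitespace) is handed to assign_eval(), which evaluates it as a
    # Perl expression, so these options must come from a trusted command line.
    $self->{ssl_context} = {};
    foreach my $ssl_opt (@{$results->{ssl_opt}}) {
        next unless $ssl_opt =~ /(SSL_[A-Za-z_]+)\s+=>\s*(\S+)/;
        my ($name, $expression) = ($1, $2);
        $self->{ssl_context}->{$name} = $self->assign_eval(eval => $expression);
    }
}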
sub load_eval {
    # Try to load the Safe module and, on success, prepare a restricted
    # compartment used to evaluate --ssl-opt values.
    #
    # safe_test is set to 1 whether or not the module loaded, so the load is
    # attempted once only. When it did not load, $self->{safe} stays unset
    # and assign_eval() falls back to a plain string eval.
    my $self = shift;

    my ($load_status) = centreon::plugins::misc::mymodule_load(
        output  => $self->{output},
        module  => 'Safe',
        no_quit => 1
    );
    if ($load_status == 0) {
        my $compartment = $self->{safe} = Safe->new();
        # Only this opcode set is permitted inside the compartment.
        $compartment->permit_only(':base_core', 'rv2gv', 'padany');
        # Package variables the evaluated expression reads and writes.
        $compartment->share($_) for ('$values', '$assign_var');
        # IO::Socket::SSL constants that may appear in an option value.
        my @ssl_constants = (
            'SSL_VERIFY_NONE', 'SSL_VERIFY_PEER', 'SSL_VERIFY_FAIL_IF_NO_PEER_CERT', 'SSL_VERIFY_CLIENT_ONCE',
            'SSL_RECEIVED_SHUTDOWN', 'SSL_SENT_SHUTDOWN',
            'SSL_OCSP_NO_STAPLE', 'SSL_OCSP_MUST_STAPLE', 'SSL_OCSP_FAIL_HARD', 'SSL_OCSP_FULL_CHAIN', 'SSL_OCSP_TRY_STAPLE'
        );
        $compartment->share_from('IO::Socket::SSL', \@ssl_constants);
    }
    $self->{safe_test} = 1;
}
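sub assign_eval {
    # Evaluate a Perl expression given as text and return its value.
    #
    # Named arguments:
    #   eval   - the expression text (in this file: the value of an --ssl-opt)
    #   values - optional data made visible to the expression as $values
    #
    # Dies when the expression cannot be evaluated.
    my ($self, %options) = @_;

    $self->load_eval() if (!defined($self->{safe_test}) || $self->{safe_test} == 0);

    our $assign_var;
    # $assign_var is a package variable and keeps its value between calls.
    # Clear it so a failed evaluation can never return the result of an
    # earlier option.
    $assign_var = undef;
    if (defined($self->{safe})) {
        our $values = $options{values};
        $self->{safe}->reval("\$assign_var = $options{eval}", 1);
        if ($@) {
            die 'Unsafe code evaluation: ' . $@;
        }
    } else {
        # SECURITY: the Safe module could not be loaded, so the text is run
        # by an unrestricted string eval with the full privileges of the
        # plugin. Only text from a trusted command line may reach this branch.
        my $values = $options{values};
        eval "\$assign_var = $options{eval}";
        # Fail as the Safe branch does instead of silently returning undef,
        # which would leave a TLS setting different from what was asked for.
        if ($@) {
            die 'Code evaluation failed: ' . $@;
        }
    }

    return $assign_var;
}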
sub create_socket {
    # Open the connection to the NRPE daemon and return the socket.
    #
    # TLS is used only when at least one SSL option was collected in
    # ssl_context; otherwise the connection is a plain TCP socket and the
    # request and response travel unencrypted and unauthenticated.
    # A connection failure is reported through the output object.
    my ($self, %options) = @_;

    my $use_tls = scalar(keys %{$self->{ssl_context}}) > 0;
    if ($use_tls) {
        my $tls_socket = IO::Socket::SSL->new(%{$self->{nrpe_params}}, %{$self->{ssl_context}});
        unless ($tls_socket) {
            $self->{output}->add_option_msg(short_msg => "Failed to establish SSL connection: $!, ssl_error=$SSL_ERROR");
            $self->{output}->option_exit();
        }
        return $tls_socket;
    }

    my $tcp_socket = IO::Socket::INET6->new(Proto => 'tcp', Type => SOCK_STREAM, %{$self->{nrpe_params}});
    unless ($tcp_socket) {
        $self->{output}->add_option_msg(short_msg => "Failed to create socket: $!");
        $self->{output}->option_exit();
    }
    return $tcp_socket;
}
sub assemble {
    # Build a packed NRPE packet for the protocol version in $options{version}.
    #
    # A fresh Convert::Binary::C object (big-endian, alignment 0) is stored
    # in $self->{c} on every call. Version 2 and 4 have their own builder;
    # any other value is handled by the version 3 builder.
    my ($self, %options) = @_;

    $self->{c} = Convert::Binary::C->new(ByteOrder => 'BigEndian', Alignment => 0);

    my %builder_for = (2 => 'assemble_v2', 4 => 'assemble_v4');
    my $builder = exists($builder_for{$options{version}})
        ? $builder_for{$options{version}}
        : 'assemble_v3';
    my $packed = $self->$builder(%options);
    return $packed;
}
sub assemble_v4 {
    # Build a packed NRPE version 4 packet.
    #
    # Named arguments:
    #   check       - text placed in the packet buffer
    #   type        - packet type (1 when not given)
    #   result_code - result code (2324 when not given)
    #
    # Returns the packed bytes with the CRC32 field filled in.
    my ($self, %options) = @_;

    # The CRC32 only comes out right when the buffer is padded with \0.
    # The buffer apparently has to be a multiple of 1024 bytes, so the size
    # is the next multiple of 1024 above the message length, which always
    # leaves room for at least one \0.
    my $message = $options{check};
    my $padded_size = (int(length($message) / 1024) + 1) * 1024;
    my $padded = pack('Z' . $padded_size, $message);
    # Version 4 declares four bytes more than the padded buffer.
    my $len = length($padded) + 4;

    my $packet_type = defined($options{type}) ? $options{type} : 1;
    my $result_code = defined($options{result_code}) ? $options{result_code} : 2324;
    my $unpacked = {
        alignment      => 0,
        buffer_length  => $len,
        buffer         => $padded,
        crc32_value    => "\x00\x00\x00\x00",
        packet_type    => $packet_type,
        packet_version => 4,
        result_code    => $result_code,
    };

    # $len is interpolated into the C declaration parsed below.
    $self->{c}->parse(<<PACKET_STRUCT);
struct Packet{
unsigned short packet_version;
unsigned short packet_type;
unsigned int crc32_value;
unsigned short result_code;
unsigned short alignment;
int buffer_length;
char buffer[$len];
};
PACKET_STRUCT
    $self->{c}->tag('Packet.buffer', Format => 'String');

    # First pass: pack with an all-zero CRC field and checksum the result.
    # Second pass: pack again with the checksum in place.
    my $zero_crc_packet = $self->{c}->pack('Packet', $unpacked);
    $unpacked->{crc32_value} = crc32($zero_crc_packet);
    return $self->{c}->pack('Packet', $unpacked);
}
sub assemble_v3 {
    # Build a packed NRPE version 3 packet.
    #
    # Named arguments:
    #   check       - text placed in the packet buffer
    #   type        - packet type (1 when not given)
    #   result_code - result code (2324 when not given)
    #
    # Returns the packed bytes with the CRC32 field filled in.
    my ($self, %options) = @_;

    # The CRC32 only comes out right when the buffer is padded with \0.
    # The buffer apparently has to be a multiple of 1024 bytes, so the size
    # is the next multiple of 1024 above the message length, which always
    # leaves room for at least one \0.
    my $message = $options{check};
    my $padded_size = (int(length($message) / 1024) + 1) * 1024;
    my $padded = pack('Z' . $padded_size, $message);
    # Version 3 declares one byte more than the padded buffer.
    my $len = length($padded) + 1;

    my $packet_type = defined($options{type}) ? $options{type} : 1;
    my $result_code = defined($options{result_code}) ? $options{result_code} : 2324;
    my $unpacked = {
        alignment      => 0,
        buffer_length  => $len,
        buffer         => $padded,
        crc32_value    => "\x00\x00\x00\x00",
        packet_type    => $packet_type,
        packet_version => 3,
        result_code    => $result_code,
    };

    # $len is interpolated into the C declaration parsed below.
    $self->{c}->parse(<<PACKET_STRUCT);
struct Packet{
unsigned short packet_version;
unsigned short packet_type;
unsigned int crc32_value;
unsigned short result_code;
unsigned short alignment;
int buffer_length;
char buffer[$len];
};
PACKET_STRUCT
    $self->{c}->tag('Packet.buffer', Format => 'String');

    # First pass: pack with an all-zero CRC field and checksum the result.
    # Second pass: pack again with the checksum in place.
    my $zero_crc_packet = $self->{c}->pack('Packet', $unpacked);
    $unpacked->{crc32_value} = crc32($zero_crc_packet);
    return $self->{c}->pack('Packet', $unpacked);
}
sub assemble_v2 {
    # Build a packed NRPE version 2 packet.
    #
    # Named arguments:
    #   check       - text placed in the packet buffer
    #   payload     - size of the buffer field
    #   type        - packet type (1 when not given)
    #   result_code - result code (2324 when not given)
    #
    # Returns the packed bytes with the CRC32 field filled in.
    my ($self, %options) = @_;

    # The payload size is interpolated as-is into the C declaration parsed
    # below. NOTE(review): nothing in this sub checks that it is a number.
    my $len = $options{payload};

    my $packet_type = defined($options{type}) ? $options{type} : 1;
    my $result_code = defined($options{result_code}) ? $options{result_code} : 2324;
    my $unpacked = {
        buffer         => $options{check},
        crc32_value    => "\x00\x00\x00\x00",
        packet_type    => $packet_type,
        packet_version => 2,
        result_code    => $result_code,
    };

    $self->{c}->parse(<<PACKET_STRUCT);
struct Packet{
unsigned short packet_version;
unsigned short packet_type;
unsigned int crc32_value;
unsigned short result_code;
char buffer[$len];
};
PACKET_STRUCT
    $self->{c}->tag('Packet.buffer', Format => 'String');

    # First pass: pack with an all-zero CRC field and checksum the result.
    # Second pass: pack again with the checksum in place.
    my $zero_crc_packet = $self->{c}->pack('Packet', $unpacked);
    $unpacked->{crc32_value} = crc32($zero_crc_packet);
    return $self->{c}->pack('Packet', $unpacked);
}
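sub validate {
    # Check the CRC32 carried in a raw NRPE packet.
    #
    # Arguments:
    #   $packet - the packet bytes as received
    #
    # Returns 1 when the checksum matches, undef otherwise (also when the
    # packet has no version field or is too short to hold a checksum).
    #
    # The assemble_* subs compute the CRC32 over the packed packet with the
    # checksum field set to four zero bytes, so the same is done here on the
    # received bytes. The previous code re-assembled the packet and took the
    # CRC32 of a packet that already contained its checksum, which could not
    # match the received value; re-assembly also pads the buffer differently
    # from what was received.
    my ($self, $packet) = @_;

    my $unpacked = $self->disassemble($packet, 1);
    if (!$unpacked->{packet_version}) {
        # If version is missing this is probably not an NRPE Packet.
        return undef;
    }

    # The checksum field follows the two 16-bit header fields: bytes 4 to 7.
    if (length($packet) < 8) {
        return undef;
    }
    my $checksum = $unpacked->{crc32_value};
    my $zeroed = $packet;
    substr($zeroed, 4, 4, "\x00\x00\x00\x00");

    # NOTE(review): CRC32 detects corruption only; it gives no protection
    # against deliberate modification of the packet.
    return crc32($zeroed) == $checksum ? 1 : undef;
}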
sub disassemble {
    # Decode raw packet bytes into a hash reference of fields.
    #
    # Arguments:
    #   $packet     - the packet bytes
    #   $novalidate - when true, the CRC32 check is skipped
    #
    # An empty packet, a failed CRC32 check or an unreadable version field
    # is reported through the output object.
    my ($self, $packet, $novalidate) = @_;

    unless ($packet) {
        $self->{output}->add_option_msg(short_msg => "Could not disassemble packet.");
        $self->{output}->option_exit();
    }
    if (!$novalidate && !$self->validate($packet)) {
        $self->{output}->add_option_msg(short_msg => "Packet had invalid CRC32.");
        $self->{output}->option_exit();
    }

    # The version is the first 16-bit big-endian field of the packet.
    my $version = unpack("n", $packet);
    unless (defined($version) && $version ne '') {
        $self->{output}->add_option_msg(short_msg => "Could not disassemble packet.");
        $self->{output}->option_exit();
    }

    # Everything that is not version 2 is decoded with the version 3 layout.
    my $unpacked = $version eq 2
        ? $self->disassemble_v2($packet)
        : $self->disassemble_v3($packet);
    return $unpacked;
}
sub disassemble_v3 {
    # Decode a packet with the version 3 layout: two 16-bit fields, a 32-bit
    # checksum, two 16-bit fields, a 32-bit length and a NUL-terminated buffer.
    #
    # The buffer is read up to its first NUL byte; the buffer_length field is
    # returned as received and is not compared with the buffer.
    my ($self, $packet) = @_;

    my @field_names = qw(
        packet_version packet_type crc32_value
        result_code alignment buffer_length buffer
    );
    my %field;
    @field{@field_names} = unpack("n2 N n2 N Z*", $packet);
    return \%field;
}
sub disassemble_v2 {
    # Decode a packet with the version 2 layout: two 16-bit fields, a 32-bit
    # checksum, a 16-bit result code and a NUL-terminated buffer.
    #
    # The buffer is read up to its first NUL byte.
    my ($self, $packet) = @_;

    my @field_names = qw(packet_version packet_type crc32_value result_code buffer);
    my %field;
    @field{@field_names} = unpack("n2 N n Z*", $packet);
    return \%field;
}
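sub request {
    # Send one check request to the NRPE daemon and return the decoded
    # response as a hash reference.
    #
    # Named arguments:
    #   check - name of the check to run
    #   arg   - optional array reference of arguments, joined to the check
    #           name with '!'
    #
    # A missing response or a response whose version differs from the
    # requested one is reported through the output object.
    my ($self, %options) = @_;

    my $check;
    if (!defined($options{arg}) || scalar @{$options{arg}} == 0) {
        $check = $options{check};
    } else {
        $check = join('!', $options{check}, @{$options{arg}});
    }

    my $socket = $self->create_socket(%options);
    my $assembled = $self->assemble(
        type => 1,
        check => $check,
        version => $self->{nrpe_version},
        payload => $self->{nrpe_payload}
    );

    my $response;
    print $socket $assembled;
    # Read into a lexical: a bare while (<$socket>) assigns to the global $_
    # without localizing it and so overwrites the caller's $_.
    while (defined(my $chunk = <$socket>)) {
        $response .= $chunk;
    }
    close($socket);

    if (!defined($response) || $response eq '') {
        $self->{output}->add_option_msg(short_msg => "No response from remote host.");
        $self->{output}->option_exit();
    }

    # NOTE(review): the second argument turns off the CRC32 check, so the
    # checksum of the response is never verified here, and packet_type is
    # not checked either. Only the version field is compared below.
    my $response_packet = $self->disassemble($response, 1);
    if (!defined($response_packet->{packet_version}) || $response_packet->{packet_version} != $self->{nrpe_version}) {
        $self->{output}->add_option_msg(short_msg => "Bad response from remote host.");
        $self->{output}->option_exit();
    }
    return $response_packet;
}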
sub set_nrpe_connect_params {
    # Copy every given key/value pair into the socket parameters
    # ($self->{nrpe_params}), replacing existing entries of the same name.
    my ($self, %options) = @_;

    while (my ($name, $value) = each %options) {
        $self->{nrpe_params}->{$name} = $value;
    }
}
sub set_nrpe_params {
    # Copy every given key/value pair directly onto the object.
    #
    # The keys are not filtered, so any attribute of the object can be
    # replaced through this method, including 'output', 'safe' and
    # 'ssl_context'.
    my ($self, %options) = @_;

    while (my ($name, $value) = each %options) {
        $self->{$name} = $value;
    }
}
sub get_hostname {
    # Return the configured peer host with everything up to and including
    # its last colon removed. The stored value itself is left unchanged.
    #
    # NOTE(review): an IPv6 literal such as "2001:db8::1" is reduced to "1"
    # by this substitution - confirm that is intended.
    my $self = shift;

    (my $stripped = $self->{nrpe_params}->{PeerHost}) =~ s/.*://;
    return $stripped;
}
sub get_port {
    # Return the peer port stored in the socket parameters.
    my $self = shift;

    my $port = $self->{nrpe_params}->{PeerPort};
    return $port;
}
1;
__END__
=head1 NAME
NRPE global
=head1 SYNOPSIS
NRPE class
=head1 NRPE CLASS OPTIONS
=over 8
=item B<--nrpe-version>
Version: 2 for NRPE v2 (Default), 3 for NRPE v3, 4 for NRPE v4.
=item B<--nrpe-port>
Port (Default: 5666).
=item B<--nrpe-payload>
Buffer payload (For v2 only) (Default: 1024).
=item B<--nrpe-bindaddr>
Bind to local address.
=item B<--nrpe-use-ipv4>
Use IPv4 only
=item B<--nrpe-use-ipv6>
Use IPv6 only
=item B<--nrpe-timeout>
Timeout in seconds (Default: 10).
=item B<--ssl-opt>
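Set SSL Options (--ssl-opt="SSL_version => 'TLSv1'" --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE"
--ssl-opt="SSL_cipher_list => 'ALL'").
Each value is evaluated as a Perl expression, so string values must be quoted.
When no --ssl-opt is given, the connection is made over plain TCP without TLS.
SSL_VERIFY_NONE turns off verification of the server certificate.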
=back
=head1 DESCRIPTION
B<nrpe>.
=cut