Merge pull request #25 from chooper/fix24-check-host-match

Fix24 check host match

lib/elbping/cli.rb

@@ -114,6 +114,7 @@ def self.main
           break if not run
 
           status = ElbPing::HttpPinger.ping_node(node,
+            elb_uri.host,
             elb_uri.port,
             (elb_uri.path == "") ? "/" : elb_uri.path,
             (elb_uri.scheme == 'https'),

lib/elbping/display.rb

@@ -49,9 +49,10 @@ def self.response(status)
       exc = status[:exception]
       sslSubject = status[:sslSubject].join(',') if status[:sslSubject]
       sslExpires = status[:sslExpires]
+      sslHostMatch = status[:sslHostMatch]
 
       exc_display = exc ? "exception=#{exc}" : ''
-      ssl_display = (sslSubject and sslExpires) ? "ssl cn=#{sslSubject} expires=#{sslExpires}" : ''
+      ssl_display = (sslSubject and sslExpires) ? "ssl cn=#{sslSubject} match=#{sslHostMatch} expires=#{sslExpires}" : ''
 
       self.out "Response from: #{node.rjust(15)}: code=#{code.to_s} time=#{duration}ms #{ssl_display} #{exc_display}"
     end

lib/elbping/pinger.rb

@@ -22,17 +22,28 @@ def self.cert_name(x509_subject)
       cn_bucket
     end
 
+    # Check if a given host matches a cert's pattern
+    #
+    # Arguments:
+    # * cert: (object) of X.509 certificate
+    # * host: (string) of a hostname to compare
+
+    def self.cert_matches?(cert, host)
+      File.fnmatch(cert_name(cert.subject).first, host)
+    end
+
     # Make HTTP request to given node using custom request method and measure response time
     #
     # Arguments:
     # * node: (string) of node IP
+    # * host: (string) of hostname, used for checking SSL cert match
     # * port: (string || Fixnum) of positive integer [1, 65535]
     # * path: (string) of path to request, e.g. "/"
     # * use_ssl: (boolean) Whether or not this is HTTPS
     # * verb_len: (Fixnum) of positive integer, how long the custom HTTP verb should be
     # * timeout: (Fixnum) of positive integer, how many _seconds_ for connect and read timeouts
 
-    def self.ping_node(node, port, path, use_ssl, verb_len, timeout)
+    def self.ping_node(node, host, port, path, use_ssl, verb_len, timeout)
       ##
       # Build request class
       ping_request = Class.new(Net::HTTPRequest) do
@@ -86,8 +97,11 @@ def self.ping_node(node, port, path, use_ssl, verb_len, timeout)
       ssl_status = {}
       if use_ssl
         raise "No cert when SSL enabled?!" unless cert
-        ssl_status = {:sslSubject => cert_name(cert.subject),
-          :sslExpires => cert.not_after}
+        ssl_status = {
+          :sslSubject => cert_name(cert.subject),
+          :sslExpires => cert.not_after,
+          :sslHostMatch => cert_matches?(cert, host)
+        }
       end
 
       {:code => error || response.code,

test/test_pinger.rb

@@ -2,6 +2,7 @@
 require 'elbping/pinger.rb'
 
 DEFAULT_NODE    = ENV['TEST_NODE']     || '127.0.0.1'
+DEFAULT_HOST    = ENV['TEST_HOST']     || 'localhost'
 DEFAULT_PORT    = ENV['TEST_PORT']     || '80'
 DEFAULT_PATH    = ENV['TEST_PATH']     || '/'
 DEFAULT_SSL     = ENV['TEST_SSL']      || false
@@ -16,6 +17,7 @@ def test_ping_node
     assert_nothing_raised do
       resp = ElbPing::HttpPinger.ping_node(
         DEFAULT_NODE,
+        DEFAULT_HOST,
         DEFAULT_PORT,
         DEFAULT_PATH,
         DEFAULT_SSL,
@@ -33,3 +35,22 @@ def test_ping_node
   end
 end
 
+require 'openssl'
+class TestCertMatches
+  def test_wildcard
+    cert = OpenSSL::X509::Certificate.new
+    cert.subject = OpenSSL::X509::Name.parse "/CN=*.example.com"
+
+    assert ElbPing::HttpPinger.cert_matches?(cert, "www.example.com")
+    assert_false ElbPing::HttpPinger.cert_matches?(cert, "www.example.org")
+  end
+
+  def test_static
+    cert = OpenSSL::X509::Certificate.new
+    cert.subject = OpenSSL::X509::Name.parse "/CN=www.example.com"
+
+    assert ElbPing::HttpPinger.cert_matches?(cert, "www.example.com")
+    assert_false ElbPing::HttpPinger.cert_matches?(cert, "www.example.org")
+  end
+end
+