Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Test embedding an encoded JSON payload at tail end of LongServiceOutput content #960

Open
atc0005 opened this issue Oct 3, 2024 · 3 comments
Open

Test embedding an encoded JSON payload at tail end of LongServiceOutput content #960

atc0005 opened this issue Oct 3, 2024 · 3 comments
Assignees
@atc0005
Labels
config enhancement New feature or request output/extended Long Service Output (aka, "extended" or "detailed") plugin/check_cert question Further information is requested
Milestone
v0.20.0

Comments

@atc0005
Copy link
Owner

atc0005 commented Oct 3, 2024
edited
Loading

Overview

There may be better ways to handle this, but I want to make sure that the certificate chain captured by the monitoring plugin is exposed to the monitoring system.

The current plugin API permits passing human readable information back for display in a web UI or notifications and metrics for calculations & other data manipulation purposes, but AFAIK does not permit passing something like a JSON payload between plugin and the monitoring system.

My particular use case is accessing this information via the Nagios XI API, but I'd like to see this implemented in a way that's usable to others using the plugin from other monitoring systems.

I'd also like to see this implemented in an opt-in manner so that it's off by default.

While ideally the additional info would be available via a dedicated field of some kind, I'm considering whether it's a workable solution to provide a small, customized JSON payload in an encoded format (able to safely pass default sanitization requirements) that can be accessed later from the LongServiceOutput field.

I've not yet checked to confirm that the base64 encoding format would pass the illegal_macro_output_chars requirements, but assuming that it would, we'd still be limited by the default 4K plugin output requirements.

References

See also:
@atc0005 atc0005 added enhancement New feature or request question Further information is requested config plugin/check_cert output/extended Long Service Output (aka, "extended" or "detailed") labels Oct 3, 2024
@atc0005 atc0005 added this to the Future milestone Oct 3, 2024
@atc0005 atc0005 self-assigned this Oct 3, 2024
@atc0005
Copy link
Owner Author

atc0005 commented Oct 4, 2024

May need to also update the atc0005/go-nagios project to provide some helper functionality.

@atc0005 atc0005 modified the milestones: Future, v0.20.0 Oct 5, 2024
@atc0005 atc0005 mentioned this issue Oct 8, 2024
Open
atc0005 added a commit to atc0005/go-nagios that referenced this issue Oct 15, 2024
@atc0005
Add support for embedded/encoded payloads
f64b513 
OVERVIEW

Add support for embedding an encoded payload within and later
extracting the payload from plugin output.

The current Nagios plugin API permits returning human readable
information to Nagios for display in a web UI or notifications and
metrics for calculations & other data manipulation purposes. As far as
I know, Nagios does not permit passing something like a JSON payload
directly between the plugin and the monitoring system.

This new (optional) support provides a way for plugins to safely &
reliably embed content (e.g., JSON data) within the generated output
which can later be extracted by other tools.

Due to current Nagios plugin output length restrictions (8192 bytes),
the use of encoded payloads should be used sparingly.

CHANGES

- add standalone functions for encoding/decoding payload content
- add new `Plugin` methods for adding (append or overwrite behavior)
  content to be encoded and embedded as a payload
- add new `Plugin` methods to override behavior
  - opt out of using delimiters (NOT RECOMMENDED)
  - use custom delimiters
  - set custom payload section label
- minor README updates
  - note new functionality
  - refresh overview & status sections
- add test coverage for new functionality
- add numerous testdata input files
- add basic examples
  - extract and decode an embedded payload from (previous) plugin
    output
  - add encoded payload

CREDIT

I consulted ChatGPT when planning the implementation. While later
iterations of the code differed significantly, ChatGPT provided
code samples that acted as a starting point for the initial
encoding/decoding functionality.

Discussions with ChatGPT proved very helpful when deciding between
using the base64 encoding format (more common, but less efficient) and
the base85 (aka, "Ascii85") encoding format (more efficient). Those
discussions also covered concerns such as adhering to the default
`illegal_macro_output_chars` requirements that Nagios imposes for
plugin output.

REFERENCES

- refs #251
- refs atc0005/check-cert#960
@atc0005 atc0005 mentioned this issue Oct 15, 2024
Merged
atc0005 added a commit that referenced this issue Oct 15, 2024
@atc0005
Update atc0005/go-nagios dep to v0.17.0-alpha.1
767a6e2 
Prepare for testing latest pre-release changes.

- refs atc0005/go-nagios#251
- refs #960
This was referenced Oct 15, 2024
Merged
Closed
Open
@atc0005
Copy link
Owner Author

atc0005 commented Nov 4, 2024

May need to also update the atc0005/go-nagios project to provide some helper functionality.

The v0.17.0 release of that project will provide the necessary support for encoding/decoding embedded payloads.

The https://github.com/atc0005/cert-payload project will provide a cert payload type for encoding/decoding the JSON data.

@atc0005
Copy link
Owner Author

atc0005 commented Nov 4, 2024

Current prototyping efforts are going well enough with most evaluated certificate chains falling below the 8K plugin output cutoff. However, there is one certificate chain I'm testing against which has 73 SANs entries. Listing all of them in the plugin output exceeds the 8k "budget".

Some debug output generated by the prototype:

[go-nagios] 2024/11/04 04:33:04 222 bytes plugin ServiceOutput content written to buffer
[go-nagios] 2024/11/04 04:33:04 3914 bytes plugin LongServiceOutput content written to buffer
[go-nagios] 2024/11/04 04:33:04 6251 bytes plugin EncodedPayload content written to buffer
[go-nagios] 2024/11/04 04:33:04 273 bytes plugin performance data content written to buffer
[go-nagios] 2024/11/04 04:33:04 10660 bytes total plugin output to write

For contrast, here is the debug output when evaluating the certificate used by www.google.com:

[go-nagios] 2024/11/04 04:43:16 217 bytes plugin ServiceOutput content written to buffer
[go-nagios] 2024/11/04 04:43:16 1602 bytes plugin LongServiceOutput content written to buffer
[go-nagios] 2024/11/04 04:43:16 272 bytes plugin performance data content written to buffer
[go-nagios] 2024/11/04 04:43:16 2091 bytes total plugin output to write

For the former cert chain, we'll need this flag to be implemented to bring the content down below the 8k plugin output limit:

@atc0005 atc0005 mentioned this issue Nov 4, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@atc0005 atc0005

Labels
config enhancement New feature or request output/extended Long Service Output (aka, "extended" or "detailed") plugin/check_cert question Further information is requested
Projects
None yet
Milestone
v0.20.0
Development

No branches or pull requests
1 participant
@atc0005