diff options
Diffstat (limited to 'contrib/dirauth-tools')
| -rwxr-xr-x | contrib/dirauth-tools/add-tor | 115 | ||||
| -rwxr-xr-x | contrib/dirauth-tools/nagios-check-tor-authority-cert | 86 |
2 files changed, 201 insertions, 0 deletions
diff --git a/contrib/dirauth-tools/add-tor b/contrib/dirauth-tools/add-tor new file mode 100755 index 0000000000..5a12abca80 --- /dev/null +++ b/contrib/dirauth-tools/add-tor @@ -0,0 +1,115 @@ +#!/usr/bin/ruby + +# add-tor - Add a tor fingerprint line to the approved-routers file +# +# Tor's approved-routers file is expected to be versioned using RCS. +# This script checks for uncommitted changes, does a checkout of the +# file, adds the new fingerprint with a comment stating the server's +# operator, and commits the file to RCS again (using -u so that the +# working copy is not removed. +# +# Operator and fingerprint line are read from stdin. +# +# Before adding a fingerprint line, approved-routers is checked for +# rough syntactical correctness. This script also checks that the +# nickname and fingerprint to be added do not already exist in the +# binding list. + + +# Copyright (c) 2006 by Peter Palfrader +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +BINDING = '/etc/tor/approved-routers' + +def mysys(cmd) + unless system(cmd) + STDERR.puts "ERROR: #{cmd} failed" + exit 1 + end +end + +def check_nick(n) + n =~ /^[a-zA-Z0-9]+$/ +end + +def check_fpr(fpr) + fpr =~ /^([0-9A-F]{4} ){9}[0-9A-F]{4}$/ +end + +def parse_fprline(fprline) + n = fprline[0 ... fprline.index(' ')] + f = fprline[fprline.index(' ') + 1 .. -1 ] + unless check_nick(n) and check_fpr(f) + STDERR.puts "Invalid fpr syntax '#{fprline}'" + exit 1 + end + [n, f] +end + + + +unless system("rcsdiff -q -u #{BINDING}") + STDERR.puts "Uncommitted changes in #{BINDING}. Aborting." + exit 1 +end + +puts "Checking out #{BINDING}..." +mysys("co -l #{BINDING}") + +print "Operator: " +@operator = readline.chop +unless @operator.index('@') + STDERR.puts "ERROR: No @ found" + exit 1 +end + +print "FPR Line: " +@fprline = readline.chop +(@nickname, @fpr) = parse_fprline(@fprline) + +binding = File.new(BINDING, "r+") +binding.readlines.each do |line| + line.chop! + next if line[0..0] == "#" + (n,f) = parse_fprline(line) + if (n == @nickname) + STDERR.puts + STDERR.puts "ERROR: Nickname #{n} already exists in #{BINDING} (fpr: #{f})" + exit 1 + end + if (f == @fpr) + STDERR.puts + STDERR.puts "ERROR: Fpr #{f} already exists in #{BINDING} (nickname: #{n})" + exit 1 + end +end + +puts +puts '| # ' + @operator +puts '| ' + @fprline +puts + +binding.puts '# '+@operator +binding.puts @fprline +binding.close + +puts "Committing #{BINDING}..." +mysys("ci -u -m'Add #{@nickname}' #{BINDING}") diff --git a/contrib/dirauth-tools/nagios-check-tor-authority-cert b/contrib/dirauth-tools/nagios-check-tor-authority-cert new file mode 100755 index 0000000000..46dc7284b7 --- /dev/null +++ b/contrib/dirauth-tools/nagios-check-tor-authority-cert @@ -0,0 +1,86 @@ +#!/bin/bash + +# nagios-check-tor-authority-cert - check certificate expiry time + +# A nagios check for Tor v3 directory authorities: +# - Checks the current certificate expiry time +# +# Usage: nagios-check-tor-authority-cert <authority identity fingerprint> +# e.g.: nagios-check-tor-authority-cert A9AC67E64B200BBF2FA26DF194AC0469E2A948C6 + +# Copyright (c) 2008 Peter Palfrader <peter@palfrader.org> +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + +set -e +set -u + +if [ -z "${1:-}" ]; then + echo "Usage: $0 <authority identity fingerprint>" 2>&1 + exit 3 +fi + +identity="$1" + +DIRSERVERS="" +DIRSERVERS="$DIRSERVERS 86.59.21.38:80" # tor26 +DIRSERVERS="$DIRSERVERS 128.31.0.34:9031" # moria1 +DIRSERVERS="$DIRSERVERS 216.224.124.114:9030" # ides +DIRSERVERS="$DIRSERVERS 80.190.246.100:80" # gabelmoo +#DIRSERVERS="$DIRSERVERS 140.247.60.64:80" # lefkada +DIRSERVERS="$DIRSERVERS 194.109.206.212:80" # dizum +DIRSERVERS="$DIRSERVERS 213.73.91.31:80" # dannenberg + +TMPFILE="`tempfile`" +trap 'rm -f "$TMPFILE"' 0 + +for dirserver in $DIRSERVERS; do + wget -q -O "$TMPFILE" "http://$dirserver/tor/keys/fp/$identity" + if [ "$?" = 0 ]; then + break + else + cat /dev/null > "$TMPFILE" + continue + fi +done + +if ! [ -s "$TMPFILE" ] ; then + echo "UNKNOWN: Downloading certificate for $identity failed." + exit 3 +fi + +expirydate="$(awk '$1=="dir-key-expires" {printf "%s %s", $2, $3}' < "$TMPFILE")" +expiryunix=$(TZ=UTC date -d "$expirydate" +%s) +now=$(date +%s) + +if [ "$now" -ge "$expiryunix" ]; then + echo "CRITICAL: Certificate expired $expirydate (authority $identity)." + exit 2 +elif [ "$(( $now + 7*24*60*60 ))" -ge "$expiryunix" ]; then + echo "CRITICAL: Certificate expires $expirydate (authority $identity)." + exit 2 +elif [ "$(( $now + 30*24*60*60 ))" -ge "$expiryunix" ]; then + echo "WARNING: Certificate expires $expirydate (authority $identity)." + exit 1 +else + echo "OK: Certificate expires $expirydate (authority $identity)." + exit 0 +fi |