Make check:certificate simpler

flavioheleno · Sep 18, 2023 · 0926d74 · 0926d74
1 parent 851aba0
commit 0926d74
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 109 deletions.
diff --git a/src/Console/Commands/Check/CheckAllCommand.php b/src/Console/Commands/Check/CheckAllCommand.php
@@ -47,57 +47,33 @@ protected function configure(): void {
         InputOption::VALUE_NONE,
         'Skips all certificate related validations'
       )
-      ->addOption(
-        'skip-certificate-expiration-date',
-        null,
-        InputOption::VALUE_NONE,
-        'Skip Certificate expiration date validation'
-      )
       ->addOption(
         'certificate-expiration-threshold',
         null,
         InputOption::VALUE_REQUIRED,
-        'Number of days left to certificate expiration that will trigger an error',
+        'Number of days until the certification expiration date',
         5
       )
       ->addOption(
-        'skip-certificate-fingerprint',
-        null,
-        InputOption::VALUE_NONE,
-        'Skip Certificate Fingerprint validation'
-      )
-      ->addOption(
-        'certificate-fingerprint',
+        'fingerprint',
         null,
         InputOption::VALUE_REQUIRED,
-        'Certificate\'s Fingerprint'
+        'Match the certificate SHA-256 Fingerprint'
       )
       ->addOption(
-        'skip-certificate-serial-number',
-        null,
-        InputOption::VALUE_NONE,
-        'Skip Certificate Serial Number validation'
-      )
-      ->addOption(
-        'certificate-serial-number',
+        'serial-number',
         null,
         InputOption::VALUE_REQUIRED,
-        'Certificate\'s Serial Number'
+        'Match the certificate Serial Number'
       )
       ->addOption(
-        'skip-certificate-issuer-name',
-        null,
-        InputOption::VALUE_NONE,
-        'Skip Certificate issuer name validation'
-      )
-      ->addOption(
-        'certificate-issuer-name',
+        'issuer-name',
         null,
         InputOption::VALUE_REQUIRED,
-        'Certificate Authority that issued the TLS Certificate'
+        'Match the Certificate Authority (CA) that issued the TLS Certificate'
       )
       ->addOption(
-        'skip-certificate-ocsp-revoked',
+        'skip-ocsp-revoked',
         null,
         InputOption::VALUE_NONE,
         'Skip Certificate OCSP revocation validation'
@@ -116,19 +92,26 @@ protected function configure(): void {
   }
 
   protected function execute(InputInterface $input, OutputInterface $output): int {
+    // check:domain options
     $domainExpirationThreshold = (int)$input->getOption('domain-expiration-threshold');
     $registrarName = (string)$input->getOption('registrar-name');
     $statusCodes = (array)$input->getOption('status-codes');
 
+    // check:certificate options
+    $certificateExpirationThreshold = (int)$input->getOption('certificate-expiration-threshold');
+    $fingerprint = (string)$input->getOption('fingerprint');
+    $serialNumber = (string)$input->getOption('serial-number');
+    $issuerName = (string)$input->getOption('issuer-name');
+
     $checks = [
       'domainExpirationDate' => $domainExpirationThreshold > 0,
       'domainRegistrarName' => $registrarName !== '',
       'domainStatusCodes' => $statusCodes !== [],
-      'certificateExpirationDate' => (bool)$input->getOption('skip-certificate-expiration-date') === false,
-      'certificateFingerprint' => (bool)$input->getOption('skip-certificate-fingerprint') === false,
-      'certificateSerialNumber' => (bool)$input->getOption('skip-certificate-serial-number') === false,
-      'certificateIssuerName' => (bool)$input->getOption('skip-certificate-issuer-name') === false,
-      'certificateOcspRevoked' => (bool)$input->getOption('skip-certificate-ocsp-revoked') === false
+      'certificateExpirationDate' => $certificateExpirationThreshold > 0,
+      'certificateFingerprint' => $fingerprint !== '',
+      'certificateSerialNumber' => $serialNumber !== '',
+      'certificateIssuerName' => $issuerName !== '',
+      'certificateOcspRevoked' => (bool)$input->getOption('skip-ocsp-revoked') === false
     ];
 
     // skips all domain related validations
@@ -157,10 +140,6 @@ protected function execute(InputInterface $input, OutputInterface $output): int
       $checks['certificateOcspRevoked'] = false;
     }
 
-    $certificateExpirationThreshold = (int)$input->getOption('certificate-expiration-threshold');
-    $certificateFingerprint = (string)$input->getOption('certificate-fingerprint');
-    $certificateSerialNumber = (string)$input->getOption('certificate-serial-number');
-    $certificateIssuerName = (string)$input->getOption('certificate-issuer-name');
 
     $failFast = (bool)$input->getOption('fail-fast');
     $domain = $input->getArgument('domain');
@@ -205,15 +184,11 @@ protected function execute(InputInterface $input, OutputInterface $output): int
           'command' => 'check:certificate',
           'domain' => $domain,
           '--fail-fast' => $failFast,
-          '--skip-expiration-date' => !$checks['certificateExpirationDate'],
-          '--skip-fingerprint' => !$checks['certificateFingerprint'],
-          '--skip-serial-number' => !$checks['certificateSerialNumber'],
-          '--skip-issuer-name' => !$checks['certificateIssuerName'],
           '--skip-ocsp-revoked' => !$checks['certificateOcspRevoked'],
           '--expiration-threshold' => $certificateExpirationThreshold,
-          '--fingerprint' => $certificateFingerprint,
-          '--serial-number' => $certificateSerialNumber,
-          '--issuer-name' => $certificateIssuerName
+          '--fingerprint' => $fingerprint,
+          '--serial-number' => $serialNumber,
+          '--issuer-name' => $issuerName
         ]
       );
 

diff --git a/src/Console/Commands/Check/CheckCertificateCommand.php b/src/Console/Commands/Check/CheckCertificateCommand.php
@@ -36,64 +36,40 @@ final class CheckCertificateCommand extends Command {
 
   protected function configure(): void {
     $this
-      ->addOption(
-        'skip-expiration-date',
-        null,
-        InputOption::VALUE_NONE,
-        'Skip Certificate expiration date validation'
-      )
       ->addOption(
         'expiration-threshold',
-        null,
+        'e',
         InputOption::VALUE_REQUIRED,
-        'Number of days left to certificate expiration that will trigger an error',
+        'Number of days until the certification expiration date',
         5
       )
-      ->addOption(
-        'skip-fingerprint',
-        null,
-        InputOption::VALUE_NONE,
-        'Skip Certificate Fingerprint validation'
-      )
       ->addOption(
         'fingerprint',
-        null,
+        'p',
         InputOption::VALUE_REQUIRED,
-        'Certificate\'s Fingerprint'
-      )
-      ->addOption(
-        'skip-serial-number',
-        null,
-        InputOption::VALUE_NONE,
-        'Skip Certificate Serial Number validation'
+        'Match the certificate SHA-256 Fingerprint'
       )
       ->addOption(
         'serial-number',
-        null,
+        's',
         InputOption::VALUE_REQUIRED,
-        'Certificate\'s Serial Number'
-      )
-      ->addOption(
-        'skip-issuer-name',
-        null,
-        InputOption::VALUE_NONE,
-        'Skip Certificate issuer name validation'
+        'Match the certificate Serial Number'
       )
       ->addOption(
         'issuer-name',
-        null,
+        'i',
         InputOption::VALUE_REQUIRED,
-        'Certificate Authority that issued the TLS Certificate'
+        'Match the Certificate Authority (CA) that issued the TLS Certificate'
       )
       ->addOption(
         'skip-ocsp-revoked',
-        null,
+        'o',
         InputOption::VALUE_NONE,
         'Skip Certificate OCSP revocation validation'
       )
       ->addOption(
         'fail-fast',
-        null,
+        'f',
         InputOption::VALUE_NONE,
         'Exit immediately when a check fails instead of running all checks'
       )
@@ -105,19 +81,19 @@ protected function configure(): void {
     }
 
   protected function execute(InputInterface $input, OutputInterface $output): int {
-    $checks = [
-      'expirationDate' => (bool)$input->getOption('skip-expiration-date') === false,
-      'fingerprint' => (bool)$input->getOption('skip-fingerprint') === false,
-      'serialNumber' => (bool)$input->getOption('skip-serial-number') === false,
-      'issuerName' => (bool)$input->getOption('skip-issuer-name') === false,
-      'ocspRevoked' => (bool)$input->getOption('skip-ocsp-revoked') === false
-    ];
-
     $expirationThreshold = (int)$input->getOption('expiration-threshold');
     $fingerprint = (string)$input->getOption('fingerprint');
     $serialNumber = (string)$input->getOption('serial-number');
     $issuerName = (string)$input->getOption('issuer-name');
 
+    $checks = [
+      'expirationDate' => $expirationThreshold > 0,
+      'fingerprint' => $fingerprint !== '',
+      'serialNumber' => $serialNumber !== '',
+      'issuerName' => $issuerName !== '',
+      'ocspRevoked' => (bool)$input->getOption('skip-ocsp-revoked') === false
+    ];
+
     $failFast = (bool)$input->getOption('fail-fast');
     $domain = $input->getArgument('domain');
 
@@ -130,23 +106,28 @@ protected function execute(InputInterface $input, OutputInterface $output): int
           [
             [
               'Expiration Date',
-              ($checks['expirationDate'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>')
+              ($checks['expirationDate'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>'),
+              $expirationThreshold > 0 ? "{$expirationThreshold} days" : '-'
             ],
             [
-              'Fingerprint',
-              ($checks['fingerprint'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>')
+              'SHA-256 Fingerprint',
+              ($checks['fingerprint'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>'),
+              $fingerprint ?: '-'
             ],
             [
               'Serial Number',
-              ($checks['serialNumber'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>')
+              ($checks['serialNumber'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>'),
+              $serialNumber ?: '-'
             ],
             [
               'Issuer Name',
-              ($checks['issuerName'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>')
+              ($checks['issuerName'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>'),
+              $issuerName ?: '-'
             ],
             [
               'OCSP Revoked',
-              ($checks['ocspRevoked'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>')
+              ($checks['ocspRevoked'] ? '<fg=green>enabled</>' : '<fg=red>disabled</>'),
+              '-'
             ]
           ]
         )
@@ -156,19 +137,10 @@ protected function execute(InputInterface $input, OutputInterface $output): int
     }
 
     $errors = [];
-    if ($checks['fingerprint'] === true && trim($fingerprint) === '') {
-      $errors[] = '<options=bold>--fingerprint</> option is required unless <options=bold>--skip-fingerprint</> is set';
-    }
-
-    if ($checks['serialNumber'] === true && trim($serialNumber) === '') {
-      $errors[] = '<options=bold>--serial-number</> option is required unless <options=bold>--skip-serial-number</> is set';
-    }
-
-    if ($checks['issuerName'] === true && trim($issuerName) === '') {
-      $errors[] = '<options=bold>--issuer-name</> option is required unless <options=bold>--skip-issuer-name</> is set';
-    }
-
-    if (filter_var($domain, FILTER_VALIDATE_DOMAIN, ['flags' => FILTER_FLAG_HOSTNAME]) === false) {
+    if (
+      strpos($domain, '.') === false ||
+      filter_var($domain, FILTER_VALIDATE_DOMAIN, ['flags' => FILTER_FLAG_HOSTNAME]) === false
+    ) {
       $errors[] = 'argument <options=bold>domain</> contains an invalid domain name';
     }
 
@@ -187,6 +159,11 @@ protected function execute(InputInterface $input, OutputInterface $output): int
     );
 
     if ($needCertificate === false) {
+      $output->writeln(
+        'All certificate verifications are disabled, leaving',
+        OutputInterface::VERBOSITY_VERBOSE
+      );
+
       return Command::SUCCESS;
     }