Support availability checking for url with path

cageyv · web-flow · commit f2597c348442 · 2021-08-26T17:44:55.000+02:00
diff --git a/README.md b/README.md
@@ -33,7 +33,7 @@ Please use `build_in_docker = true` and build inside docker for avoid nassl prob
 | certificate_expiration_notice_days | Days prior to the notification of the expired certificate. | `string` | `"7"` | no |
 | cloudwatch_logs_retention_in_days | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `14` | no |
 | function_name | Lambda function name. | `string` | `"ssl-checker"` | no |
-| hostnames | The list of DNS names that should be monitored. e.g.: [\"example.com\"]. | `list(string)` | | yes |
+| hostnames | The list of DNS names that should be monitored. Path is also supported. e.g.: [\"example.com\",\"example.com/api\"]. | `list(string)` | | yes |
 | health_check_matcher | The response HTTP codes to use when checking for a healthy responses from a hostnames. e.g.: \"200,201,202-399\". | `string` | `"200-399"` | no |
 | scan_commands | List of scan commands types witch will run against hostnames. Any type supported by [SSLyze](https://nabla-c0d3.github.io/sslyze/documentation/available-scan-commands.html). | `list(string)` | `["certificate_info", "robot", "tls_compression", "tls_fallback_scsv", "heartbleed","http_headers", "openssl_ccs_injection", "session_renegotiation", "tls_1_1_cipher_suites","tls_1_2_cipher_suites", "tls_1_3_cipher_suites"]` | no |
 | schedule_expression | The scheduling expression. How often check hostnames. For example, `cron(0/5 * * * ? *)` or `rate(5 minutes)`. | `string` | `"cron(0/5 * * * ? *)"` | no |
@@ -65,3 +65,14 @@ Configuration is done via env variables
 # Example message
 
 ![Example](doc/example.jpg)
+
+# Development
+
+```
+bash setup.sh
+source env/bin/activate
+export SCAN_COMMANDS="certificate_info,robot,tls_compression,tls_fallback_scsv,heartbleed,http_headers,openssl_ccs_injection,session_renegotiation,tls_1_1_cipher_suites,tls_1_2_cipher_suites,tls_1_3_cipher_suites"
+export CERTIFICATE_EXPIRATION_NOTICE_DAYS=7
+export HEALTH_CHECK_MATCHER=200-399
+HOOK_URL="opa" DEBUG=true HOSTNAMES="google.com,g00gle.com" python3 ssl-check-to-slack.py
+```
diff --git a/ssl-check-to-slack.py b/ssl-check-to-slack.py
@@ -11,6 +11,7 @@
 from sslyze import ServerScanRequest
 from sslyze import ScanCommand
 from datetime import datetime
+from urllib.parse import urlparse
 
 logger = logging.getLogger()
 logger.setLevel(logging.INFO)
@@ -26,9 +27,9 @@ def read_env_variable_or_die(env_var_name):
     return value
 
 
-def get_response_status(hostname):
+def get_response_status(hostname,endpoint):
     connection = http.client.HTTPSConnection(hostname)
-    connection.request("GET", "/")
+    connection.request("GET", endpoint)
     response = connection.getresponse()
     return response.status
 
@@ -101,19 +102,31 @@ def main(event, context):
                                        'tls_1_1_cipher_suites,tls_1_2_cipher_suites,tls_1_3_cipher_suites'
                                        ).replace(' ', '').split(',')).union({'certificate_info'})
     logger.info('Configuration is OK')
+    logger.info(f'Going to check: {hostnames}')
     servers_to_scan = []
     # First validate that we can connect to the servers we want to scan
     for hostname in hostnames:
         # DNS check. Try to resolve hostname.
         try:
-            logger.debug(f'DNS: {hostname} - Testing...')
-            server_location = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup(hostname, 443)
-            logger.debug(f'DNS: {hostname} - OK')
+            # for urlparse to correctly parse the address it needs a scheme in fron of the domain name
+            # otherwise it might get confused
+            hostname_with_scheme = hostname
+            if not hostname_with_scheme.startswith('https://'):
+                hostname_with_scheme = f'https://{hostname}'
+                logger.debug(f'prepend scheme to {hostname} so it is {hostname_with_scheme}')
+            hostname_parsed = urlparse(hostname_with_scheme)
+            logger.debug(f'hostname pasrsing result: {hostname_parsed}')
+            path = "/" if hostname_parsed.path == "" else hostname_parsed.path
+            host = hostname_parsed.netloc
+            logger.debug(f'parsed {hostname} to host {host} and path {path}')
+            logger.debug(f'DNS: {host} - Testing...')
+            server_location = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup(host, 443)
+            logger.debug(f'DNS: {host} - OK')
             # Connection check. Try to connect to hostname.
             try:
                 logger.debug(f'Connect: {hostname} - Testing...')
                 server_info = ServerConnectivityTester().perform(server_location)
-                response_status = get_response_status(hostname)
+                response_status = get_response_status(host, path)
                 if response_status not in health_check_matcher:
                     raise ConnectionToServerFailed(server_info.server_location, server_info.network_configuration,
                                                    error_message=f'HTTP Error. Status code: {response_status}')
