Merge 1ef2170 into 97c51ac

cisagov · Mar 11, 2019 · 3dace41 · 3dace41
2 parents 97c51ac + 1ef2170
commit 3dace41
Show file tree

Hide file tree

Showing 5 changed files with 534 additions and 109 deletions.
diff --git a/pshtt/__init__.py b/pshtt/__init__.py
@@ -1 +1 @@
-__version__ = '0.5.4'
+__version__ = '0.6.0'
diff --git a/pshtt/cli.py b/pshtt/cli.py
@@ -3,7 +3,7 @@
 """pshtt ("pushed") is a tool to test domains for HTTPS best practices.
 
 Usage:
-  pshtt (INPUT ...) [--output OUTFILE] [--sorted] [--json] [--markdown] [--debug] [--timeout TIMEOUT] [--user-agent AGENT] [--cache-third-parties DIR] [--ca-file PATH]
+  pshtt (INPUT ...) [--output OUTFILE] [--sorted] [--json] [--markdown] [--debug] [--timeout TIMEOUT] [--user-agent AGENT] [--cache-third-parties DIR] [--ca-file PATH] [--pt-int-ca-file PATH]
   pshtt (-h | --help)
 
 Options:
@@ -17,6 +17,7 @@
   -t --timeout=TIMEOUT          Override timeout (in seconds).
   -c --cache-third-parties=DIR  Cache third party data, and what directory to cache it in.
   -f --ca-file=PATH             Specify custom CA bundle (PEM format)
+  -p --pt-int-ca-file=PATH       Specify public trust CA bundle with intermediates (PEM format)
 
 Notes:
   If the first INPUT ends with .csv, domains will be read from CSV.
@@ -49,7 +50,7 @@ def to_csv(results, out_filename):
             row = [result[header] for header in pshtt.HEADERS]
             writer.writerow(row)
 
-    logging.warn("Wrote results to %s.", out_filename)
+    logging.warning("Wrote results to %s.", out_filename)
 
 
 def to_json(results, out_filename):
@@ -62,7 +63,7 @@ def to_json(results, out_filename):
         out_file.write(json_content + '\n')
 
         if out_file is not sys.stdout:
-            logging.warn("Wrote results to %s.", out_filename)
+            logging.warning("Wrote results to %s.", out_filename)
 
 
 def to_markdown(results, out_filename):
@@ -106,7 +107,8 @@ def main():
         'user_agent': args['--user-agent'],
         'timeout': args['--timeout'],
         'cache-third-parties': args['--cache-third-parties'],
-        'ca_file': args['--ca-file']
+        'ca_file': args['--ca-file'],
+        'pt_int_ca_file': args['--pt-int-ca-file']
     }
 
     # Do the domain inspections

diff --git a/pshtt/models.py b/pshtt/models.py
@@ -36,8 +36,12 @@ def __init__(self, protocol, host, base_domain):
         self.headers = {}  # will be replaced with a requests.structures.CaseInsensitiveDict
         self.status = None
         self.live = None
+        self.ip = None
         self.redirect = None
+        self.server_header = None
+        self.server_version = None
         self.unknown_error = False
+        self.notes = ""
 
         # If an endpoint redirects, characterize the redirect behavior
         self.redirect_immediately_to = None
@@ -55,11 +59,17 @@ def __init__(self, protocol, host, base_domain):
         # Only HTTPS endpoints have these.
         # Initialize all of them to None, so that it's
         # discernible if they don't get explicitly set.
+        self.https_full_connection = None
+        self.https_client_auth_required = False
         self.https_valid = None
+        self.https_public_trusted = None
+        self.https_custom_trusted = None
         self.https_bad_chain = None
         self.https_bad_hostname = None
         self.https_expired_cert = None
         self.https_self_signed_cert = None
+        self.https_cert_chain_len = None
+        self.https_missing_intermediate_cert = None
         self.hsts = None
         self.hsts_header = None
         self.hsts_max_age = None
@@ -81,6 +91,7 @@ def to_object(self):
             'url': self.url,
             'headers': dict(self.headers),
             'status': self.status,
+            'ip': self.ip,
             'live': self.live,
             'redirect': self.redirect,
             'redirect_eventually_to': self.redirect_eventually_to,
@@ -94,15 +105,24 @@ def to_object(self):
             'redirect_eventually_to_http': self.redirect_eventually_to_http,
             'redirect_eventually_to_external': self.redirect_eventually_to_external,
             'redirect_eventually_to_subdomain': self.redirect_eventually_to_subdomain,
+            'server_header': self.server_header,
+            'server_version': self.server_version,
+            'notes': self.notes,
             'unknown_error': self.unknown_error,
         }
 
         if self.protocol == "https":
+            obj['https_full_connection'] = self.https_full_connection
+            obj['https_client_auth_required'] = self.https_client_auth_required
             obj['https_valid'] = self.https_valid
+            obj['https_public_trusted'] = self.https_public_trusted
+            obj['https_custom_trusted'] = self.https_custom_trusted
             obj['https_bad_chain'] = self.https_bad_chain
             obj['https_bad_hostname'] = self.https_bad_hostname
             obj['https_expired_cert'] = self.https_expired_cert
             obj['https_self_signed_cert'] = self.https_self_signed_cert
+            obj['https_cert_chain_len'] = self.https_cert_chain_len
+            obj['https_missing_intermediate_cert'] = self.https_missing_intermediate_cert
             obj['hsts'] = self.hsts
             obj['hsts_header'] = self.hsts_header
             obj['hsts_max_age'] = self.hsts_max_age