From 6f7a36a38e3bd750b40c1949055914f0c596147d Mon Sep 17 00:00:00 2001
From: Colin Darie
Date: Thu, 5 Jul 2018 16:02:58 +0200
Subject: [PATCH] SSL: accept wildcard domains matching

---
 app/services/ssl/parser.rb | 10 ++++++++--
 test/fixtures/files/ssl/wildcard.domain.org.txt | 1 +
 test/services/ssl/parser_test.rb | 16 ++++++++++++++++
 3 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 test/fixtures/files/ssl/wildcard.domain.org.txt

diff --git a/app/services/ssl/parser.rb b/app/services/ssl/parser.rb
index 68dffe8..b7acb1b 100644
--- a/app/services/ssl/parser.rb
+++ b/app/services/ssl/parser.rb
@@ -33,8 +33,14 @@ module SSL
 raise
 end
 
- def match_domain?(raw)
- raw.match(/\b#{domain}\b/).present?
+ def match_domain?(raw, tested_domain = domain)
+ return true if raw.match(/\b#{tested_domain}\b/).present?
+ parts = tested_domain.split(".")
+
+ return false if parts.count <= 2
+
+ parts.shift
+ match_domain?(raw, parts.join("."))
 end
 
 def build_response(match)
diff --git a/test/fixtures/files/ssl/wildcard.domain.org.txt b/test/fixtures/files/ssl/wildcard.domain.org.txt
new file mode 100644
index 0000000..cc7a8d1
--- /dev/null
+++ b/test/fixtures/files/ssl/wildcard.domain.org.txt
@@ -0,0 +1 @@
+OK - Certificate 'domain.org' will expire on Sat 10 Jun 2028 09:14:18 AM GMT +0000.
diff --git a/test/services/ssl/parser_test.rb b/test/services/ssl/parser_test.rb
index 05566d6..0b1dffa 100644
--- a/test/services/ssl/parser_test.rb
+++ b/test/services/ssl/parser_test.rb
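Review bot: The fallback added to `match_domain?` (app/services/ssl/parser.rb) accepts much more than a wildcard match: labels are stripped until two remain, so `foo.example.co.uk` ends up being tested as `co.uk` and output for any certificate under that suffix passes, and `deep.ssl1.domain.org` is accepted for `domain.org` although a wildcard covers only one label. The name is also interpolated into the pattern unescaped and guarded only by `\b`, so `.` matches any character and the pattern still matches inside `other-domain.org` or `domain.org.example.net`. I would match with `raw.match?(/(?<![\w.-])#{Regexp.escape(tested_domain)}(?![\w.-])/)` (adjusted to the check's real output format) and strip at most one label, or consult a public-suffix list before going further. Presumably a false match here lets the monitor report a valid certificate for a host whose certificate was issued to a different name.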
@@ -31,7 +31,23 @@ module SSL
 assert_raises DomainNotMatchError do
 parser.parse(output)
 end
+ test "should accept responses for wildcard certificates" do
+ parser = Parser.new("ssl1.domain.org")
+ output = file_fixture("ssl/wildcard.domain.org.txt").read
+
+ response = parser.parse(output)
+
+ assert_equal Time.new(2028, 6, 10, 9, 14, 18, 0), response.expire_at
+ assert response.expire_at.utc?
+
+ parser = Parser.new("deep.ssl1.domain.org")
+ output = file_fixture("ssl/wildcard.domain.org.txt").read
+
+ response = parser.parse(output)
+
+ assert_equal Time.new(2028, 6, 10, 9, 14, 18, 0), response.expire_at
 end
+
 test "should raises InvalidResponseError when check response is not matched" do
 parser = Parser.new("ssl100.invalid.org")
 output = file_fixture("ssl/ssl100.invalid.org.txt").read
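Review bot: The added test covers only names that must be accepted, so nothing pins where the relaxed matching has to stop. The fixture names `'domain.org'` rather than `*.domain.org`, so what is actually asserted is that a bare parent name satisfies both `ssl1.domain.org` and `deep.ssl1.domain.org`; if that reflects how the check reports wildcard certificates, a comment saying so above the test would help. I would add `assert_raises DomainNotMatchError` cases, for example a fixture whose certificate name is `other-domain.org` (constructed sample) parsed with `Parser.new("ssl1.domain.org")`, and a host such as `foo.example.co.uk` against output for a different `co.uk` name. The second half of the test also omits the `assert response.expire_at.utc?` check that the first half makes.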