check_dig: add -E/--require-flags and -X/--forbid-flags (#2165)

* check_dig: Add feature to require or forbid dig DNS flags -E, -X.
Introduced helper functions for flag parsing.

 -E, --require-flags=LIST
    Comma-separated dig flags that must be present (e.g. 'aa,qr')
 -X, --forbid-flags=LIST
    Comma-separated dig flags that must NOT be present

plugins/check_dig.c

@@ -3,7 +3,7 @@
  * Monitoring check_dig plugin
  *
  * License: GPL
- * Copyright (c) 2002-2024 Monitoring Plugins Development Team
+ * Copyright (c) 2002-2025 Monitoring Plugins Development Team
  *
  * Description:
  *
@@ -33,9 +33,10 @@
  *  because on some architectures those strings are in non-writable memory */
 
 const char *progname = "check_dig";
-const char *copyright = "2002-2024";
+const char *copyright = "2002-2025";
 const char *email = "devel@monitoring-plugins.org";
 
+#include <ctype.h>
 #include "common.h"
 #include "netutils.h"
 #include "utils.h"
@@ -56,6 +57,12 @@ void print_usage(void);
 
 static int verbose = 0;
 
+/* helpers for flag parsing */
+static flag_list parse_flags_line(const char *line);
+static flag_list split_csv_trim(const char *csv);
+static bool flag_list_contains(const flag_list *list, const char *needle);
+static void free_flag_list(flag_list *list);
+
 int main(int argc, char **argv) {
 	setlocale(LC_ALL, "");
 	bindtextdomain(PACKAGE, LOCALEDIR);
@@ -101,13 +108,35 @@ int main(int argc, char **argv) {
 	output chld_out;
 	output chld_err;
 	char *msg = NULL;
+	flag_list dig_flags = {.items = NULL, .count = 0};
 	mp_state_enum result = STATE_UNKNOWN;
+
 	/* run the command */
 	if (np_runcmd(command_line, &chld_out, &chld_err, 0) != 0) {
 		result = STATE_WARNING;
 		msg = (char *)_("dig returned an error status");
 	}
 
+	/* extract ';; flags: ...' from stdout (first occurrence) */
+	for (size_t i = 0; i < chld_out.lines; i++) {
+		if (strstr(chld_out.line[i], "flags:")) {
+			if (verbose) {
+				printf("Raw flags line: %s\n", chld_out.line[i]);
+			}
+
+			dig_flags = parse_flags_line(chld_out.line[i]);
+
+			if (verbose && dig_flags.count > 0) {
+				printf(_("Parsed flags:"));
+				for (size_t k = 0; k < dig_flags.count; k++) {
+					printf(" %s", dig_flags.items[k]);
+				}
+				printf("\n");
+			}
+			break;
+		}
+	}
+
 	for (size_t i = 0; i < chld_out.lines; i++) {
 		/* the server is responding, we just got the host name... */
 		if (strstr(chld_out.line[i], ";; ANSWER SECTION:")) {
@@ -174,6 +203,44 @@ int main(int argc, char **argv) {
 		result = STATE_WARNING;
 	}
 
+	/* Optional: evaluate dig flags only if -E/-X were provided */
+	if ((config.require_flags.count > 0) || (config.forbid_flags.count > 0)) {
+		if (dig_flags.count > 0) {
+			for (size_t r = 0; r < config.require_flags.count; r++) {
+				if (!flag_list_contains(&dig_flags, config.require_flags.items[r])) {
+					result = STATE_CRITICAL;
+					if (!msg) {
+						xasprintf(&msg, _("Missing required DNS flag: %s"),
+								  config.require_flags.items[r]);
+					} else {
+						char *newmsg = NULL;
+						xasprintf(&newmsg, _("%s; missing required DNS flag: %s"), msg,
+								  config.require_flags.items[r]);
+						msg = newmsg;
+					}
+				}
+			}
+
+			for (size_t r = 0; r < config.forbid_flags.count; r++) {
+				if (flag_list_contains(&dig_flags, config.forbid_flags.items[r])) {
+					result = STATE_CRITICAL;
+					if (!msg) {
+						xasprintf(&msg, _("Forbidden DNS flag present: %s"),
+								  config.forbid_flags.items[r]);
+					} else {
+						char *newmsg = NULL;
+						xasprintf(&newmsg, _("%s; forbidden DNS flag present: %s"), msg,
+								  config.forbid_flags.items[r]);
+						msg = newmsg;
+					}
+				}
+			}
+		}
+	}
+
+	/* cleanup flags buffer */
+	free_flag_list(&dig_flags);
+
 	printf("DNS %s - %.3f seconds response time (%s)|%s\n", state_text(result), elapsed_time,
 		   msg ? msg : _("Probably a non-existent host/domain"),
 		   fperfdata("time", elapsed_time, "s", (config.warning_interval > UNDEFINED),
@@ -190,6 +257,8 @@ check_dig_config_wrapper process_arguments(int argc, char **argv) {
 									   {"critical", required_argument, 0, 'c'},
 									   {"timeout", required_argument, 0, 't'},
 									   {"dig-arguments", required_argument, 0, 'A'},
+									   {"require-flags", required_argument, 0, 'E'},
+									   {"forbid-flags", required_argument, 0, 'X'},
 									   {"verbose", no_argument, 0, 'v'},
 									   {"version", no_argument, 0, 'V'},
 									   {"help", no_argument, 0, 'h'},
@@ -212,7 +281,8 @@ check_dig_config_wrapper process_arguments(int argc, char **argv) {
 
 	int option = 0;
 	while (true) {
-		int option_index = getopt_long(argc, argv, "hVvt:l:H:w:c:T:p:a:A:46", longopts, &option);
+		int option_index =
+			getopt_long(argc, argv, "hVvt:l:H:w:c:T:p:a:A:E:X:46", longopts, &option);
 
 		if (option_index == -1 || option_index == EOF) {
 			break;
@@ -263,6 +333,12 @@ check_dig_config_wrapper process_arguments(int argc, char **argv) {
 		case 'A': /* dig arguments */
 			result.config.dig_args = strdup(optarg);
 			break;
+		case 'E': /* require flags */
+			result.config.require_flags = split_csv_trim(optarg);
+			break;
+		case 'X': /* forbid flags */
+			result.config.forbid_flags = split_csv_trim(optarg);
+			break;
 		case 'v': /* verbose */
 			verbose++;
 			break;
@@ -343,6 +419,10 @@ void print_help(void) {
 	printf("    %s\n", _("was in -l"));
 	printf(" %s\n", "-A, --dig-arguments=STRING");
 	printf("    %s\n", _("Pass STRING as argument(s) to dig"));
+	printf(" %s\n", "-E, --require-flags=LIST");
+	printf("    %s\n", _("Comma-separated dig flags that must be present (e.g. 'aa,qr')"));
+	printf(" %s\n", "-X, --forbid-flags=LIST");
+	printf("    %s\n", _("Comma-separated dig flags that must NOT be present"));
 	printf(UT_WARN_CRIT);
 	printf(UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT);
 	printf(UT_VERBOSE);
@@ -359,5 +439,185 @@ void print_usage(void) {
 	printf("%s\n", _("Usage:"));
 	printf("%s -l <query_address> [-H <host>] [-p <server port>]\n", progname);
 	printf(" [-T <query type>] [-w <warning interval>] [-c <critical interval>]\n");
-	printf(" [-t <timeout>] [-a <expected answer address>] [-v]\n");
+	printf(" [-t <timeout>] [-a <expected answer address>] [-E <flags>] [-X <flags>] [-v]\n");
+}
+
+/* helpers */
+
+/**
+ * parse_flags_line - Parse a dig output line and extract DNS header flags.
+ *
+ * Input:
+ *   line - NUL terminated dig output line, e.g. ";; flags: qr rd ra; ..."
+ *
+ * Returns:
+ *   flag_list where:
+ *     - items: array of NUL terminated flag strings (heap allocated)
+ *     - count: number of entries in items
+ *   On parse failure or if no flags were found, count is 0 and items is NULL.
+ */
+static flag_list parse_flags_line(const char *line) {
+	flag_list result = {.items = NULL, .count = 0};
+
+	if (!line) {
+		return result;
+	}
+
+	/* Locate start of DNS header flags in dig output */
+	const char *p = strstr(line, "flags:");
+	if (!p) {
+		return result;
+	}
+	p += 6; /* skip literal "flags:" */
+
+	/* Skip whitespace after "flags:" */
+	while (*p && isspace((unsigned char)*p)) {
+		p++;
+	}
+
+	/* Flags are terminated by the next semicolon e.g. "qr rd ra;" */
+	const char *q = strchr(p, ';');
+	if (!q) {
+		return result;
+	}
+
+	/* Extract substring containing the flag block */
+	size_t len = (size_t)(q - p);
+	if (len == 0) {
+		return result;
+	}
+
+	char *buf = (char *)malloc(len + 1);
+	if (!buf) {
+		return result;
+	}
+	memcpy(buf, p, len);
+	buf[len] = '\0';
+
+	/* Tokenize flags separated by whitespace */
+	char **arr = NULL;
+	size_t cnt = 0;
+	char *saveptr = NULL;
+	char *tok = strtok_r(buf, " \t", &saveptr);
+
+	while (tok) {
+		/* Expand array for the next flag token */
+		char **tmp = (char **)realloc(arr, (cnt + 1) * sizeof(char *));
+		if (!tmp) {
+			/* On allocation failure keep what we have and return it */
+			break;
+		}
+		arr = tmp;
+		arr[cnt++] = strdup(tok);
+		tok = strtok_r(NULL, " \t", &saveptr);
+	}
+
+	free(buf);
+
+	result.items = arr;
+	result.count = cnt;
+	return result;
+}
+
+/**
+ * split_csv_trim - Split a comma separated string into trimmed tokens.
+ *
+ * Input:
+ *   csv - NUL terminated string, e.g. "aa, qr , rd"
+ *
+ * Returns:
+ *   flag_list where:
+ *     - items: array of NUL terminated tokens (heap allocated, whitespace trimmed)
+ *     - count: number of tokens
+ *   On empty input, count is 0 and items is NULL
+ */
+static flag_list split_csv_trim(const char *csv) {
+	flag_list result = {.items = NULL, .count = 0};
+
+	if (!csv || !*csv) {
+		return result;
+	}
+
+	char *tmp = strdup(csv);
+	if (!tmp) {
+		return result;
+	}
+
+	char *s = tmp;
+	char *token = NULL;
+
+	/* Split CSV by commas, trimming whitespace on each token */
+	while ((token = strsep(&s, ",")) != NULL) {
+		/* trim leading whitespace */
+		while (*token && isspace((unsigned char)*token)) {
+			token++;
+		}
+
+		/* trim trailing whitespace */
+		char *end = token + strlen(token);
+		while (end > token && isspace((unsigned char)end[-1])) {
+			*--end = '\0';
+		}
+
+		if (*token) {
+			/* Expand the items array and append the token */
+			char **arr = (char **)realloc(result.items, (result.count + 1) * sizeof(char *));
+			if (!arr) {
+				/* Allocation failed, stop and return what we have */
+				break;
+			}
+			result.items = arr;
+			result.items[result.count++] = strdup(token);
+		}
+	}
+
+	free(tmp);
+	return result;
+}
+
+/**
+ * flag_list_contains - Case-insensitive membership test in a flag_list.
+ *
+ * Input:
+ *   list   - pointer to a flag_list
+ *   needle - NUL terminated string to search for
+ *
+ * Returns:
+ *   true  if needle is contained in list (strcasecmp)
+ *   false otherwise
+ */
+static bool flag_list_contains(const flag_list *list, const char *needle) {
+	if (!list || !needle || !*needle) {
+		return false;
+	}
+
+	for (size_t i = 0; i < list->count; i++) {
+		if (strcasecmp(list->items[i], needle) == 0) {
+			return true;
+		}
+	}
+	return false;
+}
+
+/**
+ * free_flag_list - Release all heap allocations held by a flag_list.
+ *
+ * Input:
+ *   list - pointer to a flag_list whose items were allocated by
+ *          parse_flags_line() or split_csv_trim().
+ *
+ * After this call list->items is NULL and list->count is 0.
+ */
+static void free_flag_list(flag_list *list) {
+	if (!list || !list->items) {
+		return;
+	}
+
+	for (size_t i = 0; i < list->count; i++) {
+		free(list->items[i]);
+	}
+	free(list->items);
+
+	list->items = NULL;
+	list->count = 0;
 }

plugins/check_dig.d/config.h

@@ -7,6 +7,11 @@
 #define DEFAULT_PORT  53
 #define DEFAULT_TRIES 2
 
+typedef struct {
+	char **items;
+	size_t count;
+} flag_list;
+
 typedef struct {
 	char *query_address;
 	char *record_type;
@@ -19,6 +24,8 @@ typedef struct {
 
 	double warning_interval;
 	double critical_interval;
+	flag_list require_flags;
+	flag_list forbid_flags;
 } check_dig_config;
 
 check_dig_config check_dig_config_init() {
@@ -34,7 +41,8 @@ check_dig_config check_dig_config_init() {
 
 		.warning_interval = UNDEFINED,
 		.critical_interval = UNDEFINED,
-
+		.require_flags = {.count = 0, .items = NULL},
+		.forbid_flags = {.count = 0, .items = NULL},
 	};
 	return tmp;
 }