feat(strongswan-connections): add --match and --ignore filter parameters

Adds --match (include filter) and --ignore (exclude filter), both
Python regex, case-sensitive by default (use (?i) for
case-insensitive matching), both repeatable. Include-first,
exclude-second semantics match the disk-usage plugin and the
lib.args canonical --match / --ignore convention.

Typical use cases on a strongSwan VPN gateway:

- --ignore='^RA_' to hide transient remote-access clients and
  keep a single Icinga service for all permanent site-to-site
  peers
- --match='^S2S_SITE-XY$' to pin a dedicated Icinga service to
  one specific site-to-site peer (per-site granularity, named
  alerts)

The filter applies to both the "configured" and the "active"
connection lists before the "configured but not active"
comparison, so an ignored connection that happens to be down
does not trigger the warning.

Along the way the test mode was fixed: format_sas_data() and
format_child_data() now accept both VICI bytes and JSON strings,
which uncovered that the existing unit tests were passing only
because the pre-existing fixture-load path triggered a swallowed
exception and left state at STATE_OK, asserting only the trivial
"Everything is ok." fallback. With the fix, fixtures actually
drive the plugin through format_sas_data / format_child_data and
the assertions can check real rendered output.

Other polish in the same commit: dedupe
get_possible_connection_keys / get_active_connection_keys via a
_collect_keys helper, fix a socket leak (try/finally + close),
narrow a bare except Exception on socket.connect to OSError with
a descriptive error message, replace an O(n*m) sas[key] probe
loop with items() + set lookup, move import json to module
scope, drop an unused import lib.shell, delete a vestigial
1173-char OrderedDict-repr comment, delete the vestigial "do not
call the command" comment on the --test else branch.

Closes #738

Author: markuslf

CHANGELOG.md

@@ -55,6 +55,7 @@ Monitoring Plugins:
 * scanrootkit: add 41 signatures for modern Linux rootkits, backdoors and implants, including BPFDoor, Drovorub, Ebury 1.7/1.8, FontOnLake, HiddenWasp, Kaiji, Kobalos, Lightning Framework, Medusa, Nuk3Gh0st, OrBit, perfctl, PUMAKIT, Pygmy Goat, Reptile, RotaJakiro, sedexp, Skidmap, SSHdoor, Symbiote, Syslogk, TripleCross, UNC3886, Winnti for Linux, Adore-NG, Azazel, BEURK, Father, Honey Pot Bears and Umbra. Sourced from public vendor and threat-research IoC reports (ESET, Sandfly, Intezer, Elastic, Mandiant, Sophos, NCSC UK, fkie-cad/linux-rootkit-iocs, etc.)
 * scanrootkit: each finding now shows the year the rootkit was first publicly disclosed when known, e.g. `* CiNIK Worm (2002): /tmp/.cinik (File)`. Old rkhunter-era signatures and the new 2019+ signatures have all been dated where a reliable public source exists; signatures without a confirmed year are shown without the suffix as before
 * sensors-temperatures: add `--ignore` parameter to filter out sensors by regex ([#965](https://github.com/Linuxfabrik/monitoring-plugins/issues/965))
+* strongswan-connections: add `--match` and `--ignore` parameters to filter configured and active VICI connections by regex. Useful for gateways that mix permanent site-to-site peers with transient remote-access clients: admins can either hide the RA clients via `--ignore='^RA_'` (and keep a single Icinga service for all S2S peers) or pin a dedicated Icinga service to a single site via `--match='^S2S_SITE-XY$'`. Include-first, exclude-second semantics, same as the `disk-usage` plugin; both parameters follow the `lib.args` canonical convention (case-sensitive by default, `(?i)` opt-in, appending). As part of this work the test-mode code path was fixed so fixtures stop silently matching the trivial "Everything is ok." fallback via a swallowed exception ([#738](https://github.com/Linuxfabrik/monitoring-plugins/issues/738))
 * statuspal: also detect 'emergency-maintenance' state
 * valkey-status: support user and password credentials [PR #954](https://github.com/Linuxfabrik/monitoring-plugins/pull/954), thanks to [Claudio Kuenzler](https://github.com/Napsty)
 

check-plugins/strongswan-connections/README.md

@@ -34,19 +34,41 @@ Checks IPSec connection states on a strongSwan VPN gateway by connecting to the
 ## Help
 
 ```text
-usage: strongswan-connections [-h] [-V] [--always-ok] [--lengthy]
-                              [--socket SOCKET] [--test TEST]
+usage: strongswan-connections [-h] [-V] [--always-ok] [--ignore IGNORE]
+                              [--lengthy] [--match MATCH] [--socket SOCKET]
+                              [--test TEST]
 
 Checks IPSec connection states on a strongSwan VPN gateway. Connects to the
 charon daemon via the VICI interface to retrieve IKE SA and CHILD SA states.
-Alerts on connections that are not in the expected established state. Requires
+Alerts on connections that are not in the expected established state.
+Connection names can be filtered out with --ignore, which is useful for
+gateways that mix permanent site-to-site peers with transient remote-access
+clients where only the site-to-site peers should drive the alert. Requires
 root or sudo.
 
 options:
   -h, --help       show this help message and exit
   -V, --version    show program's version number and exit
   --always-ok      Always returns OK.
+  --ignore IGNORE  Ignore connections whose VICI key matches this Python
+                   regular expression. Case-sensitive by default; use `(?i)`
+                   for case-insensitive matching. Can be specified multiple
+                   times. Example: `--ignore="^RA_"` to skip transient remote-
+                   access clients on a VPN gateway that also carries permanent
+                   site-to-site peers. Example: `--ignore="(?i)test"` (case-
+                   insensitive) to skip any connection with "test" in its
+                   name. Default: None
   --lengthy        Extended reporting.
+  --match MATCH    Only check connections whose VICI key matches this Python
+                   regular expression. Case-sensitive by default; use `(?i)`
+                   for case-insensitive matching. Can be specified multiple
+                   times. If both `--match` and `--ignore` are given, a
+                   connection must match `--match` AND not match `--ignore` to
+                   be checked (include first, exclude second). Example:
+                   `--match="^S2S_SITE-XY$"` to pin an Icinga service to one
+                   specific site-to-site peer. Example: `--match="(?i)^s2s_"`
+                   (case-insensitive) to check every site-to-site peer on a
+                   gateway. Default: None
   --socket SOCKET  Path to the Versatile IKE Control Interface (VICI) socket.
                    Default: /run/strongswan/charon.vici
   --test TEST      For unit tests. Needs "path-to-stdout-file,path-to-stderr-

check-plugins/strongswan-connections/icingaweb2-module-director/strongswan-connections.json

@@ -5,9 +5,17 @@
                 "--always-ok": {
                     "set_if": "$strongswan_connections_always_ok$"
                 },
+                "--ignore": {
+                    "value": "$strongswan_connections_ignore$",
+                    "repeat_key": true
+                },
                 "--lengthy": {
                     "set_if": "$strongswan_connections_lengthy$"
                 },
+                "--match": {
+                    "value": "$strongswan_connections_match$",
+                    "repeat_key": true
+                },
                 "--socket": {
                     "value": "$strongswan_connections_socket$"
                 }
@@ -29,6 +37,16 @@
                     "datafield_id": 3,
                     "is_required": "n",
                     "var_filter": null
+                },
+                {
+                    "datafield_id": 4,
+                    "is_required": "n",
+                    "var_filter": null
+                },
+                {
+                    "datafield_id": 5,
+                    "is_required": "n",
+                    "var_filter": null
                 }
             ],
             "imports": [],
@@ -72,7 +90,7 @@
                 "tpl-service-generic"
             ],
             "max_check_attempts": 5,
-            "notes": "Checks IPSec connection states on a strongSwan VPN gateway. Connects to the charon daemon via the VICI interface to retrieve IKE SA and CHILD SA states. Alerts on connections that are not in the expected established state. Requires root or sudo.",
+            "notes": "Checks IPSec connection states on a strongSwan VPN gateway. Connects to the charon daemon via the VICI interface to retrieve IKE SA and CHILD SA states. Alerts on connections that are not in the expected established state. Connection names can be filtered out with --ignore, which is useful for gateways that mix permanent site-to-site peers with transient remote-access clients where only the site-to-site peers should drive the alert. Requires root or sudo.",
             "notes_url": "https://linuxfabrik.github.io/monitoring-plugins/check-plugins/strongswan-connections/",
             "object_name": "tpl-service-strongswan-connections",
             "object_type": "template",
@@ -84,7 +102,9 @@
             "vars": {
                 "criticality": "C",
                 "strongswan_connections_always_ok": false,
+                "strongswan_connections_ignore": [],
                 "strongswan_connections_lengthy": false,
+                "strongswan_connections_match": [],
                 "strongswan_connections_socket": "/run/strongswan/charon.vici"
             },
             "volatile": null,
@@ -103,6 +123,17 @@
             "uuid": "584d20e3-6a37-49bd-8775-e659107932ea"
         },
         "2": {
+            "varname": "strongswan_connections_ignore",
+            "caption": "Strongswan Connections: Ignore",
+            "description": "Ignore connections whose VICI key matches this Python regular expression. Case-sensitive by default; use `(?i)` for case-insensitive matching. Can be specified multiple times. Example: `--ignore=\"^RA_\"` to skip transient remote-access clients on a VPN gateway that also carries permanent site-to-site peers. Example: `--ignore=\"(?i)test\"` (case-insensitive) to skip any connection with \"test\" in its name.",
+            "datatype": "Icinga\\Module\\Director\\DataType\\DataTypeArray",
+            "format": null,
+            "settings": {
+                "visibility": "visible"
+            },
+            "uuid": "aa407e77-234d-4bd0-ace0-81c21fe71a9d"
+        },
+        "3": {
             "varname": "strongswan_connections_lengthy",
             "caption": "Strongswan Connections: Lengthy?",
             "description": "Extended reporting.",
@@ -111,7 +142,18 @@
             "settings": {},
             "uuid": "a59704e1-8a80-4f5a-a8f5-e7ed09ef73ab"
         },
-        "3": {
+        "4": {
+            "varname": "strongswan_connections_match",
+            "caption": "Strongswan Connections: Match",
+            "description": "Only check connections whose VICI key matches this Python regular expression. Case-sensitive by default; use `(?i)` for case-insensitive matching. Can be specified multiple times. If both `--match` and `--ignore` are given, a connection must match `--match` AND not match `--ignore` to be checked (include first, exclude second). Example: `--match=\"^S2S_SITE-XY$\"` to pin an Icinga service to one specific site-to-site peer. Example: `--match=\"(?i)^s2s_\"` (case-insensitive) to check every site-to-site peer on a gateway.",
+            "datatype": "Icinga\\Module\\Director\\DataType\\DataTypeArray",
+            "format": null,
+            "settings": {
+                "visibility": "visible"
+            },
+            "uuid": "003dbb6e-6dd0-40f7-892c-e61871dd5e7c"
+        },
+        "5": {
             "varname": "strongswan_connections_socket",
             "caption": "Strongswan Connections: Socket",
             "description": "Path to the Versatile IKE Control Interface (VICI) socket.",