nagios/check_crl: review and debug

2019-08-08 01:32:29 +02:00 · 2019-08-08 01:32:29 +02:00 · 273b6c8631
commit 273b6c8631
parent 7cadcce088
1 changed files with 41 additions and 95 deletions
--- a/nagios/check_crl.sh
+++ b/nagios/check_crl.sh
@ -4,19 +4,27 @@
 # GPL v3+
 # Default values
-# Warning : 10 days - 10 years
+# Warning : 7 days - 10 years
-RANGE_WARNING="864000:315360000"
+# (juste because more than 10 years is really far stretched and might be a manipulation error)
-# Critical : 4 days
+RANGE_WARNING="7:3650"
-RANGE_CRITICAL="345600:"
+# Critical : 3 days
 RANGE_CRITICAL="3:"
 # Output
 OUTPUT_EXIT_STATUS=0
 OUTPUT_DETAIL_WARNING=""
 OUTPUT_DETAIL_CRITICAL=""
 #OUTPUT_PERFDATA=""
 PROGPATH=$( echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,' )
 REVISION="0.2"
 # Stop at the first non-catched error
 set -e
 # Include check_range()
 . $PROGPATH/utils.sh
 #
 # Help function
 #
@ -25,7 +33,7 @@ usage() {
 Usage :
  $0 [-w warning_range] [-c critical_range] -f file.crl [[-w...] -f file.crl ] ...
-Ranges are in seconds.
+Thresholds in days.
 Note: Since the file is checked against the lastest ranges given, order
      of the arguments are important.
@ -36,88 +44,18 @@ Default values:
 EOF
 }
 # TODO: manage non-integer values
 # Args :
 # - value
 # - range warning
 # - range critical
 # Return:
 # 0: ok
 # 8: syntax error in range
 # 9: higher threshold lower than lower threshold
 check_range_syntax() {
-	local REGEXP LOWER_THRESHOLD HIGHER_THRESHOLD
+	check_range 0 "$1" >/dev/null 2>&1
-
+	if [ "$?" -eq "2" ]; then
-	# Check syntax
+		return 1
 	REGEXP='@\?\(-\?[0-9]\+:\|~:\|:\|\)\(-\?[0-9]\+\|~\|\)'
 	test -n "$( echo "$1" | sed -n "/^$REGEXP$/p" )" || return 8
 	# Check that lower limit is lower than higher limit :)
 	LOWER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\1/p" | sed 's/:$//' )
 	HIGHER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\2/p" )
 	if test -z "$LOWER_THRESHOLD"; then
 		LOWER_THRESHOLD=0
 	fi
 	if test -z "$HIGHER_THRESHOLD"; then
 		HIGHER_THRESHOLD='~'
 	fi
 	if [ "$LOWER_THRESHOLD" != "~" ]; then
 		if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$LOWER_THRESHOLD" -gt "$HIGHER_THRESHOLD" ]; then
 			return 9
 		fi
 	fi
 	printf "%s\t%s" "$LOWER_THRESHOLD" "$HIGHER_THRESHOLD"
 	return 0
 }
 # Args :
 # - value
 # - range
 # Return :
 # 0: ok
 # 1: not in range
 # 8-15: see check_range_syntax()
 # 16: function call problem
 check_range() {
 	local VALUE LINE RET LOWER_THRESHOLD HIGHER_THRESHOLD
 	# ranges can be empty
 	test -n "$1" || return 16
 	VALUE="$1"
 	RANGE="$2"
 	# Analyze range
 	LINE=$( check_range_syntax "$RANGE" )
 	RET="$?"
 	test $RET -eq 0 || return $RET
 	LOWER_THRESHOLD="$( echo "$LINE" | cut -f 1 )"
 	HIGHER_THRESHOLD="$( echo "$LINE" | cut -f 2 )"
 	# Check value
 	if [ $( echo "$RANGE" | grep -c "^@" ) -eq 0 ]; then
 		# Normal comparison
 		if [ "$LOWER_THRESHOLD" != "~" ] && [ "$VALUE" -lt "$LOWER_THRESHOLD" ]; then
 			return 1
 		fi
 		if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$VALUE" -gt "$HIGHER_THRESHOLD" ]; then
 			return 1
 		fi
 	else
 		# Invert range (inside, inclusive)
 		if [ "$LOWER_THRESHOLD" = '~' ] || [ "$VALUE" -ge "$LOWER_THRESHOLD" ]; then
 			if [ "$HIGHER_THRESHOLD" = '~' ] || [ "$VALUE" -le "$HIGHER_THRESHOLD" ]; then
 				return 1
 			fi
 		fi
 	fi
 	return 0
 }
 # Some early checks
 if ! which openssl >/dev/null 2>&1 ; then
 	echo "UNKNOWN 'openssl' not found."
-	exit 1
+	exit $STATE_UNKNOWN
 fi
 #
@ -134,8 +72,8 @@ while getopts hw:c:f: OPT; do
 			if check_range_syntax "$OPTARG" >/dev/null; then
 				RANGE_WARNING="$OPTARG"
 			else
-				echo "UNKNOWN: invalid range."
+				echo "UNKNOWN: invalid range : $OPTARG"
-				exit 3
+				exit $STATE_UNKNOWN
 			fi
 			;;
@ -143,8 +81,8 @@ while getopts hw:c:f: OPT; do
 			if check_range_syntax "$OPTARG" >/dev/null; then
 				RANGE_CRITICAL="$OPTARG"
 			else
-				echo "UNKNOWN: invalid range."
+				echo "UNKNOWN: invalid range : $OPTARG"
-				exit 3
+				exit $STATE_UNKNOWN
 			fi
 			;;
@ -153,27 +91,27 @@ while getopts hw:c:f: OPT; do
 			# should not be done during params management :)
 			CRL_FILE="$OPTARG"
 			if [ ! -f "$CRL_FILE" ]; then
-				echo "UNKNOWN: inexistent file."
+				echo "UNKNOWN: inexistent file : $CRL_FILE"
-				exit 3
+				exit $STATE_UNKNOWN
 			fi
 			# Extract time left, in seconds
 			EXPIRATION_DATE="$( openssl crl -noout -text -in "$CRL_FILE" | sed -n "s/^[[:space:]]\+Next Update: \(.*\)$/\1/p" )"
 			if [ -z "$EXPIRATION_DATE" ]; then
 				echo "UNKNOWN: couldn't get expiration date."
-				exit 3
+				exit $STATE_UNKNOWN
 			fi
-			TIME_LEFT=$(( $( date +%s ) - $( date --date="$EXPIRATION_DATE" +%s ) ))
+			TIME_LEFT=$(( ( $( date --date="$EXPIRATION_DATE" +%s ) - $( date +%s ) ) / 86400 ))
 			# Check time left against range
-			if ! check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then
+			if check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then
-				OUTPUT_EXIT_STATUS=2
+				OUTPUT_EXIT_STATUS=$STATE_CRITICAL
-				OUTPUT_DETAIL_CRITICAL="$OUTPUT_DETAIL_CRITICAL crl:$CRL_FILE"
+				OUTPUT_DETAIL_CRITICAL="$OUTPUT_DETAIL_CRITICAL $CRL_FILE ($TIME_LEFT days left)"
-			elif ! check_range "$CPT" "$RANGE_WARNING"; then
+			elif check_range "$TIME_LEFT" "$RANGE_WARNING"; then
 				if [ "$OUTPUT_EXIT_STATUS" -eq 0 ]; then
-					OUTPUT_EXIT_STATUS=1
+					OUTPUT_EXIT_STATUS=$STATE_WARNING
 				fi
-				OUTPUT_DETAIL_WARNING="$OUTPUT_DETAIL_WARNING crl:$CRL_FILE"
+				OUTPUT_DETAIL_WARNING="$OUTPUT_DETAIL_WARNING $CRL_FILE ($TIME_LEFT days left)"
 			fi
 			;;
@ -184,6 +122,11 @@ while getopts hw:c:f: OPT; do
 	esac
 done
 if [ -z "$CRL_FILE" ]; then
 	echo "UNKNOWN: no file tested."
 	exit $STATE_UNKNOWN
 fi
 case "$OUTPUT_EXIT_STATUS" in
 	'0')
 		printf "OK"
@ -199,6 +142,9 @@ case "$OUTPUT_EXIT_STATUS" in
 		;;
 esac
-# on supprime les retours à la ligne
+# Perfdata
-exit $RETURN_STATUS
+#printf "|%s\n" "$OUTPUT_PERFDATA"
 printf "\n"
 # Exit with return status
 exit $OUTPUT_EXIT_STATUS