#!/usr/bin/perl -w
#
#
# check_crl -f <filename> -w <warn> -c <crit>
#
# Script to check the "Next Update" time of a revocation list within the apache
# webserver (users.crl).
# Warn and crit are the number of days left before the expiration date is reached.
#
# Changes and Modifications
# =========================
# 23.05.2007 - 1.0.0 R. Kaiser autinform
#  Created
#

use Time::Local;
use POSIX;
use strict;
use Getopt::Long;
use vars qw($opt_c $opt_w $opt_f $opt_h $opt_V);
use vars qw($PROGNAME);
use vars qw($REVISION);
use lib "/usr/lib/nagios/plugins" ;
use utils qw($TIMEOUT %ERRORS &print_revision &support &usage);

# Programname and version
$PROGNAME = "check_crl";
$REVISION = "\$Revision: 1.0.0 \$";

# Definition of my defaults
my $def_warn=10;
my $def_crit=4;

sub print_help ();
sub print_usage ();
sub zeit_wandeln_in_sek ();

Getopt::Long::Configure('bundling');
GetOptions
        ("V"   => \$opt_V, "version"     => \$opt_V,
         "h"   => \$opt_h, "help"        => \$opt_h,
         "f=s" => \$opt_f, "file=s"      => \$opt_f,
         "w=i" => \$opt_w, "warning=i"   => \$opt_w,
         "c=i" => \$opt_c, "critical=i"  => \$opt_c);

if ($opt_V) {
        print_revision($PROGNAME,$REVISION);
        exit $ERRORS{'OK'};
}

if ($opt_h) {print_help(); exit 0;}

($opt_f) || ($opt_f = shift) || usage("File not specified\n");
my $datei = $1 if ($opt_f =~ /^([\/-_.A-Za-z0-9]+)$/);
($datei) || usage("Invalid filename: $opt_f\n");

($opt_w) || ($opt_w = shift) || ($opt_w = $def_warn);
my $warn = $1 if ($opt_w =~ /^([0-9]{1,4})$/);
($warn) || usage("Invalid warning threshold: $opt_w\n");

($opt_c) || ($opt_c = shift) || ($opt_c = $def_crit);
my $crit = $1 if ($opt_c =~ /^([0-9]{1,4})$/);
($crit) || usage("Invalid critical threshold: $opt_c\n");


# verify warning is less than critical
unless ( $warn > $crit ) {
       usage("days left: warning ($opt_w) should be greater than critical ($opt_c)\n");
}

# check file access
unless ( -r $datei ) {
       usage("File ($datei) not found or not accessable.\n");
}

# end of params checking


my $state = "OK";
my $answer = undef;
my $res = undef;
my @lines = undef;
my $datum = undef;
my $monat= undef;
my $timesec = undef;

# Just in case of problems, let's not hang Nagios
$SIG{'ALRM'} = sub {
        print "No Answer from Client\n";
        exit $ERRORS{"UNKNOWN"};
};
alarm($TIMEOUT);

########## Action

# Get the "Next Update" line of the crl.
my $crl_zeit = qx(/usr/bin/openssl crl -noout -text -in $datei | /bin/grep " Next Update:");
$crl_zeit =~ s/^ +//g;     # remove leading blanks
$crl_zeit =~ s/\n$//;      # remove trailing linefeed
$crl_zeit =~ s/  / /g;     # remove multiple blanks

my ($nix1, $nix2, $mon, $tag, $zeit, $jahr, $dattyp) = split (/ /, $crl_zeit);

# change month from string to number
my $mon_liste = "JanFebMarAprMayJunJulAugSepOctNovDec";
$monat = (index($mon_liste, $mon) / 3) + 1;

# change to seconds since 01.01.1970
$timesec = zeit_wandeln_in_sek();

# get current time and check the difference
my $act_time = time();
my $SekDiff = $timesec - $act_time;
my $SekRest = $SekDiff;

# make the difference human readable
my $Tage = int($SekRest / (24 * 3600));
$SekRest = $SekRest - ($Tage * 24 * 3600);

my $Stunden = int($SekRest / 3600);
$SekRest = $SekRest - ($Stunden * 3600);

my $Minuten = int($SekRest / 60);
$SekRest = $SekRest - ($Minuten * 60);

#Turn off alarm
alarm(0);

# and now build the answer

my $txt_Tage = "Tage";
my $txt_Stun = "Stunden";
my $txt_Minu = "Minuten";
my $txt_Seku = "Sekunden";
$txt_Tage = "Tag" if ( $Tage == 1 );
$txt_Stun = "Stunde" if ( $Stunden == 1 );
$txt_Minu = "Minute" if ( $Minuten == 1 );
$txt_Seku = "Sekunde" if ( $SekRest == 1 );

$answer = "CRL Restzeit: $Tage $txt_Tage, $Stunden $txt_Stun, $Minuten $txt_Minu und $SekRest $txt_Seku.\n";

# check the time left with warn and crit

if ( $SekDiff <= ($warn * 24 * 3600) ) {
   $state = "WARNING";
}
if ( $SekDiff <= ($crit * 24 * 3600) ) {
   $state = "CRITICAL";
}

print $state." ".$answer;
exit $ERRORS{$state};


############################################################################

sub zeit_wandeln_in_sek () {

   # Den Monat fuer Perl anpassen.
   $monat = $monat - 1;

   # Die Zeitangabe auseinander nehmen.
   my ($stunde,$minute,$sekunde) = split /\:/, $zeit;

   if ( $dattyp eq "GMT" ) {
      my $timesec=timegm($sekunde,$minute,$stunde,$tag,$monat,$jahr);
   }
   elsif ( $dattyp eq "LOC" ) {
         my $timesec=timelocal($sekunde,$minute,$stunde,$tag,$monat,$jahr);
   }
   else {
      $timesec=0;
  }
}

###

sub print_usage () {
        print_revision($PROGNAME,$REVISION);
        print "Usage: $PROGNAME -f <filename> [-w <warn> -c <crit>]\n";
}

###

sub print_help () {
        print "Checking the expiration date (Next Update) of a revocation list.

";
        print_usage();
        print "
-f, --filename=STRING
    name and location of the revocation list file
-w, --warning=INTEGER
    Number of days left (Defaults: $def_warn)
-c, --critical=INTEGER
    Number of days left (Defaults: $def_crit)

";
}