#!/bin/sh

# Small script to survey CRL
# GPL v3+

# Default values
# Warning : 10 days - 10 years
RANGE_WARNING="864000:315360000"
# Critical : 4 days
RANGE_CRITICAL="345600:"

# Output
OUTPUT_EXIT_STATUS=0
OUTPUT_DETAIL_WARNING=""
OUTPUT_DETAIL_CRITICAL=""

# Stop at the first non-catched error
set -e

#
# Help function
#
usage() {
	cat <<EOF
Usage :
  $0 [-w warning_range] [-c critical_range] -f file.crl [[-w...] -f file.crl ] ...

Ranges are in seconds.

Note: Since the file is checked against the lastest ranges given, order
      of the arguments are important.

Default values:
	warning_range:	$RANGE_WARNING
	critical_range:	$RANGE_CRITICAL
EOF
}

# TODO: manage non-integer values
# Args :
# - value
# - range warning
# - range critical
# Return:
# 0: ok
# 8: syntax error in range
# 9: higher threshold lower than lower threshold
check_range_syntax() {
	local REGEXP LOWER_THRESHOLD HIGHER_THRESHOLD

	# Check syntax
	REGEXP='@\?\(-\?[0-9]\+:\|~:\|:\|\)\(-\?[0-9]\+\|~\|\)'
	test -n "$( echo "$1" | sed -n "/^$REGEXP$/p" )" || return 8

	# Check that lower limit is lower than higher limit :)
	LOWER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\1/p" | sed 's/:$//' )
	HIGHER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\2/p" )
	if test -z "$LOWER_THRESHOLD"; then
		LOWER_THRESHOLD=0
	fi
	if test -z "$HIGHER_THRESHOLD"; then
		HIGHER_THRESHOLD='~'
	fi
	if [ "$LOWER_THRESHOLD" != "~" ]; then
		if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$LOWER_THRESHOLD" -gt "$HIGHER_THRESHOLD" ]; then
			return 9
		fi
	fi

	printf "%s\t%s" "$LOWER_THRESHOLD" "$HIGHER_THRESHOLD"
	return 0
}

# Args :
# - value
# - range
# Return :
# 0: ok
# 1: not in range
# 8-15: see check_range_syntax()
# 16: function call problem
check_range() {
	local VALUE LINE RET LOWER_THRESHOLD HIGHER_THRESHOLD
	# ranges can be empty
	test -n "$1" || return 16
	VALUE="$1"
	RANGE="$2"

	# Analyze range
	LINE=$( check_range_syntax "$RANGE" )
	RET="$?"
	test $RET -eq 0 || return $RET
	LOWER_THRESHOLD="$( echo "$LINE" | cut -f 1 )"
	HIGHER_THRESHOLD="$( echo "$LINE" | cut -f 2 )"

	# Check value
	if [ $( echo "$RANGE" | grep -c "^@" ) -eq 0 ]; then
		# Normal comparison
		if [ "$LOWER_THRESHOLD" != "~" ] && [ "$VALUE" -lt "$LOWER_THRESHOLD" ]; then
			return 1
		fi
		if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$VALUE" -gt "$HIGHER_THRESHOLD" ]; then
			return 1
		fi
	else
		# Invert range (inside, inclusive)
		if [ "$LOWER_THRESHOLD" = '~' ] || [ "$VALUE" -ge "$LOWER_THRESHOLD" ]; then
			if [ "$HIGHER_THRESHOLD" = '~' ] || [ "$VALUE" -le "$HIGHER_THRESHOLD" ]; then
				return 1
			fi
		fi
	fi

	return 0
}

# Some early checks
if ! which openssl >/dev/null 2>&1 ; then
	echo "UNKNOWN 'openssl' not found."
	exit 1
fi

#
# Parameters management
#
while getopts hw:c:f: OPT; do
	case "$OPT" in
		'h')
			usage
			exit
			;;

		'w')
			if check_range_syntax "$OPTARG" >/dev/null; then
				RANGE_WARNING="$OPTARG"
			else
				echo "UNKNOWN: invalid range."
				exit 3
			fi
			;;

		'c')
			if check_range_syntax "$OPTARG" >/dev/null; then
				RANGE_CRITICAL="$OPTARG"
			else
				echo "UNKNOWN: invalid range."
				exit 3
			fi
			;;

		'f')
			# I'm not very proud of this one : aesthetically speaking, treatments
			# should not be done during params management :)
			CRL_FILE="$OPTARG"
			if [ ! -f "$CRL_FILE" ]; then
				echo "UNKNOWN: inexistent file."
				exit 3
			fi

			# Extract time left, in seconds
			EXPIRATION_DATE="$( openssl crl -noout -text -in "$CRL_FILE" | sed -n "s/^[[:space:]]\+Next Update: \(.*\)$/\1/p" )"
			if [ -z "$EXPIRATION_DATE" ]; then
				echo "UNKNOWN: couldn't get expiration date."
				exit 3
			fi
			TIME_LEFT=$(( $( date +%s ) - $( date --date="$EXPIRATION_DATE" +%s ) ))

			# Check time left against range
			if ! check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then
				OUTPUT_EXIT_STATUS=2
				OUTPUT_DETAIL_CRITICAL="$OUTPUT_DETAIL_CRITICAL crl:$CRL_FILE"
			elif ! check_range "$CPT" "$RANGE_WARNING"; then
				if [ "$OUTPUT_EXIT_STATUS" -eq 0 ]; then
					OUTPUT_EXIT_STATUS=1
				fi
				OUTPUT_DETAIL_WARNING="$OUTPUT_DETAIL_WARNING crl:$CRL_FILE"
			fi
			;;

		\?)
			usage
			exit 1
			;;
	esac
done

case "$OUTPUT_EXIT_STATUS" in
	'0')
		printf "OK"
		;;
	'1')
		printf "WARNING %s" "$OUTPUT_DETAIL_WARNING"
		;;
	'2')
		printf "CRITICAL %s" "$OUTPUT_DETAIL_CRITICAL"
		;;
	*)
		printf "UNKNOWN"
		;;
esac

# on supprime les retours à la ligne
exit $RETURN_STATUS