#!/usr/bin/env bash
#
# $ID$
# $Url$

# Controleer de DNSSEC-status van een groep domeinen
# Casper Gielen, cgielen@uvt.nl, 2011
# GPLv3

DEBUG=0
CACHE=0

CACHEDIR=/var/cache/check_dnssec/				# use cached results to avoid nagios/nrpe timeouts
CHECK=/usr/lib/nagios/plugins/check_zone_rrsig_expiration	# the real nagios plugin
ZONEDIR=/var/lib/unbound/anchors/ 				# dir that contains a file for every zone. content of the file is ignored
TIMEOUT=8s							# time allowed for each zone (eg 7s)
WARNING=2.8							# warn if RRSIGS expire within 2.8 days (3 gives to many hits)


# pretty print
fmt() { printf "%35s %s\n" "$1" "$2" ; }
age() { echo $(( $(date "+%s") - $(stat -c %Y "$1") )) ; }
usage() { 
	echo "usage: $0 [regex]"
	echo "example: $0 [options] '[a-b]*'"
	echo "options:"
	echo "         --writecache Update cache regardless of age."
	echo "         --help       Show this text."
	echo "You should quote the regexp to avoid premature expansion."
}

check_zones()
{
	for zone in $ZONES; 
	do
		# run test
		[ "$DEBUG" = "1" ] && printf "%35s " $zone
		log=$(timeout $TIMEOUT $CHECK -W $WARNING -Z $zone);
		status=$?
		[ "$DEBUG" = "1" ] && echo "$log"

		# timeout, retry
		if [ "$status" = "124" ];
		then
			[ "$DEBUG" = "1" ] && printf "%35s " $zone
			log=$(timeout $(( $TIMEOUT / 2 )) $CHECK -W $WARNING -Z $zone);
			status=$?
			[ "$DEBUG" = "1" ] && echo "$log"
		fi

		# evaluate result
		case $status in
			0)   ;;
			2)   fmt $zone "$log" ;;
			1)   fmt $zone "$log" ;;
			124) fmt $zone "CRITICAL: timeout" ;;
			*)   echo "Unknown status: $status"; exit 1   ;;
		esac
	done
	[ "$DEBUG" = "1" ] && echo -e "\ndone\n"
}


SUBSET='*'
CACHE=0
# handle command line
until [ -z "$*" ];
do
	option="$1"
	shift
	case $option in
		--help)		usage; exit 1;;
		--writecache)	CACHE=1;;	
		*)		SUBSET="$option";;
	esac
done

# select zones
# FIXME: filterlijst verbeteren
ZONES=$(cd /var/lib/unbound/anchors/; ls ${SUBSET}|egrep -v '(_trusted_keys|arpa|root.key|dlv.isc.org.key|uvt-internal)')

# update cache
CACHEFILE=${CACHEDIR}/$(echo $ZONES | md5sum | cut -d ' ' -f 1)
if [ "$CACHE" = "1" ] ||\
   [ ! -e $CACHEFILE ] ||\
   [ $(age $CACHEFILE) -gt 600 ];
then
	log="$(check_zones)"
	cat /dev/null >  $CACHEFILE
	if [ -n "$log" ];
	then
		echo "$log" | grep CRITICAL >> $CACHEFILE	# kritieke dingen bovenaan de logfile zetten
		echo "$log" | grep WARNING >> $CACHEFILE
		echo "$log" | egrep -v "(CRITICAL|WARNING)" >> $CACHEFILE	# zou eigenlijk nooit iets moeten opleveren
	fi
fi

# show result
cat $CACHEFILE

# nagios: 1=WARNING, 2=ERROR
grep -q CRITICAL $CACHEFILE && exit 2
grep -q WARNING $CACHEFILE && exit 1
echo "OK: $SUBSET "
echo "$ZONES"
