#!/bin/bash
#
# Nagios plugin that checks whether a key ID has expired, or will expire within
# a certain time.
#
# note: the plugin will issue a critical state if the required key has been
# revoked.
#
# usage: check_gpg [--no-refresh] [-w <num_days>] [-c <num_days>] [--gnupg-homedir <path>] <key_id>
#
# <key_id> is any PGP key ID that GnuPG accepts with "gpg --list-key <key_id>"
#
# The -w option lets you specify the number of days within which key
# expiry will trigger a warning, i.e. if <key_id> expires within <num_days>
# days, nagios issues a warning.
#
# The -c option lets you specify the number of days within which key
# expiry will set the check to critical, i.e. if <key_id> expires within
# <num_days> days, nagios flags the check as critical.
#
# num_days must be an integer value
#
# Optionally, if the keyring directory you want GPG to use is not located in
# the user's ~/.gnupg, you can specify the path to the keyring directory with
# the --gnupg-homedir parameter. With the --no-refresh parameter you can disable
# refreshing the key from keyservers and just validate the local keyring.
#
# Thanks a bunch to Daniel Kahn Gillmor for providing example commands that
# made up most of the core of this plugin.
#
# Copyleft Gabriel Filion
#
# This plugin is released under the GPL v3+ license. To get a copy of the
# license text visit: https://www.gnu.org/licenses/gpl-3.0.txt
#
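# Nagios plugin exit codes. Marked readonly so a stray assignment later in the
# script cannot silently change the status the plugin reports.
readonly STATE_OK=0
readonly STATE_WARNING=1
readonly STATE_CRITICAL=2
readonly STATE_UNKNOWN=3
readonly STATE_DEPENDENT=4
# Conversion factor between the -w/-c day counts and epoch seconds.
readonly SECS_IN_DAY=86400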
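#######################################
# Print a diagnostic line to stderr, only when DEBUG is set and non-empty.
# Globals:   DEBUG (read)
# Arguments: $1 - message to print
# Outputs:   the message, followed by a newline, on stderr
# Returns:   0
#######################################
debug() {
  if [ -n "$DEBUG" ]; then
    # printf rather than echo so a message that looks like an echo option
    # (e.g. "-n") is printed verbatim instead of being swallowed.
    printf '%s\n' "$1" >&2
  fi
}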
#######################################
# Print the one-line usage synopsis to stdout.
# Arguments: none ($0 is the script name as invoked)
# Outputs:   usage line on stdout
#######################################
showUsage() {
  printf 'Usage: %s [--no-refresh] [-w <num_days>] [-c <num_days>] [--gnupg-homedir <path>] <key_id>\n' "$0"
}
debug "got args: $*"
# Reference time (epoch seconds) for every expiry comparison below.
now=$(date +%s)
debug "current timestamp: $now"
# Option state. The thresholds stay empty unless -w / -c are given; the expiry
# loop uses "empty" to mean "not configured".
warning_threshold='' warning_days=''
critical_threshold='' critical_days=''
# Extra gpg argument(s) for an alternate keyring directory, empty by default.
homedir=''
# 1 = refresh the key from keyservers before checking, 0 = local keyring only.
refresh=1
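#######################################
# Option parsing. Options must precede <key_id>; the first argument that is
# not an option ends parsing and is left in $1 for the key lookup below.
# (The previous "for arg in $*" form iterated over a snapshot of the arguments
# while also shifting them, so option values were matched against the wrong
# position whenever an argument contained whitespace or followed the key.)
# Globals:   now, SECS_IN_DAY (read); warning_days, warning_threshold,
#            critical_days, critical_threshold, homedir, refresh (written)
# Arguments: the script's positional parameters, consumed with shift
# Outputs:   an UNKNOWN line plus usage on stdout for bad input
# Returns:   exits STATE_UNKNOWN on bad input, STATE_OK for -h/--help
#######################################
while [ $# -gt 0 ]; do
  case "$1" in
    -w)
      if [ -z "$2" ]; then
        echo "UNKNOWN: argument -w got no value. integer needed"
        showUsage
        exit $STATE_UNKNOWN
      fi
      # Digits only; the pattern is left unquoted so =~ treats it as a regex.
      if ! [[ "$2" =~ ^[[:digit:]]+$ ]]; then
        echo "UNKNOWN: invalid value '$2' passed to -w. integer needed"
        showUsage
        exit $STATE_UNKNOWN
      fi
      warning_days=$2
      # 10# forces decimal so a leading zero is not read as octal.
      warning_threshold=$(( now + (10#$warning_days * SECS_IN_DAY) ))
      debug "setting warning_threshold to '$warning_threshold'"
      shift 2
      ;;
    -c)
      if [ -z "$2" ]; then
        echo "UNKNOWN: argument -c got no value. integer needed"
        showUsage
        exit $STATE_UNKNOWN
      fi
      if ! [[ "$2" =~ ^[[:digit:]]+$ ]]; then
        echo "UNKNOWN: invalid value '$2' passed to -c. integer needed"
        showUsage
        exit $STATE_UNKNOWN
      fi
      critical_days=$2
      critical_threshold=$(( now + (10#$critical_days * SECS_IN_DAY) ))
      debug "setting critical_threshold to '$critical_threshold'"
      shift 2
      ;;
    --no-refresh)
      refresh=0
      shift
      ;;
    --gnupg-homedir)
      if [ -z "$2" ]; then
        echo "UNKNOWN: argument --gnupg-homedir got no value. path needed"
        showUsage
        exit $STATE_UNKNOWN
      fi
      if [ ! -d "$2" ]; then
        echo "UNKNOWN: homedir '$2' does not exist or is not a directory"
        showUsage
        exit $STATE_UNKNOWN
      fi
      # Kept as one string because the gpg calls below expand $homedir
      # unquoted to split it into "--homedir" and the path; a path containing
      # whitespace is therefore not supported through this variable.
      homedir="--homedir $2"
      debug "setting homedir to '$homedir'"
      shift 2
      ;;
    -h|--help)
      showUsage
      exit $STATE_OK
      ;;
    --)
      # Explicit end of options; whatever follows is the key ID.
      shift
      break
      ;;
    -*)
      echo "UNKNOWN: invalid parameter \"$1\""
      showUsage
      exit $STATE_UNKNOWN
      ;;
    *)
      # First non-option argument: the key ID. Leave it in $1.
      break
      ;;
  esac
done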
# The first remaining argument is the key to examine; it is mandatory.
[ -n "$1" ] || {
  echo "UNKNOWN: must provide a key ID"
  showUsage
  exit $STATE_UNKNOWN
}
key=$1
# gpg --refresh does not fail when asked to refresh a key that is absent from
# the local keyring, so confirm the key is present first. Only stderr is
# captured (stdout is discarded) so the UNKNOWN text carries gpg's error.
# shellcheck disable=SC2086 -- $homedir is deliberately word-split into "--homedir <path>"
if ! output=$( gpg $homedir --list-key -- "$key" 2>&1 >/dev/null ); then
  echo "UNKNOWN: $output"
  exit $STATE_UNKNOWN
fi
# Refresh the key from the keyservers unless --no-refresh was given. This is a
# network operation: if the configured keyserver is unreachable the call may
# take a long time — NOTE(review): no timeout is applied here; confirm the
# monitoring side enforces a plugin timeout.
if (( refresh == 1 )); then
  # shellcheck disable=SC2086 -- $homedir is deliberately word-split
  if ! output=$( gpg $homedir --refresh -- "$key" 2>&1 >/dev/null ); then
    echo "UNKNOWN: $output"
    exit $STATE_UNKNOWN
  fi
fi
# A revocation shows up as a line starting with "rev!" in --check-sig output;
# a revoked key is always critical, regardless of its expiry.
# shellcheck disable=SC2086 -- $homedir is deliberately word-split
if gpg $homedir --check-sig -- "$key" 2>/dev/null | grep -q '^rev!'; then
  echo "CRITICAL: key '$key' has been revoked!"
  exit $STATE_CRITICAL
fi
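# Performance data and result, filled in by the expiry loop below.
perf=
result=$STATE_OK
# Human-readable owner: the first uid line of the key (field 10 of the colon
# listing, in which gpg escapes ':' as \x3a). Only the first uid is taken so
# that a key with several user IDs does not turn the status text into several
# lines — Nagios reads the first line of output as the status.
# shellcheck disable=SC2086 -- $homedir is deliberately word-split
owner=$(gpg $homedir --with-colons --fixed-list-mode --list-key -- "$key" 2>/dev/null | awk -F: '/^uid:/{ print $10; exit }')
# Default status text; replaced by the expiry loop when a threshold trips.
text="OK: key '$key' '$owner' has not expired."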
# Examine the expiry of every primary key (pub: line) the lookup returns; a
# lookup by name or e-mail can match more than one key. Field 7 of the colon
# listing is the expiry as epoch seconds and is empty for a key that does not
# expire, which the word-split $(...) simply drops. Subkey (sub:) expiry is
# not examined here.
# shellcheck disable=SC2086 -- $homedir is deliberately word-split
for expiry in $(gpg $homedir --with-colons --fixed-list-mode --list-key -- "$key" 2>/dev/null | awk -F: '/^pub:/{ print $7 }'); do
  debug "expiry value: $expiry"
  # Whole days left (negative once expired). Perfdata thresholds are the raw
  # -w/-c day counts, left empty when the option was not given.
  remaining=$(( (expiry - now) / SECS_IN_DAY ))
  perf="remain=$remaining;$warning_days;$critical_days;0;"
  if (( now > expiry )); then
    # "date -d @<epoch>" is GNU date syntax.
    text=$(printf "CRITICAL: %s %s has expired on %s\n" "$key" "$owner" "$(date -d "@$expiry")")
    result=$STATE_CRITICAL
    break
  elif [ -n "$critical_threshold" ] && (( critical_threshold > expiry )); then
    text=$(printf "CRITICAL: %s %s expires in %s days\n" "$key" "$owner" "$remaining")
    result=$STATE_CRITICAL
    break
  elif [ -n "$warning_threshold" ] && (( warning_threshold > expiry )); then
    # No break: a later matching key may still be critical.
    text=$(printf "WARNING: %s %s expires in %s days\n" "$key" "$owner" "$remaining")
    result=$STATE_WARNING
  fi
done
# Emit the single status line, with perfdata appended after '|' when present,
# then exit with the Nagios state computed above.
printf '%s' "$text"
[ -n "$perf" ] && printf '|%s' "$perf"
printf '\n'
exit $result