#!/bin/sh
 
# sslname.sh v2
# 
# Retrieve a list of all "sslcert" tests, which come out of any SSL-enabled
# check Xymon does using a built-in (probably https, but also things like imaps)
# 
# After getting this list, we go through each one looking for the common-
# name that the certificate responded with, verifying that it matched the
# url we were trying to reach in the originating test. Normally this means
# the address for the http test, but it could be just the hostname in the event
# of another SSL service.
# 
# Japheth Cleaver <cleaver@terabithia.org>
# No warranty. YMMV. Use at your own risk.
# 
# First pass: 2010-08-02
# http://xymonton.org/monitors:sslname.sh
# 
# v2 2012-04-27 -- update from hobbit -> xymon and optionally use "modify" 
# instead of our own status

 
 [ -z "$XYMON" ] && -x /usr/bin/xymoncmd && exec /usr/bin/xymoncmd $0 $*

# Set some defaults - I'm running this from xymonlaunch, YMMV
 [ -z "$TESTNAME" ] 	&& TESTNAME=sslname
 [ -z "$XYMSRV" ] 	&& XYMSRV=0.0.0.0
 [ -z "$COLOR" ] 	&& COLOR="clear"
 [ -z "$XYMON" ] 	&& XYMON=/usr/bin/xymon

# Modify the sslcert test result, or create our own?
# MODIFY=1
 
# Get a list of all valid sslcert tests
 SSLHOSTS="`$XYMON $XYMSRV \"xymondboard test=sslcert fields=hostname\"`"
 [ -z "$SSLHOSTS" ] && exit 0
 
 
# Loop over them and compare the common name with any URL we can find
 for THISHOST in $SSLHOSTS ; do
 
   # Return the details of this host's sslcert data, unescaping on the way
    SSLDATA="`$XYMON $XYMSRV \"xymondboard host=^$THISHOST test=sslcert fields=hostname,msg\" | perl -pe 's/&gt;/>/g, s/&lt;/</g, s/&amp;/&/g;' -e 's/\\\n/\n/g;'`"
    THISCOMMA="`echo $THISHOST | sed -e 's/\./,/g'`"
 
   # Find the common name...
   # TODO: We should loop over all common names and try to figure out what the relevant URLs are below
   #   For now, we sort and take the first one.
    COMMONNAME="`echo \"$SSLDATA\" | grep -v issuer: | grep CN= | perl -pe 's/^.*CN=([\w\.\-\*]+).*$/\1/' | sort | uniq | head -n 1`"
    if [ -z "$COMMONNAME" ] ; then
	echo "Couldn't find a 'common name' for $THISHOST..." >&2
	continue
    fi
    # echo " -- Common name for $THISHOST is '$COMMONNAME'"
 
 
   # Isolate what hostname we were trying to access and store as URL,
   # if found. The HUMANURL is the full string, including any port number
    export URL="`echo \"$SSLDATA\" | grep -c https://`"
    if [ $URL -eq 1 ] ; then
	# Great, a simple https address to look at
   	URL="`echo \"$SSLDATA\" | grep https:// | perl -pe 's#^.*https://([\w\.\-]+)(:\d+)?/.*$#\1#'`"
   	HUMANURL="`echo \"$SSLDATA\" | grep https:// | perl -pe 's#^.*(https://[\w\.\-]+(:\d+)?/).*$#\1#'`"
    else
	URL=$THISHOST
	HUMANURL=$THISHOST
    fi
 
    ISMATCH="`echo $URL | grep -cE $COMMONNAME`"

    # Check if we're just modifying the existing status
    if [ -n "$MODIFY" ] ; then
	[ $ISMATCH -ne 1 ] && $XYMON $XYMSRV "modify ${THISCOMMA}.sslcert red $TESTNAME Certificate $COMMONNAME does NOT match $HUMANURL"
	continue
    fi

   # Build our Xymon report
    if [ $ISMATCH -eq 1 ] ; then
	STATUS="SSL cert ok"
	COLOR="green"
	BODY="&green $HUMANURL matches certificate $COMMONNAME"
    else
	STATUS="SSL cert name MISMATCH"
	COLOR="red"
	BODY="&red $HUMANURL does NOT match certificate $COMMONNAME
 
<A HREF=\"$XYMONWEBHOST$XYMONSERVERCGIURL/svcstatus.sh?HOST=$THISHOST&SERVICE=sslcert\">See 'sslcert' test results</A>" 
    fi
 
    # Send results to Xymon
    $XYMON $XYMSRV "status ${THISCOMMA}.${TESTNAME} ${COLOR} `date` - ${STATUS}
${BODY}"
 
done
 
 
# fin
exit 0