# HG changeset patch # User pesch # Date 1463002459 -7200 # Node ID 10fc0d468fecc9aaafc515e002229908c617c34c # Parent 3ae3e79ee9369ae451040c3293c3f9bdea890381 changed some things diff -r 3ae3e79ee936 -r 10fc0d468fec check_tlsa --- a/check_tlsa Mon May 02 23:12:13 2016 +0200 +++ b/check_tlsa Wed May 11 23:34:19 2016 +0200 @@ -1,20 +1,4 @@ #! /usr/bin/perl -#dig TLSA _25._tcp.ssl.schlittermann.de +dnssec +m -#dig TLSA _25._tcp.hh.schlittermann.de -# http://search.cpan.org/~nierlein/Monitoring-Plugin-0.39/lib/Monitoring/Plugin.pm -# http://perldoc.perl.org/File/Basename.html -# needs debian packet: libmonitoring-plugin-perl -#TLSA Record generieren -# openssl x509 -in .crt -outform DER | openssl sha256 -# neben sha256 gibt's noch sha1 sha224 sha256 sha384 sha512 -# sowie md2 md5 rmd160 (wobei ich diese nicht in betracht ziehe) -# ssl certifikat von einem remote server anfordern -# openssl s_client -showcerts -connect ssl.schlittermann.de:443 < /dev/null -# https://github.com/monitoring-plugins -# https://github.com/monitoring-plugins/monitoring-plugin-perl/blob/master/t/check_stuff.pl - -#openssl s_client -starttls smtp -connect ssl.schlittermann.de:25 | openssl x509 -pubkey | openssl rsa -pubin -inform PEM -outform DER | openssl sha256 -#openssl s_client -starttls smtp -connect ssl.schlittermann.de:25 | openssl x509 -outform DER | openssl sha256 use strict; use warnings; 
@@ -24,76 +8,85 @@ use Monitoring::Plugin; use File::Basename; -#devel -use Data::Dumper; +my $ME = basename $0; my $VERSION = '0.1'; -my $blurb = 'This Plugin is intendet to check TLSA Record'; -my $url = 'https://schlittermann.de'; +my $blurb = 'This Plugin is intendet to check validity of TLSA Record'; +my $url = 'http://www.schlittermann.de'; my $author = 'Heike Yvonne Pesch'; my $email = ''; +my $usage = 'Usage: %s [ -v|--verbose ] [-H ] [-t ] ' + . '[ -c|--critical= ] ' + . '[ -w|--warning= ] ' + . '[ -p|--port= ] ' + . '[ -q|--queryserver= ] '; my $extra = <<_; + +NOTICE +If you want to use a Hostlist, you have to put entrys like this: + +host +host:port + + +EXAMPLES +$ME -H ssl.schlittermann.de +$ME -H hh.schlittermann.de -p25 +$ME -H hh.schlittermann.de:25 +$ME -f hostlist.txt + Author: $author $email For more information visit $url _ -my $license = 'GPLv3'; -my $usage = - 'Usage: %s [ -v|--verbose ] [-H ] [-t ] ' - . '[ -c|--critical= ] ' - . '[ -w|--warning= ] ' - . '[ -p|--port= ] ' - . 
'[ -q|--queryserver= ] '; my $check_tlsa = Monitoring::Plugin->new( - usage => $usage, - version => $VERSION, - blurb => $blurb, - extra => $extra, - url => $url, - license => $license, - plugin => basename $0, - timeout => 60, + usage => $usage, + version => $VERSION, + blurb => $blurb, + extra => $extra, + url => $url, + plugin => $ME, + timeout => 120, ); $check_tlsa->add_arg( - spec => 'host|H=s', - help => q|Host/Domain to check|, - required => 0, + spec => 'host|H=s', + help => q|Host/Domain to check|, + required => 0, ); $check_tlsa->add_arg( - spec => 'hostlist|f=s', - help => q|Host/Domainlist in file to check|, - required => 0, + spec => 'hostlist|f=s', + help => q|Host/Domainlist in file to check|, + required => 0, ); $check_tlsa->add_arg( - spec => 'expiry|e', - help => q|check expiry of Certificate|, - required => 0, + spec => 'expiry|e', + help => q|check expiry of Certificate|, + required => 0, ); $check_tlsa->add_arg( - spec => 'port|p=i', - help => q|Port of Domain to check the TLSA (default: 443)|, - required => 0, - default => 443, + spec => 'port|p=i', + help => q|Port of Domain to check the TLSA (default: 443)|, + required => 0, + default => 443, ); $check_tlsa->add_arg( - spec => 'queryserver|q=s', - help => - q|DNS Server to ask to check the TLSA (default: defined in resolve.conf)|, - required => 0, + spec => 'queryserver|q=s', + required => 0, + help => + q|DNS Server to ask to check the TLSA (default: defined in resolve.conf)|, - #default => '8.8.8.8', ); $check_tlsa->add_arg( - spec => 'protocol|P=s', - help => q|DNS Server to ask to check the TLSA (default: tcp)|, - required => 0, - default => 'tcp', + spec => 'protocol|P=s', + help => q|Protocol to ask to check the TLSA record of domain (default: tcp)|, + required => 0, + default => 'tcp', ); $check_tlsa->getopts; 
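Review bot: The plugin URL in the new `$url` line is downgraded from `https://schlittermann.de` to `http://www.schlittermann.de`; for a plugin whose whole purpose is TLS validation the help text should keep pointing at the TLS endpoint, `my $url = 'https://www.schlittermann.de';`. The help strings also carry two typos worth fixing while they are touched: `intendet` should be `intended` in `$blurb`, and `resolve.conf` should be `resolv.conf` in the `queryserver` help. Raising `timeout` to 120 only changes the advertised option value; nothing in this hunk arms an `alarm`, so unless the external `openssl`/`dig` calls elsewhere in the file are wrapped, a hanging connection can still stall the check past the monitoring host's plugin timeout — worth confirming.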
@@ -102,10 +95,11 @@ my $domainlist = $check_tlsa->opts->hostlist; my $expiry = $check_tlsa->opts->expiry; + if (!$domain && !$domainlist) { my $script = basename $0; my $excuse = "Please set -H or -f \n" - . "For all options try $script --help"; + . "For all options try $script --help"; say $excuse; exit 1; @@ -114,11 +108,19 @@ my $port; my $cert; my $check_date; +my $pattern = '^(?\S*\.[a-z]{2,4}?):{0,1}(?[0-9]*$)'; -if (defined $domainlist && -e $domainlist) { - print get_domains(); +# @TODO find better way +# nearly the same check is defined in get_domains +if ( defined $domain && $domain =~ /$pattern/) { + $domain = $+{domain}; + $port = $+{port}; } -else { print check_tlsa(); } + +if ( defined $domainlist && $domainlist ne '' && -e $domainlist) { + say get_domains(); +} +else { say check_tlsa(); } sub check_tlsa { my $protocol = $check_tlsa->opts->protocol; @@ -127,23 +129,24 @@ if ("$port" eq '25') { $cert = "openssl s_client -starttls smtp -connect $domain:$port " - . '< /dev/null 2>/dev/null'; + . '< /dev/null 2>/dev/null'; } else { - #$port = $check_tlsa->opts->port; $cert = "openssl s_client -connect $domain:$port " - . '< /dev/null 2>/dev/null'; + . '< /dev/null 2>/dev/null'; } - my $digquery = "dig TLSA _$port._$protocol.$domain +short"; - my $diganswer = qx($digquery); - my $dig = substr($diganswer, 6,); - $dig =~ s/(\S*)\s+(\S*)$/$1$2/; + my $digquery = "dig TLSA _$port._$protocol.$domain +short"; + my $diganswer = qx($digquery); my $tlsa_usage = substr($diganswer, 0, 1); my $tlsa_selector = substr($diganswer, 2, 1); my $tlsa_match_type = substr($diganswer, 4, 1); + my $dig_tlsa = substr($diganswer, 6,); + my $valid_date = ''; my $hashit; + $dig_tlsa =~ s/(\S*)\s+(\S*)$/$1$2/; + for ($tlsa_match_type) { when ('0') { die 'certs will be compared directly' } when ('1') { $hashit = 'sha256' } 
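Review bot: `exit 1` on a missing `-H`/`-f` maps to WARNING under the monitoring-plugin exit-code convention, but a usage error is a configuration problem and should surface as UNKNOWN so it is not mistaken for a degraded TLSA state. Monitoring::Plugin already provides this: replace the `say $excuse; exit 1;` pair with `$check_tlsa->plugin_die("Please set -H or -f\nFor all options try $ME --help");`, which prints the message and exits with status 3. That also makes the local `my $script = basename $0;` redundant, since `$ME` is assigned from `basename $0` at the top of the file for exactly this purpose.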
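Review bot: The new `$pattern` does not make `$domain` safe for the shell commands it ends up in: `\S*` accepts any non-whitespace character, so a `-H` value or hostlist entry such as `$(cmd).de` passes validation, and the captured `$domain`/`$port` are then interpolated into `qx()` strings in check_tlsa (`openssl s_client -connect $domain:$port`, `dig TLSA _$port._$protocol.$domain`). Restrict the captures to hostname characters (which also lifts the `[a-z]{2,4}` TLD limit that rejects longer modern TLDs), e.g. `my $pattern = '^(?<domain>[A-Za-z0-9.-]+):?(?<port>[0-9]*)$';`, and treat a non-match as a fatal usage error instead of passing `$domain` through unchanged. The named-capture groups appear here as `(?\S*` and `(?[0-9]*`, which may be an artefact of how the patch was rendered rather than the real source. Separately, when `-f` names a file that does not exist, the `-e $domainlist` test silently falls through to `check_tlsa()` with no host; that path should fail with UNKNOWN rather than run a check against an undefined `$domain`.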
@@ -151,10 +154,9 @@ default { $hashit = 'sha256' } } - my $gentlsa = - 'openssl x509 -pubkey | ' - . 'openssl rsa -pubin -inform PEM -outform DER 2>/dev/null| ' - . "openssl $hashit"; + my $gentlsa = 'openssl x509 -pubkey | ' + . 'openssl rsa -pubin -inform PEM -outform DER 2>/dev/null| ' + . "openssl $hashit"; my $certtlsa = "$cert | $gentlsa"; $check_date = 'openssl x509 -noout -startdate -enddate'; @@ -167,22 +169,27 @@ $tlsa_record = uc($tlsa_record); if (defined $expiry) { - print check_cert_expiry(); + $valid_date = check_cert_expiry(); + } + + if ($valid_date ne '') { + $valid_date = "\n$valid_date"; } - if ("$tlsa_record" eq "$dig") { + if ("$tlsa_record" eq "$dig_tlsa") { - #$return = "TLSA record is $tlsa_record and valid"; - #funktioniert nich nicht optimal mit hostliste - $return = $check_tlsa->plugin_exit(OK, "$domain: TLSA record is valid") - . "$domain: TLSA record is valid\n"; + #this way the script exit when file is given :( + #$return = $check_tlsa->plugin_exit(OK, "$domain: TLSA record is valid") + # . "$domain: TLSA record is valid"; + + #this way it's behaves like I want it to + $return = "OK, $domain: TLSA record is valid $valid_date"; } else { - $check_tlsa->plugin_exit(CRITICAL, "$domain: TLSA record NOT valid"); + #$check_tlsa->plugin_exit(CRITICAL, "$domain: TLSA record NOT valid"); + $return = "CRITICAL, $domain: TLSA record is NOT valid"; } - return $return; - - #return $cert; + say $return; } sub get_domains { 
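Review bot: `$tlsa_selector` is parsed from the dig answer but never used: the digest is always taken over the SubjectPublicKeyInfo (`openssl x509 -pubkey | openssl rsa ... -outform DER`), which is selector 1, so a record published with selector 0 (full certificate) is reported as NOT valid even when it is correct, and `openssl rsa -pubin` only handles RSA keys, so an ECDSA certificate produces an empty digest and the same false CRITICAL. The `substr($diganswer, …)` parsing additionally assumes exactly one TLSA RR, whereas `dig +short` returns one line per record and two records are the normal state during a key rollover; the fields should be read per record and a match against any record accepted. The sketch below branches the hashing command on the selector (using `openssl pkey`, which covers RSA and EC keys) and loops over the records; check_tlsa begins before this hunk and continues past it, and the `-q|--queryserver` option declared earlier is not passed to `dig` here either — presumably an oversight.
```perl
# … unchanged: $cert (openssl s_client) construction …
my @tlsa_records = grep { length } split /\n/, qx(dig TLSA _$port._$protocol.$domain +short);

for my $rr (@tlsa_records) {
    my ($tlsa_usage, $tlsa_selector, $tlsa_match_type, @hex) = split ' ', $rr;
    # … unchanged: choose $hashit from $tlsa_match_type …

    # selector 0 covers the full DER certificate, selector 1 the SubjectPublicKeyInfo
    my $gentlsa = $tlsa_selector eq '0'
        ? "openssl x509 -outform DER | openssl $hashit"
        : "openssl x509 -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl $hashit";
    my $dig_tlsa = uc join '', @hex;
    # … compare against the digest from "$cert | $gentlsa" and stop at the first match …
}
```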
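Review bot: After this change the plugin can no longer raise an alert: the CRITICAL branch only assigns a string and `say $return;` prints it, the `plugin_exit(CRITICAL, …)` call is commented out, so the process exits 0 and the monitoring core records OK even when the TLSA record does not match the served key — the one condition this check exists to catch. The Monitoring::Plugin idiom for a multi-host check is to collect per-host results and exit once: use `$check_tlsa->add_message(OK, "$domain: TLSA record is valid$valid_date");` and `$check_tlsa->add_message(CRITICAL, "$domain: TLSA record is NOT valid");` in the two branches, and after the top-level `get_domains()`/`check_tlsa()` call finish with `$check_tlsa->plugin_exit($check_tlsa->check_messages);`, which yields the worst state seen. The hunk also removes `return $return;`, so the sub now returns the value of `say` and the caller's `say check_tlsa();` prints a stray `1`. check_tlsa starts before this hunk.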
@@ -193,26 +200,15 @@ while (<$filehandle>) { if (/$pattern/ig) { $domain = $+{domain}; - $port = $+{port}; - #print "nunu,file ok",LF,"port: $+{port}",LF,"domain: $+{domain}",LF; + if ("$+{port}" =~ /^\s*$/) { $port = '443'; } + else { $port = $+{port}; } $domain2check{$domain} = $port; - #print check_tlsa(); + check_tlsa($domain, $port); } else { - die "wrong content"; - } - - foreach my $key (%domain2check) { - $domain = $key; - $port = $domain2check{$key}; - print $domain, ' ', $port, "\n"; - - if ("$port" =~ /^\s*$/) { $port = '443'; } - print $domain, ' ', $port, "\n"; - - check_tlsa($domain, $port); + die "$domainlist has wrong or malformed content\n"; } } @@ -222,4 +218,3 @@ my $return = qx($check_date); return $return; } -
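Review bot: A single malformed line in the hostlist now aborts the whole run through `die`, which exits with a non-plugin status (typically 255) and leaves every remaining host unchecked; it is safer to report and continue, e.g. `warn "$domainlist: skipping malformed line $.: $_"; next;`, or to record it with `add_message(UNKNOWN, …)` so it still shows up in the result. The `$port = '443'` fallback bypasses the `-p|--port` option (default 443) declared earlier; `$port = $check_tlsa->opts->port;` keeps the two in step. `%domain2check` is still populated although the loop that consumed it is removed in this hunk, so it is now dead state, and the `check_tlsa($domain, $port)` arguments are ignored by a sub that reads the globals — either drop them or make check_tlsa unpack `@_`. The `open` that produces `$filehandle` is outside this hunk, so whether its failure is checked cannot be seen here.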