commit e7e69bb9a04803cd503cbe32ee9829aebd8dad18
Author: Stig Lindqvist <stig@silverstripe.com>
Date: Thu Apr 2 12:47:29 2015 +1300
Check x509 certificate expiry daily at 09:01 and email ops
diff --git a/cwp/manifests/manager.pp b/cwp/manifests/manager.pp
old mode 100755
new mode 100644
index 0a26a99..cabee8f
--- a/cwp/manifests/manager.pp
+++ b/cwp/manifests/manager.pp
@@ -7,12 +7,26 @@ class cwp::manager {
cwp::shorewall { 'manager': }
include cwp::csync::bare
- file { "/etc/csync2/post-receive.d/20manager":
- content => template("cwp/manager/csync_postreceive_20manager.erb"),
- owner => "root",
- group => "root",
- mode => 700,
- }
+ file { "/etc/csync2/post-receive.d/20manager":
+ content => template("cwp/manager/csync_postreceive_20manager.erb"),
+ owner => "root",
+ group => "root",
+ mode => 700,
+ }
+ file { "/usr/bin/check_cert.php":
+ content => template("cwp/manager/check_cert.php"),
+ owner => "root",
+ group => "root",
+ mode => 555,
+ }
+
+ file { "/etc/cron.d/check_certificates":
+ content => "1 9 * * * root find /var/lib/puppet/custom_data/certificate/ -iname \"*.crt\" -exec /usr/bin/check_cert.php ops@silverstripe.com {} \\;\n",
+ owner => "root",
+ group => "root",
+ mode => 644,
+ require => File[ "/usr/bin/check_cert.php" ],
+ }
}
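Review bot: The new `/etc/cron.d/check_certificates` entry runs `check_cert.php` as `root`, although the script only needs read access to the `.crt` files and the ability to call `mail`; if the certificates under `/var/lib/puppet/custom_data/certificate/` are readable by a less privileged account, put that account in the user field instead of `root` so a bug in the PHP script does not run with full privileges. The `find` has no `-type f`, so a directory whose name ends in `.crt` would be handed to the script as well; `find ... -type f -iname "*.crt" -exec ...` avoids that. The new `mode => 555` and `mode => 644` are unquoted integers like the pre-existing `mode => 700`; Puppet's file type expects a quoted octal string (`mode => '0555'`, `mode => '0644'`), and newer Puppet releases reject a non-string mode outright, so quoting them now avoids a break on upgrade.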
diff --git a/cwp/templates/manager/check_cert.php b/cwp/templates/manager/check_cert.php
new file mode 100755
index 0000000..58baf16
--- /dev/null
+++ b/cwp/templates/manager/check_cert.php
@@ -0,0 +1,68 @@
+#!/usr/bin/env php
+<?php
+/**
+ * check_cert.php
+ *
+ * #### This file is managed by puppet ####
+ *
+ * This script checks and warns if a x509 certificate is about to expire.
+ *
+ * Will send a first warning when the expiry date is 60 days and continuously
+ * when the expiry days is within 50 days.
+ *
+ * Usage: check_cert.php warning-days ./path/to/x509.crt
+ *
+ * Example:
+ *
+ * $ check_cert.php ops@test.com ./saml.crt
+ */
+
+define("FIRST_WARNING_DAYS", 60);
+define("WARNING_DAYS", 50);
+
+// report all errors, notices and stricts.
+error_reporting(-1);
+
+if(count($argv) < 3) {
+ echo "usage: {$argv[0]} ops@test.com ./path/to/x509.crt ".PHP_EOL;
+ exit(2);
+}
+
+$warningEmail = $argv[1];
+$certFile = $argv[2];
+
+$certFile = realpath($certFile);
+
+if(!is_readable($certFile)) {
+ echo "Could not read certification file '{$certFile}'".PHP_EOL;
+ exit(2);
+}
+
+$certData = file_get_contents($certFile);
+$data = openssl_x509_parse($certData);
+
+if(!$data) {
+ echo "Could not parse '{$certFile}' for x509 certificate data.".PHP_EOL;
+ exit(2);
+}
+
+if(empty($data['validTo_time_t'])) {
+ echo "Could not find validTo_time_t in '{$certFile}'".PHP_EOL;
+ exit(2);
+}
+
+$secondsLeft = $data['validTo_time_t'] - time();
+$daysLeft = floor(($secondsLeft / (60 * 60 * 24)));
+
+if($daysLeft < WARNING_DAYS || $daysLeft == FIRST_WARNING_DAYS) {
+ $expiryDate = date("Y-m-d H:i:s", $data['validTo_time_t']);
+ $subject = "X509 Certificate '{$certFile }' will expire in {$daysLeft} days";
+ $message = "check_cert.php on " . gethostname() . " have noticed that the x509 certificate ";
+ $message.= "'{$certFile}' will expire at {$expiryDate} (in {$daysLeft} days).".PHP_EOL.PHP_EOL;
+ $message.= "See https://sites.google.com/a/silverstripe.com/cwp/infrastructure/saml-x509-certificate-regeneration ";
+ $message.= "for more information.".PHP_EOL;
+ $headers = 'From: cert_checker@'. gethostname() . "\r\n" . 'X-Mailer: PHP/' . phpversion();
+ mail($warningEmail, $subject, $message, $headers);
+ echo $message;
+ exit(2);
+}
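Review bot: The usage line in the header comment (`Usage: check_cert.php warning-days ./path/to/x509.crt`) does not match what the script actually reads: `$argv[1]` is the recipient address, not a day count, so it should read `Usage: check_cert.php ops@example.com ./path/to/x509.crt`. `$warningEmail` goes straight into `mail()` as the recipient and `$certFile` into the subject without any validation; cron supplies both, so this is low risk, but a guard such as `if (!filter_var($warningEmail, FILTER_VALIDATE_EMAIL)) { echo "Invalid warning email address '{$warningEmail}'".PHP_EOL; exit(2); }` after the argument-count check would stop a mistyped address from silently swallowing every alert. An already-expired certificate produces a negative `$daysLeft`, so the alert reads "will expire in -3 days"; branching on `$daysLeft < 0` to say "expired N days ago" would make the message actionable. Note also that `openssl_x509_parse` only parses the first certificate in `$certData`, so a `.crt` that bundles a chain is checked only against whichever certificate comes first — worth a comment if such bundles live in that directory.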