#!/bin/bash

# Copyright (c) 2008 Red Hat, Inc.
#
# This software is licensed to you under the GNU General Public License,
# version 2 (GPLv2). There is NO WARRANTY for this software, express or
# implied, including the implied warranties of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
# along with this software; if not, see
# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
#
# Red Hat trademarks are not licensed under GPLv2. No permission is
# granted to use or replicate Red Hat trademarks that are incorporated
# in this software or its documentation.
#

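CONFIG_FILE=/etc/sysconfig/rhn/rhn-ssl-cert-check

unset ADMIN EXPIRATION CHECK

# Source the config file. It is executed as shell code with this script's
# privileges, so it must stay writable by root only.
[[ -f "$CONFIG_FILE" ]] && . "$CONFIG_FILE"

# Valid variables to be set in the config file:
# CHECK=no                  # will disable checking
# ADMIN=user@example.org    # send notifications to this e-mail address
# EXPIRATION=30             # change the default warning policy (60 days)

# Was SSL checking turned off in the config file?
[[ "$CHECK" == "no" ]] && exit 0

EXPIRATION=${EXPIRATION:-60}

# The value is handed to ssl-cert-check as a day count; reject anything else
# here rather than letting a typo in the config file surface as a checker error.
if [[ ! $EXPIRATION =~ ^[0-9]+$ ]]; then
    printf 'EXPIRATION must be a number of days, got "%s" (check %s)\n' \
        "$EXPIRATION" "$CONFIG_FILE" >&2
    exit 1
fi

RHN_CONF_FILE=/etc/rhn/rhn.conf
SSL_HTTPD_CONF_FILE=/etc/httpd/conf.d/ssl.conf
SSL_CERT_CHECK=/usr/share/ssl/ssl-cert-check
REMOTE_HOSTS=/etc/sysconfig/rhn/ssl-hosts.conf

# If the admin email address is not set and RHN_CONF_FILE could not be found,
# there's no point in moving forward ("[[ ... && ... ]]" replaces the
# deprecated and ambiguous "[ ... -a ... ]" form)
[[ -z "$ADMIN" && ! -f "$RHN_CONF_FILE" ]] && exit 0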


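# Retrieve a setting from rhn.conf
# Arguments: $1 - RHN component (accepted for call compatibility, currently
#                 unused: the key is looked up unqualified)
#            $2 - configuration key
# Globals:   RHN_CONF_FILE (read)
# Outputs:   the text after '=' on every matching line, one per line;
#            surrounding whitespace is NOT stripped (the caller trims it)
get_rhn_conf() {
    # shellcheck disable=SC2034 -- kept so existing callers keep working
    local component="$1"
    local conf="$2"
    # Anchor on "key=" (optionally "key ="), so that a bare "^key" cannot also
    # match a longer key such as "key_other"; print everything after the first
    # '=' so a value that itself contains '=' is returned intact.
    grep -e "^${conf}[[:blank:]]*=" -- "$RHN_CONF_FILE" | awk '{ sub(/^[^=]*=/, ""); print }'
}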

# Return path to the SSL certificate
# Globals: SSL_HTTPD_CONF_FILE (read)
# Outputs: the second word of every line beginning with "SSLCertificateFile",
#          one per line
get_ssl_cert_file() {
    # A single awk pass does both the line match and the field extraction
    awk '/^SSLCertificateFile/ { print $2 }' "$SSL_HTTPD_CONF_FILE"
}

# Identify the RHN component from the installed package set
# Outputs: "proxy.broker" if spacewalk-proxy-management is installed,
#          otherwise "server.satellite" if spacewalk-java is installed,
#          otherwise nothing
get_rhn_component() {
    local pkg
    # Proxy is checked first, so a host with both packages reports as proxy
    for pkg in spacewalk-proxy-management spacewalk-java; do
        if rpm -q "$pkg" >/dev/null 2>&1; then
            case "$pkg" in
                spacewalk-proxy-management) echo "proxy.broker" ;;
                spacewalk-java) echo "server.satellite" ;;
            esac
            return 0
        fi
    done
}

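# main

# Strip leading and trailing blanks (spaces and tabs) from $1 and print the
# result; pure parameter expansion, so no external tool and no shell option
# (extglob) is needed.
trim_blanks() {
    local s="$1"
    s=${s#"${s%%[![:blank:]]*}"}
    s=${s%"${s##*[![:blank:]]}"}
    printf '%s' "$s"
}

component=$(get_rhn_component)

# ADMIN not given in the config file: fall back to traceback_mail in rhn.conf,
# which needs the installed component to be known.
if [[ -z "$ADMIN" && -n "$component" ]]; then
    ADMIN=$(get_rhn_conf "$component" traceback_mail)
    # Replace commas with spaces (traceback_mail may hold a comma-separated list)
    ADMIN=${ADMIN//,/ }
    # Trim surrounding blanks ("key = value" in rhn.conf leaves a leading space)
    ADMIN=$(trim_blanks "$ADMIN")
fi

if [[ -z "$ADMIN" ]]; then
    # Unable to read the admin's e-mail address
    echo "Unable to read the admin e-mail address in /etc/rhn/rhn.conf"
    echo
    echo "To disable monitoring, add CHECK=no in $CONFIG_FILE"
    echo "Otherwise, you will have to add a valid email address to receive"
    echo "expiration notifications, either in $RHN_CONF_FILE (traceback_mail)"
    echo "or set ADMIN in $CONFIG_FILE"
    exit 0
fi

# Every check below runs the external checker; fail once, loudly, instead of
# once per host with a bare "command not found".
if [[ ! -x "$SSL_CERT_CHECK" ]]; then
    printf '%s: not found or not executable\n' "$SSL_CERT_CHECK" >&2
    exit 1
fi

# Parse remote hosts file: one "server[:port]" per line, '#' comment lines are
# skipped. The loop reads from process substitution rather than the right-hand
# side of a pipe so it runs in the current shell.
if [[ -f "$REMOTE_HOSTS" ]]; then
    # read -r keeps backslashes literal; the || clause still handles a final
    # line that has no trailing newline.
    while IFS=: read -r server port || [[ -n "$server" ]]; do
        server=$(trim_blanks "$server")
        port=$(trim_blanks "$port")
        [[ -n "$server" ]] || continue
        [[ -n "$port" ]] || port=443
        # Only a plain port number is accepted; anything else (for example a
        # third ':'-separated field) is reported and skipped rather than passed
        # through to the checker.
        if [[ ! $port =~ ^[0-9]+$ ]]; then
            printf '%s: skipping "%s": invalid port "%s"\n' \
                "$REMOTE_HOSTS" "$server" "$port" >&2
            continue
        fi
        # Quoted so a host entry can never be split into extra arguments
        "$SSL_CERT_CHECK" -x "$EXPIRATION" -a -e "$ADMIN" -q -s "$server" -p "$port"
    done < <(grep -v "^[[:blank:]]*#" -- "$REMOTE_HOSTS")
fi

# Check every certificate named by an SSLCertificateFile directive in the httpd
# SSL config; get_ssl_cert_file prints one path per matching line, and a
# multi-line value would never pass a single -f test.
while IFS= read -r SSL_CERT_FILE; do
    # httpd accepts a double-quoted path; drop one surrounding pair
    if [[ $SSL_CERT_FILE == \"*\" ]]; then
        SSL_CERT_FILE=${SSL_CERT_FILE#\"}
        SSL_CERT_FILE=${SSL_CERT_FILE%\"}
    fi
    [[ -f "$SSL_CERT_FILE" ]] || continue
    "$SSL_CERT_CHECK" -x "$EXPIRATION" -c "$SSL_CERT_FILE" -a -e "$ADMIN" -q
done < <(get_ssl_cert_file)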
