check.diff

commit e7e69bb9a04803cd503cbe32ee9829aebd8dad18
Author: Stig Lindqvist <[email protected]>
Date:   Thu Apr 2 12:47:29 2015 +1300

    check x509 certificates expiry time at 9:01 and email ops

diff --git a/cwp/manifests/manager.pp b/cwp/manifests/manager.pp
old mode 100755
new mode 100644
index 0a26a99..cabee8f
--- a/cwp/manifests/manager.pp
+++ b/cwp/manifests/manager.pp
@@ -7,12 +7,26 @@ class cwp::manager {
 	cwp::shorewall { 'manager': }
 
 	include cwp::csync::bare
-        file { "/etc/csync2/post-receive.d/20manager":
-                content => template("cwp/manager/csync_postreceive_20manager.erb"),
-                owner => "root",
-                group => "root",
-                mode => 700,
-        }
+	file { "/etc/csync2/post-receive.d/20manager":
+		content => template("cwp/manager/csync_postreceive_20manager.erb"),
+		owner   => "root",
+		group   => "root",
+		mode    => 700,
+	}
 
+	file { "/usr/bin/check_cert.php":
+		content => template("cwp/manager/check_cert.php"),
+		owner   => "root",
+		group   => "root",
+		mode    => 555,
+	} 
+
+	file { "/etc/cron.d/check_certificates":
+		content => "1 9 * * * root find /var/lib/puppet/custom_data/certificate/ -iname \"*.crt\" -exec /usr/bin/check_cert.php [email protected] {} \\;\n",
+		owner   => "root",
+		group   => "root",
+		mode    => 644,
+		require => File[ "/usr/bin/check_cert.php" ],
+	}
 }
 
diff --git a/cwp/templates/manager/check_cert.php b/cwp/templates/manager/check_cert.php
new file mode 100755
index 0000000..58baf16
--- /dev/null
+++ b/cwp/templates/manager/check_cert.php
@@ -0,0 +1,68 @@
+#!/usr/bin/env php
+<?php
+/**
+ * check_cert.php
+ * 
+ * #### This file is managed by puppet ####
+ *
+ * This script checks and warns if a x509 certificate is about to expire.
+ *
+ * Will send a first warning when the expiry date is 60 days and continuously
+ * when the expiry days is within 50 days.
+ *
+ * Usage: check_cert.php warning-days ./path/to/x509.crt
+ *
+ * Example:
+ *
+ *    $ check_cert.php [email protected] ./saml.crt
+ */
+
+define("FIRST_WARNING_DAYS", 60);
+define("WARNING_DAYS", 50);
+
+// report all errors, notices and stricts.
+error_reporting(-1);
+
+if(count($argv) < 3) {
+	echo "usage: {$argv[0]} [email protected] ./path/to/x509.crt ".PHP_EOL;
+	exit(2);
+}
+
+$warningEmail = $argv[1];
+$certFile = $argv[2];
+
+$certFile = realpath($certFile);
+
+if(!is_readable($certFile)) {
+	echo "Could not read certification file '{$certFile}'".PHP_EOL;
+	exit(2);
+}
+
+$certData = file_get_contents($certFile);
+$data = openssl_x509_parse($certData);
+
+if(!$data) {
+	echo "Could not parse '{$certFile}' for x509 certificate data.".PHP_EOL;
+	exit(2);
+}
+
+if(empty($data['validTo_time_t'])) {
+	echo "Could not find validTo_time_t in '{$certFile}'".PHP_EOL;
+	exit(2);
+}
+
+$secondsLeft = $data['validTo_time_t'] - time();
+$daysLeft = floor(($secondsLeft / (60 * 60 * 24)));
+
+if($daysLeft < WARNING_DAYS || $daysLeft == FIRST_WARNING_DAYS) {
+	$expiryDate = date("Y-m-d H:i:s", $data['validTo_time_t']);
+	$subject = "X509 Certificate '{$certFile }' will expire in {$daysLeft} days";
+	$message = "check_cert.php on " . gethostname() . " have noticed that the x509 certificate ";
+	$message.= "'{$certFile}' will expire at {$expiryDate} (in {$daysLeft} days).".PHP_EOL.PHP_EOL;
+	$message.= "See https://sites.google.com/a/silverstripe.com/cwp/infrastructure/saml-x509-certificate-regeneration ";
+	$message.= "for more information.".PHP_EOL;
+	$headers = 'From: cert_checker@'. gethostname() . "\r\n" . 'X-Mailer: PHP/' . phpversion();
+	mail($warningEmail, $subject, $message, $headers);
+	echo $message;
+	exit(2);
+}