#!/bin/sh

# Check that debian-admin is in /etc/aliases for root.
# Peter Palfrader, 2008

#my %ERRORS = ( OK => 0, WARNING => 1, CRITICAL => 2, UNKNOWN => -1 );

set -e
err=0

log() {
	if [ "$0" = "ok" ] && [ "$err" = 0 ]; then
		err=0
	elif [ "$1" = "warn" ] && [ "$err" -lt 1 ]; then
		err=1
	elif [ "$1" = "critical" ] && [ "$err" -lt 2 ]; then
		err=2
	elif [ "$1" = "unknown" ] && [ "$err" = 0 ]; then
		err=3
	fi
	if [ "`eval echo \\$$1`" = "" ]; then
		eval $1="\"$2\""
	else
		eval $1="\"`eval echo \\$$1`; $2\""
	fi
}


check_aliases() {
	if ! [ -e /etc/aliases ]; then
		log unknown "/etc/aliases not found"
		return
	fi

	if egrep '^root:.*debian-admin@debian.org' /etc/aliases > /dev/null; then
		log ok "debian-admin found in aliases"
		return
	fi

	log warn "debian-admin not found in root entry in aliases"
}

check_ldap_conf() {
	if ! [ -e /etc/ldap/ldap.conf ]; then
		log unknown "/etc/ldap/ldap.conf not found"
		return
	fi

	if egrep '^URI.*ldap://db.debian.org' /etc/ldap/ldap.conf > /dev/null &&
	   egrep '^BASE.*dc=debian,dc=org' /etc/ldap/ldap.conf > /dev/null &&
	   egrep '^TLS_CACERT.*/etc/ssl/servicecerts/db.debian.org.crt' /etc/ldap/ldap.conf > /dev/null &&
	   egrep '^TLS_REQCERT.*hard' /etc/ldap/ldap.conf > /dev/null ; then
		log ok "ldap.conf configured properly"
		return
	fi

	log warn "ldap.conf does not have URI, BASE, TLS_CACERT, TLS_REQCERT all configured correctly"
}

check_ssh_hostkeys() {
	if [ -e /etc/ssh/ssh_host_ed25519_key ] ; then
		if ! [ -e /etc/ssh/ssh_host_ed25519_key.pub ]; then
			log warn "Have /etc/ssh/ssh_host_ed25519_key without .pub"
			return
		fi
		if cat /etc/ssh/ssh_known_hosts | awk -v hostname=$(hostname -f) '{split($1,a,","); if (a[1] == hostname) { print } }' | grep -q -F -f /etc/ssh/ssh_host_ed25519_key.pub; then
			log ok "ed25519 host key in known_hosts"
			return
		else
			log warn "ed25519 host key missing from known_hosts"
			return
		fi
	else
		log ok "no ed25519 host key."
		return
	fi
}


check_aliases
check_ldap_conf
check_ssh_hostkeys

[ "$critical" = "" ] || echo -n "Critical: $critical; "
[ "$warn" = "" ] || echo -n "Warning: $warn; "
[ "$unknown" = "" ] || echo -n "Unknown: $unknown; "
[ "$ok" = "" ] || echo -n "OK: $ok"
echo
exit $err