Add files for checking certificates in Azure key vault.

2023-10-19 11:02:59 +02:00 · 2023-10-19 11:02:59 +02:00 · 9ec90446a5
commit 9ec90446a5
5 changed files with 163 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+__pycache__
+up.sh
--- a/local/lib/check_mk/base/plugins/agent_based/azure_keyvault.py
+++ b/local/lib/check_mk/base/plugins/agent_based/azure_keyvault.py
@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+
+import json
+from datetime import datetime, timezone
+from cmk.base.plugins.agent_based.agent_based_api.v1 import register, Result, Service, State
+
+
+# Convert JSON entries into dictionaries indexed by certificate name.
+def parse_keyvault(string_table):
+    raw_json = ""
+
+    for row in string_table:
+        raw_json += row[0]
+
+    lookup = {}
+    cert_data = json.loads(raw_json)
+
+    for cert in cert_data:
+        lookup[cert["name"]] = cert
+
+    return lookup
+
+
+register.agent_section(
+    name="azure_keyvault",
+    parse_function=parse_keyvault
+)
+
+
+# Produce a list of certificates based on the parsed output.
+def discover_keyvault(section):
+    for name, details in sorted(section.items()):
+        yield Service(item=name)
+
+
+# Given a specific certificate, look it up in the parsed output, and produce
+# results on that service based upon the certificate's expiry.
+def check_keyvault(item, params, section):
+    warn_days = params.get("warn_days")
+    crit_days = params.get("crit_days")
+
+    cert = section.get(item)
+    if cert is None:
+        return
+
+    expires = datetime.fromisoformat(cert["attributes"]["expires"])
+    now = datetime.now(timezone.utc)
+    remaining_days = (expires - now).days
+
+    state = State.OK
+    if crit_days is not None and remaining_days < crit_days:
+        state = State.CRIT
+    elif warn_days is not None and remaining_days < warn_days:
+        state = State.WARN
+
+    yield Result(state=state, summary="Expires in %d days" % remaining_days)
+
+
+register.check_plugin(
+    name="azure_keyvault",
+    service_name="Azure Keyvault Certificate %s",
+
+    check_function=check_keyvault,
+    check_default_parameters={},
+    check_ruleset_name="azure_keyvault",
+
+    discovery_function=discover_keyvault,
+)
--- a/local/share/check_mk/agents/special/agent_azure_keyvault
+++ b/local/share/check_mk/agents/special/agent_azure_keyvault
@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "<<<azure_keyvault:sep(0)>>>"
+~/az "${@:1}"
--- a/local/share/check_mk/checks/agent_azure_keyvault
+++ b/local/share/check_mk/checks/agent_azure_keyvault
@ -0,0 +1,7 @@
+#!/usr/bin/env python3
+
+
+def agent_azure_keyvault(params, hostname, ipaddress):
+    return ["keyvault", "certificate", "list", "--vault-name", params["vault_name"]]
+
+special_agent_info["azure_keyvault"] = agent_azure_keyvault
--- a/local/share/check_mk/web/plugins/wato/azure_keyvault.py
+++ b/local/share/check_mk/web/plugins/wato/azure_keyvault.py
@ -0,0 +1,82 @@
+#!/usr/bin/env python3
+
+import copy
+from cmk.gui.i18n import _
+from cmk.gui.plugins.wato.utils import (
+    rulespec_registry,
+    HostRulespec,
+    RulespecGroupCheckParametersDiscovery,
+    CheckParameterRulespecWithItem,
+    RulespecGroupCheckParametersApplications,
+)
+from cmk.gui.watolib.rulespecs import Rulespec
+from cmk.gui.valuespec import (
+    Dictionary,
+    Integer,
+)
+
+
+def _valuespec_special_agents_azure_keyvault_check():
+    return Dictionary(
+        title=_("Azure Key Vault Certificate Checks"),
+        optional_keys=["warn_days", "crit_days"],
+        elements=[
+            (
+                "warn_days",
+                Integer(
+                    minvalue=0,
+                    default_value=30,
+                    title=_("Certificate Days to Warn"),
+                    help=_(
+                        "How many days to warn before a certificate in this key vault will expire"
+                    ),
+                ),
+            ),
+            (
+                "crit_days",
+                Integer(
+                    minvalue=0,
+                    default_value=3,
+                    title=_("Certificate Days to Crit"),
+                    help=_(
+                        "How many days to crit before a certificate in this key vault will expire"
+                    ),
+                ),
+            ),
+        ],
+    )
+
+def _valuespec_special_agents_azure_keyvault_discovery():
+    return Dictionary(
+        title=_("Azure Key Vault Certificate Discovery"),
+        elements=[
+            (
+                "vault_name",
+                TextInput(
+                    title=_("Key Vault Name"),
+                    help=_(
+                        "The name of the Azure Key Vault to perform checks on"
+                    ),
+                ),
+            ),
+        ],
+    )
+
+
+rulespec_registry.register(
+    CheckParameterRulespecWithItem(
+        check_group_name="azure_keyvault",
+        group=RulespecGroupCheckParametersApplications,
+        match_type='dict',
+        parameter_valuespec=_valuespec_special_agents_azure_keyvault_check,
+    )
+)
+
+rulespec_registry.register(
+    HostRulespec(
+        group=RulespecGroupCheckParametersDiscovery,
+        match_type='dict',
+        name="special_agents:azure_keyvault",
+        valuespec=_valuespec_special_agents_azure_keyvault_discovery,
+    )
+)