#!/usr/bin/env python3
# -*- coding: utf-8; py-indent-offset: 4 -*-
#
# Author:  Linuxfabrik GmbH, Zurich, Switzerland
# Contact: info (at) linuxfabrik (dot) ch
#          https://www.linuxfabrik.ch/
# License: The Unlicense, see LICENSE file.

# https://github.com/Linuxfabrik/monitoring-plugins/blob/main/CONTRIBUTING.md

"""See the check's README for more details.
"""

import argparse  # pylint: disable=C0413
import re  # pylint: disable=C0413
import sys  # pylint: disable=C0413

import lib.base  # pylint: disable=C0413
import lib.shell  # pylint: disable=C0413
from lib.globals import (STATE_OK, STATE_UNKNOWN,  # pylint: disable=C0413
                          STATE_WARN)

__author__ = 'Linuxfabrik GmbH, Zurich/Switzerland'
__version__ = '2025061901'

DESCRIPTION = 'Checks the ownership (owner and group, both have to be names) of a list of files.'

command = 'stat {path}'

# sorted by path
DEFAULT_FILES = [
    'root:root,/boot/grub/grub.conf',
    'root:root,/boot/grub2/grub.cfg',
    'root:root,/boot/grub2/grubenv',
    'root:root,/boot/grub2/user.cfg',
    'root:root,/etc/anacrontab',
    'root:root,/etc/at.allow',
    'root:root,/etc/cron.allow',
    'root:root,/etc/cron.d',
    'root:root,/etc/cron.daily',
    'root:root,/etc/cron.hourly',
    'root:root,/etc/cron.monthly',
    'root:root,/etc/cron.weekly',
    'root:root,/etc/crontab',
    'graylog:graylog,/etc/graylog/certs',
    'root:root,/etc/group',
    'root:root,/etc/group-',
    #'root:root,/etc/gshadow',      different on Debian and Ubuntu
    #'root:root,/etc/gshadow-',     different on Debian and Ubuntu
    'root:root,/etc/hosts.allow',
    'root:root,/etc/hosts.deny',
    'root:root,/etc/issue',
    'root:root,/etc/issue.net',
    'lool:lool,/etc/loolwsd/loolwsd.xml',
    'root:root,/etc/motd',
    'root:named,/etc/named.conf',
    'root:root,/etc/passwd',
    'root:root,/etc/passwd-',
    #'root:root,/etc/shadow',       different on Debian and Ubuntu
    #'root:root,/etc/shadow-',      different on SLES (15)
    'root:root,/etc/ssh/sshd_config',
    'root:root,/etc/sssd/sssd.conf',
    'vdsm:kvm,/home/ovirt',
    'root:root,/tmp',
    'icinga:icinga,/tmp/linuxfabrik-monitoring-plugins-sqlite.db',
    'hnet:hnet,/var/hnet',
    'unbound:unbound,/var/lib/unbound/root.key',
    'ldap:ldap,/var/run/openldap',
]


def parse_args():
    """Parse command line arguments using argparse.
    """
    parser = argparse.ArgumentParser(description=DESCRIPTION)

    parser.add_argument(
        '-V', '--version',
        action='version',
        version='{0}: v{1} by {2}'.format('%(prog)s', __version__, __author__)
    )

    parser.add_argument(
        '--filename',
        help='File to be checked, in the format `owner:group,path` (repeatable).',
        action='append',
        dest='FILES',
        default=DEFAULT_FILES,
    )

    return parser.parse_args()


def main():
    """The main function. Hier spielt die Musik.
    """

    # parse the command line, exit with UNKNOWN if it fails
    try:
        args = parse_args()
    except SystemExit:
        sys.exit(STATE_UNKNOWN)

    state = STATE_OK
    msg = ''
    cnt = 0
    table_values = []

    for file in args.FILES:
        if not file:
            continue
        try:
            file = file.split(',')
            path = file[1]
        except:
            lib.base.cu('--filename parameter seems to be in the wrong format.')
        try:
            expected_owner, expected_group = file[0].split(':')
        except:
            lib.base.cu('--filename parameter seems to be in the wrong format.')

        cmd = command.format(path=path)
        # execute the shell command and return its result and exit code
        stdout, stderr, retc = lib.base.coe(lib.shell.shell_exec(cmd))

        for line in stdout.splitlines():
            if not line.startswith('Access: ('):
                continue
            # Access: (0644/-rw-r--r--)  Uid: (  982/ unbound)   Gid: (  981/ unbound)
            # Access: (0600/-rw-------)  Uid: ( 1000/markus.frei)   Gid: ( 1000/markus.frei)
            found_owner = re.search(r'Uid: .*?\/(.*)\).*Gid:', line).group(1).strip()
            found_group = re.search(r'Gid: .*\/(.*)\)', line).group(1).strip()
            if expected_owner != found_owner or expected_group != found_group:
                file_state = STATE_WARN
            else:
                file_state = STATE_OK
            cnt += 1

            state = lib.base.get_worst(file_state, state)
            table_values.append({
                'file': path,
                'expected': '{}:{}'.format(expected_owner, expected_group),
                'found': '{}:{}{}'.format(found_owner, found_group, lib.base.state2str(file_state, prefix=' ')),
                })

    # create output
    if cnt == 0:
        lib.base.oao('No files checked.', state)

    if state == STATE_OK:
        msg = 'Everything is ok.\n\n'
    else:
        msg = 'One or more problems with owners or groups.\n\n'
    if len(table_values) > 0:
        msg += lib.base.get_table(
            table_values,
            ['file', 'expected', 'found'],
            header=['Path', 'Expected', 'Found'],
            )

    # over and out
    lib.base.oao(msg, state)


if __name__ == '__main__':
    try:
        main()
    except Exception:   # pylint: disable=W0703
        lib.base.cu()
