#!/bin/bash
# Retrieve X.509 certificate expiry information for a given host and port
#
# Copyright (C) 2021 Mike Gerwitz
#
#  This program is free software: you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation, either version 3 of the License, or
#  (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# This will produce `x509_expire_seconds`, `x509_expire_success`, and
#`x509_expire_scrape_duration_seconds`.
#
# WARNING: This script assumes trusted input and does not perform escaping
# of label values.

set -uo pipefail

cd "$(dirname "$0")"


main()
{
  local host="${1?Missing domain}"
  local -i port="${2?Missing port}"

  local -ri start=$( date +%s%3N )

  local expire_date expire_ts=0 ok=0
  expire_date=$( openssl s_client -showcerts \
                       -connect "$host":"$port" \
                       2>/dev/null \
                       </dev/null \
                 | openssl x509 -noout -dates \
                 | grep ^notAfter \
                 | cut -d= -f2 )
  ok=$(( PIPESTATUS[0] == 0 ))

  (( ok == 1 )) && expire_ts=$( date --date="$expire_date" +%s )
  local -i expire_in=$(( expire_ts - EPOCHSECONDS ))

  local -ri end=$( date +%s%3N )
  local -ri duration_s=$(( ( end - start ) / 1000 ))
  local -ri duration_ms=$(( ( end - start ) % 1000 ))

  # Note that this does not perform any escaping; it assumes trusted input.
  local labels=$( printf 'domain="%s", port="%d"' "$host" "$port" )

  if [[ "$ok" == 1 ]]; then
    echo -n '# HELP x509_expire_seconds '
    echo    'Number of seconds until X.509 certificate reaches its "not after" date.'
    echo '# TYPE x509_expire_seconds gauge'
    printf 'x509_expire_seconds{%s} %d\n' "$labels" "$expire_in"
  fi

  echo -n '# HELP x509_expire_success '
  echo    'Whether the certificate was successfully retrieved and parsed.'
  echo '# TYPE x509_expire_success gauge'
  printf 'x509_expire_success{%s} %d\n' "$labels" "$ok"

  echo -n '# HELP x509_expire_scrape_duration_seconds '
  echo    'Number of seconds spent retrieving and parsing certificate expiry data.'
  echo '# TYPE x509_expire_scrape_duration_seconds gauge'
  printf 'x509_expire_scrape_duration_seconds{%s} %0.3f\n' \
         "$labels" \
         "$duration_s.$duration_ms"
}

main "$@"