#!/usr/bin/perl

# Copyright 2023, Mark Schouten <mark@tuxis.nl>, Tuxis B.V.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

use strict;
use warnings;
use PVE::APIClient::LWP;
use Monitoring::Plugin;
use PVE::AccessControl;
use PVE::INotify;
use JSON;


# Create the Monitoring::Plugin object
my $np = Monitoring::Plugin->new(
    version => '1.0',
    usage => "Usage: %s [ -v|--verbose ] [-t <timeout>] "
        . "[ -c|--critical=<threshold> ] [ -w|--warning=<threshold> ]",
);

$np->getopts;

sub get_local_cert_fingerprint {
    my ($node) = @_;

    my $cert_path = "/etc/pve/nodes/$node/pve-ssl.pem";
    my $custom_cert_path = "/etc/pve/nodes/$node/pveproxy-ssl.pem";

    $cert_path = $custom_cert_path if -f $custom_cert_path;

    my $bio = Net::SSLeay::BIO_new_file($cert_path, 'r');
    my $cert = Net::SSLeay::PEM_read_bio_X509($bio);
    Net::SSLeay::BIO_free($bio);

    my $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
    die "got empty fingerprint" if !defined($fp) || ($fp eq '');

    return $fp;
}

my $hostname = PVE::INotify::read_file("hostname");
my $ticket = PVE::AccessControl::assemble_ticket('root@pam');
my $csrftoken = PVE::AccessControl::assemble_csrf_prevention_token('root@pam');
my $local_fingerprint = get_local_cert_fingerprint($hostname);

my $conn = PVE::APIClient::LWP->new(
    ticket => $ticket,
    host => $hostname,
    csrftoken => $csrftoken,
    cached_fingerprints => {
        $local_fingerprint => 1,
    }
);

foreach my $res (@{$conn->get("/cluster/status", {})}) {
    if ($res->{'type'} eq 'cluster') {
        if ($res->{'quorate'} != 1) {
            $np->add_message(CRITICAL, "Cluster is not in quorum");
        } else {
            $np->add_message(OK, "Cluster is in quorum");
        }
    } elsif ($res->{'type'} eq 'node') {
        if ($res->{'online'} == 0) {
            $np->add_message(CRITICAL, "Node $res->{'name'} is offline")
        } else {
            $np->add_message(OK, "Node $res->{'name'} is online")
        }
    }
}

my ($code, $message) = $np->check_messages();
$np->plugin_exit($code, $message);
