#!/usr/bin/python
# -*- encoding: utf-8; py-indent-offset: 4 -*-
# +------------------------------------------------------------------+
# |             ____ _               _        __  __ _  __           |
# |            / ___| |__   ___  ___| | __   |  \/  | |/ /           |
# |           | |   | '_ \ / _ \/ __| |/ /   | |\/| | ' /            |
# |           | |___| | | |  __/ (__|   <    | |  | | . \            |
# |            \____|_| |_|\___|\___|_|\_\___|_|  |_|_|\_\           |
# |                                                                  |
# | Copyright Mathias Kettner 2014             mk@mathias-kettner.de |
# +------------------------------------------------------------------+
#
# This file is part of Check_MK.
# The official homepage is at http://mathias-kettner.de/check_mk.
#
# check_mk is free software;  you can redistribute it and/or modify it
# under the  terms of the  GNU General Public License  as published by
# the Free Software Foundation in version 2.  check_mk is  distributed
# in the hope that it will be useful, but WITHOUT ANY WARRANTY;  with-
# out even the implied warranty of  MERCHANTABILITY  or  FITNESS FOR A
# PARTICULAR PURPOSE. See the  GNU General Public License for more de-
# ails.  You should have  received  a copy of the  GNU  General Public
# License along with GNU Make; see the file  COPYING.  If  not,  write
# to the Free Software Foundation, Inc., 51 Franklin St,  Fifth Floor,
# Boston, MA 02110-1301 USA.


def parse_cisco_secure(info):
    parsed = []
    # l[1] = Name, l[2] = Portstate
    names = dict([ (l[0], ( l[1], l[2] )) for l in info[0]] )
    for num, enabled, status, violationCount, lastmac in info[1]:
        mac = ":".join(["%02s" % hex(ord(m))[2:] for m in lastmac]).replace(' ', '0')
        # violationCount is initialized with 0 when security is enabled. When not, the
        # value is reported as empty string. saveint() makes life easier here.
        parsed.append((names[num][0], int(names[num][1]), int(enabled), int(status), saveint(violationCount), mac))
    return parsed


def inventory_cisco_secure(parsed):
    # search for at least one port with security
    for name, op_state, enabled, status, violationCount, lastmac in parsed:
        # if portsecurity enabled and port up OR currently there is sercurity issue`
        if ( enabled == 1 and op_state == 1) or status == 3:
            return [ (None, None) ]


def check_cisco_secure(item, params, parsed):
    secure_states = {
        1 : "full Operational",
        2 : "could not be enabled due to certain reasons",
        3 : "shutdown due to security violation"
    }

    failed = []
    at_least_one_problem = False
    for name, op_state, enabled, status, violationCount, lastmac in parsed:
        message = "Port %s: %s (Violation Count: %s, Last Mac: %s)" % \
        ( name, secure_states[status], violationCount, lastmac )

        # If port cant be enabled and is up and has violations -> WARN
        if status == 2 and op_state == 1 and int(violationCount) > 0:
            yield 1, message
            at_least_one_problem = True
        # Security issue -> CEIT
        elif status == 3:
            yield 2, message
            at_least_one_problem = True

    if not at_least_one_problem:
        yield 0, "No port security violation"


check_info["cisco_secure"] = {
    "parse_function"        : parse_cisco_secure,
    "check_function"        : check_cisco_secure,
    "inventory_function"    : inventory_cisco_secure,
    "service_description"   : "Port Security",
    "snmp_scan_function"    : lambda oid: "cisco" in oid(".1.3.6.1.2.1.1.1.0").lower() and \
                              oid(".1.3.6.1.4.1.9.9.315.1.2.1.1.1.*"),
    "snmp_info"		    : [ (".1.3.6.1.2.1.2.2.1", [OID_END, 2, 8 ] ),
                                ( ".1.3.6.1.4.1.9.9.315.1.2.1.1",
			                        [
                                                   OID_END,
                                                  "1", # cpsIfPortSecurityEnable
			                          "2", # cpsIfPortSecurityStatus
			                          "9", # cpsIfViolationCount
			                          "10", # cpsIfSecureLastMacAddress
			                        ] ),
                              ]
}

