#!/usr/bin/python
# -*- encoding: utf-8; py-indent-offset: 4 -*-
# +------------------------------------------------------------------+
# |             ____ _               _        __  __ _  __           |
# |            / ___| |__   ___  ___| | __   |  \/  | |/ /           |
# |           | |   | '_ \ / _ \/ __| |/ /   | |\/| | ' /            |
# |           | |___| | | |  __/ (__|   <    | |  | | . \            |
# |            \____|_| |_|\___|\___|_|\_\___|_|  |_|_|\_\           |
# |                                                                  |
# | Copyright Mathias Kettner 2014             mk@mathias-kettner.de |
# +------------------------------------------------------------------+
#
# This file is part of Check_MK.
# The official homepage is at http://mathias-kettner.de/check_mk.
#
# check_mk is free software;  you can redistribute it and/or modify it
# under the  terms of the  GNU General Public License  as published by
# the Free Software Foundation in version 2.  check_mk is  distributed
# in the hope that it will be useful, but WITHOUT ANY WARRANTY;  with-
# out even the implied warranty of  MERCHANTABILITY  or  FITNESS FOR A
# PARTICULAR PURPOSE. See the  GNU General Public License for more de-
# tails. You should have  received  a copy of the  GNU  General Public
# License along with GNU Make; see the file  COPYING.  If  not,  write
# to the Free Software Foundation, Inc., 51 Franklin St,  Fifth Floor,
# Boston, MA 02110-1301 USA.


def parse_cisco_secure(info):

    parsed = []
    # l[1] = Name, l[2] = Portstate
    names = {l[0]: (l[1], l[2]) for l in info[0]}
    for num, is_enabled, status, violationCount, lastmac in info[1]:
        mac = ":".join(["%02s" % hex(ord(m))[2:] for m in lastmac]).replace(' ', '0')
        # violationCount is initialized with 0 when security is enabled. When not, the
        # value is reported as empty string. saveint() makes life easier here.
        parsed.append((names[num][0], int(names[num][1]), {'1': 'yes', '2': 'no'}.get(is_enabled),
                       int(status), saveint(violationCount), mac))
    return parsed


def inventory_cisco_secure(parsed):
    # search for at least one port with security
    for name, op_state, is_enabled, status, violationCount, lastmac in parsed:
        # if portsecurity enabled and port up OR currently there is sercurity issue`
        if status == 3 or (is_enabled != 'no' and op_state == 1):
            return [ (None, None) ]


def check_cisco_secure(item, params, parsed):
    secure_states = {
        1 : "full Operational",
        2 : "could not be enabled due to certain reasons",
        3 : "shutdown due to security violation"
    }

    failed = []
    at_least_one_problem = False
    for name, op_state, is_enabled, status, violationCount, lastmac in parsed:
        message = "Port %s: %s (Violation Count: %s, Last Mac: %s)" % \
        ( name, secure_states[status], violationCount, lastmac )

        if is_enabled is not None:
            # If port cant be enabled and is up and has violations -> WARN
            if status == 2 and op_state == 1 and int(violationCount) > 0:
                yield 1, message
                at_least_one_problem = True
            # Security issue -> CEIT
            elif status == 3:
                yield 2, message
                at_least_one_problem = True
        else:
            yield 3, message + " unknown enabled state"
            at_least_one_problem = True

    if not at_least_one_problem:
        yield 0, "No port security violation"


check_info["cisco_secure"] = {
    "parse_function"        : parse_cisco_secure,
    "check_function"        : check_cisco_secure,
    "inventory_function"    : inventory_cisco_secure,
    "service_description"   : "Port Security",
    "snmp_scan_function"    : lambda oid: "cisco" in oid(".1.3.6.1.2.1.1.1.0").lower() and \
                              oid(".1.3.6.1.4.1.9.9.315.1.2.1.1.1.*"),
    "snmp_info"                    : [ (".1.3.6.1.2.1.2.2.1", [OID_END, 2, 8 ] ),
                                ( ".1.3.6.1.4.1.9.9.315.1.2.1.1",
                                                [
                                                   OID_END,
                                                  "1", # cpsIfPortSecurityEnable
                                                  "2", # cpsIfPortSecurityStatus
                                                  "9", # cpsIfViolationCount
                                                  "10", # cpsIfSecureLastMacAddress
                                                ] ),
                              ]
}

