ffho-salt-public/icinga2/plugins/check_syncrepl_extended

#!/usr/bin/env python3

#
# Script to check LDAP syncrepl replication state between two servers.
# One server is consider as provider and the other as consumer.
#
# This script can check replication state with two method :
#  - by the fisrt, entryCSN of all entries of LDAP directory will be
#    compare between two servers
#  - by the second, all values of all atributes of all entries will
#    be compare between two servers.
#
# In all case, contextCSN of servers will be compare and entries not
# present in consumer or in provider will be notice. You can decide to
# disable contextCSN verification by using argument --no-check-contextCSN.
#
# This script is also able to "touch" LDAP object on provider to force
# synchronisation of this object. This mechanism consist to add '%%TOUCH%%'
# value to an attribute of this object and remove it just after. The
# touched attribute is specify by parameter --touch. Of course, couple of
# DN and password provided, must have write right on this attribute.
#
# If your prefer, you can use --replace-touch parameter to replace value
# of touched attribute instead of adding the touched value. Use-ful in
# case of single-value attribute.
#
# This script could be use as Nagios plugin (-n argument)
#
# Requirement:
# A single couple of DN and password able to connect to both server
# and without restriction to retrieve objects from servers.
#
# Author: Benjamin Renard <brenard@easter-eggs.com>
# Source: https://gitea.zionetrix.net/bn8/check_syncrepl_extended
# License: GPLv3
#

import argparse
import logging
import sys

import getpass

import ldap
from ldap import LDAPError  # pylint: disable=no-name-in-module
from ldap.controls import SimplePagedResultsControl
from ldap import modlist

VERSION = '0.0'
TOUCH_VALUE = b'%%TOUCH%%'

parser = argparse.ArgumentParser(
    description=(
        "Script to check LDAP syncrepl replication state between "
        "two servers."),
    epilog=(
        'Author: Benjamin Renard <brenard@easter-eggs.com>, '
        f'Version: {VERSION}, '
        'Source: https://gitea.zionetrix.net/bn8/check_syncrepl_extended')
)

parser.add_argument(
    "-p", "--provider",
    dest="provider",
    action="store",
    type=str,
    help="LDAP provider URI (example: ldaps://ldapmaster.foo:636)"
)

parser.add_argument(
    "-c", "--consumer",
    dest="consumer",
    action="store",
    type=str,
    help="LDAP consumer URI (example: ldaps://ldapslave.foo:636)"
)

parser.add_argument(
    "-i", "--serverID",
    dest="serverid",
    action="store",
    type=int,
    help=(
        "Compare contextCSN of a specific master. Useful in MultiMaster "
        "setups where each master has a unique ID and a contextCSN for "
        "each replicated master exists. A valid serverID is a integer "
        "value from 0 to 4095 (limited to 3 hex digits, example: '12' "
        "compares the contextCSN matching '#00C#')"),
    default=False
)

parser.add_argument(
    "-T", "--starttls",
    dest="starttls",
    action="store_true",
    help="Start TLS on LDAP provider/consumers connections",
    default=False
)

parser.add_argument(
    "-D", "--dn",
    dest="dn",
    action="store",
    type=str,
    help="LDAP bind DN (example: uid=nagios,ou=sysaccounts,o=example"
)

parser.add_argument(
    "-P", "--pwd",
    dest="pwd",
    action="store",
    type=str,
    help="LDAP bind password",
    default=None
)

parser.add_argument(
    "-b", "--basedn",
    dest="basedn",
    action="store",
    type=str,
    help="LDAP base DN (example: o=example)"
)

parser.add_argument(
    "-f", "--filter",
    dest="filterstr",
    action="store",
    type=str,
    help="LDAP filter (default: (objectClass=*))",
    default='(objectClass=*)'
)

parser.add_argument(
    "-d", "--debug",
    dest="debug",
    action="store_true",
    help="Debug mode",
    default=False
)

parser.add_argument(
    "-n", "--nagios",
    dest="nagios",
    action="store_true",
    help="Nagios check plugin mode",
    default=False
)

parser.add_argument(
    "-q", "--quiet",
    dest="quiet",
    action="store_true",
    help="Quiet mode",
    default=False
)

parser.add_argument(
    "--no-check-certificate",
    dest="nocheckcert",
    action="store_true",
    help="Don't check the server certificate (Default: False)",
    default=False
)

parser.add_argument(
    "--no-check-contextCSN",
    dest="nocheckcontextcsn",
    action="store_true",
    help="Don't check servers contextCSN (Default: False)",
    default=False
)

parser.add_argument(
    "--only-check-contextCSN",
    dest="onlycheckcontextcsn",
    action="store_true",
    help=(
        "Only check servers root contextCSN (objects check disabled, "
        "default : False)"),
    default=False
)

parser.add_argument(
    "-a", "--attributes",
    dest="attrs",
    action="store_true",
    help="Check attributes values (Default: check only entryCSN)",
    default=False
)

parser.add_argument(
    "--exclude-attributes",
    dest="excl_attrs",
    action="store",
    type=str,
    help="Don't check this attribut (only in attribute check mode)",
    default=None
)

parser.add_argument(
    "--touch",
    dest="touch",
    action="store",
    type=str,
    help=(
        'Touch attribute giving in parameter to force resync a this LDAP '
        f'object from provider. A value "{TOUCH_VALUE.decode()}" will be '
        'add to this attribute and remove after. The user use to connect '
        'to the LDAP directory must have write permission on this '
        'attribute on each object.'
    ),
    default=None
)

parser.add_argument(
    "--replace-touch",
    dest="replacetouch",
    action="store_true",
    help="In touch mode, replace value instead of adding.",
    default=False
)

parser.add_argument(
    "--remove-touch-value",
    dest="removetouchvalue",
    action="store_true",
    help="In touch mode, remove touch value if present.",
    default=False
)

parser.add_argument(
    "--page-size",
    dest="page_size",
    action="store",
    type=int,
    help=(
        "Page size: if defined, paging control using LDAP v3 extended "
        "control will be enabled."),
    default=None
)

options = parser.parse_args()

if options.nocheckcontextcsn and options.onlycheckcontextcsn:
    parser.error(
        "You can't use both --no-check-contextCSN and "
        "--only-check-contextCSN parameters and the same time")
    if options.nagios:
        sys.exit(3)
    sys.exit(1)

if not options.provider or not options.consumer:
    parser.error("You must provide provider and customer URI")
    if options.nagios:
        sys.exit(3)
    sys.exit(1)

if not options.basedn:
    parser.error("You must provide base DN of connection to LDAP servers")
    if options.nagios:
        sys.exit(3)
    sys.exit(1)


if not 0 <= options.serverid <= 4095:
    parser.error(
        "ServerID should be a integer value from 0 to 4095 "
        "(limited to 3 hexadecimal digits).")
    if options.nagios:
        sys.exit(3)
    sys.exit(1)

if options.touch and not options.attrs:
    logging.info('Force option attrs on touch mode')
    options.attrs = True

if options.dn and options.pwd is None:
    options.pwd = getpass.getpass()

excl_attrs = []
if options.excl_attrs:
    for ex in options.excl_attrs.split(','):
        excl_attrs.append(ex.strip())

FORMAT = "%(asctime)s - %(levelname)s: %(message)s"

if options.debug:
    logging.basicConfig(level=logging.DEBUG, format=FORMAT)
    ldap.set_option(ldap.OPT_DEBUG_LEVEL, 0)  # pylint: disable=no-member
elif options.nagios:
    logging.basicConfig(level=logging.ERROR, format=FORMAT)
elif options.quiet:
    logging.basicConfig(level=logging.WARNING, format=FORMAT)
else:
    logging.basicConfig(level=logging.INFO, format=FORMAT)


class LdapServer:

    uri = ""
    dn = ""
    pwd = ""
    start_tls = False

    con = 0

    def __init__(self, uri, dn, pwd, start_tls=False, page_size=None):
        self.uri = uri
        self.dn = dn
        self.pwd = pwd
        self.start_tls = start_tls
        self.page_size = page_size

    def connect(self):
        if self.con == 0:
            try:
                con = ldap.initialize(self.uri)
                # pylint: disable=no-member
                con.protocol_version = ldap.VERSION3
                if self.start_tls:
                    con.start_tls_s()
                if self.dn:
                    con.simple_bind_s(self.dn, self.pwd)
                self.con = con
            except LDAPError:
                logging.error("LDAP Error", exc_info=True)
                return False
        return True

    def getContextCSN(self, basedn=False, serverid=False):
        if not basedn:
            basedn = self.dn
        data = self.search(
            basedn, '(objectclass=*)', attrs=['contextCSN'], scope='base')
        if data:
            contextCSNs = data[0][0][1]['contextCSN']
            logging.debug('Found contextCSNs %s', contextCSNs)
            if serverid is False:
                return contextCSNs[0]
            csnid = str(format(serverid, 'X')).zfill(3)
            sub = str.encode(f'#{csnid}#', encoding="ascii", errors="replace")
            CSN = [s for s in contextCSNs if sub in s]
            if not CSN:
                logging.error(
                    "No contextCSN matching with ServerID %s (=%s) could be "
                    "found.",
                    serverid, sub
                )
                return False
            return CSN[0]
        return False

    @staticmethod
    def get_scope(scope):
        if scope == 'base':
            return ldap.SCOPE_BASE  # pylint: disable=no-member
        if scope == 'one':
            return ldap.SCOPE_ONELEVEL  # pylint: disable=no-member
        if scope == 'sub':
            return ldap.SCOPE_SUBTREE  # pylint: disable=no-member
        raise Exception(f'Unknown LDAP scope "{scope}"')

    def search(self, basedn, filterstr, attrs=None, scope=None):
        if self.page_size:
            return self.paged_search(
                basedn, filterstr, attrs=attrs, scope=scope)
        res_id = self.con.search(
            basedn, self.get_scope(scope if scope else 'sub'),
            filterstr, attrs if attrs else []
        )
        ret = []
        while 1:
            res_type, res_data = self.con.result(res_id, 0)
            if res_data == []:
                break
            if res_type == ldap.RES_SEARCH_ENTRY:  # pylint: disable=no-member
                ret.append(res_data)
        return ret

    def paged_search(self, basedn, filterstr, attrs=None, scope=None):
        ret = []
        page = 0
        pg_ctrl = SimplePagedResultsControl(True, self.page_size, '')
        while page == 0 or pg_ctrl.cookie:
            page += 1
            logging.debug('Page search: loading page %d', page)
            res_id = self.con.search_ext(
                basedn, self.get_scope(scope if scope else 'sub'),
                filterstr, attrs if attrs else [], serverctrls=[pg_ctrl]
            )
            # pylint: disable=unused-variable
            res_type, res_data, res_id, serverctrls = self.con.result3(res_id)
            for serverctrl in serverctrls:
                if serverctrl.controlType == SimplePagedResultsControl.controlType:
                    pg_ctrl.cookie = serverctrl.cookie
                    break
            for item in res_data:
                ret.append([item])
        return ret

    def update_object(self, dn, old, new):
        ldif = modlist.modifyModlist(old, new)
        if not ldif:
            return True
        try:
            logging.debug('Update object %s: %s', dn, ldif)
            self.con.modify_s(dn, ldif)
            return True
        except LDAPError:
            logging.error('Error updating object %s', dn, exc_info=True)
        return False

    @staticmethod
    def get_attr(obj, attr):
        if attr in obj[0][1]:
            return obj[0][1][attr]
        return []

    def touch_object(self, dn, attr, orig_value):
        old = {}
        if orig_value:
            old[attr] = orig_value
        new = {}

        if options.replacetouch:
            if not orig_value or TOUCH_VALUE not in orig_value:
                new[attr] = [TOUCH_VALUE]
        else:
            new[attr] = list(orig_value)
            if orig_value or TOUCH_VALUE in orig_value:
                new[attr].remove(TOUCH_VALUE)
            else:
                new[attr].append(TOUCH_VALUE)
        try:
            logging.info(
                'Touch object "%s" on attribute "%s": %s => %s',
                dn, attr, old, new
            )
            if self.update_object(dn, old, new):
                logging.info(
                    'Restore original value of attribute "%s" of object "%s"',
                    attr, dn)
                if options.removetouchvalue and TOUCH_VALUE in old[attr]:
                    old[attr].remove(TOUCH_VALUE)
                self.update_object(dn=dn, old=new, new=old)
                return True
        except LDAPError:
            logging.error('Error touching object "%s"', dn, exc_info=True)
        return False


if options.nocheckcert:
    # pylint: disable=no-member
    ldap.set_option(
        ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

servers = [options.provider, options.consumer]

LdapServers = {}
LdapObjects = {}
LdapServersCSN = {}

for srv in servers:
    logging.info('Connect to %s', srv)
    LdapServers[srv] = LdapServer(srv, options.dn, options.pwd,
                                  options.starttls,
                                  page_size=options.page_size)

    if not LdapServers[srv].connect():
        if options.nagios:
            print(f'UNKWNON - Failed to connect to {srv}')
            sys.exit(3)
        else:
            sys.exit(1)

    if not options.nocheckcontextcsn:
        LdapServersCSN[srv] = LdapServers[srv].getContextCSN(
            options.basedn, options.serverid)
        logging.info('ContextCSN of %s: %s', srv, LdapServersCSN[srv])

    if not options.onlycheckcontextcsn:
        logging.info('List objects from %s', srv)
        LdapObjects[srv] = {}

        if options.attrs:
            for obj in LdapServers[srv].search(
                options.basedn, options.filterstr, []
            ):
                logging.debug('Found on %s: %s', srv, obj[0][0])
                LdapObjects[srv][obj[0][0]] = obj[0][1]
        else:
            for obj in LdapServers[srv].search(
                options.basedn, options.filterstr, ['entryCSN']
            ):
                logging.debug(
                    'Found on %s: %s / %s',
                    srv, obj[0][0], obj[0][1]['entryCSN'][0]
                )
                LdapObjects[srv][obj[0][0]] = obj[0][1]['entryCSN'][0]

        logging.info('%s objects founds', len(LdapObjects[srv]))


if not options.onlycheckcontextcsn:
    not_found = {}
    not_sync = {}

    for srv in servers:
        not_found[srv] = []
        not_sync[srv] = []

    if options.attrs:
        logging.info(
            "Check if objects a are synchronized (by comparing attributes's "
            "values)")
    else:
        logging.info(
            'Check if objets are synchronized (by comparing entryCSN)')
    for obj in LdapObjects[options.provider]:
        logging.debug('Check obj %s', obj)
        for srv_name, srv in LdapObjects.items():
            if srv_name == options.provider:
                continue
            if obj in srv:
                touch = False
                if LdapObjects[options.provider][obj] != srv[obj]:
                    if options.attrs:
                        attrs_list = []
                        for attr in LdapObjects[options.provider][obj]:
                            if attr in excl_attrs:
                                continue
                            if attr not in srv[obj]:
                                attrs_list.append(attr)
                                logging.debug(
                                    "Obj %s not synchronized: %s not present on %s",
                                    obj, ','.join(attrs_list), srv_name
                                )
                                touch = True
                            else:
                                srv[obj][attr].sort()
                                LdapObjects[options.provider][obj][attr].sort()
                                if srv[obj][attr] != LdapObjects[options.provider][obj][attr]:
                                    attrs_list.append(attr)
                                    logging.debug(
                                        "Obj %s not synchronized: %s not same value(s)",
                                        obj, ','.join(attrs_list)
                                    )
                                    touch = True
                        if attrs_list:
                            not_sync[srv_name].append(f'{obj} ({",".join(attrs_list)})')
                    else:
                        logging.debug(
                            "Obj %s not synchronized: %s <-> %s",
                            obj, LdapObjects[options.provider][obj], srv[obj]
                        )
                        not_sync[srv_name].append(obj)
                if touch and options.touch:
                    orig_value = []
                    if options.touch in LdapObjects[options.provider][obj]:
                        orig_value = LdapObjects[options.provider][obj][options.touch]
                    LdapServers[options.provider].touch_object(
                        obj, options.touch, orig_value)
            else:
                logging.debug('Obj %s: not found on %s', obj, srv_name)
                not_found[srv_name].append(obj)
                if options.touch:
                    orig_value = []
                    if options.touch in LdapObjects[options.provider][obj]:
                        orig_value = LdapObjects[options.provider][obj][options.touch]
                    LdapServers[options.provider].touch_object(
                        obj, options.touch, orig_value)

    for obj in LdapObjects[options.consumer]:
        logging.debug('Check obj %s of consumer', obj)
        if obj not in LdapObjects[options.provider]:
            logging.debug('Obj %s: not found on provider', obj)
            not_found[options.provider].append(obj)

if options.nagios:
    errors = []
    long_output = []

    if not options.nocheckcontextcsn:
        if not LdapServersCSN[options.provider]:
            errors.append('ContextCSN of LDAP server provider could not be found')
        else:
            long_output.append(
                f'ContextCSN on LDAP server provider = {LdapServersCSN[options.provider]}')
            for srv_name, srv_csn in LdapServersCSN.items():
                if srv_name == options.provider:
                    continue
                if not srv_csn:
                    errors.append(f'ContextCSN of {srv_name} not found')
                elif srv_csn != LdapServersCSN[options.provider]:
                    errors.append(
                        f'ContextCSN of {srv_name} not the same of provider')
                    long_output.append(
                        f'ContextCSN on LDAP server {srv_name} = {srv_csn}')

    if not options.onlycheckcontextcsn:
        if not_found[options.consumer]:
            errors.append(
                f'{len(not_found[options.consumer])} not found object(s) on '
                'consumer')
            long_output.append(
                f'Object(s) not found on server {options.consumer} '
                '(consumer):')
            for obj in not_found[options.consumer]:
                long_output.append(f' - {obj}')
        if not_found[options.provider]:
            errors.append(
                f'{len(not_found[options.provider])} not found object(s) on '
                'provider')
            long_output.append(
                f'Object(s) not found on server {options.provider} '
                '(provider):')
            for obj in not_found[options.provider]:
                long_output.append(f' - {obj}')
        if not_sync[options.consumer]:
            errors.append(
                f'{len(not_sync[options.consumer])} not synchronized object(s) '
                'on consumer')
            long_output.append(
                f'Object(s) not synchronized on server {options.consumer} '
                '(consumer):')
            for obj in not_sync[options.consumer]:
                long_output.append(f' - {obj}')
    if errors:
        print(f'CRITICAL: {", ".join(errors)}')
        print('\n\n')
        print("\n".join(long_output))
        sys.exit(2)
    else:
        print('OK: consumer and provider are synchronized')
        sys.exit(0)
else:
    noerror = True
    for srv in servers:
        if not options.nocheckcontextcsn:
            if not LdapServersCSN[options.provider]:
                logging.warning(
                    'ContextCSN of LDAP server provider could not be found')
                noerror = False
            else:
                for srv_name, srv_csn in LdapServersCSN.items():
                    if srv_name == options.provider:
                        continue
                    if not srv_csn:
                        logging.warning('ContextCSN of %s not found', srv_name)
                        noerror = False
                    elif srv_csn != LdapServersCSN[options.provider]:
                        logging.warning(
                            'ContextCSN of %s not the same of provider',
                            srv_name)
                        noerror = False

        if not options.onlycheckcontextcsn:
            if not_found[srv]:
                logging.warning(
                    'Not found objects on %s :\n  - %s',
                    srv, '\n  - '.join(not_found[srv])
                )
                noerror = False
            if not_sync[srv]:
                logging.warning(
                    'Not sync objects on %s: %s',
                    srv, '\n  - '.join(not_sync[srv])
                )
                noerror = False

    if noerror:
        logging.info('No sync problem detected')