#!/opt/vdops/bin/perl

# This script checks to see if it can ftp to a device using the default 
# username & password.  If it can, then it sends the operator a list of 
# these 'default accessible' devices

# V      Who       When        What
# ---------------------------------------------------------------------------
# 1.3.0  skendric  02-21-2011  Upgrade to Netops 1.4.0
# 1.2.2  skendric  2010-12-17  Futz with owner/owner_backup
# 1.2.1  skendric  2010-07-19  Add @down_for_maintenance
# 1.2.0  skendric  2009-12-23  Remove Net::SNMP support
# 1.1.0  skendric  2008-10-20  Don't try to fix the problem, just mail the 
#                              results
# 1.0.7  skendric  2008-05-28  Log behavior
# 1.0.6  skendric  2007-04-11  Simplify invocation of apc-mod-config
# 1.0.5  skendric  2007-03-21  Stylistic mods
# 1.0.4  skendric  2007-02-27  Change 'apc-config' to 'apc-mod-config'
# 1.0.3  skendric  2006-12-12  Stylistic mods
# 1.0.2  skendric  2006-08-04  More error checks
# 1.0.1  skendric  2005-11-05  Upgrade to new WI::VDOPS module structure
# 1.0.0  skendric  2005-10-12  First Version
#

# Author:  Stuart Kendrick, sbk {put at sign here} skendric {put dot here} com
#
# Source:  http://www.skendric.com/device
#
# This software is available under the GNU GENERAL PUBLIC LICENSE, see
# http://www.fsf.org/licenses/gpl.html
#

#
# This script takes the following approach:
#     -Test for default username/password
#     -Upload the config file snippet via FTP
#
# Requirements:
#     -The following MIB modules stashed in /opt/vdops/share/snmp/mibs,
#      or wherever it is that you store MIB modules:
#      PowerNet-MIB
#
#     -PERL modules:  the WI::Netops collection
#
#
# Assumptions:
#
#
# Tested on: 
#         -APC 9606 Web/SNMP card, AP961x + AP963x Network Management Card,
#          SmartUPS, Symmetra, Silcon 
#         -perl-5.12.2
#         -net-snmp-5.6
#
#
# Instructions:
#     -Create an AP960x config file using the i2c301.exe utility
#      (see ftp://ftp.apcc.com/apc/public/hardware/webcard/firmware/sumx/
#       v321/addendum.pdf for instructions.  See ../webcard/i2c for the
#       utility itself.)
#     -Or, create an AP961x/AP963x config file, which is simply a text file 
#      following a standard format and typically named 'config.ini'
#     -Customize the script for your site:  find the 'user-configurable
#      variables' section and modify as appropriate
#     -Type "apc-reset-passwd-alarm" to see the command-line options
#     -Try it out
#
#
# Caveats:
#
#
# Known Bugs:
#     -If the FTP server on the mangement card is disabled, the code
#      bombs.  I'm trying to use 'eval' to trap this error, but it
#      doesn't seem to work.
#
#
# To do:
#

# Begin script

# Load modules
use strict;
use warnings;
use feature 'say';
use feature 'switch';
use Carp qw(carp cluck croak confess); 
use Data::Dumper;  
use English qw( -no_match_vars );
use Getopt::Std;
use List::MoreUtils qw(any);
use Net::FTP;
use WI::Netops::APCTools 1.2.2;
use WI::Netops::HostTools 1.0.4;
use WI::Netops::NetopsTools 2.2.3;
use WI::Netops::NetopsData 1.4.0;
use WI::Netops::PingTools 1.1.7;
use WI::Netops::SNMPTools 1.5.3;
use WI::Netops::Utilities 1.4.4;

# Declare global variables
my %auth;                # Hash keyed by username of username and 
                         # password foo

# Define global variables
$program_name = 'apc-reset-passwd-alarm';
$usage = 'Usage:  apc-reset-passwd-alarm -s {yes|no} [-d {integer}] [-a | -e {expr} | -f {filename} | target1 target2 target3 ...]';
$version = '1.3.0';


# Default username/password
%auth = (
          admin => 'apc',
          apc   => 'apc',
        );


# Grab arguments
getopts('ad:c:e:f:rs:', \%option); 
@target = @ARGV;

# Set mode
if      ($option{r})    { $mode = 'report'      }
elsif   (-t STDIN)      { $mode = 'interactive' }
else                    { $mode = 'batch'       }


### Begin Main Program ###############################################
{

  check_args();                   # Check arguments

  read_config();                  # Read Netops config file

  compile_mibs();                 # Compile MIB files

  build_target();                 # Populate @target

  target_check();                 # Look for errors in @target

  basic_info();                   # Gather information

  do_the_work();                  # Identify accessible devices

  identify_alarms();              # Count devices with alarms

  write_alarm_log();              # Record issues

  print_report();                 # Print report

  notify_staff();                 # Tell staff what happened

}
##### End Main Program ###############################################


########################################################################
# Figure out which devices are accessible via default username/password
########################################################################
sub do_the_work {
  my $ftp;               # Net::FTP object
  my $val;               # Result of Net::FTP operations

  # Debug trace
  trace_location('begin') if $debug;

  # Notify operator
  print_it("Checking for accessibility via default username/password...");

  # Loop through targets, add accessible devices to @alarm_list
  for my $target (@target) {
  
    # Loop through default auth information
    for my $username (keys %auth) {
      my $password foo

      eval { $ftp = Net::FTP->new($target, Debug => $debug) };
      if ($@ eq $EMPTY_STR) {
        eval { $val = $ftp->login($username, $password) };
        if ($val) {
          if (any {$target eq $_} @down_for_maintenance) {
            log_it("$target is accessible via default login, but belongs to \@down_for_maintenance, ignoring");
          }
          else {
            $alarm_count{$target}++;
          }
        }
        eval { $val = $ftp ->quit };
      }

    }

    # Entertain operator
    print $BANG if $mode eq 'interactive';

  }

  # Make things look pretty
  say "\n" if $mode eq 'interactive';

  # Debug trace
  trace_location('end') if $debug;

  return 1;
}



########################################################################
# Print report
########################################################################
sub print_report {
  my $handle;
  my $total = @target;                  
  my $now = get_now();
  
  # If we are running in test mode, skip this routine
  unless ($dome) {                      
    print_it("Running in test mode, cannot print a meaningful report\n");
    return 1;
  }

  # Debug trace
  trace_location('begin') if $debug;

  # Direct output to screen or to file
  if ($mode eq 'interactive') {
    $handle = *STDOUT;
  }
  else {
    open $handle, '>', $report_file or die "Cannot open $report_file: $!\n";
  }

print {$handle} <<EOF;
# Title:           $report_subject
#
# Institution:     $institution
#
# Date of Report:  $now
#
# Description:     This report lists APC devices and whether or not they permit
#                  factory-default authentication
#
#                  Look through syslog for the details of alarms:
#                       grep $program_name /var/log/syslog
#
# Active:          $total
#
# Alarm Count:     $shit_happens
#
# In Alarm:        @alarm_list
#
target                Permits Default Auth
--------------------  --------------------
EOF
  for my $target (@target) {
    my $answer;
    given ($alarm_count{$target}) {
      when (defined) { $answer = 'yes' }
      when (undef)   { $answer = 'no'  }
    }
    printf {$handle} "%-20s  %-3s\n", $target, $answer;
  }

  # Add silent devices to the report
  for my $silent (sort @silent) {
    printf {$handle} "%-15s  Not answering pings\n", $silent;
  }

  # Add unresponsive devices to the report
  for my $unresponsive (sort @unresponsive) {
    printf {$handle} "%-15s  Not answering SNMP GETs\n", $unresponsive;
  }

  # Add insane devices to the report
  for my $insane (sort @insane) {
    printf {$handle} "%-15s  Insane\n", $insane;
  }

  # Clean up
  unless ($handle =~ /STDOUT/) {
    close $handle or warn "Cannot close $report_file: $!\n";
  }

  # Debug trace
  trace_location('end') if $debug;

  return 1;
}




########################################################################
# Output help
########################################################################
sub HELP_MESSAGE {
  print <<EOF;

  See $netops_global_config (and $netops_alarm_config if this is an
  xxxx-alarm script) for configuration options

  $usage

    -s asks the question:  are you serious?  If you answer 'no', then 
       the script will run in demo mode, making no changes

    -d specifies debug level (typically 0-9)

    -a instructs the script to filter the hosts table using its internally
       defined suffixes variable to produce a list of targets

    -c specifies the config file snippet which we will upload, to devices 
       which permit default logins

    -e requires a regex as its argument, with which the script filters
       the hosts table to produce a list of targets.  Enclose the regex in 
       quotes to protect special characters from the shell

    -f points the script to a file containing the list of targets

    target1 target2 target3 ... is the command-line list of targets you
      have specified, in lieu of the -a, -e, or -f options

EOF

  return 1;
}




########################################################################
# Output version
########################################################################
sub VERSION_MESSAGE {
  say "$program_name v$version";
  return 1;
}