#!/opt/vdops/bin/perl

# This script queries CISCO-IPSEC-FLOW-MONITOR-MIB for parameters related to 
# the health of IPSec tunnels and produces a report, optionally sending e-mail 
# to interested parties

# V      Who       When        What
# ---------------------------------------------------------------------------
# 1.1.0  skendric  2011-02-21  Upgrade to Netops 1.4.0
# 1.0.2  skendric  2010-12-30  Add @insane to report
# 1.0.1  skendric  2010-12-17  Futz with owner/owner_backup
# 1.0.0  skendric  2010-05-14  First Version
#
#
# Author:  Stuart Kendrick, sbk {put at sign here} skendric {put dot here} com
#
# Source:  http://www.skendric.com/device
#
# This software is available under the GNU GENERAL PUBLIC LICENSE, see
# http://www.fsf.org/licenses/gpl.html
#

#
# This script takes the following approach:
#     -Parses the hosts table for a list of targets (or accepts a command-
#      line list)
#     -Queries a bunch of CISCO-ENVMON-MIB specific variables
#     -Produces a report
#
#
# Requirements:
#      -The target(s) must be pingable
#
#      -The following MIB modules stashed in /opt/vdops/share/snmp/mibs,
#       or wherever it is that you store MIB modules:
#       CISCO-PRODUCTS-MIB.my
#
#     -PERL modules:  the WI::Netops collection
#
#
# Assumptions:
#
#
# Tested on:
#     -perl-5.12.2
#     -net-snmp-5.6
#
#
# Instructions:
#     -Customize the script for your site:  find the 'user-configurable
#      variables' section and modify as appropriate
#     -Try it out
#
#
# Caveats:
#
#
# Known Bugs:
#
#
# To do:
#     -Add support for SNMPv3
#

# Begin script

# Load modules
use strict;
use warnings;
use feature 'say';
use feature 'switch';
use Carp qw(carp cluck croak confess);
use Data::Dumper;
use English qw( -no_match_vars );
use Getopt::Std;
use List::MoreUtils qw(first_index);
use WI::Netops::CiscoTools 1.4.3;
use WI::Netops::HostTools 1.0.4;
use WI::Netops::NetopsTools 2.2.3;
use WI::Netops::NetopsData 1.4.0;
use WI::Netops::PingTools 1.1.7;
use WI::Netops::SNMPTools 1.5.3;
use WI::Netops::Utilities 1.4.4;

# Declare global variables.  All hashes keyed by target
my %active_tunnels;             # cikeGlobalActiveTunnels
my %no_sa_fails;                # cipSecGlobalNoSaFails
my %out_encrypt_fails;          # cipSecGlobalOutEncryptFails
my %out_auth_fails;             # cipSecGlobalOutAuthFails
my %out_drops;                  # cipSecGlobalOutDrops
my %protocol_use_fails;         # cipSecGlobalProtocolUseFails
my %sys_cap_fails;              # cipSecGlobalSysCapFails
my %total_tunnels;              # cikeGlobalTotalTunnels


# Define global variables
$program_name = 'tunnel-alarm';
$usage = 'Usage:  tunnel-alarm -s {yes|no} [-d {integer}] [-r] [-a | -e {expr} | -f {filename} | target1 target2 target3 ...]'; 
$version = '1.1.0';


# Grab arguments
getopts('ad:e:f:rs:', \%option); 
@target = @ARGV;

# Domain-specific stuff
$option{s} = 'yes' unless defined $option{s};
@target = qw/mmz-a-rtr mmz-b-rtr/ unless @target > 0;


# Set mode
if      ($option{r})            { $mode = 'report'      }
elsif   (-t STDIN)              { $mode = 'interactive' }
else                            { $mode = 'batch'       }


### Begin Main Program ###############################################
{
  check_args();                   # Check arguments

  read_config();                  # Read Netops config file

  compile_mibs();                 # Compile MIB files

  build_target();                 # Populate @target
  
  target_check();                 # Look for errors in @target

  basic_info();                   # Gather information

  sanity_check();                 # Check for error conditions

  do_the_work();                  # Do it

  identify_alarms();              # Count devices with alarms

  write_alarm_log();              # Record issues

  print_report();                 # Print report

  notify_staff();                 # Mail report
}

##### End Main Program #################################################



########################################################################
# Query variables
########################################################################
sub do_the_work {

  # Debug trace
  trace_location('begin') if $debug;

  # Notify operator
  print_it('Querying targets...');
  unless ($dome) {
    sleep $short;
    return 1;
  }

  # Loop through the list of targets
  for my $target (@target) {
    my (%arg, $val);
    say "Processing $target" if $debug;

    # Acquire cikeGlobalInitTunnels.0
    %arg = ( host => $target, oid => 'cikeGlobalInitTunnels.0', translate => 0);
    $val = snmpGet(\%arg);
    $val //= 0;
    say "  $target has initiated $val tunnels" if $debug;
    $total_tunnels{$target} = $val;

    # Acquire cikeGlobalActiveTunnels.0
    say 'Getting cikeGlobalActiveTunnels.0' if $debug > 3;
    $val = snmpGet( {host => $target, oid => 'cikeGlobalActiveTunnels.0'} );
    $val //= 0;
    say "  $target is hosting $val active tunnels" if $debug;
    $active_tunnels{$target} = $val;

    # cipSecGlobalSysCapFails
    %arg = (host=>$target, oid=>'cipSecGlobalSysCapFails.0', translate=>0);
    $val = snmpGet(\%arg);
    $val //= $QUERY;
    unless ($val eq '0') {
      $alarm_count{$target}++;
      log_it("cipSecGlobalSysCapFails = $val");
    }
    $sys_cap_fails{$target} = $val;

    # cipSecGlobalNoSaFails
    %arg = (host => $target, oid => 'cipSecGlobalNoSaFails.0', translate => 0);
    $val = snmpGet(\%arg);
    $val //= $QUERY;
    log_it("cipSecGlobalNoSaFails = $val");
    $no_sa_fails{$target} = $val;

    # cipSecGlobalProtocolUseFails
    %arg = (host=>$target, oid=>'cipSecGlobalProtocolUseFails.0', translate=>0);
    $val = snmpGet(\%arg);
    $val //= $QUERY;
    unless ($val eq '0') {
      $alarm_count{$target}++;
      log_it("cipSecGlobalProtocolUseFails = $val");
    }
    $protocol_use_fails{$target} = $val;

    # cipSecGlobalOutEncryptFails 
    %arg = (host=>$target, oid=>'cipSecGlobalOutEncryptFails.0', translate=>0);
    $val = snmpGet(\%arg);
    $val //= $QUERY;
    unless ($val eq '0') {
      $alarm_count{$target}++;
      log_it("cipSecGlobalOutEncryptFails = $val");
    }
    $out_encrypt_fails{$target} = $val;

    # cipSecGlobalOutAuthFails 
    %arg = (host=>$target, oid=>'cipSecGlobalOutAuthFails.0', translate=>0);
    $val = snmpGet(\%arg);
    $val //= $QUERY;
    unless ($val eq '0') {
      $alarm_count{$target}++;
      log_it("cipSecGlobalOutAuthFails = $val");
    }
    $out_auth_fails{$target} = $val;

    # cipSecGlobalOutDrops
    %arg = ( host => $target, oid => 'cipSecGlobalOutDrops.0', translate => 0);
    $val = snmpGet(\%arg);
    $val //= $QUERY;
    $out_drops{$target} = $val;


    # Entertain operator
    print $BANG if $mode eq 'interactive';
  }

  # Debug info
  if ($debug > 2) {
    for my $target (@target) {
      if (defined $alarm_count{$target} and $alarm_count{$target} > 0) {
        say "alarm_count{$target} = $alarm_count{$target}";
      }
    }
  }

  # Make things look pretty
  say "\n" if $mode eq 'interactive';

  # Debug trace
  trace_location('end') if $debug;

  return 1;  
}




########################################################################
# Tell the operator what I discovered
########################################################################
sub print_report {
  my $handle;
  my $total = @target;
  my $now = get_now();

  # If we are running in test mode, skip this routine
  unless ($dome) {
    print_it("Running in test mode, cannot print a meaningful report\n");
    return 1;
  }

  # Debug trace
  trace_location('begin') if $debug;

  # Direct output to screen or to file
  if ($mode eq 'interactive') {
    $handle = *STDOUT;
  }
  else {
    open $handle, '>', $report_file or die "Cannot open $report_file: $!\n";
  }


print {$handle} <<EOF;
# Title:           $report_subject
#
# Institution:     $institution
#
# Date of Report:  $now
#
# Description:     This report describes the status of the IPSec function
#
#                  Look through syslog for the details of alarms:
#                       grep $program_name /var/log/syslog
#
# Active:          $total
#
# Alarm Count:     $shit_happens
#
# In Alarm:        @alarm_list
# 
# Questions:       If you have questions or comments regarding this
#                  report, please mail them to $report_queries.
#
# Notes:           This report global parameters relevant to IPSec 
#                  tunnel health, extracted from CISCO-IPSEC-FLOW-MONITOR-MIB
#                  All parameters are global, meaning they are summed across 
#                  all tunnels.
#
# Capacity         System Capacity Failures
# NoSa             No Security Associations
# ProtUse          Protocol Use Fails
# OutEncr          Outbound Encryption Fails
# OutAuth          Outbound Authentication Fails
# OutDrops         Outbound Drops (packets dropped during processing)
#
# This script alarms on values above zero for Capacity, ProtUse, OutEncr, and 
# OutAuth
#
target        Total Active Capacity NoSa     ProtUse  OutEncr  OutAuth  OutDrops
------------- ----- ------ -------- -------- -------- -------- -------- --------
EOF
  for my $target (@target) {
    printf {$handle} 
      "%-13s %5.5s %6.6s %8.8s %8.8s %8.8s %8.8s %8.8s %8.8s\n",
      $target, $total_tunnels{$target}, $active_tunnels{$target},
      $sys_cap_fails{$target}, $no_sa_fails{$target}, 
      $protocol_use_fails{$target}, $out_encrypt_fails{$target}, 
      $out_auth_fails{$target}, $out_drops{$target};
  }

  # Add silent devices to the report
  for my $silent (sort @silent) {
    printf {$handle} "%-15s  Not answering pings\n", $silent;
  }

  # Add unresponsive devices to the report
  for my $unresponsive (sort @unresponsive) {
    printf {$handle} "%-15s  Not answering SNMP GETs\n", $unresponsive;
  }

  # Add insane devices to the report
  for my $insane (sort @insane) {
    printf {$handle} "%-15s  Insane\n", $insane;
  }

  # Clean up
  unless ($handle =~ /STDOUT/) {
    close $handle or warn "Cannot close $report_file: $!\n";
  }

  # Debug trace
  trace_location('end') if $debug;

  return 1;
}




########################################################################
# Sanity check
########################################################################
sub sanity_check {
  my @remove;

  # Debug trace
  trace_location('begin') if $debug;

  # Notify operator
  print_it('Sanity check...');

  # Loop through targets, looking for problems
  for my $target (@target) {
    my $cip;

    # Identify presence of Cisco Environmental Monitoring function
    $cip = snmpGet( {host => $target, oid => 'cipSecMibLevel.0'} );
    unless (defined $cip) {
      say "\n$target does not support CISCO-IPSEC-FLOW-MONITOR-MIB, skipping" if $debug;
      push @remove, $target;
      print $DOT if $mode eq 'interactive';
    }
    else {
      print $BANG if $mode eq 'interactive';
    }

  }

  # Remove entries which failed checks
  prune_basic(@remove);
  @insane = @remove;

  # Make things look pretty
  say "\n" if $mode eq 'interactive';

  # Debug trace
  trace_location('end') if $debug;

  return 1;
}




########################################################################
# Output help
########################################################################
sub HELP_MESSAGE {
  print <<EOF;

  See $netops_global_config (and $netops_alarm_config if this is an
  xxxx-alarm script) for configuration options

  $usage

    -s asks the question:  are you serious?  If you answer 'no', then 
       the script will run in demo mode, making no changes

    -d specifies debug level (typically 0-9)

    -r determines whether or not the script writes its report to disk

    -a instructs the script to filter the hosts table using its internally
       defined suffixes variable to produce a list of targets

    -e requires a regex as its argument, with which the script filters
       the hosts table to produce a list of targets.  Enclose the regex in 
       quotes to protect special characters from the shell

    -f points the script to a file containing the list of targets

    target1 target2 target3 ... is the command-line list of targets you
      have specified, in lieu of the -a, -e, or -f options

EOF

  return 1;
}




########################################################################
# Output version
########################################################################
sub VERSION_MESSAGE {
  say "$program_name v$version";
  return 1;
}