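#!/usr/bin/env python3
"""Monitoring check: days until the default TLS certificate on an IP expires.

The script connects to ``--ip``/``--port`` without sending SNI, reads whatever
certificate the server presents, and maps the remaining validity onto the
usual monitoring-plugin exit codes (OK / WARNING / CRITICAL / UNKNOWN).

Security note: certificate verification is deliberately disabled so that
expired, self-signed or name-mismatched certificates can still be inspected.
The expiry date and common name are therefore *unauthenticated* data taken
from whichever endpoint answered; use them for expiry reporting only, never
as a trust decision.
"""
import sys
import socket
import ssl
import tempfile
import os
from datetime import datetime, timezone
import argparse

# Exit statuses following the monitoring-plugin convention.
EXIT_OK = 0
EXIT_WARNING = 1
EXIT_CRITICAL = 2
EXIT_UNKNOWN = 3


def sanitize_cert_name(name):
    """Make a certificate-supplied name safe to embed in one line of output.

    The name comes from an unverified peer certificate, so it is untrusted.
    Non-printable characters (newlines, escape sequences, NUL) and ``|``
    (the performance-data separator in monitoring-plugin output) are replaced
    with ``?``. ``None`` is passed through unchanged.
    """
    if name is None:
        return None
    return ''.join(
        ch if ch.isprintable() and ch != '|' else '?' for ch in str(name)
    )


def get_cert_expiry(ip, port=443, timeout=5):
    """Fetch the peer certificate from ``ip:port`` and return its expiry.

    Args:
        ip: Address to connect to. No SNI is sent, so the server answers
            with its default certificate.
        port: TCP port of the TLS service.
        timeout: Socket timeout in seconds.

    Returns:
        ``(expiry_date, common_name)`` where ``expiry_date`` is a naive
        ``datetime`` parsed from the certificate's ``notAfter`` field and
        ``common_name`` is the first ``commonName`` found in the subject,
        or ``None`` when the subject has none.

    Raises:
        ValueError: The decoded certificate has no ``notAfter`` value, or
            the value does not match the expected date format.
        OSError: Connection or TLS handshake failure (includes
            ``ssl.SSLError`` and timeouts).
    """
    context = ssl.create_default_context()
    # Verification is switched off on purpose: the check must be able to read
    # certificates that are expired, self-signed or issued for another name.
    # Nothing returned by this function is authenticated.
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE

    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=None) as ssock:
            # With CERT_NONE, getpeercert() returns an empty dict, so the raw
            # DER form is fetched and decoded separately below.
            der_cert = ssock.getpeercert(binary_form=True)

    pem_cert = ssl.DER_cert_to_PEM_cert(der_cert)

    tmp_file = tempfile.NamedTemporaryFile(delete=False, mode='w', suffix='.pem')
    tmp_filename = tmp_file.name
    try:
        # The write sits inside the try so the temporary file is removed even
        # when writing fails.
        with tmp_file:
            tmp_file.write(pem_cert)

        # NOTE(review): ssl._ssl._test_decode_cert is a private CPython helper
        # that only accepts a file path (hence the temporary file). It is not
        # a supported API and may change between Python versions.
        decoded = ssl._ssl._test_decode_cert(tmp_filename)
        not_after = decoded.get('notAfter')

        # The subject is a sequence of RDNs, each a tuple of (key, value)
        # pairs; take the first commonName encountered.
        common_name = None
        for rdn in decoded.get('subject', []):
            if not isinstance(rdn, tuple):
                continue
            for key, value in rdn:
                if key == 'commonName':
                    common_name = value
                    break
            if common_name:
                break

        if not not_after:
            raise ValueError("Brak daty ważności w certyfikacie")

        expiry_date = datetime.strptime(not_after, '%b %d %H:%M:%S %Y %Z')
        return expiry_date, common_name
    finally:
        os.remove(tmp_filename)


def main():
    """Parse arguments, run the check and exit with the matching status."""
    parser = argparse.ArgumentParser(description='Sprawdza datę wygaśnięcia domyślnego certyfikatu SSL na IP')
    parser.add_argument('--ip', required=True, help='Adres IP serwera')
    parser.add_argument('--port', '-p', type=int, default=443, help='Port serwera (domyślnie 443)')
    parser.add_argument('--warning', '-w', type=int, default=30, help='Liczba dni do ostrzeżenia (WARNING)')
    parser.add_argument('--critical', '-c', type=int, default=10, help='Liczba dni do alarmu (CRITICAL)')
    # NOTE(review): argparse exits with status 2 on invalid arguments, which
    # is the same value as EXIT_CRITICAL rather than EXIT_UNKNOWN.
    args = parser.parse_args()

    try:
        expiry_date, cert_name = get_cert_expiry(args.ip, args.port)
        # The certificate name is attacker-controllable (unverified peer);
        # neutralise control characters before it reaches the status line.
        cert_name = sanitize_cert_name(cert_name)

        # notAfter is parsed as a naive datetime, so compare against a naive
        # UTC "now" (datetime.utcnow() is deprecated).
        now = datetime.now(timezone.utc).replace(tzinfo=None)
        days_left = (expiry_date - now).days

        base_msg = f"Wygasajacy certyfikat default na adresie IP: {args.ip} (dla domeny: {cert_name})"

        if days_left < 0:
            print(f"CRITICAL: {base_msg} wygasł {-days_left} dni temu")
            sys.exit(EXIT_CRITICAL)
        elif days_left <= args.critical:
            print(f"CRITICAL: {base_msg} w ciągu {days_left} dni")
            sys.exit(EXIT_CRITICAL)
        elif days_left <= args.warning:
            print(f"WARNING: {base_msg} w ciągu {days_left} dni")
            sys.exit(EXIT_WARNING)
        else:
            print(f"OK: {base_msg} ważny jeszcze {days_left} dni")
            sys.exit(EXIT_OK)
    except Exception as e:
        # sys.exit() raises SystemExit, which is not an Exception subclass,
        # so the exits above are not intercepted here.
        print(f"UNKNOWN: Błąd podczas sprawdzania certyfikatu: {e}")
        sys.exit(EXIT_UNKNOWN)


if __name__ == '__main__':
    main()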