diff --git a/database/mysql/mode/passwordexpiration.pm b/database/mysql/mode/passwordexpiration.pm
new file mode 100644
index 000000000..a2d9b3d3d
--- /dev/null
+++ b/database/mysql/mode/passwordexpiration.pm
@@ -0,0 +1,223 @@
+#
+# Copyright 2020 Centreon (http://www.centreon.com/)
+#
+# Centreon is a full-fledged industry-strength solution that meets
+# the needs in IT infrastructure and application monitoring for
+# service performance.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package database::mysql::mode::passwordexpiration;
+
+use base qw(centreon::plugins::templates::counter);
+
+use strict;
+use warnings;
+use DateTime;
+use centreon::plugins::misc;
+use centreon::plugins::statefile;
+use centreon::plugins::templates::catalog_functions qw(catalog_status_threshold_ng);
+
+sub custom_status_output {
+ my ($self, %options) = @_;
+
+ return sprintf(
+ "[user: %s] [password updated: %s] [expired: %s] expire in: %s",
+ $self->{result_values}->{user},
+ scalar(localtime($self->{result_values}->{password_last_changed})),
+ $self->{result_values}->{expire} eq 'never' ? $self->{result_values}->{expire} : $self->{result_values}->{expire} .
' days',
+ centreon::plugins::misc::change_seconds(value => $self->{result_values}->{expire_time})
+ );
+}
+
+sub set_counters {
+ my ($self, %options) = @_;
+
+ $self->{maps_counters_type} = [
+ { name => 'users', type => 2, format_output => '%s user(s) detected', display_counter_problem => { label => 'users', min => 0 },
+ group => [ { name => 'user', skipped_code => { -11 => 1 } } ]
+ }
+ ];
+
+ $self->{maps_counters}->{user} = [
+ { label => 'status', type => 2, critical_default => '%{expire} ne "never" and %{expire_time} == 0', set => {
+ key_values => [
+ { name => 'user' }, { name => 'expire' },
+ { name => 'expire_time' }, { name => 'password_last_changed' }
+ ],
+ closure_custom_output => $self->can('custom_status_output'),
+ closure_custom_perfdata => sub { return 0; },
+ closure_custom_threshold_check => \&catalog_status_threshold_ng
+ }
+ }
+ ];
+}
+
+sub new {
+ my ($class, %options) = @_;
+ my $self = $class->SUPER::new(package => __PACKAGE__, %options);
+ bless $self, $class;
+
+ $options{options}->add_options(arguments => {
+ });
+
+ return $self;
+}
+
+sub get_database_timezone {
+ my ($self, %options) = @_;
+
+ $options{sql}->query(
+ query => q{SELECT @@GLOBAL.time_zone, @@system_time_zone}
+ );
+ my @row = $options{sql}->fetchrow_array();
+ my $timezone = $row[0];
+ if ($row[0] eq 'SYSTEM') {
+ $timezone = $row[1];
+ }
+ return $timezone;
+}
+
+sub get_expire_time {
+ my ($self, %options) = @_;
+
+ my $current_time = time();
+ my $dt = DateTime->from_epoch(epoch => $options{epoch}, time_zone => $options{timezone});
+ $dt->add(days => $options{days});
+ my $expire_in = $dt->epoch() - time();
+ $expire_in = 0 if ($expire_in < 0);
+ return $expire_in;
+}
+
+sub get_password_mariadb {
+ my ($self, %options) = @_;
+
+ my $timezone = $self->get_database_timezone(sql => $options{sql});
+ $options{sql}->query(
+ query => q{show variables like 'default_password_lifetime'}
+ );
+ my ($name, $default_password_lifetime) = $options{sql}->fetchrow_array();
+ my $query = q{
+ SELECT Host, User,
+ JSON_EXTRACT(Priv, '$.password_last_changed') as password_last_changed,
+ JSON_EXTRACT(Priv, '$.password_lifetime') as password_lifetime
+ FROM mysql.global_priv
+ };
+ $options{sql}->query(query => $query);
+ my $i = 1;
+ while ((my @row = $options{sql}->fetchrow_array())) {
+ my $expire = 'never';
+ if ((!defined($row[3]) || $row[3] == -1) && $default_password_lifetime > 0) {
+ $expire = $default_password_lifetime;
+ } elsif (defined($row[3]) && $row[3] > 0) {
+ $expire = $row[3];
+ }
+ my $expire_time = 0;
+ if ($expire ne 'never') {
+ $expire_time = $self->get_expire_time(
+ epoch => $row[2],
+ days => $expire,
+ timezone => $timezone
+ );
+ }
+ $self->{users}->{global}->{user}->{$i} = {
+ user => $row[0] . '@' . $row[1],
+ password_last_changed => $row[2],
+ expire => $expire,
+ expire_time => $expire_time
+ };
+ $i++;
+ }
+}
+
+sub get_password_mysql {
+ my ($self, %options) = @_;
+
+ my $timezone = $self->get_database_timezone(sql => $options{sql});
+ $options{sql}->query(
+ query => q{show variables like 'default_password_lifetime'}
+ );
+ my ($name, $default_password_lifetime) = $options{sql}->fetchrow_array();
+
+ my $query = q{
+ SELECT User, Host, UNIX_TIMESTAMP(password_last_changed), password_lifetime
+ FROM mysql.user
+ };
+ $options{sql}->query(query => $query);
+ my $i = 1;
+ while ((my @row = $options{sql}->fetchrow_array())) {
+ my $expire = 'never';
+ if (!defined($row[3]) && $default_password_lifetime > 0) {
+ $expire = $default_password_lifetime;
+ } elsif (defined($row[3]) && $row[3] > 0) {
+ $expire = $row[3];
+ }
+ my $expire_time = 0;
+ if ($expire ne 'never') {
+ $expire_time = $self->get_expire_time(
+ epoch => $row[2],
+ days => $expire,
+ timezone => $timezone
+ );
+ }
+ $self->{users}->{global}->{user}->{$i} = {
+ user => $row[0] . '@' .
$row[1],
+ password_last_changed => $row[2],
+ expire => $expire,
+ expire_time => $expire_time
+ };
+ $i++;
+ }
+}
+
+sub manage_selection {
+ my ($self, %options) = @_;
+
+ $self->{users}->{global} = { user => {} };
+
+ $options{sql}->connect();
+ if ($options{sql}->is_mariadb() && $options{sql}->is_version_minimum(version => '10.4.3')) {
+ $self->get_password_mariadb(sql => $options{sql});
+ } elsif (!$options{sql}->is_mariadb() && $options{sql}->is_version_minimum(version => '5.7.4')) {
+ $self->get_password_mysql(sql => $options{sql});
+ } else {
+ $self->{output}->add_option_msg(short_msg => 'unsupported password policy.');
+ $self->{output}->option_exit();
+ }
+}
+
+1;
+
+__END__
+
+=head1 MODE
+
+Check user password expiration.
+
+=over 8
+
+=item B<--warning-status>
+
+Set warning threshold for status.
+Can used special variables like: %{user}, %{expire}, %{expire_time}
+
+=item B<--critical-status>
+
+Set critical threshold for status (Default: '%{expire} ne "never" and %{expire_time} == 0').
+Can used special variables like: %{user}, %{expire}, %{expire_time}
+
+=back
+
+=cut
diff --git a/database/mysql/plugin.pm b/database/mysql/plugin.pm
index 09693038f..23086971d 100644
--- a/database/mysql/plugin.pm
+++ b/database/mysql/plugin.pm
@@ -37,6 +37,7 @@ sub new {
 'long-queries' => 'database::mysql::mode::longqueries',
 'myisam-keycache-hitrate' => 'database::mysql::mode::myisamkeycachehitrate',
 'open-files' => 'database::mysql::mode::openfiles',
+ 'password-expiration' => 'database::mysql::mode::passwordexpiration',
 'qcache-hitrate' => 'database::mysql::mode::qcachehitrate',
 'queries' => 'database::mysql::mode::queries',
 'replication' => 'database::mysql::mode::replication',
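Review bot: In get_password_mariadb (passwordexpiration.pm) the query selects `Host, User` but the label is still built as `$row[0] . '@' . $row[1]`, so MariaDB accounts are reported as host@user while get_password_mysql, which selects `User, Host`, reports user@host. Selecting `User, Host,` in the MariaDB query would keep `%{user}` filters and alert text consistent across both back ends. Both loops also hand `$row[2]` to get_expire_time unchecked; if `password_last_changed` can come back NULL for an account (plausible for rows lacking that field, though nothing in the hunk confirms it), `DateTime->from_epoch` receives an undefined epoch, so a `defined($row[2])` test before the call, with the account reported rather than skipped, would keep one row from breaking the whole expiry check. In get_expire_time, `my $current_time = time();` is never used because `time()` is called again two lines later. The POD could also state which read privileges on `mysql.user` / `mysql.global_priv` the monitoring account needs, so operators grant only those.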