#!/bin/bash

# Default alert thresholds, in days of remaining certificate validity.
# The -w and -c command-line options replace these values.
WARN_DAYS=30
CRIT_DAYS=15

# Plugin exit codes understood by Nagios; they never change during a run.
readonly STATE_OK=0 STATE_WARNING=1 STATE_CRITICAL=2 STATE_UNKNOWN=3

#######################################
# Print the command-line synopsis and terminate the check.
# Globals:   STATE_UNKNOWN (read)
# Outputs:   one usage line on stdout (Nagios captures stdout)
# Returns:   does not return; exits with STATE_UNKNOWN
#######################################
usage() {
    printf 'Usage: %s -p <path1,path2> [-w <warn_days>] [-c <crit_days>]\n' "$0"
    exit "$STATE_UNKNOWN"
}

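# Parse arguments.
#   -p  comma-separated list of directories to scan (required)
#   -w  warning threshold in days (non-negative integer)
#   -c  critical threshold in days (non-negative integer)
#
# The thresholds are later used as operands of [[ ... -le ... ]], which bash
# evaluates as arithmetic expressions rather than comparing as text. Check
# arguments often come from a command definition or a remote-execution agent,
# so anything that is not a plain decimal number is rejected here, before it
# can reach that evaluation.

# Start from an empty list so that a PATHS variable inherited from the
# environment cannot satisfy the "-p is required" check below.
PATHS=()

while getopts "p:w:c:" opt; do
    case "$opt" in
        p) IFS=',' read -ra PATHS <<< "$OPTARG" ;;
        w)
            [[ "$OPTARG" =~ ^[0-9]+$ ]] || usage
            # 10# forces base 10 so a value such as "08" is not read as octal.
            WARN_DAYS=$((10#$OPTARG))
            ;;
        c)
            [[ "$OPTARG" =~ ^[0-9]+$ ]] || usage
            CRIT_DAYS=$((10#$OPTARG))
            ;;
        *) usage ;;
    esac
done

# At least one non-empty path is mandatory.
if [[ -z "${PATHS[*]}" ]]; then usage; fi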

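# Overall result of the check. Precedence is CRITICAL > UNKNOWN > WARNING > OK,
# so an expiring certificate is never hidden by a less specific problem that
# happens to be found later in the run.
final_status=$STATE_OK
output_msg=""

# One timestamp for the whole run, so every certificate is measured against
# the same "now".
now_epoch=$(date +%s)

for search_path in "${PATHS[@]}"; do
    if [[ ! -d "$search_path" ]]; then
        output_msg+="Path $search_path not found; "
        # A missing directory must not downgrade a CRITICAL already recorded.
        if [[ $final_status -ne $STATE_CRITICAL ]]; then
            final_status=$STATE_UNKNOWN
        fi
        continue
    fi

    # Walk the common certificate extensions. The list is NUL-delimited so
    # that file names containing spaces, newlines or glob characters are
    # handled as single paths instead of being split or expanded.
    # NOTE: -type f does not match symbolic links, so certificates that are
    # reachable only through a symlink are not checked.
    while IFS= read -r -d '' cert; do
        # Read the notAfter date. openssl x509 parses only the first
        # certificate in a file; further certificates in a bundle are not
        # inspected.
        expiry_date=$(openssl x509 -enddate -noout -in "$cert" 2>/dev/null | cut -d= -f2)

        # Deliberate best effort: files that are not certificates (for
        # example a .pem holding a key) produce no date and are skipped.
        if [[ -z "$expiry_date" ]]; then continue; fi

        # Convert the date to epoch seconds. If date cannot parse it, report
        # that instead of computing a bogus day count from an empty value.
        if ! expiry_epoch=$(date -d "$expiry_date" +%s 2>/dev/null); then
            output_msg+="$(basename "$cert") has unparseable expiry date; "
            if [[ $final_status -ne $STATE_CRITICAL ]]; then
                final_status=$STATE_UNKNOWN
            fi
            continue
        fi

        # Whole days remaining; negative once the certificate has expired.
        expiry_diff=$(( (expiry_epoch - now_epoch) / 86400 ))

        # Map the remaining days onto a Nagios state. WARN_DAYS and CRIT_DAYS
        # are evaluated arithmetically here and must be plain integers.
        if [[ $expiry_diff -le $CRIT_DAYS ]]; then
            output_msg+="$(basename "$cert") EXPIRES IN $expiry_diff DAYS; "
            final_status=$STATE_CRITICAL
        elif [[ $expiry_diff -le $WARN_DAYS ]]; then
            output_msg+="$(basename "$cert") expires in $expiry_diff days; "
            # Raise to WARNING only from OK; UNKNOWN and CRITICAL are kept.
            if [[ $final_status -lt $STATE_WARNING ]]; then
                final_status=$STATE_WARNING
            fi
        fi
    done < <(find "$search_path" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
done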

# Emit the single status line Nagios reads from stdout, then hand the
# aggregated state back as the plugin's exit code.
if (( final_status == STATE_OK )); then
    printf 'OK: All certificates are valid for more than %s days.\n' "$WARN_DAYS"
else
    # Any non-OK state carries the accumulated per-path / per-file findings.
    printf 'STATUS: %s\n' "$output_msg"
fi

exit "$final_status"