From 338c61183ea080cc7cfcdcdf7b69d378b8089425 Mon Sep 17 00:00:00 2001
From: Paul Collins
Date: Tue, 30 May 2017 14:47:47 +1200
Subject: [PATCH] add check_vault_version.py, and deploy it
---
files/nagios/check_vault_version.py | 78 +++++++++++++++++++++++++++++
reactive/vault.py | 7 +++
2 files changed, 85 insertions(+)
create mode 100755 files/nagios/check_vault_version.py
diff --git a/files/nagios/check_vault_version.py b/files/nagios/check_vault_version.py
new file mode 100755
index 0000000..e7cf4be
--- /dev/null
+++ b/files/nagios/check_vault_version.py
@@ -0,0 +1,78 @@
+#!/usr/bin/python3
+
+#
+# Copyright 2017 Canonical Ltd.
+#
+# Author:
+# Paul Collins
+#
+
+import json
+import socket
+import ssl
+import sys
+
+from textwrap import dedent
+from urllib.request import urlopen
+
+#VAULT_HEALTH_URL = 'https://vault.staging.admin.canonical.com:8200/v1/sys/health'
+#VAULT_VERIFY_SSL = True
+VAULT_HEALTH_URL = 'https://127.0.0.1:8200/v1/sys/health'
+VAULT_VERIFY_SSL = False
+
+SNAPD_INFO_REQUEST = dedent("""\
+ GET /v2/snaps/{snap} HTTP/1.1\r
+ Host:\r
+ \r
+ """)
+
+SNAPD_SOCKET = '/run/snapd.socket'
+
+
+def get_vault_snap_version():
+ with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as snapd:
+ snapd.connect(SNAPD_SOCKET)
+ snapd.sendall(SNAPD_INFO_REQUEST.format(snap='vault').encode('utf-8'))
+ # TODO(pjdc): This should be a loop.
+ info = json.loads(snapd.recv(1024 * 1024).decode('utf-8').split('\n')[-1])
+ version = info['result']['version']
+ if version.startswith('v'):
+ version = version[1:]
+ return version
+
+
+def get_vault_server_version(verify=True):
+ ctx = None
+ if not verify:
+ ctx = ssl.create_default_context()
+ ctx.check_hostname = False
+ ctx.verify_mode = ssl.CERT_NONE
+ with urlopen(VAULT_HEALTH_URL, context=ctx) as health:
+ return json.loads(health.read().decode('utf-8'))['version']
+
+
+if __name__ == '__main__':
+ try:
+ snapv = get_vault_snap_version()
+ except Exception as e:
+ print('CRITICAL: failed to fetch version of '
+ 'installed vault snap: {}'.format(e))
+ sys.exit(2)
+
+ try:
+ serverv = get_vault_server_version(verify=VAULT_VERIFY_SSL)
+ except Exception as e:
+ print('CRITICAL: failed to fetch version of '
+ 'running vault server: {}'.format(e))
+ sys.exit(2)
+
+ if serverv == snapv:
+ print('OK: running vault ({}) is the same '
+ 'as the installed snap ({})'.format(
+ serverv, snapv))
+ sys.exit(1)
+
+ print('CRITICAL: running vault ({}) is not the same '
+ 'as the installed snap ({})'.format(
+ serverv, snapv))
+ sys.exit(2)
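Review bot: The success branch at the end of the `__main__` block prints `OK: ...` and then calls `sys.exit(1)`, which Nagios/NRPE interprets as WARNING; it should be `sys.exit(0)`. Separately, `VAULT_VERIFY_SSL = False` makes `get_vault_server_version` set `check_hostname = False` and `verify_mode = ssl.CERT_NONE`, so the check accepts a version string from whatever process answers on 127.0.0.1:8200. A comment stating that this is tolerated only because the URL is loopback, or a context built from the deployment's CA, would make that trade-off explicit. `urlopen` is also called without `timeout=` and raises `HTTPError` on non-200 replies, which Vault's health endpoint returns by default for sealed or standby nodes, so those states would surface as "failed to fetch version" rather than a version comparison.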
diff --git a/reactive/vault.py b/reactive/vault.py
index fd7be84..2abd1e3 100644
--- a/reactive/vault.py
+++ b/reactive/vault.py
@@ -160,6 +160,13 @@ def update_nagios(svc):
 current_unit = get_nagios_unit_name()
 nrpe = NRPE(hostname=hostname)
 add_init_service_checks(nrpe, ['vault'], current_unit)
+ write_file('/usr/lib/nagios/plugins/check_vault_version.py',
+ open('files/nagios/check_vault_version.py', 'rb').read(), perms=0o755)
+ nrpe.add_check(
+ 'vault_version',
+ 'Check running vault server version is same as installed snap',
+ '/usr/lib/nagios/plugins/check_vault_version.py',
+ )
 nrpe.write()
 set_state('vault.nrpe.configured')
 status_set('active', 'Nagios checks configured')
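Review bot: The `open('files/nagios/check_vault_version.py', 'rb').read()` argument passed to `write_file` never closes the file handle and resolves the path against the hook's current working directory, so the root-owned plugin that NRPE will execute is read from wherever the process happens to be running. Reading it inside `with open(plugin_src, 'rb') as f:` with `plugin_src` built from the charm directory (for example via charmhelpers' `charm_dir()`, if it is imported in this module) would remove both problems. The installed path `/usr/lib/nagios/plugins/check_vault_version.py` is repeated in the `write_file` and `nrpe.add_check` calls and would read better as one local constant. The body of `update_nagios` starts and ends outside this hunk.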