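#!/usr/bin/env bash
# Check SSL certificates for key domains
#
# Run: ./validity.sh
#
# For every host in `hosts`, fetch the certificate it serves, print its
# names/subject, issuer and validity dates, and push a notification when fewer
# than `nday` days remain. Only the validity dates are acted on: nothing here
# fails on an untrusted chain or a hostname mismatch.
#
# Tokens are read from $HOME/.env: GOTIFY_BASH (Gotify), BASH_APP and USER_KEY
# (Pushover).

VERSION="v0.9"

red="\033[1;31m"
greenbold="\033[1;32m"
green="\033[0;32m"
yellow="\033[0;33m"
yellowbold="\033[1;33m"
bold="\033[1m"
italic="\033[3m"
#bold_under="\033[1;4m"
underline="\033[4m"
reset="\033[0m"

#echo | openssl s_client -servername maboiteverte.fr -connect maboiteverte.fr:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates

#export PATH="/usr/local/bin:$PATH"
# run by cron $PATH=/usr/bin:/bin

#command -v showcert >/dev/null 2>&1 || { echo -e "${bold}showcert${reset} is not installed ${italic}(pip install showcert)${reset}. Aborting..." >&2; exit 1; }

# Connectivity probe: stop early instead of reporting every host as broken.
if ! curl -Is https://www.apple.com | head -1 | grep -q 200; then
  printf '%b\n' "\n${red}No Internet connection !${reset}"
  printf '%s\n' "Exit !"
  exit 1
fi

hosts=("maboiteverte.fr" "sur-le-sentier.fr" "photos-nas.ovh" "clicclac.info")
#hosts=("maboiteverte.fr")
port=443

# Days left before notification
nday=15

# Choose the notification
notif="pushover"

#######################################
# Load and export the variables defined in $HOME/.env.
# The file is executed as shell code and holds API tokens, so it should be
# owned by the user running this script and not readable or writable by others.
# Globals:   HOME (read); every variable assigned in .env (written, exported)
# Outputs:   a warning on stdout when the file is missing
#######################################
dotenv() {
  if [[ -f "$HOME/.env" ]]; then
    set -a
    # shellcheck disable=SC1091
    . "$HOME/.env"
    set +a
  else
    printf '%b\n' "${red}\nNo .env file found ! No token for gotify.${reset}"
  fi
}

dotenv

#######################################
# Escape a string for use inside a JSON string literal.
# Certificate fields come from the remote server, so they are never pasted
# into the JSON payload unescaped.
# Arguments: $1 - raw text
# Outputs:   escaped text on stdout (no trailing newline)
#######################################
json_escape() {
  local s=$1 bs='\' dq='"'
  # Quoted replacements are taken literally by every bash version.
  s=${s//"$bs"/"$bs$bs"}
  s=${s//"$dq"/"$bs$dq"}
  s=${s//$'\n'/"${bs}n"}
  s=${s//$'\r'/"${bs}r"}
  s=${s//$'\t'/"${bs}t"}
  # Remaining control characters are not valid inside a JSON string: drop them.
  s=${s//[[:cntrl:]]/}
  printf '%s' "$s"
}

#######################################
# Send a markdown message to the Gotify server.
# Globals:   GOTIFY_BASH (read) - application token
# Arguments: $1 - title, $2 - markdown message
# Returns:   0 when curl reports success, 1 otherwise
#######################################
send_gotify_notification() {
  # Enabled HSTS & created default WebSocket records in the DSM 7.2 reverse proxy window and it solved itself.
  local gotify_server="https://gotify.maboiteverte.fr"
  local gotify_token="$GOTIFY_BASH"
  local priority=8
  local payload

  if [[ -z "$gotify_token" ]]; then
    printf '%b\n' "${red}error sending Gotify notification !${reset}"
    return 1
  fi

  payload=$(printf '{"message": "%s", "title": "%s", "priority": %d, "extras": {"client::display": {"contentType": "text/markdown"}}}' \
    "$(json_escape "$2")" "$(json_escape "$1")" "$priority")

  printf '%s\n' "Sending notification to $gotify_server ..."
  # -S, --show-error Show error even when -s is used
  # -s, --silent Silent mode
  # --fail makes an HTTP 4xx/5xx answer count as a failure.
  # The token goes in a header rather than the URL so that it does not end up
  # in proxy or server access logs (it is still visible in the process list).
  if curl -s -S --fail --output /dev/null \
    -H 'Content-Type: application/json' \
    -H "X-Gotify-Key: $gotify_token" \
    --data "$payload" "$gotify_server/message"; then
    printf '%b\n' "${greenbold}Gotify notification sent successfully !${reset}"
  else
    printf '%b\n' "${red}error sending Gotify notification !${reset}"
    return 1
  fi
}

#######################################
# Send a message through the Pushover API.
# Globals:   BASH_APP (read) - application token, USER_KEY (read) - user key
# Arguments: $1 - title, $2 - message
# Returns:   0 when curl reports success, 1 otherwise
#######################################
send_pushover_notification() {
  printf '%s\n' "Sending Pushover notification ..."
  # --form-string sends each value literally: with -F, a leading '@' or '<'
  # or a ';type=' inside certificate-derived text would be interpreted by curl.
  # NOTE(review): html=1 means certificate fields are rendered as HTML by the
  # Pushover client; escape &, < and > if that matters.
  if curl -S -s --fail -o /dev/null \
    --form-string "token=$BASH_APP" \
    --form-string "user=$USER_KEY" \
    --form-string "title=$1" \
    --form-string "priority=2" \
    --form-string "html=1" \
    --form-string "retry=60" \
    --form-string "expire=86400" \
    --form-string "message=$2" \
    https://api.pushover.net/1/messages.json; then
    printf '%b\n' "${greenbold}Pushover notification sent successfully !${reset}"
  else
    printf '%b\n' "${red}error sending Pushover notification !${reset}"
    return 1
  fi
}

#######################################
# Dispatch a notification to the channel selected by `notif`.
# Globals:   notif (read)
# Arguments: $1 - title, $2 - markdown body (gotify), $3 - body for pushover
#######################################
notify() {
  if [[ "$notif" == "gotify" ]]; then
    send_gotify_notification "$1" "$2"
  elif [[ "$notif" == "pushover" ]]; then
    send_pushover_notification "$1" "$3"
  fi
}

# showcert is optional; openssl + dig are used when it is not installed.
have_showcert=0
command -v showcert >/dev/null 2>&1 && have_showcert=1

for host in "${hosts[@]}"; do
  # Reset per-host state so that a failed lookup never reuses the values of
  # the previous host.
  cert="" ip="" names="" issuer="" subject="" start="" end="" left=""

  if ((have_showcert)); then
    cert=$(showcert "$host")
    ip=$(awk -F": " '/IP/ {print $2}' <<<"$cert")
    names=$(awk -F": " '/Names/ {print $2}' <<<"$cert")
    issuer=$(awk -F": " '/Issuer/ {print $2}' <<<"$cert")
    start=$(awk -F": " '/Before/ {print $2}' <<<"$cert")
    end=$(awk -F": " '/notAfter/ {print $2}' <<<"$cert")
    # "2025-01-27 23:59:59 (87 days left)" -> 87
    left=$(awk -F" " '{split($3, arr, "[()]"); print arr[2]}' <<<"$end")

    # maboiteverte.fr
    # IP: 212.227.191.167
    # Names: *.maboiteverte.fr maboiteverte.fr
    # notBefore: 2024-01-08 00:00:00 (298 days old)
    # notAfter: 2025-01-27 23:59:59 (87 days left)
    # Issuer: C=US O=DigiCert Inc OU=www.digicert.com CN=Encryption Everywhere DV TLS CA - G2
    # Tags: [CHAIN-VERIFIED]

    h="$host ($ip)"
    n="Names: $names"
    i="Issuer: $issuer"
    s="Date début: $start"
    e="Date fin: $end"
  else
    printf '%s\n' "$host"
    # -servername sets SNI explicitly so the certificate of the right virtual
    # host is returned, whatever the openssl version does by default.
    cert=$(openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
      | openssl x509 -issuer -subject -dates -noout 2>/dev/null)
    issuer=$(awk -F"issuer=" '/issuer/ {print $2}' <<<"$cert")
    subject=$(awk -F"subject=" '/subject/ {print $2}' <<<"$cert")
    start=$(awk -F"=" '/Before/ {print $2}' <<<"$cert")
    end=$(awk -F"=" '/notAfter/ {print $2}' <<<"$cert")

    if [[ -n "$end" ]]; then
      timestamp_current=$(date +"%s")
      # An unparsable date leaves `left` empty and is reported as a failed check.
      if timestamp_end=$(date --date="$end" +"%s" 2>/dev/null); then
        left=$(((timestamp_end - timestamp_current) / (60 * 60 * 24)))
        end="$end ($left days left)"
      fi
    fi
    ip=$(dig +short "$host")

    # issuer=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Encryption Everywhere DV TLS CA - G2
    # subject=CN=*.maboiteverte.fr
    # notBefore=Jan 8 00:00:00 2024 GMT
    # notAfter=Jan 27 23:59:59 2025 GMT

    h="$host ($ip)"
    n="Subject: $subject"
    i="Issuer: $issuer"
    s="Date début: $start"
    e="Date fin: $end"
  fi

  # No usable expiry date: report the failed check instead of comparing an
  # empty or stale value against the threshold.
  if [[ ! "$left" =~ ^-?[0-9]+$ ]]; then
    printf '%b%s%b\n' "$red" "$host: certificate could not be read or parsed" "$reset" >&2
    notify "$host certificate could not be checked !" \
      "No certificate data could be read from $host:$port." \
      "No certificate data could be read from $host:$port."
    printf '\n\n'
    sleep 1
    continue
  fi

  # Certificate fields are printed with %s: they are remote data and must not
  # be interpreted as escape sequences.
  printf '%b%s%b\n' "$bold" "$h" "$reset"
  printf '%s\n' "$n" "$i" "$s"

  if [ "$left" -lt "$nday" ]; then
    printf '%b%s%b\n' "$red" "$e" "$reset"

    # Run by cron
    printf -v msg_md '**%s**\n\n %s\n\n %s\n\n %s\n\n %s' "$h" "$n" "$i" "$s" "$e"
    printf -v msg_html '%s\n%s\n%s\n%s\n%s' "$h" "$n" "$i" "$s" "$e"
    notify "$host certificat will expire in $left day !" "$msg_md" "$msg_html"
  else
    printf '%b%s%b\n' "$green" "$e" "$reset"
  fi

  printf '\n\n'
  sleep 1
done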