#!/bin/ash

# check_opkg - check for available upgrades on OpenWRT (https://openwrt.org/) or LEDE (https://lede-project.org/)
# prerequisites: make sure you have NRPE up and running, so you can call this script from your
#                remote nagios/icinga instance
#
# check goes WARNING, if there are any packages to be upgraded
# check goes CRITICAL, if one of the packages in $CRITICAL_PACKAGES is not up to date

EXIT=3
MESSAGE="UNKNOWN"
UPGRADABLE_CRITICAL=""
UPGRADABLE_NORMAL=""
CRITICAL_PACKAGES="iptables
dropbear
nrpe
"

# just make sure package database is updated
OPKG_UPDATE_OUTPUT=$(opkg --verbosity=0 update 2>&1)
OPKG_UPDATE_EXIT_CODE=$?

if [[ "$OPKG_UPDATE_EXIT_CODE" -ne "0" ]]; then
	echo -e "CRITICAL - package database could not be updated.\nReason: $OPKG_UPDATE_OUTPUT"
	exit 2
fi

UPGRADABLE_PACKAGES=$(opkg list-upgradable | cut -d" " -f1)

if [[ -z "$UPGRADABLE_PACKAGES" ]]; then
	echo "OK - there are no upgrades available"
	exit 0
else
	for PKG in $UPGRADABLE_PACKAGES; do
		for CRIT_PKG in $CRITICAL_PACKAGES; do
			if [[ "$PKG" == "$CRIT_PKG" ]]; then
				UPGRADABLE_CRITICAL="$PKG\n$UPGRADABLE_CRITICAL"
			else
				UPGRADABLE_NORMAL="$PKG\n$UPGRADABLE_NORMAL"
			fi
		done
	done
fi

UPGRADABLE_CRITICAL=$(echo -e $UPGRADABLE_CRITICAL | uniq)
UPGRADABLE_NORMAL=$(echo -e $UPGRADABLE_NORMAL | uniq)

if [[ -z "$UPGRADABLE_CRITICAL" ]]; then
	EXIT=1
	MESSAGE="WARNING - the following packages are not up to date: $UPGRADABLE_NORMAL"
else
	EXIT=2
	MESSAGE="CRITICAL - the following packages are not up to date and are defined to be critical for overall system security: $UPGRADABLE_CRITICAL"
	if [[ -n "$UPGRADABLE_NORMAL" ]]; then
		MESSAGE="$MESSAGE. All packages that have updates: $UPGRADABLE_NORMAL"
	fi
fi
echo $MESSAGE
exit $EXIT