package checker

import (
	"context"
	"fmt"

	sdk "git.happydns.org/checker-sdk-go/checker"
)

// cnameDnssecRule checks that a CNAME living in a DNSSEC-signed zone is
// itself covered by an RRSIG. As the remediation hint below states, an
// unsigned answer in a signed zone SERVFAILs at validating resolvers, so a
// missing signature on the alias breaks resolution for those clients.
type cnameDnssecRule struct{}

// Name returns the rule identifier reported in check results.
func (cnameDnssecRule) Name() string { return "cname_dnssec" }

// Description returns a one-line summary of what the rule verifies.
func (cnameDnssecRule) Description() string {
	return "Verifies that, in a DNSSEC-signed zone, the CNAME at Owner carries an RRSIG."
}

// Evaluate runs the rule against the observations gathered for an alias.
//
// Alias data comes from loadAlias; when it reports a failure, the states it
// produced are returned unchanged. The rule is skipped (never failed) when a
// precondition is unknown or not met: apex lookup failed, the zone is not
// signed, the owner has no CNAME, or the DO-bit probe for the CNAME did not
// complete. Only a signed zone whose CNAME is unsigned yields a critical
// state, with a remediation hint attached. The options argument is unused.
func (cnameDnssecRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
	alias, failure := loadAlias(ctx, obs)
	if failure != nil {
		return failure
	}

	// Preconditions are tested in the same order as before; the first one
	// that does not hold decides the skip reason.
	switch {
	case !apexKnown(alias):
		return skipped("apex lookup failed")
	case !alias.ZoneSigned:
		return skipped("zone not DNSSEC-signed")
	case !alias.OwnerHasCNAME:
		return skipped("owner has no CNAME")
	case !alias.CNAMESigCheckDone:
		// Without a completed probe "unsigned" cannot be told apart from
		// "unanswered", so neither OK nor CRIT is reported.
		return skipped("DO-bit CNAME probe did not complete")
	}

	if alias.CNAMESigned {
		return okState(alias.Owner, fmt.Sprintf("CNAME at %s is DNSSEC-signed", alias.Owner))
	}

	crit := sdk.CheckState{
		Status:  sdk.StatusCrit,
		Subject: alias.Owner,
		Message: fmt.Sprintf("zone %s is DNSSEC-signed but CNAME at %s has no RRSIG", alias.Apex, alias.Owner),
	}
	hint := "Re-sign the zone or verify your signer covers the alias RRset; unsigned answers in a signed zone SERVFAIL at validating resolvers."
	return []sdk.CheckState{withHint(crit, hint)}
}