Initial commit

checker/types.go

@@ -0,0 +1,50 @@
+// Package checker implements the CAA compliance checker for happyDomain.
+//
+// It consumes observations published by checker-tls (the "tls_probes" key)
+// and cross-references each observed certificate issuer against the CAA
+// policy declared by the domain's svcs.CAAPolicy service. No network
+// probes are performed here.
+package checker
+
+// ObservationKeyCAA is the observation key this checker writes. Its
+// payload is a pass-through of the zone-side CAA records; the
+// checker does not re-query DNS.
+const ObservationKeyCAA = "caa_policy"
+
+// TLSRelatedKey is the observation key this checker reads from other
+// checkers via ObservationGetter.GetRelated. Matches the key
+// published by checker-tls.
+const TLSRelatedKey = "tls_probes"
+
+// Severity values used in Issue.Severity (lowercase, ascii). Kept in
+// sync with the other happyDomain checkers so aggregators can merge
+// severities by string.
+const (
+	SeverityCrit = "crit"
+	SeverityWarn = "warn"
+	SeverityInfo = "info"
+)
+
+// Rule code values surfaced by CheckState.Code.
+const (
+	CodeOK                 = "caa_ok"
+	CodeNoTLS              = "caa_no_tls"
+	CodeNotAuthorized      = "caa_not_authorized"
+	CodeIssuanceDisallowed = "caa_issuance_disallowed"
+	CodeIssuerUnknown      = "caa_issuer_unknown"
+	CodeObservationError   = "caa_observation_error"
+	CodeUnknownCritical    = "caa_unknown_critical"
+)
+
+// CAAData is the payload written under ObservationKeyCAA.
+type CAAData struct {
+	Domain  string      `json:"domain,omitempty"`
+	Records []CAARecord `json:"records,omitempty"`
+	RunAt   string      `json:"run_at,omitempty"`
+}
+
+type CAARecord struct {
+	Flag  uint8  `json:"flag"`
+	Tag   string `json:"tag"`
+	Value string `json:"value"`
+}