feat: publish tls.endpoint.v1 discovery entry to enable GetRelated

2026-05-15 18:44:21 +08:00 · 2026-05-15 18:44:21 +08:00 · c6400c7773
commit c6400c7773
parent 97b2545e2d
4 changed files with 34 additions and 16 deletions
--- a/README.md
+++ b/README.md
@ -25,22 +25,11 @@ Identifiers" mapping.
   - compares the observed identifiers against the `issue` /
     `issuewild` allow list (or flags a `DisallowIssue` violation).

-## Observation payload
+## Rules

-This checker does not publish endpoints or add a new observation
-schema. Under its own observation key `caa_policy` it returns a
-pass-through view of the zone-side CAA records:
-
-```json
-{
-  "domain": "example.net",
-  "records": [
-    { "flag": 0, "tag": "issue",     "value": "letsencrypt.org" },
-    { "flag": 0, "tag": "issuewild", "value": ";" }
-  ],
-  "run_at": "2026-04-22T12:34:56Z"
-}
-```
+| Code               | Description                                                                                                          | Severity |
+|--------------------|----------------------------------------------------------------------------------------------------------------------|----------|
+| `caa_compliance`   | Cross-references TLS certificates observed on the domain against its CAA `issue`/`issuewild` policy, mapping each observed issuer to its CCADB-published CAA identifier. | CRITICAL |

 ## Rule outcomes

--- a/checker/discover.go
+++ b/checker/discover.go
@ -0,0 +1,26 @@
+package checker
+
+import (
+	sdk "git.happydns.org/checker-sdk-go/checker"
+	tlscontract "git.happydns.org/checker-tls/contract"
+)
+
+// DiscoverEntries publishes one tls.endpoint.v1 entry for the domain's HTTPS
+// endpoint so checker-tls probes it. Implements sdk.DiscoveryPublisher.
+// On the next checker-tls run the engine will store a DiscoveryObservationRef
+// linking its snapshot back to this checker; GetRelated("tls_probes") in the
+// rule will then return the observed certificates.
+func (p *caaProvider) DiscoverEntries(data any) ([]sdk.DiscoveryEntry, error) {
+	d, ok := data.(*CAAData)
+	if !ok || d == nil || d.Domain == "" {
+		return nil, nil
+	}
+	entry, err := tlscontract.NewEntry(tlscontract.TLSEndpoint{
+		Host: d.Domain,
+		Port: 443,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return []sdk.DiscoveryEntry{entry}, nil
+}
--- a/go.mod
+++ b/go.mod
@ -4,6 +4,7 @@ go 1.25.0

 require (
 	git.happydns.org/checker-sdk-go v1.5.0
+	git.happydns.org/checker-tls v0.6.2
 	github.com/miekg/dns v1.1.72
 )

--- a/go.sum
+++ b/go.sum
@ -1,5 +1,7 @@
 git.happydns.org/checker-sdk-go v1.5.0 h1:5uD5Cm6xJ+lwnhbJ09iCXGHbYS9zRh+Yh0NeBHkAPBY=
 git.happydns.org/checker-sdk-go v1.5.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
+git.happydns.org/checker-tls v0.6.2 h1:8oKia1XlD+tklyqrwzmUgFH1Kw8VLSLLF9suZ7Qr14E=
+git.happydns.org/checker-tls v0.6.2/go.mod h1:9tpnxg0iOwS+7If64DRG1jqYonUAgxOBuxwfF5mVkL4=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=