From c6400c7773d3ede713252e1f2e081a6c55d539ec Mon Sep 17 00:00:00 2001 From: Pierre-Olivier Mercier Date: Fri, 15 May 2026 18:44:21 +0800 Subject: [PATCH] feat: publish tls.endpoint.v1 discovery entry to enable GetRelated --- README.md | 19 ++++--------------- checker/discover.go | 26 ++++++++++++++++++++++++++ go.mod | 1 + go.sum | 2 ++ 4 files changed, 33 insertions(+), 15 deletions(-) create mode 100644 checker/discover.go diff --git a/README.md b/README.md index 7f72fb6..838cda5 100644 --- a/README.md +++ b/README.md @@ -25,22 +25,11 @@ Identifiers" mapping. - compares the observed identifiers against the `issue` / `issuewild` allow list (or flags a `DisallowIssue` violation). -## Observation payload +## Rules -This checker does not publish endpoints or add a new observation -schema. Under its own observation key `caa_policy` it returns a -pass-through view of the zone-side CAA records: - -```json -{ - "domain": "example.net", - "records": [ - { "flag": 0, "tag": "issue", "value": "letsencrypt.org" }, - { "flag": 0, "tag": "issuewild", "value": ";" } - ], - "run_at": "2026-04-22T12:34:56Z" -} -``` +| Code | Description | Severity | +|--------------------|----------------------------------------------------------------------------------------------------------------------|----------| +| `caa_compliance` | Cross-references TLS certificates observed on the domain against its CAA `issue`/`issuewild` policy, mapping each observed issuer to its CCADB-published CAA identifier. | CRITICAL | ## Rule outcomes diff --git a/checker/discover.go b/checker/discover.go new file mode 100644 index 0000000..76dadbf --- /dev/null +++ b/checker/discover.go 
@@ -0,0 +1,26 @@
+package checker
+
+import (
+	sdk "git.happydns.org/checker-sdk-go/checker"
+	tlscontract "git.happydns.org/checker-tls/contract"
+)
+
+// DiscoverEntries publishes one tls.endpoint.v1 entry for the domain's HTTPS
+// endpoint so checker-tls probes it. Implements sdk.DiscoveryPublisher.
+// On the next checker-tls run the engine will store a DiscoveryObservationRef
+// linking its snapshot back to this checker; GetRelated("tls_probes") in the
+// rule will then return the observed certificates.
+func (p *caaProvider) DiscoverEntries(data any) ([]sdk.DiscoveryEntry, error) {
+	d, ok := data.(*CAAData)
+	if !ok || d == nil || d.Domain == "" {
+		return nil, nil
+	}
+	entry, err := tlscontract.NewEntry(tlscontract.TLSEndpoint{
+		Host: d.Domain,
+		Port: 443,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return []sdk.DiscoveryEntry{entry}, nil
+}
diff --git a/go.mod b/go.mod
index b75831c..aad28fc 100644
--- a/go.mod
+++ b/go.mod
@@ -4,6 +4,7 @@ go 1.25.0
 
 require (
 	git.happydns.org/checker-sdk-go v1.5.0
+	git.happydns.org/checker-tls v0.6.2
 	github.com/miekg/dns v1.1.72
 )
 
diff --git a/go.sum b/go.sum
index 2a80023..d4ff867 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,7 @@
 git.happydns.org/checker-sdk-go v1.5.0 h1:5uD5Cm6xJ+lwnhbJ09iCXGHbYS9zRh+Yh0NeBHkAPBY=
 git.happydns.org/checker-sdk-go v1.5.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
+git.happydns.org/checker-tls v0.6.2 h1:8oKia1XlD+tklyqrwzmUgFH1Kw8VLSLLF9suZ7Qr14E=
+git.happydns.org/checker-tls v0.6.2/go.mod h1:9tpnxg0iOwS+7If64DRG1jqYonUAgxOBuxwfF5mVkL4=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
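Review bot: In `DiscoverEntries` the `!ok` branch returns `nil, nil`, the same result as an empty `d.Domain`, so a wrong payload type handed in by the engine is indistinguishable from "nothing to probe": the rule then gets no entries back from `GetRelated("tls_probes")` and, depending on how it treats an empty result, may report `caa_compliance` (listed as CRITICAL in the README) as clean on no evidence. I would keep `nil, nil` only for the empty-domain case and make the mismatch visible, e.g. `return nil, fmt.Errorf("DiscoverEntries: unexpected data type %T", data)` (needs a `"fmt"` import), and, if `CAAData.Domain` can carry a zone-style trailing dot, strip it with `strings.TrimSuffix(d.Domain, ".")` before using it as the TLS `Host` — `CAAData` is defined outside this hunk, so I cannot confirm its form here. The doc comment should also state the scope limit of this discovery: only the certificate presented on `domain:443` is observed, so a passing rule means the served certificate is consistent with the CAA policy, not that no other certificate was issued for the name or its subdomains. The phrase "On the next checker-tls run the engine will store a DiscoveryObservationRef" describes engine behaviour not visible in this change and would read better hedged or referenced to the SDK documentation.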