// Package checker implements the CAA compliance checker for happyDomain.
//
// It consumes observations published by checker-tls (the "tls_probes" key)
// and cross-references each observed certificate issuer against the CAA
// policy declared by the domain's svcs.CAAPolicy service. No network
// probes are performed here.
package checker
// ObservationKeyCAA is the observation key this checker writes.
//
// The payload stored under it is a CAAData value: a pass-through of the
// zone-side CAA records. The checker does not re-query DNS, so the
// observation reflects whatever the zone publisher handed over.
const (
	ObservationKeyCAA = "caa_policy"
)
// TLSRelatedKey is the observation key this checker reads from other
// checkers via ObservationGetter.GetRelated.
//
// It must stay byte-identical to the key published by checker-tls;
// a mismatch would silently yield no TLS observations rather than an
// error, so any rename has to be coordinated across both checkers.
const (
	TLSRelatedKey = "tls_probes"
)
// Severity values used in Issue.Severity (lowercase, ascii). Kept in
// sync with the other happyDomain checkers so aggregators can merge
// severities by string.
//
// The strings are the contract; they are declared one per line so each
// can be documented on its own. Any ranking between them is applied by
// the aggregators, not encoded here.

// SeverityCrit is the "crit" severity string.
const SeverityCrit = "crit"

// SeverityWarn is the "warn" severity string.
const SeverityWarn = "warn"

// SeverityInfo is the "info" severity string.
const SeverityInfo = "info"
// Rule code values surfaced by CheckState.Code.
//
// Every code is prefixed "caa_" so it cannot collide with codes from
// other checkers when results are merged. The one-line descriptions
// below are derived from the identifier names; the exact condition
// that selects each code lives in the evaluation logic, not here.

// CodeOK: no CAA-related issue was found.
const CodeOK = "caa_ok"

// CodeNoTLS: no TLS observation was available to cross-check.
const CodeNoTLS = "caa_no_tls"

// CodeNotAuthorized: an observed issuer is not one the CAA policy names.
const CodeNotAuthorized = "caa_not_authorized"

// CodeIssuanceDisallowed: the CAA policy disallows issuance altogether.
const CodeIssuanceDisallowed = "caa_issuance_disallowed"

// CodeIssuerUnknown: the observed issuer could not be identified.
const CodeIssuerUnknown = "caa_issuer_unknown"

// CodeObservationError: the related observation could not be read or parsed.
const CodeObservationError = "caa_observation_error"

// CodeUnknownCritical: a CAA record carries an unrecognised tag with the
// critical flag set.
const CodeUnknownCritical = "caa_unknown_critical"
// CAAData is the payload written under ObservationKeyCAA.
//
// It carries the zone-side CAA records for Domain as passed through by
// the checker; no DNS lookup is performed to produce it.
type CAAData struct {
	// Domain is the name whose CAA records are reported.
	Domain string `json:"domain,omitempty"`
	// Records holds the CAA records passed through from the zone.
	// NOTE(review): with omitempty an empty set is dropped from the JSON,
	// so a consumer cannot distinguish "no CAA records published" from
	// "records not collected" using this field alone — confirm that is
	// the intended contract, since the two cases differ for compliance.
	Records []CAARecord `json:"records,omitempty"`
	// RunAt records when the observation was produced. The string
	// format is not fixed by this type — presumably RFC 3339; verify
	// against the producer before parsing it.
	RunAt string `json:"run_at,omitempty"`
}
// CAARecord is one CAA resource record as passed through from the zone.
//
// The fields mirror the CAA RDATA layout (flags, tag, value).
type CAARecord struct {
	// Flag is the CAA flags byte. Per RFC 8659 its high bit (value 128)
	// is the issuer-critical flag: a record whose tag is not understood
	// and which has this bit set must block issuance — presumably the
	// condition behind CodeUnknownCritical; confirm against the
	// evaluation logic.
	Flag uint8 `json:"flag"`
	// Tag is the property tag, e.g. "issue", "issuewild" or "iodef".
	// NOTE(review): tags are case-insensitive per RFC 8659; whether Tag
	// is normalised before comparison is decided by the consumer — verify.
	Tag string `json:"tag"`
	// Value is the property value as received from the zone (for
	// "issue"/"issuewild", the permitted issuer domain, possibly followed
	// by parameters).
	Value string `json:"value"`
}