92 lines
3 KiB
Go
92 lines
3 KiB
Go
package checker
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net"
|
|
"strconv"
|
|
"time"
|
|
|
|
sdk "git.happydns.org/checker-sdk-go/checker"
|
|
)
|
|
|
|
// tlsProbeView is the local, permissive view of a single checker-tls
|
|
// probe payload. We decode only what the CAA rule needs; unknown fields
|
|
// are ignored so the TLS checker can evolve its schema independently.
|
|
//
|
|
// The IssuerAKI / IssuerDN fields are the cross-checker contract the
|
|
// CAA rule depends on. They were added to checker-tls so each probe
|
|
// carries the issuer identity in a form that maps directly to the
|
|
// CCADB "CAA Identifiers" CSV.
|
|
type tlsProbeView struct {
|
|
Host string `json:"host,omitempty"`
|
|
Port uint16 `json:"port,omitempty"`
|
|
Endpoint string `json:"endpoint,omitempty"`
|
|
Type string `json:"type,omitempty"`
|
|
Issuer string `json:"issuer,omitempty"`
|
|
IssuerDN string `json:"issuer_dn,omitempty"`
|
|
IssuerAKI string `json:"issuer_aki,omitempty"`
|
|
NotAfter time.Time `json:"not_after,omitempty"`
|
|
ChainValid *bool `json:"chain_valid,omitempty"`
|
|
}
|
|
|
|
// address returns "host:port" as a human-readable identifier for
|
|
// Issue.Endpoint when the upstream Endpoint field is missing.
|
|
func (v *tlsProbeView) address() string {
|
|
if v.Endpoint != "" {
|
|
return v.Endpoint
|
|
}
|
|
if v.Host != "" && v.Port != 0 {
|
|
return net.JoinHostPort(v.Host, strconv.FormatUint(uint64(v.Port), 10))
|
|
}
|
|
return v.Host
|
|
}
|
|
|
|
// parseTLSRelated decodes a single RelatedObservation into a list of
|
|
// probes. Two payload shapes are supported to match the dual-shape
|
|
// contract checker-xmpp already consumes:
|
|
//
|
|
// 1. {"probes": {"<ref>": <probe>, …}}: the current checker-tls
|
|
// format. When r.Ref is set and present in the map, only that
|
|
// entry is returned; otherwise all probes are returned so a rule
|
|
// operating at domain scope can still see them.
|
|
// 2. <probe>: a single top-level probe, kept for back-compat.
|
|
//
|
|
// Returns nil when the payload is not a recognizable probe shape.
|
|
func parseTLSRelated(r sdk.RelatedObservation) []*tlsProbeView {
|
|
var keyed struct {
|
|
Probes map[string]tlsProbeView `json:"probes"`
|
|
}
|
|
if err := json.Unmarshal(r.Data, &keyed); err == nil && keyed.Probes != nil {
|
|
if r.Ref != "" {
|
|
if p, ok := keyed.Probes[r.Ref]; ok {
|
|
cp := p
|
|
return []*tlsProbeView{&cp}
|
|
}
|
|
}
|
|
out := make([]*tlsProbeView, 0, len(keyed.Probes))
|
|
for _, p := range keyed.Probes {
|
|
cp := p
|
|
out = append(out, &cp)
|
|
}
|
|
return out
|
|
}
|
|
var v tlsProbeView
|
|
if err := json.Unmarshal(r.Data, &v); err != nil {
|
|
return nil
|
|
}
|
|
if v.Host == "" && v.IssuerAKI == "" && v.IssuerDN == "" {
|
|
return nil
|
|
}
|
|
return []*tlsProbeView{&v}
|
|
}
|
|
|
|
// parseAllTLSRelated flattens a slice of RelatedObservations into the
|
|
// full set of probe views they carry. This is the input the rule works
|
|
// from; one entry per endpoint, not per observation.
|
|
func parseAllTLSRelated(related []sdk.RelatedObservation) []*tlsProbeView {
|
|
var out []*tlsProbeView
|
|
for _, r := range related {
|
|
out = append(out, parseTLSRelated(r)...)
|
|
}
|
|
return out
|
|
}
|