checker-caa/checker/types.go

// Package checker implements the CAA compliance checker for happyDomain.
//
// It consumes observations published by checker-tls (the "tls_probes" key)
// and cross-references each observed certificate issuer against the CAA
// policy declared by the domain's svcs.CAAPolicy service. No network
// probes are performed here.
package checker

// ObservationKeyCAA is the observation key this checker writes. Its
// payload is a pass-through of the zone-side CAA records; the
// checker does not re-query DNS.
const ObservationKeyCAA = "caa_policy"

// TLSRelatedKey is the observation key this checker reads from other
// checkers via ObservationGetter.GetRelated. Matches the key
// published by checker-tls.
const TLSRelatedKey = "tls_probes"

// Severity values used in Issue.Severity (lowercase, ascii). Kept in
// sync with the other happyDomain checkers so aggregators can merge
// severities by string.
const (
	SeverityCrit = "crit"
	SeverityWarn = "warn"
	SeverityInfo = "info"
)

// Rule code values surfaced by CheckState.Code.
const (
	CodeOK                 = "caa_ok"
	CodeNoTLS              = "caa_no_tls"
	CodeNotAuthorized      = "caa_not_authorized"
	CodeIssuanceDisallowed = "caa_issuance_disallowed"
	CodeIssuerUnknown      = "caa_issuer_unknown"
	CodeObservationError   = "caa_observation_error"
)

// CAAData is the payload written under ObservationKeyCAA. It is a thin
// view over the zone's CAA records; consumers (including our own rule)
// can walk Records to rebuild the allow list without re-parsing the
// service body.
type CAAData struct {
	Domain  string      `json:"domain,omitempty"`
	Records []CAARecord `json:"records,omitempty"`
	RunAt   string      `json:"run_at,omitempty"`
}

// CAARecord is one entry of the zone's CAA policy, flattened to the
// three fields that matter for compliance evaluation.
type CAARecord struct {
	Flag  uint8  `json:"flag"`
	Tag   string `json:"tag"`
	Value string `json:"value"`
}