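package checker

import (
	"context"

	sdk "git.happydns.org/checker-sdk-go/checker"
)

// handshakeOKRule reports whether the TLS handshake succeeded on every
// endpoint that has been probed. A failing handshake means DANE cannot be
// validated regardless of what TLSA records are published: without a
// presented certificate chain there is nothing to match against the
// TLSA usage/selector/matching-type tuple.
//
// The rule only looks at endpoints for which a probe exists; missing probes
// are deliberately left to probeAvailableRule so that a single underlying
// problem is reported once.
type handshakeOKRule struct{}

// Name returns the stable identifier under which this rule's states are
// reported.
func (r *handshakeOKRule) Name() string { return "dane.handshake_ok" }

// Description returns the human-readable summary shown for this rule.
func (r *handshakeOKRule) Description() string {
	return "Verifies the TLS handshake succeeds on every DANE endpoint so the presented chain can be compared to TLSA records."
}

// Evaluate produces one Crit state per probed endpoint whose handshake is not
// usable, a single Unknown state when no endpoint has been probed yet, or a
// single OK state when every probed endpoint handshook successfully.
//
// The observation error from loadRuleContext, when present, is surfaced as-is
// and short-circuits the evaluation. Whether a probe counts as usable is
// decided by probeUsable (defined elsewhere in this package); this rule does
// not inspect the probe beyond that predicate and its Error text.
func (r *handshakeOKRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
	rc := loadRuleContext(ctx, obs)
	if rc.err != nil {
		return []sdk.CheckState{observationErrorState(rc.err)}
	}

	var failures []sdk.CheckState
	probed := 0
	for _, t := range rc.data.Targets {
		probe := rc.probes[t.Ref]
		if probe == nil {
			continue // covered by probeAvailableRule
		}
		probed++
		if probeUsable(probe) {
			continue
		}
		// A probe can be unusable without carrying an error string; make sure
		// the operator still gets a meaningful reason rather than a message
		// that ends in a dangling colon.
		reason := probe.Error
		if reason == "" {
			reason = "no error detail reported by the probe"
		}
		failures = append(failures, sdk.CheckState{
			Status:  sdk.StatusCrit,
			Code:    "dane_handshake_failed",
			Subject: targetSubject(t),
			Message: "TLS handshake failed, cannot validate DANE: " + reason,
			Meta:    targetMeta(t),
		})
	}

	if len(failures) > 0 {
		return failures
	}
	if probed == 0 {
		// Nothing to judge yet; report Unknown rather than a misleading OK so
		// the dependency on the TLS checker's output is visible.
		return []sdk.CheckState{{
			Status:  sdk.StatusUnknown,
			Code:    "dane_handshake_ok_skipped",
			Message: "No probed endpoint to evaluate (waiting for checker-tls).",
		}}
	}
	return []sdk.CheckState{{
		Status:  sdk.StatusOK,
		Code:    "dane_handshake_ok",
		Message: "TLS handshake succeeds on every probed endpoint.",
	}}
}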