167 lines
5.2 KiB
Go
167 lines
5.2 KiB
Go
//go:build standalone
|
|
|
|
package checker
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"github.com/miekg/dns"
|
|
|
|
sdk "git.happydns.org/checker-sdk-go/checker"
|
|
tls "git.happydns.org/checker-tls/checker"
|
|
)
|
|
|
|
// tlsaLookup fetches TLSA records for owner via the system resolver.
|
|
// It is a package variable so tests can swap it for a fixture.
|
|
var tlsaLookup = lookupTLSA
|
|
|
|
// RenderForm lets a human run this checker standalone. The form only
|
|
// collects the endpoint coordinates; the expected TLSA records are read
|
|
// from DNS by ParseForm and the live certificate is fetched in-process by
|
|
// the SDK running checker-tls as a sibling (see RelatedProviders).
|
|
func (p *daneProvider) RenderForm() []sdk.CheckerOptionField {
|
|
return []sdk.CheckerOptionField{
|
|
{Id: OptionDomain, Type: "string", Label: "Domain", Placeholder: "example.com", Required: true},
|
|
{Id: "port", Type: "uint", Label: "Port", Default: float64(443), Required: true},
|
|
{Id: "proto", Type: "string", Label: "Protocol", Choices: []string{"tcp", "udp"}, Default: "tcp"},
|
|
{
|
|
Id: "starttls",
|
|
Type: "string",
|
|
Label: "STARTTLS override",
|
|
Description: "Leave empty to auto-derive from port (25→smtp, 587→submission, 143→imap, …).",
|
|
},
|
|
{
|
|
Id: OptionProbeTimeoutMs,
|
|
Type: "uint",
|
|
Label: "Probe timeout (ms)",
|
|
Default: float64(tls.DefaultProbeTimeoutMs),
|
|
Description: "Forwarded to checker-tls for the live probe.",
|
|
},
|
|
}
|
|
}
|
|
|
|
// ParseForm turns the submitted endpoint into the same CheckerOptions
|
|
// shape happyDomain would feed Collect. The TLSA RRset expected by
|
|
// Collect is resolved live from DNS at _<port>._<proto>.<domain>; if
|
|
// nothing is published there, no validation is possible and the form is
|
|
// re-rendered with the error.
|
|
func (p *daneProvider) ParseForm(r *http.Request) (sdk.CheckerOptions, error) {
|
|
domain := strings.TrimSuffix(strings.TrimSpace(r.FormValue(OptionDomain)), ".")
|
|
if domain == "" {
|
|
return nil, errors.New("domain is required")
|
|
}
|
|
portStr := strings.TrimSpace(r.FormValue("port"))
|
|
if portStr == "" {
|
|
return nil, errors.New("port is required")
|
|
}
|
|
port64, err := strconv.ParseUint(portStr, 10, 16)
|
|
if err != nil || port64 == 0 {
|
|
return nil, fmt.Errorf("invalid port %q: must be 1-65535", portStr)
|
|
}
|
|
port := uint16(port64)
|
|
proto := strings.TrimSpace(r.FormValue("proto"))
|
|
if proto == "" {
|
|
proto = "tcp"
|
|
}
|
|
if proto != "tcp" && proto != "udp" {
|
|
return nil, fmt.Errorf("invalid protocol %q: must be tcp or udp", proto)
|
|
}
|
|
|
|
owner := tlsaOwnerName(port, proto, domain)
|
|
records, err := tlsaLookup(owner)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("TLSA lookup for %s: %w", owner, err)
|
|
}
|
|
if len(records) == 0 {
|
|
return nil, fmt.Errorf("no TLSA records found at %s", owner)
|
|
}
|
|
|
|
tlsaEntries := make([]map[string]any, 0, len(records))
|
|
for _, t := range records {
|
|
tlsaEntries = append(tlsaEntries, map[string]any{
|
|
"Hdr": map[string]any{"Name": owner},
|
|
"Usage": t.Usage,
|
|
"Selector": t.Selector,
|
|
"MatchingType": t.MatchingType,
|
|
"Certificate": strings.ToLower(t.Certificate),
|
|
})
|
|
}
|
|
body, err := json.Marshal(map[string]any{"tlsa": tlsaEntries})
|
|
if err != nil {
|
|
return nil, fmt.Errorf("marshal TLSAs service: %w", err)
|
|
}
|
|
|
|
opts := sdk.CheckerOptions{
|
|
OptionDomain: domain,
|
|
OptionService: serviceMessage{
|
|
Type: serviceType,
|
|
Domain: domain,
|
|
Service: body,
|
|
},
|
|
}
|
|
|
|
if s := strings.TrimSpace(r.FormValue("starttls")); s != "" {
|
|
opts[OptionSTARTTLS] = map[string]string{
|
|
starttlsKey(port, proto): s,
|
|
}
|
|
}
|
|
if v := strings.TrimSpace(r.FormValue(OptionProbeTimeoutMs)); v != "" {
|
|
if n, err := strconv.Atoi(v); err == nil && n > 0 {
|
|
opts[OptionProbeTimeoutMs] = float64(n)
|
|
}
|
|
}
|
|
return opts, nil
|
|
}
|
|
|
|
// RelatedProviders declares checker-tls as the sibling the SDK should run
|
|
// in-process during the interactive flow. The SDK harvests the discovery
|
|
// entries this checker publishes via DiscoverEntries and auto-fills
|
|
// checker-tls's OptionEndpoints (the option tagged
|
|
// sdk.AutoFillDiscoveryEntries in its definition), so the probe map the
|
|
// rule reads via GetRelated is populated with live data.
|
|
func (p *daneProvider) RelatedProviders() []sdk.ObservationProvider {
|
|
return []sdk.ObservationProvider{tls.Provider()}
|
|
}
|
|
|
|
// lookupTLSA queries the system resolver for TLSA records at owner.
|
|
// Falls back to 1.1.1.1 when /etc/resolv.conf is unreadable.
|
|
func lookupTLSA(owner string) ([]*dns.TLSA, error) {
|
|
resolver, err := interactiveResolver()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
msg := new(dns.Msg)
|
|
msg.SetQuestion(dns.Fqdn(owner), dns.TypeTLSA)
|
|
msg.RecursionDesired = true
|
|
msg.SetEdns0(4096, true)
|
|
|
|
c := new(dns.Client)
|
|
in, _, err := c.Exchange(msg, resolver)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if in.Rcode != dns.RcodeSuccess && in.Rcode != dns.RcodeNameError {
|
|
return nil, fmt.Errorf("rcode %s", dns.RcodeToString[in.Rcode])
|
|
}
|
|
var out []*dns.TLSA
|
|
for _, rr := range in.Answer {
|
|
if t, ok := rr.(*dns.TLSA); ok {
|
|
out = append(out, t)
|
|
}
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
func interactiveResolver() (string, error) {
|
|
cfg, err := dns.ClientConfigFromFile("/etc/resolv.conf")
|
|
if err != nil || len(cfg.Servers) == 0 {
|
|
return net.JoinHostPort("1.1.1.1", "53"), nil
|
|
}
|
|
return net.JoinHostPort(cfg.Servers[0], cfg.Port), nil
|
|
}
|