happyDomain/checker-dav
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
checker-dav/README.md
Pierre-Olivier Mercier 7d5535fddf Initial commit 
CalDAV and CardDAV checkers sharing a single Go module. Discovery follows
RFC 6764 (/.well-known + SRV/TXT), authenticated probes cover principal,
home-set, collections and a minimal REPORT query on top of go-webdav.
Common shape in internal/dav/; CalDAV adds a scheduling rule.

Surfaces its context URL (and each secure-SRV target) as TLS endpoints via
the EndpointDiscoverer interface, so the dedicated TLS checker can pick
them up without re-parsing observations.

HTML report foregrounds common misconfigs (well-known returning 200,
missing SRV, plaintext-only SRV, missing DAV capability, skipped auth
phase) as action-item callouts before the full phase breakdown.
2026-04-26 21:47:40 +07:00

3 KiB
Raw Permalink Blame History

checker-dav

happyDomain checkers for CalDAV (RFC 4791) and CardDAV (RFC 6352) servers. Discovery (RFC 6764) + OPTIONS + authenticated PROPFIND/REPORT probes, with an opinionated HTML report that foregrounds common misconfigs.

Two binaries are produced from this module:

Binary Checker ID Entrypoint
checker-caldav caldav ./cmd/checker-caldav
checker-carddav carddav ./cmd/checker-carddav

Shared code lives in internal/dav/: discovery, OPTIONS parsing, raw-XML PROPFIND helpers, the rule set, and the HTML template.

Build

make                   # builds both binaries
make checker-caldav    # one binary
make plugin            # .so plugins for in-process loading
make docker            # both Docker images
make test              # unit tests

Run

./checker-caldav -listen :8080

The SDK exposes /definition, /collect, /evaluate, /report, and /health as usual. Pass Accept: text/html on /report to get the HTML view; the default is a JSON metrics dump.

Options

Both checkers accept the same options:

  • domain_name (auto-filled): required
  • username, password: optional Basic credentials; unlock authenticated checks (principal, home-set, collections, REPORT probe)
  • context_url: optional explicit override, bypasses /.well-known + SRV
  • timeout_seconds: per-request HTTP timeout, default 10

What is checked

  1. Discovery: /.well-known/{caldav,carddav} (must 3xx, not 200), _caldavs._tcp / _carddavs._tcp SRV, TXT path= hint.
  2. Transport: HTTPS reachable. TLS certificate validation is deliberately out of scope; a dedicated TLS checker covers that.
  3. OPTIONS: DAV: advertises calendar-access or addressbook; Allow includes PROPFIND and REPORT; auth schemes captured for info.
  4. Principal: PROPFIND current-user-principal (auth required).
  5. Home-set: calendar-home-set / addressbook-home-set.
  6. Collections: enumerate, record properties (supported-calendar-component-set, supported-address-data, display name, description, max size).
  7. REPORT probe: issue a minimal calendar-query / addressbook-query against the first collection.
  8. Scheduling (CalDAV only): if calendar-schedule is advertised, verify schedule-inbox-URL and schedule-outbox-URL on the principal.

The HTML report surfaces the most common failures at the top as callouts:

  • /.well-known returns 200 instead of 301/302
  • No SRV and no well-known → service unreachable
  • Plaintext SRV record without secure counterpart
  • Server does not advertise the required DAV class (wrong endpoint or stripping proxy)
  • No credentials supplied → authenticated phase skipped

Dependencies