Initial commit
This commit is contained in:
commit
5a632a3b30
24 changed files with 2901 additions and 0 deletions
97
checker/rules_common.go
Normal file
97
checker/rules_common.go
Normal file
|
|
@ -0,0 +1,97 @@
|
|||
package checker
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"sort"
|
||||
|
||||
sdk "git.happydns.org/checker-sdk-go/checker"
|
||||
)
|
||||
|
||||
const (
|
||||
hintKey = "hint"
|
||||
codeKey = "code"
|
||||
)
|
||||
|
||||
// defaults centralised so Definition's docs and runtime reads cannot drift.
|
||||
const (
|
||||
defaultNSEC3IterationsMax = 0 // RFC 9276 §3.1
|
||||
defaultNSEC3IterationsSeverityWarn = "warn"
|
||||
defaultSignatureFreshnessDays = 7
|
||||
defaultSignatureFreshnessCrit = 1
|
||||
defaultMinRSAKeySize = 2048
|
||||
defaultRequireSEP = true
|
||||
defaultDNSKEYTTLMinSec = 3600
|
||||
)
|
||||
|
||||
func defaultAllowedAlgorithms() []uint8 { return []uint8{8, 13, 14, 15, 16} }
|
||||
func defaultForbiddenAlgorithms() []uint8 { return []uint8{1, 3, 5, 6, 7, 12} }
|
||||
|
||||
func loadDNSSEC(ctx context.Context, obs sdk.ObservationGetter) (*DNSSECData, []sdk.CheckState) {
|
||||
var data DNSSECData
|
||||
if err := obs.Get(ctx, ObservationKeyDNSSEC, &data); err != nil {
|
||||
return nil, []sdk.CheckState{{
|
||||
Status: sdk.StatusError,
|
||||
Message: fmt.Sprintf("failed to read dnssec observation: %v", err),
|
||||
}}
|
||||
}
|
||||
return &data, nil
|
||||
}
|
||||
|
||||
func skipped(reason string) []sdk.CheckState {
|
||||
return []sdk.CheckState{{
|
||||
Status: sdk.StatusUnknown,
|
||||
Message: "skipped: " + reason,
|
||||
}}
|
||||
}
|
||||
|
||||
func okState(subject, message string) []sdk.CheckState {
|
||||
return []sdk.CheckState{{
|
||||
Status: sdk.StatusOK,
|
||||
Subject: subject,
|
||||
Message: message,
|
||||
}}
|
||||
}
|
||||
|
||||
func withMeta(s sdk.CheckState, hint, code string) sdk.CheckState {
|
||||
if hint == "" && code == "" {
|
||||
return s
|
||||
}
|
||||
if s.Meta == nil {
|
||||
s.Meta = map[string]any{}
|
||||
}
|
||||
if hint != "" {
|
||||
s.Meta[hintKey] = hint
|
||||
}
|
||||
if code != "" {
|
||||
s.Meta[codeKey] = code
|
||||
s.Code = code
|
||||
}
|
||||
return s
|
||||
}
|
||||
|
||||
// sortedServers returns the servers map keys in stable order so per-server
|
||||
// rule output is reproducible across runs.
|
||||
func sortedServers(d *DNSSECData) []string {
|
||||
keys := make([]string, 0, len(d.Servers))
|
||||
for k := range d.Servers {
|
||||
keys = append(keys, k)
|
||||
}
|
||||
sort.Strings(keys)
|
||||
return keys
|
||||
}
|
||||
|
||||
// hasAnyDNSKEY returns true when at least one server returned at least one
|
||||
// DNSKEY: a coarse "is the zone signed at all" probe.
|
||||
func hasAnyDNSKEY(d *DNSSECData) bool {
|
||||
for _, v := range d.Servers {
|
||||
if len(v.DNSKEYs) > 0 {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func optionUint(opts sdk.CheckerOptions, key string, def uint) uint {
|
||||
return uint(sdk.GetIntOption(opts, key, int(def)))
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue