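// Package checker declares the "dnssec" checker (DNSSEC operational
// hygiene) and its option documentation, built on checker-sdk-go.
package checker

import (
	"time"

	sdk "git.happydns.org/checker-sdk-go/checker"
)

// Version is the version string reported in the checker definition.
// It is "built-in" unless overridden by the build (presumably via
// -ldflags -X; not confirmed from this file).
var Version = "built-in"

// Definition returns the checker's SDK definition: its identity, the
// admin-, user- and domain-level options it documents, the ordered set
// of rules it evaluates and the allowed check interval. The rule types
// and the default* constants referenced here are defined elsewhere in
// this package. BuildRulesInfo is invoked on the result before it is
// returned (presumably it derives the per-rule metadata from Rules —
// see the SDK).
func Definition() *sdk.CheckerDefinition {
	def := &sdk.CheckerDefinition{
		ID:      "dnssec",
		Name:    "DNSSEC operational hygiene",
		Version: Version,
		Availability: sdk.CheckerAvailability{
			ApplyToDomain: true,
		},
		ObservationKeys: []sdk.ObservationKey{ObservationKeyDNSSEC},
		Options: sdk.CheckerOptionsDocumentation{
			AdminOpts: []sdk.CheckerOptionDocumentation{
				{
					// NOTE(review): per its description this resolver is also
					// used to fetch the parent DS, so its answers sit on the
					// trust path of the check; confirm whether the DS lookup is
					// validated independently of this resolver.
					Id:          "resolver",
					Type:        "string",
					Label:       "Bootstrap resolver (host:port)",
					Description: "Recursive resolver used to discover the apex name servers and to look up the parent DS. Defaults to /etc/resolv.conf.",
				},
			},
			UserOpts: []sdk.CheckerOptionDocumentation{
				{
					Id:          "nsec3IterationsMax",
					Type:        "uint",
					Label:       "Maximum NSEC3 iterations",
					Description: "RFC 9276 §3.1 sets the recommended ceiling at 0. Increase only if your signer cannot publish 0 yet.",
					Default:     defaultNSEC3IterationsMax,
				},
				{
					Id:          "nsec3IterationsSeverity",
					Type:        "choice",
					Label:       "Severity when NSEC3 iterations exceed the ceiling",
					Choices:     []string{"warn", "crit"},
					Default:     defaultNSEC3IterationsSeverityWarn,
					Description: "Use 'crit' to enforce RFC 9276 strictly.",
				},
				{
					Id:          "signatureFreshness",
					Type:        "uint",
					Label:       "RRSIG freshness WARN threshold (days)",
					Description: "Warn when the closest RRSIG expires in fewer than this many days.",
					Default:     defaultSignatureFreshnessDays,
				},
				// TODO(review): the four options below carry no Description;
				// consider documenting them like the ones above.
				{
					Id:      "signatureFreshnessCrit",
					Type:    "uint",
					Label:   "RRSIG freshness CRIT threshold (days)",
					Default: defaultSignatureFreshnessCrit,
				},
				{
					Id:      "minRSAKeySize",
					Type:    "uint",
					Label:   "Minimum RSA modulus size (bits)",
					Default: defaultMinRSAKeySize,
				},
				{
					Id:      "requireSEP",
					Type:    "bool",
					Label:   "Require a KSK (DNSKEY with SEP bit)",
					Default: defaultRequireSEP,
				},
				{
					Id:      "dnskeyTTLMin",
					Type:    "uint",
					Label:   "Minimum DNSKEY TTL (seconds)",
					Default: defaultDNSKEYTTLMinSec,
				},
			},
			DomainOpts: []sdk.CheckerOptionDocumentation{
				{
					Id:       "domain_name",
					Label:    "Zone apex",
					AutoFill: sdk.AutoFillDomainName,
				},
			},
		},
		// Rule implementations live elsewhere in this package.
		Rules: []sdk.CheckRule{
			zoneSignedRule{},
			dnskeyConsistentRule{},
			dnskeyQueryOKRule{},
			algorithmAllowedRule{},
			algorithmModernRule{},
			rsaKeySizeRule{},
			kskPresentRule{},
			dnskeyCountRule{},
			rrsigPresentDNSKEYRule{},
			rrsigPresentSOARule{},
			rrsigValidityWindowRule{},
			rrsigFreshnessRule{},
			denialUsesNSEC3Rule{},
			nsec3IterationsRule{},
			nsec3SaltEmptyRule{},
			nsec3OptOutRule{},
			denialConsistentRule{},
			dnskeyTTLMinRule{},
		},
		HasHTMLReport: true,
		Interval: &sdk.CheckIntervalSpec{
			Min:     5 * time.Minute,
			Max:     24 * time.Hour,
			Default: time.Hour,
		},
	}
	def.BuildRulesInfo()
	return def
}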