Initial commit

checker/rule.go

@@ -0,0 +1,75 @@
+// SPDX-License-Identifier: MIT
+
+package checker
+
+import (
+	"context"
+	"fmt"
+	"sort"
+	"strings"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+// Rules returns the full rule set evaluated against a DNSVizData observation.
+// Subject is the zone FQDN so a fault at the TLD is never silently merged with a leaf fault.
+func Rules() []sdk.CheckRule {
+	return []sdk.CheckRule{
+		&overallStatusRule{},
+		&perZoneStatusRule{},
+		&zoneErrorsRule{},
+		&zoneWarningsRule{},
+		&commonFailuresRule{},
+	}
+}
+
+func loadData(ctx context.Context, obs sdk.ObservationGetter, code string) (*DNSVizData, []sdk.CheckState) {
+	var data DNSVizData
+	if err := obs.Get(ctx, ObservationKeyDNSViz, &data); err != nil {
+		return nil, []sdk.CheckState{{
+			Status:  sdk.StatusError,
+			Code:    code,
+			Message: fmt.Sprintf("Failed to load DNSViz observation: %v", err),
+		}}
+	}
+	return &data, nil
+}
+
+func orderedZones(data *DNSVizData) []string {
+	if len(data.Order) > 0 {
+		return data.Order
+	}
+	keys := make([]string, 0, len(data.Zones))
+	for k := range data.Zones {
+		keys = append(keys, k)
+	}
+	sort.Slice(keys, func(i, j int) bool {
+		return labelDepth(keys[i]) > labelDepth(keys[j])
+	})
+	return keys
+}
+
+func statusFromGrok(s string) sdk.Status {
+	switch strings.ToUpper(strings.TrimSpace(s)) {
+	case "SECURE":
+		return sdk.StatusOK
+	case "INSECURE":
+		// "INSECURE" means "no DNSSEC and no parent DS": informational, not
+		// a failure. Rules elsewhere can still flag a missing chain.
+		return sdk.StatusInfo
+	case "BOGUS":
+		return sdk.StatusCrit
+	case "INDETERMINATE":
+		return sdk.StatusWarn
+	case "NON_EXISTENT":
+		return sdk.StatusInfo
+	case "NOERROR":
+		// DNS-level OK with no DNSSEC chain status reported. The zone
+		// resolves but isn't signed (or grok didn't classify it).
+		return sdk.StatusInfo
+	case "":
+		return sdk.StatusUnknown
+	default:
+		return sdk.StatusUnknown
+	}
+}