package checker

import (
	"time"

	sdk "git.happydns.org/checker-sdk-go/checker"
)

// Version is reported to the host as the checker's version. It stays
// "built-in" unless a standalone or plugin build overrides it at link time
// via -ldflags "-X .../checker.Version=...".
var Version = "built-in"

// Identifiers of the user-configurable options documented by Definition.
const (
	// OptionResolver selects the DNS resolver(s) to query.
	OptionResolver = "resolver"
	// OptionCertExpiryWarnDays is the expiry warning threshold, in days.
	OptionCertExpiryWarnDays = "certExpiryWarnDays"
	// OptionRequireDNSSEC controls how a non-DNSSEC-validated lookup is reported.
	OptionRequireDNSSEC = "requireDNSSEC"
	// OptionRequireEmailProtection controls how an S/MIME certificate lacking
	// the emailProtection Extended Key Usage is reported.
	OptionRequireEmailProtection = "requireEmailProtection"
)

// Definition builds the checker definition for the OPENPGPKEY & SMIMEA
// checker. It is the package-level helper handed to the host by the plugin
// entrypoint, and sdk.NewServer reaches it through the provider's
// CheckerDefinitionProvider implementation.
//
// ServiceOpenPGP, ServiceSMimeCert, ObservationKey and Rule are defined
// elsewhere in this package.
func Definition() *sdk.CheckerDefinition {
	// Options the user may set. The two "Require…" switches default to true,
	// so the stricter reporting applies unless a user opts out.
	userOptions := []sdk.CheckerOptionDocumentation{
		{
			Id:          OptionResolver,
			Type:        "string",
			Label:       "DNS resolver",
			Placeholder: "1.1.1.1",
			// NOTE(review): this value is user-supplied and may hold several
			// comma-separated entries; parsing and validation are not visible
			// in this file. How the DNSSEC status of a lookup is obtained is
			// not visible either: if it comes from the resolver's own
			// validation result, this option decides whose verdict
			// OptionRequireDNSSEC trusts, and the path to that resolver has to
			// be trusted as well. Confirm against the collector.
			Description: "Validating resolver to query (comma-separated list accepted). Defaults to the system resolver when empty.",
		},
		{
			Id:          OptionCertExpiryWarnDays,
			Type:        "number",
			Label:       "Expiry warning threshold (days)",
			Description: "Emit a warning when the primary key or S/MIME certificate expires in less than this many days.",
			// Declared as float64 rather than int; presumably to match how the
			// host decodes numeric option values. TODO confirm.
			Default: float64(30),
		},
		{
			Id:    OptionRequireDNSSEC,
			Type:  "bool",
			Label: "Require DNSSEC",
			// Turning this off does not silence the finding: per the
			// description it is downgraded from critical to warning.
			Description: "When enabled, a non-DNSSEC-validated lookup is reported as critical (otherwise as warning). RFC 7929 and RFC 8162 mandate DNSSEC.",
			Default:     true,
		},
		{
			Id:          OptionRequireEmailProtection,
			Type:        "bool",
			Label:       "Require emailProtection EKU",
			Description: "When enabled, an S/MIME certificate without the emailProtection Extended Key Usage is reported as critical.",
			Default:     true,
		},
	}

	// Domain-scoped options; both carry an AutoFill source.
	domainOptions := []sdk.CheckerOptionDocumentation{
		{
			Id:       "domain_name",
			Label:    "Zone origin",
			AutoFill: sdk.AutoFillDomainName,
		},
		{
			Id:       "subdomain",
			Label:    "Subdomain",
			AutoFill: sdk.AutoFillSubdomain,
		},
	}

	// Service-scoped options; the service type is auto-filled and marked Hide.
	serviceOptions := []sdk.CheckerOptionDocumentation{
		{
			Id:       "service",
			Label:    "Service",
			AutoFill: sdk.AutoFillService,
		},
		{
			Id:       "service_type",
			Label:    "Service type",
			AutoFill: sdk.AutoFillServiceType,
			Hide:     true,
		},
	}

	// The checker applies to services, limited to the OpenPGP and S/MIME
	// certificate service types.
	scope := sdk.CheckerAvailability{
		ApplyToService:  true,
		LimitToServices: []string{ServiceOpenPGP, ServiceSMimeCert},
	}

	// Check interval: between one hour and one week, twelve hours by default.
	schedule := &sdk.CheckIntervalSpec{
		Min:     time.Hour,
		Max:     7 * 24 * time.Hour,
		Default: 12 * time.Hour,
	}

	return &sdk.CheckerDefinition{
		ID:              "openpgpkey-smimea",
		Name:            "OPENPGPKEY & SMIMEA",
		Version:         Version,
		Availability:    scope,
		ObservationKeys: []sdk.ObservationKey{ObservationKey},
		Options: sdk.CheckerOptionsDocumentation{
			UserOpts:    userOptions,
			DomainOpts:  domainOptions,
			ServiceOpts: serviceOptions,
		},
		Rules:    []sdk.CheckRule{Rule()},
		Interval: schedule,
	}
}