package checker

import (
	"time"

	sdk "git.happydns.org/checker-sdk-go/checker"
)

// Version is the checker version reported in CheckerDefinition.Version.
// Overridden at link time by the binary/plugin entrypoints.
var Version = "built-in"

// Definition returns the CheckerDefinition for the Kerberos checker.
func (p *kerberosProvider) Definition() *sdk.CheckerDefinition {
	return &sdk.CheckerDefinition{
		ID:      "kerberos",
		Name:    "Kerberos Realm Tester",
		Version: Version,
		Availability: sdk.CheckerAvailability{
			ApplyToService:  true,
			LimitToServices: []string{"abstract.Kerberos"},
		},
		HasHTMLReport:   true,
		ObservationKeys: []sdk.ObservationKey{ObservationKeyKerberos},
		Options: sdk.CheckerOptionsDocumentation{
			RunOpts: []sdk.CheckerOptionDocumentation{
				{
					Id:          "realm",
					Type:        "string",
					Label:       "Kerberos realm",
					Placeholder: "EXAMPLE.COM",
					AutoFill:    sdk.AutoFillDomainName,
					Required:    true,
					Description: "DNS domain advertising the realm (the realm name itself is derived in uppercase).",
				},
				{
					Id:          "principal",
					Type:        "string",
					Label:       "Principal (optional)",
					Placeholder: "user@EXAMPLE.COM",
					Description: "Supply to run an authenticated round-trip. Leave blank for anonymous probes only.",
				},
				{
					Id:          "password",
					Type:        "string",
					Label:       "Password (optional)",
					Secret:      true,
					Description: "Password for the principal above. Used once per run; never stored by the checker.",
				},
				{
					Id:          "targetService",
					Type:        "string",
					Label:       "Service to request (TGS)",
					Placeholder: "host/host.example.com",
					Default:     "",
					Description: "SPN requested via TGS-REQ once a TGT is acquired. Defaults to krbtgt (realm self-test).",
				},
			},
			AdminOpts: []sdk.CheckerOptionDocumentation{
				{
					Id:      "timeout",
					Type:    "number",
					Label:   "Per-probe timeout (seconds)",
					Default: 5,
				},
				{
					Id:          "requireStrongEnctypes",
					Type:        "bool",
					Label:       "Require strong enctypes",
					Default:     true,
					Description: "Flag realms that only advertise DES/RC4 as CRIT.",
				},
				{
					Id:          "maxClockSkew",
					Type:        "number",
					Label:       "Max tolerated clock skew (seconds)",
					Default:     300,
					Description: "Default Kerberos tolerance is 300s; tighter values surface drift earlier.",
				},
			},
		},
		Rules: Rules(),
		Interval: &sdk.CheckIntervalSpec{
			Min:     5 * time.Minute,
			Max:     7 * 24 * time.Hour,
			Default: 24 * time.Hour,
		},
	}
}