Initial commit

2026-04-24 12:56:46 +07:00 · 2026-04-24 12:56:46 +07:00 · beca2fd7eb
commit beca2fd7eb
21 changed files with 2698 additions and 0 deletions
--- a/checker/rules.go
+++ b/checker/rules.go
@ -0,0 +1,107 @@
+package checker
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+// Rules returns the full list of CheckRules exposed by the LDAP checker.
+// Each rule covers one concern (SRV discovery, StartTLS posture, anonymous
+// access, …) and produces its CheckStates by scanning raw LDAPData fields
+// directly -- there is no shared pre-derived Issues slice in between.
+func Rules() []sdk.CheckRule {
+	return []sdk.CheckRule{
+		&srvDiscoveryRule{},
+		&endpointReachableRule{},
+		&encryptedTransportRule{},
+		&startTLSSupportedRule{},
+		&ldapsHandshakeRule{},
+		&startTLSOnLDAPSRule{},
+		&refusesPlainBindRule{},
+		&anonymousSearchBlockedRule{},
+		&rootDSEReadableRule{},
+		&saslMechanismsRule{},
+		&protocolVersionRule{},
+		&ipv6ReachableRule{},
+		&bindCredentialsRule{},
+		&baseDNReadRule{},
+		&tlsQualityRule{},
+	}
+}
+
+// loadLDAPData fetches the LDAP observation. On error, returns a CheckState
+// the caller should emit to short-circuit its rule.
+func loadLDAPData(ctx context.Context, obs sdk.ObservationGetter) (*LDAPData, *sdk.CheckState) {
+	var data LDAPData
+	if err := obs.Get(ctx, ObservationKeyLDAP, &data); err != nil {
+		return nil, &sdk.CheckState{
+			Status:  sdk.StatusError,
+			Message: fmt.Sprintf("failed to load LDAP observation: %v", err),
+			Code:    "ldap.observation_error",
+		}
+	}
+	return &data, nil
+}
+
+// critState builds a StatusCrit state with an optional fix hint encoded in
+// Meta["fix"] so report.go's fixesFromStates can surface it.
+func critState(code, message, subject, fix string) sdk.CheckState {
+	return stateWithFix(sdk.StatusCrit, code, message, subject, fix)
+}
+
+func warnState(code, message, subject, fix string) sdk.CheckState {
+	return stateWithFix(sdk.StatusWarn, code, message, subject, fix)
+}
+
+func infoState(code, message, subject, fix string) sdk.CheckState {
+	return stateWithFix(sdk.StatusInfo, code, message, subject, fix)
+}
+
+func stateWithFix(status sdk.Status, code, message, subject, fix string) sdk.CheckState {
+	st := sdk.CheckState{
+		Status:  status,
+		Message: message,
+		Code:    code,
+		Subject: subject,
+	}
+	if fix != "" {
+		st.Meta = map[string]any{"fix": fix}
+	}
+	return st
+}
+
+func passState(code, message string) sdk.CheckState {
+	return sdk.CheckState{
+		Status:  sdk.StatusOK,
+		Message: message,
+		Code:    code,
+	}
+}
+
+func notTestedState(code, message string) sdk.CheckState {
+	return sdk.CheckState{
+		Status:  sdk.StatusUnknown,
+		Message: message,
+		Code:    code,
+	}
+}
+
+func optString(opts sdk.CheckerOptions, key string) string {
+	v, _ := opts[key].(string)
+	return strings.TrimSpace(v)
+}
+
+// ldapsReachable reports whether at least one LDAPS endpoint accepted TCP.
+// Used to soften severity of unreachable plain-LDAP endpoints when modern
+// clients would use LDAPS anyway.
+func ldapsReachable(data *LDAPData) bool {
+	for _, ep := range data.Endpoints {
+		if ep.Mode == ModeLDAPS && ep.TCPConnected {
+			return true
+		}
+	}
+	return false
+}