package checker import ( "encoding/json" "strings" "time" sdk "git.happydns.org/checker-sdk-go/checker" ) // TLSRelatedKey is the observation key the downstream TLS checker // publishes. Same value as the XMPP checker uses, by cross-checker // convention. const TLSRelatedKey sdk.ObservationKey = "tls_probes" // tlsProbeView is our permissive view of a TLS checker's payload, we // read only the fields we need. type tlsProbeView struct { Host string `json:"host,omitempty"` Port uint16 `json:"port,omitempty"` Endpoint string `json:"endpoint,omitempty"` TLSVersion string `json:"tls_version,omitempty"` CipherSuite string `json:"cipher_suite,omitempty"` HostnameMatch *bool `json:"hostname_match,omitempty"` ChainValid *bool `json:"chain_valid,omitempty"` NotAfter time.Time `json:"not_after,omitempty"` Issues []struct { Code string `json:"code"` Severity string `json:"severity"` Message string `json:"message,omitempty"` Fix string `json:"fix,omitempty"` } `json:"issues,omitempty"` } // address returns "host:port" used as our matching key against SIP // endpoints. Falls back to Endpoint when host/port are unset. func (v *tlsProbeView) address() string { if v.Endpoint != "" { return v.Endpoint } if v.Host != "" && v.Port != 0 { return endpointKey(v.Host, v.Port) } return "" } func parseTLSRelated(r sdk.RelatedObservation) *tlsProbeView { var v tlsProbeView if err := json.Unmarshal(r.Data, &v); err != nil { return nil } return &v } // tlsIssuesFromRelated converts downstream TLS observations into Issue // entries for the SIP aggregation. Structured issues from the TLS // checker are forwarded with a "sip.tls." prefix so origin is obvious; // flag-only payloads are summarised into one synthesised issue. func tlsIssuesFromRelated(related []sdk.RelatedObservation) []Issue { var out []Issue for _, r := range related { v := parseTLSRelated(r) if v == nil { continue } addr := v.address() if len(v.Issues) > 0 { for _, is := range v.Issues { sev := strings.ToLower(is.Severity) switch sev { case SeverityCrit, SeverityWarn, SeverityInfo: default: continue } code := is.Code if code == "" { code = "tls.unknown" } out = append(out, Issue{ Code: "sip.tls." + code, Severity: sev, Message: strings.TrimSpace("TLS on " + addr + ": " + is.Message), Fix: is.Fix, Endpoint: addr, }) } continue } // Flag-only payload: synthesise a summary issue. sev := v.worstSeverity() if sev == "" { continue } msg := "TLS issue reported on " + addr switch { case v.ChainValid != nil && !*v.ChainValid: msg = "Invalid certificate chain on " + addr case v.HostnameMatch != nil && !*v.HostnameMatch: msg = "Certificate does not cover the SIP host on " + addr case !v.NotAfter.IsZero() && time.Until(v.NotAfter) < 0: msg = "Certificate expired on " + addr + " (" + v.NotAfter.Format(time.RFC3339) + ")" case !v.NotAfter.IsZero() && time.Until(v.NotAfter) < 14*24*time.Hour: msg = "Certificate expiring soon on " + addr + " (" + v.NotAfter.Format(time.RFC3339) + ")" } out = append(out, Issue{ Code: "sip.tls.probe", Severity: sev, Message: msg, Fix: "See the TLS checker report for details.", Endpoint: addr, }) } return out } func (v *tlsProbeView) worstSeverity() string { if v.ChainValid != nil && !*v.ChainValid { return SeverityCrit } if v.HostnameMatch != nil && !*v.HostnameMatch { return SeverityCrit } if !v.NotAfter.IsZero() && time.Until(v.NotAfter) < 0 { return SeverityCrit } if !v.NotAfter.IsZero() && time.Until(v.NotAfter) < 14*24*time.Hour { return SeverityWarn } return "" }