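package checker

import (
	"fmt"
	"strings"

	sdk "git.happydns.org/checker-sdk-go/checker"
)

// Provider returns the SRV observation provider the host registers next to
// the checker definition.
func Provider() sdk.ObservationProvider { return &srvProvider{} }

// srvProvider adapts the SRV checker to the host's observation and endpoint
// discovery interfaces.
type srvProvider struct{}

// Key identifies the observation this provider produces.
func (p *srvProvider) Key() sdk.ObservationKey { return ObservationKeySRV }

// Definition returns the checker definition this provider belongs to.
func (p *srvProvider) Definition() *sdk.CheckerDefinition { return Definition() }

// directTLSPorts lists TCP ports where clients speak TLS immediately upon
// connection (as opposed to STARTTLS upgrades). A dedicated TLS checker
// consumes these endpoints to validate certificates.
var directTLSPorts = map[uint16]bool{
	443:  true, // HTTPS
	465:  true, // SMTPS
	563:  true, // NNTPS
	636:  true, // LDAPS
	853:  true, // DoT
	989:  true, // FTPS data
	990:  true, // FTPS control
	992:  true, // Telnet/TLS
	993:  true, // IMAPS
	995:  true, // POP3S
	5061: true, // SIPS
	5223: true, // XMPP client TLS
	5349: true, // STUN/TURN/TLS
	6697: true, // IRCS
	8443: true, // HTTPS alt
}

// DiscoverEndpoints is invoked by the host right after Collect. It declares
// (host, port) pairs worth testing by other checkers — here: TLS endpoints
// whose SRV target points at a well-known direct-TLS port.
//
// data must be the *SRVData produced by Collect; any other type yields an
// error. A nil *SRVData yields no endpoints. Each distinct (target, port)
// pair is reported once, in first-seen record order, so several SRV names
// resolving to the same host:port do not fan out into duplicate TLS checks.
// The SRV target is DNS-sourced input: it is passed through as Host/SNI with
// only a trailing dot stripped (RFC 6066 SNI carries no trailing dot), and the
// consuming TLS checker is expected to treat it as untrusted data.
//
// STARTTLS SRVs (e.g. _xmpp-server._tcp on 5269, _sips._tcp notwithstanding)
// are intentionally not emitted yet: a dedicated "smtp-starttls" / "xmpp-starttls"
// endpoint type will be defined when the TLS checker grows that capability.
func (p *srvProvider) DiscoverEndpoints(data any) ([]sdk.DiscoveredEndpoint, error) {
	d, ok := data.(*SRVData)
	if !ok {
		return nil, fmt.Errorf("unexpected data type %T", data)
	}
	// A typed nil would otherwise panic on d.Records below.
	if d == nil {
		return nil, nil
	}

	// Dedup key; DNS names are case-insensitive, so compare them folded.
	type hostPort struct {
		host string
		port uint16
	}
	seen := make(map[hostPort]struct{})

	var out []sdk.DiscoveredEndpoint
	for _, r := range d.Records {
		// NOTE(review): Target is assumed to be a hostname as parsed from the
		// SRV RDATA, possibly in FQDN form with a trailing dot — confirm
		// against the Collect implementation.
		target := strings.TrimSuffix(r.Target, ".")
		if r.IsNullTarget || target == "" {
			continue
		}
		if !directTLSPorts[r.Port] {
			continue
		}
		key := hostPort{host: strings.ToLower(target), port: r.Port}
		if _, dup := seen[key]; dup {
			continue
		}
		seen[key] = struct{}{}
		out = append(out, sdk.DiscoveredEndpoint{
			Type: "tls",
			Host: target,
			Port: r.Port,
			SNI:  target,
		})
	}
	return out, nil
}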