// This file is part of the happyDomain (R) project.
// Copyright (c) 2020-2026 happyDomain
// Authors: Pierre-Olivier Mercier, et al.
//
// This program is offered under a commercial and under the AGPL license.
// For commercial licensing, contact us at <contact@happydomain.org>.
//
// For AGPL licensing:
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <https://www.gnu.org/licenses/>.

package checker

import (
	"context"
	"fmt"
	"strings"

	sdk "git.happydns.org/checker-sdk-go/checker"
)

// protocolVersionRule flags servers advertising SSH-1.x, which has
// not been safe for decades.
type protocolVersionRule struct{}

func (r *protocolVersionRule) Name() string { return "ssh.protocol_version" }
func (r *protocolVersionRule) Description() string {
	return "Verifies every endpoint advertises SSH-2 and rejects the legacy SSH-1 protocol."
}

func (r *protocolVersionRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
	data, errSt := loadSSHData(ctx, obs)
	if errSt != nil {
		return []sdk.CheckState{*errSt}
	}
	if len(data.Endpoints) == 0 {
		return []sdk.CheckState{noEndpointsState("ssh.protocol_version.no_endpoints")}
	}
	var states []sdk.CheckState
	for _, ep := range data.Endpoints {
		if ep.Banner == "" {
			continue
		}
		if !strings.HasPrefix(ep.ProtoVer, "2.") && ep.ProtoVer != "2" {
			states = append(states, sdk.CheckState{
				Status:  sdk.StatusCrit,
				Code:    "ssh_legacy_protocol",
				Subject: ep.Address,
				Message: fmt.Sprintf("Server advertises SSH protocol %q (banner %q). SSH-1 is obsolete and insecure.", ep.ProtoVer, ep.Banner),
				Meta:    map[string]any{"fix": "Disable SSH-1 support; run an sshd that only speaks SSH-2."},
			})
		}
	}
	if len(states) == 0 {
		return []sdk.CheckState{passState("ssh.protocol_version.ok", "Every endpoint advertises SSH-2.")}
	}
	return states
}

// bannerSoftwareRule reports when a server's software identifier does
// not look like a recognised OpenSSH build.
type bannerSoftwareRule struct{}

func (r *bannerSoftwareRule) Name() string { return "ssh.banner_software" }
func (r *bannerSoftwareRule) Description() string {
	return "Flags servers whose banner is not a recognised OpenSSH build (so their maintenance status cannot be inferred)."
}

func (r *bannerSoftwareRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
	data, errSt := loadSSHData(ctx, obs)
	if errSt != nil {
		return []sdk.CheckState{*errSt}
	}
	if len(data.Endpoints) == 0 {
		return []sdk.CheckState{noEndpointsState("ssh.banner_software.no_endpoints")}
	}
	var issues []Issue
	for _, ep := range data.Endpoints {
		issues = append(issues, analyseBannerSoftware(ep.Address, ep.Banner, ep.SoftVer)...)
	}
	if len(issues) == 0 {
		return []sdk.CheckState{passState("ssh.banner_software.ok", "All probed servers advertise a recognised OpenSSH build.")}
	}
	return statesFromIssues(issues)
}

// knownVulnsRule maps the observed banner against an OpenSSH CVE
// catalog and emits one state per matched vulnerability.
type knownVulnsRule struct{}

func (r *knownVulnsRule) Name() string { return "ssh.known_vulnerabilities" }
func (r *knownVulnsRule) Description() string {
	return "Matches the advertised OpenSSH version against a curated catalog of remotely-observable CVEs."
}

func (r *knownVulnsRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
	data, errSt := loadSSHData(ctx, obs)
	if errSt != nil {
		return []sdk.CheckState{*errSt}
	}
	if len(data.Endpoints) == 0 {
		return []sdk.CheckState{noEndpointsState("ssh.known_vulnerabilities.no_endpoints")}
	}
	var issues []Issue
	for _, ep := range data.Endpoints {
		issues = append(issues, analyseBannerVulns(ep.Address, ep.Banner, ep.SoftVer)...)
	}
	if len(issues) == 0 {
		return []sdk.CheckState{passState("ssh.known_vulnerabilities.ok", "No known CVE match against the advertised OpenSSH versions.")}
	}
	return statesFromIssues(issues)
}