Harden contract validation, STARTTLS edge cases, and rule output

contract/contract.go

@@ -16,6 +16,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"strings"
 
 	sdk "git.happydns.org/checker-sdk-go/checker"
 )
@@ -58,10 +59,27 @@ type TLSEndpoint struct {
 	RequireSTARTTLS bool `json:"require,omitempty"`
 }
 
+// Validate rejects endpoints that cannot be probed: empty Host or zero Port.
+// STARTTLS dialect is intentionally not checked here (the checker surfaces
+// unsupported dialects at runtime via the tls.starttls_dialect_supported
+// rule), and SNI defaults to Host downstream.
+func (ep TLSEndpoint) Validate() error {
+	if strings.TrimSpace(strings.TrimSuffix(ep.Host, ".")) == "" {
+		return fmt.Errorf("contract: TLSEndpoint.Host is required")
+	}
+	if ep.Port == 0 {
+		return fmt.Errorf("contract: TLSEndpoint.Port must be 1-65535")
+	}
+	return nil
+}
+
 // NewEntry wraps ep in an sdk.DiscoveryEntry with Type, a deterministic Ref
 // derived from ep, and a marshaled Payload. The returned entry can be
 // returned as-is from a DiscoveryPublisher implementation.
 func NewEntry(ep TLSEndpoint) (sdk.DiscoveryEntry, error) {
+	if err := ep.Validate(); err != nil {
+		return sdk.DiscoveryEntry{}, err
+	}
 	payload, err := json.Marshal(ep)
 	if err != nil {
 		return sdk.DiscoveryEntry{}, fmt.Errorf("contract: marshal TLSEndpoint: %w", err)
@@ -95,7 +113,7 @@ func Ref(ep TLSEndpoint) string {
 		req = "1"
 	}
 	canonical := fmt.Sprintf("%s|%d|%s|%s|%s", ep.Host, ep.Port, sni, ep.STARTTLS, req)
-	sum := sha1.Sum([]byte(canonical))
+	sum := sha1.Sum([]byte(canonical)) // #nosec G401 G505 -- non-cryptographic stable key; see doc comment above
 	return hex.EncodeToString(sum[:8])
 }
 
@@ -109,6 +127,9 @@ func ParseEntry(e sdk.DiscoveryEntry) (TLSEndpoint, error) {
 	if err := json.Unmarshal(e.Payload, &ep); err != nil {
 		return TLSEndpoint{}, fmt.Errorf("contract: unmarshal TLSEndpoint: %w", err)
 	}
+	if err := ep.Validate(); err != nil {
+		return TLSEndpoint{}, err
+	}
 	return ep, nil
 }