package checker

import (
	"context"
	"fmt"

	sdk "git.happydns.org/checker-sdk-go/checker"
)

// tlsHandshakeRule reports every reachable endpoint whose TLS handshake
// did not complete.
//
// It deliberately stays silent on two classes of probes that other rules
// own: endpoints that could not be reached at all (reachability rule) and
// STARTTLS endpoints that never advertised or could not negotiate the
// upgrade (starttlsAdvertisedRule / starttlsSupportedRule).
type tlsHandshakeRule struct{}

// Name returns the rule identifier used in check output.
func (r *tlsHandshakeRule) Name() string {
	return "tls.handshake"
}

// Description returns the human-readable summary of what the rule checks.
func (r *tlsHandshakeRule) Description() string {
	return "Verifies the TLS handshake completes on every reachable endpoint."
}

// Evaluate loads the probe data through obs and emits one critical
// CheckState per endpoint whose handshake failed with a recorded error.
//
// Return shape:
//   - the error state from loadData when the observation cannot be loaded;
//   - a single "tls.handshake.no_endpoints" empty-case state when there are
//     no probes;
//   - one "tls.handshake.failed" state per failing endpoint, in sortedRefs
//     order; or
//   - a single "tls.handshake.ok" pass state when nothing failed.
//
// The CheckerOptions argument is not consulted.
func (r *tlsHandshakeRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
	data, loadErr := loadData(ctx, obs)
	if loadErr != nil {
		return []sdk.CheckState{*loadErr}
	}
	if len(data.Probes) == 0 {
		return []sdk.CheckState{emptyCaseState("tls.handshake.no_endpoints")}
	}

	var failures []sdk.CheckState
	for _, ref := range sortedRefs(data) {
		probe := data.Probes[ref]

		switch {
		case probe.TCPError != "":
			// Unreachable endpoints are the reachability rule's finding.
			continue
		case probe.STARTTLSNotOffered || probe.STARTTLSUnsupportedProto:
			// Missing/unsupported STARTTLS is reported by the STARTTLS rules.
			continue
		case probe.TLSHandshakeOK:
			continue
		case probe.HandshakeError == "":
			// NOTE(review): a probe with TLSHandshakeOK == false and no
			// HandshakeError is passed over without a finding. Presumably
			// that means the handshake was never attempted; confirm the
			// probe never leaves a failed handshake with an empty error,
			// otherwise such an endpoint would silently count as ok.
			continue
		}

		failures = append(failures, sdk.CheckState{
			Status:  sdk.StatusCrit,
			Code:    "tls.handshake.failed",
			Subject: subjectOf(probe),
			Message: fmt.Sprintf("TLS handshake failed on %s: %s", probe.Endpoint, probe.HandshakeError),
			Meta:    metaOf(probe),
		})
	}

	if len(failures) > 0 {
		return failures
	}
	return []sdk.CheckState{passState(
		"tls.handshake.ok",
		"TLS handshake succeeded on every reachable endpoint.",
	)}
}