// Package checker implements a TLS checker for happyDomain. See README for
// the payload shape and consumer contract.
package checker
import "time"
// ObservationKeyTLSProbes names the observation slot this checker writes;
// the value stored under it is a TLSData.
const (
	ObservationKeyTLSProbes = "tls_probes"
)
// OptionEndpoints is the id of the endpoints option on CheckerOptions.
const OptionEndpoints = "endpoints"

// OptionProbeTimeoutMs is the id of the probeTimeoutMs option on
// CheckerOptions; DefaultProbeTimeoutMs is the fallback when it is unset
// or invalid.
const OptionProbeTimeoutMs = "probeTimeoutMs"
// DefaultProbeTimeoutMs is the per-probe timeout in milliseconds. It serves
// both as the definition's Default field and as the runtime fallback when
// probeTimeoutMs is unset or invalid.
const DefaultProbeTimeoutMs = 10000

// MaxConcurrentProbes bounds how many probes a single collect run performs
// in parallel, so that a domain with many endpoints cannot exhaust file
// descriptors.
const MaxConcurrentProbes = 32
// SeverityCrit, SeverityWarn and SeverityInfo are the values carried by
// Issue.Severity. They are lowercase ASCII and are emitted verbatim in the
// JSON payload.
const SeverityCrit = "crit"
const SeverityWarn = "warn"
const SeverityInfo = "info"
// TLSData is the full collected payload written under ObservationKeyTLSProbes.
type TLSData struct {
	// Probes holds one TLSProbe per probed endpoint. The map key is not
	// fixed by this file (presumably the endpoint string; confirm against
	// the collector). Note that a nil map is encoded as JSON null rather
	// than {}, since the tag carries no omitempty.
	Probes map[string]TLSProbe `json:"probes"`
	// CollectedAt is the time the collect run produced this payload.
	CollectedAt time.Time `json:"collected_at"`
}
// TLSProbe captures the outcome of probing a single endpoint. Field names
// mirror what consumers already parse (checker-xmpp's tlsProbeView).
//
// Most fields are tagged omitempty so a failed probe serialises as little
// more than Host/Port/Endpoint/Type and Error. Be aware that omitempty has no
// effect on a struct-typed field such as NotAfter: encoding/json never treats
// a struct as empty, so a probe that obtained no certificate still emits the
// zero time "0001-01-01T00:00:00Z". Consumers should test NotAfter.IsZero()
// rather than the key's presence. (If the module targets Go 1.24+, the
// omitzero tag option would omit it; that is not assumed here.)
type TLSProbe struct {
	// Host, Port and Endpoint identify the probed endpoint; Type tags the
	// kind of probe. The Type vocabulary is defined by the collector, not
	// in this file.
	Host     string `json:"host"`
	Port     uint16 `json:"port"`
	Endpoint string `json:"endpoint"`
	Type     string `json:"type"`
	// SNI is the server name indication used for the handshake, when any.
	SNI string `json:"sni,omitempty"`
	// TLSVersion and CipherSuite describe the negotiated session, as
	// strings in whatever rendering the collector chooses.
	TLSVersion  string `json:"tls_version,omitempty"`
	CipherSuite string `json:"cipher_suite,omitempty"`
	// HostnameMatch and ChainValid are pointers, presumably so that
	// "not evaluated" (nil, omitted from JSON) stays distinguishable from
	// an explicit false — confirm against the collector before relying
	// on that tri-state.
	HostnameMatch *bool `json:"hostname_match,omitempty"`
	ChainValid    *bool `json:"chain_valid,omitempty"`
	// NotAfter is the leaf certificate's expiry. See the type comment:
	// omitempty does not apply to time.Time, so the zero value is emitted.
	NotAfter time.Time `json:"not_after,omitempty"`
	// Issuer is a string rendering of the leaf's issuer; its exact format
	// is not fixed here (IssuerDN below carries the RFC 2253 form).
	Issuer string `json:"issuer,omitempty"`
	// IssuerDN is the leaf's issuer as an RFC 2253 DN string, suitable for
	// matching the CCADB CAA Identifiers CSV "Subject" column when the AKI
	// lookup misses.
	IssuerDN string `json:"issuer_dn,omitempty"`
	// IssuerAKI is the uppercase hex of the leaf's Authority Key Identifier
	// extension (i.e. the issuer cert's SKI). This is the primary lookup key
	// into the CCADB CAA Identifiers CSV ("Subject Key Identifier (Hex)").
	IssuerAKI string `json:"issuer_aki,omitempty"`
	// Subject is a string rendering of the leaf's subject (format as for
	// Issuer).
	Subject string `json:"subject,omitempty"`
	// DNSNames lists the names the leaf certificate is valid for —
	// presumably its SAN dNSName entries; verify against the collector.
	DNSNames []string `json:"dns_names,omitempty"`
	// ElapsedMS is the wall-clock duration of the probe in milliseconds.
	ElapsedMS int64 `json:"elapsed_ms,omitempty"`
	// Error carries the failure text when the probe did not complete. It is
	// passed through to consumers as-is.
	Error string `json:"error,omitempty"`
	// Issues lists the findings raised for this endpoint; see Issue.
	Issues []Issue `json:"issues,omitempty"`
}
// Issue is a single TLS finding surfaced to the consumer.
type Issue struct {
	// Code identifies the finding. The set of codes is defined by the
	// collector that raises them, not in this file; it is always present.
	Code string `json:"code"`
	// Severity is one of SeverityCrit, SeverityWarn or SeverityInfo.
	Severity string `json:"severity"`
	// Message is the explanation shown for the finding, and Fix, when
	// present, the suggested remediation. Both are optional on the wire.
	Message string `json:"message,omitempty"`
	Fix     string `json:"fix,omitempty"`
}