package checker import ( "strconv" sdk "git.happydns.org/checker-sdk-go/checker" ) func Provider() sdk.ObservationProvider { return &xmppProvider{} } type xmppProvider struct{} func (p *xmppProvider) Key() sdk.ObservationKey { return ObservationKeyXMPP } // Definition implements sdk.CheckerDefinitionProvider. func (p *xmppProvider) Definition() *sdk.CheckerDefinition { return Definition() } // DiscoverEndpoints implements sdk.EndpointDiscoverer. // // It publishes the (host, port) pairs of every SRV target we found, so a // downstream TLS checker can verify the certificate chain / SAN / expiry on // each one without re-doing the SRV lookup. The XMPP checker itself does not // perform certificate verification — that posture lives in the TLS checker. // // SNI is set to the bare JID domain rather than the SRV target, because XMPP // certificates must be valid for the source domain (RFC 6120 §13.7.2.1), // which is typically different from the SRV target hostname. func (p *xmppProvider) DiscoverEndpoints(data any) ([]sdk.DiscoveredEndpoint, error) { d, ok := data.(*XMPPData) if !ok || d == nil { return nil, nil } // Carry over the STARTTLS-required posture observed during probing. starttlsRequired := map[string]bool{} for _, ep := range d.Endpoints { if ep.STARTTLSRequired { starttlsRequired[endpointKey(ep.Target, ep.Port)] = true } } var out []sdk.DiscoveredEndpoint emit := func(epType string, recs []SRVRecord, directTLS bool) { for _, r := range recs { ep := sdk.DiscoveredEndpoint{ Type: epType, Host: r.Target, Port: r.Port, SNI: d.Domain, } if !directTLS { mode := "opportunistic" if starttlsRequired[endpointKey(r.Target, r.Port)] { mode = "required" } ep.Meta = map[string]any{"starttls": mode} } out = append(out, ep) } } emit("starttls-xmpp-client", d.SRV.Client, false) emit("starttls-xmpp-server", d.SRV.Server, false) emit("tls", d.SRV.ClientSecure, true) emit("tls", d.SRV.ServerSecure, true) return out, nil } func endpointKey(host string, port uint16) string { return host + ":" + strconv.Itoa(int(port)) }