package checker import ( "encoding/json" "fmt" "html/template" "sort" "strings" "time" sdk "git.happydns.org/checker-sdk-go/checker" ) type reportFix struct { Severity string Code string Message string Fix string Endpoint string } type reportEndpoint struct { Mode string ModeLabel string SRVPrefix string Target string Port uint16 Address string IsIPv6 bool DirectTLS bool TCPConnected bool StreamOpened bool STARTTLSOffered bool STARTTLSRequired bool STARTTLSUpgraded bool TLSVersion string TLSCipher string SASLMechanisms []string DialbackOffered bool SASLExternal bool StreamFrom string ElapsedMS int64 Error string // TLS posture (from a related tls_probes observation, when available). TLSPosture *reportTLSPosture // Rendering helpers. AnyFail bool StatusLabel string StatusClass string } type reportTLSPosture struct { CheckedAt time.Time ChainValid *bool HostnameMatch *bool NotAfter time.Time Issues []reportFix } type reportSRVEntry struct { Prefix string Target string Port uint16 Priority uint16 Weight uint16 IPv4 []string IPv6 []string } type reportData struct { Domain string RunAt string StatusLabel string StatusClass string HasIssues bool Fixes []reportFix SRV []reportSRVEntry FallbackProbed bool JabberLegacy bool Endpoints []reportEndpoint HasIPv4 bool HasIPv6 bool WorkingC2S bool WorkingS2S bool HasTLSPosture bool } var reportTpl = template.Must(template.New("xmpp").Funcs(template.FuncMap{ "hasPrefix": strings.HasPrefix, "deref": func(b *bool) bool { return b != nil && *b }, }).Parse(` XMPP Report: {{.Domain}}

XMPP: {{.Domain}}

{{.StatusLabel}}
{{if .WorkingC2S}}c2s OK{{else}}c2s FAIL{{end}} {{if .WorkingS2S}}s2s OK{{else}}s2s FAIL{{end}} {{if .HasIPv4}}IPv4{{end}} {{if .HasIPv6}}IPv6{{end}}
Checked {{.RunAt}}
{{if .HasIssues}}

What to fix

{{range .Fixes}}
{{.Code}}{{if .Endpoint}} · {{.Endpoint}}{{end}}
{{.Message}}
{{if .Fix}}
→ {{.Fix}}
{{end}}
{{end}}
{{end}}

DNS / SRV

{{if .FallbackProbed}}

No SRV records published; fell back to probing the bare domain on default ports.

{{else if .SRV}} {{range .SRV}} {{end}}
RecordTargetPortPrio/WeightIPv4IPv6
{{.Prefix}} {{.Target}} {{.Port}} {{.Priority}}/{{.Weight}} {{range .IPv4}}{{.}} {{end}} {{range .IPv6}}{{.}} {{end}}
{{else}}

No SRV records found.

{{end}} {{if .JabberLegacy}}

⚠ Obsolete _jabber._tcp records are still published.

{{end}}
{{if .Endpoints}}

Endpoints ({{len .Endpoints}})

{{range .Endpoints}} {{.ModeLabel}} · {{.Address}}{{if .DirectTLS}} · direct-TLS{{end}} {{.StatusLabel}}
SRV
{{.SRVPrefix}}{{.Target}}:{{.Port}}
Family
{{if .IsIPv6}}IPv6{{else}}IPv4{{end}}
TCP
{{if .TCPConnected}}✓ connected{{else}}✗ failed{{end}}
Stream
{{if .StreamOpened}}✓ opened{{if .StreamFrom}} (from={{.StreamFrom}}){{end}}{{else}}✗ not opened{{end}}
{{if not .DirectTLS}}
STARTTLS
{{if .STARTTLSOffered}}✓ offered{{else}}✗ not offered{{end}} {{if .STARTTLSRequired}} · required{{else if .STARTTLSOffered}} · not required{{end}}
{{end}}
TLS
{{if .STARTTLSUpgraded}}✓ {{.TLSVersion}}{{if .TLSCipher}} — {{.TLSCipher}}{{end}}{{else}}✗ no TLS{{end}}
{{if eq .Mode "c2s"}}
SASL
{{if .SASLMechanisms}}
{{range .SASLMechanisms}}{{.}}{{end}}
{{else}}none advertised{{end}}
{{end}} {{if eq .Mode "s2s"}}
Federation
{{if .DialbackOffered}}✓ dialback{{else}}✗ no dialback{{end}} · {{if .SASLExternal}}✓ SASL EXTERNAL{{else}}✗ no SASL EXTERNAL{{end}}
{{end}} {{with .TLSPosture}}
TLS cert
{{if .ChainValid}} {{if deref .ChainValid}}✓ chain valid{{else}}✗ chain invalid{{end}} {{end}} {{if .HostnameMatch}} · {{if deref .HostnameMatch}}✓ hostname match{{else}}✗ hostname mismatch{{end}} {{end}} {{if not .NotAfter.IsZero}} · expires {{.NotAfter.Format "2006-01-02"}} {{end}} {{if not .CheckedAt.IsZero}}
TLS checked {{.CheckedAt.Format "2006-01-02 15:04 MST"}}
{{end}} {{range .Issues}}
{{.Code}}
{{.Message}}
{{if .Fix}}
→ {{.Fix}}
{{end}}
{{end}}
{{end}}
Duration
{{.ElapsedMS}} ms
{{if .Error}}
Error
{{.Error}}
{{end}}
{{end}}
{{end}}

{{if .HasTLSPosture}}Certificate posture above comes from the TLS checker, which probed the same endpoints after we discovered them.{{else}}For certificate chain, SAN match, expiry, and cipher posture, run the TLS checker on the same ports.{{end}}

`)) // GetHTMLReport implements sdk.CheckerHTMLReporter. It folds in related TLS // observations so the XMPP service page shows cert posture directly, without // the user having to open a separate TLS report. // // The hint/fix section is driven exclusively by ctx.States(): it is the host // that has already evaluated every rule and handed us the resulting // CheckStates. The report never re-derives issues from the raw observation // so there is no duplicated judgment logic. When States() is empty (for // example a standalone render with no rule run), we still show the raw // facts (SRV table, endpoint details) but drop the actionable hints. func (p *xmppProvider) GetHTMLReport(rctx sdk.ReportContext) (string, error) { var d XMPPData if err := json.Unmarshal(rctx.Data(), &d); err != nil { return "", fmt.Errorf("unmarshal xmpp observation: %w", err) } view := buildReportData(&d, rctx.Related(TLSRelatedKey), rctx.States()) return renderReport(view) } func renderReport(view reportData) (string, error) { var buf strings.Builder if err := reportTpl.Execute(&buf, view); err != nil { return "", fmt.Errorf("render xmpp report: %w", err) } return buf.String(), nil } func buildReportData(d *XMPPData, related []sdk.RelatedObservation, states []sdk.CheckState) reportData { tlsByAddr := indexTLSByAddress(related) // Fix list comes exclusively from the CheckStates the host evaluated. // When no states were supplied (standalone renders, one-off tests), // the hint section is skipped entirely: we show raw facts only, // never re-judge the observation here. fixes := fixesFromStates(states) hasStates := len(states) > 0 view := reportData{ Domain: d.Domain, RunAt: d.RunAt, FallbackProbed: d.SRV.FallbackProbed, JabberLegacy: len(d.SRV.Jabber) > 0, HasIPv4: d.Coverage.HasIPv4, HasIPv6: d.Coverage.HasIPv6, WorkingC2S: d.Coverage.WorkingC2S, WorkingS2S: d.Coverage.WorkingS2S, HasIssues: len(fixes) > 0, HasTLSPosture: len(tlsByAddr) > 0, } // Status banner: driven by the worst CheckState when available, // otherwise a neutral label (data-only render). if !hasStates { view.StatusLabel = "DATA" view.StatusClass = "muted" } else { worst := sdk.StatusOK for _, s := range states { if s.Status > worst { worst = s.Status } } switch worst { case sdk.StatusCrit, sdk.StatusError: view.StatusLabel = "FAIL" view.StatusClass = "fail" case sdk.StatusWarn: view.StatusLabel = "WARN" view.StatusClass = "warn" case sdk.StatusInfo: view.StatusLabel = "INFO" view.StatusClass = "muted" case sdk.StatusUnknown: view.StatusLabel = "UNKNOWN" view.StatusClass = "muted" default: view.StatusLabel = "OK" view.StatusClass = "ok" } } // Fix list: sort crit → warn → info, preserving order within each severity. sevRank := func(s string) int { switch s { case SeverityCrit: return 0 case SeverityWarn: return 1 default: return 2 } } sort.SliceStable(fixes, func(i, j int) bool { return sevRank(fixes[i].Severity) < sevRank(fixes[j].Severity) }) view.Fixes = fixes // SRV rows. addSRV := func(prefix string, records []SRVRecord) { for _, r := range records { view.SRV = append(view.SRV, reportSRVEntry{ Prefix: prefix, Target: r.Target, Port: r.Port, Priority: r.Priority, Weight: r.Weight, IPv4: r.IPv4, IPv6: r.IPv6, }) } } addSRV("_xmpp-client._tcp", d.SRV.Client) addSRV("_xmpp-server._tcp", d.SRV.Server) addSRV("_xmpps-client._tcp", d.SRV.ClientSecure) addSRV("_xmpps-server._tcp", d.SRV.ServerSecure) addSRV("_jabber._tcp", d.SRV.Jabber) // Endpoint rows. for _, ep := range d.Endpoints { re := reportEndpoint{ Mode: string(ep.Mode), ModeLabel: modeLabel(ep.Mode), SRVPrefix: ep.SRVPrefix, Target: ep.Target, Port: ep.Port, Address: ep.Address, IsIPv6: ep.IsIPv6, DirectTLS: ep.DirectTLS, TCPConnected: ep.TCPConnected, StreamOpened: ep.StreamOpened, STARTTLSOffered: ep.STARTTLSOffered, STARTTLSRequired: ep.STARTTLSRequired, STARTTLSUpgraded: ep.STARTTLSUpgraded, TLSVersion: ep.TLSVersion, TLSCipher: ep.TLSCipher, SASLMechanisms: ep.SASLMechanisms, DialbackOffered: ep.DialbackOffered, SASLExternal: ep.SASLExternal, StreamFrom: ep.StreamFrom, ElapsedMS: ep.ElapsedMS, Error: ep.Error, } if meta, hit := tlsByAddr[ep.Address]; hit { re.TLSPosture = meta } else if meta, hit := tlsByAddr[endpointKey(ep.Target, ep.Port)]; hit { re.TLSPosture = meta } ok := ep.TCPConnected && ep.STARTTLSUpgraded if ep.Mode == ModeServer { ok = ok && (ep.DialbackOffered || ep.SASLExternal) } if ep.Mode == ModeClient { ok = ok && len(ep.SASLMechanisms) > 0 } re.AnyFail = !ok if ok { re.StatusLabel = "OK" re.StatusClass = "ok" } else if ep.TCPConnected { re.StatusLabel = "partial" re.StatusClass = "warn" } else { re.StatusLabel = "unreachable" re.StatusClass = "fail" } view.Endpoints = append(view.Endpoints, re) } return view } // fixesFromStates turns CheckStates handed to us by the host into the // severity-tagged entries rendered in the "What to fix" section. It is // intentionally the only source of hints on the report: the raw // observation is never re-judged here. func fixesFromStates(states []sdk.CheckState) []reportFix { var out []reportFix for _, s := range states { var sev string switch s.Status { case sdk.StatusCrit, sdk.StatusError: sev = SeverityCrit case sdk.StatusWarn: sev = SeverityWarn case sdk.StatusInfo: sev = SeverityInfo default: // OK / Unknown: not an actionable finding. continue } fix := "" if s.Meta != nil { if v, ok := s.Meta["fix"].(string); ok { fix = v } } out = append(out, reportFix{ Severity: sev, Code: s.Code, Message: s.Message, Fix: fix, Endpoint: s.Subject, }) } return out } func modeLabel(m XMPPMode) string { switch m { case ModeClient: return "client" case ModeServer: return "server" default: return string(m) } } // indexTLSByAddress returns a map keyed by "host:port" (and by the SRV // target:port when host is the target) pointing at a reportTLSPosture. // This lets the template match a related observation to the right endpoint. func indexTLSByAddress(related []sdk.RelatedObservation) map[string]*reportTLSPosture { out := map[string]*reportTLSPosture{} for _, r := range related { v := parseTLSRelated(r) if v == nil { continue } addr := v.address() if addr == "" { continue } posture := &reportTLSPosture{ CheckedAt: r.CollectedAt, ChainValid: v.ChainValid, HostnameMatch: v.HostnameMatch, NotAfter: v.NotAfter, } for _, is := range v.Issues { sev := strings.ToLower(is.Severity) if sev != SeverityCrit && sev != SeverityWarn && sev != SeverityInfo { continue } posture.Issues = append(posture.Issues, reportFix{ Severity: sev, Code: is.Code, Message: is.Message, Fix: is.Fix, }) } out[addr] = posture } return out }