blacklist: add domain reputation check via checker-blacklist

Integrates the checker-blacklist module behind a new POST /blacklist/domain endpoint that aggregates reputation/blocklist sources for a given domain, plus a SvelteKit UI under /blacklist/domain mirroring the existing IP blacklist flow. Per-source credentials (VirusTotal, Safe Browsing) are exposed as CLI flags; free sources run unconditionally. Closes: #96
2026-06-04 18:38:45 +09:00 · 2026-06-04 18:38:45 +09:00 · f14209d4fa
commit f14209d4fa
parent d53c1b1e00
13 changed files with 655 additions and 21 deletions
--- a/internal/api/handlers.go
+++ b/internal/api/handlers.go
@ -22,6 +22,7 @@
 package api

 import (
+	"context"
 	"fmt"
 	"net/http"
 	"time"
@ -30,8 +31,10 @@ import (
 	"github.com/google/uuid"
 	openapi_types "github.com/oapi-codegen/runtime/types"

+	sdk "git.happydns.org/checker-sdk-go/checker"
 	"git.happydns.org/happyDeliver/internal/config"
 	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/reputation"
 	"git.happydns.org/happyDeliver/internal/storage"
 	"git.happydns.org/happyDeliver/internal/utils"
 	"git.happydns.org/happyDeliver/internal/version"
@ -47,19 +50,21 @@ type EmailAnalyzer interface {

 // APIHandler implements the ServerInterface for handling API requests
 type APIHandler struct {
-	storage   storage.Storage
-	config    *config.Config
-	analyzer  EmailAnalyzer
-	startTime time.Time
+	storage           storage.Storage
+	config            *config.Config
+	analyzer          EmailAnalyzer
+	blacklistProvider sdk.ObservationProvider
+	startTime         time.Time
 }

 // NewAPIHandler creates a new API handler
-func NewAPIHandler(store storage.Storage, cfg *config.Config, analyzer EmailAnalyzer) *APIHandler {
+func NewAPIHandler(store storage.Storage, cfg *config.Config, analyzer EmailAnalyzer, blacklistProvider sdk.ObservationProvider) *APIHandler {
 	return &APIHandler{
-		storage:   store,
-		config:    cfg,
-		analyzer:  analyzer,
-		startTime: time.Now(),
+		storage:           store,
+		config:            cfg,
+		analyzer:          analyzer,
+		blacklistProvider: blacklistProvider,
+		startTime:         time.Now(),
 	}
 }

@ -339,6 +344,7 @@ func (h *APIHandler) TestDomain(c *gin.Context) {
 		Score:      score,
 		Grade:      responseGrade,
 		DnsResults: *dnsResults,
+		Blacklist:  h.runDomainBlacklist(c.Request.Context(), request.Domain),
 	}

 	c.JSON(http.StatusOK, response)
@ -383,6 +389,32 @@ func (h *APIHandler) CheckBlacklist(c *gin.Context) {
 	c.JSON(http.StatusOK, response)
 }

+// runDomainBlacklist runs the checker-blacklist aggregation against a domain.
+// It returns nil (and logs nothing fatal) when the check cannot be run, so the
+// surrounding domain analysis still succeeds.
+func (h *APIHandler) runDomainBlacklist(ctx context.Context, domain string) *model.DomainBlacklistResult {
+	opts := h.config.Analysis.Blacklist.AsCheckerOptions()
+	// "domain_name" is the option key the checker-blacklist provider reads
+	// (see checker/collect.go in the checker-blacklist module).
+	opts["domain_name"] = domain
+
+	// Cap the aggregation: sources run concurrently, each with its own
+	// timeouts; this is the host-side ceiling.
+	timeout := h.config.Analysis.HTTPTimeout
+	if timeout <= 0 {
+		timeout = 30 * time.Second
+	}
+	ctx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	raw, err := h.blacklistProvider.Collect(ctx, opts)
+	if err != nil {
+		return nil
+	}
+
+	return reputation.FromObservation(raw)
+}
+
 // ListTests returns a paginated list of test summaries
 // (GET /tests)
 func (h *APIHandler) ListTests(c *gin.Context, params ListTestsParams) {