Xe Iaso
a4c08687cc
docs: add blogpost for announcing v1.21.1 ( #886 )
...
* docs: add release announcement post for v1.21.1
Signed-off-by: Xe Iaso <me@xeiaso.net>
* docs(v1.21.1): small fixups
Signed-off-by: Xe Iaso <me@xeiaso.net>
* docs(v1.21.1): spelling fixes
Signed-off-by: Xe Iaso <me@xeiaso.net>
* docs(v1.21.1): clarify that Bell is trash
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: spelling
check-spelling run (pull_request) for Xe/v1.21.1-blogpost
Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com>
on-behalf-of: @check-spelling <check-spelling-bot@check-spelling.dev>
---------
Signed-off-by: Xe Iaso <me@xeiaso.net>
Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com>
2025-07-22 16:42:58 -04:00
Xe Iaso
f5b3bf81bc
feat: dev container support ( #734 )
...
* chore: add devcontainer for Anubis
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore(devcontainer): ensure user can write to $HOME
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore(devcontainer): forward ports, add launch config
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore(devcontainer): add playwright deps
Signed-off-by: Xe Iaso <me@xeiaso.net>
* docs: document devcontainer usage
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: spelling
Signed-off-by: Xe Iaso <me@xeiaso.net>
* ci(devcontainer): fix action references
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore(devcontainer): fix ko on arm64
Signed-off-by: Xe Iaso <me@xeiaso.net>
---------
Signed-off-by: Xe Iaso <me@xeiaso.net>
2025-06-29 23:41:29 -04:00
Xe Iaso
e3826df3ab
feat: implement a client for Thoth, the IP reputation database for Anubis ( #637 )
...
* feat(internal): add Thoth client and simple ASN checker
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(thoth): cached ip to asn checker
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: go mod tidy
Signed-off-by: Xe Iaso <me@xeiaso.net>
* fix(thoth): minor testing fixups, ensure ASNChecker is Checker
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(thoth): make ASNChecker instances
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(thoth): add GeoIP checker
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(thoth): store a thoth client in a context
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: refactor Checker type to its own package
Signed-off-by: Xe Iaso <me@xeiaso.net>
* test(thoth): add thoth mocking package, ignore context deadline exceeded errors
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(thoth): pre-cache private ranges
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(lib/policy/config): enable thoth ASNs and GeoIP checker parsing
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore(thoth): refactor to move checker creation to the checker files
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(policy): enable thoth checks
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(thothmock): test helper function for loading a mock thoth instance
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat: wire up Thoth, make thoth checks part of the default config
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: spelling
Signed-off-by: Xe Iaso <me@xeiaso.net>
* fix(thoth): mend staticcheck errors
Signed-off-by: Xe Iaso <me@xeiaso.net>
* docs(admin): add Thoth docs
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore(policy): update Thoth links in error messages
Signed-off-by: Xe Iaso <me@xeiaso.net>
* docs: update CHANGELOG
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: spelling
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore(docs/manifest): enable Thoth
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: add THOTH_INSECURE for contacting Thoth over plain TCP in extreme circumstances
Signed-off-by: Xe Iaso <me@xeiaso.net>
* test(thoth): use mock thoth when credentials aren't detected in the environment
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: spelling
Signed-off-by: Xe Iaso <me@xeiaso.net>
* fix(cmd/anubis): better warnings for half-configured Thoth setups
Signed-off-by: Xe Iaso <me@xeiaso.net>
* docs(botpolicies): link to Thoth geoip docs
Signed-off-by: Xe Iaso <me@xeiaso.net>
---------
Signed-off-by: Xe Iaso <me@xeiaso.net>
2025-06-16 11:57:32 -04:00
Xe Iaso
865d513e35
feat(checker): add CEL for matching complicated expressions ( #421 )
...
* feat(lib/policy): add support for CEL checkers
This adds the ability for administrators to use Common Expression
Language[0] (CEL) for more advanced check logic than Anubis previously
offered.
These can be as simple as:
```yaml
- name: allow-api-routes
action: ALLOW
expression:
and:
- '!(method == "HEAD" || method == "GET")'
- path.startsWith("/api/")
```
or get as complicated as:
```yaml
- name: allow-git-clients
action: ALLOW
expression:
and:
- userAgent.startsWith("git/") || userAgent.contains("libgit") || userAgent.startsWith("go-git") || userAgent.startsWith("JGit/") || userAgent.startsWith("JGit-")
- >
"Git-Protocol" in headers && headers["Git-Protocol"] == "version=2"
```
Internally these are compiled and evaluated with cel-go[1]. This also
leaves room for extensibility should that be desired in the future. This
will intersect with #338 and eventually intersect with TLS fingerprints
as in #337 .
[0]: https://cel.dev/
[1]: https://github.com/google/cel-go
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(data/apps): add API route allow rule for non-HEAD/GET
Signed-off-by: Xe Iaso <me@xeiaso.net>
* docs: document expression syntax
Signed-off-by: Xe Iaso <me@xeiaso.net>
* fix: fixes in review
Signed-off-by: Xe Iaso <me@xeiaso.net>
---------
Signed-off-by: Xe Iaso <me@xeiaso.net>
2025-05-03 14:26:54 -04:00
