anubis

mirror of https://github.com/TecharoHQ/anubis.git synced 2025-08-03 17:59:24 -04:00

Author	SHA1	Message	Date
Xe Iaso	e3826df3ab	feat: implement a client for Thoth, the IP reputation database for Anubis (#637 ) * feat(internal): add Thoth client and simple ASN checker Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thoth): cached ip to asn checker Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: go mod tidy Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(thoth): minor testing fixups, ensure ASNChecker is Checker Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thoth): make ASNChecker instances Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thoth): add GeoIP checker Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thoth): store a thoth client in a context Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: refactor Checker type to its own package Signed-off-by: Xe Iaso <me@xeiaso.net> * test(thoth): add thoth mocking package, ignore context deadline exceeded errors Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thoth): pre-cache private ranges Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(lib/policy/config): enable thoth ASNs and GeoIP checker parsing Signed-off-by: Xe Iaso <me@xeiaso.net> * chore(thoth): refactor to move checker creation to the checker files Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(policy): enable thoth checks Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thothmock): test helper function for loading a mock thoth instance Signed-off-by: Xe Iaso <me@xeiaso.net> * feat: wire up Thoth, make thoth checks part of the default config Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(thoth): mend staticcheck errors Signed-off-by: Xe Iaso <me@xeiaso.net> * docs(admin): add Thoth docs Signed-off-by: Xe Iaso <me@xeiaso.net> * chore(policy): update Thoth links in error messages Signed-off-by: Xe Iaso <me@xeiaso.net> * docs: update CHANGELOG Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> * chore(docs/manifest): enable Thoth Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: add THOTH_INSECURE for contacting Thoth over plain TCP in extreme circumstances Signed-off-by: Xe Iaso <me@xeiaso.net> * test(thoth): use mock thoth when credentials aren't detected in the environment Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(cmd/anubis): better warnings for half-configured Thoth setups Signed-off-by: Xe Iaso <me@xeiaso.net> * docs(botpolicies): link to Thoth geoip docs Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-06-16 11:57:32 -04:00
dependabot[bot]	988fc0941b	build(deps): bump github.com/cloudflare/circl from 1.6.0 to 1.6.1 (#650 ) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.6.0 to 1.6.1. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.6.0...v1.6.1) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-version: 1.6.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-06-11 16:52:10 +00:00
dependabot[bot]	6eaf0e13a2	build(deps): bump the gomod group with 2 updates (#634 ) Bumps the gomod group with 2 updates: [github.com/a-h/templ](https://github.com/a-h/templ) and [golang.org/x/net](https://github.com/golang/net). Updates `github.com/a-h/templ` from 0.3.887 to 0.3.898 - [Release notes](https://github.com/a-h/templ/releases) - [Changelog](https://github.com/a-h/templ/blob/main/.goreleaser.yaml) - [Commits](https://github.com/a-h/templ/compare/v0.3.887...v0.3.898) Updates `golang.org/x/net` from 0.40.0 to 0.41.0 - [Commits](https://github.com/golang/net/compare/v0.40.0...v0.41.0) --- updated-dependencies: - dependency-name: github.com/a-h/templ dependency-version: 0.3.898 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: golang.org/x/net dependency-version: 0.41.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-06-08 20:44:25 -04:00
Jason Cameron	9539668049	style: Some minor fixes (#548 ) * chore(deps): update dependencies in go.mod and go.sum Signed-off-by: Jason Cameron <git@jasoncameron.dev> * refactor: rename variables for clarity in anubis.go and main.go Signed-off-by: Jason Cameron <git@jasoncameron.dev> * fix(checker): handle error when inserting IP range in ranger Signed-off-by: Jason Cameron <git@jasoncameron.dev> * fix(tests): simplify boolean checks in header and URL value tests Signed-off-by: Jason Cameron <git@jasoncameron.dev> * refactor(api): remove unused /test-error endpoint and restrict /make-challenge to development Signed-off-by: Jason Cameron <git@jasoncameron.dev> * build(deps): update golang-set to v2.8.0 in go.sum Signed-off-by: Jason Cameron <git@jasoncameron.dev> * Update metadata check-spelling run (pull_request) for json/stuff Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com> on-behalf-of: @check-spelling <check-spelling-bot@check-spelling.dev> --------- Signed-off-by: Jason Cameron <git@jasoncameron.dev> Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com>	2025-06-07 18:21:22 +00:00
dependabot[bot]	b496c90e86	build(deps): bump github.com/a-h/templ in the gomod group (#601 ) Bumps the gomod group with 1 update: [github.com/a-h/templ](https://github.com/a-h/templ). Updates `github.com/a-h/templ` from 0.3.865 to 0.3.887 - [Release notes](https://github.com/a-h/templ/releases) - [Changelog](https://github.com/a-h/templ/blob/main/.goreleaser.yaml) - [Commits](https://github.com/a-h/templ/compare/v0.3.865...v0.3.887) --- updated-dependencies: - dependency-name: github.com/a-h/templ dependency-version: 0.3.887 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-06-01 23:39:42 -04:00
Xe Iaso	3bc9040a96	chore: bump yeet to v0.6.0 Gives us many nice things like: * Windows support for yeet (modulo TecharoHQ/yeet#29) * Removes the dependency on /bin/sh or /bin/bash thanks to mvdan.cc/sh/v3 * Checksum-compliant reproducible builds by default Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-06-01 16:33:08 -04:00
dependabot[bot]	6c247cdec8	build(deps): bump k8s.io/apimachinery in the gomod group (#524 ) Bumps the gomod group with 1 update: [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery). Updates `k8s.io/apimachinery` from 0.33.0 to 0.33.1 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.33.0...v0.33.1) --- updated-dependencies: - dependency-name: k8s.io/apimachinery dependency-version: 0.33.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-05-28 09:41:25 -04:00
Xe Iaso	a0805cad16	chore(go.mod): move yeet to be a go tool (#485 ) This means that yeet's version will be managed by `go.mod` and auto-bumped with dependabot. This removes human error from the equation and ensures that Anubis is always built with the newest version of yeet. This also makes it trivial to make your own local packages for testing: ```text go tool yeet ``` Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-05-09 18:33:44 +00:00
dependabot[bot]	2e54e839f1	build(deps): bump the gomod group across 1 directory with 4 updates (#457 ) * build(deps): bump the gomod group across 1 directory with 4 updates Bumps the gomod group with 4 updates in the / directory: [github.com/a-h/templ](https://github.com/a-h/templ), [github.com/playwright-community/playwright-go](https://github.com/playwright-community/playwright-go), [golang.org/x/net](https://github.com/golang/net) and [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery). Updates `github.com/a-h/templ` from 0.3.857 to 0.3.865 - [Release notes](https://github.com/a-h/templ/releases) - [Changelog](https://github.com/a-h/templ/blob/main/.goreleaser.yaml) - [Commits](https://github.com/a-h/templ/compare/v0.3.857...v0.3.865) Updates `github.com/playwright-community/playwright-go` from 0.5101.0 to 0.5200.0 - [Release notes](https://github.com/playwright-community/playwright-go/releases) - [Commits](https://github.com/playwright-community/playwright-go/compare/v0.5101.0...v0.5200.0) Updates `golang.org/x/net` from 0.39.0 to 0.40.0 - [Commits](https://github.com/golang/net/compare/v0.39.0...v0.40.0) Updates `k8s.io/apimachinery` from 0.32.3 to 0.33.0 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.32.3...v0.33.0) --- updated-dependencies: - dependency-name: github.com/a-h/templ dependency-version: 0.3.865 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/playwright-community/playwright-go dependency-version: 0.5200.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: golang.org/x/net dependency-version: 0.40.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: k8s.io/apimachinery dependency-version: 0.33.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> * chore: go mod tidy && npm run assets Signed-off-by: Xe Iaso <me@xeiaso.net> * ci: use playwright managed by npm Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Xe Iaso <me@xeiaso.net>	2025-05-07 17:48:10 -04:00
Xe Iaso	16412a8bf9	ci: add govulncheck (#456 ) This is intended to catch low-hanging fruit. Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-05-06 14:07:55 +00:00
Xe Iaso	865d513e35	feat(checker): add CEL for matching complicated expressions (#421 ) * feat(lib/policy): add support for CEL checkers This adds the ability for administrators to use Common Expression Language[0] (CEL) for more advanced check logic than Anubis previously offered. These can be as simple as: ```yaml - name: allow-api-routes action: ALLOW expression: and: - '!(method == "HEAD" \|\| method == "GET")' - path.startsWith("/api/") ``` or get as complicated as: ```yaml - name: allow-git-clients action: ALLOW expression: and: - userAgent.startsWith("git/") \|\| userAgent.contains("libgit") \|\| userAgent.startsWith("go-git") \|\| userAgent.startsWith("JGit/") \|\| userAgent.startsWith("JGit-") - > "Git-Protocol" in headers && headers["Git-Protocol"] == "version=2" ``` Internally these are compiled and evaluated with cel-go[1]. This also leaves room for extensibility should that be desired in the future. This will intersect with #338 and eventually intersect with TLS fingerprints as in #337. [0]: https://cel.dev/ [1]: https://github.com/google/cel-go Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(data/apps): add API route allow rule for non-HEAD/GET Signed-off-by: Xe Iaso <me@xeiaso.net> * docs: document expression syntax Signed-off-by: Xe Iaso <me@xeiaso.net> * fix: fixes in review Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-05-03 14:26:54 -04:00
Jason Cameron	301c7a42bd	refactor(lib): Split up anubis.go into some smaller files. (#379 ) * refactor(logging): centralize logger creation in GetLogger function Signed-off-by: Jason Cameron <git@jasoncameron.dev> * refactor(logging): rename GetLogger to GetRequestLogger for clarity Signed-off-by: Jason Cameron <git@jasoncameron.dev> * refactor: streamline error handling and response methods Signed-off-by: Jason Cameron <git@jasoncameron.dev> * refactor(lib): Split anubis.go up into some smaller specialized methods Signed-off-by: Jason Cameron <git@jasoncameron.dev> * refactor(http): simplify error response handling by using respondWithStatus Signed-off-by: Jason Cameron <git@jasoncameron.dev> * chore(lib): run goimports Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Jason Cameron <git@jasoncameron.dev> Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Xe Iaso <me@xeiaso.net>	2025-04-27 13:36:39 +00:00
Xe Iaso	d40b5cfdab	lib: move config to yaml (#307 ) * lib: move config to yaml Signed-off-by: Xe Iaso <me@xeiaso.net> * web: run go generate Signed-off-by: Xe Iaso <me@xeiaso.net> * Add Haiku to known instances (#304) Signed-off-by: Asmodeus <46908100+AsmodeumX@users.noreply.github.com> * Add headers bot rule (#300) * Closes #291: add headers support to bot policy rules * Fix config validator * update docs for JSON -> YAML Signed-off-by: Xe Iaso <me@xeiaso.net> * docs: document http header based actions Signed-off-by: Xe Iaso <me@xeiaso.net> * lib: add missing test Signed-off-by: Xe Iaso <me@xeiaso.net> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net> Signed-off-by: Asmodeus <46908100+AsmodeumX@users.noreply.github.com> Co-authored-by: Asmodeus <46908100+AsmodeumX@users.noreply.github.com> Co-authored-by: Neur0toxine <pashok9825@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-04-21 00:09:27 +00:00
dependabot[bot]	2ebce26709	build(deps): bump the gomod group with 3 updates (#265 ) * build(deps): bump the gomod group with 3 updates Bumps the gomod group with 3 updates: [github.com/playwright-community/playwright-go](https://github.com/playwright-community/playwright-go), [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) and [golang.org/x/net](https://github.com/golang/net). Updates `github.com/playwright-community/playwright-go` from 0.5001.0 to 0.5101.0 - [Release notes](https://github.com/playwright-community/playwright-go/releases) - [Commits](https://github.com/playwright-community/playwright-go/compare/v0.5001.0...v0.5101.0) Updates `github.com/prometheus/client_golang` from 1.21.1 to 1.22.0 - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.21.1...v1.22.0) Updates `golang.org/x/net` from 0.38.0 to 0.39.0 - [Commits](https://github.com/golang/net/compare/v0.38.0...v0.39.0) --- updated-dependencies: - dependency-name: github.com/playwright-community/playwright-go dependency-version: 0.5101.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/prometheus/client_golang dependency-version: 1.22.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: golang.org/x/net dependency-version: 0.39.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> * internal/test: bump playwright version Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Xe Iaso <me@xeiaso.net>	2025-04-15 05:55:50 -04:00
dependabot[bot]	0928c3c830	build(deps): bump the gomod group across 1 directory with 2 updates (#233 ) * build(deps): bump the gomod group across 1 directory with 2 updates Bumps the gomod group with 2 updates in the / directory: [github.com/a-h/templ](https://github.com/a-h/templ) and [golang.org/x/net](https://github.com/golang/net). Updates `github.com/a-h/templ` from 0.3.833 to 0.3.857 - [Release notes](https://github.com/a-h/templ/releases) - [Changelog](https://github.com/a-h/templ/blob/main/.goreleaser.yaml) - [Commits](https://github.com/a-h/templ/compare/v0.3.833...v0.3.857) Updates `golang.org/x/net` from 0.37.0 to 0.38.0 - [Commits](https://github.com/golang/net/compare/v0.37.0...v0.38.0) --- updated-dependencies: - dependency-name: github.com/a-h/templ dependency-version: 0.3.857 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com> * run go generate Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Xe Iaso <me@xeiaso.net>	2025-04-07 14:21:29 +00:00
Xe Iaso	95416dfe82	Makefile: fix subtle logic bug (#228 ) Closes #226 Makefile dependencies are backwards, apparently. Also add staticcheck as a `go tool` dependency.	2025-04-06 00:28:08 -04:00
dependabot[bot]	9d68e73d03	build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4 (#89 ) Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.3 to 3.0.4. - [Release notes](https://github.com/go-jose/go-jose/releases) - [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md) - [Commits](https://github.com/go-jose/go-jose/compare/v3.0.3...v3.0.4) --- updated-dependencies: - dependency-name: github.com/go-jose/go-jose/v3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-03-22 21:18:02 -04:00
Valentin Anger	af6f05554f	internal/test: introduce integration tests using Playwright (#81 )	2025-03-22 16:36:27 -04:00
dependabot[bot]	c66305904b	build(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 (#74 ) Bumps [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt) from 5.2.1 to 5.2.2. - [Release notes](https://github.com/golang-jwt/jwt/releases) - [Changelog](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md) - [Commits](https://github.com/golang-jwt/jwt/compare/v5.2.1...v5.2.2) --- updated-dependencies: - dependency-name: github.com/golang-jwt/jwt/v5 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-03-21 20:41:19 -04:00
Xe Iaso	07e6695430	cmd/anubis: set X-Real-Ip based on X-Forwarded-For (#63 ) This triggers a SHAME release[0]. [0]: https://pridever.org/	2025-03-21 16:45:33 -04:00
Remilia Da Costa Faro	d6d879133e	Allow filtering by remote addresses (#52 ) * Added the possibility to define rules for remote addresses * Added change in changelog * Added check for X-Real-Ip and X-Forwarded-For when checking for remote address filtering * cmd/anubis: refine IP filtering logic * Optimize the configuration so that the IP trie is created once at application start instead of dynamically being created every request. * Document the changes in the changelog and docs site. * Allow pure IP range filtering. * Allow user agent based IP range filtering. * Allow path based IP range filtering. * Create --debug-x-real-ip-default flag for testing Anubis locally without a HTTP load balancer. --------- Co-authored-by: Xe Iaso <me@xeiaso.net>	2025-03-21 15:39:34 -04:00
Xe Iaso	9923878c5c	initial import from /x/ monorepo Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-03-17 19:33:07 -04:00

22 Commits