mirror of
https://github.com/TecharoHQ/anubis.git
synced 2025-08-04 10:18:17 -04:00
e3826df3ab
* feat(internal): add Thoth client and simple ASN checker Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thoth): cached ip to asn checker Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: go mod tidy Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(thoth): minor testing fixups, ensure ASNChecker is Checker Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thoth): make ASNChecker instances Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thoth): add GeoIP checker Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thoth): store a thoth client in a context Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: refactor Checker type to its own package Signed-off-by: Xe Iaso <me@xeiaso.net> * test(thoth): add thoth mocking package, ignore context deadline exceeded errors Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thoth): pre-cache private ranges Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(lib/policy/config): enable thoth ASNs and GeoIP checker parsing Signed-off-by: Xe Iaso <me@xeiaso.net> * chore(thoth): refactor to move checker creation to the checker files Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(policy): enable thoth checks Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thothmock): test helper function for loading a mock thoth instance Signed-off-by: Xe Iaso <me@xeiaso.net> * feat: wire up Thoth, make thoth checks part of the default config Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(thoth): mend staticcheck errors Signed-off-by: Xe Iaso <me@xeiaso.net> * docs(admin): add Thoth docs Signed-off-by: Xe Iaso <me@xeiaso.net> * chore(policy): update Thoth links in error messages Signed-off-by: Xe Iaso <me@xeiaso.net> * docs: update CHANGELOG Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> * chore(docs/manifest): enable Thoth Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: add THOTH_INSECURE for contacting Thoth over plain TCP in extreme circumstances Signed-off-by: Xe Iaso <me@xeiaso.net> * test(thoth): use mock thoth when credentials aren't detected in the environment Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(cmd/anubis): better warnings for half-configured Thoth setups Signed-off-by: Xe Iaso <me@xeiaso.net> * docs(botpolicies): link to Thoth geoip docs Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>
69 lines
1.5 KiB
Go
69 lines
1.5 KiB
Go
package thoth
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"log/slog"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/TecharoHQ/anubis/lib/policy/checker"
|
|
iptoasnv1 "github.com/TecharoHQ/thoth-proto/gen/techaro/thoth/iptoasn/v1"
|
|
)
|
|
|
|
func (c *Client) GeoIPCheckerFor(countries []string) checker.Impl {
|
|
countryMap := map[string]struct{}{}
|
|
var sb strings.Builder
|
|
fmt.Fprintln(&sb, "GeoIPChecker")
|
|
for _, cc := range countries {
|
|
countryMap[cc] = struct{}{}
|
|
fmt.Fprintln(&sb, cc)
|
|
}
|
|
|
|
return &GeoIPChecker{
|
|
IPToASN: c.IPToASN,
|
|
Countries: countryMap,
|
|
hash: sb.String(),
|
|
}
|
|
}
|
|
|
|
type GeoIPChecker struct {
|
|
IPToASN iptoasnv1.IpToASNServiceClient
|
|
Countries map[string]struct{}
|
|
hash string
|
|
}
|
|
|
|
func (gipc *GeoIPChecker) Check(r *http.Request) (bool, error) {
|
|
ctx, cancel := context.WithTimeout(r.Context(), 500*time.Millisecond)
|
|
defer cancel()
|
|
|
|
ipInfo, err := gipc.IPToASN.Lookup(ctx, &iptoasnv1.LookupRequest{
|
|
IpAddress: r.Header.Get("X-Real-Ip"),
|
|
})
|
|
if err != nil {
|
|
switch {
|
|
case errors.Is(err, context.DeadlineExceeded):
|
|
slog.Debug("error contacting thoth", "err", err, "actionable", false)
|
|
return false, nil
|
|
default:
|
|
slog.Error("error contacting thoth, please contact support", "err", err, "actionable", true)
|
|
return false, nil
|
|
}
|
|
}
|
|
|
|
// If IP is not publicly announced, return false
|
|
if !ipInfo.GetAnnounced() {
|
|
return false, nil
|
|
}
|
|
|
|
_, ok := gipc.Countries[strings.ToLower(ipInfo.GetCountryCode())]
|
|
|
|
return ok, nil
|
|
}
|
|
|
|
func (gipc *GeoIPChecker) Hash() string {
|
|
return gipc.hash
|
|
}
|