
* feat(lib/policy): add support for CEL checkers

  This adds the ability for administrators to use Common Expression Language[0] (CEL) for more advanced check logic than Anubis previously offered.

  These can be as simple as:

  ```yaml
  - name: allow-api-routes
    action: ALLOW
    expression:
      and:
        - '!(method == "HEAD" || method == "GET")'
        - path.startsWith("/api/")
  ```

  or get as complicated as:

  ```yaml
  - name: allow-git-clients
    action: ALLOW
    expression:
      and:
        - userAgent.startsWith("git/") || userAgent.contains("libgit") || userAgent.startsWith("go-git") || userAgent.startsWith("JGit/") || userAgent.startsWith("JGit-")
        - >
          "Git-Protocol" in headers && headers["Git-Protocol"] == "version=2"
  ```

  Internally these are compiled and evaluated with cel-go[1]. This also leaves room for extensibility should that be desired in the future. This will intersect with #338 and eventually intersect with TLS fingerprints as in #337.

  [0]: https://cel.dev/
  [1]: https://github.com/google/cel-go

  Signed-off-by: Xe Iaso <me@xeiaso.net>

* feat(data/apps): add API route allow rule for non-HEAD/GET

  Signed-off-by: Xe Iaso <me@xeiaso.net>

* docs: document expression syntax

  Signed-off-by: Xe Iaso <me@xeiaso.net>

* fix: fixes in review

  Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>
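// Module manifest for Anubis.
//
// This file pins the version of every dependency. The content hashes that
// the go command verifies on download are expected in go.sum, which is not
// part of this listing.
module github.com/TecharoHQ/anubis

go 1.24

// Direct dependencies.
require (
	github.com/a-h/templ v0.3.857
	github.com/facebookgo/flagenv v0.0.0-20160425205200-fcd59fca7456
	github.com/golang-jwt/jwt/v5 v5.2.2
	// cel-go compiles and evaluates the CEL policy expressions that
	// administrators write in the policy file.
	github.com/google/cel-go v0.25.0
	github.com/playwright-community/playwright-go v0.5101.0
	github.com/prometheus/client_golang v1.22.0
	github.com/sebest/xff v0.0.0-20210106013422-671bd2870b3a
	github.com/yl2chen/cidranger v1.0.2
	golang.org/x/net v0.39.0
	k8s.io/apimachinery v0.32.3
)

// Indirect dependencies: modules that no package in this module imports
// directly, but that the build list still needs.
require (
	cel.dev/expr v0.23.1 // indirect
	github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c // indirect
	github.com/a-h/parse v0.0.0-20250122154542-74294addb73e // indirect
	github.com/andybalholm/brotli v1.1.0 // indirect
	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
	github.com/beorn7/perks v1.0.1 // indirect
	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
	github.com/cespare/xxhash/v2 v2.3.0 // indirect
	github.com/cli/browser v1.3.0 // indirect
	github.com/deckarep/golang-set/v2 v2.6.0 // indirect
	github.com/facebookgo/ensure v0.0.0-20160127193407-b4ab57deab51 // indirect
	github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 // indirect
	github.com/facebookgo/subset v0.0.0-20150612182917-8dac2c3c4870 // indirect
	github.com/fatih/color v1.16.0 // indirect
	github.com/fsnotify/fsnotify v1.7.0 // indirect
	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
	github.com/go-stack/stack v1.8.1 // indirect
	github.com/kr/text v0.2.0 // indirect
	github.com/mattn/go-colorable v0.1.13 // indirect
	github.com/mattn/go-isatty v0.0.20 // indirect
	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
	github.com/natefinch/atomic v1.0.1 // indirect
	github.com/prometheus/client_model v0.6.1 // indirect
	github.com/prometheus/common v0.62.0 // indirect
	github.com/prometheus/procfs v0.15.1 // indirect
	github.com/stoewer/go-strcase v1.2.0 // indirect
	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect
	golang.org/x/exp/typeparams v0.0.0-20231108232855-2478ac86f678 // indirect
	golang.org/x/mod v0.24.0 // indirect
	golang.org/x/sync v0.13.0 // indirect
	golang.org/x/sys v0.32.0 // indirect
	golang.org/x/text v0.24.0 // indirect
	golang.org/x/tools v0.32.0 // indirect
	google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7 // indirect
	google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7 // indirect
	google.golang.org/protobuf v1.36.5 // indirect
	honnef.co/go/tools v0.6.1 // indirect
	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
	sigs.k8s.io/yaml v1.4.0 // indirect
)

// Developer tools run with `go tool`. Their versions are resolved through
// the require blocks above, so they are pinned the same way as library
// dependencies.
tool (
	github.com/a-h/templ/cmd/templ
	golang.org/x/tools/cmd/goimports
	golang.org/x/tools/cmd/stringer
	honnef.co/go/tools/cmd/staticcheck
)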