anubis/yeetfile.js
Xe Iaso 865d513e35
feat(checker): add CEL for matching complicated expressions (#421)
* feat(lib/policy): add support for CEL checkers

This adds the ability for administrators to use Common Expression
Language[0] (CEL) for more advanced check logic than Anubis previously
offered.

These can be as simple as:

```yaml
- name: allow-api-routes
  action: ALLOW
  expression:
    and:
    - '!(method == "HEAD" || method == "GET")'
    - path.startsWith("/api/")
```

or get as complicated as:

```yaml
- name: allow-git-clients
  action: ALLOW
  expression:
    and:
    - userAgent.startsWith("git/") || userAgent.contains("libgit") || userAgent.startsWith("go-git") || userAgent.startsWith("JGit/") || userAgent.startsWith("JGit-")
    - >
      "Git-Protocol" in headers && headers["Git-Protocol"] == "version=2"
```

Internally these are compiled and evaluated with cel-go[1]. This also
leaves room for extensibility should that be desired in the future. This
will intersect with #338 and eventually intersect with TLS fingerprints
as in #337.

[0]: https://cel.dev/
[1]: https://github.com/google/cel-go

Signed-off-by: Xe Iaso <me@xeiaso.net>

* feat(data/apps): add API route allow rule for non-HEAD/GET

Signed-off-by: Xe Iaso <me@xeiaso.net>

* docs: document expression syntax

Signed-off-by: Xe Iaso <me@xeiaso.net>

* fix: fixes in review

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>
2025-05-03 14:26:54 -04:00


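// Build the frontend assets once up front; every package below ships the same set.
$`npm run assets`;

// Policy data directories copied verbatim from ./data into each package's doc tree.
const POLICY_DATA_DIRS = ["apps", "bots", "clients", "common", "crawlers"];

// One .deb, .rpm and tarball per supported architecture.
for (const goarch of ["amd64", "arm64", "riscv64"]) {
  for (const method of [deb, rpm, tarball]) {
    method.build({
      name: "anubis",
      description: "Anubis weighs the souls of incoming HTTP requests and uses a sha256 proof-of-work challenge in order to protect upstream resources from scraper bots.",
      homepage: "https://anubis.techaro.lol",
      license: "MIT",
      goarch,
      // source path in the repo -> file name inside the package's documentation directory
      documentation: {
        "./README.md": "README.md",
        "./LICENSE": "LICENSE",
        "./data/botPolicies.json": "botPolicies.json",
        "./data/botPolicies.yaml": "botPolicies.yaml",
      },
      build: ({ bin, etc, systemd, doc }) => {
        // Fully static binary with the symbol table and DWARF stripped (-s -w);
        // the release version is baked in through the linker's -X flag.
        // NOTE(review): git.tag() is spliced into a shell string here; tag names are
        // repository-controlled, but one containing a quote would break this command
        // unless the `$` tag escapes interpolated values — confirm.
        $`go build -o ${bin}/anubis -ldflags '-s -w -extldflags "-static" -X "github.com/TecharoHQ/anubis.Version=${git.tag()}"' ./cmd/anubis`;
        file.install("./run/anubis@.service", `${systemd}/anubis@.service`);
        file.install("./run/default.env", `${etc}/default.env`);
        // Ship the rendered docs together with the policy data they reference.
        $`mkdir -p ${doc}/docs`;
        $`cp -a docs/docs ${doc}`;
        // _category_.json files are sidebar metadata for the docs site only.
        $`find ${doc} -name _category_.json -delete`;
        $`mkdir -p ${doc}/data`;
        for (const dir of POLICY_DATA_DIRS) {
          $`cp -a data/${dir} ${doc}/data/${dir}`;
        }
      },
    });
  }
}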
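// NOTE(Xe): Fixes #217. This is a "half baked" tarball that includes the harder
// parts for deterministic distros already done. Distributions like NixOS, Gentoo
// and *BSD ports have a difficult time fitting the square peg of their dependency
// model into the bazaar of round holes that various modern languages use. Needless
// to say, this makes adoption easier.

/**
 * Builds a source tarball that already contains the vendored Go module tree
 * and, optionally, the prebuilt frontend assets, so that distributions with
 * strict dependency models can build Anubis without network access.
 *
 * @param {string} name - package name; also the prefix of the tarball filename.
 * @param {{ withAssets?: boolean }} [options] - when `withAssets` is true, run
 *   `npm ci && npm run assets` inside the checkout and drop node_modules afterwards.
 */
const buildVendoredSource = (name, { withAssets = false } = {}) =>
  tarball.build({
    name,
    license: "MIT",
    // XXX(Xe): This is needed otherwise go will be very sad.
    platform: yeet.goos,
    goarch: yeet.goarch,
    build: ({ out }) => {
      // Export a clean checkout of HEAD (tracked files only) into $out.
      $`git archive --format=tar HEAD | tar xC ${out}`;
      // Vendor Go dependencies into ${out}/vendor.
      $`cd ${out} && go mod vendor`;
      if (withAssets) {
        // npm ci installs exactly what the lockfile pins; only the generated
        // assets are kept, node_modules is removed again.
        $`cd ${out} && npm ci && npm run assets && rm -rf node_modules`;
      }
      // Record the release version alongside the sources.
      // NOTE(review): git.tag() is interpolated into a shell command; tags are
      // repository-controlled, but confirm whether the `$` tag escapes its values.
      $`echo ${git.tag()} > ${out}/VERSION`;
    },
    mkFilename: ({ name: pkgName, version }) => `${pkgName}-${version}`,
  });

buildVendoredSource("anubis-src-vendor");
buildVendoredSource("anubis-src-vendor-npm", { withAssets: true });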