mirror of
https://github.com/TecharoHQ/anubis.git
synced 2025-08-03 17:59:24 -04:00
865d513e35
* feat(lib/policy): add support for CEL checkers
This adds the ability for administrators to use Common Expression
Language[0] (CEL) for more advanced check logic than Anubis previously
offered.
These can be as simple as:
```yaml
- name: allow-api-routes
action: ALLOW
expression:
and:
- '!(method == "HEAD" || method == "GET")'
- path.startsWith("/api/")
```
or get as complicated as:
```yaml
- name: allow-git-clients
action: ALLOW
expression:
and:
- userAgent.startsWith("git/") || userAgent.contains("libgit") || userAgent.startsWith("go-git") || userAgent.startsWith("JGit/") || userAgent.startsWith("JGit-")
- >
"Git-Protocol" in headers && headers["Git-Protocol"] == "version=2"
```
Internally these are compiled and evaluated with cel-go[1]. This also
leaves room for extensibility should that be desired in the future. This
will intersect with #338 and eventually intersect with TLS fingerprints
as in #337.
[0]: https://cel.dev/
[1]: https://github.com/google/cel-go
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(data/apps): add API route allow rule for non-HEAD/GET
Signed-off-by: Xe Iaso <me@xeiaso.net>
* docs: document expression syntax
Signed-off-by: Xe Iaso <me@xeiaso.net>
* fix: fixes in review
Signed-off-by: Xe Iaso <me@xeiaso.net>
---------
Signed-off-by: Xe Iaso <me@xeiaso.net>
76 lines
1.6 KiB
Go
76 lines
1.6 KiB
Go
package expressions
|
|
|
|
import (
|
|
"net/http"
|
|
"reflect"
|
|
"strings"
|
|
|
|
"github.com/google/cel-go/common/types"
|
|
"github.com/google/cel-go/common/types/ref"
|
|
"github.com/google/cel-go/common/types/traits"
|
|
)
|
|
|
|
// HTTPHeaders is a type wrapper to expose HTTP headers into CEL programs.
|
|
type HTTPHeaders struct {
|
|
http.Header
|
|
}
|
|
|
|
func (h HTTPHeaders) ConvertToNative(typeDesc reflect.Type) (any, error) {
|
|
return nil, ErrNotImplemented
|
|
}
|
|
|
|
func (h HTTPHeaders) ConvertToType(typeVal ref.Type) ref.Val {
|
|
switch typeVal {
|
|
case types.MapType:
|
|
return h
|
|
case types.TypeType:
|
|
return types.MapType
|
|
}
|
|
|
|
return types.NewErr("can't convert from %q to %q", types.MapType, typeVal)
|
|
}
|
|
|
|
func (h HTTPHeaders) Equal(other ref.Val) ref.Val {
|
|
return types.Bool(false) // We don't want to compare header maps
|
|
}
|
|
|
|
func (h HTTPHeaders) Type() ref.Type {
|
|
return types.MapType
|
|
}
|
|
|
|
func (h HTTPHeaders) Value() any { return h }
|
|
|
|
func (h HTTPHeaders) Find(key ref.Val) (ref.Val, bool) {
|
|
k, ok := key.(types.String)
|
|
if !ok {
|
|
return nil, false
|
|
}
|
|
|
|
if _, ok := h.Header[string(k)]; !ok {
|
|
return nil, false
|
|
}
|
|
|
|
return types.String(strings.Join(h.Header.Values(string(k)), ",")), true
|
|
}
|
|
|
|
func (h HTTPHeaders) Contains(key ref.Val) ref.Val {
|
|
_, ok := h.Find(key)
|
|
return types.Bool(ok)
|
|
}
|
|
|
|
func (h HTTPHeaders) Get(key ref.Val) ref.Val {
|
|
result, ok := h.Find(key)
|
|
if !ok {
|
|
return types.ValOrErr(result, "no such key: %v", key)
|
|
}
|
|
return result
|
|
}
|
|
|
|
func (h HTTPHeaders) Iterator() traits.Iterator { panic("TODO(Xe): implement me") }
|
|
|
|
func (h HTTPHeaders) IsZeroValue() bool {
|
|
return len(h.Header) == 0
|
|
}
|
|
|
|
func (h HTTPHeaders) Size() ref.Val { return types.Int(len(h.Header)) }
|