mirror of
https://github.com/TecharoHQ/anubis.git
synced 2025-08-03 01:38:14 -04:00
e3826df3ab
* feat(internal): add Thoth client and simple ASN checker Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thoth): cached ip to asn checker Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: go mod tidy Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(thoth): minor testing fixups, ensure ASNChecker is Checker Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thoth): make ASNChecker instances Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thoth): add GeoIP checker Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thoth): store a thoth client in a context Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: refactor Checker type to its own package Signed-off-by: Xe Iaso <me@xeiaso.net> * test(thoth): add thoth mocking package, ignore context deadline exceeded errors Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thoth): pre-cache private ranges Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(lib/policy/config): enable thoth ASNs and GeoIP checker parsing Signed-off-by: Xe Iaso <me@xeiaso.net> * chore(thoth): refactor to move checker creation to the checker files Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(policy): enable thoth checks Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(thothmock): test helper function for loading a mock thoth instance Signed-off-by: Xe Iaso <me@xeiaso.net> * feat: wire up Thoth, make thoth checks part of the default config Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(thoth): mend staticcheck errors Signed-off-by: Xe Iaso <me@xeiaso.net> * docs(admin): add Thoth docs Signed-off-by: Xe Iaso <me@xeiaso.net> * chore(policy): update Thoth links in error messages Signed-off-by: Xe Iaso <me@xeiaso.net> * docs: update CHANGELOG Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> * chore(docs/manifest): enable Thoth Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: add THOTH_INSECURE for contacting Thoth over plain TCP in extreme circumstances Signed-off-by: Xe Iaso <me@xeiaso.net> * test(thoth): use mock thoth when credentials aren't detected in the environment Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(cmd/anubis): better warnings for half-configured Thoth setups Signed-off-by: Xe Iaso <me@xeiaso.net> * docs(botpolicies): link to Thoth geoip docs Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>
89 lines
2.4 KiB
Go
89 lines
2.4 KiB
Go
package thoth
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/TecharoHQ/anubis"
|
|
iptoasnv1 "github.com/TecharoHQ/thoth-proto/gen/techaro/thoth/iptoasn/v1"
|
|
grpcprom "github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus"
|
|
"github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/timeout"
|
|
"github.com/prometheus/client_golang/prometheus"
|
|
"google.golang.org/grpc"
|
|
"google.golang.org/grpc/credentials"
|
|
"google.golang.org/grpc/credentials/insecure"
|
|
healthv1 "google.golang.org/grpc/health/grpc_health_v1"
|
|
)
|
|
|
|
type Client struct {
|
|
conn *grpc.ClientConn
|
|
health healthv1.HealthClient
|
|
IPToASN iptoasnv1.IpToASNServiceClient
|
|
}
|
|
|
|
func New(ctx context.Context, thothURL, apiToken string, plaintext bool) (*Client, error) {
|
|
clMetrics := grpcprom.NewClientMetrics(
|
|
grpcprom.WithClientHandlingTimeHistogram(
|
|
grpcprom.WithHistogramBuckets([]float64{0.001, 0.01, 0.1, 0.3, 0.6, 1, 3, 6, 9, 20, 30, 60, 90, 120}),
|
|
),
|
|
)
|
|
prometheus.DefaultRegisterer.Register(clMetrics)
|
|
|
|
do := []grpc.DialOption{
|
|
grpc.WithChainUnaryInterceptor(
|
|
timeout.UnaryClientInterceptor(500*time.Millisecond),
|
|
clMetrics.UnaryClientInterceptor(),
|
|
authUnaryClientInterceptor(apiToken),
|
|
),
|
|
grpc.WithChainStreamInterceptor(
|
|
clMetrics.StreamClientInterceptor(),
|
|
authStreamClientInterceptor(apiToken),
|
|
),
|
|
grpc.WithUserAgent(fmt.Sprint("Techaro/anubis:", anubis.Version)),
|
|
}
|
|
|
|
if plaintext {
|
|
do = append(do, grpc.WithTransportCredentials(insecure.NewCredentials()))
|
|
} else {
|
|
do = append(do, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{})))
|
|
}
|
|
|
|
conn, err := grpc.NewClient(
|
|
thothURL,
|
|
do...,
|
|
)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("can't dial thoth at %s: %w", thothURL, err)
|
|
}
|
|
|
|
hc := healthv1.NewHealthClient(conn)
|
|
|
|
resp, err := hc.Check(ctx, &healthv1.HealthCheckRequest{})
|
|
if err != nil {
|
|
return nil, fmt.Errorf("can't verify thoth health at %s: %w", thothURL, err)
|
|
}
|
|
|
|
if resp.Status != healthv1.HealthCheckResponse_SERVING {
|
|
return nil, fmt.Errorf("thoth is not healthy, wanted %s but got %s", healthv1.HealthCheckResponse_SERVING, resp.Status)
|
|
}
|
|
|
|
return &Client{
|
|
conn: conn,
|
|
health: hc,
|
|
IPToASN: NewIpToASNWithCache(iptoasnv1.NewIpToASNServiceClient(conn)),
|
|
}, nil
|
|
}
|
|
|
|
func (c *Client) Close() error {
|
|
if c.conn != nil {
|
|
return c.conn.Close()
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (c *Client) WithIPToASNService(impl iptoasnv1.IpToASNServiceClient) {
|
|
c.IPToASN = impl
|
|
}
|