feat(checker): add CEL for matching complicated expressions (#421)

* feat(lib/policy): add support for CEL checkers This adds the ability for administrators to use Common Expression Language[0] (CEL) for more advanced check logic than Anubis previously offered. These can be as simple as: ```yaml - name: allow-api-routes action: ALLOW expression: and: - '!(method == "HEAD" || method == "GET")' - path.startsWith("/api/") ``` or get as complicated as: ```yaml - name: allow-git-clients action: ALLOW expression: and: - userAgent.startsWith("git/") || userAgent.contains("libgit") || userAgent.startsWith("go-git") || userAgent.startsWith("JGit/") || userAgent.startsWith("JGit-") - > "Git-Protocol" in headers && headers["Git-Protocol"] == "version=2" ``` Internally these are compiled and evaluated with cel-go[1]. This also leaves room for extensibility should that be desired in the future. This will intersect with #338 and eventually intersect with TLS fingerprints as in #337. [0]: https://cel.dev/ [1]: https://github.com/google/cel-go Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(data/apps): add API route allow rule for non-HEAD/GET Signed-off-by: Xe Iaso <me@xeiaso.net> * docs: document expression syntax Signed-off-by: Xe Iaso <me@xeiaso.net> * fix: fixes in review Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>
2025-05-03 14:26:54 -04:00 · 2025-05-03 14:26:54 -04:00 · 865d513e35
commit 865d513e35
parent af07691139
39 changed files with 1166 additions and 14 deletions
--- a/lib/policy/config/expressionorlist_test.go
+++ b/lib/policy/config/expressionorlist_test.go
@ -0,0 +1,73 @@
+package config
+
+import (
+	"encoding/json"
+	"errors"
+	"testing"
+)
+
+func TestExpressionOrListUnmarshal(t *testing.T) {
+	for _, tt := range []struct {
+		name     string
+		inp      string
+		err      error
+		validErr error
+		result   *ExpressionOrList
+	}{
+		{
+			name: "simple",
+			inp:  `"\"User-Agent\" in headers"`,
+			result: &ExpressionOrList{
+				Expression: `"User-Agent" in headers`,
+			},
+		},
+		{
+			name: "object-and",
+			inp: `{
+			"all": ["\"User-Agent\" in headers"]
+			}`,
+			result: &ExpressionOrList{
+				All: []string{
+					`"User-Agent" in headers`,
+				},
+			},
+		},
+		{
+			name: "object-or",
+			inp: `{
+			"any": ["\"User-Agent\" in headers"]
+			}`,
+			result: &ExpressionOrList{
+				Any: []string{
+					`"User-Agent" in headers`,
+				},
+			},
+		},
+		{
+			name: "both-or-and",
+			inp: `{
+			"all": ["\"User-Agent\" in headers"],
+			"any": ["\"User-Agent\" in headers"]
+			}`,
+			validErr: ErrExpressionCantHaveBoth,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			var eol ExpressionOrList
+
+			if err := json.Unmarshal([]byte(tt.inp), &eol); !errors.Is(err, tt.err) {
+				t.Errorf("wanted unmarshal error: %v but got: %v", tt.err, err)
+			}
+
+			if tt.result != nil && !eol.Equal(tt.result) {
+				t.Logf("wanted: %#v", tt.result)
+				t.Logf("got:    %#v", &eol)
+				t.Fatal("parsed expression is not what was expected")
+			}
+
+			if err := eol.Valid(); !errors.Is(err, tt.validErr) {
+				t.Errorf("wanted validation error: %v but got: %v", tt.err, err)
+			}
+		})
+	}
+}