fix(data): add ruleset to explicitly allow Docker / OCI clients (#1253)

* fix(data): add ruleset to explicitly allow Docker / OCI clients

Fixes #1252

This is technically a regression as these clients used to work in Anubis
v1.22.0, however it is allowable to make this opt-in as most websites do not
expect to be serving Docker / OCI registry client traffic.

Signed-off-by: Xe Iaso <me@xeiaso.net>

* Update metadata

check-spelling run (pull_request) for Xe/gh-1252/docker-registry-client-fix

Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com>
on-behalf-of: @check-spelling <check-spelling-bot@check-spelling.dev>

* test(docker-registry): export the right envvars

Signed-off-by: Xe Iaso <me@xeiaso.net>

* ci: add simdjson dependency for homebrew node

Signed-off-by: Xe Iaso <me@xeiaso.net>

* ci: install go/node without homebrew

Signed-off-by: Xe Iaso <me@xeiaso.net>

* test: use right github commit variable

Signed-off-by: Xe Iaso <me@xeiaso.net>

* ci: remove simdjson dependency

Signed-off-by: Xe Iaso <me@xeiaso.net>

* ci: install ko with an action

Signed-off-by: Xe Iaso <me@xeiaso.net>

* docs: add OCI registry caveat docs

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>
Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com>

test/docker-registry/anubis.yaml

@@ -0,0 +1,7 @@
+bots:
+  - import: (data)/meta/default-config.yaml
+  - import: (data)/clients/docker-client.yaml
+
+status_codes:
+  CHALLENGE: 200
+  DENY: 403

test/docker-registry/docker-compose.yaml

@@ -0,0 +1,30 @@
+services:
+  registry:
+    image: distribution/distribution:edge
+    restart: always
+
+  relayd:
+    image: ghcr.io/xe/x/relayd
+    pull_policy: always
+    environment:
+      CERT_DIR: /etc/techaro/pki/registry.local.cetacean.club
+      CERT_FNAME: cert.pem
+      KEY_FNAME: key.pem
+      PROXY_TO: http://anubis:3000
+    ports:
+      - 3004:3004
+    volumes:
+      - ../pki/registry.local.cetacean.club:/etc/techaro/pki/registry.local.cetacean.club
+
+  anubis:
+    image: ko.local/anubis
+    restart: always
+    environment:
+      BIND: ":3000"
+      TARGET: http://registry:5000
+      POLICY_FNAME: /etc/techaro/anubis.yaml
+      USE_REMOTE_ADDRESS: "true"
+    ports:
+      - 3000
+    volumes:
+      - ./anubis.yaml:/etc/techaro/anubis.yaml

test/docker-registry/test.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+export VERSION=${GITHUB_SHA}-test
+export KO_DOCKER_REPO=ko.local
+
+set -u
+
+source ../lib/lib.sh
+
+build_anubis_ko
+
+function cleanup() {
+	docker compose down
+}
+
+trap cleanup EXIT SIGINT
+
+mint_cert registry.local.cetacean.club
+
+docker compose up -d
+
+backoff-retry skopeo \
+	--insecure-policy \
+	copy \
+	--dest-tls-verify=false \
+	docker://hello-world \
+	docker://registry.local.cetacean.club:3004/hello-world

test/docker-registry/var/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

test/git-push/test.sh

@@ -2,7 +2,7 @@
 
 set -eo pipefail
 
-export VERSION=$GITHUB_COMMIT-test
+export VERSION=${GITHUB_SHA}-test
 export KO_DOCKER_REPO=ko.local
 
 set -u
@@ -21,16 +21,16 @@ docker compose up -d
 sleep 2
 
 (
-  cd var && \
-  mkdir foo && \
-  cd foo && \
-  git init && \
-  touch README && \
-  git add . && \
-  git config user.name "Anubis CI" && \
-  git config user.email "social+anubis-ci@techaro.lol" && \
-  git commit -sm "initial commit" && \
-  git push -u http://localhost:3000/git/foo.git master
+	cd var &&
+		mkdir foo &&
+		cd foo &&
+		git init &&
+		touch README &&
+		git add . &&
+		git config user.name "Anubis CI" &&
+		git config user.email "social+anubis-ci@techaro.lol" &&
+		git commit -sm "initial commit" &&
+		git push -u http://localhost:3000/git/foo.git master
 )
 
-exit 0
+exit 0