feat(lib): implement request weight (#621)
* feat(lib): implement request weight Replaces #608 This is a big one and will be what makes Anubis a generic web application firewall. This introduces the WEIGH option, allowing administrators to have facets of request metadata add or remove "weight", or the level of suspicion. This really makes Anubis weigh the soul of requests. Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(lib): maintain legacy challenge behavior Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(lib): make weight have dedicated checkers for the hashes Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(data): convert some rules over to weight points Signed-off-by: Xe Iaso <me@xeiaso.net> * docs: document request weight Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(CHANGELOG): spelling error Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> * docs: fix links to challenge information Signed-off-by: Xe Iaso <me@xeiaso.net> * docs(policies): fix formatting Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(config): make default weight adjustment 5 Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>
This commit is contained in:
parent
0fe46b48cf
commit
c638653172
22 changed files with 214 additions and 53 deletions
|
|
@ -402,13 +402,20 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
|
|||
http.Redirect(w, r, redir, http.StatusFound)
|
||||
}
|
||||
|
||||
func cr(name string, rule config.Rule) policy.CheckResult {
|
||||
func cr(name string, rule config.Rule, weight int) policy.CheckResult {
|
||||
return policy.CheckResult{
|
||||
Name: name,
|
||||
Rule: rule,
|
||||
Name: name,
|
||||
Rule: rule,
|
||||
Weight: weight,
|
||||
}
|
||||
}
|
||||
|
||||
var (
|
||||
weightOkayStatic = policy.NewStaticHashChecker("weight/okay")
|
||||
weightMildSusStatic = policy.NewStaticHashChecker("weight/mild-suspicion")
|
||||
weightVerySusStatic = policy.NewStaticHashChecker("weight/extreme-suspicion")
|
||||
)
|
||||
|
||||
// Check evaluates the list of rules, and returns the result
|
||||
func (s *Server) check(r *http.Request) (policy.CheckResult, *policy.Bot, error) {
|
||||
host := r.Header.Get("X-Real-Ip")
|
||||
|
|
@ -421,6 +428,8 @@ func (s *Server) check(r *http.Request) (policy.CheckResult, *policy.Bot, error)
|
|||
return decaymap.Zilch[policy.CheckResult](), nil, fmt.Errorf("[misconfiguration] %q is not an IP address", host)
|
||||
}
|
||||
|
||||
weight := 0
|
||||
|
||||
for _, b := range s.policy.Bots {
|
||||
match, err := b.Rules.Check(r)
|
||||
if err != nil {
|
||||
|
|
@ -428,11 +437,47 @@ func (s *Server) check(r *http.Request) (policy.CheckResult, *policy.Bot, error)
|
|||
}
|
||||
|
||||
if match {
|
||||
return cr("bot/"+b.Name, b.Action), &b, nil
|
||||
switch b.Action {
|
||||
case config.RuleDeny, config.RuleAllow, config.RuleBenchmark, config.RuleChallenge:
|
||||
return cr("bot/"+b.Name, b.Action, weight), &b, nil
|
||||
case config.RuleWeigh:
|
||||
slog.Debug("adjusting weight", "name", b.Name, "delta", b.Weight.Adjust)
|
||||
weight += b.Weight.Adjust
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return cr("default/allow", config.RuleAllow), &policy.Bot{
|
||||
switch {
|
||||
case weight <= 0:
|
||||
return cr("weight/okay", config.RuleAllow, weight), &policy.Bot{
|
||||
Challenge: &config.ChallengeRules{
|
||||
Difficulty: s.policy.DefaultDifficulty,
|
||||
ReportAs: s.policy.DefaultDifficulty,
|
||||
Algorithm: config.DefaultAlgorithm,
|
||||
},
|
||||
Rules: weightOkayStatic,
|
||||
}, nil
|
||||
case weight > 0 && weight < 10:
|
||||
return cr("weight/mild-suspicion", config.RuleChallenge, weight), &policy.Bot{
|
||||
Challenge: &config.ChallengeRules{
|
||||
Difficulty: s.policy.DefaultDifficulty,
|
||||
ReportAs: s.policy.DefaultDifficulty,
|
||||
Algorithm: "metarefresh",
|
||||
},
|
||||
Rules: weightMildSusStatic,
|
||||
}, nil
|
||||
case weight >= 10:
|
||||
return cr("weight/extreme-suspicion", config.RuleChallenge, weight), &policy.Bot{
|
||||
Challenge: &config.ChallengeRules{
|
||||
Difficulty: s.policy.DefaultDifficulty,
|
||||
ReportAs: s.policy.DefaultDifficulty,
|
||||
Algorithm: "fast",
|
||||
},
|
||||
Rules: weightVerySusStatic,
|
||||
}, nil
|
||||
}
|
||||
|
||||
return cr("default/allow", config.RuleAllow, weight), &policy.Bot{
|
||||
Challenge: &config.ChallengeRules{
|
||||
Difficulty: s.policy.DefaultDifficulty,
|
||||
ReportAs: s.policy.DefaultDifficulty,
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ type Bot struct {
|
|||
Challenge *config.ChallengeRules
|
||||
Name string
|
||||
Action config.Rule
|
||||
Weight *config.Weight
|
||||
}
|
||||
|
||||
func (b Bot) Hash() string {
|
||||
|
|
|
|||
|
|
@ -47,6 +47,20 @@ func (cl CheckerList) Hash() string {
|
|||
return internal.SHA256sum(sb.String())
|
||||
}
|
||||
|
||||
type staticHashChecker struct {
|
||||
hash string
|
||||
}
|
||||
|
||||
func (staticHashChecker) Check(r *http.Request) (bool, error) {
|
||||
return true, nil
|
||||
}
|
||||
|
||||
func (s staticHashChecker) Hash() string { return s.hash }
|
||||
|
||||
func NewStaticHashChecker(hashable string) Checker {
|
||||
return staticHashChecker{hash: internal.SHA256sum(hashable)}
|
||||
}
|
||||
|
||||
type RemoteAddrChecker struct {
|
||||
ranger cidranger.Ranger
|
||||
hash string
|
||||
|
|
|
|||
|
|
@ -7,12 +7,15 @@ import (
|
|||
)
|
||||
|
||||
type CheckResult struct {
|
||||
Name string
|
||||
Rule config.Rule
|
||||
Name string
|
||||
Rule config.Rule
|
||||
Weight int
|
||||
}
|
||||
|
||||
func (cr CheckResult) LogValue() slog.Value {
|
||||
return slog.GroupValue(
|
||||
slog.String("name", cr.Name),
|
||||
slog.String("rule", string(cr.Rule)))
|
||||
slog.String("rule", string(cr.Rule)),
|
||||
slog.Int("weight", cr.Weight),
|
||||
)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -39,20 +39,22 @@ const (
|
|||
RuleAllow Rule = "ALLOW"
|
||||
RuleDeny Rule = "DENY"
|
||||
RuleChallenge Rule = "CHALLENGE"
|
||||
RuleWeigh Rule = "WEIGH"
|
||||
RuleBenchmark Rule = "DEBUG_BENCHMARK"
|
||||
)
|
||||
|
||||
const DefaultAlgorithm = "fast"
|
||||
|
||||
type BotConfig struct {
|
||||
UserAgentRegex *string `json:"user_agent_regex"`
|
||||
PathRegex *string `json:"path_regex"`
|
||||
HeadersRegex map[string]string `json:"headers_regex"`
|
||||
Expression *ExpressionOrList `json:"expression"`
|
||||
UserAgentRegex *string `json:"user_agent_regex,omitempty"`
|
||||
PathRegex *string `json:"path_regex,omitempty"`
|
||||
HeadersRegex map[string]string `json:"headers_regex,omitempty"`
|
||||
Expression *ExpressionOrList `json:"expression,omitempty"`
|
||||
Challenge *ChallengeRules `json:"challenge,omitempty"`
|
||||
Weight *Weight `json:"weight,omitempty"`
|
||||
Name string `json:"name"`
|
||||
Action Rule `json:"action"`
|
||||
RemoteAddr []string `json:"remote_addresses"`
|
||||
RemoteAddr []string `json:"remote_addresses,omitempty"`
|
||||
}
|
||||
|
||||
func (b BotConfig) Zero() bool {
|
||||
|
|
@ -73,7 +75,7 @@ func (b BotConfig) Zero() bool {
|
|||
return true
|
||||
}
|
||||
|
||||
func (b BotConfig) Valid() error {
|
||||
func (b *BotConfig) Valid() error {
|
||||
var errs []error
|
||||
|
||||
if b.Name == "" {
|
||||
|
|
@ -144,7 +146,7 @@ func (b BotConfig) Valid() error {
|
|||
}
|
||||
|
||||
switch b.Action {
|
||||
case RuleAllow, RuleBenchmark, RuleChallenge, RuleDeny:
|
||||
case RuleAllow, RuleBenchmark, RuleChallenge, RuleDeny, RuleWeigh:
|
||||
// okay
|
||||
default:
|
||||
errs = append(errs, fmt.Errorf("%w: %q", ErrUnknownAction, b.Action))
|
||||
|
|
@ -156,6 +158,10 @@ func (b BotConfig) Valid() error {
|
|||
}
|
||||
}
|
||||
|
||||
if b.Action == RuleWeigh && b.Weight == nil {
|
||||
b.Weight = &Weight{Adjust: 5}
|
||||
}
|
||||
|
||||
if len(errs) != 0 {
|
||||
return fmt.Errorf("config: bot entry for %q is not valid:\n%w", b.Name, errors.Join(errs...))
|
||||
}
|
||||
|
|
|
|||
|
|
@ -168,6 +168,25 @@ func TestBotValid(t *testing.T) {
|
|||
},
|
||||
err: nil,
|
||||
},
|
||||
{
|
||||
name: "weight rule without weight",
|
||||
bot: BotConfig{
|
||||
Name: "weight-adjust-if-mozilla",
|
||||
Action: RuleWeigh,
|
||||
UserAgentRegex: p("Mozilla"),
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "weight rule with weight adjust",
|
||||
bot: BotConfig{
|
||||
Name: "weight-adjust-if-mozilla",
|
||||
Action: RuleWeigh,
|
||||
UserAgentRegex: p("Mozilla"),
|
||||
Weight: &Weight{
|
||||
Adjust: 5,
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for _, cs := range tests {
|
||||
|
|
|
|||
|
|
@ -14,8 +14,8 @@ var (
|
|||
|
||||
type ExpressionOrList struct {
|
||||
Expression string `json:"-"`
|
||||
All []string `json:"all"`
|
||||
Any []string `json:"any"`
|
||||
All []string `json:"all,omitempty"`
|
||||
Any []string `json:"any,omitempty"`
|
||||
}
|
||||
|
||||
func (eol ExpressionOrList) Equal(rhs *ExpressionOrList) bool {
|
||||
|
|
|
|||
6
lib/policy/config/testdata/good/simple-weight.yaml
vendored
Normal file
6
lib/policy/config/testdata/good/simple-weight.yaml
vendored
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
bots:
|
||||
- name: simple-weight-adjust
|
||||
action: WEIGH
|
||||
user_agent_regex: Mozilla
|
||||
weight:
|
||||
adjust: 5
|
||||
4
lib/policy/config/testdata/good/weight-no-weight.yaml
vendored
Normal file
4
lib/policy/config/testdata/good/weight-no-weight.yaml
vendored
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
bots:
|
||||
- name: weight
|
||||
action: WEIGH
|
||||
user_agent_regex: Mozilla
|
||||
5
lib/policy/config/weight.go
Normal file
5
lib/policy/config/weight.go
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
package config
|
||||
|
||||
type Weight struct {
|
||||
Adjust int `json:"adjust"`
|
||||
}
|
||||
|
|
@ -117,6 +117,10 @@ func ParseConfig(fin io.Reader, fname string, defaultDifficulty int) (*ParsedCon
|
|||
}
|
||||
}
|
||||
|
||||
if b.Weight != nil {
|
||||
parsedBot.Weight = b.Weight
|
||||
}
|
||||
|
||||
parsedBot.Rules = cl
|
||||
|
||||
result.Bots = append(result.Bots, parsedBot)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue