Xe Iaso
6b1cd6120f
fix!(policy/checker): make List and-like ( #1217 )
...
* fix!(policy/checker): make List and-like
This has the potential to break user configs.
Anubis lets you stack multiple checks at once with blocks like this:
```yaml
name: allow-prometheus
action: ALLOW
user_agent_regex: ^prometheus-probe$
remote_addresses:
- 192.168.2.0/24
```
Previously, this only returned ALLOW if _any one_ of the conditions
matched. This behaviour has changed to only return ALLOW if _all_ of the
conditions match.
I have marked this as a potentially breaking change because I'm
absolutely certain that someone is relying on this behaviour due to
spacebar heating. If this bites you, please let me know ASAP.
Signed-off-by: Xe Iaso <me@xeiaso.net>
Assisted-by: GPT-OSS 120b on local hardware
* fix(policy/checker): more explicit short-circuit
Signed-off-by: Xe Iaso <me@xeiaso.net>
---------
Signed-off-by: Xe Iaso <me@xeiaso.net>
2025-10-25 01:25:05 +00:00
Xe Iaso
e3826df3ab
feat: implement a client for Thoth, the IP reputation database for Anubis ( #637 )
...
* feat(internal): add Thoth client and simple ASN checker
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(thoth): cached ip to asn checker
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: go mod tidy
Signed-off-by: Xe Iaso <me@xeiaso.net>
* fix(thoth): minor testing fixups, ensure ASNChecker is Checker
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(thoth): make ASNChecker instances
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(thoth): add GeoIP checker
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(thoth): store a thoth client in a context
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: refactor Checker type to its own package
Signed-off-by: Xe Iaso <me@xeiaso.net>
* test(thoth): add thoth mocking package, ignore context deadline exceeded errors
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(thoth): pre-cache private ranges
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(lib/policy/config): enable thoth ASNs and GeoIP checker parsing
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore(thoth): refactor to move checker creation to the checker files
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(policy): enable thoth checks
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(thothmock): test helper function for loading a mock thoth instance
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat: wire up Thoth, make thoth checks part of the default config
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: spelling
Signed-off-by: Xe Iaso <me@xeiaso.net>
* fix(thoth): mend staticcheck errors
Signed-off-by: Xe Iaso <me@xeiaso.net>
* docs(admin): add Thoth docs
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore(policy): update Thoth links in error messages
Signed-off-by: Xe Iaso <me@xeiaso.net>
* docs: update CHANGELOG
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: spelling
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore(docs/manifest): enable Thoth
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: add THOTH_INSECURE for contacting Thoth over plain TCP in extreme circumstances
Signed-off-by: Xe Iaso <me@xeiaso.net>
* test(thoth): use mock thoth when credentials aren't detected in the environment
Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore: spelling
Signed-off-by: Xe Iaso <me@xeiaso.net>
* fix(cmd/anubis): better warnings for half-configured Thoth setups
Signed-off-by: Xe Iaso <me@xeiaso.net>
* docs(botpolicies): link to Thoth geoip docs
Signed-off-by: Xe Iaso <me@xeiaso.net>
---------
Signed-off-by: Xe Iaso <me@xeiaso.net>
2025-06-16 11:57:32 -04:00
