TecharoHQ
diff --git a/‎data/botPolicies.yaml‎
Lines changed: 54 additions & 0 deletions b/‎data/botPolicies.yaml‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎docs/docs/CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/docs/CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/docs/admin/configuration/thresholds.mdx‎
Lines changed: 140 additions & 0 deletions b/‎docs/docs/admin/configuration/thresholds.mdx‎
Lines changed: 140 additions & 0 deletions
diff --git a/‎docs/docs/admin/policies.mdx‎
Lines changed: 2 additions & 8 deletions b/‎docs/docs/admin/policies.mdx‎
Lines changed: 2 additions & 8 deletions
diff --git a/‎lib/anubis.go‎
Lines changed: 20 additions & 34 deletions b/‎lib/anubis.go‎
Lines changed: 20 additions & 34 deletions
diff --git a/‎lib/policy/celchecker.go‎
Lines changed: 3 additions & 32 deletions b/‎lib/policy/celchecker.go‎
Lines changed: 3 additions & 32 deletions
@@ -91,3 +91,57 @@ dnsbl: false
 status_codes:
   CHALLENGE: 200
   DENY: 200
+
+# The weight thresholds for when to trigger individual challenges. A bot rule
+# with the CHALLENGE action takes precedence over these thresholds.
+#
+# A threshold has four configuration options:
+#
+#   - name: the name that is reported down the stack and used for metrics
+#   - expression: A CEL expression with the request weight in the variable
+#     weight
+#   - action: the Anubis action to apply, similar to in a bot policy
+#   - challenge: which challenge to send to the user, similar to in a bot policy
+#
+# See https://anubis.techaro.lol/docs/admin/configuration/thresholds for more
+# information.
+thresholds:
+  # By default Anubis ships with the following thresholds:
+  - name: minimal-suspicion # This client is likely fine, its soul is lighter than a feather
+    expression: weight < 0 # a feather weighs zero units
+    action: ALLOW # Allow the traffic through
+  # For clients that had some weight reduced through custom rules, give them a
+  # lightweight challenge.
+  - name: mild-suspicion
+    expression:
+      all:
+        - weight >= 0
+        - weight < 10
+    action: CHALLENGE
+    challenge:
+      # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh
+      algorithm: metarefresh
+      difficulty: 1
+      report_as: 1
+  # For clients that are browser-like but have either gained points from custom rules or
+  # report as a standard browser.
+  - name: moderate-suspicion
+    expression:
+      all:
+        - weight >= 10
+        - weight < 20
+    action: CHALLENGE
+    challenge:
+      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
+      algorithm: fast
+      difficulty: 2 # two leading zeros, very fast for most clients
+      report_as: 2
+  # For clients that are browser-like and have gained many points from custom rules
+  - name: extreme-suspicion
+    expression: weight >= 20
+    action: CHALLENGE
+    challenge:
+      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
+      algorithm: fast
+      difficulty: 4
+      report_as: 4
@@ -27,6 +27,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Add `robots2policy` CLI utility to convert robots.txt files to Anubis challenge policies using CEL expressions ([#409](https://github.com/TecharoHQ/anubis/issues/409))
 - Implement GeoIP and ASN based checks via [Thoth](https://anubis.techaro.lol/docs/admin/thoth) ([#206](https://github.com/TecharoHQ/anubis/issues/206))
 - Replace internal SHA256 hashing with xxhash for 4-6x performance improvement in policy evaluation and cache operations
+- Add [custom weight thresholds](./admin/configuration/thresholds.mdx) via CEL ([#688](https://github.com/TecharoHQ/anubis/pull/688))
 
 ## v1.19.1: Jenomis cen Lexentale - Echo 1
 
 
@@ -0,0 +1,140 @@
+# Weight Threshold Configuration
+
+Anubis offers the ability to assign "weight" to requests. This is a custom level of suspicion that rules can add to or remove from. For example, here's how you assign 10 weight points to anything that might be a browser:
+
+```yaml
+# botPolicies.yaml
+
+bots:
+  - name: generic-browser
+    user_agent_regex: >-
+      Mozilla|Opera
+    action: WEIGH
+    weight:
+      adjust: 10
+```
+
+Thresholds let you act on this per-request weight value. They are defined alongside your bot configuration in `botPolicies.yaml`.
+
+:::note
+
+Thresholds DO NOT apply when a request matches a bot rule with the CHALLENGE action. Thresholds only apply when requests don't match any terminal bot rules.
+
+:::
+
+```yaml
+# botPolicies.yaml
+
+bots: ...
+
+thresholds:
+  - name: minimal-suspicion
+    expression: weight < 0
+    action: ALLOW
+
+  - name: mild-suspicion
+    expression:
+      all:
+        - weight >= 0
+        - weight < 10
+    action: CHALLENGE
+    challenge:
+      algorithm: metarefresh
+      difficulty: 1
+      report_as: 1
+
+  - name: moderate-suspicion
+    expression:
+      all:
+        - weight >= 10
+        - weight < 20
+    action: CHALLENGE
+    challenge:
+      algorithm: fast
+      difficulty: 2
+      report_as: 2
+
+  - name: extreme-suspicion
+    expression: weight >= 20
+    action: CHALLENGE
+    challenge:
+      algorithm: fast
+      difficulty: 4
+      report_as: 4
+```
+
+This defines a suite of 4 thresholds:
+
+1. If the request weight is less than zero, allow it through.
+2. If the request weight is greater than or equal to zero, but less than ten: give it [a very lightweight challenge](./challenges/metarefresh.mdx).
+3. If the request weight is greater than or equal to ten, but less than twenty: give it [a slightly heavier challenge](./challenges/proof-of-work.mdx).
+4. Otherwise, give it [the heaviest challenge](./challenges/proof-of-work.mdx).
+
+Thresholds can be configured with the following options:
+
+<table>
+  <thead>
+  <tr>
+    <th>Name</th>
+    <th>Description</th>
+    <th>Example</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>`name`</td>
+      <td>The human-readable name for this threshold.</td>
+      <td>
+
+```yaml
+name: extreme-suspicion
+```
+
+      </td>
+    </tr>
+    <tr>
+    <td>`expression`</td>
+    <td>A [CEL](https://cel.dev/) expression taking the request weight and returning true or false</td>
+    <td>
+
+To check if the request weight is less than zero:
+
+```yaml
+expression: weight < 0
+```
+
+To check if it's at least 0 and less than 10:
+
+```yaml
+expression:
+  all:
+    - weight >= 0
+    - weight < 10
+```
+
+    </td>
+    </tr>
+    <tr>
+    <td>`action`</td>
+    <td>The Anubis action to apply: `ALLOW`, `CHALLENGE`, or `DENY`</td>
+    <td>
+
+```yaml
+action: ALLOW
+```
+
+If you set the CHALLENGE action, you must set challenge details:
+
+```yaml
+action: CHALLENGE
+challenge:
+  algorithm: metarefresh
+  difficulty: 1
+  report_as: 1
+```
+
+    </td>
+    </tr>
+
+  </tbody>
+</table>
@@ -261,17 +261,11 @@ Anubis rules can also add or remove "weight" from requests, allowing administrat
     adjust: -5
 ```
 
-This would remove five weight points from the request, making Anubis present the [Meta Refresh challenge](./configuration/challenges/metarefresh.mdx).
+This would remove five weight points from the request, which would make Anubis present the [Meta Refresh challenge](./configuration/challenges/metarefresh.mdx) in the default configuration.
 
 ### Weight Thresholds
 
-Weight thresholds and challenge associations will be configurable with CEL expressions in the configuration file in an upcoming patch, for now here's how Anubis configures the weight thresholds:
-
-|                                      Weight Expression | Action                                                                                                                                 |
-| -----------------------------------------------------: | :------------------------------------------------------------------------------------------------------------------------------------- |
-|                   `weight < 0` (weight is less than 0) | Allow the request through.                                                                                                             |
-|                 `weight < 10` (weight is less than 10) | Challenge the client with the [Meta Refresh challenge](./configuration/challenges/metarefresh.mdx) at the default difficulty level.    |
-| `weight >= 10` (weight is greater than or equal to 10) | Challenge the client with the [Proof of Work challenge](./configuration/challenges/proof-of-work.mdx) at the default difficulty level. |
+For more information on configuring weight thresholds, see [Weight Threshold Configuration](./configuration/thresholds.mdx).
 
 ### Advice
 
 
@@ -15,6 +15,7 @@ import (
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/cel-go/common/types"
 
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
@@ -411,12 +412,6 @@ func cr(name string, rule config.Rule, weight int) policy.CheckResult {
 	}
 }
 
-var (
-	weightOkayStatic    = policy.NewStaticHashChecker("weight/okay")
-	weightMildSusStatic = policy.NewStaticHashChecker("weight/mild-suspicion")
-	weightVerySusStatic = policy.NewStaticHashChecker("weight/extreme-suspicion")
-)
-
 // Check evaluates the list of rules, and returns the result
 func (s *Server) check(r *http.Request) (policy.CheckResult, *policy.Bot, error) {
 	host := r.Header.Get("X-Real-Ip")
@@ -448,34 +443,25 @@ func (s *Server) check(r *http.Request) (policy.CheckResult, *policy.Bot, error)
 		}
 	}
 
-	switch {
-	case weight <= 0:
-		return cr("weight/okay", config.RuleAllow, weight), &policy.Bot{
-			Challenge: &config.ChallengeRules{
-				Difficulty: s.policy.DefaultDifficulty,
-				ReportAs:   s.policy.DefaultDifficulty,
-				Algorithm:  config.DefaultAlgorithm,
-			},
-			Rules: weightOkayStatic,
-		}, nil
-	case weight > 0 && weight < 10:
-		return cr("weight/mild-suspicion", config.RuleChallenge, weight), &policy.Bot{
-			Challenge: &config.ChallengeRules{
-				Difficulty: s.policy.DefaultDifficulty,
-				ReportAs:   s.policy.DefaultDifficulty,
-				Algorithm:  "metarefresh",
-			},
-			Rules: weightMildSusStatic,
-		}, nil
-	case weight >= 10:
-		return cr("weight/extreme-suspicion", config.RuleChallenge, weight), &policy.Bot{
-			Challenge: &config.ChallengeRules{
-				Difficulty: s.policy.DefaultDifficulty,
-				ReportAs:   s.policy.DefaultDifficulty,
-				Algorithm:  "fast",
-			},
-			Rules: weightVerySusStatic,
-		}, nil
+	for _, t := range s.policy.Thresholds {
+		result, _, err := t.Program.ContextEval(r.Context(), &policy.ThresholdRequest{Weight: weight})
+		if err != nil {
+			slog.Error("error when evaluating threshold expression", "expression", t.Expression.String(), "err", err)
+			continue
+		}
+
+		var matches bool
+
+		if val, ok := result.(types.Bool); ok {
+			matches = bool(val)
+		}
+
+		if matches {
+			return cr("threshold/"+t.Name, t.Action, weight), &policy.Bot{
+				Challenge: t.Challenge,
+				Rules:     &checker.List{},
+			}, nil
+		}
 	}
 
 	return cr("default/allow", config.RuleAllow, weight), &policy.Bot{
 
@@ -17,47 +17,18 @@ type CELChecker struct {
 }
 
 func NewCELChecker(cfg *config.ExpressionOrList) (*CELChecker, error) {
-	env, err := expressions.NewEnvironment()
+	env, err := expressions.BotEnvironment()
 	if err != nil {
 		return nil, err
 	}
 
-	var src string
-	var ast *cel.Ast
-
-	if cfg.Expression != "" {
-		src = cfg.Expression
-		var iss *cel.Issues
-		intermediate, iss := env.Compile(src)
-		if iss != nil {
-			return nil, iss.Err()
-		}
-
-		ast, iss = env.Check(intermediate)
-		if iss != nil {
-			return nil, iss.Err()
-		}
-	}
-
-	if len(cfg.All) != 0 {
-		ast, err = expressions.Join(env, expressions.JoinAnd, cfg.All...)
-	}
-
-	if len(cfg.Any) != 0 {
-		ast, err = expressions.Join(env, expressions.JoinOr, cfg.Any...)
-	}
-
-	if err != nil {
-		return nil, err
-	}
-
-	program, err := expressions.Compile(env, ast)
+	program, err := expressions.Compile(env, cfg.String())
 	if err != nil {
 		return nil, fmt.Errorf("can't compile CEL program: %w", err)
 	}
 
 	return &CELChecker{
-		src:     src,
+		src:     cfg.String(),
 		program: program,
 	}, nil
 }