From 35954361041e2b1a3a6dcb89d75aa71d5cd621f8 Mon Sep 17 00:00:00 2001
From: Jiri Kyjovsky
Date: Thu, 8 Jan 2026 16:19:28 +0100
Subject: [PATCH] copr-anubis: loosen policies (go through defaults), allow essentials
---
 inventory/group_vars/copr_dist_git_aws | 3 -
 inventory/group_vars/copr_dist_git_dev_aws | 3 -
 inventory/group_vars/copr_front_aws | 3 -
 inventory/group_vars/copr_front_dev_aws | 3 -
 .../policies.yaml.j2.copr-infrastructure | 93 +++++++++++++++----
 roles/copr/dist_git/templates/ssl.conf.j2 | 11 +--
 .../copr/frontend/templates/httpd/coprs.conf | 11 +--
 7 files changed, 82 insertions(+), 45 deletions(-)
diff --git a/inventory/group_vars/copr_dist_git_aws b/inventory/group_vars/copr_dist_git_aws
index e6b730f4c6..0a90ee2dba 100644
--- a/inventory/group_vars/copr_dist_git_aws
+++ b/inventory/group_vars/copr_dist_git_aws
@@ -1,9 +1,6 @@ --- copr_machine_type: distgit -# Anubis protects only /packages/ endpoint -anubis_base_prefix: /packages - freezes: false # consumed by roles/copr/certbot letsencrypt:
diff --git a/inventory/group_vars/copr_dist_git_dev_aws b/inventory/group_vars/copr_dist_git_dev_aws
index 1c420803da..ffc4e5437c 100644
--- a/inventory/group_vars/copr_dist_git_dev_aws
+++ b/inventory/group_vars/copr_dist_git_dev_aws
@@ -1,9 +1,6 @@ --- copr_machine_type: distgit -# Anubis protects only /packages/ endpoint -anubis_base_prefix: /packages - devel: true freezes: false # consumed by roles/copr/certbot
diff --git a/inventory/group_vars/copr_front_aws b/inventory/group_vars/copr_front_aws
index bbde0207d2..f9e29f5545 100644
--- a/inventory/group_vars/copr_front_aws
+++ b/inventory/group_vars/copr_front_aws
@@ -2,9 +2,6 @@ copr_machine_type: frontend copr_fe_homedir: /usr/share/copr/coprs_frontend - -# Anubis protects only /coprs/ endpoint -anubis_base_prefix: /coprs copr_frontend_public_hostname: "copr.fedorainfracloud.org" copr_kerberos_auth_enabled: true copr_messaging_queue: "a9b74258-21c6-4e79-ba65-9e858dc84a2b"
diff --git a/inventory/group_vars/copr_front_dev_aws b/inventory/group_vars/copr_front_dev_aws
index 5ee617b084..afdd836455 100644
--- a/inventory/group_vars/copr_front_dev_aws
+++ b/inventory/group_vars/copr_front_dev_aws
@@ -1,9 +1,6 @@ --- copr_machine_type: frontend -# Anubis protects only /coprs/ endpoint -anubis_base_prefix: /coprs - allowlist_emails: - msuchy@redhat.com - praiskup@redhat.com
diff --git a/roles/anubis/templates/policies.yaml.j2.copr-infrastructure b/roles/anubis/templates/policies.yaml.j2.copr-infrastructure
index cacb5f7c3d..d69181327b 100644
--- a/roles/anubis/templates/policies.yaml.j2.copr-infrastructure
+++ b/roles/anubis/templates/policies.yaml.j2.copr-infrastructure
@@ -1,30 +1,85 @@ --- bots: {% if copr_machine_type == "frontend" %} - - name: allow badges - action: ALLOW - path_regex: status_image/last_build.png$ + # Machine/API endpoints - ALLOW without challenge + # These are used by dnf, copr-cli, webhooks, and internal services - # For yum-util-copr: - # /coprs/g/copr/copr-dev/repo/epel-9/ - # For dnf-plugins-core (dnf4): - # /coprs/g/copr/copr-dev/repo/epel-9/group_copr-copr-dev-epel-9.repo - # DNF5 uses /api_3/. - - name: allow repos + # API api info + - name: allow-api + action: ALLOW + path_regex: ^/api + + # Copr's API + - name: allow-api-v3 + action: ALLOW + path_regex: ^/api_3 + + # Internal backend communication + - name: allow-backend + action: ALLOW + path_regex: ^/backend + + # Webhooks from GitHub, GitLab, Pagure, etc. + - name: allow-webhooks + action: ALLOW + path_regex: ^/webhooks + + # RSS feeds for feed readers + - name: allow-rss + action: ALLOW + path_regex: ^/rss + + # Internal stats receiver + - name: allow-stats + action: ALLOW + path_regex: ^/stats_rcv + + # Internal temp files + - name: allow-tmp + action: ALLOW + path_regex: ^/tmp + + # Repo metadata for dnf/yum + - name: allow-repos action: ALLOW path_regex: /repo/ - - name: coprs-web-ui - action: WEIGH - weight: - adjust: 20 - path_regex: ^/coprs + # Build status badges + - name: allow-badges + action: ALLOW + path_regex: status_image/last_build.png$ + + # Trusted services - ALLOW by user-agent + + # Packit - automated upstream/downstream sync + # https://packit.dev + - name: allow-packit + action: ALLOW + user_agent_regex: packit.dev/packit + + # Web UI endpoints - protected (browsers get challenged) + # /coprs, /admin, /status, /recent, /explore, /batches, /groups, /user + # These are handled by default-config + {% elif copr_machine_type == "distgit" %} - - name: packages - action: WEIGH - weight: - adjust: 20 - path_regex: ^/packages + # Dist-git: Allow git operations, protect web UI + + # Git clone/fetch operations (git clients) + - name: 
allow-git-operations + action: ALLOW + path_regex: ^/git + + # cgit static files + - name: allow-cgit-static + action: ALLOW + path_regex: ^/cgit-data + + # Per-task logs (accessed by backend) + - name: allow-logs + action: ALLOW + path_regex: ^/per-task-logs + + # /packages (cgit web UI) - protected, handled by default-config {% endif %} - import: (data)/meta/default-config.yaml
diff --git a/roles/copr/dist_git/templates/ssl.conf.j2 b/roles/copr/dist_git/templates/ssl.conf.j2
index bc53f4bdb7..6e89d19ba6 100644
--- a/roles/copr/dist_git/templates/ssl.conf.j2
+++ b/roles/copr/dist_git/templates/ssl.conf.j2
@@ -33,13 +33,10 @@ SSLCryptoDevice builtin RequestHeader set X-Forwarded-Proto "https" RequestHeader set "X-Http-Version" "%{SERVER_PROTOCOL}s" - # /{{ cgit_uri }}/ goes through Anubis (configured with BASE_PREFIX=/{{ cgit_uri }}) - ProxyPass /{{ cgit_uri }}/ http://localhost:8987/{{ cgit_uri }}/ - ProxyPassReverse /{{ cgit_uri }}/ http://localhost:8987/{{ cgit_uri }}/ - - # Everything else goes directly to backend - ProxyPass / http://localhost:8345/ - ProxyPassReverse / http://localhost:8345/ + # All traffic goes through Anubis for bot protection. + # Policies control which endpoints are protected vs allowed in /etc/anubis/policies.yaml + ProxyPass / http://localhost:8987/ + ProxyPassReverse / http://localhost:8987/ SSLOptions +StdEnvVars
diff --git a/roles/copr/frontend/templates/httpd/coprs.conf b/roles/copr/frontend/templates/httpd/coprs.conf
index 1893426826..cd0dc1d305 100644
--- a/roles/copr/frontend/templates/httpd/coprs.conf
+++ b/roles/copr/frontend/templates/httpd/coprs.conf
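Review bot: The new `allow-packit` rule decides ALLOW from `user_agent_regex: packit.dev/packit` alone, and User-Agent is whatever the client chooses to send, so this is a challenge exemption for any request carrying that string rather than a check that the caller is Packit; if Packit's egress addresses are known, pairing the regex with a remote-address match would make the rule meaningful, and if they are not, the comment above it should record that it is a convenience exemption that cannot be verified. `path_regex: ^/api` already matches every `/api_3/…` path, so the `allow-api-v3` rule never decides anything — either drop it, or anchor the first rule as `path_regex: ^/api/` if the "API api info" comment means only that endpoint. The surviving `allow-repos` match `path_regex: /repo/` is unanchored and exempts any path containing that substring; anchoring it to the repo-file layout the removed comment documented (e.g. `path_regex: ^/coprs/.*/repo/`) would keep the exemption to what dnf actually fetches. Since the hunk covers the whole template, these are all the Copr-specific rules; everything else is decided by the imported `default-config.yaml`.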
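Review bot: With the `ProxyPass / http://localhost:8345/` lines removed, this vhost no longer references the application backend at all and Anubis on `localhost:8987` is the sole upstream for every path, including the git and per-task-log paths the policy file exempts; that makes the Anubis process a hard availability dependency for machine traffic that previously bypassed it, and the hop to 8345 now exists only in the anubis role's target configuration, which this patch does not touch. Please confirm that the role's upstream target does not depend on the `anubis_base_prefix` variable the inventory hunks above drop, and that health checks cover the 8987 listener. The new comment could state this explicitly, e.g. `# Anubis (8987) is the only upstream here; it forwards to the application backend itself - see the anubis role.` The coprs.conf hunk below makes the same change for the frontend and this note applies there as well.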
@@ -85,13 +85,10 @@ WSGIApplicationGroup %{GLOBAL} ProxyRequests Off ProxyVia Off - # /coprs/ goes through Anubis (configured with BASE_PREFIX=/coprs) - ProxyPass /coprs/ http://127.0.0.1:8987/coprs/ - ProxyPassReverse /coprs/ http://127.0.0.1:8987/coprs/ - - # Everything else goes directly to backend - ProxyPass / http://127.0.0.1:8345/ - ProxyPassReverse / http://127.0.0.1:8345/ + # All traffic goes through Anubis for bot protection. + # Policies control which endpoints are protected vs allowed in /etc/anubis/policies.yaml + ProxyPass / http://127.0.0.1:8987/ + ProxyPassReverse / http://127.0.0.1:8987/