Condition, rules, state and action refactor / rewrite

Add nested rules
Add backend action, allow wildcard in backends
Remove poison from tree, update README with action table

Allow defining pass/fail actions on challenge,

Remove redirect/referer parameters on backend pass

Set challenge cookie tied to host

Rewrite DNSBL condition into a challenge

Allow passing an arbitrary path for assets to js challenges

Optimize programs exhaustively on compilation

Activation instead of map for CEL context, faster map access, new network override

Return valid host on cookie setting in case Host is an IP address.
bug: does not work with IPv6, see https://github.com/golang/go/issues/65521

Apply TLS fingerprinter on GetConfigForClient instead of GetCertificate

Cleanup go-away cookies before passing to backend

Code action for specifically replying with an HTTP code

lib/action/backend.go

@@ -0,0 +1,80 @@
+package action
+
+import (
+	"fmt"
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/lib/policy"
+	"github.com/goccy/go-yaml"
+	"github.com/goccy/go-yaml/ast"
+	"log/slog"
+	"net/http"
+	"regexp"
+)
+
+func init() {
+	Register[policy.RuleActionPROXY] = func(state challenge.StateInterface, ruleName, ruleHash string, settings ast.Node) (Handler, error) {
+		params := ProxyDefaultSettings
+
+		if settings != nil {
+			ymlData, err := settings.MarshalYAML()
+			if err != nil {
+				return nil, err
+			}
+			err = yaml.Unmarshal(ymlData, &params)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		if params.Match != "" {
+			expr, err := regexp.Compile(params.Match)
+			if err != nil {
+				return nil, err
+			}
+
+			return Proxy{
+				Match:   expr,
+				Rewrite: params.Rewrite,
+				Backend: params.Backend,
+			}, nil
+		}
+
+		return Proxy{
+			Backend: params.Backend,
+		}, nil
+	}
+}
+
+var ProxyDefaultSettings = ProxySettings{}
+
+type ProxySettings struct {
+	Match   string `yaml:"proxy-match"`
+	Rewrite string `yaml:"proxy-rewrite"`
+	Backend string `yaml:"proxy-backend"`
+}
+
+type Proxy struct {
+	Match   *regexp.Regexp
+	Rewrite string
+	Backend string
+}
+
+func (a Proxy) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Request, done func() (backend http.Handler)) (next bool, err error) {
+	data := challenge.RequestDataFromContext(r.Context())
+
+	backend := data.State.GetBackend(a.Backend)
+	if backend == nil {
+		return false, fmt.Errorf("backend for %s not found", a.Backend)
+	}
+
+	if a.Match != nil {
+		// rewrite query
+		r.URL.Path = a.Match.ReplaceAllString(r.URL.Path, a.Rewrite)
+	}
+
+	// set headers, ignore reply
+	_ = done()
+	backend.ServeHTTP(w, r)
+
+	return false, nil
+}

lib/action/block.go

@@ -0,0 +1,36 @@
+package action
+
+import (
+	"fmt"
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/lib/policy"
+	"github.com/goccy/go-yaml/ast"
+	"log/slog"
+	"net/http"
+)
+
+func init() {
+	Register[policy.RuleActionBLOCK] = func(state challenge.StateInterface, ruleName, ruleHash string, settings ast.Node) (Handler, error) {
+		return Block{
+			Code:     http.StatusForbidden,
+			RuleHash: ruleHash,
+		}, nil
+	}
+}
+
+type Block struct {
+	Code     int
+	RuleHash string
+}
+
+func (a Block) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Request, done func() (backend http.Handler)) (next bool, err error) {
+	logger.Info("request blocked")
+	data := challenge.RequestDataFromContext(r.Context())
+
+	w.Header().Set("Content-Type", "text/plain")
+	w.Header().Set("Connection", "close")
+	w.WriteHeader(a.Code)
+	_, _ = w.Write([]byte(fmt.Errorf("access blocked: blocked by administrative rule %s/%s", data.Id.String(), a.RuleHash).Error()))
+
+	return false, nil
+}

lib/action/challenge.go

@@ -0,0 +1,178 @@
+package action
+
+import (
+	"fmt"
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/lib/policy"
+	"github.com/goccy/go-yaml"
+	"github.com/goccy/go-yaml/ast"
+	"log/slog"
+	"net/http"
+	"strings"
+)
+
+func init() {
+	i := func(state challenge.StateInterface, ruleName, ruleHash string, settings ast.Node, cont bool) (Handler, error) {
+		params := ChallengeDefaultSettings
+
+		if settings != nil {
+			ymlData, err := settings.MarshalYAML()
+			if err != nil {
+				return nil, err
+			}
+			err = yaml.Unmarshal(ymlData, &params)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		if params.Code == 0 {
+			params.Code = state.Settings().ChallengeResponseCode
+		}
+
+		var regs []*challenge.Registration
+		for _, regName := range params.Challenges {
+			if reg, ok := state.GetChallengeByName(regName); ok {
+				regs = append(regs, reg)
+			} else {
+				return nil, fmt.Errorf("challenge %s not found", regName)
+			}
+		}
+
+		if len(regs) == 0 {
+			return nil, fmt.Errorf("no registered challenges found in rule %s", ruleName)
+		}
+
+		passHandler, ok := Register[policy.RuleAction(strings.ToUpper(params.PassAction))]
+		if !ok {
+			return nil, fmt.Errorf("unknown pass action %s", params.PassAction)
+		}
+
+		passActionHandler, err := passHandler(state, ruleName, ruleHash, params.PassSettings)
+		if err != nil {
+			return nil, err
+		}
+
+		failHandler, ok := Register[policy.RuleAction(strings.ToUpper(params.FailAction))]
+		if !ok {
+			return nil, fmt.Errorf("unknown pass action %s", params.FailAction)
+		}
+
+		failActionHandler, err := failHandler(state, ruleName, ruleHash, params.FailSettings)
+		if err != nil {
+			return nil, err
+		}
+
+		return Challenge{
+			RuleHash:   ruleHash,
+			Code:       params.Code,
+			Continue:   cont,
+			Challenges: regs,
+
+			PassAction: passActionHandler,
+			FailAction: failActionHandler,
+		}, nil
+	}
+	Register[policy.RuleActionCHALLENGE] = func(state challenge.StateInterface, ruleName, ruleHash string, settings ast.Node) (Handler, error) {
+		return i(state, ruleName, ruleHash, settings, false)
+	}
+	Register[policy.RuleActionCHECK] = func(state challenge.StateInterface, ruleName, ruleHash string, settings ast.Node) (Handler, error) {
+		return i(state, ruleName, ruleHash, settings, true)
+	}
+}
+
+var ChallengeDefaultSettings = ChallengeSettings{
+	PassAction: string(policy.RuleActionPASS),
+	FailAction: string(policy.RuleActionDENY),
+}
+
+type ChallengeSettings struct {
+	Code       int      `yaml:"http-code"`
+	Challenges []string `yaml:"challenges"`
+
+	PassAction   string   `yaml:"pass"`
+	PassSettings ast.Node `yaml:"pass-settings"`
+
+	// FailAction Executed in case no challenges match or
+	FailAction   string   `yaml:"fail"`
+	FailSettings ast.Node `yaml:"fail-settings"`
+}
+
+type Challenge struct {
+	RuleHash   string
+	Code       int
+	Continue   bool
+	Challenges []*challenge.Registration
+
+	PassAction Handler
+	FailAction Handler
+}
+
+func (a Challenge) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Request, done func() (backend http.Handler)) (next bool, err error) {
+	data := challenge.RequestDataFromContext(r.Context())
+	for _, reg := range a.Challenges {
+		if data.HasValidChallenge(reg.Id()) {
+			if a.Continue {
+				return true, nil
+			}
+
+			// we passed!
+			return a.PassAction.Handle(logger.With("challenge", reg.Name), w, r, done)
+		}
+	}
+	// none matched, issue challenges in sequential priority
+	for _, reg := range a.Challenges {
+		result := data.ChallengeVerify[reg.Id()]
+		state := data.ChallengeState[reg.Id()]
+		if result.Ok() || result == challenge.VerifyResultSkip || state == challenge.VerifyStatePass {
+			// skip already ok'd challenges for some reason (TODO: why)
+			// also skip skipped challenges due to preconditions
+			continue
+		}
+
+		expiry := data.Expiration(reg.Duration)
+		key := challenge.GetChallengeKeyForRequest(data.State, reg, expiry, r)
+		data.State.ChallengeIssued(r, reg, r.URL.String(), logger)
+		result = reg.IssueChallenge(w, r, key, expiry)
+		data.ChallengeVerify[reg.Id()] = result
+		data.ChallengeState[reg.Id()] = challenge.VerifyStatePass
+		switch result {
+		case challenge.VerifyResultOK:
+			data.State.ChallengePassed(r, reg, r.URL.String(), logger)
+			if a.Continue {
+				return true, nil
+			}
+
+			return a.PassAction.Handle(logger.With("challenge", reg.Name), w, r, done)
+		case challenge.VerifyResultNotOK:
+			// we have had the challenge checked, but it's not ok!
+			// safe to continue
+			continue
+		case challenge.VerifyResultFail:
+			err := fmt.Errorf("challenge %s failed on issuance", reg.Name)
+			data.State.ChallengeFailed(r, reg, err, r.URL.String(), logger)
+
+			if reg.Class == challenge.ClassTransparent {
+				// allow continuing transparent challenges
+				continue
+			}
+
+			return a.FailAction.Handle(logger, w, r, done)
+		case challenge.VerifyResultNone:
+			// challenge was issued
+			if reg.Class == challenge.ClassTransparent {
+				// allow continuing transparent challenges
+				continue
+			}
+			// we cannot continue after issuance
+			return false, nil
+
+		case challenge.VerifyResultSkip:
+			// continue onto next one due to precondition
+			continue
+		}
+	}
+
+	// nothing matched, execute default action
+	return a.FailAction.Handle(logger, w, r, done)
+}

lib/action/code.go

@@ -0,0 +1,47 @@
+package action
+
+import (
+	"errors"
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/lib/policy"
+	"github.com/goccy/go-yaml"
+	"github.com/goccy/go-yaml/ast"
+	"log/slog"
+	"net/http"
+)
+
+func init() {
+	Register[policy.RuleActionCODE] = func(state challenge.StateInterface, ruleName, ruleHash string, settings ast.Node) (Handler, error) {
+		params := CodeDefaultSettings
+
+		if settings != nil {
+			ymlData, err := settings.MarshalYAML()
+			if err != nil {
+				return nil, err
+			}
+			err = yaml.Unmarshal(ymlData, &params)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		if params.Code == 0 {
+			return nil, errors.New("http-code not set")
+		}
+
+		return Code(params.Code), nil
+	}
+}
+
+var CodeDefaultSettings = CodeSettings{}
+
+type CodeSettings struct {
+	Code int `yaml:"http-code"`
+}
+
+type Code int
+
+func (a Code) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Request, done func() (backend http.Handler)) (next bool, err error) {
+	w.WriteHeader(int(a))
+	return false, nil
+}

lib/action/deny.go

@@ -0,0 +1,31 @@
+package action
+
+import (
+	"fmt"
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/lib/policy"
+	"github.com/goccy/go-yaml/ast"
+	"log/slog"
+	"net/http"
+)
+
+func init() {
+	Register[policy.RuleActionDENY] = func(state challenge.StateInterface, ruleName, ruleHash string, settings ast.Node) (Handler, error) {
+		return Deny{
+			Code:     http.StatusForbidden,
+			RuleHash: ruleHash,
+		}, nil
+	}
+}
+
+type Deny struct {
+	Code     int
+	RuleHash string
+}
+
+func (a Deny) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Request, done func() (backend http.Handler)) (next bool, err error) {
+	logger.Info("request denied")
+	data := challenge.RequestDataFromContext(r.Context())
+	data.State.ErrorPage(w, r, a.Code, fmt.Errorf("access denied: denied by administrative rule %s/%s", data.Id.String(), a.RuleHash), "")
+	return false, nil
+}

lib/action/drop.go

@@ -0,0 +1,39 @@
+package action
+
+import (
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/lib/policy"
+	"github.com/goccy/go-yaml/ast"
+	"log/slog"
+	"net/http"
+)
+
+func init() {
+	Register[policy.RuleActionDROP] = func(state challenge.StateInterface, ruleName, ruleHash string, settings ast.Node) (Handler, error) {
+		return Drop{}, nil
+	}
+}
+
+type Drop struct {
+}
+
+func (a Drop) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Request, done func() (backend http.Handler)) (next bool, err error) {
+	logger.Info("request dropped")
+
+	if hj, ok := w.(http.Hijacker); ok {
+		if conn, _, err := hj.Hijack(); err == nil {
+			// drop without sending data
+			_ = conn.Close()
+			return false, nil
+		}
+	}
+
+	// fallback
+
+	w.Header().Set("Content-Type", "text/plain")
+	w.Header().Set("Content-Length", "0")
+	w.Header().Set("Connection", "close")
+	w.WriteHeader(http.StatusForbidden)
+
+	return false, nil
+}

lib/action/none.go

@@ -0,0 +1,21 @@
+package action
+
+import (
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/lib/policy"
+	"github.com/goccy/go-yaml/ast"
+	"log/slog"
+	"net/http"
+)
+
+func init() {
+	Register[policy.RuleActionNONE] = func(state challenge.StateInterface, ruleName, ruleHash string, settings ast.Node) (Handler, error) {
+		return None{}, nil
+	}
+}
+
+type None struct{}
+
+func (a None) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Request, done func() (backend http.Handler)) (next bool, err error) {
+	return true, nil
+}

lib/action/pass.go

@@ -0,0 +1,23 @@
+package action
+
+import (
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/lib/policy"
+	"github.com/goccy/go-yaml/ast"
+	"log/slog"
+	"net/http"
+)
+
+func init() {
+	Register[policy.RuleActionPASS] = func(state challenge.StateInterface, ruleName, ruleHash string, settings ast.Node) (Handler, error) {
+		return Pass{}, nil
+	}
+}
+
+type Pass struct{}
+
+func (a Pass) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Request, done func() (backend http.Handler)) (next bool, err error) {
+	logger.Debug("request passed")
+	done().ServeHTTP(w, r)
+	return false, nil
+}

lib/action/register.go

@@ -0,0 +1,20 @@
+package action
+
+import (
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/lib/policy"
+	"github.com/goccy/go-yaml/ast"
+	"log/slog"
+	"net/http"
+)
+
+type Handler interface {
+	// Handle An incoming request.
+	// If next is true, continue processing
+	// If next is false, stop processing. If passing to a backend, done() must be called beforehand to set headers.
+	Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Request, done func() (backend http.Handler)) (next bool, err error)
+}
+
+type NewFunc func(state challenge.StateInterface, ruleName, ruleHash string, settings ast.Node) (Handler, error)
+
+var Register = make(map[policy.RuleAction]NewFunc)

lib/challenge.go

@@ -1,125 +1,13 @@
 package lib
 
 import (
-	"crypto/sha256"
-	"encoding/binary"
-	"encoding/hex"
-	"errors"
-	"github.com/go-jose/go-jose/v4/jwt"
-	"net"
-	"net/http"
-	"strings"
-	"time"
+	_ "git.gammaspectra.live/git/go-away/lib/challenge/cookie"
+	_ "git.gammaspectra.live/git/go-away/lib/challenge/dnsbl"
+	_ "git.gammaspectra.live/git/go-away/lib/challenge/http"
+	_ "git.gammaspectra.live/git/go-away/lib/challenge/preload-link"
+	_ "git.gammaspectra.live/git/go-away/lib/challenge/refresh"
+	_ "git.gammaspectra.live/git/go-away/lib/challenge/resource-load"
+	_ "git.gammaspectra.live/git/go-away/lib/challenge/wasm"
 )
 
-type ChallengeInformation struct {
-	Name   string `json:"name"`
-	Key    []byte `json:"key"`
-	Result []byte `json:"result"`
-
-	Expiry    *jwt.NumericDate `json:"exp,omitempty"`
-	NotBefore *jwt.NumericDate `json:"nbf,omitempty"`
-	IssuedAt  *jwt.NumericDate `json:"iat,omitempty"`
-}
-
-func getRequestScheme(r *http.Request) string {
-	if proto := r.Header.Get("X-Forwarded-Proto"); proto == "http" || proto == "https" {
-		return proto
-	}
-
-	if r.TLS != nil {
-		return "https"
-	}
-
-	return "http"
-}
-
-func getRequestAddress(r *http.Request, clientHeader string) net.IP {
-	var ipStr string
-	if clientHeader != "" {
-		ipStr = r.Header.Get(clientHeader)
-	}
-	if ipStr != "" {
-		// handle X-Forwarded-For
-		ipStr = strings.Split(ipStr, ",")[0]
-	}
-
-	// fallback
-	if ipStr == "" {
-		parts := strings.Split(r.RemoteAddr, ":")
-		// drop port
-		ipStr = strings.Join(parts[:len(parts)-1], ":")
-	}
-	ipStr = strings.Trim(ipStr, "[]")
-	return net.ParseIP(ipStr)
-}
-
-type ChallengeKey []byte
-
-const ChallengeKeySize = sha256.Size
-
-func (k *ChallengeKey) Set(flags ChallengeKeyFlags) {
-	(*k)[0] |= uint8(flags)
-}
-func (k *ChallengeKey) Get(flags ChallengeKeyFlags) ChallengeKeyFlags {
-	return ChallengeKeyFlags((*k)[0] & uint8(flags))
-}
-func (k *ChallengeKey) Unset(flags ChallengeKeyFlags) {
-	(*k)[0] = (*k)[0] & ^(uint8(flags))
-}
-
-type ChallengeKeyFlags uint8
-
-const (
-	ChallengeKeyFlagIsIPv4 = ChallengeKeyFlags(1 << iota)
-)
-
-func ChallengeKeyFromString(s string) (ChallengeKey, error) {
-	b, err := hex.DecodeString(s)
-	if err != nil {
-		return nil, err
-	}
-	if len(b) != ChallengeKeySize {
-		return nil, errors.New("invalid challenge key")
-	}
-	return ChallengeKey(b), nil
-}
-
-func (state *State) GetChallengeKeyForRequest(challengeName string, until time.Time, r *http.Request) ChallengeKey {
-	data := RequestDataFromContext(r.Context())
-	address := data.RemoteAddress
-	hasher := sha256.New()
-	hasher.Write([]byte("challenge\x00"))
-	hasher.Write([]byte(challengeName))
-	hasher.Write([]byte{0})
-	hasher.Write(address.To16())
-	hasher.Write([]byte{0})
-
-	// specific headers
-	for _, k := range []string{
-		"Accept-Language",
-		// General browser information
-		"User-Agent",
-		// TODO: not sent in preload
-		//"Sec-Ch-Ua",
-		//"Sec-Ch-Ua-Platform",
-	} {
-		hasher.Write([]byte(r.Header.Get(k)))
-		hasher.Write([]byte{0})
-	}
-	hasher.Write([]byte{0})
-	_ = binary.Write(hasher, binary.LittleEndian, until.UTC().Unix())
-	hasher.Write([]byte{0})
-	hasher.Write(state.publicKey)
-	hasher.Write([]byte{0})
-
-	sum := ChallengeKey(hasher.Sum(nil))
-
-	sum[0] = 0
-
-	if address.To4() != nil {
-		// Is IPv4, mark
-		sum.Set(ChallengeKeyFlagIsIPv4)
-	}
-	return ChallengeKey(sum)
-}
+// This file loads embedded challenge runtimes so their init() is called

lib/challenge/awaiter.go

@@ -0,0 +1,47 @@
+package challenge
+
+import (
+	"context"
+	"github.com/alphadose/haxmap"
+	"sync/atomic"
+)
+
+type awaiterCallback func(result VerifyResult)
+
+type Awaiter[K ~string | ~int64 | ~uint64] haxmap.Map[K, awaiterCallback]
+
+func NewAwaiter[T ~string | ~int64 | ~uint64]() *Awaiter[T] {
+	return (*Awaiter[T])(haxmap.New[T, awaiterCallback]())
+}
+
+func (a *Awaiter[T]) Await(key T, ctx context.Context) VerifyResult {
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	var result atomic.Int64
+
+	a.m().Set(key, func(receivedResult VerifyResult) {
+		result.Store(int64(receivedResult))
+		cancel()
+	})
+	// cleanup
+	defer a.m().Del(key)
+
+	<-ctx.Done()
+
+	return VerifyResult(result.Load())
+}
+
+func (a *Awaiter[T]) Solve(key T, result VerifyResult) {
+	if f, ok := a.m().GetAndDel(key); ok && f != nil {
+		f(result)
+	}
+}
+
+func (a *Awaiter[T]) m() *haxmap.Map[T, awaiterCallback] {
+	return (*haxmap.Map[T, awaiterCallback])(a)
+}
+
+func (a *Awaiter[T]) Close() error {
+	return nil
+}

lib/challenge/cookie/cookie.go

@@ -0,0 +1,38 @@
+package cookie
+
+import (
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/utils"
+	"github.com/goccy/go-yaml/ast"
+	"net/http"
+	"time"
+)
+
+func init() {
+	challenge.Runtimes[Key] = FillRegistration
+}
+
+const Key = "cookie"
+
+func FillRegistration(state challenge.StateInterface, reg *challenge.Registration, parameters ast.Node) error {
+	reg.Class = challenge.ClassBlocking
+
+	reg.IssueChallenge = func(w http.ResponseWriter, r *http.Request, key challenge.Key, expiry time.Time) challenge.VerifyResult {
+		token, err := reg.IssueChallengeToken(state.PrivateKey(), key, nil, expiry, true)
+		if err != nil {
+			return challenge.VerifyResultFail
+		}
+
+		utils.SetCookie(utils.CookiePrefix+reg.Name, token, expiry, w, r)
+
+		uri, err := challenge.RedirectUrl(r, reg)
+		if err != nil {
+			return challenge.VerifyResultFail
+		}
+
+		http.Redirect(w, r, uri.String(), http.StatusTemporaryRedirect)
+		return challenge.VerifyResultNone
+	}
+
+	return nil
+}

lib/challenge/data.go

@@ -0,0 +1,171 @@
+package challenge
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"git.gammaspectra.live/git/go-away/lib/condition"
+	"git.gammaspectra.live/git/go-away/utils"
+	"github.com/google/cel-go/cel"
+	"github.com/google/cel-go/common/types"
+	"github.com/google/cel-go/common/types/traits"
+	"net"
+	"net/http"
+	"net/textproto"
+	"time"
+)
+
+type requestDataContextKey struct {
+}
+
+func RequestDataFromContext(ctx context.Context) *RequestData {
+	return ctx.Value(requestDataContextKey{}).(*RequestData)
+}
+
+type RequestId [16]byte
+
+func (id RequestId) String() string {
+	return hex.EncodeToString(id[:])
+}
+
+type RequestData struct {
+	Id              RequestId
+	Time            time.Time
+	ChallengeVerify map[Id]VerifyResult
+	ChallengeState  map[Id]VerifyState
+	RemoteAddress   net.IP
+	State           StateInterface
+
+	r *http.Request
+
+	fp     map[string]string
+	header traits.Mapper
+	query  traits.Mapper
+}
+
+func CreateRequestData(r *http.Request, state StateInterface) (*http.Request, *RequestData) {
+
+	var data RequestData
+	// generate random id, todo: is this fast?
+	_, _ = rand.Read(data.Id[:])
+	data.RemoteAddress = utils.GetRequestAddress(r, state.Settings().ClientIpHeader)
+	data.ChallengeVerify = make(map[Id]VerifyResult, len(state.GetChallenges()))
+	data.ChallengeState = make(map[Id]VerifyState, len(state.GetChallenges()))
+	data.Time = time.Now().UTC()
+	data.State = state
+	data.r = r
+
+	data.fp = make(map[string]string, 2)
+
+	if fp := utils.GetTLSFingerprint(r); fp != nil {
+		if ja3nPtr := fp.JA3N(); ja3nPtr != nil {
+			ja3n := ja3nPtr.String()
+			data.fp["ja3n"] = ja3n
+			r.Header.Set("X-TLS-Fingerprint-JA3N", ja3n)
+		}
+		if ja4Ptr := fp.JA4(); ja4Ptr != nil {
+			ja4 := ja4Ptr.String()
+			data.fp["ja4"] = ja4
+			r.Header.Set("X-TLS-Fingerprint-JA4", ja4)
+		}
+	}
+
+	data.query = condition.NewValuesMap(r.URL.Query())
+	data.header = condition.NewMIMEMap(textproto.MIMEHeader(r.Header))
+
+	r = r.WithContext(context.WithValue(r.Context(), requestDataContextKey{}, &data))
+
+	return r, &data
+}
+
+func (d *RequestData) ResolveName(name string) (any, bool) {
+	switch name {
+	case "host":
+		return d.r.Host, true
+	case "method":
+		return d.r.Method, true
+	case "remoteAddress":
+		return d.RemoteAddress, true
+	case "userAgent":
+		return d.r.UserAgent(), true
+	case "path":
+		return d.r.URL.Path, true
+	case "query":
+		return d.query, true
+	case "headers":
+		return d.header, true
+	case "fp":
+		return d.fp, true
+	default:
+		return nil, false
+	}
+}
+
+func (d *RequestData) Parent() cel.Activation {
+	return nil
+}
+
+func (d *RequestData) EvaluateChallenges(w http.ResponseWriter, r *http.Request) {
+	for _, reg := range d.State.GetChallenges() {
+		key := GetChallengeKeyForRequest(d.State, reg, d.Expiration(reg.Duration), r)
+		verifyResult, verifyState, err := reg.VerifyChallengeToken(d.State.PublicKey(), key, r)
+		if err != nil && !errors.Is(err, http.ErrNoCookie) {
+			// clear invalid cookie
+			utils.ClearCookie(utils.CookiePrefix+reg.Name, w, r)
+		}
+
+		// prevent evaluating the challenge if not solved
+		if !verifyResult.Ok() && reg.Condition != nil {
+			out, _, err := reg.Condition.Eval(d)
+			// verify eligibility
+			if err != nil {
+				d.State.Logger(r).Error(err.Error(), "challenge", reg.Name)
+			} else if out != nil && out.Type() == types.BoolType {
+				if out.Equal(types.True) != types.True {
+					// skip challenge match due to precondition!
+					verifyResult = VerifyResultSkip
+					continue
+				}
+			}
+		}
+		d.ChallengeVerify[reg.Id()] = verifyResult
+		d.ChallengeState[reg.Id()] = verifyState
+	}
+
+	if d.State.Settings().BackendIpHeader != "" {
+		if d.State.Settings().ClientIpHeader != "" {
+			r.Header.Del(d.State.Settings().ClientIpHeader)
+		}
+		r.Header.Set(d.State.Settings().BackendIpHeader, d.RemoteAddress.String())
+	}
+
+	// send these to client so we consistently get the headers
+	//w.Header().Set("Accept-CH", "Sec-CH-UA, Sec-CH-UA-Platform")
+	//w.Header().Set("Critical-CH", "Sec-CH-UA, Sec-CH-UA-Platform")
+}
+
+func (d *RequestData) Expiration(duration time.Duration) time.Time {
+	return d.Time.Add(duration).Round(duration)
+}
+
+func (d *RequestData) HasValidChallenge(id Id) bool {
+	return d.ChallengeVerify[id].Ok()
+}
+
+func (d *RequestData) Headers(headers http.Header) {
+	headers.Set("X-Away-Id", d.Id.String())
+
+	for id, result := range d.ChallengeVerify {
+		if result.Ok() {
+			c, ok := d.State.GetChallenge(id)
+			if !ok {
+				panic("challenge not found")
+			}
+
+			headers.Set(fmt.Sprintf("X-Away-Challenge-%s-Result", c.Name), result.String())
+			headers.Set(fmt.Sprintf("X-Away-Challenge-%s-State", c.Name), d.ChallengeState[id].String())
+		}
+	}
+}

lib/challenge/dnsbl/dnsbl.go

@@ -0,0 +1,149 @@
+package http
+
+import (
+	"context"
+	"errors"
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/utils"
+	"github.com/goccy/go-yaml"
+	"github.com/goccy/go-yaml/ast"
+	"net"
+	"net/http"
+	"time"
+)
+
+func init() {
+	challenge.Runtimes[Key] = FillRegistration
+}
+
+const Key = "dnsbl"
+
+type Parameters struct {
+	VerifyProbability float64       `yaml:"verify-probability"`
+	Host              string        `yaml:"dnsbl-host"`
+	Timeout           time.Duration `yaml:"dnsbl-timeout"`
+	Decay             time.Duration `yaml:"dnsbl-decay"`
+}
+
+var DefaultParameters = Parameters{
+	VerifyProbability: 0.10,
+	Timeout:           time.Second * 1,
+	Decay:             time.Hour * 1,
+	Host:              "dnsbl.dronebl.org",
+}
+
+func lookup(ctx context.Context, decay, timeout time.Duration, dnsbl *utils.DNSBL, decayMap *utils.DecayMap[[net.IPv6len]byte, utils.DNSBLResponse], ip net.IP) (utils.DNSBLResponse, error) {
+	var key [net.IPv6len]byte
+	copy(key[:], ip.To16())
+
+	result, ok := decayMap.Get(key)
+	if ok {
+		return result, nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+	result, err := dnsbl.Lookup(ctx, ip)
+	if err != nil {
+
+	}
+	decayMap.Set(key, result, decay)
+
+	return result, err
+}
+
+type closer chan struct{}
+
+func (c closer) Close() error {
+	select {
+	case <-c:
+	default:
+		close(c)
+	}
+	return nil
+}
+
+func FillRegistration(state challenge.StateInterface, reg *challenge.Registration, parameters ast.Node) error {
+	params := DefaultParameters
+
+	if parameters != nil {
+		ymlData, err := parameters.MarshalYAML()
+		if err != nil {
+			return err
+		}
+		err = yaml.Unmarshal(ymlData, &params)
+		if err != nil {
+			return err
+		}
+	}
+
+	if params.Host == "" {
+		return errors.New("empty host")
+	}
+
+	reg.Class = challenge.ClassTransparent
+
+	if params.VerifyProbability <= 0 {
+		//20% default
+		params.VerifyProbability = 0.20
+	} else if params.VerifyProbability > 1.0 {
+		params.VerifyProbability = 1.0
+	}
+	reg.VerifyProbability = params.VerifyProbability
+
+	decayMap := utils.NewDecayMap[[net.IPv6len]byte, utils.DNSBLResponse]()
+
+	dnsbl := utils.NewDNSBL(params.Host, &net.Resolver{
+		PreferGo: true,
+	})
+
+	ob := make(closer)
+
+	go func() {
+		ticker := time.NewTicker(params.Timeout / 3)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-ticker.C:
+				decayMap.Decay()
+			case <-ob:
+				return
+			}
+		}
+	}()
+
+	// allow freeing the ticker/decay map
+	reg.Object = ob
+
+	reg.IssueChallenge = func(w http.ResponseWriter, r *http.Request, key challenge.Key, expiry time.Time) challenge.VerifyResult {
+
+		data := challenge.RequestDataFromContext(r.Context())
+
+		result, err := lookup(r.Context(), params.Decay, params.Timeout, dnsbl, decayMap, data.RemoteAddress)
+		if err != nil {
+			data.State.Logger(r).Debug("dnsbl lookup failed", "address", data.RemoteAddress.String(), "result", result, "err", err)
+		}
+
+		if err != nil {
+			return challenge.VerifyResultFail
+		}
+
+		if result.Bad() {
+			token, err := reg.IssueChallengeToken(state.PrivateKey(), key, nil, expiry, false)
+			if err != nil {
+				return challenge.VerifyResultFail
+			}
+			utils.SetCookie(utils.CookiePrefix+reg.Name, token, expiry, w, r)
+			return challenge.VerifyResultNotOK
+		} else {
+			token, err := reg.IssueChallengeToken(state.PrivateKey(), key, nil, expiry, true)
+			if err != nil {
+				return challenge.VerifyResultFail
+			}
+			utils.SetCookie(utils.CookiePrefix+reg.Name, token, expiry, w, r)
+			return challenge.VerifyResultOK
+		}
+	}
+
+	return nil
+}

lib/challenge/helper.go

@@ -0,0 +1,164 @@
+package challenge
+
+import (
+	"crypto/subtle"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"git.gammaspectra.live/git/go-away/utils"
+	"net/http"
+	"net/url"
+)
+
+func NewKeyVerifier() (verify VerifyFunc, issue func(key Key) string) {
+	return func(key Key, token []byte, r *http.Request) (VerifyResult, error) {
+			expectedKey, err := hex.DecodeString(string(token))
+			if err != nil {
+				return VerifyResultFail, err
+			}
+			if subtle.ConstantTimeCompare(key[:], expectedKey) == 1 {
+				return VerifyResultOK, nil
+			}
+			return VerifyResultFail, errors.New("invalid token")
+		}, func(key Key) string {
+			return hex.EncodeToString(key[:])
+		}
+}
+
+const (
+	QueryArgPrefix    = "__goaway"
+	QueryArgReferer   = QueryArgPrefix + "_referer"
+	QueryArgRedirect  = QueryArgPrefix + "_redirect"
+	QueryArgRequestId = QueryArgPrefix + "_id"
+	QueryArgChallenge = QueryArgPrefix + "_challenge"
+	QueryArgToken     = QueryArgPrefix + "_token"
+)
+
+const MakeChallengeUrlSuffix = "/make-challenge"
+const VerifyChallengeUrlSuffix = "/verify-challenge"
+
+func GetVerifyInformation(r *http.Request, reg *Registration) (requestId RequestId, redirect, token string, err error) {
+
+	if r.FormValue(QueryArgChallenge) != reg.Name {
+		return RequestId{}, "", "", fmt.Errorf("unexpected challenge: got %s", r.FormValue(QueryArgChallenge))
+	}
+
+	requestIdHex := r.FormValue(QueryArgRequestId)
+
+	if len(requestId) != hex.DecodedLen(len(requestIdHex)) {
+		return RequestId{}, "", "", errors.New("invalid request id")
+	}
+	n, err := hex.Decode(requestId[:], []byte(requestIdHex))
+	if err != nil {
+		return RequestId{}, "", "", err
+	} else if n != len(requestId) {
+		return RequestId{}, "", "", errors.New("invalid request id")
+	}
+
+	token = r.FormValue(QueryArgToken)
+	redirect, err = utils.EnsureNoOpenRedirect(r.FormValue(QueryArgRedirect))
+	if err != nil {
+		return RequestId{}, "", "", err
+	}
+	return
+}
+
+func VerifyUrl(r *http.Request, reg *Registration, token string) (*url.URL, error) {
+
+	redirectUrl, err := RedirectUrl(r, reg)
+	if err != nil {
+		return nil, err
+	}
+
+	uri := new(url.URL)
+	uri.Path = reg.Path + VerifyChallengeUrlSuffix
+
+	data := RequestDataFromContext(r.Context())
+	values := uri.Query()
+	values.Set(QueryArgRequestId, data.Id.String())
+	values.Set(QueryArgRedirect, redirectUrl.String())
+	values.Set(QueryArgToken, token)
+	values.Set(QueryArgChallenge, reg.Name)
+	uri.RawQuery = values.Encode()
+
+	return uri, nil
+}
+
+func RedirectUrl(r *http.Request, reg *Registration) (*url.URL, error) {
+	uri, err := url.ParseRequestURI(r.URL.String())
+	if err != nil {
+		return nil, err
+	}
+
+	data := RequestDataFromContext(r.Context())
+	values := uri.Query()
+	values.Set(QueryArgRequestId, data.Id.String())
+	values.Set(QueryArgReferer, r.Referer())
+	values.Set(QueryArgChallenge, reg.Name)
+	uri.RawQuery = values.Encode()
+
+	return uri, nil
+}
+
+func VerifyHandlerChallengeResponseFunc(state StateInterface, data *RequestData, w http.ResponseWriter, r *http.Request, verifyResult VerifyResult, err error, redirect string) {
+	if err != nil {
+		state.ErrorPage(w, r, http.StatusBadRequest, err, redirect)
+		return
+	} else if !verifyResult.Ok() {
+		state.ErrorPage(w, r, http.StatusForbidden, fmt.Errorf("access denied: failed challenge"), redirect)
+		return
+	}
+	http.Redirect(w, r, redirect, http.StatusTemporaryRedirect)
+}
+
+func VerifyHandlerFunc(state StateInterface, reg *Registration, verify VerifyFunc, responseFunc func(state StateInterface, data *RequestData, w http.ResponseWriter, r *http.Request, verifyResult VerifyResult, err error, redirect string)) http.HandlerFunc {
+	if verify == nil {
+		verify = reg.Verify
+	}
+	if responseFunc == nil {
+		responseFunc = VerifyHandlerChallengeResponseFunc
+	}
+	return func(w http.ResponseWriter, r *http.Request) {
+		data := RequestDataFromContext(r.Context())
+		requestId, redirect, token, err := GetVerifyInformation(r, reg)
+		if err != nil {
+			state.ChallengeFailed(r, reg, err, "", nil)
+			responseFunc(state, data, w, r, VerifyResultFail, fmt.Errorf("internal error: %w", err), "")
+			return
+		}
+		data.Id = requestId
+
+		err = func() (err error) {
+			expiration := data.Expiration(reg.Duration)
+			key := GetChallengeKeyForRequest(state, reg, expiration, r)
+
+			verifyResult, err := verify(key, []byte(token), r)
+			if err != nil {
+				return err
+			} else if !verifyResult.Ok() {
+				utils.ClearCookie(utils.CookiePrefix+reg.Name, w, r)
+				state.ChallengeFailed(r, reg, nil, redirect, nil)
+				responseFunc(state, data, w, r, verifyResult, nil, redirect)
+				return nil
+			}
+
+			challengeToken, err := reg.IssueChallengeToken(state.PrivateKey(), key, []byte(token), expiration, true)
+			if err != nil {
+				utils.ClearCookie(utils.CookiePrefix+reg.Name, w, r)
+			} else {
+				utils.SetCookie(utils.CookiePrefix+reg.Name, challengeToken, expiration, w, r)
+			}
+			data.ChallengeVerify[reg.id] = verifyResult
+			state.ChallengePassed(r, reg, redirect, nil)
+
+			responseFunc(state, data, w, r, verifyResult, nil, redirect)
+			return nil
+		}()
+		if err != nil {
+			utils.ClearCookie(utils.CookiePrefix+reg.Name, w, r)
+			state.ChallengeFailed(r, reg, err, redirect, nil)
+			responseFunc(state, data, w, r, VerifyResultFail, fmt.Errorf("access denied: error in challenge %s: %w", reg.Name, err), redirect)
+			return
+		}
+	}
+}

lib/challenge/http/http.go

@@ -0,0 +1,158 @@
+package http
+
+import (
+	"crypto/sha256"
+	"crypto/subtle"
+	"errors"
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/utils"
+	"github.com/goccy/go-yaml"
+	"github.com/goccy/go-yaml/ast"
+	"io"
+	"net/http"
+	"slices"
+	"time"
+)
+
+func init() {
+	challenge.Runtimes[Key] = FillRegistration
+}
+
+const Key = "http"
+
+type Parameters struct {
+	VerifyProbability float64 `yaml:"verify-probability"`
+
+	HttpMethod string `yaml:"http-method"`
+	HttpCode   int    `yaml:"http-code"`
+	HttpCookie string `yaml:"http-cookie"`
+	Url        string `yaml:"http-url"`
+}
+
+var DefaultParameters = Parameters{
+	VerifyProbability: 0.20,
+	HttpMethod:        http.MethodGet,
+	HttpCode:          http.StatusOK,
+}
+
+func FillRegistration(state challenge.StateInterface, reg *challenge.Registration, parameters ast.Node) error {
+	params := DefaultParameters
+
+	if parameters != nil {
+		ymlData, err := parameters.MarshalYAML()
+		if err != nil {
+			return err
+		}
+		err = yaml.Unmarshal(ymlData, &params)
+		if err != nil {
+			return err
+		}
+	}
+
+	if params.Url == "" {
+		return errors.New("empty url")
+	}
+
+	reg.Class = challenge.ClassTransparent
+
+	bindAuthValue := func(key challenge.Key, r *http.Request) ([]byte, error) {
+		var cookieValue string
+		if cookie, err := r.Cookie(params.HttpCookie); err != nil || cookie == nil {
+			// skip check if we don't have cookie or it's expired
+			return nil, http.ErrNoCookie
+		} else {
+			cookieValue = cookie.Value
+		}
+
+		// bind hash of cookie contents
+		sum := sha256.New()
+		sum.Write([]byte(cookieValue))
+		sum.Write([]byte{0})
+		sum.Write(key[:])
+		return sum.Sum(nil), nil
+	}
+
+	if params.VerifyProbability <= 0 {
+		//20% default
+		params.VerifyProbability = 0.20
+	} else if params.VerifyProbability > 1.0 {
+		params.VerifyProbability = 1.0
+	}
+	reg.VerifyProbability = params.VerifyProbability
+
+	if params.HttpCookie != "" {
+		// re-verify the cookie value
+		// TODO: configure to verify with backend
+		reg.Verify = func(key challenge.Key, token []byte, r *http.Request) (challenge.VerifyResult, error) {
+			sum, err := bindAuthValue(key, r)
+			if err != nil {
+				return challenge.VerifyResultFail, err
+			}
+			if subtle.ConstantTimeCompare(sum, token) == 1 {
+				return challenge.VerifyResultOK, nil
+			}
+			return challenge.VerifyResultFail, errors.New("invalid cookie value")
+		}
+	}
+
+	reg.IssueChallenge = func(w http.ResponseWriter, r *http.Request, key challenge.Key, expiry time.Time) challenge.VerifyResult {
+		var sum []byte
+		if params.HttpCookie != "" {
+			if c, err := r.Cookie(params.HttpCookie); err != nil || c == nil {
+				// skip check if we don't have cookie or it's expired
+				return challenge.VerifyResultSkip
+			} else {
+				sum, err = bindAuthValue(key, r)
+				if err != nil {
+					return challenge.VerifyResultFail
+				}
+			}
+		}
+
+		request, err := http.NewRequest(params.HttpMethod, params.Url, nil)
+		if err != nil {
+			return challenge.VerifyResultFail
+		}
+
+		var excludeHeaders = []string{"Host", "Content-Length"}
+		for k, v := range r.Header {
+			if slices.Contains(excludeHeaders, k) {
+				// skip these parameters
+				continue
+			}
+			request.Header[k] = v
+		}
+		// set id
+		request.Header.Set("X-Away-Id", challenge.RequestDataFromContext(r.Context()).Id.String())
+
+		// set request info in X headers
+		request.Header.Set("X-Away-Host", r.Host)
+		request.Header.Set("X-Away-Path", r.URL.Path)
+		request.Header.Set("X-Away-Query", r.URL.RawQuery)
+
+		response, err := state.Client().Do(request)
+		if err != nil {
+			return challenge.VerifyResultFail
+		}
+		defer response.Body.Close()
+		defer io.Copy(io.Discard, response.Body)
+
+		if response.StatusCode != params.HttpCode {
+			token, err := reg.IssueChallengeToken(state.PrivateKey(), key, sum, expiry, false)
+			if err != nil {
+				return challenge.VerifyResultFail
+			}
+			utils.SetCookie(utils.CookiePrefix+reg.Name, token, expiry, w, r)
+			return challenge.VerifyResultNotOK
+		} else {
+			token, err := reg.IssueChallengeToken(state.PrivateKey(), key, sum, expiry, true)
+			if err != nil {
+				return challenge.VerifyResultFail
+			}
+			utils.SetCookie(utils.CookiePrefix+reg.Name, token, expiry, w, r)
+			return challenge.VerifyResultOK
+		}
+	}
+
+	return nil
+}

lib/challenge/key.go

@@ -0,0 +1,80 @@
+package challenge
+
+import (
+	"crypto/sha256"
+	"encoding/binary"
+	"encoding/hex"
+	"errors"
+	"net/http"
+	"time"
+)
+
+type Key [KeySize]byte
+
+const KeySize = sha256.Size
+
+func (k *Key) Set(flags KeyFlags) {
+	(*k)[0] |= uint8(flags)
+}
+func (k *Key) Get(flags KeyFlags) KeyFlags {
+	return KeyFlags((*k)[0] & uint8(flags))
+}
+func (k *Key) Unset(flags KeyFlags) {
+	(*k)[0] = (*k)[0] & ^(uint8(flags))
+}
+
+type KeyFlags uint8
+
+const (
+	KeyFlagIsIPv4 = KeyFlags(1 << iota)
+)
+
+func KeyFromString(s string) (Key, error) {
+	b, err := hex.DecodeString(s)
+	if err != nil {
+		return Key{}, err
+	}
+	if len(b) != KeySize {
+		return Key{}, errors.New("invalid challenge key")
+	}
+	return Key(b), nil
+}
+
+func GetChallengeKeyForRequest(state StateInterface, reg *Registration, until time.Time, r *http.Request) Key {
+	data := RequestDataFromContext(r.Context())
+	address := data.RemoteAddress
+	hasher := sha256.New()
+	hasher.Write([]byte("challenge\x00"))
+	hasher.Write([]byte(reg.Name))
+	hasher.Write([]byte{0})
+	hasher.Write(address.To16())
+	hasher.Write([]byte{0})
+
+	// specific headers
+	for _, k := range []string{
+		"Accept-Language",
+		// General browser information
+		"User-Agent",
+		// TODO: not sent in preload
+		//"Sec-Ch-Ua",
+		//"Sec-Ch-Ua-Platform",
+	} {
+		hasher.Write([]byte(r.Header.Get(k)))
+		hasher.Write([]byte{0})
+	}
+	hasher.Write([]byte{0})
+	_ = binary.Write(hasher, binary.LittleEndian, until.UTC().Unix())
+	hasher.Write([]byte{0})
+	hasher.Write(state.PublicKey())
+	hasher.Write([]byte{0})
+
+	sum := Key(hasher.Sum(nil))
+
+	sum[0] = 0
+
+	if address.To4() != nil {
+		// Is IPv4, mark
+		sum.Set(KeyFlagIsIPv4)
+	}
+	return Key(sum)
+}

lib/challenge/preload-link/preload-link.go

@@ -0,0 +1,128 @@
+package preload_link
+
+import (
+	"context"
+	"fmt"
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/utils"
+	"github.com/goccy/go-yaml"
+	"github.com/goccy/go-yaml/ast"
+	"net/http"
+	"time"
+)
+
+func init() {
+	challenge.Runtimes[Key] = FillRegistration
+}
+
+const Key = "preload-link"
+
+type Parameters struct {
+	Deadline time.Duration `yaml:"preload-early-hint-deadline"`
+}
+
+var DefaultParameters = Parameters{
+	Deadline: time.Second * 3,
+}
+
+func FillRegistration(state challenge.StateInterface, reg *challenge.Registration, parameters ast.Node) error {
+	params := DefaultParameters
+
+	if parameters != nil {
+		ymlData, err := parameters.MarshalYAML()
+		if err != nil {
+			return err
+		}
+		err = yaml.Unmarshal(ymlData, &params)
+		if err != nil {
+			return err
+		}
+	}
+
+	verifier, issuer := challenge.NewKeyVerifier()
+	reg.Verify = verifier
+
+	reg.Class = challenge.ClassTransparent
+
+	ob := challenge.NewAwaiter[string]()
+
+	reg.Object = ob
+
+	reg.IssueChallenge = func(w http.ResponseWriter, r *http.Request, key challenge.Key, expiry time.Time) challenge.VerifyResult {
+		// this only works on HTTP/2 and HTTP/3
+
+		if r.ProtoMajor < 2 {
+			// this can happen if we are an upgraded request from HTTP/1.1 to HTTP/2 in H2C
+			if _, ok := w.(http.Pusher); !ok {
+				return challenge.VerifyResultSkip
+			}
+		}
+
+		issuerKey := issuer(key)
+
+		uri, err := challenge.VerifyUrl(r, reg, issuerKey)
+		if err != nil {
+			return challenge.VerifyResultFail
+		}
+
+		// remove redirect args
+		values := uri.Query()
+		values.Del(challenge.QueryArgRedirect)
+		uri.RawQuery = values.Encode()
+
+		// Redirect URI must be absolute to work
+		uri.Scheme = utils.GetRequestScheme(r)
+		uri.Host = r.Host
+
+		w.Header().Set("Link", fmt.Sprintf("<%s>; rel=\"preload\"; as=\"style\"; fetchpriority=high", uri.String()))
+		defer func() {
+			// remove old header so it won't show on response!
+			w.Header().Del("Link")
+		}()
+		w.WriteHeader(http.StatusEarlyHints)
+
+		ctx, cancel := context.WithTimeout(r.Context(), params.Deadline)
+		defer cancel()
+		if result := ob.Await(issuerKey, ctx); result.Ok() {
+			// this should serve!
+			return challenge.VerifyResultOK
+		} else if result == challenge.VerifyResultNone {
+			// we hit timeout
+			return challenge.VerifyResultFail
+		} else {
+			return result
+		}
+	}
+
+	mux := http.NewServeMux()
+
+	mux.HandleFunc("GET "+reg.Path+challenge.VerifyChallengeUrlSuffix, func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/css; charset=utf-8")
+		w.Header().Set("Content-Length", "0")
+
+		data := challenge.RequestDataFromContext(r.Context())
+		key := challenge.GetChallengeKeyForRequest(state, reg, data.Expiration(reg.Duration), r)
+		issuerKey := issuer(key)
+
+		_, _, token, err := challenge.GetVerifyInformation(r, reg)
+		if err != nil {
+			w.WriteHeader(http.StatusBadRequest)
+		}
+
+		verifyResult, _ := verifier(key, []byte(token), r)
+		if !verifyResult.Ok() {
+			w.WriteHeader(http.StatusUnauthorized)
+		} else {
+			w.WriteHeader(http.StatusOK)
+		}
+
+		ob.Solve(issuerKey, verifyResult)
+		if !verifyResult.Ok() {
+			// also give data on other failure when mismatched
+			ob.Solve(token, verifyResult)
+		}
+	})
+	reg.Handler = mux
+
+	return nil
+}

lib/challenge/refresh/refresh.go

@@ -0,0 +1,64 @@
+package refresh
+
+import (
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"github.com/goccy/go-yaml"
+	"github.com/goccy/go-yaml/ast"
+	"net/http"
+	"time"
+)
+
+func init() {
+	challenge.Runtimes["refresh"] = FillRegistration
+}
+
+type Parameters struct {
+	Mode string `yaml:"refresh-mode"`
+}
+
+var DefaultParameters = Parameters{
+	Mode: "header",
+}
+
+func FillRegistration(state challenge.StateInterface, reg *challenge.Registration, parameters ast.Node) error {
+	params := DefaultParameters
+
+	if parameters != nil {
+		ymlData, err := parameters.MarshalYAML()
+		if err != nil {
+			return err
+		}
+		err = yaml.Unmarshal(ymlData, &params)
+		if err != nil {
+			return err
+		}
+	}
+
+	reg.Class = challenge.ClassBlocking
+
+	verifier, issuer := challenge.NewKeyVerifier()
+	reg.Verify = verifier
+
+	reg.IssueChallenge = func(w http.ResponseWriter, r *http.Request, key challenge.Key, expiry time.Time) challenge.VerifyResult {
+		uri, err := challenge.VerifyUrl(r, reg, issuer(key))
+		if err != nil {
+			return challenge.VerifyResultFail
+		}
+
+		if params.Mode == "meta" {
+			state.ChallengePage(w, r, state.Settings().ChallengeResponseCode, reg, map[string]any{
+				"Meta": map[string]string{
+					"refresh": "0; url=" + uri.String(),
+				},
+			})
+		} else {
+			// self redirect!
+			w.Header().Set("Refresh", "0; url="+uri.String())
+
+			state.ChallengePage(w, r, state.Settings().ChallengeResponseCode, reg, nil)
+		}
+		return challenge.VerifyResultNone
+	}
+
+	return nil
+}

lib/challenge/register.go

@@ -0,0 +1,252 @@
+package challenge
+
+import (
+	"bytes"
+	"crypto/ed25519"
+	"errors"
+	"fmt"
+	"git.gammaspectra.live/git/go-away/lib/condition"
+	"git.gammaspectra.live/git/go-away/lib/policy"
+	"git.gammaspectra.live/git/go-away/utils"
+	"github.com/go-jose/go-jose/v4"
+	"github.com/go-jose/go-jose/v4/jwt"
+	"github.com/goccy/go-yaml/ast"
+	"github.com/google/cel-go/cel"
+	"io"
+	"math/rand/v2"
+	"net/http"
+	"path"
+	"strings"
+	"time"
+)
+
+type Register map[Id]*Registration
+
+func (r Register) Get(id Id) (*Registration, bool) {
+	c, ok := r[id]
+	return c, ok
+}
+
+func (r Register) GetByName(name string) (*Registration, Id, bool) {
+	for id, c := range r {
+		if c.Name == name {
+			return c, id, true
+		}
+	}
+
+	return nil, 0, false
+}
+
+var idCounter Id
+
+// DefaultDuration TODO: adjust
+const DefaultDuration = time.Hour * 24 * 7
+
+func (r Register) Create(state StateInterface, name string, pol policy.Challenge, replacer *strings.Replacer) (*Registration, Id, error) {
+	runtime, ok := Runtimes[pol.Runtime]
+	if !ok {
+		return nil, 0, fmt.Errorf("unknown challenge runtime %s", pol.Runtime)
+	}
+
+	reg := &Registration{
+		Name:     name,
+		Path:     path.Join(state.UrlPath(), "challenge", name),
+		Duration: pol.Duration,
+	}
+
+	if reg.Duration == 0 {
+		reg.Duration = DefaultDuration
+	}
+
+	// allow nesting
+	var conditions []string
+	for _, cond := range pol.Conditions {
+		if replacer != nil {
+			cond = replacer.Replace(cond)
+		}
+		conditions = append(conditions, cond)
+	}
+
+	if len(conditions) > 0 {
+		ast, err := condition.FromStrings(state.ProgramEnv(), condition.OperatorOr, conditions...)
+		if err != nil {
+			return nil, 0, fmt.Errorf("error compiling conditions: %v", err)
+		}
+		reg.Condition, err = condition.Program(state.ProgramEnv(), ast)
+		if err != nil {
+			return nil, 0, fmt.Errorf("error compiling program: %v", err)
+		}
+	}
+
+	if _, oldId, ok := r.GetByName(reg.Name); ok {
+		reg.id = oldId
+	} else {
+		idCounter++
+		reg.id = idCounter
+	}
+
+	err := runtime(state, reg, pol.Parameters)
+	if err != nil {
+		return nil, 0, fmt.Errorf("error filling registration: %v", err)
+	}
+	r[reg.id] = reg
+	return reg, reg.id, nil
+}
+
+func (r Register) Add(c *Registration) Id {
+	if _, oldId, ok := r.GetByName(c.Name); ok {
+		c.id = oldId
+		r[oldId] = c
+		return oldId
+	} else {
+		idCounter++
+		c.id = idCounter
+		r[idCounter] = c
+		return idCounter
+	}
+}
+
+type Registration struct {
+	// id The assigned internal identifier
+	id Id
+
+	// Name The unique name for this challenge
+	Name string
+
+	// Class whether this challenge is transparent or otherwise
+	Class Class
+
+	// Condition A CEL condition which is passed the same environment as general rules.
+	// If nil, always true
+	// If non-nil, must return true for this challenge to be allowed to be executed
+	Condition cel.Program
+
+	// Path The url path that this challenge is hosted under for the Handler to be called.
+	Path string
+
+	// Duration How long this challenge will be valid when passed
+	Duration time.Duration
+
+	// Handler An HTTP handler for all requests coming on the Path
+	// This handler will need to handle MakeChallengeUrlSuffix and VerifyChallengeUrlSuffix as well if needed
+	// Recommended to use http.ServeMux
+	Handler http.Handler
+
+	// Verify Verify an issued token
+	Verify            VerifyFunc
+	VerifyProbability float64
+
+	// IssueChallenge Issues a challenge to a request.
+	// If Class is ClassTransparent and VerifyResult is !VerifyResult.Ok(), continue with other challenges
+	// TODO: have this return error as well
+	IssueChallenge func(w http.ResponseWriter, r *http.Request, key Key, expiry time.Time) VerifyResult
+
+	// Object used to handle state or similar
+	// Can be nil if no state is needed
+	// If non-nil must implement io.Closer even if there's nothing to do
+	Object io.Closer
+}
+
+type VerifyFunc func(key Key, token []byte, r *http.Request) (VerifyResult, error)
+
+type Token struct {
+	Name   string `json:"name"`
+	Key    []byte `json:"key"`
+	Result []byte `json:"result,omitempty"`
+	Ok     bool   `json:"ok"`
+
+	Expiry    jwt.NumericDate `json:"exp,omitempty"`
+	NotBefore jwt.NumericDate `json:"nbf,omitempty"`
+	IssuedAt  jwt.NumericDate `json:"iat,omitempty"`
+}
+
+func (reg Registration) Id() Id {
+	return reg.id
+}
+
+func (reg Registration) IssueChallengeToken(privateKey ed25519.PrivateKey, key Key, result []byte, until time.Time, ok bool) (token string, err error) {
+	signer, err := jose.NewSigner(jose.SigningKey{
+		Algorithm: jose.EdDSA,
+		Key:       privateKey,
+	}, nil)
+	if err != nil {
+		return "", err
+	}
+
+	token, err = jwt.Signed(signer).Claims(Token{
+		Name:      reg.Name,
+		Key:       key[:],
+		Result:    result,
+		Ok:        ok,
+		Expiry:    jwt.NumericDate(until.Unix()),
+		NotBefore: jwt.NumericDate(time.Now().UTC().AddDate(0, 0, -1).Unix()),
+		IssuedAt:  jwt.NumericDate(time.Now().UTC().Unix()),
+	}).Serialize()
+	if err != nil {
+		return "", err
+	}
+	return token, nil
+}
+
+var ErrVerifyKeyMismatch = errors.New("verify: key mismatch")
+var ErrVerifyVerifyMismatch = errors.New("verify: verification mismatch")
+var ErrTokenExpired = errors.New("token: expired")
+
+func (reg Registration) VerifyChallengeToken(publicKey ed25519.PublicKey, expectedKey Key, r *http.Request) (VerifyResult, VerifyState, error) {
+	cookie, err := r.Cookie(utils.CookiePrefix + reg.Name)
+	if err != nil {
+		return VerifyResultNone, VerifyStateNone, err
+	}
+	if cookie == nil {
+		return VerifyResultNone, VerifyStateNone, http.ErrNoCookie
+	}
+
+	token, err := jwt.ParseSigned(cookie.Value, []jose.SignatureAlgorithm{jose.EdDSA})
+	if err != nil {
+		return VerifyResultFail, VerifyStateNone, err
+	}
+
+	var i Token
+	err = token.Claims(publicKey, &i)
+	if err != nil {
+		return VerifyResultFail, VerifyStateNone, err
+	}
+
+	if i.Name != reg.Name {
+		return VerifyResultFail, VerifyStateNone, errors.New("token invalid name")
+	}
+	if i.Expiry.Time().Compare(time.Now()) < 0 {
+		return VerifyResultFail, VerifyStateNone, ErrTokenExpired
+	}
+	if i.NotBefore.Time().Compare(time.Now()) > 0 {
+		return VerifyResultFail, VerifyStateNone, errors.New("token not valid yet")
+	}
+
+	if bytes.Compare(expectedKey[:], i.Key) != 0 {
+		return VerifyResultFail, VerifyStateNone, ErrVerifyKeyMismatch
+	}
+
+	if reg.Verify != nil {
+		if rand.Float64() < reg.VerifyProbability {
+			// random spot check
+			if ok, err := reg.Verify(expectedKey, i.Result, r); err != nil {
+				return VerifyResultFail, VerifyStateFull, err
+			} else if ok == VerifyResultNotOK {
+				return VerifyResultNotOK, VerifyStateFull, nil
+			} else if !ok.Ok() {
+				return ok, VerifyStateFull, ErrVerifyVerifyMismatch
+			} else {
+				return ok, VerifyStateFull, nil
+			}
+		}
+	}
+
+	if !i.Ok {
+		return VerifyResultNotOK, VerifyStateBrief, nil
+	}
+	return VerifyResultOK, VerifyStateBrief, nil
+}
+
+type FillRegistration func(state StateInterface, reg *Registration, parameters ast.Node) error
+
+var Runtimes = make(map[string]FillRegistration)

lib/challenge/resource-load/resource-load.go

@@ -0,0 +1,55 @@
+package resource_load
+
+import (
+	"fmt"
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"github.com/goccy/go-yaml/ast"
+	"html/template"
+	"net/http"
+	"time"
+)
+
+func init() {
+	challenge.Runtimes["resource-load"] = FillRegistrationHeader
+}
+
+func FillRegistrationHeader(state challenge.StateInterface, reg *challenge.Registration, parameters ast.Node) error {
+	reg.Class = challenge.ClassBlocking
+
+	verifier, issuer := challenge.NewKeyVerifier()
+	reg.Verify = verifier
+
+	reg.IssueChallenge = func(w http.ResponseWriter, r *http.Request, key challenge.Key, expiry time.Time) challenge.VerifyResult {
+		uri, err := challenge.VerifyUrl(r, reg, issuer(key))
+		if err != nil {
+			return challenge.VerifyResultFail
+		}
+
+		// self redirect!
+		//TODO: adjust deadline
+		w.Header().Set("Refresh", "2; url="+r.URL.String())
+
+		state.ChallengePage(w, r, state.Settings().ChallengeResponseCode, reg, map[string]any{
+			"HeaderTags": []template.HTML{
+				template.HTML(fmt.Sprintf("<link href=\"%s\" rel=\"stylesheet\" crossorigin=\"use-credentials\">", uri.String())),
+			},
+		})
+		return challenge.VerifyResultNone
+	}
+
+	mux := http.NewServeMux()
+
+	mux.HandleFunc("GET "+reg.Path+challenge.VerifyChallengeUrlSuffix, challenge.VerifyHandlerFunc(state, reg, nil, func(state challenge.StateInterface, data *challenge.RequestData, w http.ResponseWriter, r *http.Request, verifyResult challenge.VerifyResult, err error, redirect string) {
+		//TODO: add other types inside css that need to be loaded!
+		w.Header().Set("Content-Type", "text/css; charset=utf-8")
+		w.Header().Set("Content-Length", "0")
+		if !verifyResult.Ok() {
+			w.WriteHeader(http.StatusForbidden)
+		} else {
+			w.WriteHeader(http.StatusOK)
+		}
+	}))
+	reg.Handler = mux
+
+	return nil
+}

lib/challenge/script.go

@@ -0,0 +1,41 @@
+package challenge
+
+import (
+	_ "embed"
+	"encoding/json"
+	"git.gammaspectra.live/git/go-away/utils"
+	"net/http"
+	"text/template"
+)
+
+//go:embed script.mjs
+var scriptData []byte
+
+var scriptTemplate = template.Must(template.New("script.mjs").Parse(string(scriptData)))
+
+func ServeChallengeScript(w http.ResponseWriter, r *http.Request, reg *Registration, params any, script string) {
+	data := RequestDataFromContext(r.Context())
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+	w.Header().Set("Content-Type", "text/javascript; charset=utf-8")
+
+	paramData, err := json.Marshal(params)
+	if err != nil {
+		//TODO: log
+		panic(err)
+	}
+
+	w.WriteHeader(http.StatusOK)
+
+	err = scriptTemplate.Execute(w, map[string]any{
+		"Id":              data.Id.String(),
+		"Path":            reg.Path,
+		"Parameters":      paramData,
+		"Random":          utils.CacheBust(),
+		"Challenge":       reg.Name,
+		"ChallengeScript": script,
+	})
+	if err != nil {
+		//TODO: log
+		panic(err)
+	}
+}

lib/challenge/script.mjs

@@ -0,0 +1,70 @@
+import {setup, challenge} from "{{ .ChallengeScript }}";
+
+
+// from Xeact
+const u = (url = "", params = {}) => {
+    let result = new URL(url, window.location.href);
+    Object.entries(params).forEach((kv) => {
+        let [k, v] = kv;
+        result.searchParams.set(k, v);
+    });
+    return result.toString();
+};
+
+(async () => {
+    const status = document.getElementById('status');
+    const title = document.getElementById('title');
+    const spinner = document.getElementById('spinner');
+
+    status.innerText = 'Starting challenge {{ .Challenge }}...';
+
+    try {
+        const info = await setup({
+            Path: "{{ .Path }}",
+            Parameters: "{{ .Parameters }}"
+        });
+
+        if (info != "") {
+            status.innerText = 'Calculating... ' + info
+        } else {
+            status.innerText = 'Calculating...';
+        }
+    } catch (err) {
+        title.innerHTML = "Oh no!";
+        status.innerHTML = `Failed to initialize: ${err.message}`;
+        spinner.innerHTML = "";
+        spinner.style.display = "none";
+        return
+    }
+
+
+    try {
+        const t0 = Date.now();
+        const { result, info } = await challenge();
+        const t1 = Date.now();
+        console.log({ result, info });
+
+        title.innerHTML = "Challenge success!";
+        if (info != "") {
+            status.innerHTML = `Done! Took ${t1 - t0}ms, ${info}`;
+        } else {
+            status.innerHTML = `Done! Took ${t1 - t0}ms`;
+        }
+
+        setTimeout(() => {
+            const redir = window.location.href;
+            window.location.href = u("{{ .Path }}/verify-challenge", {
+                __goaway_token: result,
+                __goaway_challenge: "{{ .Challenge }}",
+                __goaway_redirect: redir,
+                __goaway_id: "{{ .Id }}",
+                __goaway_elapsedTime: t1 - t0,
+            });
+        }, 500);
+    } catch (err) {
+        title.innerHTML = "Oh no!";
+        status.innerHTML = `Failed to challenge: ${err.message}`;
+        spinner.innerHTML = "";
+        spinner.style.display = "none";
+    }
+})();

lib/challenge/state.go

@@ -1,176 +0,0 @@
-package challenge
-
-import (
-	"bytes"
-	"crypto/ed25519"
-	"errors"
-	"git.gammaspectra.live/git/go-away/utils"
-	"github.com/go-jose/go-jose/v4"
-	"github.com/go-jose/go-jose/v4/jwt"
-	"github.com/google/cel-go/cel"
-	"math/rand/v2"
-	"net/http"
-	"time"
-)
-
-type Result int
-
-const (
-	// ResultStop Stop testing other challenges and return
-	ResultStop = Result(iota)
-	// ResultContinue Test next
-	ResultContinue
-	// ResultPass  passed, return and proxy
-	ResultPass
-)
-
-type Id int
-
-type Challenge struct {
-	Id      Id
-	Program cel.Program
-	Name    string
-	Path    string
-
-	Verify            func(key []byte, result string, r *http.Request) (bool, error)
-	VerifyProbability float64
-
-	ServeStatic http.Handler
-
-	ServeChallenge func(w http.ResponseWriter, r *http.Request, key []byte, expiry time.Time) Result
-
-	ServeScript     http.Handler
-	ServeScriptPath string
-
-	ServeMakeChallenge   http.Handler
-	ServeVerifyChallenge http.Handler
-}
-
-type Token struct {
-	Name   string `json:"name"`
-	Key    []byte `json:"key"`
-	Result []byte `json:"result,omitempty"`
-
-	Expiry    *jwt.NumericDate `json:"exp,omitempty"`
-	NotBefore *jwt.NumericDate `json:"nbf,omitempty"`
-	IssuedAt  *jwt.NumericDate `json:"iat,omitempty"`
-}
-
-func (c Challenge) IssueChallengeToken(privateKey ed25519.PrivateKey, key, result []byte, until time.Time) (token string, err error) {
-	signer, err := jose.NewSigner(jose.SigningKey{
-		Algorithm: jose.EdDSA,
-		Key:       privateKey,
-	}, nil)
-	if err != nil {
-		return "", err
-	}
-
-	expiry := jwt.NumericDate(until.Unix())
-	notBefore := jwt.NumericDate(time.Now().UTC().AddDate(0, 0, -1).Unix())
-	issuedAt := jwt.NumericDate(time.Now().UTC().Unix())
-
-	token, err = jwt.Signed(signer).Claims(Token{
-		Name:      c.Name,
-		Key:       key,
-		Result:    result,
-		Expiry:    &expiry,
-		NotBefore: &notBefore,
-		IssuedAt:  &issuedAt,
-	}).Serialize()
-	if err != nil {
-		return "", err
-	}
-	return token, nil
-}
-
-type VerifyResult int
-
-const (
-	VerifyResultNONE = VerifyResult(iota)
-	VerifyResultFAIL
-	VerifyResultSKIP
-
-	// VerifyResultPASS Client just passed this challenge
-	VerifyResultPASS
-	VerifyResultOK
-	VerifyResultBRIEF
-	VerifyResultFULL
-)
-
-func (r VerifyResult) Ok() bool {
-	return r >= VerifyResultPASS
-}
-
-func (r VerifyResult) String() string {
-	switch r {
-	case VerifyResultNONE:
-		return "NONE"
-	case VerifyResultFAIL:
-		return "FAIL"
-	case VerifyResultSKIP:
-		return "SKIP"
-	case VerifyResultPASS:
-		return "PASS"
-	case VerifyResultOK:
-		return "OK"
-	case VerifyResultBRIEF:
-		return "BRIEF"
-	case VerifyResultFULL:
-		return "FULL"
-	default:
-		panic("unsupported")
-	}
-}
-
-var ErrVerifyKeyMismatch = errors.New("verify: key mismatch")
-var ErrVerifyVerifyMismatch = errors.New("verify: verification mismatch")
-
-func (c Challenge) VerifyChallengeToken(publicKey ed25519.PublicKey, expectedKey []byte, r *http.Request) (VerifyResult, error) {
-	cookie, err := r.Cookie(utils.CookiePrefix + c.Name)
-	if err != nil {
-		return VerifyResultNONE, err
-	}
-	if cookie == nil {
-		return VerifyResultNONE, http.ErrNoCookie
-	}
-
-	token, err := jwt.ParseSigned(cookie.Value, []jose.SignatureAlgorithm{jose.EdDSA})
-	if err != nil {
-		return VerifyResultFAIL, err
-	}
-
-	var i Token
-	err = token.Claims(publicKey, &i)
-	if err != nil {
-		return VerifyResultFAIL, err
-	}
-
-	if i.Name != c.Name {
-		return VerifyResultFAIL, errors.New("token invalid name")
-	}
-	if i.Expiry == nil && i.Expiry.Time().Compare(time.Now()) < 0 {
-		return VerifyResultFAIL, errors.New("token expired")
-	}
-	if i.NotBefore == nil && i.NotBefore.Time().Compare(time.Now()) > 0 {
-		return VerifyResultFAIL, errors.New("token not valid yet")
-	}
-
-	if bytes.Compare(expectedKey, i.Key) != 0 {
-		return VerifyResultFAIL, ErrVerifyKeyMismatch
-	}
-
-	if c.Verify != nil {
-		if rand.Float64() < c.VerifyProbability {
-			// random spot check
-			if ok, err := c.Verify(expectedKey, string(i.Result), r); err != nil {
-				return VerifyResultFAIL, err
-			} else if !ok {
-				return VerifyResultFAIL, ErrVerifyVerifyMismatch
-			}
-			return VerifyResultFULL, nil
-		} else {
-			return VerifyResultBRIEF, nil
-		}
-	}
-	return VerifyResultOK, nil
-}

lib/challenge/types.go

@@ -0,0 +1,112 @@
+package challenge
+
+import (
+	"crypto/ed25519"
+	"git.gammaspectra.live/git/go-away/lib/policy"
+	"github.com/google/cel-go/cel"
+	"log/slog"
+	"net/http"
+)
+
+type Id int64
+
+type Class uint8
+
+const (
+	// ClassTransparent Transparent challenges work inline in the execution process.
+	// These can pass or continue, so more challenges or requests can ve served afterward.
+	ClassTransparent = Class(iota)
+
+	// ClassBlocking Blocking challenges must serve a different response to challenge the requester.
+	// These can pass or stop, for example, due to serving a challenge
+	ClassBlocking
+)
+
+type VerifyState uint8
+
+const (
+	VerifyStateNone = VerifyState(iota)
+	// VerifyStatePass Challenge was just passed on this request
+	VerifyStatePass
+	// VerifyStateBrief Challenge token was verified but didn't check the challenge
+	VerifyStateBrief
+	// VerifyStateFull Challenge token was verified and challenge verification was done
+	VerifyStateFull
+)
+
+func (r VerifyState) String() string {
+	switch r {
+	case VerifyStatePass:
+		return "PASS"
+	case VerifyStateBrief:
+		return "BRIEF"
+	case VerifyStateFull:
+		return "FULL"
+	default:
+		panic("unsupported")
+	}
+}
+
+type VerifyResult uint8
+
+const (
+	// VerifyResultNone A negative pass result, without a token
+	VerifyResultNone = VerifyResult(iota)
+	// VerifyResultFail A negative pass result, with an invalid token
+	VerifyResultFail
+	// VerifyResultSkip Challenge was skipped due to precondition
+	VerifyResultSkip
+	// VerifyResultNotOK A negative pass result, with a valid token
+	VerifyResultNotOK
+
+	// VerifyResultOK A positive pass result, with a valid token
+	VerifyResultOK
+)
+
+func (r VerifyResult) Ok() bool {
+	return r >= VerifyResultOK
+}
+
+func (r VerifyResult) String() string {
+	switch r {
+	case VerifyResultNone:
+		return "None"
+	case VerifyResultFail:
+		return "Fail"
+	case VerifyResultSkip:
+		return "Skip"
+	case VerifyResultNotOK:
+		return "NotOK"
+	case VerifyResultOK:
+		return "OK"
+	default:
+		panic("unsupported")
+	}
+}
+
+type StateInterface interface {
+	ProgramEnv() *cel.Env
+
+	Client() *http.Client
+	PrivateKey() ed25519.PrivateKey
+	PublicKey() ed25519.PublicKey
+
+	UrlPath() string
+
+	ChallengeFailed(r *http.Request, reg *Registration, err error, redirect string, logger *slog.Logger)
+	ChallengePassed(r *http.Request, reg *Registration, redirect string, logger *slog.Logger)
+	ChallengeIssued(r *http.Request, reg *Registration, redirect string, logger *slog.Logger)
+
+	Logger(r *http.Request) *slog.Logger
+
+	ChallengePage(w http.ResponseWriter, r *http.Request, status int, reg *Registration, params map[string]any)
+	ErrorPage(w http.ResponseWriter, r *http.Request, status int, err error, redirect string)
+
+	GetChallenge(id Id) (*Registration, bool)
+	GetChallengeByName(name string) (*Registration, bool)
+	GetChallenges() Register
+
+	Settings() policy.Settings
+
+	GetBackend(host string) http.Handler
+}

lib/challenge/wasm/interface/interface.go

@@ -111,6 +111,7 @@ type VerifyChallengeInput struct {
 
 type VerifyChallengeOutput uint64
 
+// TODO: expand allowed values
 const (
 	VerifyChallengeOutputOK = VerifyChallengeOutput(iota)
 	VerifyChallengeOutputFailed

lib/challenge/wasm/registration.go

@@ -0,0 +1,186 @@
+package wasm
+
+import (
+	"codeberg.org/meta/gzipped/v2"
+	"context"
+	"errors"
+	"fmt"
+	"git.gammaspectra.live/git/go-away/embed"
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	_interface "git.gammaspectra.live/git/go-away/lib/challenge/wasm/interface"
+	"git.gammaspectra.live/git/go-away/utils"
+	"git.gammaspectra.live/git/go-away/utils/inline"
+	"github.com/goccy/go-yaml"
+	"github.com/goccy/go-yaml/ast"
+	"github.com/tetratelabs/wazero/api"
+	"html/template"
+	"io"
+	"io/fs"
+	"net/http"
+	"path"
+	"time"
+)
+
+func init() {
+	challenge.Runtimes["js"] = FillJavaScriptRegistration
+}
+
+type Parameters struct {
+	Path string `yaml:"path"`
+	// Loader path to js/mjs file to use as challenge issuer
+	Loader string `yaml:"js-loader"`
+
+	// Runtime path to WASM wasip1 runtime
+	Runtime string `yaml:"wasm-runtime"`
+
+	Settings map[string]string `yaml:"wasm-runtime-settings"`
+
+	NativeCompiler bool `yaml:"wasm-native-compiler"`
+
+	VerifyProbability float64 `yaml:"verify-probability"`
+}
+
+var DefaultParameters = Parameters{
+	VerifyProbability: 0.1,
+	NativeCompiler:    true,
+}
+
+func FillJavaScriptRegistration(state challenge.StateInterface, reg *challenge.Registration, parameters ast.Node) error {
+	params := DefaultParameters
+
+	if parameters != nil {
+		ymlData, err := parameters.MarshalYAML()
+		if err != nil {
+			return err
+		}
+		err = yaml.Unmarshal(ymlData, &params)
+		if err != nil {
+			return err
+		}
+	}
+
+	reg.Class = challenge.ClassBlocking
+
+	mux := http.NewServeMux()
+
+	if params.Path == "" {
+		params.Path = reg.Name
+	}
+
+	assetsFs, err := embed.GetFallbackFS(embed.ChallengeFs, params.Path)
+	if err != nil {
+		return err
+	}
+
+	if params.VerifyProbability <= 0 {
+		//10% default
+		params.VerifyProbability = 0.1
+	} else if params.VerifyProbability > 1.0 {
+		params.VerifyProbability = 1.0
+	}
+
+	reg.VerifyProbability = params.VerifyProbability
+
+	ob := NewRunner(params.NativeCompiler)
+	reg.Object = ob
+
+	wasmData, err := assetsFs.ReadFile(path.Join("runtime", params.Runtime))
+	if err != nil {
+		return fmt.Errorf("could not load runtime: %w", err)
+	}
+
+	err = ob.Compile("runtime", wasmData)
+	if err != nil {
+		return fmt.Errorf("compiling runtime: %w", err)
+	}
+
+	reg.IssueChallenge = func(w http.ResponseWriter, r *http.Request, key challenge.Key, expiry time.Time) challenge.VerifyResult {
+		state.ChallengePage(w, r, state.Settings().ChallengeResponseCode, reg, map[string]any{
+			"EndTags": []template.HTML{
+				template.HTML(fmt.Sprintf("<script async type=\"module\" src=\"%s?cacheBust=%s\"></script>", reg.Path+"/script.mjs", utils.CacheBust())),
+			},
+		})
+		return challenge.VerifyResultNone
+	}
+
+	reg.Verify = func(key challenge.Key, token []byte, r *http.Request) (challenge.VerifyResult, error) {
+		var ok bool
+		err = ob.Instantiate("runtime", func(ctx context.Context, mod api.Module) (err error) {
+			in := _interface.VerifyChallengeInput{
+				Key:        key[:],
+				Parameters: params.Settings,
+				Result:     token,
+			}
+
+			out, err := VerifyChallengeCall(ctx, mod, in)
+			if err != nil {
+				return err
+			}
+
+			if out == _interface.VerifyChallengeOutputError {
+				return errors.New("error checking challenge")
+			}
+			ok = out == _interface.VerifyChallengeOutputOK
+			return nil
+		})
+		if err != nil {
+			return challenge.VerifyResultFail, err
+		}
+		if ok {
+			return challenge.VerifyResultOK, nil
+		}
+		return challenge.VerifyResultFail, nil
+	}
+
+	// serve assets if existent
+	if staticFs, err := fs.Sub(assetsFs, "static"); err != nil {
+		return fmt.Errorf("no static assets: %w", err)
+	} else {
+		mux.Handle("GET "+reg.Path+"/static/", http.StripPrefix(reg.Path+"/static/", gzipped.FileServer(gzipped.FS(staticFs))))
+	}
+
+	mux.HandleFunc(reg.Path+challenge.MakeChallengeUrlSuffix, func(w http.ResponseWriter, r *http.Request) {
+		data := challenge.RequestDataFromContext(r.Context())
+		err := ob.Instantiate("runtime", func(ctx context.Context, mod api.Module) (err error) {
+			key := challenge.GetChallengeKeyForRequest(state, reg, data.Expiration(reg.Duration), r)
+
+			in := _interface.MakeChallengeInput{
+				Key:        key[:],
+				Parameters: params.Settings,
+				Headers:    inline.MIMEHeader(r.Header),
+			}
+			in.Data, err = io.ReadAll(r.Body)
+			if err != nil {
+				return err
+			}
+
+			out, err := MakeChallengeCall(ctx, mod, in)
+			if err != nil {
+				return err
+			}
+
+			// set output headers
+			for k, v := range out.Headers {
+				w.Header()[k] = v
+			}
+			w.Header().Set("Content-Length", fmt.Sprintf("%d", len(out.Data)))
+			w.WriteHeader(out.Code)
+			_, _ = w.Write(out.Data)
+			return nil
+		})
+		if err != nil {
+			state.ErrorPage(w, r, http.StatusInternalServerError, err, "")
+			return
+		}
+	})
+
+	mux.HandleFunc(reg.Path+challenge.VerifyChallengeUrlSuffix, challenge.VerifyHandlerFunc(state, reg, nil, nil))
+
+	mux.HandleFunc("GET "+reg.Path+"/script.mjs", func(w http.ResponseWriter, r *http.Request) {
+		challenge.ServeChallengeScript(w, r, reg, params.Settings, path.Join(reg.Path, "static", params.Loader))
+	})
+
+	reg.Handler = mux
+
+	return nil
+}

lib/challenge/wasm/runner.go

@@ -94,11 +94,13 @@ func (r *Runner) Compile(key string, binary []byte) error {
 	return nil
 }
 
-func (r *Runner) Close() {
+func (r *Runner) Close() error {
 	for _, module := range r.modules {
-		module.Close(r.context)
+		if err := module.Close(r.context); err != nil {
+			return err
+		}
 	}
-	r.runtime.Close(r.context)
+	return r.runtime.Close(r.context)
 }
 
 var ErrModuleNotFound = errors.New("module not found")

lib/condition/condition.go

@@ -3,6 +3,12 @@ package condition
 import (
 	"fmt"
 	"github.com/google/cel-go/cel"
+	"github.com/google/cel-go/common/types"
+	"github.com/google/cel-go/common/types/ref"
+	"github.com/google/cel-go/ext"
+	"github.com/yl2chen/cidranger"
+	"log/slog"
+	"net"
 	"strings"
 )
 
@@ -15,6 +21,124 @@ const (
 	OperatorAnd = "&&"
 )
 
+func NewRulesEnvironment(networks map[string]cidranger.Ranger) (*cel.Env, error) {
+
+	return cel.NewEnv(
+		ext.Strings(
+			ext.StringsLocale("en_US"),
+			ext.StringsValidateFormatCalls(true),
+		),
+		cel.DefaultUTCTimeZone(true),
+		//TODO: custom type for remoteAddress
+		cel.Variable("remoteAddress", cel.BytesType),
+		cel.Variable("host", cel.StringType),
+		cel.Variable("method", cel.StringType),
+		cel.Variable("userAgent", cel.StringType),
+		cel.Variable("path", cel.StringType),
+		cel.Variable("query", cel.MapType(cel.StringType, cel.StringType)),
+		cel.Variable("fp", cel.MapType(cel.StringType, cel.StringType)),
+		// http.Header
+		cel.Variable("headers", cel.MapType(cel.StringType, cel.StringType)),
+		//TODO: dynamic type?
+		cel.Function("inDNSBL",
+			cel.Overload("inDNSBL_ip",
+				[]*cel.Type{cel.AnyType},
+				cel.BoolType,
+				cel.UnaryBinding(func(val ref.Val) ref.Val {
+					slog.Error("inDNSBL function has been deprecated, replace with dnsbl challenge")
+					return types.Bool(false)
+				}),
+			),
+		),
+		cel.Function("network",
+			cel.MemberOverload("netIP_network_string",
+				[]*cel.Type{cel.BytesType, cel.StringType},
+				cel.BoolType,
+				cel.BinaryBinding(func(lhs ref.Val, rhs ref.Val) ref.Val {
+					var ip net.IP
+					switch v := lhs.Value().(type) {
+					case []byte:
+						ip = v
+					case net.IP:
+						ip = v
+					}
+
+					if ip == nil {
+						panic(fmt.Errorf("invalid ip %v", lhs.Value()))
+					}
+
+					val, ok := rhs.Value().(string)
+					if !ok {
+						panic(fmt.Errorf("invalid network value %v", rhs.Value()))
+					}
+
+					network, ok := networks[val]
+					if !ok {
+						_, ipNet, err := net.ParseCIDR(val)
+						if err != nil {
+							panic("network not found")
+						}
+						return types.Bool(ipNet.Contains(ip))
+					} else {
+						ok, err := network.Contains(ip)
+						if err != nil {
+							panic(err)
+						}
+						return types.Bool(ok)
+					}
+				}),
+			),
+		),
+
+		cel.Function("inNetwork",
+			cel.Overload("inNetwork_string_ip",
+				[]*cel.Type{cel.StringType, cel.BytesType},
+				cel.BoolType,
+				cel.BinaryBinding(func(lhs ref.Val, rhs ref.Val) ref.Val {
+					var ip net.IP
+					switch v := rhs.Value().(type) {
+					case []byte:
+						ip = v
+					case net.IP:
+						ip = v
+					}
+
+					if ip == nil {
+						panic(fmt.Errorf("invalid ip %v", rhs.Value()))
+					}
+
+					val, ok := lhs.Value().(string)
+					if !ok {
+						panic(fmt.Errorf("invalid value %v", lhs.Value()))
+					}
+					slog.Debug(fmt.Sprintf("inNetwork function has been deprecated and will be removed in a future release, use remoteAddress.network(\"%s\") instead", val))
+
+					network, ok := networks[val]
+					if !ok {
+						_, ipNet, err := net.ParseCIDR(val)
+						if err != nil {
+							panic("network not found")
+						}
+						return types.Bool(ipNet.Contains(ip))
+					} else {
+						ok, err := network.Contains(ip)
+						if err != nil {
+							panic(err)
+						}
+						return types.Bool(ok)
+					}
+				}),
+			),
+		),
+	)
+}
+
+func Program(env *cel.Env, ast *cel.Ast) (cel.Program, error) {
+	return env.Program(ast,
+		cel.EvalOptions(cel.OptOptimize),
+	)
+}
+
 func FromStrings(env *cel.Env, operator string, conditions ...string) (*cel.Ast, error) {
 	var asts []*cel.Ast
 	for _, c := range conditions {

lib/condition/map.go

@@ -0,0 +1,158 @@
+package condition
+
+import (
+	"fmt"
+	"github.com/google/cel-go/common/types"
+	"github.com/google/cel-go/common/types/ref"
+	"github.com/google/cel-go/common/types/traits"
+	"net/textproto"
+	"reflect"
+	"strings"
+)
+
+type mimeLike struct {
+	m textproto.MIMEHeader
+}
+
+func (a mimeLike) ConvertToNative(typeDesc reflect.Type) (any, error) {
+	return nil, fmt.Errorf("type conversion error from map to '%v'", typeDesc)
+}
+
+func (a mimeLike) ConvertToType(typeVal ref.Type) ref.Val {
+	switch typeVal {
+	case types.MapType:
+		return a
+	case types.TypeType:
+		return types.MapType
+	}
+	return types.NewErr("type conversion error from '%s' to '%s'", types.MapType, typeVal)
+}
+
+func (a mimeLike) Equal(other ref.Val) ref.Val {
+	return types.Bool(false)
+}
+
+func (a mimeLike) Type() ref.Type {
+	return types.MapType
+}
+
+func (a mimeLike) Value() any {
+	return a.m
+}
+
+func (a mimeLike) Contains(key ref.Val) ref.Val {
+	_, found := a.Find(key)
+	return types.Bool(found)
+}
+
+func (a mimeLike) Get(key ref.Val) ref.Val {
+	v, found := a.Find(key)
+	if !found {
+		return types.ValOrErr(v, "no such key: %v", key)
+	}
+	return v
+}
+
+func (a mimeLike) Iterator() traits.Iterator {
+	panic("implement me")
+}
+
+func (a mimeLike) IsZeroValue() bool {
+	return len(a.m) == 0
+}
+
+func (a mimeLike) Size() ref.Val {
+	return types.Int(len(a.m))
+}
+
+func (a mimeLike) Find(key ref.Val) (ref.Val, bool) {
+	k, ok := key.(types.String)
+	if !ok {
+		return nil, false
+	}
+
+	return singleVal(a.m.Values(string(k)), true)
+}
+
+type valuesLike struct {
+	m map[string][]string
+}
+
+func (a valuesLike) ConvertToNative(typeDesc reflect.Type) (any, error) {
+	return nil, fmt.Errorf("type conversion error from map to '%v'", typeDesc)
+}
+
+func (a valuesLike) ConvertToType(typeVal ref.Type) ref.Val {
+	switch typeVal {
+	case types.MapType:
+		return a
+	case types.TypeType:
+		return types.MapType
+	}
+	return types.NewErr("type conversion error from '%s' to '%s'", types.MapType, typeVal)
+}
+
+func (a valuesLike) Equal(other ref.Val) ref.Val {
+	return types.Bool(false)
+}
+
+func (a valuesLike) Type() ref.Type {
+	return types.MapType
+}
+
+func (a valuesLike) Value() any {
+	return a.m
+}
+
+func (a valuesLike) Contains(key ref.Val) ref.Val {
+	_, found := a.Find(key)
+	return types.Bool(found)
+}
+
+func (a valuesLike) Get(key ref.Val) ref.Val {
+	v, found := a.Find(key)
+	if !found {
+		return types.ValOrErr(v, "no such key: %v", key)
+	}
+	return v
+}
+
+func (a valuesLike) Iterator() traits.Iterator {
+	panic("implement me")
+}
+
+func (a valuesLike) IsZeroValue() bool {
+	return len(a.m) == 0
+}
+
+func (a valuesLike) Size() ref.Val {
+	return types.Int(len(a.m))
+}
+
+func (a valuesLike) Find(key ref.Val) (ref.Val, bool) {
+	k, ok := key.(types.String)
+	if !ok {
+		return nil, false
+	}
+
+	val, ok := a.m[string(k)]
+	return singleVal(val, ok)
+}
+
+func singleVal(values []string, ok bool) (ref.Val, bool) {
+	if len(values) == 0 || !ok {
+		return nil, false
+	}
+	if len(values) > 1 {
+		return types.String(strings.Join(values, ",")), true
+	}
+	return types.String(values[0]), true
+}
+
+func NewMIMEMap(m textproto.MIMEHeader) traits.Mapper {
+	return mimeLike{m: m}
+}
+
+func NewValuesMap(m map[string][]string) traits.Mapper {
+	return mimeLike{m: m}
+}

lib/conditions.go

@@ -1,118 +1,11 @@
 package lib
 
 import (
-	"context"
-	"fmt"
-	"github.com/google/cel-go/cel"
-	"github.com/google/cel-go/common/types"
-	"github.com/google/cel-go/common/types/ref"
-	"log/slog"
-	"net"
-	"time"
+	"git.gammaspectra.live/git/go-away/lib/condition"
 )
 
 func (state *State) initConditions() (err error) {
-	state.RulesEnv, err = cel.NewEnv(
-		cel.DefaultUTCTimeZone(true),
-		cel.Variable("remoteAddress", cel.BytesType),
-		cel.Variable("host", cel.StringType),
-		cel.Variable("method", cel.StringType),
-		cel.Variable("userAgent", cel.StringType),
-		cel.Variable("path", cel.StringType),
-		cel.Variable("query", cel.MapType(cel.StringType, cel.StringType)),
-		cel.Variable("fpJA3N", cel.StringType),
-		cel.Variable("fpJA4", cel.StringType),
-		// http.Header
-		cel.Variable("headers", cel.MapType(cel.StringType, cel.StringType)),
-		//TODO: dynamic type?
-		cel.Function("inDNSBL",
-			cel.Overload("inDNSBL_ip",
-				[]*cel.Type{cel.AnyType},
-				cel.BoolType,
-				cel.UnaryBinding(func(val ref.Val) ref.Val {
-					if state.Settings.DNSBL == nil {
-						return types.Bool(false)
-					}
-
-					var ip net.IP
-					switch v := val.Value().(type) {
-					case []byte:
-						ip = v
-					case net.IP:
-						ip = v
-					case string:
-						ip = net.ParseIP(v)
-					}
-
-					if ip == nil {
-						panic(fmt.Errorf("invalid ip %v", val.Value()))
-					}
-
-					var key [net.IPv6len]byte
-					copy(key[:], ip.To16())
-
-					result, ok := state.DecayMap.Get(key)
-					if ok {
-						return types.Bool(result.Bad())
-					}
-
-					ctx, cancel := context.WithTimeout(context.Background(), time.Second)
-					defer cancel()
-					result, err := state.Settings.DNSBL.Lookup(ctx, ip)
-					if err != nil {
-						slog.Debug("dnsbl lookup failed", "address", ip.String(), "result", result, "err", err)
-					} else {
-						slog.Debug("dnsbl lookup", "address", ip.String(), "result", result)
-					}
-					//TODO: configure decay
-					state.DecayMap.Set(key, result, time.Hour)
-
-					return types.Bool(result.Bad())
-				}),
-			),
-		),
-		cel.Function("inNetwork",
-			cel.Overload("inNetwork_string_ip",
-				[]*cel.Type{cel.StringType, cel.AnyType},
-				cel.BoolType,
-				cel.BinaryBinding(func(lhs ref.Val, rhs ref.Val) ref.Val {
-					var ip net.IP
-					switch v := rhs.Value().(type) {
-					case []byte:
-						ip = v
-					case net.IP:
-						ip = v
-					case string:
-						ip = net.ParseIP(v)
-					}
-
-					if ip == nil {
-						panic(fmt.Errorf("invalid ip %v", rhs.Value()))
-					}
-
-					val, ok := lhs.Value().(string)
-					if !ok {
-						panic(fmt.Errorf("invalid value %v", lhs.Value()))
-					}
-
-					network, ok := state.Networks[val]
-					if !ok {
-						_, ipNet, err := net.ParseCIDR(val)
-						if err != nil {
-							panic("network not found")
-						}
-						return types.Bool(ipNet.Contains(ip))
-					} else {
-						ok, err := network.Contains(ip)
-						if err != nil {
-							panic(err)
-						}
-						return types.Bool(ok)
-					}
-				}),
-			),
-		),
-	)
+	state.programEnv, err = condition.NewRulesEnvironment(state.networks)
 	if err != nil {
 		return err
 	}

lib/http.go

@@ -1,28 +1,16 @@
 package lib
 
 import (
-	"bytes"
 	"codeberg.org/meta/gzipped/v2"
-	"context"
-	"crypto/rand"
-	"encoding/base64"
-	"encoding/hex"
-	"errors"
 	"fmt"
 	"git.gammaspectra.live/git/go-away/embed"
+	"git.gammaspectra.live/git/go-away/lib/action"
 	"git.gammaspectra.live/git/go-away/lib/challenge"
-	"git.gammaspectra.live/git/go-away/lib/policy"
 	"git.gammaspectra.live/git/go-away/utils"
-	"github.com/google/cel-go/common/types"
 	"html/template"
-	"io"
 	"log/slog"
-	"maps"
-	"net"
 	"net/http"
 	"net/http/pprof"
-	"path"
-	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
@@ -30,20 +18,11 @@ import (
 
 var templates map[string]*template.Template
 
-var cacheBust string
-
-// DefaultValidity TODO: adjust
-const DefaultValidity = time.Hour * 24 * 7
-
 func init() {
 
-	buf := make([]byte, 16)
-	_, _ = rand.Read(buf)
-	cacheBust = base64.RawURLEncoding.EncodeToString(buf)
-
 	templates = make(map[string]*template.Template)
 
-	dir, err := embed.TemplatesFs.ReadDir("templates")
+	dir, err := embed.TemplatesFs.ReadDir(".")
 	if err != nil {
 		panic(err)
 	}
@@ -51,7 +30,7 @@ func init() {
 		if e.IsDir() {
 			continue
 		}
-		data, err := embed.TemplatesFs.ReadFile(filepath.Join("templates", e.Name()))
+		data, err := embed.TemplatesFs.ReadFile(e.Name())
 		if err != nil {
 			panic(err)
 		}
@@ -72,69 +51,16 @@ func initTemplate(name, data string) error {
 	return nil
 }
 
-func (state *State) challengePage(w http.ResponseWriter, id string, status int, challenge string, params map[string]any) error {
-	input := make(map[string]any)
-	input["Id"] = id
-	input["Random"] = cacheBust
-	input["Challenge"] = challenge
-	input["Path"] = state.UrlPath
-	input["Theme"] = state.Settings.ChallengeTemplateTheme
-
-	maps.Copy(input, params)
-
-	if _, ok := input["Title"]; !ok {
-		input["Title"] = "Checking you are not a bot"
-	}
-
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-
-	buf := bytes.NewBuffer(make([]byte, 0, 8192))
-
-	err := templates["challenge-"+state.Settings.ChallengeTemplate+".gohtml"].Execute(buf, input)
-	if err != nil {
-		_ = state.errorPage(w, id, http.StatusInternalServerError, err, "")
-	} else {
-		w.WriteHeader(status)
-		_, _ = w.Write(buf.Bytes())
-	}
-	return nil
-}
-
-func (state *State) errorPage(w http.ResponseWriter, id string, status int, err error, redirect string) error {
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-
-	buf := bytes.NewBuffer(make([]byte, 0, 8192))
-
-	err2 := templates["challenge-"+state.Settings.ChallengeTemplate+".gohtml"].Execute(buf, map[string]any{
-		"Id":          id,
-		"Random":      cacheBust,
-		"Error":       err.Error(),
-		"Path":        state.UrlPath,
-		"Theme":       state.Settings.ChallengeTemplateTheme,
-		"Title":       "Oh no! " + http.StatusText(status),
-		"HideSpinner": true,
-		"Challenge":   "",
-		"Redirect":    redirect,
-	})
-	if err2 != nil {
-		panic(err2)
-	} else {
-		w.WriteHeader(status)
-		_, _ = w.Write(buf.Bytes())
-	}
-	return nil
-}
-
 func (state *State) addTiming(w http.ResponseWriter, name, desc string, duration time.Duration) {
-	if state.Settings.Debug {
+	if state.Settings().Debug {
 		w.Header().Add("Server-Timing", fmt.Sprintf("%s;desc=%s;dur=%d", name, strconv.Quote(desc), duration.Milliseconds()))
 	}
 }
 
 func GetLoggerForRequest(r *http.Request) *slog.Logger {
-	data := RequestDataFromContext(r.Context())
+	data := challenge.RequestDataFromContext(r.Context())
 	args := []any{
-		"request_id", hex.EncodeToString(data.Id[:]),
+		"request_id", data.Id.String(),
 		"remote_address", data.RemoteAddress.String(),
 		"user_agent", r.UserAgent(),
 		"host", r.Host,
@@ -153,272 +79,95 @@ func GetLoggerForRequest(r *http.Request) *slog.Logger {
 	return slog.With(args...)
 }
 
-func (state *State) logger(r *http.Request) *slog.Logger {
-	return GetLoggerForRequest(r)
-}
-
 func (state *State) handleRequest(w http.ResponseWriter, r *http.Request) {
 	host := r.Host
 
-	data := RequestDataFromContext(r.Context())
+	data := challenge.RequestDataFromContext(r.Context())
 
-	backend, ok := state.Settings.Backends[host]
-	if !ok {
+	backend := state.GetBackend(host)
+	if backend == nil {
 		http.Error(w, http.StatusText(http.StatusServiceUnavailable), http.StatusServiceUnavailable)
 		return
 	}
 
-	lg := state.logger(r)
+	lg := state.Logger(r)
 
-	start := time.Now()
-
-	state.addTiming(w, "rule-env", "Setup the rule environment", time.Since(start))
-
-	var (
-		ruleEvalDuration time.Duration
-	)
-
-	serve := func() {
-		state.addTiming(w, "rule-eval", "Evaluate access rules", ruleEvalDuration)
-		backend.ServeHTTP(w, r)
-	}
-
-	fail := func(code int, err error) {
-		state.addTiming(w, "rule-eval", "Evaluate access rules", ruleEvalDuration)
-		_ = state.errorPage(w, r.Header.Get("X-Away-Id"), code, err, "")
-	}
-
-	setAwayState := func(rule RuleState) {
-		r.Header.Set("X-Away-Rule", rule.Name)
-		r.Header.Set("X-Away-Hash", rule.Hash)
-		r.Header.Set("X-Away-Action", string(rule.Action))
-		data.Headers(state, r.Header)
-	}
-
-	for _, rule := range state.Rules {
-		// skip rules that have host match
-		if rule.Host != nil && *rule.Host != host {
-			continue
+	cleanupRequest := func(r *http.Request, fromChallenge bool) {
+		if fromChallenge {
+			r.Header.Del("Referer")
+		}
+		if ref := r.FormValue(challenge.QueryArgReferer); ref != "" {
+			r.Header.Set("Referer", ref)
 		}
-		start = time.Now()
-		out, _, err := rule.Program.Eval(data.ProgramEnv)
-		ruleEvalDuration += time.Since(start)
 
-		if err != nil {
-			fail(http.StatusInternalServerError, err)
-			lg.Error(err.Error(), "rule", rule.Name, "rule_hash", rule.Hash)
-			panic(err)
-			return
-		} else if out != nil && out.Type() == types.BoolType {
-			if out.Equal(types.True) == types.True {
-				switch rule.Action {
-				default:
-					panic(fmt.Errorf("unknown action %s", rule.Action))
-				case policy.RuleActionPASS:
-					lg.Debug("request passed", "rule", rule.Name, "rule_hash", rule.Hash)
-					setAwayState(rule)
-					serve()
-					return
-				case policy.RuleActionCHALLENGE, policy.RuleActionCHECK:
-					for _, challengeId := range rule.Challenges {
-						if result := data.Challenges[challengeId]; !result.Ok() {
-							continue
-						} else {
-							if rule.Action == policy.RuleActionCHECK {
-								goto nextRule
-							}
-
-							// we passed the challenge!
-							lg.Debug("request passed", "rule", rule.Name, "rule_hash", rule.Hash, "challenge", state.Challenges[challengeId].Name)
-							setAwayState(rule)
-							serve()
-							return
-						}
-					}
-
-					// none matched, issue first challenge in priority
-					for _, challengeId := range rule.Challenges {
-						result := data.Challenges[challengeId]
-						if result.Ok() || result == challenge.VerifyResultSKIP {
-							// skip already ok'd challenges for some reason, and also skip skipped challenges
-							continue
-						}
-						c := state.Challenges[challengeId]
-						if c.ServeChallenge != nil {
-							result := c.ServeChallenge(w, r, state.GetChallengeKeyForRequest(c.Name, data.Expires, r), data.Expires)
-							switch result {
-							case challenge.ResultStop:
-								lg.Info("request challenged", "rule", rule.Name, "rule_hash", rule.Hash, "challenge", c.Name)
-								return
-							case challenge.ResultContinue:
-								continue
-							case challenge.ResultPass:
-								if rule.Action == policy.RuleActionCHECK {
-									goto nextRule
-								}
-								state.logger(r).Warn("challenge passed", "rule", rule.Name, "rule_hash", rule.Hash, "challenge", c.Name)
-
-								// set pass if caller didn't set one
-								if !data.Challenges[c.Id].Ok() {
-									data.Challenges[c.Id] = challenge.VerifyResultPASS
-								}
-
-								// we pass the challenge early!
-								lg.Debug("request passed", "rule", rule.Name, "rule_hash", rule.Hash, "challenge", c.Name)
-								setAwayState(rule)
-								serve()
-								return
-							}
-						} else {
-							panic("challenge not found")
-						}
-					}
-				case policy.RuleActionDENY:
-					lg.Info("request denied", "rule", rule.Name, "rule_hash", rule.Hash)
-					//TODO: config error code
-					fail(http.StatusForbidden, fmt.Errorf("access denied: denied by administrative rule %s/%s", r.Header.Get("X-Away-Id"), rule.Hash))
-					return
-				case policy.RuleActionBLOCK:
-					lg.Info("request blocked", "rule", rule.Name, "rule_hash", rule.Hash)
-					//TODO: config error code
-					//TODO: configure block
-					fail(http.StatusForbidden, fmt.Errorf("access denied: blocked by administrative rule %s/%s", r.Header.Get("X-Away-Id"), rule.Hash))
-					return
-				case policy.RuleActionPOISON:
-					lg.Info("request poisoned", "rule", rule.Name, "rule_hash", rule.Hash)
-
-					mime := "text/html"
-					switch path.Ext(r.URL.Path) {
-					case ".css":
-					case ".json", ".js", ".mjs":
-
-					}
-
-					encodings := strings.Split(r.Header.Get("Accept-Encoding"), ",")
-					for i, encoding := range encodings {
-						encodings[i] = strings.TrimSpace(strings.ToLower(encoding))
-					}
-
-					reader, encoding := state.getPoison(mime, encodings)
-					if reader == nil {
-						mime = "application/octet-stream"
-						reader, encoding = state.getPoison(mime, encodings)
-					}
-
-					if reader != nil {
-						defer reader.Close()
-
-						w.Header().Set("Cache-Control", "max-age=0, private, must-revalidate, no-transform")
-						w.Header().Set("Vary", "Accept-Encoding")
-						w.Header().Set("Content-Type", mime)
-						w.Header().Set("X-Content-Type-Options", "nosniff")
-						if encoding != "" {
-							w.Header().Set("Content-Encoding", encoding)
-						}
-						w.WriteHeader(http.StatusOK)
-						if flusher, ok := w.(http.Flusher); ok {
-							// trigger chunked encoding
-							flusher.Flush()
-						}
-						if r != nil {
-							_, _ = io.Copy(w, reader)
-						}
-					} else {
-						http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
-					}
-					return
-				}
+		q := r.URL.Query()
+		// delete query parameters that were set by go-away
+		for k := range q {
+			if strings.HasPrefix(k, challenge.QueryArgPrefix) {
+				q.Del(k)
 			}
 		}
+		r.URL.RawQuery = q.Encode()
 
-	nextRule:
+		data.Headers(r.Header)
+
+		// delete cookies set by go-away to prevent user tracking that way
+		cookies := r.Cookies()
+		r.Header.Del("Cookie")
+		for _, c := range cookies {
+			if !strings.HasPrefix(c.Name, utils.CookiePrefix) {
+				r.AddCookie(c)
+			}
+		}
 	}
 
-	serve()
-	return
+	for _, rule := range state.rules {
+		next, err := rule.Evaluate(lg, w, r, func() http.Handler {
+			cleanupRequest(r, true)
+			return backend
+		})
+		if err != nil {
+			state.ErrorPage(w, r, http.StatusInternalServerError, err, "")
+			panic(err)
+			return
+		}
+
+		if !next {
+			return
+		}
+	}
+
+	// default pass
+	_, _ = action.Pass{}.Handle(lg, w, r, func() http.Handler {
+		r.Header.Set("X-Away-Rule", "DEFAULT")
+		r.Header.Set("X-Away-Action", "PASS")
+
+		cleanupRequest(r, false)
+		return backend
+	})
 }
 
 func (state *State) setupRoutes() error {
 
 	state.Mux.HandleFunc("/", state.handleRequest)
 
-	if state.Settings.Debug {
-		http.HandleFunc(state.UrlPath+"/debug/pprof/", pprof.Index)
-		http.HandleFunc(state.UrlPath+"/debug/pprof/profile", pprof.Profile)
-		http.HandleFunc(state.UrlPath+"/debug/pprof/symbol", pprof.Symbol)
-		http.HandleFunc(state.UrlPath+"/debug/pprof/trace", pprof.Trace)
+	if state.Settings().Debug {
+		//TODO: split this to a different listener, metrics listener
+		http.HandleFunc(state.urlPath+"/debug/pprof/", pprof.Index)
+		http.HandleFunc(state.urlPath+"/debug/pprof/profile", pprof.Profile)
+		http.HandleFunc(state.urlPath+"/debug/pprof/symbol", pprof.Symbol)
+		http.HandleFunc(state.urlPath+"/debug/pprof/trace", pprof.Trace)
 	}
 
-	state.Mux.Handle("GET "+state.UrlPath+"/assets/", http.StripPrefix(state.UrlPath, gzipped.FileServer(gzipped.FS(embed.AssetsFs))))
+	state.Mux.Handle("GET "+state.urlPath+"/assets/", http.StripPrefix(state.UrlPath()+"/assets/", gzipped.FileServer(gzipped.FS(embed.AssetsFs))))
 
-	for _, c := range state.Challenges {
-		if c.ServeStatic != nil {
-			state.Mux.Handle("GET "+c.Path+"/static/", c.ServeStatic)
-		}
+	for _, reg := range state.challenges {
 
-		if c.ServeScript != nil {
-			state.Mux.Handle("GET "+c.ServeScriptPath, c.ServeScript)
-		}
-
-		if c.ServeMakeChallenge != nil {
-			state.Mux.Handle(fmt.Sprintf("POST %s/make-challenge", c.Path), c.ServeMakeChallenge)
-		}
-
-		if c.ServeVerifyChallenge != nil {
-			state.Mux.Handle(fmt.Sprintf("GET %s/verify-challenge", c.Path), c.ServeVerifyChallenge)
-		} else if c.Verify != nil {
-			state.Mux.HandleFunc(fmt.Sprintf("GET %s/verify-challenge", c.Path), func(w http.ResponseWriter, r *http.Request) {
-				redirect, err := utils.EnsureNoOpenRedirect(r.FormValue("redirect"))
-				if redirect == "" {
-					_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusInternalServerError, err, "")
-					return
-				}
-
-				err = func() (err error) {
-
-					data := RequestDataFromContext(r.Context())
-
-					key := state.GetChallengeKeyForRequest(c.Name, data.Expires, r)
-					result := r.FormValue("result")
-
-					requestId, err := hex.DecodeString(r.FormValue("requestId"))
-					if err == nil {
-						// override
-						r.Header.Set("X-Away-Id", hex.EncodeToString(requestId))
-					}
-
-					start := time.Now()
-					ok, err := c.Verify(key, result, r)
-					state.addTiming(w, "challenge-verify", "Verify client challenge", time.Since(start))
-
-					if err != nil {
-						state.logger(r).Error(fmt.Errorf("challenge error: %w", err).Error(), "challenge", c.Name, "redirect", redirect)
-						return err
-					} else if !ok {
-						state.logger(r).Warn("challenge failed", "challenge", c.Name, "redirect", redirect)
-						utils.ClearCookie(utils.CookiePrefix+c.Name, w)
-						_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusForbidden, fmt.Errorf("access denied: failed challenge %s", c.Name), redirect)
-						return nil
-					}
-					state.logger(r).Info("challenge passed", "challenge", c.Name, "redirect", redirect)
-
-					token, err := c.IssueChallengeToken(state.privateKey, key, []byte(result), data.Expires)
-					if err != nil {
-						utils.ClearCookie(utils.CookiePrefix+c.Name, w)
-					} else {
-						utils.SetCookie(utils.CookiePrefix+c.Name, token, data.Expires, w)
-					}
-					data.Challenges[c.Id] = challenge.VerifyResultPASS
-
-					http.Redirect(w, r, redirect, http.StatusTemporaryRedirect)
-					return nil
-				}()
-				if err != nil {
-					utils.ClearCookie(utils.CookiePrefix+c.Name, w)
-					_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusInternalServerError, err, redirect)
-					return
-				}
-			})
+		if reg.Handler != nil {
+			state.Mux.Handle(reg.Path+"/", reg.Handler)
+		} else if reg.Verify != nil {
+			// default verify
+			state.Mux.HandleFunc(reg.Path+challenge.VerifyChallengeUrlSuffix, challenge.VerifyHandlerFunc(state, reg, nil, nil))
 		}
 	}
 
@@ -426,116 +175,12 @@ func (state *State) setupRoutes() error {
 }
 
 func (state *State) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	r, data := challenge.CreateRequestData(r, state)
 
-	var data RequestData
-	// generate random id, todo: is this fast?
-	_, _ = rand.Read(data.Id[:])
-	data.RemoteAddress = getRequestAddress(r, state.Settings.ClientIpHeader)
-	data.Challenges = make(map[challenge.Id]challenge.VerifyResult, len(state.Challenges))
-	data.Expires = time.Now().UTC().Add(DefaultValidity).Round(DefaultValidity)
+	data.EvaluateChallenges(w, r)
 
-	var ja3n, ja4 string
-	if fp := utils.GetTLSFingerprint(r); fp != nil {
-		if ja3nPtr := fp.JA3N(); ja3nPtr != nil {
-			ja3n = ja3nPtr.String()
-			r.Header.Set("X-TLS-Fingerprint-JA3N", ja3n)
-		}
-		if ja4Ptr := fp.JA4(); ja4Ptr != nil {
-			ja4 = ja4Ptr.String()
-			r.Header.Set("X-TLS-Fingerprint-JA4", ja4)
-		}
-	}
-
-	data.ProgramEnv = map[string]any{
-		"host":          r.Host,
-		"method":        r.Method,
-		"remoteAddress": data.RemoteAddress,
-		"userAgent":     r.UserAgent(),
-		"path":          r.URL.Path,
-		"fpJA3N":        ja3n,
-		"fpJA4":         ja4,
-		"query": func() map[string]string {
-			result := make(map[string]string)
-			for k, v := range r.URL.Query() {
-				result[k] = strings.Join(v, ",")
-			}
-			return result
-		}(),
-		"headers": func() map[string]string {
-			result := make(map[string]string)
-			for k, v := range r.Header {
-				result[k] = strings.Join(v, ",")
-			}
-			return result
-		}(),
-	}
-
-	r = r.WithContext(context.WithValue(r.Context(), "_goaway_data", &data))
-
-	for _, c := range state.Challenges {
-		key := state.GetChallengeKeyForRequest(c.Name, data.Expires, r)
-		result, err := c.VerifyChallengeToken(state.publicKey, key, r)
-		if err != nil && !errors.Is(err, http.ErrNoCookie) {
-			// clear invalid cookie
-			utils.ClearCookie(utils.CookiePrefix+c.Name, w)
-		}
-
-		// prevent the challenge if not solved
-		if !result.Ok() && c.Program != nil {
-			out, _, err := c.Program.Eval(data.ProgramEnv)
-			// verify eligibility
-			if err != nil {
-				state.logger(r).Error(err.Error(), "challenge", c.Name)
-			} else if out != nil && out.Type() == types.BoolType {
-				if out.Equal(types.True) != types.True {
-					// skip challenge match!
-					result = challenge.VerifyResultSKIP
-					continue
-				}
-			}
-		}
-		data.Challenges[c.Id] = result
-	}
-
-	r.Header.Set("X-Away-Id", hex.EncodeToString(data.Id[:]))
-	if state.Settings.BackendIpHeader != "" {
-		r.Header.Del(state.Settings.ClientIpHeader)
-		r.Header.Set(state.Settings.BackendIpHeader, data.RemoteAddress.String())
-	}
+	// TODO: make this configurable!
 	w.Header().Add("Via", fmt.Sprintf("%s %s", r.Proto, "go-away"))
 
-	// send these to client so we consistently get the headers
-	//w.Header().Set("Accept-CH", "Sec-CH-UA, Sec-CH-UA-Platform")
-	//w.Header().Set("Critical-CH", "Sec-CH-UA, Sec-CH-UA-Platform")
-
 	state.Mux.ServeHTTP(w, r)
 }
-
-func RequestDataFromContext(ctx context.Context) *RequestData {
-	return ctx.Value("_goaway_data").(*RequestData)
-}
-
-type RequestData struct {
-	Id            [16]byte
-	ProgramEnv    map[string]any
-	Expires       time.Time
-	Challenges    map[challenge.Id]challenge.VerifyResult
-	RemoteAddress net.IP
-}
-
-func (d *RequestData) HasValidChallenge(id challenge.Id) bool {
-	return d.Challenges[id].Ok()
-}
-
-func (d *RequestData) Headers(state *State, headers http.Header) {
-	for id, result := range d.Challenges {
-		if result.Ok() {
-			c, ok := state.Challenges[id]
-			if !ok {
-				panic("challenge not found")
-			}
-
-			headers.Set(fmt.Sprintf("X-Away-Challenge-%s-Result", c.Name), result.String())
-		}
-	}
-}

lib/interface.go

@@ -0,0 +1,158 @@
+package lib
+
+import (
+	"bytes"
+	"crypto/ed25519"
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/lib/policy"
+	"git.gammaspectra.live/git/go-away/utils"
+	"github.com/google/cel-go/cel"
+	"log/slog"
+	"maps"
+	"net/http"
+	"strings"
+)
+
+// Defines challenge.StateInterface
+
+var _ challenge.StateInterface
+
+func (state *State) ProgramEnv() *cel.Env {
+	return state.programEnv
+}
+
+func (state *State) Client() *http.Client {
+	return state.client
+}
+
+func (state *State) PrivateKey() ed25519.PrivateKey {
+	return state.privateKey
+}
+
+func (state *State) PublicKey() ed25519.PublicKey {
+	return state.publicKey
+}
+
+func (state *State) UrlPath() string {
+	return state.urlPath
+}
+
+func (state *State) ChallengeFailed(r *http.Request, reg *challenge.Registration, err error, redirect string, logger *slog.Logger) {
+	if logger == nil {
+		logger = state.Logger(r)
+	}
+	logger.Warn("challenge failed", "challenge", reg.Name, "err", err, "redirect", redirect)
+
+	//TODO: metrics
+}
+
+func (state *State) ChallengePassed(r *http.Request, reg *challenge.Registration, redirect string, logger *slog.Logger) {
+	if logger == nil {
+		logger = state.Logger(r)
+	}
+	logger.Warn("challenge passed", "challenge", reg.Name, "redirect", redirect)
+
+	//TODO: metrics
+}
+
+func (state *State) ChallengeIssued(r *http.Request, reg *challenge.Registration, redirect string, logger *slog.Logger) {
+	if logger == nil {
+		logger = state.Logger(r)
+	}
+	logger.Info("challenge issued", "challenge", reg.Name, "redirect", redirect)
+
+	//TODO: metrics
+}
+
+func (state *State) Logger(r *http.Request) *slog.Logger {
+	return GetLoggerForRequest(r)
+}
+
+func (state *State) ChallengePage(w http.ResponseWriter, r *http.Request, status int, reg *challenge.Registration, params map[string]any) {
+	data := challenge.RequestDataFromContext(r.Context())
+	input := make(map[string]any)
+	input["Id"] = data.Id.String()
+	input["Random"] = utils.CacheBust()
+	if reg != nil {
+		input["Challenge"] = reg.Name
+		input["Path"] = state.UrlPath()
+	}
+	input["Theme"] = state.Settings().ChallengeTemplateTheme
+
+	maps.Copy(input, params)
+
+	if _, ok := input["Title"]; !ok {
+		input["Title"] = "Checking you are not a bot"
+	}
+
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+
+	buf := bytes.NewBuffer(make([]byte, 0, 8192))
+
+	err := templates["challenge-"+state.Settings().ChallengeTemplate+".gohtml"].Execute(buf, input)
+	if err != nil {
+		state.ErrorPage(w, r, http.StatusInternalServerError, err, "")
+	} else {
+		w.WriteHeader(status)
+		_, _ = w.Write(buf.Bytes())
+	}
+}
+
+func (state *State) ErrorPage(w http.ResponseWriter, r *http.Request, status int, err error, redirect string) {
+	data := challenge.RequestDataFromContext(r.Context())
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+
+	buf := bytes.NewBuffer(make([]byte, 0, 8192))
+
+	err2 := templates["challenge-"+state.Settings().ChallengeTemplate+".gohtml"].Execute(buf, map[string]any{
+		"Id":          data.Id.String(),
+		"Random":      utils.CacheBust(),
+		"Error":       err.Error(),
+		"Path":        state.UrlPath(),
+		"Theme":       state.Settings().ChallengeTemplateTheme,
+		"Title":       "Oh no! " + http.StatusText(status),
+		"HideSpinner": true,
+		"Challenge":   "",
+		"Redirect":    redirect,
+	})
+	if err2 != nil {
+		// nested errors!
+		panic(err2)
+	} else {
+		w.WriteHeader(status)
+		_, _ = w.Write(buf.Bytes())
+	}
+}
+
+func (state *State) GetChallenge(id challenge.Id) (*challenge.Registration, bool) {
+	reg, ok := state.challenges.Get(id)
+	return reg, ok
+}
+
+func (state *State) GetChallenges() challenge.Register {
+	return state.challenges
+}
+
+func (state *State) GetChallengeByName(name string) (*challenge.Registration, bool) {
+	reg, _, ok := state.challenges.GetByName(name)
+	return reg, ok
+}
+func (state *State) Settings() policy.Settings {
+	return state.settings
+}
+
+func (state *State) GetBackend(host string) http.Handler {
+	backend, ok := state.Settings().Backends[host]
+	if !ok {
+		// do wildcard match
+		wildcard := "*." + strings.Join(strings.Split(host, ".")[1:], ".")
+		backend, ok = state.Settings().Backends[wildcard]
+
+		if !ok {
+			// return fallback
+			backend = state.Settings().Backends["*"]
+		}
+	}
+	//TODO: dynamic
+	return backend
+}

lib/poison.go

@@ -1,26 +0,0 @@
-package lib
-
-import (
-	"git.gammaspectra.live/git/go-away/embed"
-	"io"
-	"path"
-	"slices"
-	"strings"
-)
-
-var poisonEncodings = []string{"br", "zstd", "gzip"}
-
-func (state *State) getPoison(mime string, encodings []string) (r io.ReadCloser, encoding string) {
-	for _, encoding = range poisonEncodings {
-		if !slices.Contains(encodings, encoding) {
-			continue
-		}
-
-		p := path.Join("poison", strings.ReplaceAll(mime, "/", "_")+"."+encoding+".poison")
-		f, err := embed.PoisonFs.Open(p)
-		if err == nil {
-			return f, encoding
-		}
-	}
-	return nil, ""
-}

lib/policy/challenge.go

@@ -1,15 +1,15 @@
 package policy
 
+import (
+	"github.com/goccy/go-yaml/ast"
+	"time"
+)
+
 type Challenge struct {
 	Conditions []string `yaml:"conditions"`
-	Mode       string   `yaml:"mode"`
-	Asset      *string  `yaml:"asset,omitempty"`
-	Url        *string  `yaml:"url,omitempty"`
+	Runtime    string   `yaml:"runtime"`
 
-	Parameters map[string]string `json:"parameters,omitempty"`
-	Runtime    struct {
-		Mode        string  `yaml:"mode,omitempty"`
-		Asset       string  `yaml:"asset,omitempty"`
-		Probability float64 `yaml:"probability,omitempty"`
-	} `yaml:"runtime"`
+	Duration time.Duration `yaml:"duration"`
+
+	Parameters ast.Node `yaml:"parameters,omitempty"`
 }

lib/policy/options.go

@@ -0,0 +1,18 @@
+package policy
+
+import (
+	"net/http"
+)
+
+type Settings struct {
+	Backends               map[string]http.Handler
+	PrivateKeySeed         []byte
+	Debug                  bool
+	PackageName            string
+	ChallengeTemplate      string
+	ChallengeTemplateTheme string
+	ClientIpHeader         string
+	BackendIpHeader        string
+
+	ChallengeResponseCode int
+}

lib/policy/rule.go

@@ -1,22 +1,40 @@
 package policy
 
+import "github.com/goccy/go-yaml/ast"
+
 type RuleAction string
 
 const (
-	RuleActionPASS      RuleAction = "PASS"
-	RuleActionDENY      RuleAction = "DENY"
-	RuleActionBLOCK     RuleAction = "BLOCK"
+	// RuleActionNONE Does nothing. Useful for parent rules when children want to be specified
+	RuleActionNONE RuleAction = "NONE"
+	// RuleActionPASS Passes the connection immediately
+	RuleActionPASS RuleAction = "PASS"
+	// RuleActionDENY Denies the connection with a fancy page
+	RuleActionDENY RuleAction = "DENY"
+	// RuleActionBLOCK Denies the connection with a response code
+	RuleActionBLOCK RuleAction = "BLOCK"
+	// RuleActionCODE Returns a specified HTTP code
+	RuleActionCODE RuleAction = "CODE"
+
+	// RuleActionDROP Drops the connection without sending a reply
+	RuleActionDROP RuleAction = "DROP"
+
+	// RuleActionCHALLENGE Issues a challenge that when passed, passes the connection
 	RuleActionCHALLENGE RuleAction = "CHALLENGE"
-	RuleActionCHECK     RuleAction = "CHECK"
-	RuleActionPOISON    RuleAction = "POISON"
+	// RuleActionCHECK Issues a challenge that when passed, continues checking rules
+	RuleActionCHECK RuleAction = "CHECK"
+
+	// RuleActionPROXY Proxies request to a backend, with optional path replacements
+	RuleActionPROXY RuleAction = "PROXY"
 )
 
 type Rule struct {
 	Name       string   `yaml:"name"`
-	Host       *string  `yaml:"host"`
 	Conditions []string `yaml:"conditions"`
 
 	Action string `yaml:"action"`
 
-	Challenges []string `yaml:"challenges"`
+	Settings ast.Node `yaml:"settings"`
+
+	Children []Rule `yaml:"children"`
 }

lib/rule.go

@@ -0,0 +1,141 @@
+package lib
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"git.gammaspectra.live/git/go-away/lib/action"
+	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/lib/condition"
+	"git.gammaspectra.live/git/go-away/lib/policy"
+	"github.com/google/cel-go/cel"
+	"github.com/google/cel-go/common/types"
+	"github.com/google/cel-go/common/types/ref"
+	"log/slog"
+	"net/http"
+	"strings"
+)
+
+type RuleState struct {
+	Name string
+	Hash string
+
+	Condition cel.Program
+
+	Action  policy.RuleAction
+	Handler action.Handler
+
+	Children []RuleState
+}
+
+func NewRuleState(state challenge.StateInterface, r policy.Rule, replacer *strings.Replacer, parent *RuleState) (RuleState, error) {
+	fp := sha256.Sum256(state.PrivateKey())
+	hasher := sha256.New()
+	if parent != nil {
+		hasher.Write([]byte(parent.Name))
+		hasher.Write([]byte{0})
+		r.Name = fmt.Sprintf("%s/%s", parent.Name, r.Name)
+	}
+	hasher.Write([]byte(r.Name))
+	hasher.Write([]byte{0})
+	hasher.Write(fp[:])
+	sum := hasher.Sum(nil)
+
+	rule := RuleState{
+		Name:   r.Name,
+		Hash:   hex.EncodeToString(sum[:10]),
+		Action: policy.RuleAction(strings.ToUpper(r.Action)),
+	}
+
+	newHandler, ok := action.Register[rule.Action]
+	if !ok {
+		return RuleState{}, fmt.Errorf("unknown action %s", r.Action)
+	}
+
+	actionHandler, err := newHandler(state, rule.Name, rule.Hash, r.Settings)
+	if err != nil {
+		return RuleState{}, err
+	}
+	rule.Handler = actionHandler
+
+	if len(r.Conditions) > 0 {
+		// allow nesting
+		var conditions []string
+		for _, cond := range r.Conditions {
+			cond = replacer.Replace(cond)
+			conditions = append(conditions, cond)
+		}
+
+		ast, err := condition.FromStrings(state.ProgramEnv(), condition.OperatorOr, conditions...)
+		if err != nil {
+			return RuleState{}, fmt.Errorf("error compiling conditions: %w", err)
+		}
+
+		program, err := condition.Program(state.ProgramEnv(), ast)
+		if err != nil {
+			return RuleState{}, fmt.Errorf("error compiling program: %w", err)
+		}
+		rule.Condition = program
+	}
+
+	if len(r.Children) > 0 {
+		for _, child := range r.Children {
+			childRule, err := NewRuleState(state, child, replacer, &rule)
+			if err != nil {
+				return RuleState{}, fmt.Errorf("child %s: %w", child.Name, err)
+			}
+			rule.Children = append(rule.Children, childRule)
+		}
+	}
+
+	return rule, nil
+}
+
+func (rule RuleState) Evaluate(logger *slog.Logger, w http.ResponseWriter, r *http.Request, done func() http.Handler) (next bool, err error) {
+	data := challenge.RequestDataFromContext(r.Context())
+	var out ref.Val
+
+	lg := logger.With("rule", rule.Name, "rule_hash", rule.Hash, "action", string(rule.Action))
+	if rule.Condition != nil {
+		out, _, err = rule.Condition.Eval(data)
+	} else {
+		// default true
+		out = types.Bool(true)
+	}
+	if err != nil {
+		lg.Error(err.Error())
+		return false, fmt.Errorf("error: evaluating administrative rule %s/%s: %w", data.Id.String(), rule.Hash, err)
+	} else if out != nil && out.Type() == types.BoolType {
+		if out.Equal(types.True) == types.True {
+			next, err = rule.Handler.Handle(lg, w, r, func() http.Handler {
+				r.Header.Set("X-Away-Rule", rule.Name)
+				r.Header.Set("X-Away-Hash", rule.Hash)
+				r.Header.Set("X-Away-Action", string(rule.Action))
+
+				return done()
+			})
+			if err != nil {
+				lg.Error(err.Error())
+				return false, fmt.Errorf("error: executing administrative rule %s/%s: %w", data.Id.String(), rule.Hash, err)
+			}
+
+			if !next {
+				return next, nil
+			}
+
+			for _, child := range rule.Children {
+				next, err = child.Evaluate(logger, w, r, done)
+				if err != nil {
+					lg.Error(err.Error())
+					return false, fmt.Errorf("error: executing administrative rule %s/%s: %w", data.Id.String(), rule.Hash, err)
+				}
+
+				if !next {
+					return next, nil
+				}
+			}
+		}
+	}
+
+	return true, nil
+}

lib/state.go

@@ -1,157 +1,76 @@
 package lib
 
 import (
-	"codeberg.org/meta/gzipped/v2"
-	"context"
 	"crypto/ed25519"
 	"crypto/rand"
-	"crypto/sha256"
-	"crypto/subtle"
-	"encoding/hex"
-	"encoding/json"
-	"errors"
 	"fmt"
-	"git.gammaspectra.live/git/go-away/embed"
 	"git.gammaspectra.live/git/go-away/lib/challenge"
-	"git.gammaspectra.live/git/go-away/lib/challenge/wasm"
-	"git.gammaspectra.live/git/go-away/lib/challenge/wasm/interface"
 	"git.gammaspectra.live/git/go-away/lib/condition"
 	"git.gammaspectra.live/git/go-away/lib/policy"
-	"git.gammaspectra.live/git/go-away/utils"
-	"git.gammaspectra.live/git/go-away/utils/inline"
 	"github.com/google/cel-go/cel"
-	"github.com/tetratelabs/wazero/api"
 	"github.com/yl2chen/cidranger"
-	"html/template"
-	"io"
-	"io/fs"
 	"log/slog"
-	"net"
 	"net/http"
 	"net/http/httputil"
-	"net/url"
 	"os"
 	"path"
-	"strconv"
 	"strings"
-	"sync"
-	"sync/atomic"
-	"time"
 )
 
 type State struct {
-	Client   *http.Client
-	Settings StateSettings
-	UrlPath  string
-	Mux      *http.ServeMux
+	client  *http.Client
+	urlPath string
 
-	Networks map[string]cidranger.Ranger
-
-	Wasm *wasm.Runner
-
-	Challenges map[challenge.Id]challenge.Challenge
-
-	RulesEnv *cel.Env
-
-	Rules []RuleState
+	programEnv *cel.Env
 
 	publicKey  ed25519.PublicKey
 	privateKey ed25519.PrivateKey
 
-	Poison map[string][]byte
+	settings policy.Settings
 
-	ChallengeSolve sync.Map
+	networks map[string]cidranger.Ranger
 
-	DecayMap *utils.DecayMap[[net.IPv6len]byte, utils.DNSBLResponse]
+	challenges challenge.Register
+
+	rules []RuleState
 
 	close chan struct{}
+
+	Mux *http.ServeMux
 }
 
-func (state *State) AwaitChallenge(key []byte, ctx context.Context) challenge.VerifyResult {
-	ctx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
-	var result atomic.Int64
-
-	state.ChallengeSolve.Store(string(key), ChallengeCallback(func(receivedResult challenge.VerifyResult) {
-		result.Store(int64(receivedResult))
-		cancel()
-	}))
-
-	<-ctx.Done()
-
-	return challenge.VerifyResult(result.Load())
-}
-
-func (state *State) SolveChallenge(key []byte, result challenge.VerifyResult) {
-	if f, ok := state.ChallengeSolve.LoadAndDelete(string(key)); ok && f != nil {
-		if cb, ok := f.(ChallengeCallback); ok {
-			cb(result)
-		}
-	}
-}
-
-type ChallengeCallback func(result challenge.VerifyResult)
-
-type RuleState struct {
-	Name string
-	Hash string
-
-	Host *string
-
-	Program    cel.Program
-	Action     policy.RuleAction
-	Challenges []challenge.Id
-}
-
-type StateSettings struct {
-	Backends               map[string]http.Handler
-	PrivateKeySeed         []byte
-	Debug                  bool
-	PackageName            string
-	ChallengeTemplate      string
-	ChallengeTemplateTheme string
-	ClientIpHeader         string
-	BackendIpHeader        string
-	DNSBL                  *utils.DNSBL
-}
-
-func NewState(p policy.Policy, settings StateSettings) (handler http.Handler, err error) {
+func NewState(p policy.Policy, settings policy.Settings) (handler http.Handler, err error) {
 	state := new(State)
 	state.close = make(chan struct{})
-	state.Settings = settings
-	state.Client = &http.Client{
+	state.settings = settings
+	state.client = &http.Client{
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		},
 	}
-	state.UrlPath = "/.well-known/." + state.Settings.PackageName
-
-	if state.Settings.DNSBL != nil {
-		state.DecayMap = utils.NewDecayMap[[net.IPv6len]byte, utils.DNSBLResponse]()
-	}
+	state.urlPath = "/.well-known/." + state.Settings().PackageName
 
 	// set a reasonable configuration for default http proxy if there is none
-	for _, backend := range state.Settings.Backends {
+	for _, backend := range state.Settings().Backends {
 		if proxy, ok := backend.(*httputil.ReverseProxy); ok {
 			if proxy.ErrorHandler == nil {
 				proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
-					state.logger(r).Error(err.Error())
-					_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusBadGateway, err, "")
+					state.Logger(r).Error(err.Error())
+					state.ErrorPage(w, r, http.StatusBadGateway, err, "")
 				}
 			}
 		}
 	}
 
-	if len(state.Settings.PrivateKeySeed) > 0 {
-		if len(state.Settings.PrivateKeySeed) != ed25519.SeedSize {
-			return nil, fmt.Errorf("invalid private key seed length: %d", len(state.Settings.PrivateKeySeed))
+	if len(state.Settings().PrivateKeySeed) > 0 {
+		if len(state.Settings().PrivateKeySeed) != ed25519.SeedSize {
+			return nil, fmt.Errorf("invalid private key seed length: %d", len(state.Settings().PrivateKeySeed))
 		}
 
-		state.privateKey = ed25519.NewKeyFromSeed(state.Settings.PrivateKeySeed)
+		state.privateKey = ed25519.NewKeyFromSeed(state.Settings().PrivateKeySeed)
 		state.publicKey = state.privateKey.Public().(ed25519.PublicKey)
 
-		clear(state.Settings.PrivateKeySeed)
+		clear(state.settings.PrivateKeySeed)
 
 	} else {
 		state.publicKey, state.privateKey, err = ed25519.GenerateKey(rand.Reader)
@@ -160,34 +79,32 @@ func NewState(p policy.Policy, settings StateSettings) (handler http.Handler, er
 		}
 	}
 
-	privateKeyFingerprint := sha256.Sum256(state.privateKey)
-
-	if state.Settings.ChallengeTemplate == "" {
-		state.Settings.ChallengeTemplate = "anubis"
+	if state.Settings().ChallengeTemplate == "" {
+		state.settings.ChallengeTemplate = "anubis"
 	}
 
-	if templates["challenge-"+state.Settings.ChallengeTemplate+".gohtml"] == nil {
+	if templates["challenge-"+state.Settings().ChallengeTemplate+".gohtml"] == nil {
 
-		if data, err := os.ReadFile(state.Settings.ChallengeTemplate); err == nil && len(data) > 0 {
-			name := path.Base(state.Settings.ChallengeTemplate)
+		if data, err := os.ReadFile(state.Settings().ChallengeTemplate); err == nil && len(data) > 0 {
+			name := path.Base(state.Settings().ChallengeTemplate)
 			err := initTemplate(name, string(data))
 			if err != nil {
 				return nil, fmt.Errorf("error loading template %s: %w", settings.ChallengeTemplate, err)
 			}
-			state.Settings.ChallengeTemplate = name
+			state.settings.ChallengeTemplate = name
 		}
 
 		return nil, fmt.Errorf("no template defined for %s", settings.ChallengeTemplate)
 	}
 
-	state.Networks = make(map[string]cidranger.Ranger)
+	state.networks = make(map[string]cidranger.Ranger)
 	for k, network := range p.Networks {
 		ranger := cidranger.NewPCTrieRanger()
 		for _, e := range network {
 			if e.Url != nil {
 				slog.Debug("loading network url list", "network", k, "url", *e.Url)
 			}
-			prefixes, err := e.FetchPrefixes(state.Client)
+			prefixes, err := e.FetchPrefixes(state.client)
 			if err != nil {
 				slog.Error("error fetching network url list", "network", k, "url", *e.Url)
 				continue
@@ -202,11 +119,9 @@ func NewState(p policy.Policy, settings StateSettings) (handler http.Handler, er
 
 		slog.Warn("loaded network prefixes", "network", k, "count", ranger.Len())
 
-		state.Networks[k] = ranger
+		state.networks[k] = ranger
 	}
 
-	state.Wasm = wasm.NewRunner(true)
-
 	err = state.initConditions()
 	if err != nil {
 		return nil, err
@@ -214,7 +129,7 @@ func NewState(p policy.Policy, settings StateSettings) (handler http.Handler, er
 
 	var replacements []string
 	for k, entries := range p.Conditions {
-		ast, err := condition.FromStrings(state.RulesEnv, condition.OperatorOr, entries...)
+		ast, err := condition.FromStrings(state.programEnv, condition.OperatorOr, entries...)
 		if err != nil {
 			return nil, fmt.Errorf("conditions %s: error compiling conditions: %v", k, err)
 		}
@@ -229,563 +144,26 @@ func NewState(p policy.Policy, settings StateSettings) (handler http.Handler, er
 	}
 	conditionReplacer := strings.NewReplacer(replacements...)
 
-	state.Challenges = make(map[challenge.Id]challenge.Challenge)
-
-	idCounter := challenge.Id(1)
+	state.challenges = make(challenge.Register)
 
 	//TODO: move this to self-contained challenge files
-	for challengeName, p := range p.Challenges {
-
-		// allow nesting
-		var conditions []string
-		for _, cond := range p.Conditions {
-			cond = conditionReplacer.Replace(cond)
-			conditions = append(conditions, cond)
+	for challengeName, pol := range p.Challenges {
+		_, _, err := state.challenges.Create(state, challengeName, pol, conditionReplacer)
+		if err != nil {
+			return nil, fmt.Errorf("challenge %s: %w", challengeName, err)
 		}
-
-		var program cel.Program
-		if len(conditions) > 0 {
-			ast, err := condition.FromStrings(state.RulesEnv, condition.OperatorOr, conditions...)
-			if err != nil {
-				return nil, fmt.Errorf("challenge %s: error compiling conditions: %v", challengeName, err)
-			}
-			program, err = state.RulesEnv.Program(ast)
-			if err != nil {
-				return nil, fmt.Errorf("challenge %s: error compiling program: %v", challengeName, err)
-			}
-		}
-
-		c := challenge.Challenge{
-			Id:                idCounter,
-			Program:           program,
-			Name:              challengeName,
-			Path:              fmt.Sprintf("%s/challenge/%s", state.UrlPath, challengeName),
-			VerifyProbability: p.Runtime.Probability,
-		}
-		idCounter++
-
-		if c.VerifyProbability <= 0 {
-			//10% default
-			c.VerifyProbability = 0.1
-		} else if c.VerifyProbability > 1.0 {
-			c.VerifyProbability = 1.0
-		}
-
-		assetPath := c.Path + "/static/"
-		subFs, err := fs.Sub(embed.ChallengeFs, fmt.Sprintf("challenge/%s/static", challengeName))
-		if err == nil {
-			c.ServeStatic = http.StripPrefix(
-				assetPath,
-				gzipped.FileServer(gzipped.FS(subFs)),
-			)
-		}
-
-		switch p.Mode {
-		default:
-			return nil, fmt.Errorf("unknown challenge mode: %s", p.Mode)
-		case "http":
-			if p.Url == nil {
-				return nil, fmt.Errorf("challenge %s: missing url", challengeName)
-			}
-			method := p.Parameters["http-method"]
-			if method == "" {
-				method = "GET"
-			}
-
-			httpCode, _ := strconv.Atoi(p.Parameters["http-code"])
-			if httpCode == 0 {
-				httpCode = http.StatusOK
-			}
-
-			expectedCookie := p.Parameters["http-cookie"]
-
-			c.Verify = func(key []byte, result string, r *http.Request) (bool, error) {
-				var cookieValue string
-				if expectedCookie != "" {
-					if cookie, err := r.Cookie(expectedCookie); err != nil || cookie == nil {
-						// skip check if we don't have cookie or it's expired
-						return false, nil
-					} else {
-						cookieValue = cookie.Value
-					}
-				}
-				// bind hash of cookie contents
-				sum := sha256.New()
-				sum.Write([]byte(cookieValue))
-				sum.Write([]byte{0})
-				sum.Write(key)
-				sum.Write([]byte{0})
-				sum.Write(state.publicKey)
-
-				if subtle.ConstantTimeCompare(sum.Sum(nil), []byte(result)) == 1 {
-					return true, nil
-				}
-				return false, nil
-			}
-
-			c.ServeChallenge = func(w http.ResponseWriter, r *http.Request, key []byte, expiry time.Time) challenge.Result {
-
-				data := RequestDataFromContext(r.Context())
-
-				if result := data.Challenges[c.Id]; result.Ok() {
-					return challenge.ResultPass
-				}
-
-				var cookieValue string
-				if expectedCookie != "" {
-					if cookie, err := r.Cookie(expectedCookie); err != nil || cookie == nil {
-						// skip check if we don't have cookie or it's expired
-						return challenge.ResultContinue
-					} else {
-						cookieValue = cookie.Value
-					}
-				}
-
-				request, err := http.NewRequest(method, *p.Url, nil)
-				if err != nil {
-					return challenge.ResultContinue
-				}
-
-				request.Header = r.Header
-				response, err := state.Client.Do(request)
-				if err != nil {
-					return challenge.ResultContinue
-				}
-				defer response.Body.Close()
-				defer io.Copy(io.Discard, response.Body)
-
-				if response.StatusCode != httpCode {
-					utils.ClearCookie(utils.CookiePrefix+c.Name, w)
-					// continue other challenges!
-
-					//TODO: negatively cache failure
-
-					return challenge.ResultContinue
-				} else {
-					// bind hash of cookie contents
-					sum := sha256.New()
-					sum.Write([]byte(cookieValue))
-					sum.Write([]byte{0})
-					sum.Write(key)
-					sum.Write([]byte{0})
-					sum.Write(state.publicKey)
-					token, err := c.IssueChallengeToken(state.privateKey, key, sum.Sum(nil), expiry)
-					if err != nil {
-						utils.ClearCookie(utils.CookiePrefix+c.Name, w)
-					} else {
-						utils.SetCookie(utils.CookiePrefix+challengeName, token, expiry, w)
-					}
-
-					data.Challenges[c.Id] = challenge.VerifyResultPASS
-
-					// we passed it!
-					return challenge.ResultPass
-				}
-			}
-
-		case "cookie":
-			c.ServeChallenge = func(w http.ResponseWriter, r *http.Request, key []byte, expiry time.Time) challenge.Result {
-				if chall := r.URL.Query().Get("__goaway_challenge"); chall == challengeName {
-					state.logger(r).Warn("challenge failed", "challenge", c.Name)
-					utils.ClearCookie(utils.CookiePrefix+c.Name, w)
-					_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusForbidden, fmt.Errorf("access denied: failed challenge %s", c.Name), "")
-					return challenge.ResultStop
-				}
-
-				token, err := c.IssueChallengeToken(state.privateKey, key, nil, expiry)
-				if err != nil {
-					utils.ClearCookie(utils.CookiePrefix+challengeName, w)
-				} else {
-					utils.SetCookie(utils.CookiePrefix+challengeName, token, expiry, w)
-				}
-
-				// self redirect!
-				uri, err := url.ParseRequestURI(r.URL.String())
-				values := uri.Query()
-				values.Set("__goaway_challenge", challengeName)
-				uri.RawQuery = values.Encode()
-
-				http.Redirect(w, r, uri.String(), http.StatusTemporaryRedirect)
-				return challenge.ResultStop
-			}
-		case "meta-refresh":
-			c.ServeChallenge = func(w http.ResponseWriter, r *http.Request, key []byte, expiry time.Time) challenge.Result {
-				redirectUri := new(url.URL)
-				redirectUri.Path = c.Path + "/verify-challenge"
-
-				values := make(url.Values)
-				values.Set("result", hex.EncodeToString(key))
-				values.Set("redirect", r.URL.String())
-				values.Set("requestId", r.Header.Get("X-Away-Id"))
-
-				redirectUri.RawQuery = values.Encode()
-
-				_ = state.challengePage(w, r.Header.Get("X-Away-Id"), http.StatusTeapot, "", map[string]any{
-					"Meta": map[string]string{
-						"refresh": "0; url=" + redirectUri.String(),
-					},
-				})
-
-				return challenge.ResultStop
-			}
-		case "header-refresh":
-			c.ServeChallenge = func(w http.ResponseWriter, r *http.Request, key []byte, expiry time.Time) challenge.Result {
-				redirectUri := new(url.URL)
-				redirectUri.Path = c.Path + "/verify-challenge"
-
-				values := make(url.Values)
-				values.Set("result", hex.EncodeToString(key))
-				values.Set("redirect", r.URL.String())
-				values.Set("requestId", r.Header.Get("X-Away-Id"))
-
-				redirectUri.RawQuery = values.Encode()
-
-				// self redirect!
-				w.Header().Set("Refresh", "0; url="+redirectUri.String())
-
-				_ = state.challengePage(w, r.Header.Get("X-Away-Id"), http.StatusTeapot, "", nil)
-
-				return challenge.ResultStop
-			}
-		case "preload-link":
-			deadline, _ := time.ParseDuration(p.Parameters["preload-early-hint-deadline"])
-			if deadline == 0 {
-				deadline = time.Second * 3
-			}
-
-			c.ServeChallenge = func(w http.ResponseWriter, r *http.Request, key []byte, expiry time.Time) challenge.Result {
-				// this only works on HTTP/2 and HTTP/3
-
-				if r.ProtoMajor < 2 {
-					// this can happen if we are an upgraded request from HTTP/1.1 to HTTP/2 in H2C
-					if _, ok := w.(http.Pusher); !ok {
-						return challenge.ResultContinue
-					}
-				}
-
-				data := RequestDataFromContext(r.Context())
-				redirectUri := new(url.URL)
-				redirectUri.Scheme = getRequestScheme(r)
-				redirectUri.Host = r.Host
-				redirectUri.Path = c.Path + "/verify-challenge"
-
-				values := make(url.Values)
-				values.Set("result", hex.EncodeToString(key))
-				values.Set("requestId", r.Header.Get("X-Away-Id"))
-
-				redirectUri.RawQuery = values.Encode()
-
-				w.Header().Set("Link", fmt.Sprintf("<%s>; rel=\"preload\"; as=\"style\"; fetchpriority=high", redirectUri.String()))
-				defer func() {
-					// remove old header so it won't show on response!
-					w.Header().Del("Link")
-				}()
-				w.WriteHeader(http.StatusEarlyHints)
-
-				ctx, cancel := context.WithTimeout(r.Context(), deadline)
-				defer cancel()
-				if result := state.AwaitChallenge(key, ctx); result.Ok() {
-					data.Challenges[c.Id] = challenge.VerifyResultPASS
-
-					// this should serve!
-					return challenge.ResultPass
-				}
-
-				data.Challenges[c.Id] = challenge.VerifyResultFAIL
-				// we failed, continue
-				return challenge.ResultContinue
-			}
-		case "resource-load":
-			c.ServeChallenge = func(w http.ResponseWriter, r *http.Request, key []byte, expiry time.Time) challenge.Result {
-				redirectUri := new(url.URL)
-				redirectUri.Path = c.Path + "/verify-challenge"
-
-				values := make(url.Values)
-				values.Set("result", hex.EncodeToString(key))
-				values.Set("requestId", r.Header.Get("X-Away-Id"))
-
-				redirectUri.RawQuery = values.Encode()
-
-				// self redirect!
-				w.Header().Set("Refresh", "2; url="+r.URL.String())
-
-				_ = state.challengePage(w, r.Header.Get("X-Away-Id"), http.StatusTeapot, "", map[string]any{
-					"Tags": []template.HTML{
-						template.HTML(fmt.Sprintf("<link href=\"%s\" rel=\"stylesheet\" crossorigin=\"use-credentials\">", redirectUri.String())),
-					},
-				})
-
-				return challenge.ResultStop
-			}
-		case "js":
-			c.ServeChallenge = func(w http.ResponseWriter, r *http.Request, key []byte, expiry time.Time) challenge.Result {
-				_ = state.challengePage(w, r.Header.Get("X-Away-Id"), http.StatusTeapot, challengeName, nil)
-
-				return challenge.ResultStop
-			}
-			c.ServeScriptPath = c.Path + "/challenge.mjs"
-			c.ServeScript = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				params, _ := json.Marshal(p.Parameters)
-
-				//TODO: move this to http.go as a template
-				w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
-				w.Header().Set("Content-Type", "text/javascript; charset=utf-8")
-				w.WriteHeader(http.StatusOK)
-
-				err := templates["challenge.mjs"].Execute(w, map[string]any{
-					"Path":       c.Path,
-					"Parameters": string(params),
-					"Random":     cacheBust,
-					"Challenge":  challengeName,
-					"ChallengeScript": func() string {
-						if p.Asset != nil {
-							return assetPath + *p.Asset
-						} else if p.Url != nil {
-							return *p.Url
-						} else {
-							panic("not implemented")
-						}
-					}(),
-				})
-				if err != nil {
-					//TODO: log
-				}
-			})
-		}
-
-		// how to runtime
-		switch p.Runtime.Mode {
-		default:
-			return nil, fmt.Errorf("unknown challenge runtime mode: %s", p.Runtime.Mode)
-		case "":
-		case "http":
-		case "key":
-			mimeType := p.Parameters["key-mime"]
-			if mimeType == "" {
-				mimeType = "text/html; charset=utf-8"
-			}
-
-			httpCode, _ := strconv.Atoi(p.Parameters["key-code"])
-			if httpCode == 0 {
-				httpCode = http.StatusTemporaryRedirect
-			}
-
-			var content []byte
-			if data, ok := p.Parameters["key-content"]; ok {
-				content = []byte(data)
-			}
-
-			c.Verify = func(key []byte, result string, r *http.Request) (bool, error) {
-				resultBytes, err := hex.DecodeString(result)
-				if err != nil {
-					return false, err
-				}
-
-				if subtle.ConstantTimeCompare(resultBytes, key) != 1 {
-					return false, nil
-				}
-				return true, nil
-			}
-
-			c.ServeVerifyChallenge = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-
-				redirect, err := utils.EnsureNoOpenRedirect(r.FormValue("redirect"))
-				if err != nil {
-					_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusBadRequest, err, "")
-					return
-				}
-
-				err = func() (err error) {
-
-					data := RequestDataFromContext(r.Context())
-
-					key := state.GetChallengeKeyForRequest(challengeName, data.Expires, r)
-					result := r.FormValue("result")
-
-					requestId, err := hex.DecodeString(r.FormValue("requestId"))
-					if err == nil {
-						r.Header.Set("X-Away-Id", hex.EncodeToString(requestId))
-					}
-
-					if ok, err := c.Verify(key, result, r); err != nil {
-						return err
-					} else if !ok {
-						utils.ClearCookie(utils.CookiePrefix+challengeName, w)
-						data.Challenges[c.Id] = challenge.VerifyResultFAIL
-						state.SolveChallenge(key, challenge.VerifyResultFAIL)
-						state.logger(r).Warn("challenge failed", "challenge", challengeName, "redirect", redirect)
-
-						// catch happy eyeballs IPv4 -> IPv6 migration, re-direct to try again
-						if resultKey, err := ChallengeKeyFromString(result); err == nil && resultKey.Get(ChallengeKeyFlagIsIPv4) > 0 && key.Get(ChallengeKeyFlagIsIPv4) == 0 {
-
-						} else {
-							_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusForbidden, fmt.Errorf("access denied: failed challenge %s", challengeName), redirect)
-							return nil
-						}
-					} else {
-						state.logger(r).Warn("challenge passed", "challenge", challengeName, "redirect", redirect)
-
-						token, err := c.IssueChallengeToken(state.privateKey, key, []byte(result), data.Expires)
-						if err != nil {
-							utils.ClearCookie(utils.CookiePrefix+challengeName, w)
-						} else {
-							utils.SetCookie(utils.CookiePrefix+challengeName, token, data.Expires, w)
-						}
-						data.Challenges[c.Id] = challenge.VerifyResultPASS
-						state.SolveChallenge(key, challenge.VerifyResultPASS)
-					}
-
-					switch httpCode {
-					case http.StatusMovedPermanently, http.StatusFound, http.StatusSeeOther, http.StatusTemporaryRedirect, http.StatusPermanentRedirect:
-						if redirect == "" {
-							_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusBadRequest, errors.New("no redirect found"), "")
-							return nil
-						}
-						http.Redirect(w, r, redirect, httpCode)
-					default:
-						w.Header().Set("Content-Type", mimeType)
-						w.WriteHeader(httpCode)
-						if content != nil {
-							_, _ = w.Write(content)
-						}
-					}
-
-					return nil
-				}()
-				if err != nil {
-					utils.ClearCookie(utils.CookiePrefix+challengeName, w)
-					_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusInternalServerError, err, redirect)
-					return
-				}
-			})
-
-		case "wasm":
-			wasmData, err := embed.ChallengeFs.ReadFile(fmt.Sprintf("challenge/%s/runtime/%s", challengeName, p.Runtime.Asset))
-			if err != nil {
-				return nil, fmt.Errorf("c %s: could not load runtime: %w", challengeName, err)
-			}
-			err = state.Wasm.Compile(challengeName, wasmData)
-			if err != nil {
-				return nil, fmt.Errorf("c %s: compiling runtime: %w", challengeName, err)
-			}
-
-			c.ServeMakeChallenge = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				err := state.Wasm.Instantiate(challengeName, func(ctx context.Context, mod api.Module) (err error) {
-
-					data := RequestDataFromContext(r.Context())
-
-					in := _interface.MakeChallengeInput{
-						Key:        state.GetChallengeKeyForRequest(challengeName, data.Expires, r),
-						Parameters: p.Parameters,
-						Headers:    inline.MIMEHeader(r.Header),
-					}
-					in.Data, err = io.ReadAll(r.Body)
-					if err != nil {
-						return err
-					}
-
-					out, err := wasm.MakeChallengeCall(ctx, mod, in)
-					if err != nil {
-						return err
-					}
-
-					// set output headers
-					for k, v := range out.Headers {
-						w.Header()[k] = v
-					}
-					w.Header().Set("Content-Length", fmt.Sprintf("%d", len(out.Data)))
-					w.WriteHeader(out.Code)
-					_, _ = w.Write(out.Data)
-					return nil
-				})
-				if err != nil {
-					_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusInternalServerError, err, "")
-					return
-				}
-			})
-
-			c.Verify = func(key []byte, result string, r *http.Request) (ok bool, err error) {
-				err = state.Wasm.Instantiate(challengeName, func(ctx context.Context, mod api.Module) (err error) {
-					in := _interface.VerifyChallengeInput{
-						Key:        key,
-						Parameters: p.Parameters,
-						Result:     []byte(result),
-					}
-
-					out, err := wasm.VerifyChallengeCall(ctx, mod, in)
-					if err != nil {
-						return err
-					}
-
-					if out == _interface.VerifyChallengeOutputError {
-						return errors.New("error checking challenge")
-					}
-					ok = out == _interface.VerifyChallengeOutputOK
-					return nil
-				})
-				if err != nil {
-					return false, err
-				}
-				return ok, nil
-			}
-		}
-
-		state.Challenges[c.Id] = c
 	}
 
-	for _, rule := range p.Rules {
-		hasher := sha256.New()
-		hasher.Write([]byte(rule.Name))
-		hasher.Write([]byte{0})
-		if rule.Host != nil {
-			hasher.Write([]byte(*rule.Host))
-		}
-		hasher.Write([]byte{0})
-		hasher.Write(privateKeyFingerprint[:])
-		sum := hasher.Sum(nil)
+	for _, r := range p.Rules {
 
-		challenges := make([]challenge.Id, 0, len(rule.Challenges))
-
-		for _, challengeName := range rule.Challenges {
-			c, ok := state.GetChallengeByName(challengeName)
-			if !ok {
-				return nil, fmt.Errorf("challenge %s not found", challengeName)
-			}
-			challenges = append(challenges, c.Id)
-		}
-
-		r := RuleState{
-			Name:       rule.Name,
-			Hash:       hex.EncodeToString(sum[:8]),
-			Host:       rule.Host,
-			Action:     policy.RuleAction(strings.ToUpper(rule.Action)),
-			Challenges: challenges,
-		}
-
-		if (r.Action == policy.RuleActionCHALLENGE || r.Action == policy.RuleActionCHECK) && len(r.Challenges) == 0 {
-			return nil, fmt.Errorf("no challenges found in rule %s", rule.Name)
-		}
-
-		// allow nesting
-		var conditions []string
-		for _, cond := range rule.Conditions {
-			cond = conditionReplacer.Replace(cond)
-			conditions = append(conditions, cond)
-		}
-
-		ast, err := condition.FromStrings(state.RulesEnv, condition.OperatorOr, conditions...)
+		rule, err := NewRuleState(state, r, conditionReplacer, nil)
 		if err != nil {
-			return nil, fmt.Errorf("rules %s: error compiling conditions: %v", rule.Name, err)
+			return nil, fmt.Errorf("rule %s: %w", r.Name, err)
 		}
-		program, err := state.RulesEnv.Program(ast)
-		if err != nil {
-			return nil, fmt.Errorf("rules %s: error compiling program: %v", rule.Name, err)
-		}
-		r.Program = program
 
-		slog.Warn("loaded rule", "rule", r.Name, "hash", r.Hash, "action", rule.Action)
+		slog.Warn("loaded rule", "rule", rule.Name, "hash", rule.Hash, "action", rule.Action, "children", len(rule.Children))
 
-		state.Rules = append(state.Rules, r)
+		state.rules = append(state.rules, rule)
 	}
 
 	state.Mux = http.NewServeMux()
@@ -794,28 +172,5 @@ func NewState(p policy.Policy, settings StateSettings) (handler http.Handler, er
 		return nil, err
 	}
 
-	if state.DecayMap != nil {
-		go func() {
-			ticker := time.NewTicker(17 * time.Minute)
-			for {
-				select {
-				case <-ticker.C:
-					state.DecayMap.Decay()
-				case <-state.close:
-					return
-				}
-			}
-		}()
-	}
-
 	return state, nil
 }
-
-func (state *State) GetChallengeByName(name string) (challenge.Challenge, bool) {
-	for _, c := range state.Challenges {
-		if c.Name == name {
-			return c, true
-		}
-	}
-	return challenge.Challenge{}, false
-}