fix: replace checker.NewMapIterator with newMapIterator for HTTPHeaders and URLValues

Signed-off-by: Jason Cameron <jason.cameron@stanwith.me>

.github/workflows/docker-pr.yml

@@ -31,7 +31,7 @@ jobs:
           node-version: "24.11.0"
       - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "stable"
+          go-version: "1.25.4"
 
       - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 

.github/workflows/docker.yml

@@ -41,7 +41,7 @@ jobs:
           node-version: "24.11.0"
       - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "stable"
+          go-version: "1.25.4"
 
       - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 

.github/workflows/go-mod-tidy-check.yml

@@ -19,7 +19,7 @@ jobs:
 
       - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "stable"
+          go-version: "1.25.4"
 
       - name: Check go.mod and go.sum in main directory
         run: |

.github/workflows/go.yml

@@ -29,7 +29,7 @@ jobs:
           node-version: "24.11.0"
       - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "stable"
+          go-version: "1.25.4"
 
       - name: Cache playwright binaries
         uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
@@ -61,4 +61,4 @@ jobs:
 
       - name: Govulncheck
         run: |
-          go tool govulncheck ./... ||:
+          go tool govulncheck ./...

.github/workflows/package-builds-stable.yml

@@ -30,7 +30,7 @@ jobs:
           node-version: "24.11.0"
       - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "stable"
+          go-version: "1.25.4"
 
       - name: install node deps
         run: |

.github/workflows/package-builds-unstable.yml

@@ -31,7 +31,7 @@ jobs:
           node-version: "24.11.0"
       - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "stable"
+          go-version: "1.25.4"
 
       - name: install node deps
         run: |

.github/workflows/smoke-tests.yml

@@ -39,7 +39,7 @@ jobs:
           node-version: "24.11.0"
       - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "stable"
+          go-version: "1.25.4"
 
       - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 

.github/workflows/ssh-ci.yml

@@ -37,7 +37,7 @@ jobs:
 
       - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: "stable"
+          go-version: "1.25.4"
 
       - name: Run CI
         run: go run ./utils/cmd/backoff-retry bash test/ssh-ci/rigging.sh ${{ matrix.host }}

Makefile

@@ -24,7 +24,8 @@ build: assets
 lint: assets
 	$(GO) vet ./...
 	$(GO) tool staticcheck ./...
-	
+	$(GO) tool govulncheck ./...
+
 prebaked-build:
 	$(GO) build -o ./var/anubis -ldflags "-X 'github.com/TecharoHQ/anubis.Version=$(VERSION)'" ./cmd/anubis
 	$(GO) build -o ./var/robots2policy -ldflags "-X 'github.com/TecharoHQ/anubis.Version=$(VERSION)'" ./cmd/robots2policy

docs/docs/CHANGELOG.md

@@ -11,9 +11,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-- Fixed mixed tab/space indentation in Caddy documentation code block
-
 <!-- This changes the project to: -->
+- Fix CEL internal errors when iterating `headers`/`query` map wrappers by implementing map iterators for `HTTPHeaders` and `URLValues` ([#1465](https://github.com/TecharoHQ/anubis/pull/1465)).
 
 ## v1.25.0: Necron
 

docs/docs/admin/environments/caddy.mdx

@@ -62,9 +62,9 @@ yourdomain.example.com {
   tls your@email.address
 
   reverse_proxy http://anubis:3000 {
-    header_up X-Real-Ip {remote_host}
-    header_up X-Http-Version {http.request.proto}
-  }
+		header_up X-Real-Ip {remote_host}
+		header_up X-Http-Version {http.request.proto}
+	}
 }
 ```
 

docs/docs/admin/policies.mdx

@@ -393,32 +393,6 @@ logging:
 
 When files are rotated out, the old files will be named after the rotation timestamp in [RFC 3339 format](https://www.rfc-editor.org/rfc/rfc3339).
 
-:::note
-
-If you are running Anubis in systemd via a native package, the default systemd unit settings are very restrictive and will forbid writing to folders in `/var/log`. In order to fix this, please make a [drop-in unit](https://www.flatcar.org/docs/latest/setup/systemd/drop-in-units/) like the following:
-
-```text
-# /etc/systemd/anubis@instance-name.service.d/50-var-log-readwrite.conf
-[Service]
-ReadWritePaths=/run /var/log/anubis
-```
-
-Once you write this to the correct place, reload the systemd configuration:
-
-```text
-sudo systemctl daemon-reload
-```
-
-And then restart Anubis:
-
-```text
-sudo systemctl restart anubis@instance-name
-```
-
-You may be required to make drop-ins for each Anubis instance depending on the facts and circumstances of your deployment.
-
-:::
-
 ### `stdio` sink
 
 By default, Anubis logs everything to the standard error stream of its process. This requires no configuration:

lib/policy/celchecker_test.go

@@ -0,0 +1,44 @@
+package policy
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/TecharoHQ/anubis/internal/dns"
+	"github.com/TecharoHQ/anubis/lib/config"
+	"github.com/TecharoHQ/anubis/lib/store/memory"
+)
+
+func newTestDNS(t *testing.T) *dns.Dns {
+	t.Helper()
+
+	ctx := t.Context()
+	memStore := memory.New(ctx)
+	cache := dns.NewDNSCache(300, 300, memStore)
+	return dns.New(ctx, cache)
+}
+
+func TestCELChecker_MapIterationWrappers(t *testing.T) {
+	cfg := &config.ExpressionOrList{
+		Expression: `headers.exists(k, k == "Accept") && query.exists(k, k == "format")`,
+	}
+
+	checker, err := NewCELChecker(cfg, newTestDNS(t))
+	if err != nil {
+		t.Fatalf("creating CEL checker failed: %v", err)
+	}
+
+	req, err := http.NewRequest(http.MethodGet, "https://example.com/?format=json", nil)
+	if err != nil {
+		t.Fatalf("making request failed: %v", err)
+	}
+	req.Header.Set("Accept", "application/json")
+
+	got, err := checker.Check(req)
+	if err != nil {
+		t.Fatalf("checking expression failed: %v", err)
+	}
+	if !got {
+		t.Fatal("expected expression to evaluate true")
+	}
+}

lib/policy/expressions/http_headers.go

@@ -66,7 +66,9 @@ func (h HTTPHeaders) Get(key ref.Val) ref.Val {
 	return result
 }
 
-func (h HTTPHeaders) Iterator() traits.Iterator { panic("TODO(Xe): implement me") }
+func (h HTTPHeaders) Iterator() traits.Iterator {
+	return newMapIterator(h.Header)
+}
 
 func (h HTTPHeaders) IsZeroValue() bool {
 	return len(h.Header) == 0

lib/policy/expressions/map_iterator.go

@@ -0,0 +1,60 @@
+package expressions
+
+import (
+	"errors"
+	"maps"
+	"reflect"
+	"slices"
+
+	"github.com/google/cel-go/common/types"
+	"github.com/google/cel-go/common/types/ref"
+	"github.com/google/cel-go/common/types/traits"
+)
+
+var ErrNotImplemented = errors.New("expressions: not implemented")
+
+type stringSliceIterator struct {
+	keys []string
+	idx  int
+}
+
+func (s *stringSliceIterator) Value() any {
+	return s
+}
+
+func (s *stringSliceIterator) ConvertToNative(typeDesc reflect.Type) (any, error) {
+	return nil, ErrNotImplemented
+}
+
+func (s *stringSliceIterator) ConvertToType(typeValue ref.Type) ref.Val {
+	return types.NewErr("can't convert from %q to %q", types.IteratorType, typeValue)
+}
+
+func (s *stringSliceIterator) Equal(other ref.Val) ref.Val {
+	return types.NewErr("can't compare %q to %q", types.IteratorType, other.Type())
+}
+
+func (s *stringSliceIterator) Type() ref.Type {
+	return types.IteratorType
+}
+
+func (s *stringSliceIterator) HasNext() ref.Val {
+	return types.Bool(s.idx < len(s.keys))
+}
+
+func (s *stringSliceIterator) Next() ref.Val {
+	if s.HasNext() != types.True {
+		return nil
+	}
+
+	val := s.keys[s.idx]
+	s.idx++
+	return types.String(val)
+}
+
+func newMapIterator(m map[string][]string) traits.Iterator {
+	return &stringSliceIterator{
+		keys: slices.Collect(maps.Keys(m)),
+		idx:  0,
+	}
+}

lib/policy/expressions/url_values.go

@@ -1,7 +1,6 @@
 package expressions
 
 import (
-	"errors"
 	"net/url"
 	"reflect"
 	"strings"
@@ -11,8 +10,6 @@ import (
 	"github.com/google/cel-go/common/types/traits"
 )
 
-var ErrNotImplemented = errors.New("expressions: not implemented")
-
 // URLValues is a type wrapper to expose url.Values into CEL programs.
 type URLValues struct {
 	url.Values
@@ -69,7 +66,9 @@ func (u URLValues) Get(key ref.Val) ref.Val {
 	return result
 }
 
-func (u URLValues) Iterator() traits.Iterator { panic("TODO(Xe): implement me") }
+func (u URLValues) Iterator() traits.Iterator {
+	return newMapIterator(u.Values)
+}
 
 func (u URLValues) IsZeroValue() bool {
 	return len(u.Values) == 0