diff --git a/analyze.go b/analyze.go
index 4cda3549..9f28476a 100644
--- a/analyze.go
+++ b/analyze.go
@@ -19,20 +19,20 @@ package crossplane
 // Update for OSS, filter in config is the directives not in https://nginx.org/en/docs/dirindex.html but in source code.
 // Override in config is for the "if" directive. We create a bitmask ngxConfExpr for it in crossplane, which is not in source code.
 //go:generate sh -c "sh ./scripts/generate/generate.sh --url https://github.com/nginx/nginx.git --config-path ./scripts/generate/configs/oss_latest_config.json > ./analyze_oss_latest_directives.gen.go"
-//go:generate sh -c "sh ./scripts/generate/generate.sh --url https://github.com/nginx/nginx.git --config-path ./scripts/generate/configs/oss_126_config.json --branch branches/stable-1.26 > ./analyze_oss_126_directives.gen.go"
-//go:generate sh -c "sh ./scripts/generate/generate.sh --url https://github.com/nginx/nginx.git --config-path ./scripts/generate/configs/oss_124_config.json --branch branches/stable-1.24 > ./analyze_oss_124_directives.gen.go"
+//go:generate sh -c "sh ./scripts/generate/generate.sh --url https://github.com/nginx/nginx.git --config-path ./scripts/generate/configs/oss_126_config.json --branch stable-1.26 > ./analyze_oss_126_directives.gen.go"
+//go:generate sh -c "sh ./scripts/generate/generate.sh --url https://github.com/nginx/nginx.git --config-path ./scripts/generate/configs/oss_124_config.json --branch stable-1.24 > ./analyze_oss_124_directives.gen.go"
 // Update for lua, override is for the lua block directives, see https://github.com/nginxinc/nginx-go-crossplane/pull/86.
 //go:generate sh -c "sh ./scripts/generate/generate.sh --url https://github.com/openresty/lua-nginx-module.git --config-path ./scripts/generate/configs/lua_config.json --path ./src > ./analyze_lua_directives.gen.go"
-// Update for otel. Filter is for some directives withou context.
+// Update for otel. Filter is for some directives without context.
 // Otel provides its own config handler for some directives and they don't have context. Currently we don't support them.
 //go:generate sh -c "sh ./scripts/generate/generate.sh --url https://github.com/nginxinc/nginx-otel.git --config-path ./scripts/generate/configs/otel_config.json --branch main > ./analyze_otel_directives.gen.go"
 // Update for NAP v4 and v5.
 // NAP is a private module. Please ensure you have correct access and put the url.
 // and branch of it in environment variable NAP_URL, NAP_V4_BRANCH, and NAP_V5_BRANCH.
-// Override is for flag dirctives. NAP used ngxConfTake1 for flag directives, we change them to ngxConfFlag in crossplane.
+// Override is for flag directives. NAP used ngxConfTake1 for flag directives, we change them to ngxConfFlag in crossplane.
 // NAP v4
 //go:generate sh -c "sh ./scripts/generate/generate.sh --url $NAP_URL --config-path ./scripts/generate/configs/nap_v4_config.json --branch $NAP_V4_BRANCH --path ./src > analyze_appProtectWAFv4_directives.gen.go"
 // NAP v5
diff --git a/analyze_nplus_R30_directives.go b/analyze_nplus_R30_directives.go
index e06a42a9..95c43a01 100644
--- a/analyze_nplus_R30_directives.go
+++ b/analyze_nplus_R30_directives.go
@@ -1612,7 +1612,7 @@ var nginxPlusR30Directives = map[string][]uint{
 		ngxStreamMainConf | ngxStreamSrvConf | ngxConfTake1,
 	},
 	"ssl_ocsp": {
-		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfFlag,
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
 	},
 	"ssl_ocsp_cache": {
 		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
diff --git a/analyze_nplus_R31_directives.go b/analyze_nplus_R31_directives.go
index 13d31ef4..b4cbd998 100644
--- a/analyze_nplus_R31_directives.go
+++ b/analyze_nplus_R31_directives.go
@@ -1634,7 +1634,7 @@ var nginxPlusR31Directives = map[string][]uint{
 		ngxConfTake1 | ngxMgmtMainConf,
 	},
 	"ssl_ocsp": {
-		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfFlag,
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
 	},
 	"ssl_ocsp_cache": {
 		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
diff --git a/analyze_nplus_R33_directives.gen.go b/analyze_nplus_R33_directives.gen.go
index 2ccd6ad5..37403a97 100644
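Review bot: Dropping the `branches/` prefix fixes the ref name, but `--branch stable-1.26`, `--branch stable-1.24` and the `--branch main` used for otel still point `go generate` at moving branch heads of remote repositories, so the checked-in `*.gen.go` directive tables cannot be regenerated reproducibly or traced to a specific upstream commit. If `generate.sh` accepts a tag or commit, pinning one would make a regenerated table auditable; otherwise a comment recording the upstream commit each table was last generated from would let a reviewer verify the next regeneration. The line `// Override in config is for the "if" directive.` is also no longer complete, since this commit adds `ssl_ocsp` overrides to the OSS and Plus config files; it could read `// Override in config is for the "if" directive and for ssl_ocsp, which is treated as a one-argument directive rather than a flag.`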
--- a/analyze_nplus_R33_directives.gen.go
+++ b/analyze_nplus_R33_directives.gen.go
@@ -1660,8 +1660,8 @@ var nginxPlusR33Directives = map[string][]uint{
 		ngxMgmtMainConf | ngxConfTake1,
 	},
 	"ssl_ocsp": {
-		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfFlag,
-		ngxStreamMainConf | ngxStreamSrvConf | ngxConfFlag,
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
+		ngxStreamMainConf | ngxStreamSrvConf | ngxConfTake1,
 	},
 	"ssl_ocsp_cache": {
 		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
diff --git a/analyze_nplus_R34_directives.gen.go b/analyze_nplus_R34_directives.gen.go
index 57dc5384..1b97f679 100644
--- a/analyze_nplus_R34_directives.gen.go
+++ b/analyze_nplus_R34_directives.gen.go
@@ -1724,8 +1724,8 @@ var nginxPlusR34Directives = map[string][]uint{
 		ngxMainConf | ngxDirectConf | ngxConfFlag,
 	},
 	"ssl_ocsp": {
-		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfFlag,
-		ngxStreamMainConf | ngxStreamSrvConf | ngxConfFlag,
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
+		ngxStreamMainConf | ngxStreamSrvConf | ngxConfTake1,
 	},
 	"ssl_ocsp_cache": {
 		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
diff --git a/analyze_nplus_R35_directives.gen.go b/analyze_nplus_R35_directives.gen.go
index c3e0c408..dcdbe532 100644
--- a/analyze_nplus_R35_directives.gen.go
+++ b/analyze_nplus_R35_directives.gen.go
@@ -1739,8 +1739,8 @@ var nginxPlusR35Directives = map[string][]uint{
 		ngxMainConf | ngxDirectConf | ngxConfFlag,
 	},
 	"ssl_ocsp": {
-		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfFlag,
-		ngxStreamMainConf | ngxStreamSrvConf | ngxConfFlag,
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
+		ngxStreamMainConf | ngxStreamSrvConf | ngxConfTake1,
 	},
 	"ssl_ocsp_cache": {
 		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
diff --git a/analyze_nplus_latest_directives.gen.go b/analyze_nplus_latest_directives.gen.go
index 9f328bf1..7f04c9d8 100644
--- a/analyze_nplus_latest_directives.gen.go
+++ b/analyze_nplus_latest_directives.gen.go
@@ -1739,8 +1739,8 @@ var nginxPlusLatestDirectives = map[string][]uint{
 		ngxMainConf | ngxDirectConf | ngxConfFlag,
 	},
 	"ssl_ocsp": {
-		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfFlag,
-		ngxStreamMainConf | ngxStreamSrvConf | ngxConfFlag,
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
+		ngxStreamMainConf | ngxStreamSrvConf | ngxConfTake1,
 	},
 	"ssl_ocsp_cache": {
 		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
diff --git a/analyze_oss_124_directives.gen.go b/analyze_oss_124_directives.gen.go
index 2e2b8da4..0aa7a719 100644
--- a/analyze_oss_124_directives.gen.go
+++ b/analyze_oss_124_directives.gen.go
@@ -1454,7 +1454,7 @@ var oss124Directives = map[string][]uint{
 		ngxStreamMainConf | ngxStreamSrvConf | ngxConfTake1,
 	},
 	"ssl_ocsp": {
-		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfFlag,
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
 	},
 	"ssl_ocsp_cache": {
 		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
diff --git a/analyze_oss_126_directives.gen.go b/analyze_oss_126_directives.gen.go
index 1fb0ee8c..8a6a0eca 100644
--- a/analyze_oss_126_directives.gen.go
+++ b/analyze_oss_126_directives.gen.go
@@ -1486,7 +1486,7 @@ var oss126Directives = map[string][]uint{
 		ngxStreamMainConf | ngxStreamSrvConf | ngxConfTake1,
 	},
 	"ssl_ocsp": {
-		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfFlag,
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
 	},
 	"ssl_ocsp_cache": {
 		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
diff --git a/analyze_oss_latest_directives.gen.go b/analyze_oss_latest_directives.gen.go
index 018722ec..5adfc312 100644
--- a/analyze_oss_latest_directives.gen.go
+++ b/analyze_oss_latest_directives.gen.go
@@ -1518,8 +1518,8 @@ var ossLatestDirectives = map[string][]uint{
 		ngxMainConf | ngxDirectConf | ngxConfFlag,
 	},
 	"ssl_ocsp": {
-		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfFlag,
-		ngxStreamMainConf | ngxStreamSrvConf | ngxConfFlag,
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
+		ngxStreamMainConf | ngxStreamSrvConf | ngxConfTake1,
 	},
 	"ssl_ocsp_cache": {
 		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
diff --git a/analyze_test.go b/analyze_test.go
index 3d9e192f..5913076b 100644
--- a/analyze_test.go
+++ b/analyze_test.go
@@ -3034,3 +3034,185 @@ func TestAnalyze_auth_require(t *testing.T) {
 		})
 	}
 }
+
+//nolint:funlen
+func TestAnalyze_ssl_ocsp(t *testing.T) {
+	t.Parallel()
+	testcases := map[string]struct {
+		stmt *Directive
+		ctx []blockCtx
+		matchFunc MatchFunc
+		wantErr bool
+	}{
+		"ssl_ocsp ok in OS 1.24": {
+			&Directive{
+				Directive: "ssl_ocsp",
+				Args: []string{"leaf"},
+				Line: 5,
+			},
+			[]blockCtx{{"http"}, {"http", "server"}},
+			MatchOss124,
+			false,
+		},
+		"ssl_ocsp ok in OS 1.26": {
+			&Directive{
+				Directive: "ssl_ocsp",
+				Args: []string{"leaf"},
+				Line: 5,
+			},
+			[]blockCtx{{"http"}, {"http", "server"}},
+			MatchOss126,
+			false,
+		},
+		"ssl_ocsp ok in OS latest": {
+			&Directive{
+				Directive: "ssl_ocsp",
+				Args: []string{"leaf"},
+				Line: 5,
+			},
+			[]blockCtx{{"http"}, {"http", "server"}, {"stream"}, {"stream", "server"}},
+			MatchOssLatest,
+			false,
+		},
+		"ssl_ocsp ok in R30": {
+			&Directive{
+				Directive: "ssl_ocsp",
+				Args: []string{"leaf"},
+				Line: 5,
+			},
+			[]blockCtx{{"http"}, {"http", "server"}},
+			MatchNginxPlusR30,
+			false,
+		},
+		"ssl_ocsp ok in R31": {
+			&Directive{
+				Directive: "ssl_ocsp",
+				Args: []string{"leaf"},
+				Line: 5,
+			},
+			[]blockCtx{{"http"}, {"http", "server"}},
+			MatchNginxPlusR31,
+			false,
+		},
+		"ssl_ocsp ok in R33": {
+			&Directive{
+				Directive: "ssl_ocsp",
+				Args: []string{"leaf"},
+				Line: 5,
+			},
+			[]blockCtx{{"http"}, {"http", "server"}, {"stream"}, {"stream", "server"}},
+			MatchNginxPlusR33,
+			false,
+		},
+		"ssl_ocsp ok in R34": {
+			&Directive{
+				Directive: "ssl_ocsp",
+				Args: []string{"leaf"},
+				Line: 5,
+			},
+			[]blockCtx{{"http"}, {"http", "server"}, {"stream"}, {"stream", "server"}},
+			MatchNginxPlusR34,
+			false,
+		},
+		"ssl_ocsp ok in R35": {
+			&Directive{
+				Directive: "ssl_ocsp",
+				Args: []string{"leaf"},
+				Line: 5,
+			},
+			[]blockCtx{{"http"}, {"http", "server"}, {"stream"}, {"stream", "server"}},
+			MatchNginxPlusR35,
+			false,
+		},
+		"ssl_ocsp ok in Plus latest": {
+			&Directive{
+				Directive: "ssl_ocsp",
+				Args: []string{"leaf"},
+				Line: 5,
+			},
+			[]blockCtx{{"http"}, {"http", "server"}, {"stream"}, {"stream", "server"}},
+			MatchNginxPlusLatest,
+			false,
+		},
+		"ssl_ocsp not ok in OS 1.24 wrong context": {
+			&Directive{
+				Directive: "ssl_ocsp",
+				Args: []string{"leaf"},
+				Line: 5,
+			},
+			[]blockCtx{{"stream"}, {"stream", "server"}},
+			MatchOss124,
+			true,
+		},
+		"ssl_ocsp not ok in OS 1.26 wrong context": {
+			&Directive{
+				Directive: "ssl_ocsp",
+				Args: []string{"leaf"},
+				Line: 5,
+			},
+			[]blockCtx{{"stream"}, {"stream", "server"}},
+			MatchOss126,
+			true,
+		},
+		"ssl_ocsp not ok in OS latest wrong parameters": {
+			&Directive{
+				Directive: "ssl_ocsp",
+				Args: []string{"on", "leaf"},
+				Line: 5,
+			},
+			[]blockCtx{{"http"}, {"http", "server"}, {"stream"}, {"stream", "server"}},
+			MatchOssLatest,
+			true,
+		},
+		"ssl_ocsp not ok in Plus R30 wrong context": {
+			&Directive{
+				Directive: "ssl_ocsp",
+				Args: []string{"leaf"},
+				Line: 5,
+			},
+			[]blockCtx{{"stream"}, {"stream", "server"}},
+			MatchNginxPlusR30,
+			true,
+		},
+		"ssl_ocsp not ok in Plus R31 wrong context": {
+			&Directive{
+				Directive: "ssl_ocsp",
+				Args: []string{"leaf"},
+				Line: 5,
+			},
+			[]blockCtx{{"stream"}, {"stream", "server"}},
+			MatchNginxPlusR31,
+			true,
+		},
+		"ssl_ocsp not ok in Plus latest wrong parameters": {
+			&Directive{
+				Directive: "ssl_ocsp",
+				Args: []string{"on", "leaf"},
+				Line: 5,
+			},
+			[]blockCtx{{"stream"}, {"stream", "server"}},
+			MatchNginxPlusLatest,
+			true,
+		},
+	}
+
+	for name, tc := range testcases {
+		tc := tc
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+			for _, ctx := range tc.ctx {
+				err := analyze("nginx.conf", tc.stmt, ";", ctx, &ParseOptions{
+					DirectiveSources: []MatchFunc{tc.matchFunc},
+				})
+
+				if !tc.wantErr && err != nil {
+					t.Fatal(err)
+				}
+
+				if tc.wantErr && err == nil {
+					t.Fatal("expected error, got nil")
+				}
+			}
+		})
+	}
+}
diff --git a/scripts/generate/configs/nplus_R33_config.json b/scripts/generate/configs/nplus_R33_config.json
index a53c1f7c..b87f18c8 100644
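Review bot: The Plus-latest negative case `"ssl_ocsp not ok in Plus latest wrong parameters"` only runs against `{{"stream"}, {"stream", "server"}}`, unlike its OSS-latest twin which covers all four contexts, so a regression in the http entries of `nginxPlusLatestDirectives` would not be caught; its ctx should be `[]blockCtx{{"http"}, {"http", "server"}, {"stream"}, {"stream", "server"}}`. The table also has no case with `Args: []string{}` (must still be rejected) and none with `"on"`/`"off"` (must still be accepted), which are the two boundaries of the `ngxConfTake1` contract this commit switches to; one positive `on` case and one zero-argument negative case per match function would pin that. Since every context in `tc.ctx` is asserted against the same `wantErr`, a case that should fail in only some of its contexts cannot be expressed — a comment on the loop saying the contexts must agree would avoid a future mis-use. The three context lines at the top of the hunk close `TestAnalyze_auth_require`, which starts outside the hunk.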
--- a/scripts/generate/configs/nplus_R33_config.json +++ b/scripts/generate/configs/nplus_R33_config.json @@ -119,7 +119,11 @@ "enforce_initial_report": [["ngxMgmtMainConf","ngxConfFlag"]], "license_token": [["ngxMgmtMainConf","ngxConfTake1"]], "state_path": [["ngxMgmtMainConf","ngxConfTake1"]], - "zone_sync": [["ngxStreamSrvConf","ngxConfNoArgs"]] + "zone_sync": [["ngxStreamSrvConf","ngxConfNoArgs"]], + "ssl_ocsp": [ + ["ngxHTTPMainConf", "ngxHTTPSrvConf", "ngxConfTake1"], + ["ngxStreamMainConf", "ngxStreamSrvConf", "ngxConfTake1"] + ] }, "matchFuncComment":"MatchNginxPlusR33 contains directives in Nginx Plus R33 source code(including GEOIP, Perl, and XSLT)" diff --git a/scripts/generate/configs/nplus_R34_config.json b/scripts/generate/configs/nplus_R34_config.json index 7a2eb672..6bc6fb67 100644 --- a/scripts/generate/configs/nplus_R34_config.json +++ b/scripts/generate/configs/nplus_R34_config.json @@ -137,8 +137,11 @@ "redirect_uri": [["ngxHTTPOIDCConf", "ngxConfTake1"]], "scope": [["ngxHTTPOIDCConf", "ngxConfTake1"]], "session_store": [["ngxHTTPOIDCConf", "ngxConfTake1"]], - "session_timeout": [["ngxHTTPOIDCConf", "ngxConfTake1"]] - + "session_timeout": [["ngxHTTPOIDCConf", "ngxConfTake1"]], + "ssl_ocsp": [ + ["ngxHTTPMainConf", "ngxHTTPSrvConf", "ngxConfTake1"], + ["ngxStreamMainConf", "ngxStreamSrvConf", "ngxConfTake1"] + ] }, "matchFuncComment":"MatchNginxPlusR34 contains directives in Nginx Plus R34 source code(including GEOIP, Perl, and XSLT)" diff --git a/scripts/generate/configs/nplus_R35_config.json b/scripts/generate/configs/nplus_R35_config.json index c393f81a..6e3d2d32 100644 --- a/scripts/generate/configs/nplus_R35_config.json +++ b/scripts/generate/configs/nplus_R35_config.json 
@@ -142,9 +142,12 @@ "logout_token_hint": [["ngxHTTPOIDCConf", "ngxConfFlag"]], "logout_uri": [["ngxHTTPOIDCConf", "ngxConfTake1"]], "post_logout_uri": [["ngxHTTPOIDCConf", "ngxConfTake1"]], - "userinfo": [["ngxHTTPOIDCConf", "ngxConfTake1"]] - - }, + "userinfo": [["ngxHTTPOIDCConf", "ngxConfTake1"]], + "ssl_ocsp": [ + ["ngxHTTPMainConf", "ngxHTTPSrvConf", "ngxConfTake1"], + ["ngxStreamMainConf", "ngxStreamSrvConf", "ngxConfTake1"] + ] +}, "matchFuncComment":"MatchNginxPlusR35 contains directives in Nginx Plus R35 source code(including GEOIP, Perl, and XSLT)" } diff --git a/scripts/generate/configs/oss_124_config.json b/scripts/generate/configs/oss_124_config.json index 477dd6f8..573d6e88 100644 --- a/scripts/generate/configs/oss_124_config.json +++ b/scripts/generate/configs/oss_124_config.json @@ -38,7 +38,8 @@ "gzip_no_buffer" ], "override":{ - "if":[[ "ngxHTTPSrvConf", "ngxHTTPLocConf", "ngxConfBlock", "ngxConfExpr", "ngxConf1More"]] + "if":[[ "ngxHTTPSrvConf", "ngxHTTPLocConf", "ngxConfBlock", "ngxConfExpr", "ngxConf1More"]], + "ssl_ocsp": [["ngxHTTPMainConf", "ngxHTTPSrvConf", "ngxConfTake1"]] }, "matchFuncComment":"MatchOss124 contains directives in OSS 1.2.4 source code(including GEOIP, Perl, and XSLT)" } diff --git a/scripts/generate/configs/oss_126_config.json b/scripts/generate/configs/oss_126_config.json index 1ed6b163..186ee2b4 100644 --- a/scripts/generate/configs/oss_126_config.json +++ b/scripts/generate/configs/oss_126_config.json @@ -38,7 +38,8 @@ "gzip_no_buffer" ], "override":{ - "if":[[ "ngxHTTPSrvConf", "ngxHTTPLocConf", "ngxConfBlock", "ngxConfExpr", "ngxConf1More"]] + "if":[[ "ngxHTTPSrvConf", "ngxHTTPLocConf", "ngxConfBlock", "ngxConfExpr", "ngxConf1More"]], + "ssl_ocsp": [["ngxHTTPMainConf", "ngxHTTPSrvConf", "ngxConfTake1"]] }, "matchFuncComment":"MatchOss126 contains directives in OSS 1.2.6 source code(including GEOIP, Perl, and XSLT)" }
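Review bot: The `"ssl_ocsp"` override is added for the 1.24, 1.26 and R33–R35 configs, but neither `oss_latest_config.json` nor `nplus_latest_config.json` appears in this diff even though `analyze_oss_latest_directives.gen.go` and `analyze_nplus_latest_directives.gen.go` were hand-edited to `ngxConfTake1`; unless the upstream source those two tables are generated from already declares `ssl_ocsp` as a one-argument directive, the next `go generate` would silently reinstate `ngxConfFlag` there. Adding `"ssl_ocsp": [["ngxHTTPMainConf", "ngxHTTPSrvConf", "ngxConfTake1"], ["ngxStreamMainConf", "ngxStreamSrvConf", "ngxConfTake1"]]` to both latest configs, or confirming in the commit message that it is unnecessary, would keep the checked-in tables and the generator in agreement. Because these JSON files cannot carry comments, the reason for the override (the source-derived flag form rejects the `leaf` argument the tests expect) belongs in the generator comments in analyze.go.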