change allowed dir

Author: aphralG

internal/config/config.go

@@ -161,7 +161,8 @@ func registerFlags() {
 
 	fs.StringSlice(AllowedDirectoriesKey,
 		DefaultAllowedDirectories(),
-		"A comma-separated list of paths that you want to grant NGINX Agent read/write access to")
+		"A comma-separated list of paths that you want to grant NGINX Agent read/write access to. Allowed "+
+			"directories are case sensitive")
 
 	fs.Duration(
 		InstanceWatcherMonitoringFrequencyKey,

internal/config/config_test.go

@@ -625,7 +625,8 @@ func getAgentConfig() *Config {
 			},
 		},
 		AllowedDirectories: []string{
-			"/etc/nginx", "/usr/local/etc/nginx", "/var/run/nginx", "/var/log/nginx", "/usr/share/nginx/modules",
+			"/etc/nginx", "/etc/nginx-agent", "/usr/local/etc/nginx", "/var/run/nginx", "/var/log/nginx",
+			"/usr/share/nginx/modules",
 		},
 		Collector: &Collector{
 			ConfigPath: "/etc/nginx-agent/nginx-agent-otelcol.yaml",
@@ -755,7 +756,8 @@ func createConfig() *Config {
 			},
 		},
 		AllowedDirectories: []string{
-			"/etc/nginx", "/usr/local/etc/nginx", "/var/run/nginx", "/usr/share/nginx/modules", "/var/log/nginx",
+			"/etc/nginx", "/etc/nginx-agent", "/usr/local/etc/nginx",
+			"/var/run/nginx", "/usr/share/nginx/modules", "/var/log/nginx",
 		},
 		DataPlaneConfig: &DataPlaneConfig{
 			Nginx: &NginxDataPlaneConfig{

internal/config/testdata/nginx-agent.conf

@@ -44,6 +44,7 @@ client:
 
 allowed_directories:
     - /etc/nginx
+    - /etc/nginx-agent
     - /usr/local/etc/nginx
     - /var/run/nginx
     - /usr/share/nginx/modules

internal/config/types.go

@@ -382,6 +382,9 @@ func (c *Config) AreReceiversConfigured() bool {
 
 func isAllowedDir(dir string, allowedDirs []string) bool {
 	for _, allowedDirectory := range allowedDirs {
+		if !strings.HasSuffix(allowedDirectory, "/") {
+			allowedDirectory += "/"
+		}
 		if strings.HasPrefix(dir, allowedDirectory) {
 			return true
 		}

internal/config/types_test.go

@@ -0,0 +1,87 @@
+// Copyright (c) F5, Inc.
+//
+// This source code is licensed under the Apache License, Version 2.0 license found in the
+// LICENSE file in the root directory of this source tree.
+
+package config
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestTypes_IsDirectoryAllowed(t *testing.T) {
+	config := getAgentConfig()
+
+	tests := []struct {
+		name        string
+		fileDir     string
+		allowedDirs []string
+		allowed     bool
+	}{
+		{
+			name:    "Test 1: directory allowed",
+			allowed: true,
+			allowedDirs: []string{
+				"/etc/nginx",
+				"/var/log/nginx/",
+			},
+			fileDir: "/etc/nginx/nginx.conf",
+		},
+		{
+			name:    "Test 2: directory not allowed",
+			allowed: false,
+			allowedDirs: []string{
+				"/etc/nginx/",
+				"/var/log/nginx/",
+			},
+			fileDir: "/etc/nginx-agent/nginx-agent.conf",
+		},
+		{
+			name:    "Test 3: directory allowed",
+			allowed: true,
+			allowedDirs: []string{
+				"/etc/nginx/",
+				"/var/log/nginx/",
+			},
+			fileDir: "/etc/nginx/conf.d/nginx-agent.conf",
+		},
+		{
+			name:    "Test 4: directory not allowed",
+			allowed: false,
+			allowedDirs: []string{
+				"/etc/nginx",
+				"/var/log/nginx",
+			},
+			fileDir: "~/test.conf",
+		},
+		{
+			name:    "Test 5: directory not allowed",
+			allowed: false,
+			allowedDirs: []string{
+				"/etc/nginx/",
+				"/var/log/nginx/",
+			},
+			fileDir: "//test.conf",
+		},
+		{
+			name:    "Test 6: directory allowed",
+			allowed: true,
+			allowedDirs: []string{
+				"/etc/nginx/",
+				"/var/log/nginx/",
+				"/",
+			},
+			fileDir: "/test.conf",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			config.AllowedDirectories = test.allowedDirs
+			result := config.IsDirectoryAllowed(test.fileDir)
+			assert.Equal(t, test.allowed, result)
+		})
+	}
+}

internal/watcher/instance/nginx_config_parser.go

@@ -10,7 +10,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/fs"
 	"log/slog"
 	"net"
 	"net/http"
@@ -113,102 +112,101 @@ func (ncp *NginxConfigParser) createNginxConfigContext(
 	rootDir := filepath.Dir(instance.GetInstanceRuntime().GetConfigPath())
 
 	for _, conf := range payload.Config {
-		if ncp.agentConfig.IsDirectoryAllowed(strings.ToLower(conf.File)) {
-			formatMap := make(map[string]string)
-			err := ncp.crossplaneConfigTraverse(ctx, &conf,
-				func(ctx context.Context, parent, directive *crossplane.Directive) error {
-					switch directive.Directive {
-					case "log_format":
-						formatMap = ncp.formatMap(directive)
-					case "access_log":
-						if !ncp.ignoreLog(directive.Args[0]) {
-							accessLog := ncp.accessLog(directive.Args[0], ncp.accessLogDirectiveFormat(directive),
-								formatMap)
-							nginxConfigContext.AccessLogs = append(nginxConfigContext.AccessLogs, accessLog)
-						}
-					case "error_log":
-						if !ncp.ignoreLog(directive.Args[0]) {
-							errorLog := ncp.errorLog(directive.Args[0], ncp.errorLogDirectiveLevel(directive))
-							nginxConfigContext.ErrorLogs = append(nginxConfigContext.ErrorLogs, errorLog)
-						} else {
-							slog.WarnContext(ctx, fmt.Sprintf("Currently error log outputs to %s. Log monitoring "+
-								"is disabled while applying a config; "+"log errors to file to enable error monitoring",
-								directive.Args[0]), "error_log", directive.Args[0])
-						}
-					case "root":
-						rootFiles := ncp.rootFiles(ctx, directive.Args[0])
-						nginxConfigContext.Files = append(nginxConfigContext.Files, rootFiles...)
-					case "ssl_certificate", "proxy_ssl_certificate", "ssl_client_certificate",
-						"ssl_trusted_certificate":
-						sslCertFile := ncp.sslCert(ctx, directive.Args[0], rootDir)
-						if !ncp.isDuplicateFile(nginxConfigContext.Files, sslCertFile) {
-							nginxConfigContext.Files = append(nginxConfigContext.Files, sslCertFile)
-						}
+		if !ncp.agentConfig.IsDirectoryAllowed(conf.File) {
+			slog.WarnContext(ctx, "File included in NGINX config is outside of allowed directories, "+
+				"excluding from config",
+				"file", conf.File)
+
+			continue
+		}
+
+		formatMap := make(map[string]string)
+		err := ncp.crossplaneConfigTraverse(ctx, &conf,
+			func(ctx context.Context, parent, directive *crossplane.Directive) error {
+				switch directive.Directive {
+				case "log_format":
+					formatMap = ncp.formatMap(directive)
+				case "access_log":
+					if !ncp.ignoreLog(directive.Args[0]) {
+						accessLog := ncp.accessLog(directive.Args[0], ncp.accessLogDirectiveFormat(directive),
+							formatMap)
+						nginxConfigContext.AccessLogs = append(nginxConfigContext.AccessLogs, accessLog)
+					}
+				case "error_log":
+					if !ncp.ignoreLog(directive.Args[0]) {
+						errorLog := ncp.errorLog(directive.Args[0], ncp.errorLogDirectiveLevel(directive))
+						nginxConfigContext.ErrorLogs = append(nginxConfigContext.ErrorLogs, errorLog)
+					} else {
+						slog.WarnContext(ctx, fmt.Sprintf("Currently error log outputs to %s. Log monitoring "+
+							"is disabled while applying a config; "+"log errors to file to enable error monitoring",
+							directive.Args[0]), "error_log", directive.Args[0])
+					}
+				case "ssl_certificate", "proxy_ssl_certificate", "ssl_client_certificate",
+					"ssl_trusted_certificate":
+					sslCertFile := ncp.sslCert(ctx, directive.Args[0], rootDir)
+					if !ncp.isDuplicateFile(nginxConfigContext.Files, sslCertFile) {
+						nginxConfigContext.Files = append(nginxConfigContext.Files, sslCertFile)
+					}
 
-					case "app_protect_security_log":
-						if len(directive.Args) > 1 {
-							syslogArg := directive.Args[1]
-							re := regexp.MustCompile(`syslog:server=([\S]+)`)
-							matches := re.FindStringSubmatch(syslogArg)
-							if len(matches) > 1 {
-								syslogServer := matches[1]
-								if !napSyslogServersFound[syslogServer] {
-									nginxConfigContext.NAPSysLogServers = append(
-										nginxConfigContext.NAPSysLogServers,
-										syslogServer,
-									)
-									napSyslogServersFound[syslogServer] = true
-									slog.DebugContext(ctx, "Found NAP syslog server", "address", syslogServer)
-								}
+				case "app_protect_security_log":
+					if len(directive.Args) > 1 {
+						syslogArg := directive.Args[1]
+						re := regexp.MustCompile(`syslog:server=([\S]+)`)
+						matches := re.FindStringSubmatch(syslogArg)
+						if len(matches) > 1 {
+							syslogServer := matches[1]
+							if !napSyslogServersFound[syslogServer] {
+								nginxConfigContext.NAPSysLogServers = append(
+									nginxConfigContext.NAPSysLogServers,
+									syslogServer,
+								)
+								napSyslogServersFound[syslogServer] = true
+								slog.DebugContext(ctx, "Found NAP syslog server", "address", syslogServer)
 							}
 						}
 					}
+				}
 
-					return nil
-				},
-			)
-			if err != nil {
-				return nginxConfigContext, fmt.Errorf("traverse nginx config: %w", err)
-			}
+				return nil
+			},
+		)
+		if err != nil {
+			return nginxConfigContext, fmt.Errorf("traverse nginx config: %w", err)
+		}
 
-			stubStatus := ncp.crossplaneConfigTraverseAPIDetails(ctx, &conf, ncp.apiCallback, stubStatusAPIDirective)
-			if stubStatus.URL != "" {
-				nginxConfigContext.StubStatus = stubStatus
-			}
+		stubStatus := ncp.crossplaneConfigTraverseAPIDetails(ctx, &conf, ncp.apiCallback, stubStatusAPIDirective)
+		if stubStatus.URL != "" {
+			nginxConfigContext.StubStatus = stubStatus
+		}
 
-			plusAPI := ncp.crossplaneConfigTraverseAPIDetails(ctx, &conf, ncp.apiCallback, plusAPIDirective)
-			if plusAPI.URL != "" {
-				nginxConfigContext.PlusAPI = plusAPI
-			}
+		plusAPI := ncp.crossplaneConfigTraverseAPIDetails(ctx, &conf, ncp.apiCallback, plusAPIDirective)
+		if plusAPI.URL != "" {
+			nginxConfigContext.PlusAPI = plusAPI
+		}
 
-			fileMeta, err := files.FileMeta(conf.File)
-			if err != nil {
-				slog.WarnContext(ctx, "Unable to get file metadata", "file_name", conf.File, "error", err)
-			} else {
-				nginxConfigContext.Files = append(nginxConfigContext.Files, &mpi.File{FileMeta: fileMeta})
-			}
+		fileMeta, err := files.FileMeta(conf.File)
+		if err != nil {
+			slog.WarnContext(ctx, "Unable to get file metadata", "file_name", conf.File, "error", err)
 		} else {
-			slog.WarnContext(ctx, "File in NGINX config not in allowed directories, excluding from config",
-				"file", conf.File)
+			nginxConfigContext.Files = append(nginxConfigContext.Files, &mpi.File{FileMeta: fileMeta})
 		}
 	}
 
 	return nginxConfigContext, nil
 }
 
 func (ncp *NginxConfigParser) ignoreLog(logPath string) bool {
-	logLower := strings.ToLower(logPath)
 	ignoreLogs := []string{"off", "/dev/stderr", "/dev/stdout", "/dev/null", "stderr", "stdout"}
 
-	if strings.HasPrefix(logLower, "syslog:") || slices.Contains(ignoreLogs, logLower) {
+	if strings.HasPrefix(logPath, "syslog:") || slices.Contains(ignoreLogs, logPath) {
 		return true
 	}
 
-	if ncp.isExcludeLog(logLower) {
+	if ncp.isExcludeLog(logPath) {
 		return true
 	}
 
-	if !ncp.agentConfig.IsDirectoryAllowed(logLower) {
+	if !ncp.agentConfig.IsDirectoryAllowed(logPath) {
 		slog.Warn("Log being read is outside of allowed directories", "log_path", logPath)
 	}
 
@@ -317,39 +315,6 @@ func (ncp *NginxConfigParser) errorLogDirectiveLevel(directive *crossplane.Direc
 	return ""
 }
 
-func (ncp *NginxConfigParser) rootFiles(ctx context.Context, rootDir string) (rootFiles []*mpi.File) {
-	if !ncp.agentConfig.IsDirectoryAllowed(rootDir) {
-		slog.DebugContext(ctx, "Root directory not in allowed directories", "root_directory", rootDir)
-		return rootFiles
-	}
-
-	err := filepath.WalkDir(rootDir,
-		func(path string, d fs.DirEntry, err error) error {
-			if err != nil {
-				return err
-			}
-
-			if d.IsDir() {
-				return nil
-			}
-
-			rootFileMeta, fileMetaErr := files.FileMeta(path)
-			if fileMetaErr != nil {
-				return fileMetaErr
-			}
-
-			rootFiles = append(rootFiles, &mpi.File{FileMeta: rootFileMeta})
-
-			return nil
-		},
-	)
-	if err != nil {
-		slog.WarnContext(ctx, "Unable to walk root directory", "root_directory", rootDir)
-	}
-
-	return rootFiles
-}
-
 func (ncp *NginxConfigParser) sslCert(ctx context.Context, file, rootDir string) (sslCertFile *mpi.File) {
 	if strings.Contains(file, "$") {
 		// cannot process any filepath with variables