Add NGINX App Protect instance watcher

Author: dhurley

internal/watcher/instance/nginx-app-protect-instance-watcher.go

@@ -40,6 +40,7 @@ type NginxAppProtectInstanceWatcher struct {
 	watcher                 *fsnotify.Watcher
 	instancesChannel        chan<- InstanceUpdatesMessage
 	nginxAppProtectInstance *mpi.Instance
+	filesBeingWatcher       map[string]bool
 	version                 string
 	release                 string
 	attackSignatureVersion  string
@@ -49,7 +50,8 @@ type NginxAppProtectInstanceWatcher struct {
 
 func NewNginxAppProtectInstanceWatcher(agentConfig *config.Config) *NginxAppProtectInstanceWatcher {
 	return &NginxAppProtectInstanceWatcher{
-		agentConfig: agentConfig,
+		agentConfig:       agentConfig,
+		filesBeingWatcher: make(map[string]bool),
 	}
 }
 
@@ -85,6 +87,8 @@ func (w *NginxAppProtectInstanceWatcher) Watch(ctx context.Context, instancesCha
 
 			return
 		case <-instanceWatcherTicker.C:
+			// Need to keep watching directories in case NAP gets installed a while after NGINX Agent is started
+			w.watchDirectories(ctx)
 			w.checkForUpdates(ctx)
 		case event := <-w.watcher.Events:
 			w.handleEvent(ctx, event)
@@ -96,29 +100,52 @@ func (w *NginxAppProtectInstanceWatcher) Watch(ctx context.Context, instancesCha
 
 func (w *NginxAppProtectInstanceWatcher) watchDirectories(ctx context.Context) {
 	for _, versionFile := range versionFiles {
-		if err := w.watcher.Add(versionFile); err != nil {
+		if !w.filesBeingWatcher[versionFile] {
+			if _, fileOs := os.Stat(versionFile); fileOs != nil && !os.IsNotExist(fileOs) {
+				w.filesBeingWatcher[versionFile] = false
+				continue
+			}
+
+			w.addWatcher(ctx, versionFile)
+			w.filesBeingWatcher[versionFile] = true
+
+			// On startup we need to read the files initially if they are discovered for the first time
+			w.readVersionFile(ctx, versionFile)
+		}
+	}
+}
+
+func (w *NginxAppProtectInstanceWatcher) addWatcher(ctx context.Context, versionFile string) {
+	if err := w.watcher.Add(versionFile); err != nil {
+		slog.ErrorContext(
+			ctx,
+			"Failed to add NGINX App Protect file watcher",
+			"file", versionFile, "error", err,
+		)
+		removeError := w.watcher.Remove(versionFile)
+		if removeError != nil {
 			slog.ErrorContext(
 				ctx,
-				"Failed to add NGINX App Protect file watcher",
-				"file", versionFile, "error", err,
+				"Failed to remove NGINX App Protect file watcher",
+				"file", versionFile, "error", removeError,
 			)
-			removeError := w.watcher.Remove(versionFile)
-			if removeError != nil {
-				slog.ErrorContext(
-					ctx,
-					"Failed to remove NGINX App Protect file watcher",
-					"file", versionFile, "error", removeError,
-				)
-			}
 		}
 	}
+}
 
-	// Check if files exists on startup
-	w.version = w.readFile(ctx, versionFilePath)
-	w.release = w.readFile(ctx, releaseFilePath)
-	w.attackSignatureVersion = w.readFile(ctx, attackSignatureVersionFilePath)
-	w.threatCampaignVersion = w.readFile(ctx, threatCampaignVersionFilePath)
-	w.enforcerEngineVersion = w.readFile(ctx, enforcerEngineVersionFilePath)
+func (w *NginxAppProtectInstanceWatcher) readVersionFile(ctx context.Context, versionFile string) {
+	switch {
+	case versionFile == versionFilePath:
+		w.version = w.readFile(ctx, versionFilePath)
+	case versionFile == releaseFilePath:
+		w.release = w.readFile(ctx, releaseFilePath)
+	case versionFile == threatCampaignVersionFilePath:
+		w.threatCampaignVersion = w.readFile(ctx, threatCampaignVersionFilePath)
+	case versionFile == enforcerEngineVersionFilePath:
+		w.enforcerEngineVersion = w.readFile(ctx, enforcerEngineVersionFilePath)
+	case versionFile == attackSignatureVersionFilePath:
+		w.attackSignatureVersion = w.readFile(ctx, attackSignatureVersionFilePath)
+	}
 }
 
 func (w *NginxAppProtectInstanceWatcher) handleEvent(ctx context.Context, event fsnotify.Event) {

internal/watcher/instance/nginx-app-protect-instance-watcher_test.go

@@ -7,6 +7,7 @@ package instance
 
 import (
 	"context"
+	"log/slog"
 	"os"
 	"testing"
 	"time"
@@ -23,6 +24,8 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+const timeout = 5 * time.Second
+
 func TestNginxAppProtectInstanceWatcher_Watch(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
@@ -88,6 +91,8 @@ func TestNginxAppProtectInstanceWatcher_Watch(t *testing.T) {
 		},
 	)
 
+	slog.SetLogLoggerLevel(slog.LevelDebug)
+
 	go nginxAppProtectInstanceWatcher.Watch(ctx, instancesChannel)
 
 	t.Run("Test 1: New instance", func(t *testing.T) {
@@ -101,7 +106,7 @@ func TestNginxAppProtectInstanceWatcher_Watch(t *testing.T) {
 				proto.Equal(instanceUpdates.InstanceUpdates.NewInstances[0], expectedInstance),
 				"expected %s, actual %s", expectedInstance, instanceUpdates.InstanceUpdates.NewInstances[0],
 			)
-		case <-time.After(5 * time.Second):
+		case <-time.After(timeout):
 			t.Fatalf("Timed out waiting for instance updates")
 		}
 	})
@@ -122,7 +127,7 @@ func TestNginxAppProtectInstanceWatcher_Watch(t *testing.T) {
 				proto.Equal(instanceUpdates.InstanceUpdates.UpdatedInstances[0], expectedInstance),
 				"expected %s, actual %s", expectedInstance, instanceUpdates.InstanceUpdates.UpdatedInstances[0],
 			)
-		case <-time.After(5 * time.Second):
+		case <-time.After(timeout):
 			t.Fatalf("Timed out waiting for instance updates")
 		}
 	})
@@ -139,7 +144,7 @@ func TestNginxAppProtectInstanceWatcher_Watch(t *testing.T) {
 				proto.Equal(instanceUpdates.InstanceUpdates.DeletedInstances[0], expectedInstance),
 				"expected %s, actual %s", expectedInstance, instanceUpdates.InstanceUpdates.DeletedInstances[0],
 			)
-		case <-time.After(5 * time.Second):
+		case <-time.After(timeout):
 			t.Fatalf("Timed out waiting for instance updates")
 		}
 	})