Report NGINX App Protect instances

Author: dhurley

api/grpc/mpi/v1/command.pb.go

@@ -362,6 +362,8 @@ message NGINXAppProtectRuntimeInfo {
     string attack_signature_version = 2;
     // Threat campaign version
     string threat_campaign_version = 3;
+    // Enforcer engine version
+    string enforcer_engine_version = 4;
 }
 
 // A set of actions that can be performed on an instance

api/grpc/mpi/v1/command.pb.validate.go

@@ -1053,6 +1053,7 @@ A set of runtime NGINX App Protect settings
 | release | [string](#string) |  | NGINX App Protect Release |
 | attack_signature_version | [string](#string) |  | Attack signature version |
 | threat_campaign_version | [string](#string) |  | Threat campaign version |
+| enforcer_engine_version | [string](#string) |  | Enforcer engine version |
 
 
 

api/grpc/mpi/v1/command.proto

@@ -32,25 +32,30 @@ const defaultAgentPath = "/run/nginx-agent"
 
 //go:generate go run github.com/maxbrunsfeld/counterfeiter/v6@v6.8.1 -generate
 //counterfeiter:generate . processParser
+//counterfeiter:generate . instanceFinder
 
 type (
 	processParser interface {
 		Parse(ctx context.Context, processes []*nginxprocess.Process) map[string]*mpi.Instance
 	}
 
+	instanceFinder interface {
+		Find(ctx context.Context) *mpi.Instance
+	}
+
 	InstanceWatcherService struct {
-		processOperator              process.ProcessOperatorInterface
-		nginxConfigParser            parser.ConfigParser
-		executer                     exec.ExecInterface
-		enabled                      *atomic.Bool
-		agentConfig                  *config.Config
-		instanceCache                map[string]*mpi.Instance
-		nginxConfigCache             map[string]*model.NginxConfigContext
-		instancesChannel             chan<- InstanceUpdatesMessage
-		nginxConfigContextChannel    chan<- NginxConfigContextMessage
-		nginxParser                  processParser
-		nginxAppProtectProcessParser processParser
-		cacheMutex                   sync.Mutex
+		processOperator               process.ProcessOperatorInterface
+		nginxConfigParser             parser.ConfigParser
+		executer                      exec.ExecInterface
+		enabled                       *atomic.Bool
+		agentConfig                   *config.Config
+		instanceCache                 map[string]*mpi.Instance
+		nginxConfigCache              map[string]*model.NginxConfigContext
+		instancesChannel              chan<- InstanceUpdatesMessage
+		nginxConfigContextChannel     chan<- NginxConfigContextMessage
+		nginxParser                   processParser
+		nginxAppProtectInstanceFinder instanceFinder
+		cacheMutex                    sync.Mutex
 	}
 
 	InstanceUpdates struct {
@@ -75,16 +80,16 @@ func NewInstanceWatcherService(agentConfig *config.Config) *InstanceWatcherServi
 	enabled.Store(true)
 
 	return &InstanceWatcherService{
-		agentConfig:                  agentConfig,
-		processOperator:              process.NewProcessOperator(),
-		nginxParser:                  NewNginxProcessParser(),
-		nginxAppProtectProcessParser: NewNginxAppProtectProcessParser(),
-		nginxConfigParser:            parser.NewNginxConfigParser(agentConfig),
-		instanceCache:                make(map[string]*mpi.Instance),
-		cacheMutex:                   sync.Mutex{},
-		nginxConfigCache:             make(map[string]*model.NginxConfigContext),
-		executer:                     &exec.Exec{},
-		enabled:                      enabled,
+		agentConfig:                   agentConfig,
+		processOperator:               process.NewProcessOperator(),
+		nginxParser:                   NewNginxProcessParser(),
+		nginxAppProtectInstanceFinder: NewNginxAppProtectInstanceFinder(),
+		nginxConfigParser:             parser.NewNginxConfigParser(agentConfig),
+		instanceCache:                 make(map[string]*mpi.Instance),
+		cacheMutex:                    sync.Mutex{},
+		nginxConfigCache:              make(map[string]*model.NginxConfigContext),
+		executer:                      &exec.Exec{},
+		enabled:                       enabled,
 	}
 }
 
@@ -265,7 +270,7 @@ func (iw *InstanceWatcherService) instanceUpdates(ctx context.Context) (
 ) {
 	iw.cacheMutex.Lock()
 	defer iw.cacheMutex.Unlock()
-	nginxProcesses, nginxAppProtectProcesses, err := iw.processOperator.Processes(ctx)
+	nginxProcesses, err := iw.processOperator.Processes(ctx)
 	if err != nil {
 		return instanceUpdates, err
 	}
@@ -280,10 +285,11 @@ func (iw *InstanceWatcherService) instanceUpdates(ctx context.Context) (
 		instancesFound[instance.GetInstanceMeta().GetInstanceId()] = instance
 	}
 
-	nginxAppProtectInstances := iw.nginxAppProtectProcessParser.Parse(ctx, nginxAppProtectProcesses)
-	for _, instance := range nginxAppProtectInstances {
-		instancesFound[instance.GetInstanceMeta().GetInstanceId()] = instance
+	nginxAppProtectInstance := iw.nginxAppProtectInstanceFinder.Find(ctx)
+	if nginxAppProtectInstance != nil {
+		instancesFound[nginxAppProtectInstance.GetInstanceMeta().GetInstanceId()] = nginxAppProtectInstance
 	}
+
 	newInstances, updatedInstances, deletedInstances := compareInstances(iw.instanceCache, instancesFound)
 
 	instanceUpdates.NewInstances = newInstances

docs/proto/protos.md

@@ -28,14 +28,17 @@ func TestInstanceWatcherService_checkForUpdates(t *testing.T) {
 	nginxConfigContext := testModel.ConfigContext()
 
 	fakeProcessWatcher := &processfakes.FakeProcessOperatorInterface{}
-	fakeProcessWatcher.ProcessesReturns(nil, nil, nil)
+	fakeProcessWatcher.ProcessesReturns(nil, nil)
 
 	fakeProcessParser := &instancefakes.FakeProcessParser{}
 	fakeProcessParser.ParseReturns(map[string]*mpi.Instance{
 		protos.NginxOssInstance([]string{}).GetInstanceMeta().GetInstanceId(): protos.
 			NginxOssInstance([]string{}),
 	})
 
+	fakeNginxAppProtectInstanceFinder := &instancefakes.FakeInstanceFinder{}
+	fakeNginxAppProtectInstanceFinder.FindReturns(protos.NginxAppProtectInstance())
+
 	fakeNginxConfigParser := &instancefakes.FakeNginxConfigParser{}
 	fakeNginxConfigParser.ParseReturns(nginxConfigContext, nil)
 	instanceUpdatesChannel := make(chan InstanceUpdatesMessage, 1)
@@ -44,15 +47,15 @@ func TestInstanceWatcherService_checkForUpdates(t *testing.T) {
 	instanceWatcherService := NewInstanceWatcherService(types.AgentConfig())
 	instanceWatcherService.processOperator = fakeProcessWatcher
 	instanceWatcherService.nginxParser = fakeProcessParser
-	instanceWatcherService.nginxAppProtectProcessParser = fakeProcessParser
+	instanceWatcherService.nginxAppProtectInstanceFinder = fakeNginxAppProtectInstanceFinder
 	instanceWatcherService.nginxConfigParser = fakeNginxConfigParser
 	instanceWatcherService.instancesChannel = instanceUpdatesChannel
 	instanceWatcherService.nginxConfigContextChannel = nginxConfigContextChannel
 
 	instanceWatcherService.checkForUpdates(ctx)
 
 	instanceUpdatesMessage := <-instanceUpdatesChannel
-	assert.Len(t, instanceUpdatesMessage.InstanceUpdates.NewInstances, 2)
+	assert.Len(t, instanceUpdatesMessage.InstanceUpdates.NewInstances, 3)
 	assert.Empty(t, instanceUpdatesMessage.InstanceUpdates.DeletedInstances)
 
 	nginxConfigContextMessage := <-nginxConfigContextChannel
@@ -67,6 +70,7 @@ func TestInstanceWatcherService_instanceUpdates(t *testing.T) {
 	nginxInstance := protos.NginxOssInstance([]string{})
 	nginxInstanceWithDifferentPID := protos.NginxOssInstance([]string{})
 	nginxInstanceWithDifferentPID.GetInstanceRuntime().ProcessId = 3526
+	napInstance := protos.NginxAppProtectInstance()
 
 	tests := []struct {
 		name                    string
@@ -78,6 +82,7 @@ func TestInstanceWatcherService_instanceUpdates(t *testing.T) {
 			name: "Test 1: No updates",
 			oldInstances: map[string]*mpi.Instance{
 				agentInstance.GetInstanceMeta().GetInstanceId(): agentInstance,
+				napInstance.GetInstanceMeta().GetInstanceId():   napInstance,
 			},
 			parsedInstances:         make(map[string]*mpi.Instance),
 			expectedInstanceUpdates: InstanceUpdates{},
@@ -94,6 +99,7 @@ func TestInstanceWatcherService_instanceUpdates(t *testing.T) {
 			expectedInstanceUpdates: InstanceUpdates{
 				NewInstances: []*mpi.Instance{
 					nginxInstance,
+					napInstance,
 				},
 			},
 		},
@@ -102,6 +108,7 @@ func TestInstanceWatcherService_instanceUpdates(t *testing.T) {
 			oldInstances: map[string]*mpi.Instance{
 				agentInstance.GetInstanceMeta().GetInstanceId():                 agentInstance,
 				nginxInstanceWithDifferentPID.GetInstanceMeta().GetInstanceId(): nginxInstanceWithDifferentPID,
+				napInstance.GetInstanceMeta().GetInstanceId():                   napInstance,
 			},
 			parsedInstances: map[string]*mpi.Instance{
 				agentInstance.GetInstanceMeta().GetInstanceId(): agentInstance,
@@ -119,6 +126,7 @@ func TestInstanceWatcherService_instanceUpdates(t *testing.T) {
 				agentInstance.GetInstanceMeta().GetInstanceId(): agentInstance,
 				protos.NginxOssInstance([]string{}).GetInstanceMeta().
 					GetInstanceId(): protos.NginxOssInstance([]string{}),
+				napInstance.GetInstanceMeta().GetInstanceId(): napInstance,
 			},
 			parsedInstances: make(map[string]*mpi.Instance),
 			expectedInstanceUpdates: InstanceUpdates{
@@ -132,7 +140,7 @@ func TestInstanceWatcherService_instanceUpdates(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(tt *testing.T) {
 			fakeProcessWatcher := &processfakes.FakeProcessOperatorInterface{}
-			fakeProcessWatcher.ProcessesReturns(nil, nil, nil)
+			fakeProcessWatcher.ProcessesReturns(nil, nil)
 
 			fakeProcessParser := &instancefakes.FakeProcessParser{}
 			fakeProcessParser.ParseReturns(test.parsedInstances)
@@ -141,10 +149,13 @@ func TestInstanceWatcherService_instanceUpdates(t *testing.T) {
 			fakeExec.ExecutableReturns(defaultAgentPath, nil)
 			fakeExec.ProcessIDReturns(processID)
 
+			fakeNginxAppProtectInstanceFinder := &instancefakes.FakeInstanceFinder{}
+			fakeNginxAppProtectInstanceFinder.FindReturns(napInstance)
+
 			instanceWatcherService := NewInstanceWatcherService(types.AgentConfig())
 			instanceWatcherService.processOperator = fakeProcessWatcher
 			instanceWatcherService.nginxParser = fakeProcessParser
-			instanceWatcherService.nginxAppProtectProcessParser = fakeProcessParser
+			instanceWatcherService.nginxAppProtectInstanceFinder = fakeNginxAppProtectInstanceFinder
 			instanceWatcherService.instanceCache = test.oldInstances
 			instanceWatcherService.executer = fakeExec