add nap paths by default, update agent config during upgrade

Author: sean-breen

internal/config/defaults.go

@@ -106,6 +106,8 @@ func DefaultAllowedDirectories() []string {
 		"/usr/share/nginx/modules",
 		"/var/run/nginx",
 		"/var/log/nginx",
+		"/opt/app_protect",
+		"/etc/app_protect",
 	}
 }
 

internal/watcher/instance/nginx-app-protect-instance-watcher.go

@@ -26,6 +26,7 @@ var (
 	attackSignatureVersionFilePath = "/opt/app_protect/var/update_files/signatures/version"
 	threatCampaignVersionFilePath  = "/opt/app_protect/var/update_files/threat_campaigns/version"
 	enforcerEngineVersionFilePath  = "/opt/app_protect/bd_config/enforcer.version"
+	napConfigPath                  = "/etc/app_protect"
 
 	versionFiles = []string{
 		versionFilePath,
@@ -232,11 +233,6 @@ func (w *NginxAppProtectInstanceWatcher) createInstance(ctx context.Context) {
 			InstanceChildren: make([]*mpi.InstanceChild, 0),
 		},
 	}
-
-	slog.InfoContext(ctx, "Discovered a new NGINX App Protect instance")
-	w.agentConfig.AllowedDirectories = append(w.agentConfig.AllowedDirectories, napDirPath)
-	slog.InfoContext(ctx, "Added NAP directory to allowed directories", "directories", w.agentConfig.AllowedDirectories)
-
 	w.instancesChannel <- InstanceUpdatesMessage{
 		CorrelationID: logger.CorrelationIDAttr(ctx),
 		InstanceUpdates: InstanceUpdates{

scripts/packages/upgrade-agent-config.sh

@@ -52,7 +52,9 @@ for config_dir in $config_dirs; do
 done
 
 allowed_directories="${allowed_directories}\n  - /var/log/nginx"
-       
+allowed_directories="${allowed_directories}\n  - /opt/app_protect"
+allowed_directories="${allowed_directories}\n  - /etc/app_protect"
+
 v3_config_contents="
 #
 # /etc/nginx-agent/nginx-agent.conf