Add config parser tests for SSLCerts

john-david3 · john-david3 · commit f4cf4f050f16 · 2025-04-17T14:17:21.000+01:00
diff --git a/internal/watcher/instance/nginx_config_parser_test.go b/internal/watcher/instance/nginx_config_parser_test.go
@@ -12,6 +12,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"os"
+	"sort"
 	"testing"
 
 	"google.golang.org/protobuf/types/known/timestamppb"
@@ -260,6 +261,7 @@ var (
 `
 )
 
+// nolint: maintidx
 func TestNginxConfigParser_Parse(t *testing.T) {
 	ctx := context.Background()
 	dir := t.TempDir()
@@ -288,6 +290,20 @@ func TestNginxConfigParser_Parse(t *testing.T) {
 	fileMetaAllowedFiles, err := files.FileMeta(allowedFile.Name())
 	require.NoError(t, err)
 
+	_, cert := helpers.GenerateSelfSignedCert(t)
+	certContents := helpers.Cert{Name: "nginx.cert", Type: "CERTIFICATE", Contents: cert}
+	certFile := helpers.WriteCertFiles(t, dir, certContents)
+	require.NotNil(t, certFile)
+	fileMetaCertFiles, err := files.FileMetaWithCertificate(certFile)
+	require.NoError(t, err)
+
+	_, diffCert := helpers.GenerateSelfSignedCert(t)
+	diffCertContents := helpers.Cert{Name: "nginx1.cert", Type: "CERTIFICATE", Contents: diffCert}
+	diffCertFile := helpers.WriteCertFiles(t, dir, diffCertContents)
+	require.NotNil(t, diffCertFile)
+	diffFileMetaCertFiles, err := files.FileMetaWithCertificate(diffCertFile)
+	require.NoError(t, err)
+
 	tests := []struct {
 		instance              *mpi.Instance
 		name                  string
@@ -368,6 +384,125 @@ func TestNginxConfigParser_Parse(t *testing.T) {
 			},
 			allowedDirectories: []string{dir},
 		},
+		{
+			name:     "Test 4: Check Parser for SSL Certs",
+			instance: protos.GetNginxPlusInstance([]string{}),
+			content: testconfig.GetNginxConfigWithSSLCerts(
+				errorLog.Name(),
+				accessLog.Name(),
+				certFile,
+			),
+			expectedConfigContext: &model.NginxConfigContext{
+				StubStatus: &model.APIDetails{},
+				PlusAPI:    &model.APIDetails{},
+				InstanceID: protos.GetNginxPlusInstance([]string{}).GetInstanceMeta().GetInstanceId(),
+				Files: []*mpi.File{
+					{
+						FileMeta: fileMetaCertFiles,
+					},
+				},
+				AccessLogs: []*model.AccessLog{
+					{
+						Name: accessLog.Name(),
+						Format: "$remote_addr - $remote_user [$time_local] \"$request\" $status $body_bytes_sent " +
+							"\"$http_referer\" \"$http_user_agent\" \"$http_x_forwarded_for\" \"$bytes_sent\" " +
+							"\"$request_length\" \"$request_time\" \"$gzip_ratio\" $server_protocol ",
+						Permissions: "0600",
+						Readable:    true,
+					},
+				},
+				ErrorLogs: []*model.ErrorLog{
+					{
+						Name:        errorLog.Name(),
+						Permissions: "0600",
+						Readable:    true,
+					},
+				},
+				NAPSysLogServers: nil,
+			},
+			allowedDirectories: []string{dir},
+		},
+		{
+			name:     "Test 5: Check for multiple different SSL Certs",
+			instance: protos.GetNginxPlusInstance([]string{}),
+			content: testconfig.GetNginxConfigWithMultipleSSLCerts(
+				errorLog.Name(),
+				accessLog.Name(),
+				certFile,
+				diffCertFile,
+			),
+			expectedConfigContext: &model.NginxConfigContext{
+				StubStatus: &model.APIDetails{},
+				PlusAPI:    &model.APIDetails{},
+				InstanceID: protos.GetNginxPlusInstance([]string{}).GetInstanceMeta().GetInstanceId(),
+				Files: []*mpi.File{
+					{
+						FileMeta: fileMetaCertFiles,
+					},
+					{
+						FileMeta: diffFileMetaCertFiles,
+					},
+				},
+				AccessLogs: []*model.AccessLog{
+					{
+						Name: accessLog.Name(),
+						Format: "$remote_addr - $remote_user [$time_local] \"$request\" $status $body_bytes_sent " +
+							"\"$http_referer\" \"$http_user_agent\" \"$http_x_forwarded_for\" \"$bytes_sent\" " +
+							"\"$request_length\" \"$request_time\" \"$gzip_ratio\" $server_protocol ",
+						Permissions: "0600",
+						Readable:    true,
+					},
+				},
+				ErrorLogs: []*model.ErrorLog{
+					{
+						Name:        errorLog.Name(),
+						Permissions: "0600",
+						Readable:    true,
+					},
+				},
+				NAPSysLogServers: nil,
+			},
+			allowedDirectories: []string{dir},
+		},
+		{
+			name:     "Test 6: Check for multiple same SSL Certs",
+			instance: protos.GetNginxPlusInstance([]string{}),
+			content: testconfig.GetNginxConfigWithMultipleSSLCerts(
+				errorLog.Name(),
+				accessLog.Name(),
+				certFile,
+				certFile,
+			),
+			expectedConfigContext: &model.NginxConfigContext{
+				StubStatus: &model.APIDetails{},
+				PlusAPI:    &model.APIDetails{},
+				InstanceID: protos.GetNginxPlusInstance([]string{}).GetInstanceMeta().GetInstanceId(),
+				Files: []*mpi.File{
+					{
+						FileMeta: fileMetaCertFiles,
+					},
+				},
+				AccessLogs: []*model.AccessLog{
+					{
+						Name: accessLog.Name(),
+						Format: "$remote_addr - $remote_user [$time_local] \"$request\" $status $body_bytes_sent " +
+							"\"$http_referer\" \"$http_user_agent\" \"$http_x_forwarded_for\" \"$bytes_sent\" " +
+							"\"$request_length\" \"$request_time\" \"$gzip_ratio\" $server_protocol ",
+						Permissions: "0600",
+						Readable:    true,
+					},
+				},
+				ErrorLogs: []*model.ErrorLog{
+					{
+						Name:        errorLog.Name(),
+						Permissions: "0600",
+						Readable:    true,
+					},
+				},
+				NAPSysLogServers: nil,
+			},
+			allowedDirectories: []string{dir},
+		},
 	}
 
 	for _, test := range tests {
@@ -391,13 +526,19 @@ func TestNginxConfigParser_Parse(t *testing.T) {
 			result, parseError := nginxConfig.Parse(ctx, test.instance)
 			require.NoError(t, parseError)
 
+			sort.Slice(test.expectedConfigContext.Files, func(i, j int) bool {
+				return test.expectedConfigContext.Files[i].GetFileMeta().GetName() >
+					test.expectedConfigContext.Files[j].GetFileMeta().GetName()
+			})
+
 			assert.ElementsMatch(t, test.expectedConfigContext.Files, result.Files)
 			assert.Equal(t, test.expectedConfigContext.NAPSysLogServers, result.NAPSysLogServers)
 			assert.Equal(t, test.expectedConfigContext.PlusAPI, result.PlusAPI)
 			assert.ElementsMatch(t, test.expectedConfigContext.AccessLogs, result.AccessLogs)
 			assert.ElementsMatch(t, test.expectedConfigContext.ErrorLogs, result.ErrorLogs)
 			assert.Equal(t, test.expectedConfigContext.StubStatus, result.StubStatus)
 			assert.Equal(t, test.expectedConfigContext.InstanceID, result.InstanceID)
+			assert.Equal(t, len(test.expectedConfigContext.Files), len(result.Files))
 		})
 	}
 }
diff --git a/test/config/nginx/nginx-with-multiple-ssl-certs.conf b/test/config/nginx/nginx-with-multiple-ssl-certs.conf
@@ -0,0 +1,49 @@
+worker_processes  1;
+error_log  %s;
+events {
+    worker_connections  1024;
+}
+
+http {
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                  '$status $body_bytes_sent "$http_referer" '
+                  '"$http_user_agent" "$http_x_forwarded_for" '
+                  '"$bytes_sent" "$request_length" "$request_time" '
+                  '"$gzip_ratio" $server_protocol ';
+
+    access_log %s main;
+
+    sendfile        on;
+    keepalive_timeout  65;
+
+    server {
+        listen       8080;
+        server_name  localhost;
+
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+        }
+        
+        ssl_certificate %s;
+        ssl_certificate %s;
+
+        ##
+        # Enable Metrics
+        ##
+        location /api {
+            stub_status;
+            allow 127.0.0.1;
+            deny all;
+        }
+        
+        # redirect server error pages to the static page /50x.html
+        #
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
+    }
+}
diff --git a/test/config/nginx/nginx-with-ssl-certs.conf b/test/config/nginx/nginx-with-ssl-certs.conf
@@ -0,0 +1,48 @@
+worker_processes  1;
+error_log  %s;
+events {
+    worker_connections  1024;
+}
+
+http {
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                  '$status $body_bytes_sent "$http_referer" '
+                  '"$http_user_agent" "$http_x_forwarded_for" '
+                  '"$bytes_sent" "$request_length" "$request_time" '
+                  '"$gzip_ratio" $server_protocol ';
+
+    access_log %s main;
+
+    sendfile        on;
+    keepalive_timeout  65;
+
+    server {
+        listen       8080;
+        server_name  localhost;
+
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+        }
+        
+        ssl_certificate %s;
+
+        ##
+        # Enable Metrics
+        ##
+        location /api {
+            stub_status;
+            allow 127.0.0.1;
+            deny all;
+        }
+        
+        # redirect server error pages to the static page /50x.html
+        #
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
+    }
+}
diff --git a/test/config/nginx_config.go b/test/config/nginx_config.go
@@ -16,6 +16,12 @@ var embedNginxConfWithMultipleAccessLogs string
 //go:embed nginx/nginx-not-allowed-dir.conf
 var embedNginxConfWithNotAllowedDir string
 
+//go:embed nginx/nginx-with-ssl-certs.conf
+var embedNginxConfWithSSLCerts string
+
+//go:embed nginx/nginx-with-multiple-ssl-certs.conf
+var embedNginxConfWithMultipleSSLCerts string
+
 func GetNginxConfigWithMultipleAccessLogs(
 	errorLogName,
 	accessLogName,
@@ -34,3 +40,11 @@ func GetNginxConfigWithMultipleAccessLogs(
 func GetNginxConfigWithNotAllowedDir(errorLogFile, notAllowedFile, allowedFileDir, accessLogFile string) string {
 	return fmt.Sprintf(embedNginxConfWithNotAllowedDir, errorLogFile, notAllowedFile, allowedFileDir, accessLogFile)
 }
+
+func GetNginxConfigWithSSLCerts(errorLogFile, accessLogFile, certFile string) string {
+	return fmt.Sprintf(embedNginxConfWithSSLCerts, errorLogFile, accessLogFile, certFile)
+}
+
+func GetNginxConfigWithMultipleSSLCerts(errorLogFile, accessLogFile, certFile1, certFile2 string) string {
+	return fmt.Sprintf(embedNginxConfWithMultipleSSLCerts, errorLogFile, accessLogFile, certFile1, certFile2)
+}
