4.2.4 (#45)

* 20240329-01 commit
- changed return code to 412 if devportal service unreachable

* 20240409-01 commit
- mTLS fixes

Author: fabriziofiorucci

FEATURES.md

@@ -67,7 +67,16 @@ Client-side authentication profiles to be defined under `.declaration.http.authe
     "type": "mtls",
     "mtls": {
         "enabled": "<on|off|optional|optional_no_ca>",
-        "client_certificates": "<CLIENT_CERTIFICATES_OBJECT_NAME>"
+        "client_certificates": "<CLIENT_CERTIFICATES_OBJECT_NAME>",
+        "ocsp": {
+            "enabled": "on",
+            "responder": "<OCSP_RESPONDER_URL>"
+        },
+        "stapling": {
+            "enabled": true,
+            "verify": true,
+            "responder": "<OCSP_RESPONDER_URL>"
+        }
     }
 }
 ```

contrib/postman/NGINX Declarative API.postman_collection.json

@@ -393,7 +393,7 @@ def createconfig(declaration: ConfigDeclaration, apiversion: str, runfromautosyn
                         status, devPortalHTML = v4_2.DevPortal.createDevPortal(locationDeclaration = loc, authProfiles = d['declaration']['http']['authentication'])
 
                         if status != 200:
-                            return {"status_code": 400,
+                            return {"status_code": 412,
                                     "message": {"status_code": status, "message":
                                         {"code": status, "content": f"Developer Portal creation failed for {loc['uri']}"}}}
 

src/V4_2_CreateConfig.py

@@ -166,6 +166,8 @@ class Ocsp(BaseModel, extra="forbid"):
 class AuthClientMtls(BaseModel, extra="forbid"):
     enabled: Optional[str] = "off"
     client_certificates: str = ""
+    ocsp: Optional[Ocsp] = {}
+    stapling: Optional[OcspStapling] = {}
 
     @model_validator(mode='after')
     def check_type(self) -> 'AuthClientMtls':
@@ -184,8 +186,6 @@ class Tls(BaseModel, extra="forbid"):
     trusted_ca_certificates: str = ""
     ciphers: Optional[str] = ""
     protocols: Optional[List[str]] = []
-    ocsp: Optional[Ocsp] = {}
-    stapling: Optional[OcspStapling] = {}
     authentication: Optional[LocationAuth] = {}
 
 
@@ -453,13 +453,13 @@ def check_type(self) -> 'NjsHookLocationDetails':
 
         return self
 
+
 class NjsHookHttpServer(BaseModel, extra="forbid"):
     hook: NjsHookHttpServerDetails
     profile: str
     function: str
 
 
-
 class NjsHookLocation(BaseModel, extra="forbid"):
     hook: NjsHookLocationDetails
     profile: str

src/V4_2_NginxConfigDeclaration.py

@@ -3,4 +3,23 @@ ssl_verify_client {{ authprofile.mtls.enabled }};
 {% if authprofile.mtls.client_certificates -%}
 ssl_client_certificate {{ ncgconfig.nms.certs_dir }}/{{ authprofile.mtls.client_certificates }}.crt;
 {% endif %}
+
+{# --- OCSP section start --- #}
+{%- if authprofile.mtls.ocsp and authprofile.mtls.ocsp.enabled|lower != "off" -%}
+ssl_ocsp {{ authprofile.mtls.ocsp.enabled }};
+{% if authprofile.mtls.ocsp.responder -%}
+ssl_ocsp_responder {{ authprofile.mtls.ocsp.responder }};
+{% endif %}
+{% endif %}
+{# --- OCSP section end --- #}
+
+{# --- TLS stapling section start --- #}
+{%- if authprofile.mtls.stapling and authprofile.mtls.stapling.enabled == True -%}
+ssl_stapling on;
+ssl_stapling_verify {% if authprofile.mtls.stapling.verify == True %}on{% else %}off{% endif %};
+{% if authprofile.mtls.stapling.responder -%}
+ssl_stapling_responder {{ authprofile.mtls.stapling.responder }};
+{% endif -%}
+{%- endif %}
+{# --- TLS stapling section end --- #}
 {% endif %}

templates/v4.2/authn/client/mtls.tmpl

@@ -143,26 +143,6 @@ server {
     include "{{ ncgconfig.nms.auth_client_dir }}/{{ s.listen.tls.authentication.client[0].profile | replace(" ", "_") }}.conf";
     {% endif %}
 
-    {# --- OCSP section start --- #}
-    {%- if s.listen.tls.ocsp and s.listen.tls.ocsp.enabled|lower != "off" -%}
-    ssl_ocsp {{ s.listen.tls.ocsp.enabled }};
-    {% if s.listen.tls.ocsp.responder -%}
-    ssl_ocsp_responder {{ s.listen.tls.ocsp.responder }};
-    {% endif %}
-    {% endif %}
-    {# --- OCSP section end --- #}
-
-    {# --- TLS stapling section start --- #}
-    {%- if s.listen.tls.stapling and s.listen.tls.stapling.enabled == True -%}
-    ssl_stapling on;
-    ssl_stapling_verify {% if s.listen.tls.stapling.verify == True %}on{% else %}off{% endif %};
-    {% if s.listen.tls.stapling.responder -%}
-    ssl_stapling_responder {{ s.listen.tls.stapling.responder }};
-
-    {% endif -%}
-    {%- endif %}
-    {# --- TLS stapling section end --- #}
-
     {%- endif %}
     {# --- TLS section end --- #}
 
@@ -418,12 +398,11 @@ server {
         {% endif %}
         {% endif %}
 
-        {# --- Location snippets --- #}
-
-        {% if loc.apigateway.api_gateway.enabled == True %}
+        {% if loc.apigateway and loc.apigateway.api_gateway.enabled == True %}
         include "{{ ncgconfig.nms.apigw_dir }}{{ loc.uri }}.conf";
         {% endif %}
 
+        {# --- Location snippets --- #}
         {% if loc.snippet and loc.snippet.content %}{{ loc.snippet.content | b64decode }}{% endif %}
 
     }