Replace Jinja2 sequence checks with mapping (dictionary) checks (#189)

alessfg · web-flow · commit 767db05cee11 · 2021-10-27T19:07:06.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## 0.4.2 (Unreleased)
+
+BUG FIXES:
+
+Dictionaries are a sequence per Jinja2 contrary to Python's defaults (dictionaries are not a sequence in Python). The template conditionals assumed the latter.
+
 ## 0.4.1 (October 25, 2021)
 
 BUG FIXES:
diff --git a/defaults/main/template.yml b/defaults/main/template.yml
diff --git a/molecule/common/requirements/oss_requirements.yml b/molecule/common/requirements/oss_requirements.yml
@@ -1,4 +1,4 @@
 ---
 roles:
   - name: nginxinc.nginx
-    version: 0.21.2
+    version: 0.21.3
diff --git a/molecule/common/requirements/plus_requirements.yml b/molecule/common/requirements/plus_requirements.yml
@@ -1,6 +1,6 @@
 ---
 roles:
   - name: nginxinc.nginx
-    version: 0.21.2
+    version: 0.21.3
   - name: nginxinc.nginx_app_protect
-    version: 0.6.1
+    version: 0.6.2
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -46,9 +46,8 @@
               daemon: true
               debug_points: abort
               env:
-                - variable: MALLOC_OPTIONS
-                - variable: PERL5LIB
-                  value: /data/site/modules
+                variable: PERL5LIB
+                value: /data/site/modules
               lock_file: logs/nginx.lock
               master_process: true
               pcre_jit: false
@@ -306,8 +305,10 @@
                 cookie_domain:
                   - domain: localhost
                     replacement: example.com
-                cookie_flags: false  # -- set to false
-                cookie_path: false
+                cookie_flags: false
+                cookie_path:
+                  path: $uri
+                  replacement: $uri
                 force_ranges: false
                 headers_hash_bucket_size: 64
                 headers_hash_max_size: 512
@@ -346,6 +347,17 @@
                   - field: Connection
                     value: close
                 socket_keepalive: false
+                ssl_certificate: /etc/ssl/certs/molecule.crt
+                ssl_certificate_key: /etc/ssl/private/molecule.key
+                ssl_ciphers: HIGH
+                ssl_conf_command:
+                  - Protocol TLSv1.2
+                ssl_name: $proxy_host
+                ssl_protocols: TLSv1.2
+                ssl_server_name: false
+                ssl_session_reuse: true
+                ssl_verify: false
+                ssl_verify_depth: 1
                 store: false
                 store_access:
                   user: rw
@@ -361,23 +373,29 @@
                   transparent: false
                 buffer_size: 4k
                 connect_timeout: 60s
-                hide_header:
-                  - X-Accel-Redirect
-                ignore_headers:
-                  - X-Accel-Redirect
+                hide_header: X-Accel-Redirect
+                ignore_headers: X-Accel-Redirect
                 intercept_errors: false
-                next_upstream:
-                  - timeout
+                next_upstream: timeout
                 next_upstream_timeout: 0
                 next_upstream_tries: 0
-                pass_header:
-                  - X-Accel-Charset
+                pass_header: X-Accel-Charset
                 read_timeout: 60s
                 send_timeout: 60s
                 set_header:
-                  - field: Accept-Encoding
-                    value: '""'
+                  field: Accept-Encoding
+                  value: '""'
                 socket_keepalive: false
+                ssl_certificate: /etc/ssl/certs/molecule.crt
+                ssl_certificate_key: /etc/ssl/private/molecule.key
+                ssl_ciphers: HIGH
+                ssl_conf_command: Protocol TLSv1.2
+                ssl_name: $proxy_host
+                ssl_protocols: TLSv1.2
+                ssl_server_name: false
+                ssl_session_reuse: true
+                ssl_verify: false
+                ssl_verify_depth: 1
               access:
                 allow:
                   - all
@@ -416,9 +434,9 @@
                     value: '"max-age=15768000; includeSubDomains"'
                     always: true
                 add_trailers:
-                  - name: Strict-Transport-Security
-                    value: '"max-age=15768000; includeSubDomains"'
-                    always: false
+                  name: Strict-Transport-Security
+                  value: '"max-age=15768000; includeSubDomains"'
+                  always: false
                 expires:
                   modified: true
                   time: "12h"
diff --git a/molecule/plus/converge.yml b/molecule/plus/converge.yml
@@ -203,8 +203,8 @@
                     name:
                       - info
                 header_set:
-                  - variable: $job
-                    name: info
+                  variable: $job
+                  name: info
                 leeway: 0s
                 type: nested
                 require: jwt
diff --git a/templates/core.j2 b/templates/core.j2
@@ -2,7 +2,7 @@
 
 {# NGINX Core template -- ngx_core_module #}
 {% macro main(main) %}
-{% if main['load_module'] is defined and main['load_module'] is sequence %}
+{% if main['load_module'] is defined and main['load_module'] is not mapping %}
 {% for module in main['load_module'] if main['load_module'] is not string %}
 load_module {{ module }};
 {% else %}
@@ -34,7 +34,7 @@ worker_shutdown_timeout {{ main['worker_shutdown_timeout'] }};
 {% endif %}
 
 {% if main['error_log'] is defined %}
-{% for log in main['error_log'] if (main['error_log'] is sequence and main['error_log'] is not string) %}
+{% for log in main['error_log'] if (main['error_log'] is not mapping and main['error_log'] is not string) %}
 error_log {{ log if log is string else log['file'] }}{{ (' ' + log['level'] | string) if log['level'] is defined }};
 {% else %}
 error_log {{ main['error_log'] if main['error_log'] is string else main['error_log']['file'] }}{{ (' ' + main['error_log']['level'] | string) if main['error_log']['level'] is defined }};
@@ -52,7 +52,7 @@ debug_points {{ main['debug_points'] }};
 {% endif %}
 
 {% if main['env'] is defined %}
-{% for env in main['env'] if (main['env'] is sequence and main['env'] is not string) %}
+{% for env in main['env'] if (main['env'] is not mapping and main['env'] is not string) %}
 env {{ env if env is string else env['variable'] }}{{ ('=' + env['value'] | string) if env['value'] is defined }};
 {% else %}
 env {{ main['env'] if main['env'] is string else main['env']['variable'] }}{{ ('=' + main['env']['value'] | string) if main['env']['value'] is defined }};
@@ -70,9 +70,11 @@ pcre_jit {{ main['pcre_jit'] | ternary('on', 'off') }};
 {% if main['ssl_engine'] is defined %}
 ssl_engine {{ main['ssl_engine'] }};
 {% endif %}
-{% if main['thread_pool'] is defined %}
-{% for thread in main['thread_pool'] %}
+{% if main['thread_pool'] is defined and main['thread_pool'] is not string %}
+{% for thread in main['thread_pool'] if main['thread_pool'] is not mapping %}
 thread_pool {{ thread['name'] }} {{ ('threads=' + thread['threads'] | string) if thread['threads'] is number }}{{ (' max_queue=' + thread['max_queue'] | string) if thread['max_queue'] is defined and thread['max_queue'] is number }};
+{% else %}
+thread_pool {{ main['thread_pool']['name'] }} {{ ('threads=' + main['thread_pool']['threads'] | string) if main['thread_pool']['threads'] is number }}{{ (' max_queue=' + main['thread_pool']['max_queue'] | string) if main['thread_pool']['max_queue'] is defined and main['thread_pool']['max_queue'] is number }};
 {% endfor %}
 {% endif %}
 {% if main['timer_resolution'] is defined %}
@@ -90,7 +92,7 @@ accept_mutex {{ events['accept_mutex'] | ternary('on', 'off') }};
 {% if events['accept_mutex_delay'] is defined %}
 accept_mutex_delay {{ events['accept_mutex_delay'] }};
 {% endif %}
-{% if events['debug_connection'] is defined and events['debug_connection'] is sequence %}
+{% if events['debug_connection'] is defined and events['debug_connection'] is not mapping %}
 {% for connection in events['debug_connection'] if events['debug_connection'] is not string %}
 debug_connection {{ connection }};
 {% else %}
diff --git a/templates/http/app_protect.j2 b/templates/http/app_protect.j2
@@ -11,8 +11,8 @@ app_protect_policy_file {{ app_protect_waf['policy_file'] }};
 {% if app_protect_waf['security_log_enable'] is defined and app_protect_waf['security_log_enable'] is boolean %}
 app_protect_security_log_enable {{ app_protect_waf['security_log_enable'] | ternary('on', 'off') }};
 {% endif %}
-{% if app_protect_waf['security_log'] is defined %}
-{% for security_log in app_protect_waf['security_log'] if (app_protect_waf['security_log'] is sequence and app_protect_waf['security_log'] is not string) %}
+{% if app_protect_waf['security_log'] is defined and app_protect_waf['security_log'] is not string %}
+{% for security_log in app_protect_waf['security_log'] if app_protect_waf['security_log'] is not mapping %}
 app_protect_security_log {{ security_log['path'] }} {{ security_log['dest'] }};
 {% else %}
 app_protect_security_log {{ app_protect_waf['security_log']['path'] }} {{ app_protect_waf['security_log']['dest'] }};
@@ -39,7 +39,7 @@ app_protect_reconnect_period_seconds {{ app_protect_waf['reconnect_period_second
 {% if app_protect_waf['request_buffer_overflow_action'] is defined and app_protect_waf['request_buffer_overflow_action'] in ['pass', 'drop'] %}{# Available only in 'http' context #}
 app_protect_request_buffer_overflow_action {{ app_protect_waf['request_buffer_overflow_action'] }};
 {% endif %}
-{% if app_protect_waf['user_defined_signatures'] is defined and app_protect_waf['user_defined_signatures'] is sequence %}{# Available only in 'http' context #}
+{% if app_protect_waf['user_defined_signatures'] is defined and app_protect_waf['user_defined_signatures'] is not mapping %}{# Available only in 'http' context #}
 {% for signature in app_protect_waf['user_defined_signatures'] if app_protect_waf['user_defined_signatures'] is not string %}
 app_protect_user_defined_signatures {{ signature }};
 {% else %}
@@ -62,7 +62,7 @@ app_protect_dos_name {{ app_protect_dos['name'] }};
 {% endif %}
 {% if app_protect_dos['monitor'] is defined and app_protect_dos['monitor'] is mapping %}
 app_protect_dos_monitor uri={{ app_protect_dos['monitor']['uri'] | ternary(app_protect_dos['monitor']['uri'], app_protect_dos['monitor']) }}{{ app_protect_dos['monitor']['protocol'] | ternary((' protocol=' + app_protect_dos['monitor']['protocol'] | string), '') }}{{ app_protect_dos['monitor']['timeout'] | ternary((' timeout=' + app_protect_dos['monitor']['timeout'] | string), '') }};
-{% elif app_protect_dos['monitor'] is defined %}
+{% elif app_protect_dos['monitor'] is defined and app_protect_dos['monitor'] is string %}
 app_protect_dos_monitor {{ app_protect_dos['monitor'] }};
 {% endif %}
 {% if app_protect_dos['security_log_enable'] is defined and app_protect_dos['security_log_enable'] is boolean %}
diff --git a/templates/http/auth.j2 b/templates/http/auth.j2
@@ -3,14 +3,14 @@
 
 {# NGINX HTTP Access -- ngx_http_access_module #}
 {% macro access(access) %}
-{% if access['allow'] is defined and access['allow'] is sequence %}
+{% if access['allow'] is defined and access['allow'] is not mapping %}
 {% for allow in access['allow'] if access['allow'] is not string %}
 allow {{ allow }};
 {% else %}
 allow {{ access['allow'] }};
 {% endfor %}
 {% endif %}
-{% if access['deny'] is defined and access['deny'] is sequence %}
+{% if access['deny'] is defined and access['deny'] is not mapping %}
 {% for deny in access['deny'] if access['deny'] is not string %}
 deny {{ deny }};
 {% else %}
@@ -48,14 +48,14 @@ auth_request_set {{ auth_request['set']['variable'] }} {{ auth_request['set']['v
 auth_jwt {{ 'off' if not auth_jwt['enable'] }}{{ auth_jwt['enable']['realm'] if auth_jwt['enable']['realm'] is defined }}{{ (' token=' + auth_jwt['enable']['token'] if auth_jwt['enable']['token'] is defined) }};
 {% endif %}
 {% if auth_jwt['claim_set'] is defined %}{# 'claim_set' is only available in the 'http' context #}
-{% for claim in auth_jwt['claim_set'] if (auth_jwt['claim_set'] is sequence and auth_jwt['claim_set'] is not string) %}
+{% for claim in auth_jwt['claim_set'] if (auth_jwt['claim_set'] is not mapping and auth_jwt['claim_set'] is not string) %}
 auth_jwt_claim_set {{ claim['variable'] }} {{ (claim['name'] if claim['name'] is string else claim['name'] | join(' ')) }};
 {% else %}
 auth_jwt_claim_set {{ auth_jwt['claim_set']['variable'] }} {{ (auth_jwt['claim_set']['name'] if auth_jwt['claim_set']['name'] is string else auth_jwt['claim_set']['name'] | join(' ')) }};
 {% endfor %}
 {% endif %}
 {% if auth_jwt['header_set'] is defined %}{# 'header_set' is only available in the 'http' context #}
-{% for claim in auth_jwt['header_set'] if (auth_jwt['header_set'] is sequence and auth_jwt['header_set'] is not string) %}
+{% for claim in auth_jwt['header_set'] if (auth_jwt['header_set'] is not mapping and auth_jwt['header_set'] is not string) %}
 auth_jwt_header_set {{ claim['variable'] }} {{ (claim['name'] if claim['name'] is string else claim['name'] | join(' ')) }};
 {% else %}
 auth_jwt_header_set {{ auth_jwt['header_set']['variable'] }} {{ (auth_jwt['header_set']['name'] if auth_jwt['header_set']['name'] is string else auth_jwt['header_set']['name'] | join(' ')) }};
diff --git a/templates/http/core.j2 b/templates/http/core.j2
@@ -65,11 +65,15 @@ directio_alignment {{ core['directio_alignment'] }};
 disable_symlinks {{ (core['disable_symlinks'] | ternary('on', 'off')) if core['disable_symlinks'] is boolean else 'if_not_owner' if core['disable_symlinks'] == 'if_not_owner' -}}
                  {{- core['disable_symlinks']['check'] if core['disable_symlinks']['check'] is defined and core['disable_symlinks']['check'] in ['on', 'if_not_owner'] }}{{ (' from=' + core['disable_symlinks']['from']) if core['disable_symlinks']['from'] is defined }};
 {% endif %}
-{% if core['error_page'] is defined %}
-{% for page in core['error_page'] %}
+{% if core['error_page'] is defined and core['error_page'] is not string %}
+{% for page in core['error_page'] if core['error_page'] is not mapping %}
 error_page {{ page['code'] if page['code'] is number else page['code'] | join(' ') -}}
 {{- (' ' + page['response'] | string) if page['response'] is defined -}}
 {{- (' ' + page['uri'] | string) if page['uri'] is defined }};
+{% else %}
+error_page {{ core['error_page']['code'] if core['error_page']['code'] is number else core['error_page']['code'] | join(' ') -}}
+{{- (' ' + core['error_page']['response'] | string) if core['error_page']['response'] is defined -}}
+{{- (' ' + core['error_page']['uri'] | string) if core['error_page']['uri'] is defined }};
 {% endfor %}
 {% endif %}
 {% if core['etag'] is defined and core['etag'] is boolean %}
@@ -108,7 +112,7 @@ large_client_header_buffers {{ core['large_client_header_buffers']['number'] }}
 {% endif %}
 {% if core['limit_except'] is defined %}{# 'limit_except' directive is only available in the location context #}
 limit_except {{ core['limit_except']['method'] if core['limit_except']['method'] is string else core['limit_except']['method'] | join(' ') }} {
-{% if core['limit_except']['directive'] is sequence %}
+{% if core['limit_except']['directive'] is not mapping %}
 {% for directive in core['limit_except']['directive'] if core['limit_except']['directive'] is not string %}
     {{ directive }};
 {% else %}
@@ -260,10 +264,12 @@ tcp_nopush {{ core['tcp_nopush'] | ternary('on', 'off') }};
 {% if core['try_files']['files'] is defined %}{# 'try_files' directive is not available in the 'http' context #}
 try_files {{ core['try_files']['files'] if core['try_files']['files'] is string else core['try_files']['files'] | join(' ') }} {{ core['try_files']['uri'] if core['try_files']['uri'] is defined else core['try_files']['code'] if core['try_files']['code'] is defined }};
 {% endif %}
-{% if core['types'] is defined %}
+{% if core['types'] is defined and core['types'] is not string %}
 types {
-{% for type in core['types'] %}
+{% for type in core['types'] if core['types'] is not mapping %}
     {{ type['mime'] }} {{type['extensions'] if type['extensions'] is string else type['extensions'] | join(' ') }};
+{% else %}
+    {{ core['types']['mime'] }} {{core['types']['extensions'] if core['types']['extensions'] is string else core['types']['extensions'] | join(' ') }};
 {% endfor %}
 }
 {% endif %}
diff --git a/templates/http/grpc.j2 b/templates/http/grpc.j2
@@ -11,23 +11,15 @@ grpc_buffer_size {{ grpc['buffer_size'] }};
 {% if grpc['connect_timeout'] is defined %}
 grpc_connect_timeout {{ grpc['connect_timeout'] }};
 {% endif %}
-{% if grpc['hide_header'] is defined and grpc['hide_header'] is sequence %}
+{% if grpc['hide_header'] is defined and grpc['hide_header'] is not mapping %}
 {% for header in grpc['hide_header'] if grpc['hide_header'] is not string %}
 grpc_hide_header {{ header }};
 {% else %}
 grpc_hide_header {{ grpc['hide_header'] }};
 {% endfor %}
 {% endif %}
-{% if grpc['ignore_headers'] is defined and grpc['ignore_headers'] is sequence %}
-{% for header in grpc['ignore_headers'] if grpc['ignore_headers'] is not string %}
-{% if header in ['X-Accel-Redirect', 'X-Accel-Charset'] %}
-grpc_ignore_headers {{ header }};
-{% endif %}
-{% else %}
-{% if grpc['ignore_headers'] in ['X-Accel-Redirect', 'X-Accel-Charset'] %}
-grpc_ignore_headers {{ grpc['ignore_headers'] }};
-{% endif %}
-{% endfor %}
+{% if grpc['ignore_headers'] is defined and grpc['ignore_headers'] in ['X-Accel-Redirect', 'X-Accel-Charset'] %}
+grpc_ignore_headers {{ grpc['ignore_headers'] if grpc['ignore_headers'] is string else grpc['ignore_headers'] | join(' ') }};
 {% endif %}
 {% if grpc['intercept_errors'] is defined and grpc['intercept_errors'] is boolean %}
 grpc_intercept_errors {{ grpc['intercept_errors'] | ternary ('on', 'off') }};
@@ -44,7 +36,7 @@ grpc_next_upstream_tries {{ grpc['next_upstream_tries'] }};
 {% if grpc['pass'] is defined %}{# 'pass' directive is only available in the 'location' context #}
 grpc_pass {{ grpc['pass'] }};
 {% endif %}
-{% if grpc['pass_header'] is defined and grpc['pass_header'] is sequence %}
+{% if grpc['pass_header'] is defined and grpc['pass_header'] is not mapping %}
 {% for header in grpc['pass_header'] if grpc['pass_header'] is not string %}
 grpc_pass_header {{ header }};
 {% else %}
@@ -57,8 +49,8 @@ grpc_read_timeout {{ grpc['read_timeout'] }};
 {% if grpc['send_timeout'] is defined %}
 grpc_send_timeout {{ grpc['send_timeout'] }};
 {% endif %}
-{% if grpc['set_header'] is defined and grpc['set_header'] is sequence %}
-{% for header in grpc['set_header'] if grpc['set_header'] is not string %}
+{% if grpc['set_header'] is defined %}
+{% for header in grpc['set_header'] if grpc['set_header'] is not mapping %}
 grpc_set_header {{ header['field'] }} {{ header['value'] }};
 {% else %}
 grpc_set_header {{ grpc['set_header']['field'] }} {{ grpc['set_header']['value'] }};
@@ -76,7 +68,7 @@ grpc_ssl_certificate_key {{ grpc['ssl_certificate_key'] }};
 {% if grpc['ssl_ciphers'] is defined %}
 grpc_ssl_ciphers {{ grpc['ssl_ciphers'] }};
 {% endif %}
-{% if grpc['ssl_conf_command'] is defined and grpc['ssl_conf_command'] is sequence %}
+{% if grpc['ssl_conf_command'] is defined and grpc['ssl_conf_command'] is not mapping %}
 {% for command in grpc['ssl_conf_command'] if grpc['ssl_conf_command'] is not string %}
 grpc_ssl_conf_command {{ command }};
 {% else %}
diff --git a/templates/http/modules.j2 b/templates/http/modules.j2
diff --git a/templates/http/proxy.j2 b/templates/http/proxy.j2
diff --git a/templates/http/ssl.j2 b/templates/http/ssl.j2
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
