Staging (#23)

* Update tests (#21)

* minor udpates on docs and permissions

* add sample playbook

* add sample playbook

* fixed typos

* fixed typos

* initial commit

* updating supported OS versions

* Keep working on tests

And refactor all the things

* Ensure molecule verifier passes

* Add GitHub contribution guidelines

* updating keys and repos for NAP

* adding back nginx plus signing key

* updating repo URL

* removing changelog, as there is not one

* Bring docs up to speed with other NGINX roles

And move some default variables into the vars subfolder

* add tests and fix linting issues

* updating changelog

* added linting fix

Co-authored-by: Jesse Goodier <[email protected]>
Co-authored-by: Alessandro Fael Garcia <[email protected]>

* base 64 decoding of build secrets

* only build for master and staging

* fix formatting. dan hates yml.

* adding syslog test

* fix linting issues

* ansible writing to remote syslog messed up a test. renaming master to main

* add molecule test syntax

* increasing service timeout as travisci is super slow today

Co-authored-by: Jesse Goodier <[email protected]>
Co-authored-by: Alessandro Fael Garcia <[email protected]>

Author: 3 people

.travis.yml

@@ -1,4 +1,9 @@
 ---
+# safelist - build only on the following branches
+branches:
+  only:
+    - main
+    - staging
 language: python
 services: docker
 jobs:
@@ -18,6 +23,6 @@ install:
   - pip install molecule==3.0.8
   - pip install docker==4.3.1
 script:
-  - travis_wait 50 molecule lint -s $scenario
+  - molecule test -s $scenario
 notifications:
   webhooks: https://galaxy.ansible.com/api/v1/notifications/

CHANGELOG.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## 0.2.2 (September 14, 2020)
+
+ENHANCEMENTS:
+
+*   Added molecule tests and verifications
+
+BUG FIXES:
+
+*   Fixed newly appearing linting issues in role
+
+## 0.2.1 (September 11, 2020)
+
+ENHANCEMENTS:
+
+*   Bring docs up to speed with other NGINX roles
+*   Move some default variables into the vars subfolder
+
 ## 0.2.0 (September 10, 2020)
 
 BREAKING CHANGES:

README.md

@@ -23,6 +23,14 @@ Instructions on how to install Ansible can be found in the [Ansible website](htt
 
 Molecule is used to test the various functionalities of the role. Instructions on how to install Molecule can be found in the [Molecule website](https://molecule.readthedocs.io/en/stable/installation.html).
 
+To run the Molecule tests, you must first add your NGINX repository certificate and key to the local environment. Run the following commands to export these files as base64-encoded variables and execute the Molecule tests:
+
+``` bash
+export NGINX_CRT=$( cat <path to your certificate file> | base64)
+export NGINX_KEY=$( cat <path to your key file> | base64)
+molecule test
+```
+
 Installation
 ------------
 

molecule/default/converge.yml

@@ -1,6 +1,6 @@
 ---
 - name: Converge
-  hosts: all
+  hosts: nap
   tasks:
     - name: Install NGINX App Protect
       include_role:
@@ -15,10 +15,11 @@
         nginx_app_protect_log_policy_template_enable: true
         nginx_app_protect_log_policy_filter_request_type: all
         nginx_app_protect_conf_template_enable: true
-        nginx_app_protect_log_policy_syslog_target: 10.1.10.105:5144
+        nginx_app_protect_log_policy_syslog_target: localhost:514
         nginx_app_protect_demo_workload_protocol: http://
-        nginx_app_protect_demo_workload_host: 10.1.10.105:8080
+        nginx_app_protect_demo_workload_host: test-workload:80
         nginx_app_protect_license:
           certificate: "license/nginx-repo.crt"
           key: "license/nginx-repo.key"
-        nginx_app_protect_delete_license: false
+        nginx_app_protect_delete_license: true
+        nginx_app_protect_timeout: 300

molecule/default/molecule.yml

@@ -6,26 +6,49 @@ lint: |
   yamllint .
   ansible-lint --force-color
 platforms:
+  - name: test-workload
+    groups:
+      - workload
+    image: nginxdemos/hello
+    privileged: true
+    networks:
+      - name: molecule-test
   - name: centos-7
+    groups:
+      - nap
     image: centos:7
     dockerfile: ../Dockerfile.j2
     privileged: true
+    networks:
+      - name: molecule-test
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/usr/sbin/init"
   - name: ubuntu-bionic
+    groups:
+      - nap
     image: ubuntu:bionic
     dockerfile: ../Dockerfile.j2
     privileged: true
+    networks:
+      - name: molecule-test
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/sbin/init"
   - name: debian-stretch
+    groups:
+      - nap
     image: debian:stretch-slim
     dockerfile: ../Dockerfile.j2
     privileged: true
+    networks:
+      - name: molecule-test
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/sbin/init"
 provisioner:
   name: ansible
+  config_options:
+    defaults:
+      no_target_syslog: true
+  log: false

molecule/default/prepare.yml

@@ -0,0 +1,45 @@
+---
+- name: Prepare
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  vars:
+    nginx_license:
+      certificate: "./license/nginx-repo.crt"
+      key: "./license/nginx-repo.key"
+
+  tasks:
+    - name: Create license directory
+      file:
+        path: "./license"
+        state: directory
+        mode: 0755
+
+    - name: Create ephemeral license certificate file from b64 decoded env var
+      copy:
+        content: "{{ lookup('env','NGINX_CRT') | b64decode }}"
+        dest: "{{ nginx_license.certificate }}"
+        mode: 0444
+
+    - name: Create ephemeral license key file from b64 decoded env var
+      copy:
+        content: "{{ lookup('env','NGINX_KEY') | b64decode }}"
+        dest: "{{ nginx_license.key }}"
+        mode: 0444
+
+- name: Set up rsyslog server for verifying NAP syslog events
+  hosts: nap
+  vars:
+    rsyslog_receiver: true
+    rsyslog_remote_tcp: true
+    rsyslog_remote_port: 514
+  roles:
+    - role: robertdebock.rsyslog
+
+- name: Prepare workload for tests
+  hosts: workload
+  gather_facts: false
+  tasks:
+    - name: Start nginx on test workload
+      raw: nohup nginx </dev/null >/dev/null 2>&1 & sleep 1
+      changed_when: false

molecule/default/requirements.yml

@@ -0,0 +1,3 @@
+---
+roles:
+  - robertdebock.rsyslog

molecule/default/verify.yml

@@ -1,19 +1,60 @@
 ---
 - name: Verify
-  hosts: all
+  hosts: nap
   tasks:
     - name: Check if NGINX is installed
       package:
         name: nginx-plus
-      check_mode: yes
+      check_mode: true
+      register: install
+      failed_when: (install is changed) or (install is failed)
+
+    - name: Check if NGINX App Protect is installed
+      package:
+        name: app-protect
+      check_mode: true
+      register: install
+      failed_when: (install is changed) or (install is failed)
+
+    - name: Check if NGINX App Protect Signatures is installed
+      package:
+        name: app-protect-attack-signatures
+      check_mode: true
+      register: install
+      failed_when: (install is changed) or (install is failed)
+
+    - name: Check if NGINX App Protect Threat Campaigns is installed
+      package:
+        name: app-protect-threat-campaigns
+      check_mode: true
       register: install
       failed_when: (install is changed) or (install is failed)
 
     - name: Check if NGINX service is running
       service:
         name: nginx
         state: started
-        enabled: yes
-      check_mode: yes
+        enabled: true
+      check_mode: true
       register: service
       failed_when: (service is changed) or (service is failed)
+
+    - name: Check that a page returns a status 200 and fail if the words Hello World are not in the page contents
+      uri:
+        url: "http://localhost"
+        return_content: true
+      register: this
+      failed_when: "'Hello World' not in this.content"
+
+    - name: Check that a page returns a status 200 and fail if the words Request Rejected are not in the page contents
+      uri:
+        url: "http://localhost/?v=<script>"
+        return_content: true
+      register: this
+      failed_when: "'Request Rejected' not in this.content"
+
+    - name: Ensure /var/log/messages contains block event from above test
+      shell: grep -c "Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)" /var/log/messages || true
+      register: event
+      changed_when: false
+      failed_when: event.stdout == "0"

tasks/config/configure-app-protect.yml

@@ -1,5 +1,5 @@
 ---
-- name: "Ensure NGINX main directory exists"
+- name: Ensure NGINX main directory exists
   file:
     path: "{{ nginx_app_protect_conf_template.out_file_location }}"
     state: directory
@@ -8,15 +8,15 @@
         or nginx_app_protect_log_policy_template_enable | bool
         or nginx_app_protect_conf_template_enable | bool
 
-- name: "Dynamically generate NGINX App Protect security policy file"
+- name: Dynamically generate NGINX App Protect security policy file
   template:
     src: "{{ nginx_app_protect_security_policy_template.template_file }}"
     dest: "{{ nginx_app_protect_security_policy_template.out_file_location }}{{ nginx_app_protect_security_policy_template.out_file_name }}"
     mode: 0644
     backup: true
   when: nginx_app_protect_security_policy_template_enable | bool
 
-- name: "Dynamically generate NGINX App Protect log policy file"
+- name: Dynamically generate NGINX App Protect log policy file
   template:
     src: "{{ nginx_app_protect_log_policy_template.template_file }}"
     dest: "{{ nginx_app_protect_log_policy_template.out_file_location }}{{ nginx_app_protect_log_policy_template.out_file_name }}"
@@ -49,12 +49,14 @@
         path: /etc/nginx/nginx.conf
         regexp: '^([ \t]*load_module.*ngx_http_app_protect_module.so;)'
         replace: '# \1'
+        mode: preserve
 
     - name: Comment out NGINX App Protect directives in nginx.conf
       replace:
         path: /etc/nginx/nginx.conf
         regexp: '^([ \t]*app_protect_)'
         replace: '# \1'
+        mode: preserve
   when: nginx_app_protect_state == "absent"
 
 - name: Reload NGINX

tasks/install/setup-debian-repos.yml

@@ -3,13 +3,15 @@
   apt_repository:
     repo: deb [arch=amd64] https://plus-pkgs.nginx.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus
     filename: nginx-app-protect
+    mode: 0644
     update_cache: false
     state: "{{ nginx_app_protect_license_status | default ('present') }}"
 
 - name: Setup Debian and Ubuntu NGINX App Protect security updates repository
   apt_repository:
     repo: deb [arch=amd64] https://app-protect-security-updates.nginx.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus
     filename: app-protect-security-updates
+    mode: 0644
     update_cache: false
     state: "{{ nginx_app_protect_license_status | default ('present') }}"