NGINX 2.3 updates and new features (#50)

* initial commit

* fix for buster broken minor version number missing

* use more succint fact naming convention

* Alpine functionality warning

* removing alpine from molecule

* adding support for specific sigs and tc package versions

* move to platform specific package management modules

* new downgrade syntax

* changed downgrade options

* create version specific test

* allow downgrade

* adding default package options

* downgrades not working

* check mode fix. remove latest designation

* fix conditional

* updating version detection logic. remove package facts in role itself.

* missing var

* updating apk key task

* update signing keys for alpine

* update cache

* add alpine prereqs

* remove dependencies and explicit repository for apk

* do not modify service if no systemd

* fix molecule tests

* Various syntax updates

Also consolidate dependency into a single tasks file

* Update Molecule CICD

* Fix typo

* Update GitHub actions base images

* remove nap version selection option

Co-authored-by: alessfg <[email protected]>

Author: aknot242

.github/workflows/molecule.yml

@@ -20,6 +20,7 @@ jobs:
         scenario:
           - advanced
           - default
+          - specific-version
     steps:
       - name: Check out the codebase
         if: github.event.pull_request.head.repo.full_name == github.repository

CHANGELOG.md

@@ -4,18 +4,34 @@
 
 FEATURES:
 
+*   Add support for Dependabot.
 *   Replace Ansible community distribution with Ansible base and add the necessary extra collections as a dependency requirement. For reference, these are:
     *   `community.general`
     *   `ansible.posix`
-*   Add support for Dependabot.
+*   You can now specify an `nginx_app_protect_repository` for NGINX App Protect.
+*   You can now specify an `nginx_app_protect_security_updates_repository` for NGINX App Protect signatures and threat campaigns packages.
+*   You can now specify NGINX App Protect signatures and threat campaigns package versions using the `nginx_app_protect_signatures_version` and `nginx_app_protect_threat_campaigns_version` variables.
 
 ENHANCEMENTS:
 
+*   Support for App Protect 2.3 -- Adds support for Debian 10 (buster) and Alpine 3.10.x.
+*   Add test coverage for new platforms and testing scenario.
+*   Consolidate dependencies into a single tasks file.
+*   Remove requirement for `package_facts` module when using this role.
+*   Update Signatures repository URL.
 *   Update Ansible base to `2.10.7`, Molecule to `3.2.4`, yamllint to `1.26.0` and Docker Python SDK to `4.4.4`.
 *   Specify GitHub actions Ubuntu release.
 *   Minor GitHub template tweaks, including the creation of a SECURITY doc.
 *   Only run GitHub actions Galaxy CI/CD workflow when a new release is published.
 
+BREAKING CHANGES:
+
+The `nginx_app_protect_version` variable has been removed, as it cannot be implemented fully on all platforms.
+
+KNOWN ISSUES:
+
+Service manager support is not included in NGINX App Protect for Alpine. When using this role to install NGINX App Protect on Alpine, you will need to start the NGINX App Protect processes then reload NGINX Plus yourself in order for App Protect to function. You can use commands similar to what are contained in the `entrypoint.sh` script in the [NGINX App Protect Administration Guide](https://docs.nginx.com/nginx-app-protect/admin-guide/install/#docker-deployment-instructions) to accomplish this.
+
 ## 0.4.2 (January 11, 2021)
 
 ENHANCEMENTS:

README.md

@@ -79,11 +79,7 @@ Similarly, descriptions and defaults for preset variables can be found in the **
 
 ## Dependencies
 
-*   Since this role uses the [package_facts](https://docs.ansible.com/ansible/latest/modules/package_facts_module.html) module, on debian-based systems the `python-apt` package must be installed on targeted hosts.
-
-*   If NGINX Plus is *not* already installed on the system, this role will install the version of NGINX Plus that is dependent on the version of NGINX App Protect set with the `nginx_app_protect_version` variable. If none is specified, the latest version of NGINX Plus and NGINX App Protect will be installed.
-
-*   When using the `nginx_app_protect_version` variable, a specific version of NGINX Plus must already be installed on the target system.
+*   If NGINX Plus is *not* already installed on the system, this role will install the version of NGINX Plus that is dependent on the version of NGINX App Protect that is being installed.
 
 ## Example Playbook
 

defaults/main.yml

@@ -1,16 +1,11 @@
 ---
 # Specify whether you want to maintain your version of NGINX App Protect, upgrade to the latest version, or remove NGINX App Protect.
-# Can be used with `nginx_app_protect_version` to achieve fine grained control on which version of NGINX App Protect is installed/used on each playbook execution.
-# Using 'present' will install the latest version (or 'nginx_app_protect_version') of NGINX App Protect on a fresh install.
-# Using 'latest' will upgrade NGINX App Protect to the latest version (that matches your 'nginx_app_protect_version') of NGINX App Protect on every playbook execution.
+# Using 'present' will install the latest version of NGINX App Protect on a fresh install.
+# Using 'latest' will upgrade NGINX App Protect to the latest version on every playbook execution.
 # Using 'absent' will remove NGINX App Protect from your system.
 # Default is present.
 nginx_app_protect_state: present
 
-# (Optional) Installs a specific version of NGINX App Protect
-# Default is to install the latest release.
-# nginx_app_protect_version: 22
-
 # If you have a RHEL subscription, NGINX App Protect's dependencies will use subscription repos.
 # Otherwise, it will source packages from CentOS' repositories.
 # Default is false.
@@ -21,17 +16,33 @@ nginx_app_protect_use_rhel_subscription_repos: false
 # Default is true.
 nginx_app_protect_install_signatures: true
 
+# (Optional) Installs a specific version of the NGINX App Protect attack signatures package
+# Default is to install the latest release.
+# nginx_app_protect_signatures_version: "=2019.07.16-1" # <- Example value for Debian/Ubuntu
+
 # The installation of NGINX App Protect can include a page of frequently-updated, high-accuracy signatures called "threat campaigns".
 # This option installs the latest NGINX App Protect threat campaigns signatures.
 # Default is true.
 nginx_app_protect_install_threat_campaigns: true
 
+# (Optional) Installs a specific version of the NGINX App Protect threat campaigns package
+# Default is to install the latest release.
+# nginx_app_protect_threat_campaigns_version: "=2020.08.20-1" # <- Example value for Debian/Ubuntu
+
 # (Optional) Choose where to fetch the NGINX App Protect and security updates signing keys from.
 # Default settings are the official NGINX signing key hosts.
 # nginx_app_protect_signing_key:
 #   nginx_plus: https://cs.nginx.com/static/keys/nginx_signing.key
 #   security_updates: https://cs.nginx.com/static/keys/app-protect-security-updates.key
 
+# (Optional) Specify repository for NGINX App Protect.
+# Defaults are the official NGINX repositories.
+# nginx_app_protect_repository: deb [arch=amd64] https://plus-pkgs.nginx.com/debian buster nginx-plus
+
+# (Optional) Specify repository for NGINX App Protect security updates.
+# Defaults are the official NGINX repositories.
+# nginx_app_protect_security_updates_repository: deb [arch=amd64] https://app-protect-security-updates.nginx.com/debian buster nginx-plus
+
 # Location of your NGINX App Protect license in your local machine.
 # Default is the files folder within the NGINX Ansible role.
 nginx_app_protect_license:

handlers/main.yml

@@ -11,6 +11,7 @@
   when:
     - nginx_app_protect_start | bool
     - not ansible_check_mode | bool
+    - ansible_os_family != "Alpine"
   listen: (Handler - NGINX App Protect) Run NGINX
 
 - name: (Handler - NGINX App Protect) Check NGINX
@@ -24,5 +25,7 @@
   debug:
     var: config.stderr_lines
   failed_when: config.rc != 0
-  when: config.rc != 0
+  when:
+    - config.rc is defined
+    - config.rc != 0
   listen: (Handler - NGINX App Protect) Run NGINX

meta/main.yml

@@ -10,12 +10,16 @@ galaxy_info:
   min_ansible_version: 2.10
 
   platforms:
+    - name: Alpine
+      versions:
+        - any
     - name: EL
       versions:
         - 7
     - name: Debian
       versions:
         - stretch
+        - buster
     - name: Ubuntu
       versions:
         - bionic

molecule/Dockerfile.j2

@@ -17,27 +17,27 @@ ENV {{ var }} {{ value }}
 RUN \
   if [ $(command -v apt-get) ]; then \
     apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash ca-certificates curl iproute2 python-apt python3 python3-apt procps sudo systemd systemd-sysv \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash ca-certificates curl iproute2 python-apt python3 python3-apt procps sudo systemd systemd-sysv vim \
     && apt-get clean; \
   elif [ $(command -v dnf) ]; then \
     dnf makecache \
-    && dnf --assumeyes install bash iproute /usr/bin/dnf-3 /usr/bin/python3 /usr/bin/python3-config \
+    && dnf --assumeyes install bash iproute sudo /usr/bin/dnf-3 /usr/bin/python3 /usr/bin/python3-config vim \
     && dnf clean all; \
   elif [ $(command -v yum) ]; then \
     yum makecache fast \
-    && yum install -y bash iproute /usr/bin/python /usr/bin/python2-config sudo yum-plugin-ovl \
+    && yum install -y bash iproute sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-ovl \
     && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf \
     && yum clean all; \
   elif [ $(command -v zypper) ]; then \
     zypper refresh \
-    && zypper install -y bash iproute2 python3 sudo \
+    && zypper install -y bash iproute2 python3 sudo vim \
     && zypper clean -a; \
   elif [ $(command -v apk) ]; then \
     apk update \
-    && apk add --no-cache bash ca-certificates curl openrc python3 sudo; \
+    && apk add --no-cache bash ca-certificates curl openrc python3 sudo vim; \
     echo 'rc_provide="loopback net"' >> /etc/rc.conf; \
   elif [ $(command -v xbps-install) ]; then \
     xbps-install -Syu \
-    && xbps-install -y bash ca-certificates iproute2 python3 sudo \
+    && xbps-install -y bash ca-certificates iproute2 python3 sudo vim \
     && xbps-remove -O; \
   fi

molecule/advanced/molecule.yml

@@ -7,45 +7,67 @@ lint: |
   ansible-lint --force-color
 platforms:
   - name: test-workload
-    groups:
-      - workload
     image: nginxdemos/hello
     privileged: true
+    groups:
+      - workload
     networks:
       - name: molecule-test
-  - name: centos-7
+  - name: alpine-3.10
+    image: alpine:3.10
+    dockerfile: ../Dockerfile.j2
+    privileged: true
+    volumes:
+      - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
+    command: "/sbin/init"
     groups:
       - nap
+    networks:
+      - name: molecule-test
+  - name: centos-7
     image: centos:7
     dockerfile: ../Dockerfile.j2
     privileged: true
-    networks:
-      - name: molecule-test
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/usr/sbin/init"
-  - name: ubuntu-bionic
     groups:
       - nap
+    networks:
+      - name: molecule-test
+  - name: ubuntu-bionic
     image: ubuntu:bionic
     dockerfile: ../Dockerfile.j2
     privileged: true
-    networks:
-      - name: molecule-test
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/sbin/init"
-  - name: debian-stretch
     groups:
       - nap
+    networks:
+      - name: molecule-test
+  - name: debian-stretch
     image: debian:stretch-slim
     dockerfile: ../Dockerfile.j2
     privileged: true
+    volumes:
+      - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
+    command: "/sbin/init"
+    groups:
+      - nap
     networks:
       - name: molecule-test
+  - name: debian-buster
+    image: debian:buster-slim
+    dockerfile: ../Dockerfile.j2
+    privileged: true
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/sbin/init"
+    groups:
+      - nap
+    networks:
+      - name: molecule-test
 provisioner:
   name: ansible
   config_options:

molecule/advanced/requirements.yml

@@ -1,3 +1,4 @@
 ---
 roles:
-  - robertdebock.rsyslog
+  - name: robertdebock.rsyslog
+    version: 3.2.0

molecule/advanced/verify.yml

@@ -2,59 +2,67 @@
 - name: Verify
   hosts: nap
   tasks:
-    - name: Check if NGINX is installed
+    - name: Check if NGINX Plus is installed
       package:
         name: nginx-plus
+        state: present
       check_mode: true
       register: install
       failed_when: (install is changed) or (install is failed)
+      when: ansible_os_family != "Alpine"
 
     - name: Check if NGINX App Protect is installed
       package:
         name: app-protect
+        state: present
       check_mode: true
       register: install
       failed_when: (install is changed) or (install is failed)
 
-    - name: Check if NGINX App Protect Signatures is installed
+    - name: Check if NGINX App Protect signatures is installed
       package:
         name: app-protect-attack-signatures
+        state: present
       check_mode: true
       register: install
       failed_when: (install is changed) or (install is failed)
 
-    - name: Check if NGINX App Protect Threat Campaigns is installed
+    - name: Check if NGINX App Protect threat campaigns is installed
       package:
         name: app-protect-threat-campaigns
+        state: present
       check_mode: true
       register: install
       failed_when: (install is changed) or (install is failed)
 
-    - name: Check if NGINX service is running
-      service:
-        name: nginx
-        state: started
-        enabled: true
-      check_mode: true
-      register: service
-      failed_when: (service is changed) or (service is failed)
+    - name: Functional tests
+      block:
+        - name: Check if NGINX service is running
+          service:
+            name: nginx
+            state: started
+            enabled: true
+          check_mode: true
+          register: service
+          failed_when: (service is changed) or (service is failed)
 
-    - name: Check that a page returns a status 200 and fail if the words Hello World are not in the page contents
-      uri:
-        url: "http://localhost"
-        return_content: true
-      register: this
-      failed_when: "'Hello World' not in this.content"
+        - name: Check that a page returns a status 200 and fail if the words Hello World are not in the page contents
+          uri:
+            url: "http://localhost"
+            return_content: true
+          register: this
+          failed_when: "'Hello World' not in this.content"
 
-    - name: Check that a page returns a status 200 and fail if the words Request Rejected are not in the page contents
-      uri:
-        url: "http://localhost/?v=<script>"
-        return_content: true
-      register: this
-      failed_when: "'Request Rejected' not in this.content"
+        - name: Check that a page returns a status 200 and fail if the words Request Rejected are not in the page contents
+          uri:
+            url: "http://localhost/?v=<script>"
+            return_content: true
+          register: this
+          failed_when: "'Request Rejected' not in this.content"
 
-    - name: Ensure /var/log/messages contains block event from above test
-      shell: grep -c "Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)" /var/log/messages || true
-      register: event
-      changed_when: false
-      failed_when: event.stdout == "0"
+        - name: Ensure /var/log/messages contains block event from above test
+          shell: grep -c "Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)" /var/log/messages || true
+          register: event
+          changed_when: false
+          failed_when: event.stdout == "0"
+      when: ansible_os_family != "Alpine"