Removal fixes for WAF and DoS (#141)

Co-authored-by: Alessandro Fael Garcia <[email protected]>

Author: aknot242

.github/workflows/molecule.yml

@@ -21,8 +21,9 @@ jobs:
         scenario:
           - advanced
           - default
-          - specific-version
           - dos
+          - specific-version
+          - uninstall
     steps:
       - name: Check out the codebase
         if: github.event.pull_request.head.repo.full_name == github.repository

CHANGELOG.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## 0.8.0 (Unreleased)
+
+BREAKING CHANGES:
+
+* Rename `nginx_app_protect_<waf/dos>_state` parameter to `nginx_app_protect_<waf/dos>_setup` parameters.
+* Rename multiple `nginx_app_protect_*` parameters and tags to `nginx_app_protect_waf_*` to aid in disambiguation.
+* Cleanup remaining Alpine Linux tasks.
+
+ENHANCEMENTS:
+
+New molecule tests for NGINX App Protect WAF and DoS removal scenarios.
+
+BUG FIXES:
+
+* Role was failing to uninstall NGINX App Protect DoS packages when the `nginx_app_protect_dos_state` was set to `absent`.
+* Uninstallation scenario was unintentionally creating repository entries.
+
 ## 0.7.1 (February 16, 2022)
 
 ENHANCEMENTS:

defaults/main.yml

@@ -5,19 +5,19 @@ nginx_app_protect_waf_enable: true
 # Specify whether or not this role should install the NGINX App Protect DoS product.
 nginx_app_protect_dos_enable: false
 
-# Specify whether you want to maintain your version of NGINX App Protect WAF, upgrade to the latest version, or remove NGINX App Protect WAF.
-# Using 'present' will install the latest version of NGINX App Protect WAF on a fresh install.
-# Using 'latest' will upgrade NGINX App Protect WAF to the latest version on every playbook execution.
-# Using 'absent' will remove NGINX App Protect WAF from your system.
-# Default is present.
-nginx_app_protect_waf_state: present
-
-# Specify whether you want to maintain your version of NGINX App Protect DoS, upgrade to the latest version, or remove NGINX App Protect DoS.
-# Using 'present' will install the latest version of NGINX App Protect DoS on a fresh install.
-# Using 'latest' will upgrade NGINX App Protect DoS to the latest version on every playbook execution.
-# Using 'absent' will remove NGINX App Protect DoS from your system.
-# Default is present.
-nginx_app_protect_dos_state: present
+# Specify whether you want to install NGINX App Protect WAF, upgrade to the latest version, or remove NGINX App Protect WAF.
+# Using 'install' will install the latest version of NGINX App Protect WAF on a fresh install.
+# Using 'upgrade' will upgrade NGINX App Protect WAF to the latest version of NGINX App Protect WAF on every playbook execution.
+# Using 'uninstall' will remove NGINX App Protect WAF from your system.
+# Default is install.
+nginx_app_protect_waf_setup: install
+
+# Specify whether you want to install NGINX App Protect DoS, upgrade to the latest version, or remove NGINX App Protect DoS.
+# Using 'install' will install the latest version of NGINX App Protect DoS on a fresh install.
+# Using 'upgrade' will upgrade NGINX App Protect DoS to the latest version of NGINX App Protect DoS on every playbook execution.
+# Using 'uninstall' will remove NGINX App Protect DoS from your system.
+# Default is install.
+nginx_app_protect_dos_setup: install
 
 # If you have a RHEL subscription, NGINX App Protect WAF's dependencies will use subscription repos.
 # Otherwise, it will source packages from CentOS' repositories.
@@ -27,16 +27,16 @@ nginx_app_protect_use_rhel_subscription_repos: false
 # The installation of NGINX App Protect WAF includes a base signature set, which may be out of date.
 # This option installs the latest NGINX App Protect signatures.
 # Default is true.
-nginx_app_protect_install_signatures: true
+nginx_app_protect_waf_install_signatures: true
 
 # (Optional) Installs a specific version of the NGINX App Protect WAF attack signatures package
 # Default is to install the latest release.
-# nginx_app_protect_signatures_version: "=2019.07.16-1" # <- Example value for Debian/Ubuntu
+# nginx_app_protect_waf_signatures_version: "=2019.07.16-1" # <- Example value for Debian/Ubuntu
 
 # The installation of NGINX App Protect WAF can include a page of frequently-updated, high-accuracy signatures called "threat campaigns".
 # This option installs the latest NGINX App Protect WAF threat campaigns signatures.
 # Default is true.
-nginx_app_protect_install_threat_campaigns: true
+nginx_app_protect_waf_install_threat_campaigns: true
 
 # (Optional) Installs a specific version of the NGINX App Protect WAF threat campaigns package
 # Default is to install the latest release.
@@ -46,25 +46,35 @@ nginx_app_protect_install_threat_campaigns: true
 # Default settings are the official NGINX signing key hosts.
 # nginx_app_protect_signing_key:
 #   nginx_plus: https://cs.nginx.com/static/keys/nginx_signing.key
-#   security_updates: https://cs.nginx.com/static/keys/app-protect-security-updates.key
+#   waf_security_updates: https://cs.nginx.com/static/keys/app-protect-security-updates.key
 
-# Specify whether or not you want to manage the NGINX App Protect repositories.
-# Using 'true' will manage NGINX App Protect repositories.
-# Using 'false' will not manage the NGINX App Protect repositories, allowing them to be managed through other means.
+# Specify whether or not you want to manage the NGINX App Protect WAF repositories.
+# Using 'true' will manage NGINX App Protect WAF repositories.
+# Using 'false' will not manage the NGINX App Protect WAF repositories, allowing them to be managed through other means.
 # Default is true
-nginx_app_protect_manage_repo: true
+nginx_app_protect_waf_manage_repo: true
+
+# Specify whether or not you want to manage the NGINX App Protect DoS repositories.
+# Using 'true' will manage NGINX App Protect DoS repositories.
+# Using 'false' will not manage the NGINX App Protect DoS repositories, allowing them to be managed through other means.
+# Default is true
+nginx_app_protect_dos_manage_repo: true
 
 # (Optional) Specify repository for NGINX Plus.
 # Defaults are the official NGINX repositories.
 # nginx_plus_repository: deb [arch=amd64] https://pkgs.nginx.com/plus/debian buster nginx-plus
 
-# (Optional) Specify repository for NGINX App Protect.
+# (Optional) Specify repository for NGINX App Protect WAF.
+# Defaults are the official NGINX repositories.
+# nginx_app_protect_waf_repository: deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect/debian buster nginx-plus
+
+# (Optional) Specify repository for NGINX App Protect WAF security updates.
 # Defaults are the official NGINX repositories.
-# nginx_app_protect_repository: deb [arch=amd64] https://pkgs.nginx.com/app-protect/debian buster nginx-plus
+# nginx_app_protect_waf_security_updates_repository: deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://app-protect-security-updates.nginx.com/debian buster nginx-plus
 
-# (Optional) Specify repository for NGINX App Protect security updates.
+# (Optional) Specify repository for NGINX App Protect DoS.
 # Defaults are the official NGINX repositories.
-# nginx_app_protect_security_updates_repository: deb [arch=amd64] https://app-protect-security-updates.nginx.com/debian buster nginx-plus
+# nginx_app_protect_dos_repository: deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/debian buster nginx-plus
 
 # Location of your NGINX App Protect license in your local machine.
 # Default is the files folder within the NGINX Ansible role.

handlers/main.yml

@@ -11,7 +11,6 @@
   when:
     - nginx_app_protect_start | bool
     - not ansible_check_mode | bool
-    - ansible_os_family != "Alpine"
   listen: (Handler - NGINX App Protect) Run NGINX
 
 - name: (Handler - NGINX App Protect) Check NGINX

molecule/advanced/verify.yml

@@ -9,7 +9,6 @@
       check_mode: true
       register: install
       failed_when: (install is changed) or (install is failed)
-      when: ansible_os_family != "Alpine"
 
     - name: Check if NGINX App Protect WAF is installed
       package:

molecule/default/files/test-security-policy.json

@@ -5,4 +5,4 @@
             "name": "POLICY_TEMPLATE_NGINX_BASE"
         }
     }
-}
+}

molecule/default/verify.yml

@@ -42,7 +42,6 @@
       check_mode: true
       register: service
       failed_when: (service is changed) or (service is failed)
-      when: ansible_os_family != "Alpine"
 
     - name: Store the statistics of /etc/app_protect/conf/test-security-policy.json in the 'security_policy' variable
       stat:

molecule/dos/verify.yml

@@ -9,7 +9,6 @@
       check_mode: true
       register: install
       failed_when: (install is changed) or (install is failed)
-      when: ansible_os_family != "Alpine"
 
     - name: Check if NGINX App Protect DoS is installed
       package:
@@ -27,4 +26,3 @@
       check_mode: true
       register: service
       failed_when: (service is changed) or (service is failed)
-      when: ansible_os_family != "Alpine"

molecule/specific-version/converge.yml

@@ -5,22 +5,20 @@
     specify_app_protect_signatures_version: true
     specify_app_protect_threat_campaigns_version: true
     app_protect_signature_version_matrix:
-      alpine: "=2021.01.20-r1"
       debian: "=2019.07.16-1"
       redhat: "-2019.07.16"
     app_protect_threat_campaigns_version_matrix:
-      alpine: "=2021.01.03-r1"
       debian: "=2020.08.20-1"
       redhat: "-2020.08.20"
   tasks:
     - name: Set NGINX App Protect WAF signature version fact
       set_fact:
-        nginx_app_protect_signatures_version: "{{ app_protect_signature_version_matrix[ansible_os_family | lower] }}{{ (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}"
+        nginx_app_protect_waf_signatures_version: "{{ app_protect_signature_version_matrix[ansible_os_family | lower] }}{{ (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}"
       when: specify_app_protect_signatures_version| bool
 
     - name: Set NGINX App Protect WAF threat campaigns version fact
       set_fact:
-        nginx_app_protect_threat_campaigns_version: "{{ app_protect_threat_campaigns_version_matrix[ansible_os_family | lower] }}{{ (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}"
+        nginx_app_protect_waf_threat_campaigns_version: "{{ app_protect_threat_campaigns_version_matrix[ansible_os_family | lower] }}{{ (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}"
       when: specify_app_protect_threat_campaigns_version| bool
 
     - name: Install NGINX App Protect WAF
@@ -31,7 +29,5 @@
           certificate: license/nginx-repo.crt
           key: license/nginx-repo.key
         nginx_app_protect_remove_license: false
-        nginx_app_protect_install_signatures: true
-        nginx_app_protect_install_threat_campaigns: true
-        nginx_app_protect_configure: false
-        nginx_app_protect_waf_state: present
+        nginx_app_protect_waf_install_signatures: true
+        nginx_app_protect_waf_install_threat_campaigns: true

molecule/specific-version/verify.yml

@@ -5,11 +5,9 @@
     specify_app_protect_signatures_version: true
     specify_app_protect_threat_campaigns_version: true
     app_protect_signature_version_matrix:
-      alpine: "=2021.01.20-r1"
       debian: "=2019.07.16-1"
       redhat: "-2019.07.16"
     app_protect_threat_campaigns_version_matrix:
-      alpine: "=2021.01.03-r1"
       debian: "=2020.08.20-1"
       redhat: "-2020.08.20"
   tasks:
@@ -20,7 +18,6 @@
       check_mode: true
       register: install
       failed_when: (install is changed) or (install is failed)
-      when: ansible_os_family != "Alpine"
 
     - name: Check if NGINX App Protect WAF is installed
       package:
@@ -54,7 +51,6 @@
       check_mode: true
       register: service
       failed_when: (service is changed) or (service is failed)
-      when: ansible_os_family != "Alpine"
 
     - name: Check NGINX App Protect WAF version
       block:
@@ -69,4 +65,3 @@
         - name: Verify installed NAP threat campaigns version matches requested version
           assert:
             that: (ansible_facts.packages['app-protect-threat-campaigns'] | map(attribute='version') | first) == (app_protect_threat_campaigns_version_matrix[ansible_os_family | lower] | regex_replace('^-|=','') + (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, ''))
-      when: ansible_os_family != "Alpine"