Adds parse option for custom directives, moves nap directives

Added an API for allowing the caller of `Parse` to specify bitmasks for
directives outsides the "core" set of NGINX directives. This would allow
the caller to parse an NGINX configuration that contained directives
from a dynamic module even if it is a unknown custom one as long as the
configuration still matches the expected grammar.

As part of this I moved the NAP WAF v4 directives out of the main
`directives` map and added directives for WAF v5.

Author: ornj

analyze.go

@@ -94,6 +94,14 @@ func analyze(fname string, stmt *Directive, term string, ctx blockCtx, options *
 	masks, knownDirective := directives[stmt.Directive]
 	currCtx, knownContext := contexts[ctx.key()]
 
+	if !knownDirective {
+		for _, matchFn := range options.MatchFuncs {
+			if masks, knownDirective = matchFn(stmt.Directive); knownDirective {
+				break
+			}
+		}
+	}
+
 	// if strict and directive isn't recognized then throw error
 	if options.ErrorOnUnknownDirectives && !knownDirective {
 		return &ParseError{
@@ -2401,9 +2409,11 @@ var directives = map[string][]uint{
 	"zone_sync_timeout": {
 		ngxStreamMainConf | ngxStreamSrvConf | ngxConfTake1,
 	},
+}
 
-	// nginx app protect specific and global directives
-	// [https://docs.nginx.com/nginx-app-protect/configuration-guide/configuration/#directives]
+// nginx app protect specific and global directives
+// [https://docs.nginx.com/nginx-app-protect/configuration-guide/configuration/#directives]
+var appProtectWAFv4Directives = map[string][]uint{
 	"app_protect_compressed_requests_action": {
 		ngxHTTPMainConf | ngxConfTake1,
 	},
@@ -2441,3 +2451,58 @@ var directives = map[string][]uint{
 		ngxHTTPMainConf | ngxConfTake1,
 	},
 }
+
+// MatchAppProtectWAFv4 is a match function for parsing an NGINX config that contains the
+// App Protect v4 module.
+func MatchAppProtectWAFv4(directive string) (masks []uint, matched bool) {
+	masks, matched = appProtectWAFv4Directives[directive]
+	return
+}
+
+var appProtectWAFv5Directives = map[string][]uint{
+	// https://docs.nginx.com/nginx-app-protect-waf/v5/configuration-guide/configuration/#global-directives
+	"app_protect_physical_memory_util_thresholds": {
+		ngxHTTPMainConf | ngxConfTake2,
+	},
+	"app_protect_cpu_thresholds": {
+		ngxHTTPMainConf | ngxConfTake2,
+	},
+	"app_protect_failure_mode_action": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"app_protect_cookie_seed": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"app_protect_request_buffer_overflow_action": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"app_protect_reconnect_period_seconds": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	// https://docs.nginx.com/nginx-app-protect-waf/v5/configuration-guide/configuration/#app-protect-specific-directives
+	"app_protect_enforcer_address": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"app_protect_enable": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxConfFlag,
+	},
+	"app_protect_policy_file": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxConfTake1,
+	},
+	"app_protect_security_log_enable": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxConfFlag,
+	},
+	"app_protect_security_log": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxConfTake2,
+	},
+	"app_protect_custom_log_attribute": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLmtConf | ngxConfTake2,
+	},
+}
+
+// MatchAppProtectWAFv5 is a match function for parsing an NGINX config that contains the
+// App Protect v5 module.
+func MatchAppProtectWAFv5(directive string) (masks []uint, matched bool) {
+	masks, matched = appProtectWAFv5Directives[directive]
+	return
+}

parse.go

@@ -53,6 +53,16 @@ type parser struct {
 	includeInDegree map[string]int
 }
 
+// MatchFunc is the signature of the match function used to identify NGINX directives that
+// can be encountered when parsing an NGINX configuration that references dynamic or
+// non-core modules. The argument is the name of a directive found when parsing an NGINX
+// configuration.
+//
+// The return value is a list of bitmasks that indicate the valid contexts in which the
+// directive may appear as well as the number of arguments the directive accepts. The
+// return value must contain at least one non-zero bitmask if matched is true.
+type MatchFunc func(directive string) (masks []uint, matched bool)
+
 // ParseOptions determine the behavior of an NGINX config parse.
 type ParseOptions struct {
 	// An array of directives to skip over and not include in the payload.
@@ -93,6 +103,12 @@ type ParseOptions struct {
 
 	// If true, checks that directives have a valid number of arguments.
 	SkipDirectiveArgsCheck bool
+
+	// MatchFuncs are called in order when an unknown or non-core NGINX directive is
+	// encountered by the parser to determine the valid contexts and argument count of the
+	// directive. Set this option to enable parsing of directives belonging to non-core or
+	// dynamic NGINX modules that follow the usual grammar rules of an NGINX configuration.
+	MatchFuncs []MatchFunc
 }
 
 // Parse parses an NGINX configuration file.