Merge pull request #84 from nginxinc/NLB-4532-lua

NLB-4532: Add lua module

Author: xynicole

analyze.go

@@ -2509,3 +2509,176 @@ func MatchAppProtectWAFv5(directive string) ([]uint, bool) {
 	masks, matched := appProtectWAFv5Directives[directive]
 	return masks, matched
 }
+
+// LuaDirectives is a list of directives that are used in the Lua module
+// https://github.com/openresty/lua-nginx-module/tree/master?tab=readme-ov-file#directives
+//
+//nolint:gochecknoglobals
+var LuaDirectives = map[string][]uint{
+	"lua_load_resty_core": {
+		ngxHTTPMainConf | ngxConfFlag,
+	},
+	"lua_capture_error_log": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"lua_use_default_type": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfFlag,
+	},
+	"lua_malloc_trim": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"lua_code_cache": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfFlag,
+	},
+	"lua_thread_cache_max_entries": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"lua_regex_cache_max_entries": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"lua_regex_match_limit": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"lua_package_path": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"lua_package_cpath": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"init_by_lua_file": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"init_worker_by_lua_file": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"exit_worker_by_lua_file": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"set_by_lua_file": {
+		ngxHTTPSrvConf | ngxHTTPSifConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConf2More,
+	},
+	"content_by_lua_file": {
+		ngxHTTPLocConf | ngxHTTPLifConf | ngxConfTake1,
+	},
+	"server_rewrite_by_lua_file": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
+	},
+	"rewrite_by_lua_file": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfTake1,
+	},
+	"access_by_lua_file": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfTake1,
+	},
+	"header_filter_by_lua_file": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfTake1,
+	},
+	"body_filter_by_lua_file": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfTake1,
+	},
+	"log_by_lua_file": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfTake1,
+	},
+	"balancer_by_lua_file": {
+		ngxHTTPUpsConf | ngxConfTake1,
+	},
+	"lua_need_request_body": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfFlag,
+	},
+	"ssl_client_hello_by_lua_file": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
+	},
+	"ssl_certificate_by_lua_file": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
+	},
+	"ssl_session_fetch_by_lua_file": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"ssl_session_store_by_lua_file": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"lua_shared_dict": {
+		ngxHTTPMainConf | ngxConfTake2,
+	},
+	"lua_socket_connect_timeout": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfTake1,
+	},
+	"lua_socket_send_timeout": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfTake1,
+	},
+	"lua_socket_send_lowat": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfTake1,
+	},
+	"lua_socket_read_timeout": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfTake1,
+	},
+	"lua_socket_buffer_size": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfTake1,
+	},
+	"lua_socket_pool_size": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfTake1,
+	},
+	"lua_socket_keepalive_timeout": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfTake1,
+	},
+	"lua_socket_log_errors": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfFlag,
+	},
+	"lua_ssl_ciphers": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxConfTake1,
+	},
+	"lua_ssl_crl": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxConfTake1,
+	},
+	"lua_ssl_protocols": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxConf1More,
+	},
+	"lua_ssl_certificate": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxConfTake1,
+	},
+	"lua_ssl_certificate_key": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxConfTake1,
+	},
+	"lua_ssl_trusted_certificate": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxConfTake1,
+	},
+	"lua_ssl_verify_depth": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxConfTake1,
+	},
+	"lua_ssl_conf_command": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxConfTake2,
+	},
+	"lua_http10_buffering": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfFlag,
+	},
+	"rewrite_by_lua_no_postpone": {
+		ngxHTTPMainConf | ngxConfFlag,
+	},
+	"access_by_lua_no_postpone": {
+		ngxHTTPMainConf | ngxConfFlag,
+	},
+	"lua_transform_underscores_in_response_headers": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfFlag,
+	},
+	"lua_check_client_abort": {
+		ngxHTTPMainConf | ngxHTTPSrvConf | ngxHTTPLocConf | ngxHTTPLifConf | ngxConfFlag,
+	},
+	"lua_max_pending_timers": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"lua_max_running_timers": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+	"lua_sa_restart": {
+		ngxHTTPMainConf | ngxConfFlag,
+	},
+	"lua_worker_thread_vm_pool_size": {
+		ngxHTTPMainConf | ngxConfTake1,
+	},
+}
+
+// MatchLua is a match function for parsing an NGINX config that contains the
+// Lua module.
+func MatchLua(directive string) ([]uint, bool) {
+	masks, matched := LuaDirectives[directive]
+	return masks, matched
+}

analyze_test.go

@@ -1920,3 +1920,95 @@ func TestAnalyze_nap_app_protect_waf_v5(t *testing.T) {
 		})
 	}
 }
+
+//nolint:funlen
+func TestAnalyze_lua(t *testing.T) {
+	t.Parallel()
+	testcases := map[string]struct {
+		stmt    *Directive
+		ctx     blockCtx
+		wantErr bool
+	}{
+		"content_by_lua_file ok": {
+			&Directive{
+				Directive: "content_by_lua_file",
+				Args:      []string{"/path/to/lua/app/root/$path.lua"},
+				Line:      5,
+			},
+			blockCtx{"http", "location", "location if"},
+			false,
+		},
+		"content_by_lua_file relative path ok": {
+			&Directive{
+				Directive: "content_by_lua_file",
+				Args:      []string{"foo/bar.lua"},
+				Line:      5,
+			},
+			blockCtx{"http", "location", "location if"},
+			false,
+		},
+		"content_by_lua_file nor ok": {
+			&Directive{
+				Directive: "content_by_lua_file",
+				Args:      []string{"foo/bar.lua"},
+				Line:      5,
+			},
+			blockCtx{"server"},
+			false,
+		},
+		"lua_shared_dict ok": {
+			&Directive{
+				Directive: "lua_shared_dict",
+				Args:      []string{"dogs", "10m"},
+				Line:      5,
+			},
+			blockCtx{"http"},
+			false,
+		},
+		"lua_shared_dict not ok": {
+			&Directive{
+				Directive: "lua_shared_dict",
+				Args:      []string{"10m"},
+				Line:      5,
+			},
+			blockCtx{"http"},
+			true,
+		},
+		"lua_sa_restart ok": {
+			&Directive{
+				Directive: "lua_sa_restart",
+				Args:      []string{"off"},
+				Line:      5,
+			},
+			blockCtx{"http"},
+			false,
+		},
+		"lua_sa_restart not ok": {
+			&Directive{
+				Directive: "lua_sa_restart",
+				Args:      []string{"something"},
+				Line:      5,
+			},
+			blockCtx{"http"},
+			true,
+		},
+	}
+
+	for name, tc := range testcases {
+		tc := tc
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+			err := analyze("nginx.conf", tc.stmt, ";", tc.ctx, &ParseOptions{
+				MatchFuncs: []MatchFunc{MatchLua},
+			})
+
+			if !tc.wantErr && err != nil {
+				t.Fatal(err)
+			}
+
+			if tc.wantErr && err == nil {
+				t.Fatal("expected error, got nil")
+			}
+		})
+	}
+}

lex_test.go

@@ -226,6 +226,34 @@ var lexFixtures = []lexFixture{
 		{";", 15},
 		{"}", 16},
 	}},
+	{"lua-basic", []tokenLine{
+		{"http", 1},
+		{"{", 1},
+		{"init_by_lua", 2},
+		{"\n        print(\"I need no extra escaping here, for example: \\r\\nblah\")\n    ", 2},
+		{"lua_shared_dict", 5},
+		{"dogs", 5},
+		{"1m", 5},
+		{";", 5},
+		{"server", 6},
+		{"{", 6},
+		{"listen", 7},
+		{"8080", 7},
+		{";", 7},
+		{"location", 8},
+		{"/", 8},
+		{"{", 8},
+		{"set_by_lua", 9},
+		{"$res", 9},
+		{" return 32 + math.cos(32) ", 9},
+		{";", 9},
+		{"access_by_lua_file", 10},
+		{"/path/to/lua/access.lua", 10},
+		{";", 10},
+		{"}", 11},
+		{"}", 12},
+		{"}", 13},
+	}},
 }
 
 func TestLex(t *testing.T) {

testdata/configs/lua-basic/nginx.conf

@@ -0,0 +1,13 @@
+http {
+    init_by_lua '
+        print("I need no extra escaping here, for example: \r\nblah")
+    '
+    lua_shared_dict dogs 1m;
+    server {
+        listen 8080;
+        location / {
+            set_by_lua $res ' return 32 + math.cos(32) ';
+            access_by_lua_file /path/to/lua/access.lua;
+        }
+    }
+}

testdata/configs/lua-basic/nginx.json

@@ -0,0 +1,73 @@
+{
+  "status": "ok",
+  "errors": [],
+  "config": [
+    {
+      "file": "testdata/configs/lua-block-larger/nginx.conf",
+      "status": "ok",
+      "errors": [],
+      "parsed": [
+        {
+          "directive": "http",
+          "line": 1,
+          "args": [],
+          "block": [
+            {
+              "directive": "init_by_lua",
+              "line": 2,
+              "args": [
+                "\n        print(\"I need no extra escaping here, for example: \\r\\nblah\")\n    "
+              ]
+            },
+            {
+              "directive": "lua_shared_dict",
+              "line": 5,
+              "args": [
+                "dogs",
+                "1m"
+              ]
+            },
+            {
+              "directive": "server",
+              "line": 7,
+              "args": [],
+              "block": [
+                {
+                  "directive": "listen",
+                  "line": 7,
+                  "args": [
+                    "8080"
+                  ]
+                },
+                {
+                  "directive": "location",
+                  "line": 8,
+                  "args": [
+                    "/"
+                  ],
+                  "block": [
+                    {
+                      "directive": "set_by_lua",
+                      "line": 9,
+                      "args": [
+                        "$res",
+                        " return 32 + math.cos(32) "
+                      ]
+                    },
+                    {
+                      "directive": "access_by_lua_file",
+                      "line": 10,
+                      "args": [
+                        "/path/to/lua/access.lua"
+                      ]
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}