Implement new NGINX Plus R25 JWT directives (#175)

alessfg · web-flow · commit b14233f9f1d1 · 2021-10-13T19:52:48.000+02:00
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
@@ -95,6 +95,6 @@ template: |
   ## Resources
 
   * Functional configuration examples (check `converge.yml` under each `molecule` scenario) -- [github.com/nginxinc/ansible-role-nginx-config/tree/$RESOLVED_VERSION/molecule](https://github.com/nginxinc/ansible-role-nginx-config/tree/$RESOLVED_VERSION/molecule).
-  * Ansible Galaxy repository -- [galaxy.ansible.com/nginxinc/nginx](https://galaxy.ansible.com/nginxinc/nginx_config).
+  * Ansible Galaxy repository -- [galaxy.ansible.com/nginxinc/nginx_config](https://galaxy.ansible.com/nginxinc/nginx_config).
   * NGINX Ansible role & collection introductory blog -- [nginx.com/blog/announcing-nginx-core-collection-ansible](https://www.nginx.com/blog/announcing-nginx-core-collection-ansible).
   * NGINX: Better with Ansible demo -- [github.com/alessfg/nginx-ansible-demo](https://github.com/alessfg/nginx-ansible-demo).
diff --git a/defaults/main/template.yml b/defaults/main/template.yml
@@ -558,7 +558,8 @@ nginx_config_http_template:
         key_file: /path/to/file
         key_request: /path/to/file
         leeway: 0s
-        type: signed  # One of 'signed' or 'encrypted'
+        type: signed  # One of 'signed', 'encrypted' or 'nested'
+        required: $valid_jwt_iss  # String or list
       api:  # Configure NGINX Plus HTTP API
         enable:  # true  # Set to Boolean directly to simply enable the 'api' directive
           write: true  # Boolean
@@ -575,7 +576,7 @@ nginx_config_http_template:
           number: 32  # Required
           size: 4k  # Required
         comp_level: 1
-        disable: []  # string or list
+        disable: []  # String or list
         http_version: 1.1  # Optional -- One of '1.0' or '1.1'
         min_length: 20
         proxied: []  # Set to 'false' to set to 'off' -- otherwise, you can specify a string or a list
diff --git a/molecule/common/Dockerfile.j2 b/molecule/common/Dockerfile.j2
@@ -17,15 +17,15 @@ ENV {{ var }} {{ value }}
 RUN \
   if [ $(command -v apt-get) ]; then \
     apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash ca-certificates curl iproute2 python-apt python3 python3-apt procps sudo systemd systemd-sysv vim \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash curl dirmngr iproute2 python3 python3-apt procps sudo systemd systemd-sysv vim \
     && apt-get clean; \
   elif [ $(command -v dnf) ]; then \
     dnf makecache \
-    && dnf --assumeyes install bash iproute /usr/bin/dnf-3 /usr/bin/python3 /usr/bin/python3-config vim \
+    && dnf --assumeyes install bash iproute sudo /usr/bin/dnf-3 /usr/bin/python3 /usr/bin/python3-config vim \
     && dnf clean all; \
   elif [ $(command -v yum) ]; then \
     yum makecache fast \
-    && yum install -y bash iproute /usr/bin/python /usr/bin/python2-config sudo vim yum-plugin-ovl \
+    && yum install -y bash iproute initscripts sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-ovl \
     && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf \
     && yum clean all; \
   elif [ $(command -v zypper) ]; then \
@@ -34,10 +34,10 @@ RUN \
     && zypper clean -a; \
   elif [ $(command -v apk) ]; then \
     apk update \
-    && apk add --no-cache bash ca-certificates curl openrc python3 sudo vim; \
+    && apk add --no-cache bash curl openrc python3 sudo vim; \
     echo 'rc_provide="loopback net"' >> /etc/rc.conf; \
   elif [ $(command -v xbps-install) ]; then \
     xbps-install -Syu \
-    && xbps-install -y bash ca-certificates iproute2 python3 sudo vim \
+    && xbps-install -y bash iproute2 python3 sudo vim \
     && xbps-remove -O; \
   fi
diff --git a/molecule/plus/converge.yml b/molecule/plus/converge.yml
@@ -24,7 +24,7 @@
             main:
               load_module:
                 - modules/ngx_http_app_protect_module.so
-                - modules/ngx_http_app_protect_dos_module.so
+                # - modules/ngx_http_app_protect_dos_module.so
               user: nginx
               worker_processes: auto
               error_log:
@@ -206,7 +206,8 @@
                   - variable: $job
                     name: info
                 leeway: 0s
-                type: signed
+                type: nested
+                require: jwt
               auth_request:
                 uri: false
                 set:
@@ -310,13 +311,13 @@
                         dest: syslog:server=10.1.1.1:514
                       - path: /etc/app_protect/conf/log_default.json
                         dest: syslog:server=10.1.1.2:514
-                  app_protect_dos:
-                    enable: true
-                    policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json
-                    security_log_enable: true
-                    security_log:
-                      path: /etc/app_protect_dos/log-default.json
-                      dest: syslog:server=10.1.1.1:514
+                  # app_protect_dos:
+                  #   enable: true
+                  #   policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json
+                  #   security_log_enable: true
+                  #   security_log:
+                  #     path: /etc/app_protect_dos/log-default.json
+                  #     dest: syslog:server=10.1.1.1:514
                   auth_jwt:
                     enable:
                       realm: realm
diff --git a/molecule/plus/prepare.yml b/molecule/plus/prepare.yml
@@ -20,32 +20,22 @@
 - name: Install NGINX Plus
   hosts: all
   tasks:
-    - name: Set repo if Debian
-      set_fact:
-        version: "=24-2~{{ ansible_facts['distribution_release'] }}"
-      when: ansible_facts['os_family'] == "Debian"
-    - name: Set repo if Red Hat
-      set_fact:
-        version: "-24-2.{{ (ansible_facts['distribution']=='Amazon') | ternary('amzn2', ('el' + ansible_facts['distribution_major_version'] | string)) }}.ngx"
-      when: ansible_facts['os_family'] == "RedHat"
-
     - name: Install NGINX
       include_role:
         name: nginxinc.nginx
       vars:
         nginx_type: plus
-        nginx_version: "{{ version }}"
         nginx_license:
           certificate: ../common/files/license/nginx-repo.crt
           key: ../common/files/license/nginx-repo.key
         nginx_remove_license: false
 
-    - name: Install NGINX App Protect WAF and NGINX App Protect DoS
+    - name: Install NGINX App Protect WAF
       include_role:
         name: nginxinc.nginx_app_protect
       vars:
         nginx_app_protect_waf_enable: true
-        nginx_app_protect_dos_enable: true
+        nginx_app_protect_dos_enable: false
         nginx_app_protect_setup_license: false
         nginx_app_protect_remove_license: false
         nginx_app_protect_install_signatures: false
diff --git a/templates/http/auth.j2 b/templates/http/auth.j2
@@ -70,7 +70,10 @@ auth_jwt_key_request {{ auth_jwt['key_request'] }};
 {% if auth_jwt['leeway'] is defined %}
 auth_jwt_leeway {{ auth_jwt['leeway'] }};
 {% endif %}
-{% if auth_jwt['type'] is defined and auth_jwt['type'] in ['signed', 'encrypted'] %}
+{% if auth_jwt['type'] is defined and auth_jwt['type'] in ['signed', 'encrypted', 'nested'] %}
 auth_jwt_type {{ auth_jwt['type'] }};
 {% endif %}
+{% if auth_jwt['require'] is defined %}
+auth_jwt_require {{ auth_jwt['require'] if auth_jwt['require'] is string else auth_jwt['require'] | join(' ') }};
+{% endif %}
 {% endmacro %}
