Add nil check for SSL certificate file paths (#1027)

dhurley · web-flow · commit 8a05e9a27a50 · 2025-04-22T10:38:31.000+01:00
* Add nil check for SSL certificate file paths

* Add unit test
diff --git a/internal/watcher/instance/nginx_config_parser.go b/internal/watcher/instance/nginx_config_parser.go
@@ -116,6 +116,7 @@ func (ncp *NginxConfigParser) createNginxConfigContext(
 	rootDir := filepath.Dir(instance.GetInstanceRuntime().GetConfigPath())
 
 	for _, conf := range payload.Config {
+		slog.DebugContext(ctx, "Traversing NGINX config file", "config", conf)
 		if !ncp.agentConfig.IsDirectoryAllowed(conf.File) {
 			slog.WarnContext(ctx, "File included in NGINX config is outside of allowed directories, "+
 				"excluding from config",
@@ -148,8 +149,11 @@ func (ncp *NginxConfigParser) createNginxConfigContext(
 				case "ssl_certificate", "proxy_ssl_certificate", "ssl_client_certificate",
 					"ssl_trusted_certificate":
 					sslCertFile := ncp.sslCert(ctx, directive.Args[0], rootDir)
-					if !ncp.isDuplicateFile(nginxConfigContext.Files, sslCertFile) {
-						nginxConfigContext.Files = append(nginxConfigContext.Files, sslCertFile)
+					if sslCertFile != nil {
+						if !ncp.isDuplicateFile(nginxConfigContext.Files, sslCertFile) {
+							slog.DebugContext(ctx, "Adding SSL certificate file", "ssl_cert", sslCertFile)
+							nginxConfigContext.Files = append(nginxConfigContext.Files, sslCertFile)
+						}
 					}
 
 				case "app_protect_security_log":
@@ -321,7 +325,7 @@ func (ncp *NginxConfigParser) errorLogDirectiveLevel(directive *crossplane.Direc
 
 func (ncp *NginxConfigParser) sslCert(ctx context.Context, file, rootDir string) (sslCertFile *mpi.File) {
 	if strings.Contains(file, "$") {
-		// cannot process any filepath with variables
+		slog.DebugContext(ctx, "Cannot process SSL certificate file path with variables", "file", file)
 		return nil
 	}
 
diff --git a/internal/watcher/instance/nginx_config_parser_test.go b/internal/watcher/instance/nginx_config_parser_test.go
@@ -368,6 +368,21 @@ func TestNginxConfigParser_Parse(t *testing.T) {
 			},
 			allowedDirectories: []string{dir},
 		},
+		{
+			name:     "Test 4: SSL Certificate file path containing variables",
+			instance: protos.GetNginxPlusInstance([]string{}),
+			content:  testconfig.GetNginxConfWithSSLCertsWithVariables(),
+			expectedConfigContext: &model.NginxConfigContext{
+				StubStatus:       &model.APIDetails{},
+				PlusAPI:          &model.APIDetails{},
+				InstanceID:       protos.GetNginxPlusInstance([]string{}).GetInstanceMeta().GetInstanceId(),
+				Files:            []*mpi.File{},
+				AccessLogs:       []*model.AccessLog{},
+				ErrorLogs:        []*model.ErrorLog{},
+				NAPSysLogServers: nil,
+			},
+			allowedDirectories: []string{dir},
+		},
 	}
 
 	for _, test := range tests {
diff --git a/test/config/nginx/nginx-ssl-certs-with-variables.conf b/test/config/nginx/nginx-ssl-certs-with-variables.conf
@@ -0,0 +1,39 @@
+worker_processes  1;
+events {
+    worker_connections  1024;
+}
+
+http {
+    default_type  application/octet-stream;
+
+    sendfile        on;
+    keepalive_timeout  65;
+
+    server {
+        listen 80;listen [::]:80;
+        listen 443 ssl;listen [::]:443 ssl;
+        ssl_certificate $secret_dir_path/default-cafe-secret;
+        ssl_certificate_key $secret_dir_path/default-cafe-secret;
+
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+        }
+
+        ##
+        # Enable Metrics
+        ##
+        location /api {
+            stub_status;
+            allow 127.0.0.1;
+            deny all;
+        }
+
+        # redirect server error pages to the static page /50x.html
+        #
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
+    }
+}
diff --git a/test/config/nginx_config.go b/test/config/nginx_config.go
@@ -16,6 +16,9 @@ var embedNginxConfWithMultipleAccessLogs string
 //go:embed nginx/nginx-not-allowed-dir.conf
 var embedNginxConfWithNotAllowedDir string
 
+//go:embed nginx/nginx-ssl-certs-with-variables.conf
+var embedNginxConfWithSSLCertsWithVariables string
+
 func GetNginxConfigWithMultipleAccessLogs(
 	errorLogName,
 	accessLogName,
@@ -34,3 +37,7 @@ func GetNginxConfigWithMultipleAccessLogs(
 func GetNginxConfigWithNotAllowedDir(errorLogFile, notAllowedFile, allowedFileDir, accessLogFile string) string {
 	return fmt.Sprintf(embedNginxConfWithNotAllowedDir, errorLogFile, notAllowedFile, allowedFileDir, accessLogFile)
 }
+
+func GetNginxConfWithSSLCertsWithVariables() string {
+	return embedNginxConfWithSSLCertsWithVariables
+}
