Add NAP paths to allowed directories (#1163)

sean-breen · aphralG · Akshay2191 · commit 033de017cada · 2025-07-23T09:56:55.000+01:00
* update go verion and golangci-lint

* add paths for NAP upon instance discovery

* use variable for NAP directory path

* add paths when creating NAP instance

* add nap paths by default, update agent config during upgrade

* add nap by default

* nap paths to default agent configuration

* add back log message

* only add config directory /etc/app_protect

* update preinstall.sh

* update default config

* remove blank line

---------

Co-authored-by: Aphral Griffin &lt;a.griffin@f5.com&gt;
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
@@ -796,7 +796,7 @@ func agentConfig() *Config {
 		},
 		AllowedDirectories: []string{
 			"/etc/nginx/", "/etc/nginx-agent/", "/usr/local/etc/nginx/", "/var/run/nginx/", "/var/log/nginx/",
-			"/usr/share/nginx/modules/",
+			"/usr/share/nginx/modules/", "/etc/app_protect/",
 		},
 		Collector: &Collector{
 			ConfigPath: "/etc/nginx-agent/nginx-agent-otelcol.yaml",
diff --git a/internal/config/defaults.go b/internal/config/defaults.go
@@ -107,6 +107,7 @@ func DefaultAllowedDirectories() []string {
 		"/usr/share/nginx/modules",
 		"/var/run/nginx",
 		"/var/log/nginx",
+		"/etc/app_protect",
 	}
 }
 
diff --git a/internal/watcher/instance/nginx-app-protect-instance-watcher_test.go b/internal/watcher/instance/nginx-app-protect-instance-watcher_test.go
@@ -112,7 +112,6 @@ func TestNginxAppProtectInstanceWatcher_Watch(t *testing.T) {
 			t.Fatalf("Timed out waiting for instance updates")
 		}
 	})
-
 	t.Run("Test 2: Update instance", func(t *testing.T) {
 		_, err = enforcerEngineVersionFile.WriteAt([]byte("6.113.0"), 0)
 		require.NoError(t, err)
diff --git a/nginx-agent.conf b/nginx-agent.conf
@@ -12,6 +12,7 @@ log:
 
 allowed_directories: 
     - /etc/nginx
+    - /etc/app_protect
     - /usr/local/etc/nginx
     - /usr/share/nginx/modules
     - /var/run/nginx
diff --git a/scripts/packages/preinstall.sh b/scripts/packages/preinstall.sh
@@ -109,6 +109,7 @@ labels:
             allowed_directories="${allowed_directories}\n  - ${config_dir}"
         done
         allowed_directories="${allowed_directories}\n  - /var/log/nginx"
+        allowed_directories="${allowed_directories}\n  - /etc/app_protect"
 
         echo "Writing new v3 configuration to $v3_config_file"
         v3_config_contents="
diff --git a/scripts/packages/upgrade-agent-config.sh b/scripts/packages/upgrade-agent-config.sh
@@ -52,7 +52,8 @@ for config_dir in $config_dirs; do
 done
 
 allowed_directories="${allowed_directories}\n  - /var/log/nginx"
-       
+allowed_directories="${allowed_directories}\n  - /etc/app_protect"
+
 v3_config_contents="
 #
 # /etc/nginx-agent/nginx-agent.conf

Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,7 @@ func DefaultAllowedDirectories() []string {`
`107`	`107`	`"/usr/share/nginx/modules",`
`108`	`108`	`"/var/run/nginx",`
`109`	`109`	`"/var/log/nginx",`
	`110`	`+ "/etc/app_protect",`
`110`	`111`	`}`
`111`	`112`	`}`
`112`	`113`
Original file line number	Diff line number	Diff line change
`@@ -112,7 +112,6 @@ func TestNginxAppProtectInstanceWatcher_Watch(t *testing.T) {`
`112`	`112`	`t.Fatalf("Timed out waiting for instance updates")`
`113`	`113`	`}`
`114`	`114`	`})`
`115`		`-`
`116`	`115`	`t.Run("Test 2: Update instance", func(t *testing.T) {`
`117`	`116`	`_, err = enforcerEngineVersionFile.WriteAt([]byte("6.113.0"), 0)`
`118`	`117`	`require.NoError(t, err)`
Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,8 @@ for config_dir in $config_dirs; do`
`52`	`52`	`done`
`53`	`53`
`54`	`54`	`allowed_directories="${allowed_directories}\n - /var/log/nginx"`
`55`		`-`
	`55`	`+allowed_directories="${allowed_directories}\n - /etc/app_protect"`
	`56`	`+`
`56`	`57`	`v3_config_contents="`
`57`	`58`	`#`
`58`	`59`	`# /etc/nginx-agent/nginx-agent.conf`