Merged
8 changes: 4 additions & 4 deletions analyze.go
Expand Up @@ -19,20 +19,20 @@ package crossplane
// Update for OSS, filter in config is the directives not in https://nginx.org/en/docs/dirindex.html but in source code.
// Override in config is for the "if" directive. We create a bitmask ngxConfExpr for it in crossplane, which is not in source code.
//go:generate sh -c "sh ./scripts/generate/generate.sh --url https://github.com/nginx/nginx.git --config-path ./scripts/generate/configs/oss_latest_config.json > ./analyze_oss_latest_directives.gen.go"
//go:generate sh -c "sh ./scripts/generate/generate.sh --url https://github.com/nginx/nginx.git --config-path ./scripts/generate/configs/oss_126_config.json --branch branches/stable-1.26 > ./analyze_oss_126_directives.gen.go"
//go:generate sh -c "sh ./scripts/generate/generate.sh --url https://github.com/nginx/nginx.git --config-path ./scripts/generate/configs/oss_124_config.json --branch branches/stable-1.24 > ./analyze_oss_124_directives.gen.go"
//go:generate sh -c "sh ./scripts/generate/generate.sh --url https://github.com/nginx/nginx.git --config-path ./scripts/generate/configs/oss_126_config.json --branch stable-1.26 > ./analyze_oss_126_directives.gen.go"
//go:generate sh -c "sh ./scripts/generate/generate.sh --url https://github.com/nginx/nginx.git --config-path ./scripts/generate/configs/oss_124_config.json --branch stable-1.24 > ./analyze_oss_124_directives.gen.go"

// Update for lua, override is for the lua block directives, see https://github.com/nginxinc/nginx-go-crossplane/pull/86.
//go:generate sh -c "sh ./scripts/generate/generate.sh --url https://github.com/openresty/lua-nginx-module.git --config-path ./scripts/generate/configs/lua_config.json --path ./src > ./analyze_lua_directives.gen.go"

// Update for otel. Filter is for some directives withou context.
// Update for otel. Filter is for some directives without context.
// Otel provides its own config handler for some directives and they don't have context. Currently we don't support them.
//go:generate sh -c "sh ./scripts/generate/generate.sh --url https://github.com/nginxinc/nginx-otel.git --config-path ./scripts/generate/configs/otel_config.json --branch main > ./analyze_otel_directives.gen.go"

// Update for NAP v4 and v5.
// NAP is a private module. Please ensure you have correct access and put the url.
// and branch of it in environment variable NAP_URL, NAP_V4_BRANCH, and NAP_V5_BRANCH.
// Override is for flag dirctives. NAP used ngxConfTake1 for flag directives, we change them to ngxConfFlag in crossplane.
// Override is for flag directives. NAP used ngxConfTake1 for flag directives, we change them to ngxConfFlag in crossplane.
// NAP v4
//go:generate sh -c "sh ./scripts/generate/generate.sh --url $NAP_URL --config-path ./scripts/generate/configs/nap_v4_config.json --branch $NAP_V4_BRANCH --path ./src > analyze_appProtectWAFv4_directives.gen.go"
// NAP v5
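Review bot: The comment above the OSS `go:generate` lines still says the config override exists only for the `if` directive, but this commit also adds an `ssl_ocsp` override to `oss_124_config.json` and `oss_126_config.json`, so the comment no longer describes what the generator is told to do. I would extend it with something like `// Override also covers "ssl_ocsp", which takes on | off | leaf and is therefore emitted as ngxConfTake1 instead of ngxConfFlag.` Separately, the corrected `--branch stable-1.26` and `--branch stable-1.24` arguments name branches rather than a tag or commit, so the regenerated tables depend on whatever the upstream branch head is at generation time; if `generate.sh` accepts a tag there (not visible in this hunk), pinning one would make the committed `.gen.go` files reproducible and easier to audit. The comment block continues past the end of the hunk.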
2 changes: 1 addition & 1 deletion analyze_nplus_R30_directives.go
Expand Up @@ -1612,7 +1612,7 @@ var nginxPlusR30Directives = map[string][]uint{
ngxStreamMainConf | ngxStreamSrvConf | ngxConfTake1,
},
"ssl_ocsp": {
ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfFlag,
ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
},
"ssl_ocsp_cache": {
ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
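Review bot: The `ssl_ocsp` entry has no comment explaining why it is `ngxConfTake1` rather than the `ngxConfFlag` it carried before, so a later sync of this table against the nginx source is likely to turn it back into a flag. Something like `// ssl_ocsp accepts on | off | leaf, so it cannot be validated as a flag.` above the mask would do, and the same applies to the identical change in `analyze_nplus_R31_directives.go`. A one-argument mask presumably checks only the argument count, so a misspelled value would pass analysis and only be rejected by nginx itself; that trade-off is worth stating in the comment. The map literal starts and ends outside the hunk.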
2 changes: 1 addition & 1 deletion analyze_nplus_R31_directives.go
Expand Up @@ -1634,7 +1634,7 @@ var nginxPlusR31Directives = map[string][]uint{
ngxConfTake1 | ngxMgmtMainConf,
},
"ssl_ocsp": {
ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfFlag,
ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
},
"ssl_ocsp_cache": {
ngxHTTPMainConf | ngxHTTPSrvConf | ngxConfTake1,
4 changes: 2 additions & 2 deletions analyze_nplus_R33_directives.gen.go


4 changes: 2 additions & 2 deletions analyze_nplus_R34_directives.gen.go


4 changes: 2 additions & 2 deletions analyze_nplus_R35_directives.gen.go


4 changes: 2 additions & 2 deletions analyze_nplus_latest_directives.gen.go


2 changes: 1 addition & 1 deletion analyze_oss_124_directives.gen.go


2 changes: 1 addition & 1 deletion analyze_oss_126_directives.gen.go


4 changes: 2 additions & 2 deletions analyze_oss_latest_directives.gen.go


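--- a/analyze_test.go
+++ b/analyze_test.go
@@ -3034,3 +3034,185 @@ func TestAnalyze_auth_require(t *testing.T) {
 })
 }
 }
+
+//nolint:funlen
+func TestAnalyze_ssl_ocsp(t *testing.T) {
+t.Parallel()
+testcases := map[string]struct {
+stmt *Directive
+ctx []blockCtx
+matchFunc MatchFunc
+wantErr bool
+}{
+"ssl_ocsp ok in OS 1.24": {
+&Directive{
+Directive: "ssl_ocsp",
+Args: []string{"leaf"},
+Line: 5,
+},
+[]blockCtx{{"http"}, {"http", "server"}},
+MatchOss124,
+false,
+},
+"ssl_ocsp ok in OS 1.26": {
+&Directive{
+Directive: "ssl_ocsp",
+Args: []string{"leaf"},
+Line: 5,
+},
+[]blockCtx{{"http"}, {"http", "server"}},
+MatchOss126,
+false,
+},
+"ssl_ocsp ok in OS latest": {
+&Directive{
+Directive: "ssl_ocsp",
+Args: []string{"leaf"},
+Line: 5,
+},
+[]blockCtx{{"http"}, {"http", "server"}, {"stream"}, {"stream", "server"}},
+MatchOssLatest,
+false,
+},
+"ssl_ocsp ok in R30": {
+&Directive{
+Directive: "ssl_ocsp",
+Args: []string{"leaf"},
+Line: 5,
+},
+[]blockCtx{{"http"}, {"http", "server"}},
+MatchNginxPlusR30,
+false,
+},
+"ssl_ocsp ok in R31": {
+&Directive{
+Directive: "ssl_ocsp",
+Args: []string{"leaf"},
+Line: 5,
+},
+[]blockCtx{{"http"}, {"http", "server"}},
+MatchNginxPlusR31,
+false,
+},
+"ssl_ocsp ok in R33": {
+&Directive{
+Directive: "ssl_ocsp",
+Args: []string{"leaf"},
+Line: 5,
+},
+[]blockCtx{{"http"}, {"http", "server"}, {"stream"}, {"stream", "server"}},
+MatchNginxPlusR33,
+false,
+},
+"ssl_ocsp ok in R34": {
+&Directive{
+Directive: "ssl_ocsp",
+Args: []string{"leaf"},
+Line: 5,
+},
+[]blockCtx{{"http"}, {"http", "server"}, {"stream"}, {"stream", "server"}},
+MatchNginxPlusR34,
+false,
+},
+"ssl_ocsp ok in R35": {
+&Directive{
+Directive: "ssl_ocsp",
+Args: []string{"leaf"},
+Line: 5,
+},
+[]blockCtx{{"http"}, {"http", "server"}, {"stream"}, {"stream", "server"}},
+MatchNginxPlusR35,
+false,
+},
+"ssl_ocsp ok in Plus latest": {
+&Directive{
+Directive: "ssl_ocsp",
+Args: []string{"leaf"},
+Line: 5,
+},
+[]blockCtx{{"http"}, {"http", "server"}, {"stream"}, {"stream", "server"}},
+MatchNginxPlusLatest,
+false,
+},
+"ssl_ocsp not ok in OS 1.24 wrong context": {
+&Directive{
+Directive: "ssl_ocsp",
+Args: []string{"leaf"},
+Line: 5,
+},
+[]blockCtx{{"stream"}, {"stream", "server"}},
+MatchOss124,
+true,
+},
+"ssl_ocsp not ok in OS 1.26 wrong context": {
+&Directive{
+Directive: "ssl_ocsp",
+Args: []string{"leaf"},
+Line: 5,
+},
+[]blockCtx{{"stream"}, {"stream", "server"}},
+MatchOss126,
+true,
+},
+"ssl_ocsp not ok in OS latest wrong parameters": {
+&Directive{
+Directive: "ssl_ocsp",
+Args: []string{"on", "leaf"},
+Line: 5,
+},
+[]blockCtx{{"http"}, {"http", "server"}, {"stream"}, {"stream", "server"}},
+MatchOssLatest,
+true,
+},
+"ssl_ocsp not ok in Plus R30 wrong context": {
+&Directive{
+Directive: "ssl_ocsp",
+Args: []string{"leaf"},
+Line: 5,
+},
+[]blockCtx{{"stream"}, {"stream", "server"}},
+MatchNginxPlusR30,
+true,
+},
+"ssl_ocsp not ok in Plus R31 wrong context": {
+&Directive{
+Directive: "ssl_ocsp",
+Args: []string{"leaf"},
+Line: 5,
+},
+[]blockCtx{{"stream"}, {"stream", "server"}},
+MatchNginxPlusR31,
+true,
+},
+"ssl_ocsp not ok in Plus latest wrong parameters": {
+&Directive{
+Directive: "ssl_ocsp",
+Args: []string{"on", "leaf"},
+Line: 5,
+},
+[]blockCtx{{"stream"}, {"stream", "server"}},
+MatchNginxPlusLatest,
+true,
+},
+}
+
+for name, tc := range testcases {
+tc := tc
+t.Run(name, func(t *testing.T) {
+t.Parallel()
+for _, ctx := range tc.ctx {
+err := analyze("nginx.conf", tc.stmt, ";", ctx, &ParseOptions{
+DirectiveSources: []MatchFunc{tc.matchFunc},
+})
+
+if !tc.wantErr && err != nil {
+t.Fatal(err)
+}
+
+if tc.wantErr && err == nil {
+t.Fatal("expected error, got nil")
+}
+}
+})
+}
+}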
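Review bot: Every accepting case in `TestAnalyze_ssl_ocsp` passes `leaf`, so nothing pins that `on` and `off` are still accepted now that the directive is no longer treated as a flag, and the rejecting cases never try an empty argument list. I would add cases with `Args: []string{"on"}` and `Args: []string{}` for at least one OSS and one Plus matcher, plus a rejecting case for R33–R35, which currently have only accepting cases. The inner loop also fails with `t.Fatal(err)` without saying which context was being checked; `t.Fatalf("ctx %v: %v", ctx, err)` makes a failure attributable.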
6 changes: 5 additions & 1 deletion scripts/generate/configs/nplus_R33_config.json
Expand Up @@ -119,7 +119,11 @@
"enforce_initial_report": [["ngxMgmtMainConf","ngxConfFlag"]],
"license_token": [["ngxMgmtMainConf","ngxConfTake1"]],
"state_path": [["ngxMgmtMainConf","ngxConfTake1"]],
"zone_sync": [["ngxStreamSrvConf","ngxConfNoArgs"]]
"zone_sync": [["ngxStreamSrvConf","ngxConfNoArgs"]],
"ssl_ocsp": [
["ngxHTTPMainConf", "ngxHTTPSrvConf", "ngxConfTake1"],
["ngxStreamMainConf", "ngxStreamSrvConf", "ngxConfTake1"]
]
},

"matchFuncComment":"MatchNginxPlusR33 contains directives in Nginx Plus R33 source code(including GEOIP, Perl, and XSLT)"
7 changes: 5 additions & 2 deletions scripts/generate/configs/nplus_R34_config.json
Expand Up @@ -137,8 +137,11 @@
"redirect_uri": [["ngxHTTPOIDCConf", "ngxConfTake1"]],
"scope": [["ngxHTTPOIDCConf", "ngxConfTake1"]],
"session_store": [["ngxHTTPOIDCConf", "ngxConfTake1"]],
"session_timeout": [["ngxHTTPOIDCConf", "ngxConfTake1"]]

"session_timeout": [["ngxHTTPOIDCConf", "ngxConfTake1"]],
"ssl_ocsp": [
["ngxHTTPMainConf", "ngxHTTPSrvConf", "ngxConfTake1"],
["ngxStreamMainConf", "ngxStreamSrvConf", "ngxConfTake1"]
]
},

"matchFuncComment":"MatchNginxPlusR34 contains directives in Nginx Plus R34 source code(including GEOIP, Perl, and XSLT)"
9 changes: 6 additions & 3 deletions scripts/generate/configs/nplus_R35_config.json
Expand Up @@ -142,9 +142,12 @@
"logout_token_hint": [["ngxHTTPOIDCConf", "ngxConfFlag"]],
"logout_uri": [["ngxHTTPOIDCConf", "ngxConfTake1"]],
"post_logout_uri": [["ngxHTTPOIDCConf", "ngxConfTake1"]],
"userinfo": [["ngxHTTPOIDCConf", "ngxConfTake1"]]

},
"userinfo": [["ngxHTTPOIDCConf", "ngxConfTake1"]],
"ssl_ocsp": [
["ngxHTTPMainConf", "ngxHTTPSrvConf", "ngxConfTake1"],
["ngxStreamMainConf", "ngxStreamSrvConf", "ngxConfTake1"]
]
},

"matchFuncComment":"MatchNginxPlusR35 contains directives in Nginx Plus R35 source code(including GEOIP, Perl, and XSLT)"
}
3 changes: 2 additions & 1 deletion scripts/generate/configs/oss_124_config.json
Expand Up @@ -38,7 +38,8 @@
"gzip_no_buffer"
],
"override":{
"if":[[ "ngxHTTPSrvConf", "ngxHTTPLocConf", "ngxConfBlock", "ngxConfExpr", "ngxConf1More"]]
"if":[[ "ngxHTTPSrvConf", "ngxHTTPLocConf", "ngxConfBlock", "ngxConfExpr", "ngxConf1More"]],
"ssl_ocsp": [["ngxHTTPMainConf", "ngxHTTPSrvConf", "ngxConfTake1"]]
},
"matchFuncComment":"MatchOss124 contains directives in OSS 1.2.4 source code(including GEOIP, Perl, and XSLT)"
}
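Review bot: The `matchFuncComment` string right below the new override reads "OSS 1.2.4 source code", which names a version that does not match `MatchOss124` or the `stable-1.24` branch used in `analyze.go`; `oss_126_config.json` has the same slip with "OSS 1.2.6". Since this string is presumably copied into the generated doc comment, I would correct it here to `"matchFuncComment":"MatchOss124 contains directives in OSS 1.24 source code(including GEOIP, Perl, and XSLT)"` and regenerate.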
3 changes: 2 additions & 1 deletion scripts/generate/configs/oss_126_config.json
Expand Up @@ -38,7 +38,8 @@
"gzip_no_buffer"
],
"override":{
"if":[[ "ngxHTTPSrvConf", "ngxHTTPLocConf", "ngxConfBlock", "ngxConfExpr", "ngxConf1More"]]
"if":[[ "ngxHTTPSrvConf", "ngxHTTPLocConf", "ngxConfBlock", "ngxConfExpr", "ngxConf1More"]],
"ssl_ocsp": [["ngxHTTPMainConf", "ngxHTTPSrvConf", "ngxConfTake1"]]
},
"matchFuncComment":"MatchOss126 contains directives in OSS 1.2.6 source code(including GEOIP, Perl, and XSLT)"
}