NLB-6350: add OIDC unit tests and fix some unit tests' directives

Author: xynicole

analyze.go

@@ -42,7 +42,7 @@ package crossplane
 //go:generate sh -c "sh ./scripts/generate/generate.sh --url https://github.com/leev/ngx_http_geoip2_module.git --config-path ./scripts/generate/configs/geoip2_config.json > ./analyze_geoip2_directives.gen.go"
 
 // Update for NPlus.
-// NPlus source code is private. Please ensure you have the correct access 
+// NPlus source code is private. Please ensure you have the correct access
 // and set the URL and branch in the environment variables NPLUS_URL and NPLUS_BRANCH.
 // Filter in config is the directives not in https://nginx.org/en/docs/dirindex.html but in source code.
 // Override for NPlus R33 and the latest version is for mgmt directives and if directive.

analyze_map.go

@@ -45,6 +45,10 @@ var mapBodies = map[string]mapParameterMasks{
 	"otel_exporter": {
 		defaultMasks: ngxConfTake1,
 	},
+	"oidc_provider": {
+		specialParameterMasks: map[string]uint{"session_timeout": ngxConf1More, "scope": ngxConf1More},
+		defaultMasks: ngxConfTake1,
+	},
 }
 
 // analyzeMapBody validates the body of a map-like directive. Map-like directives are block directives

analyze_map_test.go

@@ -239,6 +239,48 @@ func TestAnalyzeMapBody(t *testing.T) {
 			term:    "}",
 			wantErr: &ParseError{What: `unexpected "}"`, BlockCtx: "map"},
 		},
+		"valid oidc_provider": {
+			mapDirective: "oidc_provider",
+			parameter: &Directive{
+				Directive: "client_id",
+				Args:      []string{"unique_id"},
+				Line:      5,
+				Block:     Directives{},
+			},
+			term: ";",
+		},
+		"invalid oidc_provider": {
+			mapDirective: "oidc_provider",
+			parameter: &Directive{
+				Directive: "client_id ",
+				Args:      []string{},
+				Line:      5,
+				Block:     Directives{},
+			},
+			term:    ";",
+			wantErr: &ParseError{What: "invalid number of parameters", BlockCtx: "oidc_provider"},
+		},
+		"valid oidc_provider scope": {
+			mapDirective: "oidc_provider",
+			parameter: &Directive{
+				Directive: "scope",
+				Args:      []string{"openid"},
+				Line:      5,
+				Block:     Directives{},
+			},
+			term: ";",
+		},
+		"invalid oidc_provider scope": {
+			mapDirective: "oidc_provider",
+			parameter: &Directive{
+				Directive: "scope",
+				Args:      []string{},
+				Line:      5,
+				Block:     Directives{},
+			},
+			term:    ";",
+			wantErr: &ParseError{What: "invalid number of parameters", BlockCtx: "oidc_provider"},
+		},
 	}
 
 	for name, tc := range testcases {

analyze_test.go

@@ -45,7 +45,7 @@ func TestAnalyze(t *testing.T) {
 			// the state directive should only be in the "good" contexts
 			if _, ok := goodMap[key]; !ok {
 				actx := blockCtx(strings.Split(key, ">"))
-				if err := analyze(fname, stmt, ";", actx, &ParseOptions{}); err == nil {
+				if err := analyze(fname, stmt, ";", actx, &ParseOptions{DirectiveSources: []MatchFunc{MatchNginxPlusR33}}); err == nil {
 					t.Fatalf("expected error to not be nil: %v", err)
 				} else if e, ok := err.(*ParseError); !ok {
 					t.Fatalf("error was not a ParseError: %v", err)
@@ -106,7 +106,7 @@ func TestAnalyze_auth_jwt(t *testing.T) {
 		tc := tc
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
-			err := analyze("nginx.conf", tc.stmt, ";", tc.ctx, &ParseOptions{})
+			err := analyze("nginx.conf", tc.stmt, ";", tc.ctx, &ParseOptions{DirectiveSources: []MatchFunc{MatchNginxPlusR33}})
 
 			if !tc.wantErr && err != nil {
 				t.Fatal(err)
@@ -159,7 +159,7 @@ func TestAnalyze_auth_jwt_require(t *testing.T) {
 		tc := tc
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
-			err := analyze("nginx.conf", tc.stmt, ";", tc.ctx, &ParseOptions{})
+			err := analyze("nginx.conf", tc.stmt, ";", tc.ctx, &ParseOptions{DirectiveSources: []MatchFunc{MatchNginxPlusR33}})
 
 			if !tc.wantErr && err != nil {
 				t.Fatal(err)
@@ -531,7 +531,7 @@ func TestAnalyze_zone_sync(t *testing.T) {
 		tc := tc
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
-			err := analyze("nginx.conf", tc.stmt, ";", tc.ctx, &ParseOptions{})
+			err := analyze("nginx.conf", tc.stmt, ";", tc.ctx, &ParseOptions{DirectiveSources: []MatchFunc{MatchNginxPlusR33}})
 			if !tc.wantErr && err != nil {
 				t.Fatal(err)
 			}
@@ -2338,7 +2338,7 @@ func TestAnalyze_mgmt(t *testing.T) {
 		tc := tc
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
-			err := analyze("nginx.conf", tc.stmt, ";", tc.ctx, &ParseOptions{})
+			err := analyze("nginx.conf", tc.stmt, ";", tc.ctx, &ParseOptions{DirectiveSources: []MatchFunc{MatchNginxPlusR33}})
 			if !tc.wantErr && err != nil {
 				t.Fatal(err)
 			}
@@ -2593,6 +2593,7 @@ func TestAnalyze_directiveSources_defaultBehavior(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 			err := analyze("nginx.conf", tc.stmt, ";", tc.ctx, &ParseOptions{
+				DirectiveSources:         []MatchFunc{MatchNginxPlusR33},
 				ErrorOnUnknownDirectives: true,
 			})
 
@@ -2617,7 +2618,7 @@ func TestAnalyze_limit_req_zone(t *testing.T) {
 		"limit_req_zone_4_args_nplus_latest": {
 			args:    []string{"$binary_remote_addr", "zone=one:10m", "rate=1r/s", "sync"},
 			sources: []MatchFunc{MatchNginxPlusLatest},
-			wantErr: false,
+			wantErr: true,
 		},
 		"limit_req_zone_3_args_nplus_latest": {
 			args:    []string{"$binary_remote_addr", "zone=one:10m", "rate=1r/s"},
@@ -2636,7 +2637,7 @@ func TestAnalyze_limit_req_zone(t *testing.T) {
 		},
 		"limit_req_zone_4_args_default_sources": {
 			args:    []string{"$binary_remote_addr", "zone=one:10m", "rate=1r/s", "sync"},
-			wantErr: false,
+			wantErr: true,
 		},
 		"limit_req_zone_3_args_default_sources": {
 			args:    []string{"$binary_remote_addr", "zone=one:10m", "rate=1r/s"},
@@ -2795,3 +2796,118 @@ func TestAnalyze_geoip2(t *testing.T) {
 		})
 	}
 }
+
+//nolint:funlen
+func TestAnalyze_oidc(t *testing.T) {
+	t.Parallel()
+	testcases := map[string]struct {
+		stmt    *Directive
+		ctx     blockCtx
+		wantErr bool
+	}{
+		"oidc ok": {
+			&Directive{
+				Directive: "oidc_provider",
+				Args:      []string{"my_idp"},
+				Line:      5,
+				Block: Directives{
+					{
+						Directive: "issuer",
+						Args:      []string{"https://provider.domain"},
+						Line:      6,
+						Block:     Directives{},
+					},
+					{
+						Directive: "client_id",
+						Args:      []string{"unique_id"},
+						Line:      7,
+						Block:     Directives{},
+					},
+					{
+						Directive: "client_secret",
+						Args:      []string{"unique_secret"},
+						Line:      8,
+						Block:     Directives{},
+					},
+				},
+			},
+			blockCtx{"http"},
+			false,
+		},
+
+		"oidc not ok": {
+			&Directive{
+				Directive: "oidc_provider",
+				Args:      []string{"my_idp"},
+				Line:      5,
+				Block: Directives{
+					{
+						Directive: "issuer",
+						Args:      []string{"https://provider.domain"},
+						Line:      6,
+						Block:     Directives{},
+					},
+					{
+						Directive: "client_id",
+						Args:      []string{"unique_id"},
+						Line:      7,
+						Block:     Directives{},
+					},
+					{
+						Directive: "client_secret",
+						Args:      []string{"unique_secret"},
+						Line:      8,
+						Block:     Directives{},
+					},
+				},
+			},
+			blockCtx{"stream"},
+			true,
+		},
+		"auth_oidc ok": {
+			&Directive{
+				Directive: "auth_oidc",
+				Args:      []string{"my_idp"},
+				Line:      5,
+			},
+			blockCtx{"http"},
+			false,
+		},
+		"auth_oidc args not ok": {
+			&Directive{
+				Directive: "auth_oidc",
+				Args:      []string{"my_idp", "my_realm"},
+				Line:      5,
+			},
+			blockCtx{"http"},
+			true,
+		},
+		"auth_oidc not ok": {
+			&Directive{
+				Directive: "auth_oidc",
+				Args:      []string{"203.0.113.0/24"},
+				Line:      5,
+			},
+			blockCtx{"stream"},
+			true,
+		},
+	}
+
+	for name, tc := range testcases {
+		tc := tc
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+			err := analyze("nginx.conf", tc.stmt, ";", tc.ctx, &ParseOptions{
+				DirectiveSources: []MatchFunc{MatchNginxPlusR34},
+			})
+
+			if !tc.wantErr && err != nil {
+				t.Fatal(err)
+			}
+
+			if tc.wantErr && err == nil {
+				t.Fatal("expected error, got nil")
+			}
+		})
+	}
+}

parse_test.go

@@ -2024,7 +2024,11 @@ var parseFixtures = []parseFixture{
 			},
 		},
 	}},
-	{"limit-req-zone", "", ParseOptions{SingleFile: true}, Payload{
+	{"limit-req-zone", "", ParseOptions{
+		SingleFile:               true,
+		ErrorOnUnknownDirectives: true,
+		DirectiveSources:         []MatchFunc{MatchNginxPlusR33},
+	}, Payload{
 		Status: "ok",
 		Errors: []PayloadError{},
 		Config: []Config{
@@ -2297,6 +2301,85 @@ var parseFixtures = []parseFixture{
 			},
 		},
 	}},
+	{"oidc", "", ParseOptions{
+		SingleFile:               true,
+		ErrorOnUnknownDirectives: true,
+		DirectiveSources:         []MatchFunc{MatchNginxPlusR34},
+	}, Payload{
+		Status: "ok",
+		Errors: []PayloadError{},
+		Config: []Config{
+			{
+				File:   getTestConfigPath("oidc", "nginx.conf"),
+				Status: "ok",
+				Parsed: Directives{
+					{
+						Directive: "http",
+						Line:      1,
+						Args:      []string{},
+						Block: Directives{
+							{
+								Directive: "oidc_provider",
+								Line:      2,
+								Args:      []string{"my_idp"},
+								Block: Directives{
+									{
+										Directive:           "issuer",
+										Args:                []string{"https://provider.domain"},
+										Line:                3,
+										Block:               Directives{},
+										IsMapBlockParameter: true,
+									},
+									{
+										Directive:           "client_id",
+										Args:                []string{"unique_id"},
+										Line:                4,
+										Block:               Directives{},
+										IsMapBlockParameter: true,
+									},
+									{
+										Directive:           "client_secret",
+										Args:                []string{"unique_secret"},
+										Line:                5,
+										Block:               Directives{},
+										IsMapBlockParameter: true,
+									},
+								},
+							},
+							{
+								Directive: "server",
+								Line:      7,
+								Args:      []string{},
+								Block: Directives{
+									{
+										Directive: "auth_oidc",
+										Line:      8,
+										Args:      []string{"my_idp"},
+										Block:     Directives{},
+									},
+									{
+										Directive: "location",
+										Line:      9,
+										Args:      []string{"/"},
+										Block: Directives{
+											{
+												Directive: "return",
+												Line:      10,
+												Args: []string{
+													"200",
+													"Hello",
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}},
 }
 
 func TestParse(t *testing.T) {

testdata/configs/oidc/nginx.conf

@@ -0,0 +1,13 @@
+http {
+    oidc_provider my_idp {
+        issuer        "https://provider.domain";
+        client_id     "unique_id";
+        client_secret "unique_secret";
+    }
+    server {
+        auth_oidc my_idp;
+        location / {
+            return 200 "Hello";
+        }
+    }
+}