5.2.1 (#77)

fabriziofiorucci · web-flow · commit e8c7b01c87c6 · 2025-01-30T13:05:55.000Z
* 20241204 - Postman collection updated

* Postman collection fix

* 20250122 - Postman collection fixes

* 20250130-01 DNS resolution check added

* 20250130-02 Support for pre-existing NGINX Plus R33+ license tokens
diff --git a/USAGE-v5.2.md b/USAGE-v5.2.md
@@ -11,7 +11,7 @@ The JSON schema is self explanatory. See also the [sample Postman collection](/c
 
 - `.output.license` defines the JWT license to use for NGINX Plus R33+
   - `.output.license.endpoint` the usage reporting endpoint (defaults to `product.connect.nginx.com`). NGINX Instance Manager address can be used here
-  - `.output.license.token` the JWT license token
+  - `.output.license.token` the JWT license token. If this field is omitted, it is assumed that a `/etc/nginx/license.jwt` token already exists on the instance and it won't be replaced
   - `.output.license.ssl_verify` set to `false` to trust all SSL certificates (not recommended). Useful for reporting to NGINX Instance Manager without a local PKI.
   - `.output.license.grace_period` Set to 'true' to begin the 180-day reporting enforcement grace period. Reporting must begin or resume before the end of the grace period to ensure continued operation
 - `.output.type` defines how NGINX configuration will be returned:
diff --git a/contrib/postman/NGINX Declarative API.postman_collection.json b/contrib/postman/NGINX Declarative API.postman_collection.json
@@ -1,11 +1,11 @@
 {
 	"info": {
-		"_postman_id": "c988529a-6e79-45c2-8c6a-b60b9aac92ba",
+		"_postman_id": "3beaacd9-6fff-4a51-a64e-24efdad57e6a",
 		"name": "NGINX Declarative API",
 		"description": "Declarative REST API and GitOps automation layer for NGINX Instance Manager and NGINX One Console\n\n[https://github.com/f5devcentral/NGINX-Declarative-API/](https://github.com/f5devcentral/NGINX-Declarative-API/)",
 		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
 		"_exporter_id": "1667416",
-		"_collection_link": "https://orange-rocket-1353.postman.co/workspace/NGINX-Declarative-API~8ba6e9c1-a04b-4484-8193-bbb142560553/collection/1667416-c988529a-6e79-45c2-8c6a-b60b9aac92ba?action=share&source=collection_link&creator=1667416"
+		"_collection_link": "https://orange-rocket-1353.postman.co/workspace/NGINX-Declarative-API~8ba6e9c1-a04b-4484-8193-bbb142560553/collection/1667416-3beaacd9-6fff-4a51-a64e-24efdad57e6a?action=share&source=collection_link&creator=1667416"
 	},
 	"item": [
 		{
@@ -7293,7 +7293,18 @@
 														"method": "GET",
 														"header": [],
 														"url": {
-															"raw": ""
+															"raw": "https://apigw.nginx.lab/petstore/store/inventory",
+															"protocol": "https",
+															"host": [
+																"apigw",
+																"nginx",
+																"lab"
+															],
+															"path": [
+																"petstore",
+																"store",
+																"inventory"
+															]
 														}
 													},
 													"response": []
@@ -7332,7 +7343,24 @@
 														"method": "GET",
 														"header": [],
 														"url": {
-															"raw": ""
+															"raw": "https://apigw.nginx.lab/petstore/store/inventory?<script>alert();</script>",
+															"protocol": "https",
+															"host": [
+																"apigw",
+																"nginx",
+																"lab"
+															],
+															"path": [
+																"petstore",
+																"store",
+																"inventory"
+															],
+															"query": [
+																{
+																	"key": "<script>alert();</script>",
+																	"value": null
+																}
+															]
 														}
 													},
 													"response": []
@@ -7343,7 +7371,18 @@
 														"method": "GET",
 														"header": [],
 														"url": {
-															"raw": ""
+															"raw": "https://apigw.nginx.lab/petstore/user/login",
+															"protocol": "https",
+															"host": [
+																"apigw",
+																"nginx",
+																"lab"
+															],
+															"path": [
+																"petstore",
+																"user",
+																"login"
+															]
 														}
 													},
 													"response": []
@@ -7364,7 +7403,18 @@
 														"method": "GET",
 														"header": [],
 														"url": {
-															"raw": ""
+															"raw": "https://apigw.nginx.lab/petstore/user/login",
+															"protocol": "https",
+															"host": [
+																"apigw",
+																"nginx",
+																"lab"
+															],
+															"path": [
+																"petstore",
+																"user",
+																"login"
+															]
 														}
 													},
 													"response": []
@@ -11821,4 +11871,4 @@
 			"type": "string"
 		}
 	]
-}
+}
diff --git a/src/V5_2_CreateConfig.py b/src/V5_2_CreateConfig.py
@@ -23,7 +23,7 @@
 import v5_2.DeclarationPatcher
 import v5_2.GitOps
 import v5_2.MiscUtils
-import v5_2.NMSOutput
+import v5_2.NIMOutput
 import v5_2.NGINXOneOutput
 
 # NGINX App Protect helper functions
@@ -639,7 +639,7 @@ def createconfig(declaration: ConfigDeclaration, apiversion: str, runfromautosyn
         # NGINX auxiliary files for staged config
         auxFiles['rootDir'] = NcgConfig.config['nms']['config_dir']
 
-        finalReply = v5_2.NMSOutput.NMSOutput(d = d, declaration = declaration, apiversion = apiversion,
+        finalReply = v5_2.NIMOutput.NIMOutput(d = d, declaration = declaration, apiversion = apiversion,
                                  b64HttpConf = b64HttpConf, b64StreamConf = b64StreamConf,
                                  configFiles = configFiles,
                                  auxFiles = auxFiles,
diff --git a/src/V5_2_NginxConfigDeclaration.py b/src/V5_2_NginxConfigDeclaration.py
@@ -136,7 +136,7 @@ class OutputNGINXOne(BaseModel, extra="forbid"):
 
 class License(BaseModel, extra="forbid"):
     endpoint: str = "product.connect.nginx.com"
-    token: str = ""
+    token: Optional[str] = ""
     ssl_verify: bool = True
     grace_period: bool = False
 
diff --git a/src/v5_2/MiscUtils.py b/src/v5_2/MiscUtils.py
@@ -6,13 +6,12 @@
 import json
 import yaml
 import uuid
+import socket
 
 
+# Searches for a nested key in a dictionary and returns its value, or None if nothing was found.
+# key_lookup must be a string where each key is deparated by a given "separator" character, which by default is a dot
 def getDictKey(_dict: dict, key_lookup: str, separator='.'):
-    """
-        Searches for a nested key in a dictionary and returns its value, or None if nothing was found.
-        key_lookup must be a string where each key is deparated by a given "separator" character, which by default is a dot
-    """
     keys = key_lookup.split(separator)
     subdict = _dict
 
@@ -23,38 +22,38 @@ def getDictKey(_dict: dict, key_lookup: str, separator='.'):
 
     return subdict
 
-"""
-Jinja2 regexp filter
-"""
+# Jinja2 regexp filter
 def regex_replace(s, find, replace):
     return re.sub(find, replace, s)
 
-"""
-JSON/YAML detection
-"""
+# JSON/YAML detection
 def yaml_or_json(document: str):
     try:
         json.load(document)
         return 'json'
     except Exception:
         return 'yaml'
 
-"""
-YAML to JSON conversion
-"""
+# YAML to JSON conversion
 def yaml_to_json(document: str):
     return json.dumps(yaml.safe_load(document))
 
 
-"""
-JSON TO YAML conversion
-"""
+# JSON TO YAML conversion
 def json_to_yaml(document: str):
     return yaml.dump(json.loads(document))
 
 
-"""
-Returns a unique ID
-"""
+# Returns a unique ID
 def getuniqueid():
-    return uuid.uuid4()
+    return uuid.uuid4()
+
+
+# Test DNS resolution
+# Returns {True,IP address} if successful and {False,error description} for NXDOMAIN/if DNS resolution failed
+def resolveFQDN(fqdn:str):
+  try:
+    return True,socket.gethostbyname(fqdn)
+  except Exception as e:
+    return False,e
+
diff --git a/src/v5_2/NGINXOneOutput.py b/src/v5_2/NGINXOneOutput.py
@@ -20,7 +20,6 @@
 import v5_2.DeclarationPatcher
 import v5_2.GitOps
 import v5_2.MiscUtils
-import v5_2.NMSOutput
 
 # pydantic models
 from V5_2_NginxConfigDeclaration import *
@@ -55,6 +54,14 @@ def NGINXOneOutput(d, declaration: ConfigDeclaration, apiversion: str, b64HttpCo
                                                             "content": f"invalid NGINX One URL {nOneUrlFromJson}"}},
                 "headers": {'Content-Type': 'application/json'}}
 
+    # DNS resolution check
+    dnsOutcome, dnsReply = v5_2.MiscUtils.resolveFQDN(urlCheck.netloc)
+    if not dnsOutcome:
+        return {"status_code": 400,
+                "message": {"status_code": 400, "message": {"code": 400,
+                                                            "content": f"DNS resolution failed for {urlCheck.netloc}: {dnsReply}"}},
+                "headers": {'Content-Type': 'application/json'}}
+
     nOneUrl = f"{urlCheck.scheme}://{urlCheck.netloc}"
 
     if nOneSynctime < 0:
@@ -170,10 +177,14 @@ def NGINXOneOutput(d, declaration: ConfigDeclaration, apiversion: str, b64HttpCo
 
     # Append config files to staged configuration
     configFiles['files'].append(filesNginxMain)
-    configFiles['files'].append(filesLicenseFile)
     configFiles['files'].append(filesHttpConf)
     configFiles['files'].append(filesStreamConf)
 
+    # If no R33+ license token was specified in the JSON declaration, it is assumed a token already exists
+    # on the NGINX instances and it won't be overwritten
+    if v5_2.MiscUtils.getDictKey(d, 'output.license.token') != "":
+        configFiles['files'].append(filesLicenseFile)
+
     # Staged config
     baseStagedConfig = {'aux': [ { 'files': configFiles } ] }
     #stagedConfig = {'conf_path': NcgConfig.config['nms']['config_dir'] + '/nginx.conf',
diff --git a/src/v5_2/NIMOutput.py b/src/v5_2/NIMOutput.py
@@ -20,7 +20,7 @@
 import v5_2.DeclarationPatcher
 import v5_2.GitOps
 import v5_2.MiscUtils
-import v5_2.NMSOutput
+import v5_2.NIMOutput
 
 # pydantic models
 from V5_2_NginxConfigDeclaration import *
@@ -34,7 +34,7 @@
 from NcgConfig import NcgConfig
 from NcgRedis import NcgRedis
 
-def NMSOutput(d, declaration: ConfigDeclaration, apiversion: str, b64HttpConf: str,
+def NIMOutput(d, declaration: ConfigDeclaration, apiversion: str, b64HttpConf: str,
               b64StreamConf: str,configFiles = {}, auxFiles = {},
               runfromautosync: bool = False,
               configUid: str = ""):
@@ -54,6 +54,14 @@ def NMSOutput(d, declaration: ConfigDeclaration, apiversion: str, b64HttpConf: s
                                                             "content": f"invalid NGINX Instance Manager URL {nmsUrlFromJson}"}},
                 "headers": {'Content-Type': 'application/json'}}
 
+    # DNS resolution check
+    dnsOutcome, dnsReply = v5_2.MiscUtils.resolveFQDN(urlCheck.netloc)
+    if not dnsOutcome:
+        return {"status_code": 400,
+                "message": {"status_code": 400, "message": {"code": 400,
+                                                            "content": f"DNS resolution failed for {urlCheck.netloc}: {dnsReply}"}},
+                "headers": {'Content-Type': 'application/json'}}
+
     nmsUrl = f"{urlCheck.scheme}://{urlCheck.netloc}"
 
     if nmsSynctime < 0:
@@ -180,10 +188,14 @@ def NMSOutput(d, declaration: ConfigDeclaration, apiversion: str, b64HttpConf: s
 
     # Append config files to staged configuration
     configFiles['files'].append(filesNginxMain)
-    configFiles['files'].append(filesLicenseFile)
     configFiles['files'].append(filesHttpConf)
     configFiles['files'].append(filesStreamConf)
 
+    # If no R33+ license token was specified in the JSON declaration, it is assumed a token already exists
+    # on the NGINX instances and it won't be overwritten
+    if v5_2.MiscUtils.getDictKey(d, 'output.license.token') != "":
+        configFiles['files'].append(filesLicenseFile)
+
     # Staged config
     baseStagedConfig = {'auxFiles': auxFiles, 'configFiles': configFiles}
     stagedConfig = {'auxFiles': auxFiles, 'configFiles': configFiles,
