only set headers for sub and email if they exist in the jet (TeslaGov#29)

Author: fitzyjoe

build.sh

@@ -20,6 +20,8 @@ MACHINE_IP=`docker-machine ip`
 docker cp ${CONTAINER_ID}:/usr/lib64/nginx/modules/ngx_http_auth_jwt_module.so .
 
 VALIDJWT=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.TvDD63ZOqFKgE-uxPDdP5aGIsbl5xPKz4fMul3Zlti4
+MISSING_SUB_JWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmaXJzdE5hbWUiOiJoZWxsbyIsImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwicm9sZXMiOlsidGhpcyIsInRoYXQiLCJ0aGVvdGhlciJdLCJpc3MiOiJpc3N1ZXIiLCJwZXJzb25JZCI6Ijc1YmIzY2M3LWI5MzMtNDRmMC05M2M2LTE0N2IwODJmYWRiNSIsImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.lD6jUsazVtzeGhRTNeP_b2Zs6O798V2FQql11QOEI1Q
+MISSING_EMAIL_JWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwibGFzdE5hbWUiOiJ3b3JsZCIsInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwiaXNzIjoiaXNzdWVyIiwicGVyc29uSWQiOiI3NWJiM2NjNy1iOTMzLTQ0ZjAtOTNjNi0xNDdiMDgyZmFkYjUiLCJleHAiOjE5MDg4MzUyMDAsImlhdCI6MTQ4ODgxOTYwMCwidXNlcm5hbWUiOiJoZWxsby53b3JsZCJ9.tJoAl_pvq95hK7GKqsp5TU462pLTbmSYZc1fAHzcqWM
 
 TEST_INSECURE_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000 -H 'cache-control: no-cache'`
 if [ "$TEST_INSECURE_EXPECT_200" -eq "200" ];then
@@ -62,3 +64,19 @@ if [ "$TEST_SECURE_NO_REDIRECT_EXPECT_401" -eq "401" ];then
 else
   echo -e "${RED}Secure test without jwt no redirect fail ${TEST_SECURE_NO_REDIRECT_EXPECT_401}${NONE}";
 fi
+
+TEST_WITH_NO_SUB_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html -H 'cache-control: no-cache' --cookie "rampartjwt=${MISSING_SUB_JWT}"`
+if [ "$TEST_WITH_NO_SUB_EXPECT_200" -eq "200" ];then
+  echo -e "${GREEN}Secure test with jwt cookie pass ${TEST_WITH_NO_SUB_EXPECT_200}${NONE}";
+else
+  echo -e "${RED}Secure test with jwt cookie fail ${TEST_WITH_NO_SUB_EXPECT_200}${NONE}";
+fi
+
+TEST_WITH_NO_EMAIL_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html -H 'cache-control: no-cache' --cookie "rampartjwt=${MISSING_EMAIL_JWT}"`
+if [ "$TEST_WITH_NO_EMAIL_EXPECT_200" -eq "200" ];then
+  echo -e "${GREEN}Secure test with jwt cookie pass ${TEST_WITH_NO_EMAIL_EXPECT_200}${NONE}";
+else
+  echo -e "${RED}Secure test with jwt cookie fail ${TEST_WITH_NO_EMAIL_EXPECT_200}${NONE}";
+fi
+
+

src/ngx_http_auth_jwt_module.c

@@ -176,16 +176,22 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 	{
 		ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "the jwt does not contain a subject");
 	}
-	sub_t = ngx_char_ptr_to_str_t(r->pool, (char *)sub);
-	set_custom_header_in_headers_out(r, &useridHeaderName, &sub_t);
+	else
+	{
+		sub_t = ngx_char_ptr_to_str_t(r->pool, (char *)sub);
+		set_custom_header_in_headers_out(r, &useridHeaderName, &sub_t);
+	}
 
 	email = jwt_get_grant(jwt, "emailAddress");
 	if (email == NULL)
 	{
 		ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "the jwt does not contain an email address");
 	}
-	email_t = ngx_char_ptr_to_str_t(r->pool, (char *)email);
-	set_custom_header_in_headers_out(r, &emailHeaderName, &email_t);
+	else
+	{
+		email_t = ngx_char_ptr_to_str_t(r->pool, (char *)email);
+		set_custom_header_in_headers_out(r, &emailHeaderName, &email_t);
+	}
 
 	return NGX_OK;