SmartArray
diff --git a/‎Dockerfile
Lines changed: 1 addition & 1 deletion b/‎Dockerfile
Lines changed: 1 addition & 1 deletion
diff --git a/‎Dockerfile-test-nginx
Lines changed: 0 additions & 10 deletions b/‎Dockerfile-test-nginx
Lines changed: 0 additions & 10 deletions
diff --git a/‎Makefile
Lines changed: 0 additions & 73 deletions b/‎Makefile
Lines changed: 0 additions & 73 deletions
diff --git a/‎README.md
Lines changed: 92 additions & 50 deletions b/‎README.md
Lines changed: 92 additions & 50 deletions
diff --git a/‎docker-compose-test.yml
Lines changed: 0 additions & 20 deletions b/‎docker-compose-test.yml
Lines changed: 0 additions & 20 deletions
diff --git a/‎resources/nginx.conf
Lines changed: 7 additions & 15 deletions b/‎resources/nginx.conf
Lines changed: 7 additions & 15 deletions
@@ -29,7 +29,7 @@ RUN set -x \
 FROM nginx:${NGINX_VERSION}
 LABEL stage=builder
 RUN apt-get update \
-    && apt-get -y install libjansson4 libjwt0 \
+	&& apt-get -y install libjansson4 libjwt0 \
 	&& cd /etc/nginx \
 	&& cp nginx.conf nginx.conf.orig \
 	&& sed -ri '/pid\s+\/var\/run\/nginx\.pid;$/a load_module \/usr\/lib64\/nginx\/modules\/ngx_http_auth_jwt_module\.so;' nginx.conf
 
@@ -1,58 +1,96 @@
 # Intro
+
 This is an NGINX module to check for a valid JWT and proxy to an upstream server or redirect to a login page.
 
 ## Building and testing
+
 To build the Docker image, start NGINX, and run our Bash test against it, run
 
 ```bash
-make
+./scripts.sh all
 ```
 
-When you make a change to the module, run `make rebuild-nginx`.
+When you make a change to the module or the NGINX test config, run `./scripts.sh rebuild_nginx` to rebuild the NGINX Docker image.
 
-When you make a change to `test.sh`, run `make rebuild-test-runner`.
+When you make a change to `test.sh`, run `./scripts.sh rebuild_test_runner test` to rebuild the test runner image and run the tests.
 
-| Command                    | Description                                                       |
-| -------------------------- |:-----------------------------------------------------------------:|
-| `make build-nginx`         | Builds the NGINX image                                            |
-| `make rebuild-nginx`       | Re-builds the NGINX image                                         |
-| `make build-test-runner`   | Builds the images used by the test stack (uses Docker compose)    |
-| `make rebuild-test-runner` | Re-builds the images used by the test stack                       |
-| `make start-nginx`         | Starts the NGINX container                                        |
-| `make stop-nginx`          | Stops the NGINX container                                         |
-| `make test`                | Runs `test.sh` against the NGINX container (uses Docker compose)  |
+The `./scripts.sh` file contains multiple commands to make things easy:
 
-The image produced with `make build-nginx` only differs from the official Nginx image in two ways: the module itself and the nginx.conf configuration entry that loads it.
+| Command               | Description                                                       |
+| --------------------- | ----------------------------------------------------------------- |
+| `build_nginx`         | Builds the NGINX image.                                           |
+| `rebuild_nginx`       | Re-builds the NGINX image.                                        |
+| `start_nginx`         | Starts the NGINX container.                                       |
+| `stop_nginx`          | Stops the NGINX container.                                        |
+| `cp_bin`              | Copies the compiled binaries out of the NGINX container.          |
+| `build_test_runner`   | Builds the images used by the test stack (uses Docker compose).   |
+| `rebuild_test_runner` | Re-builds the images used by the test stack.                      |
+| `test`                | Runs `test.sh` against the NGINX container (uses Docker compose). |
 
-The tests use a customized Nginx image, distinct from the main image, as well as a test runner image.  By running `make test`, the two test containers will be created up with Docker compose, started, and the tests run.  At the end, both containers will be automatically stopped and destroyed.
+You can run multiple commands in sequence by separating them with a space, e.g.:
 
-This project is 100% Docker-ized.
+```shell
+./scripts.sh rebuild_nginx rebuild_test_runner test
+```
 
-## Dependencies
-This module depends on the [JWT C Library](https://github.com/benmcollins/libjwt)
+The image produced with `./scripts.sh build_nginx` only differs from the official NGINX image in two ways:
+ - the JWT module itself, and
+ - the `nginx.conf` file is overwritten with our own.
 
-Transitively, that library depends on a JSON Parser called
-[Jansson](https://github.com/akheron/jansson) as well as the OpenSSL library.
+The tests use a customized NGINX image, distinct from the main image, as well as a test runner image. By running `./scripts.sh test`, the two test containers will be stood up via Docker compose, then they'll be started, and the tests will run. At the end of the test run, both containers will be automatically stopped and destroyed. See below to learn how to trace test failures across runs.
 
-## NGINX Directives
-This module requires several new `nginx.conf` directives,
-which can be specified in on the `main` `server` or `___location` level.
+### Tracing test failures
+
+After making changes and finding that some tests fail, it can be difficult to understand why. By default, logs are written to Docker's internal log mechanism, but they won't be persisted after the test run completes and the containers are removed.
+
+In order to persist logs, you can configure the log driver to use. You can do this by setting the environment variable `LOG_DRIVER` before running the tests. On Linux/Unix systems, you can use the driver `journald`, as follows:
+
+```shell
+# need to rebuild the test runner with the proper log driver
+LOG_DRIVER=journald ./scripts.sh rebuild_test_runner
 
+# run the tests
+./scripts.sh test
+
+# check the logs
+journalctl -eu docker CONTAINER_NAME=jwt-nginx-test
 ```
-auth_jwt_key "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"; # see docs for format based on algorithm
-auth_jwt_loginurl "https://yourdomain.com/loginpage";
-auth_jwt_enabled on;
-auth_jwt_algorithm HS256;    # or RS256
-auth_jwt_extract_sub on;     # or off
-auth_jwt_validate_email on;  # or off
-auth_jwt_use_keyfile off;    # or on
-auth_jwt_keyfile_path "/app/pub_key";
+
+Now you'll be able to see logs from previous test runs. The best way to make use of this  is to open two terminals, one where you run the tests, and one where you follow the logs:
+
+```shell
+# terminal 1
+./scripts.sh test
+
+# terminal 2
+journalctl -fu docker CONTAINER_NAME=jwt-nginx-test
 ```
 
-The default algorithm is 'HS256', for symmetric key validation.  When using HS256, the value for `auth_jwt_key` should be specified in binhex format.  It is recommended to use at least 256 bits of data (32 pairs of hex characters or 64 characters in total) as in the example above.  Note that using more than 512 bits will not increase the security.  For key guidelines please see NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms, Section 5.3.2 The HMAC Key.
+## Dependencies
+
+This module depends on the [JWT C Library](https://github.com/benmcollins/libjwt). Transitively, that library depends on a JSON Parser called [Jansson](https://github.com/akheron/jansson) as well as the OpenSSL library.
+
+## NGINX Directives
+This module requires several new `nginx.conf` directives, which can be specified at the `http`, `server`, or `___location` levels.
+
+| Directive                  | Description                                                                                                        |
+| -------------------------- | ------------------------------------------------------------------------------------------------------------------ |
+| `auth_jwt_key`             | The key to use to decode/verify the JWT -- see below.                                                              |
+| `auth_jwt_redirect`        | Set to "on" to redirect to `auth_jwt_loginurl` if authentication fails.                                            |
+| `auth_jwt_loginurl`        | The URL to redirect to if `auth_jwt_redirect` is enabled and authentication fails.                                 |
+| `auth_jwt_enabled`         | Set to "on" to enable JWT checking.                                                                                |
+| `auth_jwt_algorithm`       | The algorithm to use. One of: HS256, HS384, HS512, RS256, RS384, RS512                                             |
+| `auth_jwt_extract_sub`     | Set to "on" to extract the `sub` claim (e.g. user id) from the JWT and into the `x-userid` header on the response. |
+| `auth_jwt_validate_email`  | Set to "on" to extract the `emailAddress` claim from the JWT and into the `x-email` header on the response.        |
+| `auth_jwt_use_keyfile`     | Set to "on" to read the key from a file rather than from the `auth_jwt_key` directive.                             |
+| `auth_jwt_keyfile_path`    | Set to the path from which the key should be read when `auth_jwt_use_keyfile` is enabled.                          |
+
+
+The default algorithm is `HS256`, for symmetric key validation. When using one of the `HS*` algorithms, the value for `auth_jwt_key` should be specified in binhex format. It is recommended to use at least 256 bits of data (32 pairs of hex characters or 64 characters in total) as in the example above. Note that using more than 512 bits will not increase the security. For key guidelines please see [NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms](https://csrc.nist.gov/publications/detail/sp/800-107/rev-1/final), Section 5.3.2 The HMAC Key.
+
+The configuration also supports RSA public key validation via (e.g.) `auth_jwt_algorithm RS256`. When using the `RS*` alhorithms, the `auth_jwt_key` field must be set to your public key **OR** `auth_jwt_use_keyfile` should be set to `on` and `auth_jwt_keyfile_path` should point to the public key on disk. NGINX won't start if `auth_jwt_use_keyfile` is set to `on` and a key file is not provided.
 
-The configuration also supports the `auth_jwt_algorithm` 'RS256', for RSA 256-bit public key validation. If using "auth_jwt_algorithm RS256;", then the `auth_jwt_key` field must be set to your public key **OR** `auth_jwt_use_keyfile` should be set to `on` with the `auth_jwt_keyfile_path` set to the public key path (nginx won't start if the `auth_jwt_use_keyfile` is set to `on` without a keyfile).
-That is the public key, rather than a PEM certificate.  I.e.:
+When using an `RS*` algorithm with an inline key, be sure to set `auth_jwt_key` to the _public key_, rather than a PEM certificate. E.g.:
 
 ```
 auth_jwt_key "-----BEGIN PUBLIC KEY-----
@@ -66,40 +104,44 @@ oQIDAQAB
 -----END PUBLIC KEY-----";
 ```
 
-**OR**
+When using an `RS*` algorithm with a public key file, do as follows:
 
 ```
 auth_jwt_use_keyfile on;
-auth_jwt_keyfile_path "/etc/nginx/pub_key.pem";
+auth_jwt_keyfile_path "/path/to/pub_key.pem";
 ```
 
-A typical use would be to specify the key and loginurl on the main level
-and then only turn on the locations that you want to secure (not the login page).
-Unauthorized requests are given 302 "Moved Temporarily" responses with a ___location of the specified loginurl.
+A typical use would be to specify the key and login URL at the `http` level, and then only turn JWT authentication on for the locations which you want to secure. Unauthorized requests result in a 302 "Moved Temporarily" response with the `Location` header set to the URL specified in the `auth_jwt_loginurl` directive, and a querystring parameter `return_url` whose value is the current / attempted URL.
+
+If you prefer to return `401 Unauthorized` rather than redirect, you may turn `auth_jwt_redirect` off:
 
 ```
-auth_jwt_redirect            off;
+auth_jwt_redirect off;
 ```
-If you prefer to return 401 Unauthorized, you may turn `auth_jwt_redirect` off.
+
+By default the authorization header is used to provide a JWT for validation. However, you may use the `auth_jwt_validation_type` configuration to specify the name of a cookie that provides the JWT:
 
 ```
-auth_jwt_validation_type AUTHORIZATION;
 auth_jwt_validation_type COOKIE=jwt;
 ```
-By default the authorization header is used to provide a JWT for validation.
-However, you may use the `auth_jwt_validation_type` configuration to specify the name of a cookie that provides the JWT.
 
-```
-auth_jwt_extract_sub
-```
 By default, the module will attempt to extract the `sub` claim (e.g. the user's id) from the JWT. If successful, the 
 value will be set in the `x-userid` HTTP header. An error will be logged if this option is enabled and the JWT does not 
-contain the `sub` claim.
+contain the `sub` claim. You may disable this option as follows:
 
 ```
-auth_jwt_validate_email off;
+auth_jwt_extract_sub off
 ```
+
 By default, the module will attempt to validate the email address field of the JWT, then set the x-email header of the
-session, and will log an error if it isn't found.  To disable this behavior, for instance if you are using a different
+session, and will log an error if it isn't found. To disable this behavior, for instance if you are using a different
 user identifier property such as `sub`, set `auth_jwt_validate_email` to the value `off`. _Note that this flag may be 
-renamed to `auth_jwt_extract_email` in a future release._
+renamed to `auth_jwt_extract_email` in a future release._ You may disable this option as follows:
+
+```
+auth_jwt_validate_email off;
+```
+
+## Contributing
+
+If you'd like to contribute to this repository, please first initiate the Git hooks by running `./bin/init` -- this will ensure that tests are run before you push your changes.
@@ -1,33 +1,25 @@
-
 user  nginx;
 worker_processes  auto;
 
 error_log  /var/log/nginx/error.log notice;
 pid        /var/run/nginx.pid;
 load_module /usr/lib64/nginx/modules/ngx_http_auth_jwt_module.so;
 
-
 events {
     worker_connections  1024;
 }
 
-
 http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
+    include  /etc/nginx/mime.types;
+    default_type application/octet-stream;
 
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    log_format main  '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
+    access_log /var/log/nginx/access.log  main;
 
-    access_log  /var/log/nginx/access.log  main;
-
-    sendfile        on;
-    #tcp_nopush     on;
-
-    keepalive_timeout  65;
-
-    #gzip  on;
+    sendfile on;
+    keepalive_timeout 65;
 
     include /etc/nginx/conf.d/*.conf;
-}
+}