TeslaGov
diff --git a/‎.github/workflows/make-releases.yml
Lines changed: 143 additions & 0 deletions b/‎.github/workflows/make-releases.yml
Lines changed: 143 additions & 0 deletions
diff --git a/‎Dockerfile
Lines changed: 0 additions & 59 deletions b/‎Dockerfile
Lines changed: 0 additions & 59 deletions
diff --git a/‎README.md
Lines changed: 8 additions & 2 deletions b/‎README.md
Lines changed: 8 additions & 2 deletions
diff --git a/‎nginx.dockerfile
Lines changed: 135 additions & 0 deletions b/‎nginx.dockerfile
Lines changed: 135 additions & 0 deletions
@@ -0,0 +1,143 @@
+name: CI
+
+on:
+  push:
+    branches: 
+      - master
+    paths:
+      - src/**
+  pull_request:
+    branches:
+      - master
+    paths:
+      - src/**
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: "NGINX: ${{ matrix.nginx-version }}; libjwt: ${{ matrix.libjwt-version }}"
+    strategy:
+      matrix:
+        # NGINX versions to build/test against
+        nginx-version: ['1.20.2', '1.22.1', '1.24.0', '1.25.3']
+
+        # The following versions of libjwt are compatible:
+        #   * v1.0 - v1.12.0
+        #   * v1.12.1 - v1.14.0
+        #   * v1.15.0+
+        # At the time of writing this:
+        #   * Debian and Ubuntu's repos have v1.10.2
+        #   * EPEL has v1.12.1
+        # This compiles against each version prior to a breaking change and the latest release
+        libjwt-version: ['1.12.0', '1.14.0', '1.15.3']
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Code
+      uses: actions/checkout@v3
+      with:
+        path: 'ngx-http-auth-jwt-module'
+
+    # TODO cache the build result so we don't have to do this every time?
+    - name: Download jansson
+      uses: actions/checkout@v3
+      with:
+        repository: 'akheron/jansson'
+        ref: 'v2.14'
+        path: 'jansson'
+
+    - name: Build jansson
+      working-directory: ./jansson
+      run: |
+        cmake . -DJANSSON_BUILD_SHARED_LIBS=1 -DJANSSON_BUILD_DOCS=OFF && \
+        make && \
+        make check && \
+        sudo make install
+
+    # TODO cache the build result so we don't have to do this every time?
+    - name: Download libjwt
+      uses: actions/checkout@v3
+      with:
+        repository: 'benmcollins/libjwt'
+        ref: 'v${{matrix.libjwt-version}}'
+        path: 'libjwt'
+
+    - name: Build libjwt
+      working-directory: ./libjwt
+      run: |
+        autoreconf -i && \
+        ./configure && \
+        make all && \
+        sudo make install
+
+    - name: Download NGINX
+      run: | 
+        mkdir nginx
+        curl -O http://nginx.org/download/nginx-${{matrix.nginx-version}}.tar.gz
+        tar -xzf nginx-${{matrix.nginx-version}}.tar.gz --strip-components 1 -C nginx
+
+    - name: Configure NGINX
+      working-directory: ./nginx
+      run: |
+        BUILD_FLAGS=''
+        MAJ=$(echo ${{matrix.nginx-version}} | cut -f1 -d.)
+        MIN=$(echo ${{matrix.nginx-version}} | cut -f2 -d.)
+        REV=$(echo ${{matrix.nginx-version}} | cut -f3 -d.)
+        
+        if [ "${MAJ}" -gt 1 ] || [ "${MAJ}" -eq 1 -a "${MIN}" -ge 23 ]; then
+          BUILD_FLAGS="${BUILD_FLAGS} --with-cc-opt='-DNGX_LINKED_LIST_COOKIES=1'"
+        fi
+        
+        ./configure --with-compat --add-dynamic-module=../ngx-http-auth-jwt-module ${BUILD_FLAGS}
+
+    - name: Make Modules
+      working-directory: ./nginx
+      run: make modules
+
+    - name: Create release archive
+      run: |
+        cp ./nginx/objs/ngx_http_auth_jwt_module.so ./
+        tar czf ngx_http_auth_jwt_module_libjwt_${{matrix.libjwt-version}}_nginx_${{matrix.nginx-version}}.tgz ngx_http_auth_jwt_module.so
+
+    - name: Upload build artifact
+      uses: actions/upload-artifact@v3
+      with:
+        if-no-files-found: error
+        name: ngx_http_auth_jwt_module_libjwt_${{matrix.libjwt-version}}_nginx_${{matrix.nginx-version}}.tgz
+        path: ngx_http_auth_jwt_module_libjwt_${{matrix.libjwt-version}}_nginx_${{matrix.nginx-version}}.tgz
+
+  update_releases_page:
+    name: Upload builds to Releases
+    if: github.event_name != 'pull_request'
+    needs:
+      - build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Set up variables
+        id: vars
+        run: |
+          echo "date_now=$(date --rfc-3339=seconds)" >> "${GITHUB_OUTPUT}"
+          
+      - name: Download build artifacts from previous jobs
+        uses: actions/download-artifact@v3
+        with:
+          path: artifacts
+
+      - name: Upload builds to Releases
+        uses: ncipollo/release-action@v1
+        with:
+          allowUpdates: true
+          artifactErrorsFailBuild: true
+          artifacts: artifacts/*/*
+          body: |
+            > [!WARNING]
+            > This is an automatically generated pre-release version of the module, which includes the latest master branch changes.
+            > Please report any bugs you find to the issue tracker.
+
+            - Build Date: `${{ steps.vars.outputs.date_now }}`
+            - Commit: ${{ github.sha }}
+          name: 'Development build: ${{ github.ref_name }}@${{ github.sha }}'
+          prerelease: true
+          removeArtifacts: true
+          tag: dev-build
@@ -31,7 +31,13 @@ This module requires several new `nginx.conf` directives, which can be specified
 
 ## Algorithms
 
-The default algorithm is `HS256`, for symmetric key validation. When using one of the `HS*` algorithms, the value for `auth_jwt_key` should be specified in binhex format. It is recommended to use at least 256 bits of data (32 pairs of hex characters or 64 characters in total) as in the example above. Note that using more than 512 bits will not increase the security. For key guidelines please see [NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms](https://csrc.nist.gov/publications/detail/sp/800-107/rev-1/final), Section 5.3.2 The HMAC Key.
+The default algorithm is `HS256`, for symmetric key validation. When using one of the `HS*` algorithms, the value for `auth_jwt_key` should be specified in binhex format. It is recommended to use at least 256 bits of data (32 pairs of hex characters or 64 characters in total). Note that using more than 512 bits will not increase the security. For key guidelines please see [NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms](https://csrc.nist.gov/publications/detail/sp/800-107/rev-1/final), Section 5.3.2 The HMAC Key.
+
+To generate a 256-bit key (32 pairs of hex characters; 64 characters in total):
+
+```bash
+openssl rand -hex 32
+```
 
 ### Additional Supported Algorithms
 
@@ -225,7 +231,7 @@ The tests use a customized NGINX image, distinct from the main image, as well as
 
 After making changes and finding that some tests fail, it can be difficult to understand why. By default, logs are written to Docker's internal log mechanism, but they won't be persisted after the test run completes and the containers are removed.
 
-In order to persist logs, you can configure the log driver to use. You can do this by setting the environment variable `LOG_DRIVER` before running the tests. On Linux/Unix systems, you can use the driver `journald`, as follows:
+If you'd like to persist logs across test runs, you can configure the log driver to use `journald` (on Linux/Unix systems for example). You can do this by setting the environment variable `LOG_DRIVER` before running the tests:
 
 ```shell
 # need to rebuild the test runner with the proper log driver
 
@@ -0,0 +1,135 @@
+ARG BASE_IMAGE
+ARG NGINX_VERSION
+
+FROM ${BASE_IMAGE} AS ngx_http_auth_jwt_builder_base
+LABEL stage=ngx_http_auth_jwt_builder
+RUN chmod 1777 /tmp
+RUN <<`
+apt-get update
+apt-get install -y curl build-essential
+`
+
+FROM ngx_http_auth_jwt_builder_base AS ngx_http_auth_jwt_builder_module
+LABEL stage=ngx_http_auth_jwt_builder
+ENV PATH "${PATH}:/etc/nginx"
+ENV LD_LIBRARY_PATH=/usr/local/lib
+ARG NGINX_VERSION
+RUN <<`
+	set -e
+	apt-get install -y libjwt-dev libjwt0 libjansson-dev libjansson4 libpcre2-dev zlib1g-dev libpcre3-dev
+	mkdir -p /root/build/ngx-http-auth-jwt-module
+`
+WORKDIR /root/build/ngx-http-auth-jwt-module
+ADD config ./
+ADD src/*.h src/*.c ./src/
+WORKDIR /root/build
+RUN <<`
+	set -e
+	mkdir nginx
+	curl -O http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
+	tar -xzf nginx-${NGINX_VERSION}.tar.gz --strip-components 1 -C nginx
+`
+WORKDIR /root/build/nginx
+RUN <<`
+	set -e
+	BUILD_FLAGS=''
+	MAJ=$(echo ${NGINX_VERSION} | cut -f1 -d.)
+	MIN=$(echo ${NGINX_VERSION} | cut -f2 -d.)
+	REV=$(echo ${NGINX_VERSION} | cut -f3 -d.)
+
+	# NGINX 1.23.0+ changes cookies to use a linked list, and renames `cookies` to `cookie`
+	if [ "${MAJ}" -gt 1 ] || [ "${MAJ}" -eq 1 -a "${MIN}" -ge 23 ]; then
+		BUILD_FLAGS="${BUILD_FLAGS} --with-cc-opt='-DNGX_LINKED_LIST_COOKIES=1'"
+	fi
+
+	./configure \
+    --prefix=/etc/nginx \
+		--sbin-path=/usr/sbin/nginx \
+		--modules-path=/usr/lib64/nginx/modules \
+		--conf-path=/etc/nginx/nginx.conf \
+		--error-log-path=/var/log/nginx/error.log \
+		--http-log-path=/var/log/nginx/access.log \
+		--pid-path=/var/run/nginx.pid \
+		--lock-path=/var/run/nginx.lock \
+		--http-client-body-temp-path=/var/cache/nginx/client_temp \
+		--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
+		--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
+		--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
+		--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
+		--user=nginx \
+		--group=nginx \
+		--with-compat \
+		--with-debug \
+		--with-file-aio \
+		--with-threads \
+		--with-http_addition_module \
+		--with-http_auth_request_module \
+		--with-http_dav_module \
+		--with-http_flv_module \
+		--with-http_gunzip_module \
+		--with-http_gzip_static_module \
+		--with-http_mp4_module \
+		--with-http_random_index_module \
+		--with-http_realip_module \
+		--with-http_secure_link_module \
+		--with-http_slice_module \
+		--with-http_ssl_module \
+		--with-http_stub_status_module \
+		--with-http_sub_module \
+		--with-http_v2_module \
+		--with-mail \
+		--with-mail_ssl_module \
+		--with-stream \
+		--with-stream_realip_module \
+		--with-stream_ssl_module \
+		--with-stream_ssl_preread_module \
+		--with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.25.4/debian/debuild-base/nginx-1.25.4=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' \
+		--with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' \
+		--add-dynamic-module=../ngx-http-auth-jwt-module \
+		${BUILD_FLAGS}
+		# --with-openssl=/usr/local \
+`
+RUN make modules
+RUN make install
+WORKDIR /usr/lib64/nginx/modules
+RUN	cp /root/build/nginx/objs/ngx_http_auth_jwt_module.so .
+RUN rm -rf /root/build
+RUN adduser --system --no-create-home --shell /bin/false --group --disabled-login nginx
+RUN mkdir -p /var/cache/nginx /var/log/nginx
+WORKDIR /etc/nginx
+
+FROM ngx_http_auth_jwt_builder_module AS ngx_http_auth_jwt_nginx
+LABEL maintainer="TeslaGov" email="[email protected]"
+ARG NGINX_VERSION
+RUN <<`
+	set -e
+
+	apt-get update
+	apt-get install -y libjansson4 libjwt0
+	apt-get clean
+`
+COPY <<` /etc/nginx/nginx.conf
+user nginx;
+pid /var/run/nginx.pid;
+
+load_module /usr/lib64/nginx/modules/ngx_http_auth_jwt_module.so;
+
+worker_processes 1;
+
+events {
+	worker_connections 1024;
+}
+
+http {
+	include mime.types;
+	default_type application/octet-stream;
+
+	log_format main '$$remote_addr - $$remote_user [$$time_local] "$$request" '
+	                '$$status $$body_bytes_sent "$$http_referer" '
+	                '"$$http_user_agent" "$$http_x_forwarded_for"';
+
+	access_log /var/log/nginx/access.log main;
+	include conf.d/*.conf;
+}
+`
+ENTRYPOINT ["nginx", "-g", "daemon off;"]