Add reading key file name, minify docker image size

Author: penumbra23

Dockerfile

@@ -16,23 +16,23 @@ RUN yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.n
     yum -y install nginx-$NGINX_VERSION
 
 # for compiling for rh-nginx110
-# yum -y install libxml2 libxslt libxml2-devel libxslt-devel gd gd-devel perl-ExtUtils-Embed
+# RUN yum -y install libxml2 libxslt libxml2-devel libxslt-devel gd gd-devel perl-ExtUtils-Embed
 
 # for compiling for epel7
 RUN yum -y install libxml2 libxslt libxml2-devel libxslt-devel gd gd-devel perl-ExtUtils-Embed geoip geoip-devel google-perftools google-perftools-devel
 
 # Jansson requires new cmake
-RUN yum -y install cmake3 && \
-    alternatives --install /usr/local/bin/cmake cmake /usr/bin/cmake 10 \
---slave /usr/local/bin/ctest ctest /usr/bin/ctest \
---slave /usr/local/bin/cpack cpack /usr/bin/cpack \
---slave /usr/local/bin/ccmake ccmake /usr/bin/ccmake \
---family cmake && \
-    alternatives --install /usr/local/bin/cmake cmake /usr/bin/cmake3 20 \
---slave /usr/local/bin/ctest ctest /usr/bin/ctest3 \
---slave /usr/local/bin/cpack cpack /usr/bin/cpack3 \
---slave /usr/local/bin/ccmake ccmake /usr/bin/ccmake3 \
---family cmake
+# RUN yum -y install cmake3 && \
+#     alternatives --install /usr/local/bin/cmake cmake /usr/bin/cmake 10 \
+# --slave /usr/local/bin/ctest ctest /usr/bin/ctest \
+# --slave /usr/local/bin/cpack cpack /usr/bin/cpack \
+# --slave /usr/local/bin/ccmake ccmake /usr/bin/ccmake \
+# --family cmake && \
+#     alternatives --install /usr/local/bin/cmake cmake /usr/bin/cmake3 20 \
+# --slave /usr/local/bin/ctest ctest /usr/bin/ctest3 \
+# --slave /usr/local/bin/cpack cpack /usr/bin/cpack3 \
+# --slave /usr/local/bin/ccmake ccmake /usr/bin/ccmake3 \
+# --family cmake
 
 RUN mkdir -p /root/dl
 WORKDIR /root/dl
@@ -85,19 +85,19 @@ RUN wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz && \
     rm nginx-$NGINX_VERSION.tar.gz && \
     ln -sf nginx-$NGINX_VERSION nginx && \
     cd /root/dl/nginx && \
-    ./configure --add-dynamic-module=../ngx-http-auth-jwt-module --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -std=gnu99' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' && \
+    ./configure --add-dynamic-module=../ngx-http-auth-jwt-module --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Werror=unused-variable -Wno-unused-variable -Wno-error=unused-but-set-variable -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -std=gnu99' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' && \
     make modules && \
     cp /root/dl/nginx/objs/ngx_http_auth_jwt_module.so /usr/lib64/nginx/modules/.
 
 # Get nginx ready to run
 COPY resources/nginx.conf /etc/nginx/nginx.conf
 COPY resources/test-jwt-nginx.conf /etc/nginx/conf.d/test-jwt-nginx.conf
-RUN rm -rf /usr/share/nginx/html
-RUN cp -r /root/dl/nginx/html /usr/share/nginx
-RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure
-RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-rs256
-RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-auth-header
-RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-no-redirect
+# RUN rm -rf /usr/share/nginx/html
+# RUN cp -r /root/dl/nginx/html /usr/share/nginx
+# RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure
+# RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-rs256
+# RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-auth-header
+# RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-no-redirect
 
 ENTRYPOINT ["/usr/sbin/nginx"]
 

resources/test-jwt-nginx.conf

@@ -2,7 +2,7 @@ server {
     auth_jwt_key                 "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF";
     auth_jwt_loginurl            "https://teslagov.com";
     auth_jwt_enabled             off;
-    auth_jwt_redirect            on;
+    auth_jwt_redirect            off;
 
     listen       8000;
     server_name  localhost;
@@ -29,21 +29,30 @@ server {
 
     ___location ~ ^/secure-rs256/ {
         auth_jwt_enabled on;
-        auth_jwt_validation_type COOKIE=rampartjwt;
+        auth_jwt_validation_type AUTHORIZATION;
         auth_jwt_algorithm RS256;
         auth_jwt_key "-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwtpMAM4l1H995oqlqdMh
-uqNuffp4+4aUCwuFE9B5s9MJr63gyf8jW0oDr7Mb1Xb8y9iGkWfhouZqNJbMFry+
-iBs+z2TtJF06vbHQZzajDsdux3XVfXv9v6dDIImyU24MsGNkpNt0GISaaiqv51NM
-ZQX0miOXXWdkQvWTZFXhmsFCmJLE67oQFSar4hzfAaCulaMD+b3Mcsjlh0yvSq7g
-6swiIasEU3qNLKaJAZEzfywroVYr3BwM1IiVbQeKgIkyPS/85M4Y6Ss/T+OWi1Oe
-K49NdYBvFP+hNVEoeZzJz5K/nd6C35IX0t2bN5CVXchUFmaUMYk2iPdhXdsC720t
-BwIDAQAB
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoDssqQi9TL79UPYaWqEr
+W11InyFvIUjhOYlTv4N/1AqOBRSCOLyGrm3MI/ngqxD2MEcBYwko7SWX0TR2WJsE
+kFv0V+107lmALMLBBrBzBIkmxUsBUwgwbn5639k8p/zXELsBOqTQ4bdLK+cpsEUE
+ECZU4kNcWm7c/VNEhf0SbgYoco6IGPBR7SrhWfbFSwCbbzdYMQE39kAOExSZgEav
+7oMbjK82ciDWrxtl+adNIPCDAA8tv0//YuxARSDnXXUKybagooYFwLs8RhIH4WRo
+ZhHrF0zHJrYCR/QoHF5Q96iDHJ/gBAUAhB76w+65IrzPQHbsCC/9VJAm+DPmEcZq
+jwIDAQAB
 -----END PUBLIC KEY-----";
         root  /usr/share/nginx;
         index  index.html index.htm;
     }
 
+    ___location ~ ^/secure-rs256-file/ {
+        auth_jwt_enabled on;
+        auth_jwt_validation_type AUTHORIZATION;
+        auth_jwt_algorithm RS256;
+		auth_jwt_filekey on;
+        root  /usr/share/nginx;
+        index  index.html index.htm;
+    }
+
     ___location / {
         root   /usr/share/nginx/html;
         index  index.html index.htm;

src/ngx_http_auth_jwt_module.c

@@ -18,13 +18,18 @@
 #include "ngx_http_auth_jwt_binary_converters.h"
 #include "ngx_http_auth_jwt_string.h"
 
+#include <stdio.h>
+
+const char* KEY_FILE_PATH = "/app/pub_key";
+
 typedef struct {
 	ngx_str_t    auth_jwt_loginurl;
 	ngx_str_t    auth_jwt_key;
 	ngx_flag_t   auth_jwt_enabled;
 	ngx_flag_t   auth_jwt_redirect;
 	ngx_str_t    auth_jwt_validation_type;
 	ngx_str_t    auth_jwt_algorithm;
+	ngx_flag_t	 auth_jwt_filekey;
 	ngx_flag_t   auth_jwt_validate_email;
 
 } ngx_http_auth_jwt_loc_conf_t;
@@ -58,6 +63,13 @@ static ngx_command_t ngx_http_auth_jwt_commands[] = {
 		offsetof(ngx_http_auth_jwt_loc_conf_t, auth_jwt_enabled),
 		NULL },
 
+	{ ngx_string("auth_jwt_filekey"),
+		NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+		ngx_conf_set_flag_slot,
+		NGX_HTTP_LOC_CONF_OFFSET,
+		offsetof(ngx_http_auth_jwt_loc_conf_t, auth_jwt_filekey),
+		NULL },
+
 	{ ngx_string("auth_jwt_redirect"),
 		NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
 		ngx_conf_set_flag_slot,
@@ -177,8 +189,45 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 	else if ( auth_jwt_algorithm.len == sizeof("RS256") - 1 && ngx_strncmp(auth_jwt_algorithm.data, "RS256", sizeof("RS256") - 1) == 0 )
 	{
 		// in this case, 'Binary' is a misnomer, as it is the public key string itself
-		keyBinary = jwtcf->auth_jwt_key.data;
-		keylen = jwtcf->auth_jwt_key.len;
+		ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "failed to find a jwt");
+		if (jwtcf->auth_jwt_filekey == 1)
+		{
+			FILE *file = fopen(KEY_FILE_PATH, "rb");
+
+			// Check if file exists or is correctly opened
+			if (file == NULL)
+			{
+				char err[100];
+				strcpy(err, "failed to open pub key file: ");
+				strcat(err, KEY_FILE_PATH);
+				ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, err);
+				goto redirect;
+			}
+
+			// Read file length
+			fseek(file, 0, SEEK_END);
+			long key_size = ftell(file);
+			fseek(file, 0, SEEK_SET);
+			
+			if (key_size == 0)
+			{
+				ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "invalid key file size, check the key file");
+				goto redirect;
+			}
+
+			// Read pub key
+			char *pub_key = malloc(key_size + 1);
+			size_t bytes_read = fread(pub_key, 1, key_size, file);
+			fclose(file);
+
+			keyBinary = (u_char*)pub_key;
+			keylen = (int)key_size;
+		}
+		else
+		{
+			keyBinary = jwtcf->auth_jwt_key.data;
+			keylen = jwtcf->auth_jwt_key.len;
+		}
 	}
 	else
 	{
@@ -374,6 +423,7 @@ ngx_http_auth_jwt_create_loc_conf(ngx_conf_t *cf)
 	conf->auth_jwt_enabled = (ngx_flag_t) -1;
 	conf->auth_jwt_redirect = (ngx_flag_t) -1;
 	conf->auth_jwt_validate_email = (ngx_flag_t) -1;
+	conf->auth_jwt_filekey = (ngx_flag_t) -1;
 
 	ngx_conf_log_error(NGX_LOG_DEBUG, cf, 0, "Created Location Configuration");
 
@@ -403,6 +453,11 @@ ngx_http_auth_jwt_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 		conf->auth_jwt_redirect = (prev->auth_jwt_redirect == ((ngx_flag_t) -1)) ? 0 : prev->auth_jwt_redirect;
 	}
 
+	if (conf->auth_jwt_filekey == ((ngx_flag_t) -1))
+	{
+		conf->auth_jwt_filekey = (prev->auth_jwt_filekey == ((ngx_flag_t) -1)) ? 0 : prev->auth_jwt_filekey;
+	}
+
 	return NGX_CONF_OK;
 }