Merge branch 'master' into jwt-37

Author: fitzyjoe

.gitignore

@@ -1 +1,2 @@
+.idea
 ngx_http_auth_jwt_module.so

Dockerfile

@@ -8,9 +8,9 @@ ENV LD_LIBRARY_PATH=/usr/local/lib
 
 RUN yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
     yum -y update && \
-	yum -y groupinstall 'Development Tools' && \
-	yum -y install pcre-devel pcre zlib-devel openssl-devel wget cmake check-devel check && \
-	yum -y install nginx-$NGINX_VERSION
+    yum -y groupinstall 'Development Tools' && \
+    yum -y install pcre-devel pcre zlib-devel openssl-devel wget cmake check-devel check && \
+    yum -y install nginx-$NGINX_VERSION
 
 # for compiling for rh-nginx110
 # yum -y install libxml2 libxslt libxml2-devel libxslt-devel gd gd-devel perl-ExtUtils-Embed
@@ -24,40 +24,26 @@ WORKDIR /root/dl
 # build jansson
 ARG JANSSON_VERSION=2.10
 RUN wget https://github.com/akheron/jansson/archive/v$JANSSON_VERSION.zip && \
-	unzip v$JANSSON_VERSION.zip && \
-	rm v$JANSSON_VERSION.zip && \
-	ln -sf jansson-$JANSSON_VERSION jansson && \
-	cd /root/dl/jansson && \
-	cmake . -DJANSSON_BUILD_SHARED_LIBS=1 -DJANSSON_BUILD_DOCS=OFF && \
-	make && \
-	make check && \
-	make install
+    unzip v$JANSSON_VERSION.zip && \
+    rm v$JANSSON_VERSION.zip && \
+    ln -sf jansson-$JANSSON_VERSION jansson && \
+    cd /root/dl/jansson && \
+    cmake . -DJANSSON_BUILD_SHARED_LIBS=1 -DJANSSON_BUILD_DOCS=OFF && \
+    make && \
+    make check && \
+    make install
 
 # build libjwt
 ARG LIBJWT_VERSION=1.9.0
 RUN wget https://github.com/benmcollins/libjwt/archive/v$LIBJWT_VERSION.zip && \
-	unzip v$LIBJWT_VERSION.zip && \
-	rm v$LIBJWT_VERSION.zip && \
-	ln -sf libjwt-$LIBJWT_VERSION libjwt && \
-	cd /root/dl/libjwt && \
-	autoreconf -i && \
-	./configure JANSSON_CFLAGS=/usr/local/include JANSSON_LIBS=/usr/local/lib && \
-	make all && \
-	make install
-
-# get our JWT module
-# change this to get a specific version?
-#ARG TESLA_REPO_NAME=ngx-http-auth-jwt-module
-# ARG TESLA_REPO_URL_PREFIX=joefitz/
-# ARG TESLA_REPO_FILE_PREFIX=joefitz-
-# ARG TESLA_REPO_FILENAME=validate-authorization-header
-#ARG TESLA_REPO_URL_PREFIX=
-#ARG TESLA_REPO_FILE_PREFIX=
-#ARG TESLA_REPO_FILENAME=master
-#ADD https://github.com/TeslaGov/$TESLA_REPO_NAME/archive/${TESLA_REPO_URL_PREFIX}${TESLA_REPO_FILENAME}.zip .
-#RUN unzip ${TESLA_REPO_FILENAME}.zip && \
-#	rm ${TESLA_REPO_FILENAME}.zip && \
-#	ln -sf ${TESLA_REPO_NAME}-${TESLA_REPO_FILE_PREFIX}${TESLA_REPO_FILENAME} ${TESLA_REPO_NAME}
+    unzip v$LIBJWT_VERSION.zip && \
+    rm v$LIBJWT_VERSION.zip && \
+    ln -sf libjwt-$LIBJWT_VERSION libjwt && \
+    cd /root/dl/libjwt && \
+    autoreconf -i && \
+    ./configure JANSSON_CFLAGS=/usr/local/include JANSSON_LIBS=/usr/local/lib && \
+    make all && \
+    make install
 
 ADD . /root/dl/ngx-http-auth-jwt-module
 
@@ -76,24 +62,73 @@ ADD . /root/dl/ngx-http-auth-jwt-module
 # ./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -std=gnu99' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
 #
 #RUN wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz && \
-#	tar -xzf nginx-$NGINX_VERSION.tar.gz && \
-#	rm nginx-$NGINX_VERSION.tar.gz && \
-#	ln -sf nginx-$NGINX_VERSION nginx && \
-#	cd /root/dl/nginx && \
+#  tar -xzf nginx-$NGINX_VERSION.tar.gz && \
+#  rm nginx-$NGINX_VERSION.tar.gz && \
+#  ln -sf nginx-$NGINX_VERSION nginx && \
+#  cd /root/dl/nginx && \
 #    ./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -std=gnu99' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' && \
-#	make modules && \
-#	cp /root/dl/nginx/objs/ngx_http_auth_jwt_module.so /usr/lib64/nginx/modules/.
+#  make modules && \
+#  cp /root/dl/nginx/objs/ngx_http_auth_jwt_module.so /usr/lib64/nginx/modules/.
 
 # ARG CACHEBUST=1
 
 RUN wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz && \
-	tar -xzf nginx-$NGINX_VERSION.tar.gz && \
-	rm nginx-$NGINX_VERSION.tar.gz && \
-	ln -sf nginx-$NGINX_VERSION nginx && \
+    tar -xzf nginx-$NGINX_VERSION.tar.gz && \
+    rm nginx-$NGINX_VERSION.tar.gz && \
+    ln -sf nginx-$NGINX_VERSION nginx && \
     cd /root/dl/nginx && \
-    ./configure --add-dynamic-module=../ngx-http-auth-jwt-module --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -std=gnu99' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' && \
+    ./configure \
+      --add-dynamic-module=../ngx-http-auth-jwt-module \
+      --prefix=/usr/share/nginx \
+      --sbin-path=/usr/sbin/nginx \
+      --modules-path=/usr/lib64/nginx/modules \
+      --conf-path=/etc/nginx/nginx.conf \
+      --error-log-path=/var/log/nginx/error.log \
+      --http-log-path=/var/log/nginx/access.log \
+      --http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
+      --http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
+      --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
+      --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
+      --http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
+      --pid-path=/run/nginx.pid \
+      --lock-path=/run/lock/subsys/nginx \
+      --user=nginx \
+      --group=nginx \
+      --with-file-aio \
+      --with-ipv6 \
+      --with-http_ssl_module \
+      --with-http_v2_module \
+      --with-http_realip_module \
+      --with-http_addition_module \
+      --with-http_xslt_module=dynamic \
+      --with-http_image_filter_module=dynamic \
+      --with-http_geoip_module=dynamic \
+      --with-http_sub_module \
+      --with-http_dav_module \
+      --with-http_flv_module \
+      --with-http_mp4_module \
+      --with-http_gunzip_module \
+      --with-http_gzip_static_module \
+      --with-http_random_index_module \
+      --with-http_secure_link_module \
+      --with-http_degradation_module \
+      --with-http_slice_module \
+      --with-http_stub_status_module \
+      --with-http_perl_module=dynamic \
+      --with-mail=dynamic \
+      --with-mail_ssl_module \
+      --with-pcre \
+      --with-pcre-jit \
+      --with-stream=dynamic \
+      --with-stream_ssl_module \
+      --with-google_perftools_module \
+      --with-debug \
+      --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -std=gnu99' \
+      --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' && \
     make modules && \
-	cp /root/dl/nginx/objs/ngx_http_auth_jwt_module.so /usr/lib64/nginx/modules/.
+    cp /root/dl/nginx/objs/ngx_http_auth_jwt_module.so /usr/lib64/nginx/modules/. && \
+    mkdir /build && \
+    cp /root/dl/nginx/objs/ngx_http_auth_jwt_module.so /build.
 
 # Get nginx ready to run
 COPY resources/nginx.conf /etc/nginx/nginx.conf

Dockerfile-test

@@ -0,0 +1,4 @@
+FROM alpine:3.7
+RUN apk add --no-cache bash curl
+COPY test.sh .
+CMD ["./test.sh"]

Makefile

@@ -0,0 +1,53 @@
+SHELL += -eu
+
+BLUE  := \033[0;34m
+GREEN := \033[0;32m
+RED   := \033[0;31m
+NC    := \033[0m
+
+DOCKER_ORG_NAME = teslagov
+DOCKER_IMAGE_NAME = jwt-nginx
+
+.PHONY: all
+all:
+	@$(MAKE) build-nginx
+	@$(MAKE) build-test-runner
+	@$(MAKE) start-nginx
+	@$(MAKE) test
+
+.PHONY: build-nginx
+build-nginx:
+	@echo "${BLUE}  Building...${NC}"
+	@docker image build -t $(DOCKER_ORG_NAME)/$(DOCKER_IMAGE_NAME) . ; \
+	if [ $$? -ne 0 ] ; \
+		then echo "${RED}  Build failed :(${NC}" ; \
+	else echo "${GREEN}✓ Successfully built NGINX module ${NC}" ; fi
+
+.PHONY: rebuild-nginx
+rebuild-nginx:
+	@echo "${BLUE}  Rebuilding...${NC}"
+	@docker image build -t $(DOCKER_ORG_NAME)/$(DOCKER_IMAGE_NAME) . --no-cache ; \
+	if [ $$? -ne 0 ] ; \
+		then echo "${RED}  Build failed :(${NC}" ; \
+	else echo "${GREEN}✓ Successfully rebuilt NGINX module ${NC}" ; fi
+
+.PHONY: stop-nginx
+stop-nginx:
+	docker stop $(shell docker inspect --format="{{.Id}}" "$(DOCKER_IMAGE_NAME)-cont") ||:
+
+.PHONY: start-nginx
+start-nginx:
+	docker run --rm --name "$(DOCKER_IMAGE_NAME)-cont" -d -p 8000:8000 $(DOCKER_ORG_NAME)/$(DOCKER_IMAGE_NAME)
+	docker cp $(DOCKER_IMAGE_NAME)-cont:/usr/lib64/nginx/modules/ngx_http_auth_jwt_module.so .
+
+.PHONY: build-test-runner
+build-test-runner:
+	docker image build -f Dockerfile-test -t $(DOCKER_ORG_NAME)/jwt-nginx-test-runner .
+
+.PHONY: frebuild-test-runner
+rebuild-test-runner:
+	docker image build -f Dockerfile-test -t $(DOCKER_ORG_NAME)/jwt-nginx-test-runner . --no-cache
+
+.PHONY: test
+test:
+	docker run --rm $(DOCKER_ORG_NAME)/jwt-nginx-test-runner

README.md

@@ -1,13 +1,43 @@
 # Intro
 This is an NGINX module to check for a valid JWT and proxy to an upstream server or redirect to a login page.
 
-# Build Requirements
+## Building and testing
+To build the Docker image, start NGINX, and run our Bash test against it, run
+```bash
+make
+```
+
+When you make a change to the module, run `make rebuild-nginx`.
+
+When you make a change to `test.sh`, run `make rebuild-test-runner`.
+
+| Command                    | Description                                 |
+| -------------------------- |:-------------------------------------------:|
+| `make build-nginx`         | Builds the NGINX image                      |
+| `make rebuild-nginx`       | Re-builds the NGINX image                   |
+| `make build-test-runner`   | Builds the image that will run `test.sh`    |
+| `make rebuild-test-runner` | Re-builds the image that will run `test.sh` |
+| `make start-nginx`         | Starts the NGINX container                  |
+| `make stop-nginx`          | Stops the NGINX container                   |
+| `make test`                | Runs `test.sh` against the NGINX container  |
+
+You can re-run tests as many times as you like while NGINX is up.
+When you're done running tests, make sure to stop the NGINX container.
+
+The Dockerfile builds all of the dependencies as well as the module,
+downloads a binary version of NGINX, and runs the module as a dynamic module.
+
+Tests get executed in containers. This project is 100% Docker-ized.
+
+## Dependencies
 This module depends on the [JWT C Library](https://github.com/benmcollins/libjwt)
 
-Transitively, that library depends on a JSON Parser called [Jansson](https://github.com/akheron/jansson) as well as the OpenSSL library.
+Transitively, that library depends on a JSON Parser called
+[Jansson](https://github.com/akheron/jansson) as well as the OpenSSL library.
 
-# NGINX Directives
-This module requires several new nginx.conf directives, which can be specified in on the `main` `server` or `___location` level.
+## NGINX Directives
+This module requires several new `nginx.conf` directives,
+which can be specified in on the `main` `server` or `___location` level.
 
 ```
 auth_jwt_key "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF";
@@ -16,7 +46,10 @@ auth_jwt_algorithm HS256; # or RS256
 auth_jwt_validate_email on;  # or off
 ```
 
-So, a typical use would be to specify the key on the main level and then only turn on the locations that you want to secure (not the login page).  Unauthorized requests are given 401 "Unauthorized" responses, you can redirect them with the nginx's `error_page` directive.
+So, a typical use would be to specify the key on the main level and then only 
+turn on the locations that you want to secure (not the login page).  Unauthorized 
+requests are given 401 "Unauthorized" responses, you can redirect them with the 
+nginx's `error_page` directive.
 
 ```
 ___location @login_redirect {
@@ -34,13 +67,16 @@ ___location /secure-___location/ {
 auth_jwt_validation_type AUTHORIZATION;
 auth_jwt_validation_type COOKIE=rampartjwt;
 ```
-By default the authorization header is used to provide a JWT for validation.  However, you may use the `auth_jwt_validation_type` configuration to specify the name of a cookie that provides the JWT.
+By default the authorization header is used to provide a JWT for validation.
+However, you may use the `auth_jwt_validation_type` configuration to specify the name of a cookie that provides the JWT.
 
 
 
-The default algorithm is 'HS256', for symmetric key validation.  Also supported is 'RS256', for RSA 256-bit public key validation.
+The default algorithm is 'HS256', for symmetric key validation.
+Also supported is 'RS256', for RSA 256-bit public key validation.
 
-If using "auth_jwt_algorithm RS256;", then the 'auth_jwt_key' field must be set to your public key.  That is the public key, rather than a PEM certificate.  I.e.:
+If using "auth_jwt_algorithm RS256;", then the 'auth_jwt_key' field must be set to your public key.
+That is the public key, rather than a PEM certificate.  I.e.:
 
 ```
 auth_jwt_key "-----BEGIN PUBLIC KEY-----
@@ -54,16 +90,10 @@ oQIDAQAB
 -----END PUBLIC KEY-----";
 ```
 
-
-
-By default, the module will attempt to validate the email address field of the JWT, then set the x-email header of the session, and will log an error if it isn't found.  To disable this behavior, for instance if you are using a different user identifier property such as 'sub', set:
+By default, the module will attempt to validate the email address field of the JWT, then set the x-email header of the
+session, and will log an error if it isn't found.  To disable this behavior, for instance if you are using a different
+user identifier property such as 'sub', set:
 
 ```
 auth_jwt_validate_email off;
 ```
-
-
-
-The Dockerfile builds all of the dependencies as well as the module, downloads a binary version of nginx, and runs the module as a dynamic module.
-
-Have a look at build.sh, which creates the docker image and container and executes some test requests to illustrate that some pages are secured by the module and requre a valid JWT.