Merge pull request TeslaGov#9 from TeslaGov/joefitz/match-rh-nginx110-version

Joefitz/match rh nginx110 version

Author: fitzyjoe

Dockerfile

@@ -2,52 +2,75 @@ FROM centos:7
 
 LABEL maintainer="TeslaGov" email="[email protected]"
 
+ARG NGINX_VERSION=1.12.0
+
 COPY resources/nginx.repo /etc/yum.repos.d/nginx.repo
 
 ENV LD_LIBRARY_PATH=/usr/local/lib
 
 RUN yum -y update && \
 	yum -y groupinstall 'Development Tools' && \
 	yum -y install pcre-devel pcre zlib-devel openssl-devel wget cmake check-devel check && \
-	yum -y install nginx-1.12.0
+	yum -y install nginx-$NGINX_VERSION
+
+# for compiling for rh-nginx110
+# yum -y install libxml2 libxslt libxml2-devel libxslt-devel gd gd-devel perl-ExtUtils-Embed
 
 RUN mkdir -p /root/dl
 WORKDIR /root/dl
 
-# get our JWT module
-# change this to get a specific version?
-RUN wget https://github.com/TeslaGov/ngx-http-auth-jwt-module/archive/master.zip && \
-	unzip master.zip && \
-	rm master.zip && \
-	ln -sf ngx-http-auth-jwt-module-master ngx-http-auth-jwt-module
-
 # build jansson
-RUN wget https://github.com/akheron/jansson/archive/v2.10.zip && \
-	unzip v2.10.zip && \
-	rm v2.10.zip && \
-	ln -sf jansson-2.10 jansson && \
+ARG JANSSON_VERSION=2.10
+RUN wget https://github.com/akheron/jansson/archive/v$JANSSON_VERSION.zip && \
+	unzip v$JANSSON_VERSION.zip && \
+	rm v$JANSSON_VERSION.zip && \
+	ln -sf jansson-$JANSSON_VERSION jansson && \
 	cd /root/dl/jansson && \
 	cmake . -DJANSSON_BUILD_SHARED_LIBS=1 -DJANSSON_BUILD_DOCS=OFF && \
 	make && \
 	make check && \
 	make install
 
 # build libjwt
-RUN wget https://github.com/benmcollins/libjwt/archive/v1.8.0.zip && \
-	unzip v1.8.0.zip && \
-	rm v1.8.0.zip && \
-	ln -sf libjwt-1.8.0 libjwt && \
+ARG LIBJWT_VERSION=1.8.0
+RUN wget https://github.com/benmcollins/libjwt/archive/v$LIBJWT_VERSION.zip && \
+	unzip v$LIBJWT_VERSION.zip && \
+	rm v$LIBJWT_VERSION.zip && \
+	ln -sf libjwt-$LIBJWT_VERSION libjwt && \
 	cd /root/dl/libjwt && \
 	autoreconf -i && \
 	./configure JANSSON_CFLAGS=/usr/local/include JANSSON_LIBS=/usr/local/lib && \
 	make all && \
 	make install
 
+# get our JWT module
+# change this to get a specific version?
+ARG TESLA_REPO_NAME=ngx-http-auth-jwt-module
+# ARG TESLA_REPO_URL_PREFIX=joefitz/
+# ARG TESLA_REPO_FILE_PREFIX=joefitz-
+# ARG TESLA_REPO_FILENAME=match-rh-nginx110-version
+ARG TESLA_REPO_URL_PREFIX=
+ARG TESLA_REPO_FILE_PREFIX=
+ARG TESLA_REPO_FILENAME=master
+ADD https://github.com/TeslaGov/$TESLA_REPO_NAME/archive/${TESLA_REPO_URL_PREFIX}${TESLA_REPO_FILENAME}.zip .
+RUN unzip ${TESLA_REPO_FILENAME}.zip && \
+	rm ${TESLA_REPO_FILENAME}.zip && \
+	ln -sf ${TESLA_REPO_NAME}-${TESLA_REPO_FILE_PREFIX}${TESLA_REPO_FILENAME} ${TESLA_REPO_NAME}
+
+# after 1.11.5 use this command
+# ./configure --with-compat --add-dynamic-module=../ngx-http-auth-jwt-module --with-cc-opt='-std=gnu99'
 # build nginx module against nginx sources
-RUN wget http://nginx.org/download/nginx-1.12.0.tar.gz && \
-	tar -xzf nginx-1.12.0.tar.gz && \
-	rm nginx-1.12.0.tar.gz && \
-	ln -sf nginx-1.12.0 nginx && \
+#
+# 1.10.2 from nginx by default use config flags... I had to add the -std=c99 and could not achieve "binary compatibility"
+# ./configure --add-dynamic-module=../ngx-http-auth-jwt-module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-file-aio --with-threads --with-ipv6 --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -std=c99'
+#
+# rh-nginx110 uses these config flags
+# ./configure --add-dynamic-module=../ngx-http-auth-jwt-module --prefix=/opt/rh/rh-nginx110/root/usr/share/nginx --sbin-path=/opt/rh/rh-nginx110/root/usr/sbin/nginx --modules-path=/opt/rh/rh-nginx110/root/usr/lib64/nginx/modules --conf-path=/etc/opt/rh/rh-nginx110/nginx/nginx.conf --error-log-path=/var/opt/rh/rh-nginx110/log/nginx/error.log --http-log-path=/var/opt/rh/rh-nginx110/log/nginx/access.log --http-client-body-temp-path=/var/opt/rh/rh-nginx110/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/opt/rh/rh-nginx110/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/opt/rh/rh-nginx110/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/opt/rh/rh-nginx110/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/opt/rh/rh-nginx110/lib/nginx/tmp/scgi --pid-path=/var/opt/rh/rh-nginx110/run/nginx/nginx.pid --lock-path=/var/opt/rh/rh-nginx110/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -std=c99' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
+
+RUN wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz && \
+	tar -xzf nginx-$NGINX_VERSION.tar.gz && \
+	rm nginx-$NGINX_VERSION.tar.gz && \
+	ln -sf nginx-$NGINX_VERSION nginx && \
 	cd /root/dl/nginx && \
 	./configure --with-compat --add-dynamic-module=../ngx-http-auth-jwt-module --with-cc-opt='-std=gnu99' && \
 	make modules && \
@@ -58,7 +81,6 @@ COPY resources/nginx.conf /etc/nginx/nginx.conf
 COPY resources/test-jwt-nginx.conf /etc/nginx/conf.d/test-jwt-nginx.conf
 RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure
 
-WORKDIR /etc/nginx
-CMD ["nginx"]
+ENTRYPOINT ["/usr/sbin/nginx"]
 
 EXPOSE 8000

build.sh

@@ -3,7 +3,7 @@
 # build
 DOCKER_IMAGE_NAME=jwt-nginx
 docker build -t ${DOCKER_IMAGE_NAME} .
-CONTAINER_ID=$(docker run -d -p 8000:8000 ${DOCKER_IMAGE_NAME})
+CONTAINER_ID=$(docker run --name "${DOCKER_IMAGE_NAME}-cont" -d -p 8000:8000 ${DOCKER_IMAGE_NAME})
 
 MACHINE_IP=`docker-machine ip`
 

src/ngx_http_auth_jwt_module.c

@@ -22,6 +22,7 @@ static void * ngx_http_auth_jwt_create_loc_conf(ngx_conf_t *cf);
 static char * ngx_http_auth_jwt_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child);
 static int hex_char_to_binary( char ch, char* ret );
 static int hex_to_binary( const char* str, u_char* buf, int len );
+static char * ngx_str_t_to_char_ptr(ngx_pool_t *pool, ngx_str_t str);
 
 static ngx_command_t ngx_http_auth_jwt_commands[] = {
 
@@ -123,14 +124,12 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 	}
 
 	// the cookie data is not necessarily null terminated... we need a null terminated character pointer
-	jwtCookieValChrPtr = ngx_alloc(jwtCookieVal.len + 1, r->connection->log);
-	ngx_memcpy(jwtCookieValChrPtr, jwtCookieVal.data, jwtCookieVal.len);
-	*(jwtCookieValChrPtr+jwtCookieVal.len) = '\0';
+	jwtCookieValChrPtr = ngx_str_t_to_char_ptr(r->pool, jwtCookieVal);
 
 //	ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "rampartjwt: %s %d", jwtCookieValChrPtr, jwtCookieVal.len);
 
 	// convert key from hex to binary
-	keyBinary = ngx_alloc(jwtcf->auth_jwt_key.len / 2, r->connection->log);
+	keyBinary = ngx_palloc(r->pool, jwtcf->auth_jwt_key.len / 2);
 	if (0 != hex_to_binary((char *)jwtcf->auth_jwt_key.data, keyBinary, jwtcf->auth_jwt_key.len))
 	{
 		ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "failed to turn hex key into binary");
@@ -207,29 +206,24 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 				uri.len = request_uri_var->len;
 				ngx_memcpy(uri.data, request_uri_var->data, request_uri_var->len);
 
-
-				char * tmp = ngx_alloc(uri.len + 1, r->connection->log);
-				ngx_memcpy(tmp, uri.data, uri.len);
-				*(tmp+uri.len) = '\0';
-
-				ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "found uri with querystring %s", tmp);
+				// ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "found uri with querystring %s", ngx_str_t_to_char_ptr(r->pool, uri));
 			}
 			else
 			{
 				// fallback to the querystring without params
 				uri = r->uri;
 
-				ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "fallback to querystring without params");
+				// ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "fallback to querystring without params");
 			}
 
 			// escape the URI
-			escaped_len = 2 * ngx_escape_uri(NULL, uri.data, uri.len, NGX_ESCAPE_URI) + uri.len;
+			escaped_len = 2 * ngx_escape_uri(NULL, uri.data, uri.len, NGX_ESCAPE_ARGS) + uri.len;
 			uri_escaped.data = ngx_palloc(r->pool, escaped_len);
 			uri_escaped.len = escaped_len;
-			ngx_escape_uri(uri_escaped.data, uri.data, uri.len, NGX_ESCAPE_URI);
+			ngx_escape_uri(uri_escaped.data, uri.data, uri.len, NGX_ESCAPE_ARGS);
 
 			r->headers_out.___location->value.len = loginlen + sizeof("?return_url=") - 1 + strlen(scheme) + sizeof("://") - 1 + server.len + uri_escaped.len;
-			return_url = ngx_alloc(r->headers_out.___location->value.len, r->connection->log);
+			return_url = ngx_palloc(r->pool, r->headers_out.___location->value.len);
 			ngx_memcpy(return_url, jwtcf->auth_jwt_loginurl.data, jwtcf->auth_jwt_loginurl.len);
 			int return_url_idx = jwtcf->auth_jwt_loginurl.len;
 			ngx_memcpy(return_url+return_url_idx, "?return_url=", sizeof("?return_url=") - 1);
@@ -244,7 +238,7 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 			return_url_idx += uri_escaped.len;
 			r->headers_out.___location->value.data = (u_char *)return_url;
 
-			ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "return_url: %s", return_url);
+			// ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "return_url: %s", ngx_str_t_to_char_ptr(r->pool, r->headers_out.___location->value));
 		}
 		else
 		{
@@ -335,7 +329,8 @@ hex_char_to_binary( char ch, char* ret )
 }
 
 static int
-hex_to_binary( const char* str, u_char* buf, int len ) {
+hex_to_binary( const char* str, u_char* buf, int len ) 
+{
 	u_char	
 		*cpy = buf;
 	char
@@ -357,3 +352,13 @@ hex_to_binary( const char* str, u_char* buf, int len ) {
 	return 0;
 }
 
+/** copies an nginx string structure to a newly allocated character pointer */
+static char* ngx_str_t_to_char_ptr(ngx_pool_t *pool, ngx_str_t str)
+{
+	char* char_ptr = ngx_palloc(pool, str.len + 1);
+	ngx_memcpy(char_ptr, str.data, str.len);
+	*(char_ptr + str.len) = '\0';
+	return char_ptr;
+}
+
+