
Commit 59bd2c8

authored
Merge pull request TeslaGov#8 from TeslaGov/joefitz/return-url-encode
Joefitz/return url encode
2 parents da89753 + 2a11d56 commit 59bd2c8


2 files changed

+46
-29
lines changed


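--- a/build.sh
+++ b/build.sh
@@ -11,21 +11,21 @@ RED='\033[01;31m'
 GREEN='\033[01;32m'
 NONE='\033[00m'
 
-TEST_INSECURE_EXPECT_200=`curl -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000`
+TEST_INSECURE_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000`
 if [ "$TEST_INSECURE_EXPECT_200" -eq "200" ];then
 echo -e "${GREEN}Insecure test pass ${TEST_INSECURE_EXPECT_200}${NONE}";
 else
 echo -e "${RED}Insecure test fail ${TEST_INSECURE_EXPECT_200}${NONE}";
 fi
 
-TEST_SECURE_EXPECT_302=`curl -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html`
+TEST_SECURE_EXPECT_302=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html`
 if [ "$TEST_SECURE_EXPECT_302" -eq "302" ];then
 echo -e "${GREEN}Secure test without jwt pass ${TEST_SECURE_EXPECT_302}${NONE}";
 else
 echo -e "${RED}Secure test without jwt fail ${TEST_SECURE_EXPECT_302}${NONE}";
 fi
 
-TEST_SECURE_EXPECT_200=`curl -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html -H 'cache-control: no-cache' --cookie "rampartjwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.TvDD63ZOqFKgE-uxPDdP5aGIsbl5xPKz4fMul3Zlti4;PassportKey=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.TvDD63ZOqFKgE-uxPDdP5aGIsbl5xPKz4fMul3Zlti4"`
+TEST_SECURE_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html -H 'cache-control: no-cache' --cookie "rampartjwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.TvDD63ZOqFKgE-uxPDdP5aGIsbl5xPKz4fMul3Zlti4;PassportKey=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.TvDD63ZOqFKgE-uxPDdP5aGIsbl5xPKz4fMul3Zlti4"`
 if [ "$TEST_SECURE_EXPECT_200" -eq "200" ];then
 echo -e "${GREEN}Secure test with jwt pass ${TEST_SECURE_EXPECT_200}${NONE}";
 else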
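Review bot: The `-X GET` added to the three probes on lines 14, 21 and 28 has no comment saying why, and because `--head` stays on each line curl still treats the response as header-only, so a reader cannot tell whether the script means to exercise the module's GET path or its HEAD path; a comment such as `# use GET rather than HEAD so the module's redirect path runs; --head only keeps curl from reading the body` on line 14 would make the intent explicit. The behaviour this pull request adds, an escaped return_url in the Location header of the 302, is still not asserted anywhere: the secure test without a JWT only compares the status code, and capturing `--write-out '%{redirect_url}\n'` and comparing the return_url query value against the expected encoded URI would cover it. The two identical test tokens on line 28 would read better as one variable defined at the top of the script and referenced from the cookie string.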

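--- a/src/ngx_http_auth_jwt_module.c
+++ b/src/ngx_http_auth_jwt_module.c
@@ -23,7 +23,7 @@ static char * ngx_http_auth_jwt_merge_loc_conf(ngx_conf_t *cf, void *parent, voi
 static int hex_char_to_binary( char ch, char* ret );
 static int hex_to_binary( const char* str, u_char* buf, int len );
 
-static ngx_command_t ngx_http_auth_jwt_commands[] = {
+static ngx_command_t ngx_http_auth_jwt_commands[] = {
 
 { ngx_string("auth_jwt_loginurl"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
@@ -38,19 +38,19 @@ static ngx_command_t ngx_http_auth_jwt_commands[] = {
 NGX_HTTP_LOC_CONF_OFFSET,
 offsetof(ngx_http_auth_jwt_loc_conf_t, auth_jwt_key),
 NULL },
-
+
 { ngx_string("auth_jwt_enabled"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
 ngx_conf_set_flag_slot,
 NGX_HTTP_LOC_CONF_OFFSET,
 offsetof(ngx_http_auth_jwt_loc_conf_t, auth_jwt_enabled),
 NULL },
 
-ngx_null_command
+ngx_null_command
 };
 
 
-static ngx_http_module_t ngx_http_auth_jwt_module_ctx = {
+static ngx_http_module_t ngx_http_auth_jwt_module_ctx = {
 NULL, /* preconfiguration */
 ngx_http_auth_jwt_init, /* postconfiguration */
 
@@ -65,7 +65,7 @@ static ngx_http_module_t ngx_http_auth_jwt_module_ctx = {
 };
 
 
-ngx_module_t ngx_http_auth_jwt_module = {
+ngx_module_t ngx_http_auth_jwt_module = {
 NGX_MODULE_V1,
 &ngx_http_auth_jwt_module_ctx, /* module context */
 ngx_http_auth_jwt_commands, /* module directives */
@@ -89,7 +89,7 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 ngx_str_t jwtCookieVal;
 char* jwtCookieValChrPtr;
 char* return_url;
-ngx_http_auth_jwt_loc_conf_t *jwtcf;
+ngx_http_auth_jwt_loc_conf_t *jwtcf;
 u_char *keyBinary;
 jwt_t *jwt;
 int jwtParseReturnCode;
@@ -117,7 +117,7 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 n = ngx_http_parse_multi_header_lines(&r->headers_in.cookies, &passportKeyCookieName, &jwtCookieVal);
 if (n == NGX_DECLINED)
 {
-ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "failed to obtain a jwt cookie");
+ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "failed to find a jwt");
 goto redirect;
 }
 }
@@ -183,10 +183,12 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 int loginlen;
 char * scheme;
 ngx_str_t server;
-ngx_str_t uri_variable_name = ngx_string("request_uri");;
+ngx_str_t uri_variable_name = ngx_string("request_uri");
 ngx_int_t uri_variable_hash;
 ngx_http_variable_value_t * request_uri_var;
 ngx_str_t uri;
+ngx_str_t uri_escaped;
+uintptr_t escaped_len;
 
 loginlen = jwtcf->auth_jwt_loginurl.len;
 
@@ -197,21 +199,36 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 uri_variable_hash = ngx_hash_key(uri_variable_name.data, uri_variable_name.len);
 request_uri_var = ngx_http_get_variable(r, &uri_variable_name, uri_variable_hash);
 
-// get the uri
+// get the URI
 if(request_uri_var && !request_uri_var->not_found && request_uri_var->valid)
 {
 // ideally we would like the uri with the querystring parameters
-uri.data = ngx_palloc(r->pool, request_uri_var->len);
-uri.len = request_uri_var->len;
+uri.data = ngx_palloc(r->pool, request_uri_var->len);
+uri.len = request_uri_var->len;
 ngx_memcpy(uri.data, request_uri_var->data, request_uri_var->len);
+
+
+char * tmp = ngx_alloc(uri.len + 1, r->connection->log);
+ngx_memcpy(tmp, uri.data, uri.len);
+*(tmp+uri.len) = '\0';
+
+ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "found uri with querystring %s", tmp);
 }
 else
 {
 // fallback to the querystring without params
 uri = r->uri;
+
+ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "fallback to querystring without params");
 }
 
-r->headers_out.___location->value.len = loginlen + sizeof("?return_url=") - 1 + strlen(scheme) + sizeof("://") - 1 + server.len + uri.len;
+// escape the URI
+escaped_len = 2 * ngx_escape_uri(NULL, uri.data, uri.len, NGX_ESCAPE_URI) + uri.len;
+uri_escaped.data = ngx_palloc(r->pool, escaped_len);
+uri_escaped.len = escaped_len;
+ngx_escape_uri(uri_escaped.data, uri.data, uri.len, NGX_ESCAPE_URI);
+
+r->headers_out.___location->value.len = loginlen + sizeof("?return_url=") - 1 + strlen(scheme) + sizeof("://") - 1 + server.len + uri_escaped.len;
 return_url = ngx_alloc(r->headers_out.___location->value.len, r->connection->log);
 ngx_memcpy(return_url, jwtcf->auth_jwt_loginurl.data, jwtcf->auth_jwt_loginurl.len);
 int return_url_idx = jwtcf->auth_jwt_loginurl.len;
@@ -223,11 +240,11 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 return_url_idx += sizeof("://") - 1;
 ngx_memcpy(return_url+return_url_idx, server.data, server.len);
 return_url_idx += server.len;
-ngx_memcpy(return_url+return_url_idx, uri.data, uri.len);
-return_url_idx += uri.len;
+ngx_memcpy(return_url+return_url_idx, uri_escaped.data, uri_escaped.len);
+return_url_idx += uri_escaped.len;
 r->headers_out.___location->value.data = (u_char *)return_url;
 
-ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "redirect for get request");
+ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "return_url: %s", return_url);
 }
 else
 {
@@ -262,7 +279,7 @@ static ngx_int_t ngx_http_auth_jwt_init(ngx_conf_t *cf)
 static void *
 ngx_http_auth_jwt_create_loc_conf(ngx_conf_t *cf)
 {
-ngx_http_auth_jwt_loc_conf_t *conf;
+ngx_http_auth_jwt_loc_conf_t *conf;
 
 conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_auth_jwt_loc_conf_t));
 if (conf == NULL)
@@ -282,45 +299,45 @@ ngx_http_auth_jwt_create_loc_conf(ngx_conf_t *cf)
 static char *
 ngx_http_auth_jwt_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 {
-ngx_http_auth_jwt_loc_conf_t *prev = parent;
-ngx_http_auth_jwt_loc_conf_t *conf = child;
+ngx_http_auth_jwt_loc_conf_t *prev = parent;
+ngx_http_auth_jwt_loc_conf_t *conf = child;
 
 ngx_conf_merge_str_value(conf->auth_jwt_loginurl, prev->auth_jwt_loginurl, "");
 ngx_conf_merge_str_value(conf->auth_jwt_key, prev->auth_jwt_key, "");
 
 
 if (conf->auth_jwt_enabled == ((ngx_flag_t) -1))
 {
-conf->auth_jwt_enabled = (prev->auth_jwt_enabled == ((ngx_flag_t) -1)) ? 0 : prev->auth_jwt_enabled;
+conf->auth_jwt_enabled = (prev->auth_jwt_enabled == ((ngx_flag_t) -1)) ? 0 : prev->auth_jwt_enabled;
 }
 
 ngx_conf_log_error(NGX_LOG_DEBUG, cf, 0, "Merged Location Configuration");
 
 // ngx_conf_log_error(NGX_LOG_ERR, cf, 0, "Key: %s, Enabled: %d",
 // conf->auth_jwt_key.data,
 // conf->auth_jwt_enabled);
-return NGX_CONF_OK;
+return NGX_CONF_OK;
 }
 
 static int
 hex_char_to_binary( char ch, char* ret )
 {
-ch = tolower( ch );
+ch = tolower( ch );
 if( isdigit( ch ) )
-*ret = ch - '0';
+*ret = ch - '0';
 else if( ch >= 'a' && ch <= 'f' )
 *ret = ( ch - 'a' ) + 10;
 else if( ch >= 'A' && ch <= 'F' )
-*ret = ( ch - 'A' ) + 10;
+*ret = ( ch - 'A' ) + 10;
 else
 return *ret = 0;
-return 1;
+return 1;
 }
 
 static int
 hex_to_binary( const char* str, u_char* buf, int len ) {
 u_char
-*cpy = buf;
+*cpy = buf;
 char
 low,
 high;
@@ -337,6 +354,6 @@ hex_to_binary( const char* str, u_char* buf, int len ) {
 
 *cpy++ = low | (high << 4);
 }
-return 0;
+return 0;
 }
 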
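Review bot: The new log line at line 247 of the patched file, `ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "return_url: %s", return_url);`, passes a buffer that is never NUL-terminated: return_url is allocated with exactly value.len bytes on line 232 and, as far as the visible copies show, filled to its last byte, so `%s` reads past the end of the allocation and can copy adjacent heap bytes into the error log. Logging the ngx_str_t instead needs no terminator: `ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "return_url: %V", &r->headers_out.___location->value);`. The `tmp` copy on lines 211-215 exists only for the "found uri with querystring" message; it comes from `ngx_alloc`, is neither checked for NULL nor ever freed, so every redirect leaks uri.len+1 bytes, and `ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "found uri with querystring %V", &uri);` removes both the copy and the leak. Both messages are emitted at NGX_LOG_ERR on every unauthenticated request and the query string can carry tokens or personal data, which is why DEBUG is the appropriate level. The two `ngx_palloc` results on lines 206 and 227 are also used without a NULL check; ngx_http_auth_jwt_handler, which starts and ends outside these hunks, should return NGX_HTTP_INTERNAL_SERVER_ERROR when either is NULL.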
