Merge pull request TeslaGov#15 from TeslaGov/joefitz/optionally-redirect

Joefitz/optionally redirect

Author: fitzyjoe

build.sh

@@ -27,16 +27,23 @@ else
   echo -e "${RED}Secure test without jwt fail ${TEST_SECURE_EXPECT_302}${NONE}";
 fi
 
-TEST_SECURE_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html -H 'cache-control: no-cache' --cookie "rampartjwt=${VALIDJWT}"`
-if [ "$TEST_SECURE_EXPECT_200" -eq "200" ];then
-  echo -e "${GREEN}Secure test with jwt pass ${TEST_SECURE_EXPECT_200}${NONE}";
+TEST_SECURE_COOKIE_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html -H 'cache-control: no-cache' --cookie "rampartjwt=${VALIDJWT}"`
+if [ "$TEST_SECURE_COOKIE_EXPECT_200" -eq "200" ];then
+  echo -e "${GREEN}Secure test with jwt pass ${TEST_SECURE_COOKIE_EXPECT_200}${NONE}";
 else
-  echo -e "${RED}Secure test with jwt fail ${TEST_SECURE_EXPECT_200}${NONE}";
+  echo -e "${RED}Secure test with jwt fail ${TEST_SECURE_COOKIE_EXPECT_200}${NONE}";
 fi
 
-TEST_SECURE_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html -H 'cache-control: no-cache' --header "Authorization: Bearer ${VALIDJWT}" --cookie "rampartjwt=${VALIDJWT}"`
-if [ "$TEST_SECURE_EXPECT_200" -eq "200" ];then
-  echo -e "${GREEN}Secure test with jwt and auth header pass ${TEST_SECURE_EXPECT_200}${NONE}";
+TEST_SECURE_HEADER_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html -H 'cache-control: no-cache' --header "Authorization: Bearer ${VALIDJWT}" --cookie "rampartjwt=${VALIDJWT}"`
+if [ "$TEST_SECURE_HEADER_EXPECT_200" -eq "200" ];then
+  echo -e "${GREEN}Secure test with jwt and auth header pass ${TEST_SECURE_HEADER_EXPECT_200}${NONE}";
 else
-  echo -e "${RED}Secure test with jwt and auth header fail ${TEST_SECURE_EXPECT_200}${NONE}";
+  echo -e "${RED}Secure test with jwt and auth header fail ${TEST_SECURE_HEADER_EXPECT_200}${NONE}";
+fi
+
+TEST_SECURE_NO_REDIRECT_EXPECT_401=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure-no-redirect/index.html`
+if [ "$TEST_SECURE_NO_REDIRECT_EXPECT_401" -eq "401" ];then
+  echo -e "${GREEN}Secure test without jwt no redirect pass ${TEST_SECURE_NO_REDIRECT_EXPECT_401}${NONE}";
+else
+  echo -e "${RED}Secure test without jwt no redirect fail ${TEST_SECURE_NO_REDIRECT_EXPECT_401}${NONE}";
 fi

resources/test-jwt-nginx.conf

@@ -2,10 +2,17 @@ server {
     auth_jwt_key                 "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF";
     auth_jwt_loginurl            "https://teslagov.com";
     auth_jwt_enabled             off;
+    auth_jwt_redirect            on;
 
     listen       8000;
     server_name  localhost;
 
+    ___location ~ ^/secure-no-redirect/ {
+        auth_jwt_enabled   on;
+        auth_jwt_redirect  off;
+        alias  /usr/share/nginx/secure/;
+    }
+
     ___location ~ ^/secure/ {
         auth_jwt_enabled   on;
         root   /usr/share/nginx;

src/ngx_http_auth_jwt_module.c

@@ -14,6 +14,7 @@ typedef struct {
 	ngx_str_t   auth_jwt_loginurl;
 	ngx_str_t   auth_jwt_key;
 	ngx_flag_t  auth_jwt_enabled;
+	ngx_flag_t  auth_jwt_redirect;
 } ngx_http_auth_jwt_loc_conf_t;
 
 static ngx_int_t ngx_http_auth_jwt_init(ngx_conf_t *cf);
@@ -48,6 +49,13 @@ static ngx_command_t ngx_http_auth_jwt_commands[] = {
 		offsetof(ngx_http_auth_jwt_loc_conf_t, auth_jwt_enabled),
 		NULL },
 
+	{ ngx_string("auth_jwt_redirect"),
+		NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+		ngx_conf_set_flag_slot,
+		NGX_HTTP_LOC_CONF_OFFSET,
+		offsetof(ngx_http_auth_jwt_loc_conf_t, auth_jwt_redirect),
+		NULL },
+
 	ngx_null_command
 };
 
@@ -272,7 +280,14 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 			r->headers_out.___location->value.data = jwtcf->auth_jwt_loginurl.data;
 		}
 
-		return NGX_HTTP_MOVED_TEMPORARILY;
+        if (jwtcf->auth_jwt_redirect)
+        {
+    		return NGX_HTTP_MOVED_TEMPORARILY;
+        }
+        else
+        {
+    		return NGX_HTTP_UNAUTHORIZED;
+        }
 }
 
 
@@ -308,6 +323,7 @@ ngx_http_auth_jwt_create_loc_conf(ngx_conf_t *cf)
 
 	// set the flag to unset
 	conf->auth_jwt_enabled = (ngx_flag_t) -1;
+	conf->auth_jwt_redirect = (ngx_flag_t) -1;
 
 	ngx_conf_log_error(NGX_LOG_DEBUG, cf, 0, "Created Location Configuration");
 
@@ -324,11 +340,15 @@ ngx_http_auth_jwt_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 	ngx_conf_merge_str_value(conf->auth_jwt_loginurl, prev->auth_jwt_loginurl, "");
 	ngx_conf_merge_str_value(conf->auth_jwt_key, prev->auth_jwt_key, "");
 
-	
 	if (conf->auth_jwt_enabled == ((ngx_flag_t) -1)) 
 	{
 		conf->auth_jwt_enabled = (prev->auth_jwt_enabled == ((ngx_flag_t) -1)) ? 0 : prev->auth_jwt_enabled;
 	}
+
+    if (conf->auth_jwt_redirect == ((ngx_flag_t) -1))
+    {
+		conf->auth_jwt_redirect = (prev->auth_jwt_redirect == ((ngx_flag_t) -1)) ? 0 : prev->auth_jwt_redirect;
+    }
 
 	ngx_conf_log_error(NGX_LOG_DEBUG, cf, 0, "Merged Location Configuration");