Merge pull request TeslaGov#12 from TeslaGov/joefitz/validate-authorization-header

fitzyjoe · web-flow · commit f5387606c299 · 2017-10-31T13:45:05.000-04:00
Joefitz/validate authorization header
diff --git a/Dockerfile b/Dockerfile
@@ -48,7 +48,7 @@ RUN wget https://github.com/benmcollins/libjwt/archive/v$LIBJWT_VERSION.zip && \
 ARG TESLA_REPO_NAME=ngx-http-auth-jwt-module
 # ARG TESLA_REPO_URL_PREFIX=joefitz/
 # ARG TESLA_REPO_FILE_PREFIX=joefitz-
-# ARG TESLA_REPO_FILENAME=match-rh-nginx110-version
+# ARG TESLA_REPO_FILENAME=validate-authorization-header
 ARG TESLA_REPO_URL_PREFIX=
 ARG TESLA_REPO_FILE_PREFIX=
 ARG TESLA_REPO_FILENAME=master
diff --git a/build.sh b/build.sh
@@ -11,6 +11,8 @@ RED='\033[01;31m'
 GREEN='\033[01;32m'
 NONE='\033[00m'
 
+VALIDJWT=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.TvDD63ZOqFKgE-uxPDdP5aGIsbl5xPKz4fMul3Zlti4
+
 TEST_INSECURE_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000`
 if [ "$TEST_INSECURE_EXPECT_200" -eq "200" ];then
   echo -e "${GREEN}Insecure test pass ${TEST_INSECURE_EXPECT_200}${NONE}";
@@ -25,9 +27,16 @@ else
   echo -e "${RED}Secure test without jwt fail ${TEST_SECURE_EXPECT_302}${NONE}";
 fi
 
-TEST_SECURE_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html -H 'cache-control: no-cache' --cookie "rampartjwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.TvDD63ZOqFKgE-uxPDdP5aGIsbl5xPKz4fMul3Zlti4;PassportKey=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.TvDD63ZOqFKgE-uxPDdP5aGIsbl5xPKz4fMul3Zlti4"`
+TEST_SECURE_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html -H 'cache-control: no-cache' --cookie "rampartjwt=${VALIDJWT}"`
 if [ "$TEST_SECURE_EXPECT_200" -eq "200" ];then
   echo -e "${GREEN}Secure test with jwt pass ${TEST_SECURE_EXPECT_200}${NONE}";
 else
   echo -e "${RED}Secure test with jwt fail ${TEST_SECURE_EXPECT_200}${NONE}";
 fi
+
+TEST_SECURE_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html -H 'cache-control: no-cache' --header "Authorization: Bearer ${VALIDJWT}" --cookie "rampartjwt=${VALIDJWT}"`
+if [ "$TEST_SECURE_EXPECT_200" -eq "200" ];then
+  echo -e "${GREEN}Secure test with jwt and auth header pass ${TEST_SECURE_EXPECT_200}${NONE}";
+else
+  echo -e "${RED}Secure test with jwt and auth header fail ${TEST_SECURE_EXPECT_200}${NONE}";
+fi
diff --git a/src/ngx_http_auth_jwt_module.c b/src/ngx_http_auth_jwt_module.c
@@ -23,6 +23,7 @@ static char * ngx_http_auth_jwt_merge_loc_conf(ngx_conf_t *cf, void *parent, voi
 static int hex_char_to_binary( char ch, char* ret );
 static int hex_to_binary( const char* str, u_char* buf, int len );
 static char * ngx_str_t_to_char_ptr(ngx_pool_t *pool, ngx_str_t str);
+static ngx_table_elt_t* search_headers_in(ngx_http_request_t *r, u_char *name, size_t len);
 
 static ngx_command_t ngx_http_auth_jwt_commands[] = {
 
@@ -84,9 +85,12 @@ ngx_module_t ngx_http_auth_jwt_module = {
 
 static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 {
-	ngx_int_t n;
+	static const int BEARER_LEN = 7; // strlen("Bearer ");
+	
 	ngx_str_t jwtCookieName = ngx_string("rampartjwt");
 	ngx_str_t passportKeyCookieName = ngx_string("PassportKey");
+	ngx_str_t authorizationHeaderName = ngx_string("Authorization");
+	ngx_int_t n;
 	ngx_str_t jwtCookieVal;
 	char* jwtCookieValChrPtr;
 	char* return_url;
@@ -97,6 +101,7 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 	jwt_alg_t alg;
 	time_t exp;
 	time_t now;
+	ngx_table_elt_t *authorizationHeader;
 	
 	jwtcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_jwt_module);
 	
@@ -109,6 +114,7 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 //			jwtcf->auth_jwt_key.data, 
 //			jwtcf->auth_jwt_enabled);
 	
+
 	// get the cookie
 	// TODO: the cookie name could be passed in dynamicallly
 	n = ngx_http_parse_multi_header_lines(&r->headers_in.cookies, &jwtCookieName, &jwtCookieVal);
@@ -163,6 +169,25 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 		goto redirect;
 	}
 	
+	// if an Authorization header exists, it must match the cookie
+	authorizationHeader = search_headers_in(r, authorizationHeaderName.data, authorizationHeaderName.len);
+	if (authorizationHeader != NULL)
+	{
+		// compare lengths first
+		if (authorizationHeader->value.len != jwtCookieVal.len + BEARER_LEN)
+		{
+			ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "Authorization and Cookie do not match lengths");
+			goto redirect;
+		}
+
+		// compare content
+		if (0 != strncmp((const char *)(authorizationHeader->value.data + BEARER_LEN), (const char *)jwtCookieVal.data, jwtCookieVal.len)) 
+		{
+			ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "Authorization and Cookie do not match content");
+			goto redirect;
+		}
+	}
+
 	return NGX_OK;
 	
 	redirect:
@@ -361,4 +386,48 @@ static char* ngx_str_t_to_char_ptr(ngx_pool_t *pool, ngx_str_t str)
 	return char_ptr;
 }
 
+static ngx_table_elt_t* search_headers_in(ngx_http_request_t *r, u_char *name, size_t len)
+{
+	ngx_list_part_t            *part;
+	ngx_table_elt_t            *h;
+	ngx_uint_t                  i;
+
+	// Get the first part of the list. There is usual only one part.
+	part = &r->headers_in.headers.part;
+	h = part->elts;
+
+	// Headers list array may consist of more than one part, so loop through all of it
+	for (i = 0; /* void */ ; i++)
+	{
+		if (i >= part->nelts)
+		{
+			if (part->next == NULL)
+			{
+				/* The last part, search is done. */
+				break;
+			}
+
+			part = part->next;
+			h = part->elts;
+			i = 0;
+		}
+
+		//Just compare the lengths and then the names case insensitively.
+		if (len != h[i].key.len || ngx_strcasecmp(name, h[i].key.data) != 0)
+		{
+			/* This header doesn't match. */
+			continue;
+		}
+
+		/*
+		* Ta-da, we got one!
+		* Note, we've stopped the search at the first matched header
+		* while more then one header may match.
+		*/
+		return &h[i];
+	}
+
+	/* No headers was found */
+	return NULL;
+}
 
