Joefitz/optional auth header (TeslaGov#24)

* created more tests, exit if docker fails

* copy files to support more tests

* Added cookie vs auth header feature, refactored code

Author: fitzyjoe

Dockerfile

@@ -99,6 +99,8 @@ RUN wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz && \
 COPY resources/nginx.conf /etc/nginx/nginx.conf
 COPY resources/test-jwt-nginx.conf /etc/nginx/conf.d/test-jwt-nginx.conf
 RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure
+RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-auth-header
+RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-no-redirect
 
 ENTRYPOINT ["/usr/sbin/nginx"]
 #ENTRYPOINT ["while true; do echo hello world; sleep 1; done"]

build.sh

@@ -1,42 +1,62 @@
 #!/bin/bash
 
+RED='\033[01;31m'
+GREEN='\033[01;32m'
+NONE='\033[00m'
+
 # build
 DOCKER_IMAGE_NAME=jwt-nginx
 docker build -t ${DOCKER_IMAGE_NAME} .
+if [ $? -ne 0 ]
+then
+  echo -e "${RED}Build Failed${NONE}";
+  exit 1;
+fi
+
 CONTAINER_ID=$(docker run --name "${DOCKER_IMAGE_NAME}-cont" -d -p 8000:8000 ${DOCKER_IMAGE_NAME})
 
 MACHINE_IP=`docker-machine ip`
 
 docker cp ${CONTAINER_ID}:/usr/lib64/nginx/modules/ngx_http_auth_jwt_module.so .
 
-RED='\033[01;31m'
-GREEN='\033[01;32m'
-NONE='\033[00m'
-
 VALIDJWT=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.TvDD63ZOqFKgE-uxPDdP5aGIsbl5xPKz4fMul3Zlti4
 
-TEST_INSECURE_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000`
+TEST_INSECURE_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000 -H 'cache-control: no-cache'`
 if [ "$TEST_INSECURE_EXPECT_200" -eq "200" ];then
   echo -e "${GREEN}Insecure test pass ${TEST_INSECURE_EXPECT_200}${NONE}";
 else
   echo -e "${RED}Insecure test fail ${TEST_INSECURE_EXPECT_200}${NONE}";
 fi
 
-TEST_SECURE_EXPECT_302=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html`
-if [ "$TEST_SECURE_EXPECT_302" -eq "302" ];then
-  echo -e "${GREEN}Secure test without jwt pass ${TEST_SECURE_EXPECT_302}${NONE}";
+TEST_SECURE_COOKIE_EXPECT_302=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html -H 'cache-control: no-cache'`
+if [ "$TEST_SECURE_COOKIE_EXPECT_302" -eq "302" ];then
+  echo -e "${GREEN}Secure test without jwt cookie pass ${TEST_SECURE_COOKIE_EXPECT_302}${NONE}";
 else
-  echo -e "${RED}Secure test without jwt fail ${TEST_SECURE_EXPECT_302}${NONE}";
+  echo -e "${RED}Secure test without jwt cookie fail ${TEST_SECURE_COOKIE_EXPECT_302}${NONE}";
 fi
 
 TEST_SECURE_COOKIE_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure/index.html -H 'cache-control: no-cache' --cookie "rampartjwt=${VALIDJWT}"`
 if [ "$TEST_SECURE_COOKIE_EXPECT_200" -eq "200" ];then
-  echo -e "${GREEN}Secure test with jwt pass ${TEST_SECURE_COOKIE_EXPECT_200}${NONE}";
+  echo -e "${GREEN}Secure test with jwt cookie pass ${TEST_SECURE_COOKIE_EXPECT_200}${NONE}";
+else
+  echo -e "${RED}Secure test with jwt cookie fail ${TEST_SECURE_COOKIE_EXPECT_200}${NONE}";
+fi
+
+TEST_SECURE_HEADER_EXPECT_200=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure-auth-header/index.html -H 'cache-control: no-cache' --header "Authorization: Bearer ${VALIDJWT}"`
+if [ "$TEST_SECURE_HEADER_EXPECT_200" -eq "200" ];then
+  echo -e "${GREEN}Secure test with jwt auth header pass ${TEST_SECURE_HEADER_EXPECT_200}${NONE}";
+else
+  echo -e "${RED}Secure test with jwt auth header fail ${TEST_SECURE_HEADER_EXPECT_200}${NONE}";
+fi
+
+TEST_SECURE_HEADER_EXPECT_302=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure-auth-header/index.html -H 'cache-control: no-cache'`
+if [ "$TEST_SECURE_HEADER_EXPECT_302" -eq "200" ];then
+  echo -e "${GREEN}Secure test without jwt auth header pass ${TEST_SECURE_HEADER_EXPECT_302}${NONE}";
 else
-  echo -e "${RED}Secure test with jwt fail ${TEST_SECURE_COOKIE_EXPECT_200}${NONE}";
+  echo -e "${RED}Secure test without jwt auth header fail ${TEST_SECURE_HEADER_EXPECT_302}${NONE}";
 fi
 
-TEST_SECURE_NO_REDIRECT_EXPECT_401=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure-no-redirect/index.html`
+TEST_SECURE_NO_REDIRECT_EXPECT_401=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure-no-redirect/index.html -H 'cache-control: no-cache'`
 if [ "$TEST_SECURE_NO_REDIRECT_EXPECT_401" -eq "401" ];then
   echo -e "${GREEN}Secure test without jwt no redirect pass ${TEST_SECURE_NO_REDIRECT_EXPECT_401}${NONE}";
 else

config

@@ -2,7 +2,7 @@ ngx_addon_name=ngx_http_auth_jwt_module
 
 ngx_module_type=HTTP
 ngx_module_name=ngx_http_auth_jwt_module
-ngx_module_srcs="$ngx_addon_dir/src/ngx_http_auth_jwt_module.c"
+ngx_module_srcs="$ngx_addon_dir/src/ngx_http_auth_jwt_binary_converters.c $ngx_addon_dir/src/ngx_http_auth_jwt_header_processing.c $ngx_addon_dir/src/ngx_http_auth_jwt_string.c $ngx_addon_dir/src/ngx_http_auth_jwt_module.c"
 ngx_module_libs="-ljansson -ljwt"
 
 . auto/module

ngx_http_auth_jwt_module.so

@@ -10,12 +10,20 @@ server {
     ___location ~ ^/secure-no-redirect/ {
         auth_jwt_enabled   on;
         auth_jwt_redirect  off;
-        alias  /usr/share/nginx/secure/;
+        root  /usr/share/nginx;
+        index  index.html index.htm;
     }
 
     ___location ~ ^/secure/ {
         auth_jwt_enabled   on;
-        root   /usr/share/nginx;
+        auth_jwt_validation_type COOKIE=rampartjwt;
+        root  /usr/share/nginx;
+        index  index.html index.htm;
+    }
+
+    ___location ~ ^/secure-auth-header/ {
+        auth_jwt_enabled on;
+        root  /usr/share/nginx;
         index  index.html index.htm;
     }
 

resources/test-jwt-nginx.conf

@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2018 Tesla Government
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license.  See the LICENSE file for details.
+ *
+ * https://github.com/TeslaGov/ngx-http-auth-jwt-module
+ */
+
+#include "ngx_http_auth_jwt_binary_converters.h"
+
+#include <ngx_core.h>
+
+int hex_char_to_binary( char ch, char* ret )
+{
+	ch = tolower( ch );
+	if( isdigit( ch ) )
+		*ret = ch - '0';
+	else if( ch >= 'a' && ch <= 'f' )
+		*ret = ( ch - 'a' ) + 10;
+	else if( ch >= 'A' && ch <= 'F' )
+		*ret = ( ch - 'A' ) + 10;
+	else
+		return *ret = 0;
+	return 1;
+}
+
+int hex_to_binary( const char* str, u_char* buf, int len ) 
+{
+	u_char	
+		*cpy = buf;
+	char
+		low,
+		high;
+	int
+		odd = len % 2;
+	
+	if (odd) {
+		return -1;
+	}
+
+	for (int i = 0; i < len; i += 2) {
+		hex_char_to_binary( *(str + i), &high );
+		hex_char_to_binary( *(str + i + 1 ), &low );
+		
+		*cpy++ = low | (high << 4);
+	}
+	return 0;
+}

src/ngx_http_auth_jwt_binary_converters.c

@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) 2018 Tesla Government
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license.  See the LICENSE file for details.
+ *
+ * https://github.com/TeslaGov/ngx-http-auth-jwt-module
+ */
+
+#ifndef _NGX_HTTP_AUTH_JWT_BINARY_CONVERTERS_H
+#define _NGX_HTTP_AUTH_JWT_BINARY_CONVERTERS_H
+
+#include <ngx_core.h>
+
+int hex_char_to_binary( char ch, char* ret );
+int hex_to_binary( const char* str, u_char* buf, int len );
+
+#endif /* _NGX_HTTP_AUTH_JWT_BINARY_CONVERTERS_H */

src/ngx_http_auth_jwt_binary_converters.h

@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2018 Tesla Government
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license.  See the LICENSE file for details.
+ *
+ * https://github.com/TeslaGov/ngx-http-auth-jwt-module
+ */
+
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+#include "ngx_http_auth_jwt_header_processing.h"
+
+/**
+ * Sample code from nginx.
+ * https://www.nginx.com/resources/wiki/start/topics/examples/headers_management/?highlight=http%20settings
+ */
+ngx_table_elt_t* search_headers_in(ngx_http_request_t *r, u_char *name, size_t len)
+{
+	ngx_list_part_t            *part;
+	ngx_table_elt_t            *h;
+	ngx_uint_t                  i;
+
+	// Get the first part of the list. There is usual only one part.
+	part = &r->headers_in.headers.part;
+	h = part->elts;
+
+	// Headers list array may consist of more than one part, so loop through all of it
+	for (i = 0; /* void */ ; i++)
+	{
+		if (i >= part->nelts)
+		{
+			if (part->next == NULL)
+			{
+				/* The last part, search is done. */
+				break;
+			}
+
+			part = part->next;
+			h = part->elts;
+			i = 0;
+		}
+
+		//Just compare the lengths and then the names case insensitively.
+		if (len != h[i].key.len || ngx_strcasecmp(name, h[i].key.data) != 0)
+		{
+			/* This header doesn't match. */
+			continue;
+		}
+
+		/*
+		* Ta-da, we got one!
+		* Note, we've stopped the search at the first matched header
+		* while more then one header may match.
+		*/
+		return &h[i];
+	}
+
+	/* No headers was found */
+	return NULL;
+}
+
+/**
+ * Sample code from nginx
+ * https://www.nginx.com/resources/wiki/start/topics/examples/headers_management/#how-can-i-set-a-header
+ */
+ngx_int_t set_custom_header_in_headers_out(ngx_http_request_t *r, ngx_str_t *key, ngx_str_t *value) {
+    ngx_table_elt_t   *h;
+
+    /*
+    All we have to do is just to allocate the header...
+    */
+    h = ngx_list_push(&r->headers_out.headers);
+    if (h == NULL) {
+        return NGX_ERROR;
+    }
+
+    /*
+    ... setup the header key ...
+    */
+    h->key = *key;
+
+    /*
+    ... and the value.
+    */
+    h->value = *value;
+
+    /*
+    Mark the header as not deleted.
+    */
+    h->hash = 1;
+
+    return NGX_OK;
+}

src/ngx_http_auth_jwt_header_processing.c

@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) 2018 Tesla Government
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license.  See the LICENSE file for details.
+ */
+
+#ifndef _NGX_HTTP_AUTH_JWT_HEADER_PROCESSING_H
+#define _NGX_HTTP_AUTH_JWT_HEADER_PROCESSING_H
+
+ngx_table_elt_t* search_headers_in(ngx_http_request_t *r, u_char *name, size_t len);
+ngx_int_t set_custom_header_in_headers_out(ngx_http_request_t *r, ngx_str_t *key, ngx_str_t *value);
+
+#endif /* _NGX_HTTP_AUTH_JWT_HEADER_PROCESSING_H */