case-insenitive Bearer check #134 (#135)

TeslaGov · Aug 28, 2024 · 02f4e17 · 02f4e17
1 parent 03d9553
commit 02f4e17
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 13 deletions.
diff --git a/openssl.dockerfile b/openssl.dockerfile
@@ -1,9 +1,9 @@
-ARG BASE_IMAGE
+ARG BASE_IMAGE=debian:bookworm-slim
 
 FROM ${BASE_IMAGE}
-ARG SRC_DIR=/tmp/openssl-src
-ARG OUT_DIR=/usr/local/.openssl
-ARG SSL_VERSION
+ARG SSL_VERSION=3.2.1
+ENV SRC_DIR=/tmp/openssl-src
+ENV OUT_DIR=/usr/local/.openssl
 RUN <<`
     set -e
     apt-get update
@@ -13,8 +13,8 @@ RUN <<`
 `
 WORKDIR ${SRC_DIR}
 RUN <<`
-    set -e
-    curl --silent -O https://www.openssl.org/source/openssl-${SSL_VERSION}.tar.gz
+    set -ex
+    curl --silent -LO https://www.openssl.org/source/openssl-${SSL_VERSION}.tar.gz
     tar -xf openssl-${SSL_VERSION}.tar.gz --strip-components=1
 `
 RUN ./config --prefix=${OUT_DIR} --openssldir=${OUT_DIR} shared zlib
@@ -34,4 +34,4 @@ RUN <<`
     ln -sf ${OUT_DIR}/lib64/libcrypto.so.3 /lib/x86_64-linux-gnu/libcrypto.so.3
 `
 WORKDIR /
-#RUN rm -rf ${SRC_DIR}
+RUN rm -rf ${SRC_DIR}
diff --git a/scripts.sh b/scripts.sh
@@ -40,13 +40,13 @@ all() {
 verify_and_build_base_image() {
 	local image=${SSL_IMAGE_MAP[$SSL_VERSION]}
 	local baseImage=${image%%:*}
-	
+
 	if [ -z ${image} ]; then
 		echo "Base image not set for SSL version :${SSL_VERSION}"
 		exit 1
 	else
-		printf "${MAGENTA}Building base image for SSL ${SSL_VERSION}...${NC}\n"
-		docker image build \
+		printf "${MAGENTA}Building ${baseImage} base image for SSL ${SSL_VERSION}...${NC}\n"
+		docker buildx build \
 		  --build-arg BASE_IMAGE=debian:${baseImage} \
 			--build-arg SSL_VERSION=${SSL_VERSION} \
 			-f openssl.dockerfile \

diff --git a/src/ngx_http_auth_jwt_module.c b/src/ngx_http_auth_jwt_module.c
@@ -630,7 +630,7 @@ static char *get_jwt(ngx_http_request_t *r, ngx_str_t jwt_location)
     {
       static const char *BEARER_PREFIX = "Bearer ";
 
-      if (ngx_strncmp(jwtHeaderVal->value.data, BEARER_PREFIX, strlen(BEARER_PREFIX)) == 0)
+      if (ngx_strncasecmp(jwtHeaderVal->value.data, (u_char *)BEARER_PREFIX, strlen(BEARER_PREFIX)) == 0)
       {
         ngx_str_t jwtHeaderValWithoutBearer = jwtHeaderVal->value;
 

diff --git a/test/docker-compose-test.yml b/test/docker-compose-test.yml
@@ -1,5 +1,3 @@
-version: '3.3'
-
 services:
 
   nginx:

diff --git a/test/test.sh b/test/test.sh
@@ -143,6 +143,12 @@ main() {
            -r "< Test-Authorization: Bearer ${JWT_HS256_VALID}" \
            -x "--header \"Authorization: Bearer ${JWT_HS256_VALID}\""
 
+  run_test -n 'when auth enabled with Authorization header with Bearer, lower-case "bearer" should be accepted' \
+           -p '/secure/auth-header/default/proxy-header' \
+           -c '200' \
+           -r "< Test-Authorization: bearer ${JWT_HS256_VALID}" \
+           -x "--header \"Authorization: bearer ${JWT_HS256_VALID}\""
+
   run_test -n 'when auth enabled with default algorithm and no JWT cookie, returns 302' \
            -p '/secure/cookie/default' \
            -c '302'