From 02f4e17eb84dd2de78d5cedca8f0b4f8247470e3 Mon Sep 17 00:00:00 2001 From: Josh McCullough Date: Wed, 28 Aug 2024 12:12:07 -0400 Subject: [PATCH] case-insenitive Bearer check #134 (#135) --- openssl.dockerfile | 14 +++++++------- scripts.sh | 6 +++--- src/ngx_http_auth_jwt_module.c | 2 +- test/docker-compose-test.yml | 2 -- test/test.sh | 6 ++++++ 5 files changed, 17 insertions(+), 13 deletions(-) diff --git a/openssl.dockerfile b/openssl.dockerfile index 45140cc..d8bb293 100644 --- a/openssl.dockerfile +++ b/openssl.dockerfile @@ -1,9 +1,9 @@ -ARG BASE_IMAGE +ARG BASE_IMAGE=debian:bookworm-slim FROM ${BASE_IMAGE} -ARG SRC_DIR=/tmp/openssl-src -ARG OUT_DIR=/usr/local/.openssl -ARG SSL_VERSION +ARG SSL_VERSION=3.2.1 +ENV SRC_DIR=/tmp/openssl-src +ENV OUT_DIR=/usr/local/.openssl RUN <<` set -e apt-get update @@ -13,8 +13,8 @@ RUN <<` ` WORKDIR ${SRC_DIR} RUN <<` - set -e - curl --silent -O https://www.openssl.org/source/openssl-${SSL_VERSION}.tar.gz + set -ex + curl --silent -LO https://www.openssl.org/source/openssl-${SSL_VERSION}.tar.gz tar -xf openssl-${SSL_VERSION}.tar.gz --strip-components=1 ` RUN ./config --prefix=${OUT_DIR} --openssldir=${OUT_DIR} shared zlib @@ -34,4 +34,4 @@ RUN <<` ln -sf ${OUT_DIR}/lib64/libcrypto.so.3 /lib/x86_64-linux-gnu/libcrypto.so.3 ` WORKDIR / -#RUN rm -rf ${SRC_DIR} \ No newline at end of file +RUN rm -rf ${SRC_DIR} \ No newline at end of file diff --git a/scripts.sh b/scripts.sh index 421a4cb..6f109d9 100755 --- a/scripts.sh +++ b/scripts.sh 
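Review bot: The download in the second `RUN` heredoc of openssl.dockerfile now follows redirects (`-L`), but the tarball is still unpacked and built with no integrity check, and without `--fail` an HTTP error body would be saved as the archive. Restrict the transfer to HTTPS and fail on HTTP errors: `curl --fail --silent --show-error --proto '=https' --proto-redir '=https' -LO https://www.openssl.org/source/openssl-${SSL_VERSION}.tar.gz`. Then verify a pinned digest before `tar -xf`: `echo "${SSL_SHA256}  openssl-${SSL_VERSION}.tar.gz" | sha256sum -c -`, where `SSL_SHA256` is a placeholder name for a new build arg carrying the expected digest of each supported version. With `set -ex` already in place, a mismatch would stop the build at that line.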
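Review bot: The re-enabled `RUN rm -rf ${SRC_DIR}` at the end of openssl.dockerfile runs as its own layer, so the source tree is hidden from the final filesystem but still stored in the earlier layers. The image does not get smaller and the build tree remains recoverable from it. Moving the removal into the same `RUN` step that finishes the install would actually drop the files; so would a multi-stage build that copies only `${OUT_DIR}`. The install step itself lies outside this hunk. Separately, `SRC_DIR` and `OUT_DIR` are now `ENV`, so both persist in the environment of every container started from the image; a short comment saying whether that is intended would help.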
@@ -40,13 +40,13 @@ all() { verify_and_build_base_image() { local image=${SSL_IMAGE_MAP[$SSL_VERSION]} local baseImage=${image%%:*} - + if [ -z ${image} ]; then echo "Base image not set for SSL version :${SSL_VERSION}" exit 1 else - printf "${MAGENTA}Building base image for SSL ${SSL_VERSION}...${NC}\n" - docker image build \ + printf "${MAGENTA}Building ${baseImage} base image for SSL ${SSL_VERSION}...${NC}\n" + docker buildx build \ --build-arg BASE_IMAGE=debian:${baseImage} \ --build-arg SSL_VERSION=${SSL_VERSION} \ -f openssl.dockerfile \ diff --git a/src/ngx_http_auth_jwt_module.c b/src/ngx_http_auth_jwt_module.c index 85a646d..e21560c 100644 --- a/src/ngx_http_auth_jwt_module.c +++ b/src/ngx_http_auth_jwt_module.c @@ -630,7 +630,7 @@ static char *get_jwt(ngx_http_request_t *r, ngx_str_t jwt_location) { static const char *BEARER_PREFIX = "Bearer "; - if (ngx_strncmp(jwtHeaderVal->value.data, BEARER_PREFIX, strlen(BEARER_PREFIX)) == 0) + if (ngx_strncasecmp(jwtHeaderVal->value.data, (u_char *)BEARER_PREFIX, strlen(BEARER_PREFIX)) == 0) { ngx_str_t jwtHeaderValWithoutBearer = jwtHeaderVal->value; diff --git a/test/docker-compose-test.yml b/test/docker-compose-test.yml index 3c0e9be..14c88da 100644 --- a/test/docker-compose-test.yml +++ b/test/docker-compose-test.yml @@ -1,5 +1,3 @@ -version: '3.3' - services: nginx: diff --git a/test/test.sh b/test/test.sh index f54e0de..2bf9cb3 100755 --- a/test/test.sh +++ b/test/test.sh 
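Review bot: The changed condition in `get_jwt` compares `strlen(BEARER_PREFIX)` bytes of `jwtHeaderVal->value.data` without first checking `jwtHeaderVal->value.len`. An `ngx_str_t` carries its own length and is not guaranteed to be NUL-terminated, so a header value shorter than the prefix relies on whatever byte follows the buffer. If nothing earlier in the function enforces it, guard the call: `if (jwtHeaderVal->value.len > strlen(BEARER_PREFIX) && ngx_strncasecmp(jwtHeaderVal->value.data, (u_char *)BEARER_PREFIX, strlen(BEARER_PREFIX)) == 0)`. Using `>` rather than `>=` also rejects a bare `Bearer ` with an empty token, which would otherwise yield a zero-length string after the prefix is stripped. The function starts and ends outside the hunk, so the lookup of `jwtHeaderVal` and the handling of the stripped value are not visible here.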
@@ -143,6 +143,12 @@ main() { -r "< Test-Authorization: Bearer ${JWT_HS256_VALID}" \ -x "--header \"Authorization: Bearer ${JWT_HS256_VALID}\"" + run_test -n 'when auth enabled with Authorization header with Bearer, lower-case "bearer" should be accepted' \ + -p '/secure/auth-header/default/proxy-header' \ + -c '200' \ + -r "< Test-Authorization: bearer ${JWT_HS256_VALID}" \ + -x "--header \"Authorization: bearer ${JWT_HS256_VALID}\"" + run_test -n 'when auth enabled with default algorithm and no JWT cookie, returns 302' \ -p '/secure/cookie/default' \ -c '302'
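Review bot: The added `run_test` covers only the all-lower-case spelling, so a later change that special-cases `bearer` instead of comparing case-insensitively would still pass. A second case with another spelling would pin that down, for example `-x "--header \"Authorization: BEARER ${JWT_HS256_VALID}\""` with the matching `-r` line. A negative case would show the relaxed comparison did not widen what is accepted: send the same valid token under a different scheme word and assert the rejection status the module is expected to return for that location. `main()` continues outside the hunk, so such cases may already exist further down.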