Feature: Add support for runtime variable in auth_jwt_enabled directive (#152)

Co-authored-by: Josh McCullough <JoshMcCullough@users.noreply.github.com>

Author: w453y

src/ngx_http_auth_jwt_module.c

@@ -26,7 +26,7 @@ typedef struct
 {
   ngx_str_t loginurl;
   ngx_str_t key;
-  ngx_flag_t enabled;
+  ngx_http_complex_value_t *enabled;
   ngx_flag_t redirect;
   ngx_str_t jwt_location;
   ngx_str_t algorithm;
@@ -83,8 +83,8 @@ static ngx_command_t auth_jwt_directives[] = {
      NULL},
 
     {ngx_string("auth_jwt_enabled"),
-     NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_CONF_FLAG,
-     ngx_conf_set_flag_slot,
+     NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_CONF_TAKE1,
+     ngx_http_set_complex_value_slot,
      NGX_HTTP_LOC_CONF_OFFSET,
      offsetof(auth_jwt_conf_t, enabled),
      NULL},
@@ -207,9 +207,7 @@ static void *create_conf(ngx_conf_t *cf)
   else
   {
     // ngx_str_t fields are initialized by the ngx_palloc call above -- only need to init flags and arrays here
-    conf->enabled = NGX_CONF_UNSET;
-    conf->redirect = NGX_CONF_UNSET;
-    conf->validate_sub = NGX_CONF_UNSET;
+    conf->enabled = NULL;
     conf->redirect = NGX_CONF_UNSET;
     conf->validate_sub = NGX_CONF_UNSET;
     conf->extract_var_claims = NULL;
@@ -236,20 +234,12 @@ static char *merge_conf(ngx_conf_t *cf, void *parent, void *child)
   merge_array(cf->pool, &conf->extract_request_claims, prev->extract_request_claims, sizeof(ngx_str_t));
   merge_array(cf->pool, &conf->extract_response_claims, prev->extract_response_claims, sizeof(ngx_str_t));
 
-  if (conf->enabled == NGX_CONF_UNSET)
-  {
-    conf->enabled = prev->enabled == NGX_CONF_UNSET ? 0 : prev->enabled;
-  }
-
-  if (conf->redirect == NGX_CONF_UNSET)
-  {
-    conf->redirect = prev->redirect == NGX_CONF_UNSET ? 0 : prev->redirect;
+  if (conf->enabled == NULL) {
+    conf->enabled = prev->enabled;
   }
 
-  if (conf->use_keyfile == NGX_CONF_UNSET)
-  {
-    conf->use_keyfile = prev->use_keyfile == NGX_CONF_UNSET ? 0 : prev->use_keyfile;
-  }
+  ngx_conf_merge_off_value(conf->redirect, prev->redirect, 0);
+  ngx_conf_merge_off_value(conf->use_keyfile, prev->use_keyfile, 0);
 
   // If the usage of the keyfile is specified, check if the key_path is also configured
   if (conf->use_keyfile == 1)
@@ -461,109 +451,138 @@ static auth_jwt_ctx_t *get_or_init_jwt_module_ctx(ngx_http_request_t *r, auth_jw
 static auth_jwt_ctx_t *get_request_jwt_ctx(ngx_http_request_t *r)
 {
   auth_jwt_conf_t *jwtcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_jwt_module);
+  ngx_int_t enabled = 1;
 
-  if (!jwtcf->enabled)
-  {
-    return NULL;
+  if (jwtcf->enabled != NULL) {
+    ngx_str_t cv;
+    if (ngx_http_complex_value(r, jwtcf->enabled, &cv) == NGX_OK && cv.len > 0) {
+      if (ngx_strncmp(cv.data, "off", 3) == 0) {
+        enabled = 0;
+      }
+    }
   }
 
-  auth_jwt_ctx_t *ctx = get_or_init_jwt_module_ctx(r, jwtcf);
-
-  if (ctx == NULL)
-  {
+  if (!enabled) {
     return NULL;
   }
-  else if (ctx->validation_status != NGX_AGAIN)
-  {
-    // we already validated and extacted everything we care about, so we just return the already-complete context
-    return ctx;
-  }
-
-  char *jwtPtr = get_jwt(r, jwtcf->jwt_location);
+  else {
+    auth_jwt_ctx_t *ctx = get_or_init_jwt_module_ctx(r, jwtcf);
 
-  if (jwtPtr == NULL)
-  {
-    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "failed to find a JWT");
-    ctx->validation_status = NGX_ERROR;
-    return ctx;
-  }
-  else
-  {
-    ngx_str_t algorithm = jwtcf->algorithm;
-    int keyLength;
-    u_char *key;
-    jwt_t *jwt = NULL;
-
-    if (algorithm.len == 0 || (algorithm.len == 5 && ngx_strncmp(algorithm.data, "HS", 2) == 0))
+    if (ctx == NULL) {
+      return NULL;
+    }
+    else if (ctx->validation_status != NGX_AGAIN)
     {
-      keyLength = jwtcf->key.len / 2;
-      key = ngx_palloc(r->pool, keyLength);
+      // we already validated and extacted everything we care about, so we just return the already-complete context
+      return ctx;
+    }
+    else {
+      char *jwtPtr = get_jwt(r, jwtcf->jwt_location);
 
-      if (0 != hex_to_binary((char *)jwtcf->key.data, key, jwtcf->key.len))
+      if (jwtPtr == NULL)
       {
-        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "failed to turn hex key into binary");
+        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "failed to find a JWT");
         ctx->validation_status = NGX_ERROR;
+
         return ctx;
       }
-    }
-    else if (algorithm.len == 5 && (ngx_strncmp(algorithm.data, "RS", 2) == 0 || ngx_strncmp(algorithm.data, "ES", 2) == 0))
-    {
-      if (jwtcf->use_keyfile == 1)
-      {
-        keyLength = jwtcf->_keyfile.len;
-        key = (u_char *)jwtcf->_keyfile.data;
-      }
       else
       {
-        keyLength = jwtcf->key.len;
-        key = jwtcf->key.data;
-      }
-    }
-    else
-    {
-      ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "unsupported algorithm %s", algorithm);
-      ctx->validation_status = NGX_ERROR;
-      return ctx;
-    }
+        ngx_str_t algorithm = jwtcf->algorithm;
+        int keyLength;
+        u_char *key;
+        jwt_t *jwt = NULL;
 
-    if (jwt_decode(&jwt, jwtPtr, key, keyLength) != 0 || !jwt)
-    {
-      ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "failed to parse JWT");
-      ctx->validation_status = NGX_ERROR;
-    }
-    else if (validate_alg(jwtcf, jwt) != 0)
-    {
-      ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "invalid algorithm specified");
-      ctx->validation_status = NGX_ERROR;
-    }
-    else if (validate_exp(jwtcf, jwt) != 0)
-    {
-      ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "the JWT has expired");
-      ctx->validation_status = NGX_ERROR;
-    }
-    else if (validate_sub(jwtcf, jwt) != 0)
-    {
-      ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "the JWT does not contain a subject");
-      ctx->validation_status = NGX_ERROR;
-    }
-    else
-    {
-      extract_request_claims(r, jwtcf, jwt);
-      extract_response_claims(r, jwtcf, jwt);
-      ctx->validation_status = extract_var_claims(r, jwtcf, jwt, ctx);
-    }
+        if (algorithm.len == 0 || (algorithm.len == 5 && ngx_strncmp(algorithm.data, "HS", 2) == 0))
+        {
+          keyLength = jwtcf->key.len / 2;
+          key = ngx_palloc(r->pool, keyLength);
 
-    jwt_free(jwt);
-    return ctx;
+          if (0 != hex_to_binary((char *)jwtcf->key.data, key, jwtcf->key.len))
+          {
+            ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "failed to turn hex key into binary");
+            ctx->validation_status = NGX_ERROR;
+
+            return ctx;
+          }
+        }
+        else if (algorithm.len == 5 && (ngx_strncmp(algorithm.data, "RS", 2) == 0 || ngx_strncmp(algorithm.data, "ES", 2) == 0))
+        {
+          if (jwtcf->use_keyfile == 1)
+          {
+            keyLength = jwtcf->_keyfile.len;
+            key = (u_char *)jwtcf->_keyfile.data;
+          }
+          else
+          {
+            keyLength = jwtcf->key.len;
+            key = jwtcf->key.data;
+          }
+        }
+        else
+        {
+          ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "unsupported algorithm %s", algorithm);
+          ctx->validation_status = NGX_ERROR;
+
+          return ctx;
+        }
+
+        if (jwt_decode(&jwt, jwtPtr, key, keyLength) != 0 || !jwt)
+        {
+          ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "failed to parse JWT");
+          ctx->validation_status = NGX_ERROR;
+        }
+        else if (validate_alg(jwtcf, jwt) != 0)
+        {
+          ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "invalid algorithm specified");
+          ctx->validation_status = NGX_ERROR;
+        }
+        else if (validate_exp(jwtcf, jwt) != 0)
+        {
+          ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "the JWT has expired");
+          ctx->validation_status = NGX_ERROR;
+        }
+        else if (validate_sub(jwtcf, jwt) != 0)
+        {
+          ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "the JWT does not contain a subject");
+          ctx->validation_status = NGX_ERROR;
+        }
+        else
+        {
+          extract_request_claims(r, jwtcf, jwt);
+          extract_response_claims(r, jwtcf, jwt);
+          ctx->validation_status = extract_var_claims(r, jwtcf, jwt, ctx);
+        }
+
+        jwt_free(jwt);
+
+        return ctx;
+      }
+    }
   }
 }
 
 static ngx_int_t handle_request(ngx_http_request_t *r)
 {
   auth_jwt_conf_t *jwtcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_jwt_module);
+
+  // Only activate JWT logic if key or keyfile_path is set
+  if (jwtcf->key.len == 0 && jwtcf->keyfile_path.len == 0) {
+    return NGX_DECLINED;
+  }
+
   auth_jwt_ctx_t *ctx = get_request_jwt_ctx(r);
 
-  if (!jwtcf->enabled)
+  ngx_int_t enabled = 1;
+  if (jwtcf->enabled != NULL) {
+    ngx_str_t cv;
+    if (ngx_http_complex_value(r, jwtcf->enabled, &cv) == NGX_OK && cv.len > 0) {
+      if (ngx_strncmp(cv.data, "off", 3) == 0) {
+        enabled = 0;
+      }
+    }
+  }
+  if (!enabled)
   {
     return NGX_DECLINED;
   }

test/etc/nginx/conf.d/test.conf

@@ -1,7 +1,7 @@
 error_log /var/log/nginx/debug.log debug;
 access_log /var/log/nginx/access.log;
 
-log_format  extractTest  'Log extract test sub: $jwt_claim_sub';
+log_format  extract_test  'Log extract test sub: $jwt_claim_sub';
 
 server {
     listen %{PORT};
@@ -468,8 +468,21 @@ vXjq39xtcIBRTO1c2zs=
         auth_jwt_validate_sub on;
         auth_jwt_extract_var_claims sub;
 
-        access_log /var/log/nginx/test_access.log extractTest;
+        access_log /var/log/nginx/test_access.log extract_test;
 
         return 200 "Log extract test sub: $jwt_claim_sub";
     }
+
+    location /enabled/variable {
+        auth_jwt_enabled $jwt_enabled;
+
+        alias /usr/share/nginx/html/;
+        try_files index.html =404;
+    }
+}
+
+map $http_test_auth_enabled $jwt_enabled {
+    default on;
+    on on;
+    off off;
 }