CKM-5630 Support data team in debugging login report (#154)

Author: joan7770

nginx.dockerfile

@@ -129,19 +129,6 @@ RUN <<`
 	useradd -g nginx nginx
 `
 
-# RUN <<`
-#   set -e
-#   curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor > /usr/share/keyrings/nginx-archive-keyring.gpg
-#   printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian `lsb_release -cs` nginx\n" > /etc/apt/sources.list.d/nginx.list
-#   printf "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" > /etc/apt/preferences.d/99nginx
-# `
-
-# RUN <<`
-#   set -e
-#   apt-get update
-#   apt-get install -y nginx
-# `
-
 COPY <<` /etc/nginx/nginx.conf
 daemon off;
 user nginx;

scripts

@@ -192,6 +192,7 @@ build_test() {
     --build-arg RUNNER_BASE_IMAGE=${runnerBaseImage} \
     --build-arg PORT=${port} \
     --build-arg SSL_PORT=${sslPort} \
+    --build-arg platform="linux/amd64" \
      ${dockerArgs}
 }
 
@@ -219,34 +220,15 @@ test() {
   trap 'test_cleanup' 0
 
   printf "${MAGENTA}Running tests...${NC}\n"
+  printf "\n"
+  printf "Executing tests with the following options:\n"
+  printf "  SSL Version:     ${SSL_VERSION}\n"
+  printf "  LIBJWT Version:  ${LIBJWT_VERSION}\n"
+  printf "  NGINX Version:   ${NGINX_VERSION}\n"
+
   docker compose \
     -p ${TEST_CONTAINER_NAME_PREFIX} \
-    -f ${TEST_COMPOSE_FILE} up \
-    --no-start
-
-  test_now
-}
-
-test_now() {
-  nginxContainerName="${TEST_CONTAINER_NAME_PREFIX}-nginx"
-  runnerContainerName="${TEST_CONTAINER_NAME_PREFIX}-runner"
-
-  echo
-  echo "Executing tests with the following options:"
-  echo "  SSL Version:     ${SSL_VERSION}"
-  echo "  LIBJWT Version:  ${LIBJWT_VERSION}"
-  echo "  NGINX Version:   ${NGINX_VERSION}"
-
-  docker start ${nginxContainerName}
-
-  if [ "$(docker container inspect -f '{{.State.Running}}' ${nginxContainerName})" != "true" ]; then
-    printf "${RED}Failed to start container \"${nginxContainerName}\". See logs below:\n"
-    docker logs ${nginxContainerName}
-    printf "${NC}\n"
-    return 1
-  fi
-
-  docker start -a ${runnerContainerName}
+    -f ${TEST_COMPOSE_FILE} up
 }
 
 test_cleanup() {
@@ -260,9 +242,16 @@ get_port() {
   endPort=$((startPort + 100))
 
   for p in $(seq ${startPort} ${endPort}); do
-    if ! ss -ln | grep -q ":${p} "; then
-      echo ${p}
-      break
+    if [ "$(uname)" == "Darwin" ]; then
+      if ! lsof -i -P | grep LISTEN | grep -q ":${p} "; then
+        echo ${p}
+        break
+      fi
+    elif [ "$(expr substr $(uname -s) 1 5)" == "Linux" ]; then
+      if ! ss -ln | grep -q ":${p} "; then
+        echo ${p}
+        break
+      fi
     fi
   done
 }

src/ngx_http_auth_jwt_module.c

@@ -350,9 +350,11 @@ static char *merge_extract_var_claims(ngx_conf_t *cf, ngx_command_t *cmd, void *
 
 static ngx_int_t get_jwt_var_claim(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data)
 {
-  ngx_log_debug(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "getting jwt value for var index %l", *((ngx_uint_t *)data));
+  ngx_uint_t *claim_idx = (ngx_uint_t *)data;
   auth_jwt_ctx_t *ctx = get_request_jwt_ctx(r);
 
+  ngx_log_debug(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "getting jwt var claim for var at index %l", *claim_idx);
+
   if (ctx == NULL)
   {
     ngx_log_debug(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "no module context found while getting jwt value");
@@ -361,7 +363,6 @@ static ngx_int_t get_jwt_var_claim(ngx_http_request_t *r, ngx_http_variable_valu
   }
   else
   {
-    ngx_uint_t *claim_idx = (ngx_uint_t *)data;
     ngx_str_t claim_value = ((ngx_str_t *)ctx->claim_values->elts)[*claim_idx];
 
     v->valid = 1;

test/docker-compose-test.yml

@@ -1,5 +1,6 @@
-services:
+name: ngx-http-auth-jwt-test
 
+services:
   nginx:
     container_name: ${TEST_CONTAINER_NAME_PREFIX:?required}-nginx
     build:
@@ -10,8 +11,14 @@ services:
       args:
         BASE_IMAGE: ${FULL_IMAGE_NAME}:${NGINX_VERSION:?required}
     platform: linux/amd64
+    pull_policy: always
     logging:
       driver: ${LOG_DRIVER:-json-file}
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://nginx:${PORT:-8000}/ping"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
 
   runner:
     container_name: ${TEST_CONTAINER_NAME_PREFIX:?required}-runner
@@ -21,5 +28,7 @@ services:
       platforms:
         - linux/amd64
     platform: linux/amd64
+    pull_policy: always
     depends_on:
-      - nginx
+      nginx:
+        condition: service_healthy

test/ec_key_256.pem

@@ -1,6 +1,8 @@
 error_log /var/log/nginx/debug.log debug;
 access_log /var/log/nginx/access.log;
 
+log_format  extractTest  'Log extract test sub: $jwt_claim_sub';
+
 server {
     listen %{PORT};
     listen %{SSL_PORT} ssl;
@@ -15,6 +17,10 @@ server {
     auth_jwt_loginurl "https://example.com/login";
     auth_jwt_enabled off;
 
+    location /ping {
+        return 200 "pong";
+    }
+
     location / {
         alias /usr/share/nginx/html/;
         try_files index.html =404;
@@ -418,6 +424,15 @@ vXjq39xtcIBRTO1c2zs=
         return 200 "sub: $jwt_claim_sub";
     }
 
+    location /unsecure/extract-claim/body/sub {
+        auth_jwt_enabled off;
+        auth_jwt_redirect off;
+        auth_jwt_location HEADER=Authorization;
+        auth_jwt_extract_var_claims sub;
+
+        return 200 "sub: $jwt_claim_sub";
+    }
+
     location /secure/extract-claim/body/multiple {
         auth_jwt_enabled on;
         auth_jwt_redirect off;
@@ -445,4 +460,16 @@ vXjq39xtcIBRTO1c2zs=
         auth_jwt_enabled on;
         auth_jwt_redirect on;
     }
+
+    location /log {
+        auth_jwt_enabled on;
+        auth_jwt_redirect off;
+        auth_jwt_location HEADER=Authorization;
+        auth_jwt_validate_sub on;
+        auth_jwt_extract_var_claims sub;
+
+        access_log /var/log/nginx/test_access.log extractTest;
+
+        return 200 "Log extract test sub: $jwt_claim_sub";
+    }
 }

test/ec_key_384.pem

@@ -4,6 +4,13 @@ FROM ${BASE_IMAGE:?required}
 ARG PORT
 ARG SSL_PORT
 
+RUN <<`
+set -e
+apt-get update
+apt-get install -y curl
+apt-get clean
+`
+
 COPY etc/ /etc/
 
 COPY <<` /usr/share/nginx/html/index.html