From e6654574484344621c3be3a1f45c48722d8ea3a7 Mon Sep 17 00:00:00 2001 From: Joshua Noble Date: Thu, 8 Sep 2016 14:02:31 -0400 Subject: [PATCH 1/3] Resolve string variable --- ngx_http_aws_auth_module.c | 80 ++++++++++++++++++++++++++++---------- 1 file changed, 60 insertions(+), 20 deletions(-) diff --git a/ngx_http_aws_auth_module.c b/ngx_http_aws_auth_module.c index c8816c6..1612d10 100644 --- a/ngx_http_aws_auth_module.c +++ b/ngx_http_aws_auth_module.c @@ -16,6 +16,8 @@ static void* ngx_http_aws_auth_create_loc_conf(ngx_conf_t *cf); static char* ngx_http_aws_auth_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child); static ngx_int_t register_variable(ngx_conf_t *cf); static char * +ngx_http_aws_auth_set_secret_key(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); +static char * ngx_http_aws_auth_set_s3_bucket(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); static char * ngx_http_aws_auth_set_chop_prefix(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); @@ -71,7 +73,7 @@ static ngx_command_t ngx_http_aws_auth_commands[] = { { ngx_string("aws_secret_key"), NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, - ngx_conf_set_str_slot, + ngx_http_aws_auth_set_secret_key, NGX_HTTP_LOC_CONF_OFFSET, offsetof(ngx_http_aws_auth_conf_t, secret), NULL }, @@ -82,7 +84,7 @@ static ngx_command_t ngx_http_aws_auth_commands[] = { NGX_HTTP_LOC_CONF_OFFSET, offsetof(ngx_http_aws_auth_conf_t, s3_bucket), NULL }, - + { ngx_string("chop_prefix"), NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, ngx_http_aws_auth_set_chop_prefix, @@ -123,6 +125,45 @@ ngx_module_t ngx_http_aws_auth_module = { NGX_MODULE_V1_PADDING }; +static char * +ngx_http_aws_auth_set_secret_key(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) +{ + ngx_http_aws_auth_conf_t *aws_conf = conf; + ngx_http_script_compile_t sc; + ngx_str_t *value; + ngx_uint_t n; + value = cf->args->elts; + n = ngx_http_script_variables_count(&value[1]); + + if (n == 0) { + // set secret key as string + aws_conf->secret.data = value[1].data; + aws_conf->secret.len = value[1].len; + } + // else { + // //add script to compile + // aws_conf->s3_bucket_script = ngx_pcalloc(cf->pool, sizeof(ngx_http_aws_auth_script_t)); + // if (aws_conf->s3_bucket_script == NULL) { + // return NGX_CONF_ERROR; + // } + // + // ngx_memzero(&sc, sizeof(ngx_http_script_compile_t)); + // + // sc.cf = cf; + // sc.source = &value[1]; + // sc.lengths = &aws_conf->s3_bucket_script->lengths; + // sc.values = &aws_conf->s3_bucket_script->values; + // sc.variables = n; + // sc.complete_lengths = 1; + // sc.complete_values = 1; + // + // if (ngx_http_script_compile(&sc) != NGX_OK) { + // return NGX_CONF_ERROR; + // } + // } + return NGX_CONF_OK; +} + static char * ngx_http_aws_auth_set_s3_bucket(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { @@ -210,7 +251,7 @@ ngx_http_aws_auth_create_loc_conf(ngx_conf_t *cf) return NGX_CONF_ERROR; } - return conf; + return conf; } static char * @@ -383,7 +424,7 @@ ngx_http_aws_auth_get_canon_resource(ngx_http_request_t *r, ngx_str_t *retstr) { } } - u_char *c_args = ngx_palloc(r->pool, r->args.len + 1); + u_char *c_args = ngx_palloc(r->pool, r->args.len + 1); u_char *c_args_cur = c_args; ngx_str_t arg_val; ngx_int_t c_args_len = 0; @@ -408,17 +449,17 @@ ngx_http_aws_auth_get_canon_resource(ngx_http_request_t *r, ngx_str_t *retstr) { } c_args_len = c_args_cur - c_args; *c_args_cur = '\0'; - } + } uri_len = ngx_strlen(uri); - u_char *ret = ngx_palloc(r->pool, uri_len + aws_conf->s3_bucket.len + sizeof("/") + c_args_len + 1); - u_char *cur = ret; + u_char *ret = ngx_palloc(r->pool, uri_len + aws_conf->s3_bucket.len + sizeof("/") + c_args_len + 1); + u_char *cur = ret; cur = ngx_cpystrn(cur, (u_char *)"/", sizeof("/")); ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "bucket: %V", &aws_conf->s3_bucket); ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "uri: %s", uri); cur = ngx_cpystrn(cur, aws_conf->s3_bucket.data, aws_conf->s3_bucket.len + 1); cur = ngx_cpystrn(cur, uri, uri_len + 1); - + if ( c_args_len ) { ngx_memcpy(cur, c_args, c_args_len + 1); ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "args: %s", c_args); @@ -433,8 +474,8 @@ ngx_http_aws_auth_get_canon_resource(ngx_http_request_t *r, ngx_str_t *retstr) { static ngx_int_t ngx_http_aws_auth_get_dynamic_variables(ngx_http_request_t *r){ - /* - * Get value for s3_bucket and chop_prefix + /* + * Get value for s3_bucket and chop_prefix */ ngx_http_aws_auth_conf_t *aws_conf; aws_conf = ngx_http_get_module_loc_conf(r, ngx_http_aws_auth_module); @@ -483,10 +524,10 @@ ngx_http_aws_auth_variable_s3(ngx_http_request_t *r, ngx_http_variable_value_t * return NGX_ERROR; } - /* + /* * This Block of code added to deal with paths that are not on the root - - * that is, via proxy_pass that are being redirected and the base part of - * the proxy url needs to be taken off the beginning of the URI in order + * that is, via proxy_pass that are being redirected and the base part of + * the proxy url needs to be taken off the beginning of the URI in order * to sign it correctly. */ @@ -570,7 +611,7 @@ ngx_http_aws_auth_variable_s3(ngx_http_request_t *r, ngx_http_variable_value_t * lenall += el_sign->len; el = to_sign->elts; - lenall += 4; //newlines + lenall += 4; //newlines u_char * str_to_sign = ngx_palloc(r->pool, lenall + 50); int offset = 0; for (i = 0; i < to_sign->nelts ; i++) { @@ -593,11 +634,11 @@ ngx_http_aws_auth_variable_s3(ngx_http_request_t *r, ngx_http_variable_value_t * HMAC(evp_md, aws_conf->secret.data, aws_conf->secret.len, str_to_sign, ngx_strlen(str_to_sign), md, &md_len); BIO* b64 = BIO_new(BIO_f_base64()); - BIO* bmem = BIO_new(BIO_s_mem()); + BIO* bmem = BIO_new(BIO_s_mem()); b64 = BIO_push(b64, bmem); BIO_write(b64, md, md_len); (void)BIO_flush(b64); - BUF_MEM *bptr; + BUF_MEM *bptr; BIO_get_mem_ptr(b64, &bptr); ngx_memcpy(str_to_sign, bptr->data, bptr->length-1); @@ -620,7 +661,7 @@ ngx_http_aws_auth_variable_s3(ngx_http_request_t *r, ngx_http_variable_value_t * static ngx_int_t ngx_http_aws_auth_variable_date(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data) -{ +{ v->len = ngx_cached_http_time.len; v->data = ngx_cached_http_time.data; v->valid = 1; @@ -654,10 +695,9 @@ register_variable(ngx_conf_t *cf) var->data = v->data; } - return NGX_OK; + return NGX_OK; } -/* +/* * vim: ts=4 sw=4 et */ - From ec50dfb85dcacfb59b28ee8dada78ea016a52962 Mon Sep 17 00:00:00 2001 From: Joshua Noble Date: Thu, 8 Sep 2016 14:16:04 -0400 Subject: [PATCH 2/3] Round 2 --- ngx_http_aws_auth_module.c | 43 +++++++++++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/ngx_http_aws_auth_module.c b/ngx_http_aws_auth_module.c index 1612d10..16d6711 100644 --- a/ngx_http_aws_auth_module.c +++ b/ngx_http_aws_auth_module.c @@ -16,6 +16,8 @@ static void* ngx_http_aws_auth_create_loc_conf(ngx_conf_t *cf); static char* ngx_http_aws_auth_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child); static ngx_int_t register_variable(ngx_conf_t *cf); static char * +ngx_http_aws_auth_set_access_key(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); +static char * ngx_http_aws_auth_set_secret_key(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); static char * ngx_http_aws_auth_set_s3_bucket(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); @@ -66,7 +68,7 @@ static const char *signed_subresources[] = { static ngx_command_t ngx_http_aws_auth_commands[] = { { ngx_string("aws_access_key"), NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, - ngx_conf_set_str_slot, + ngx_http_aws_auth_set_access_key, NGX_HTTP_LOC_CONF_OFFSET, offsetof(ngx_http_aws_auth_conf_t, access_key), NULL }, @@ -125,6 +127,45 @@ ngx_module_t ngx_http_aws_auth_module = { NGX_MODULE_V1_PADDING }; +static char * +ngx_http_aws_auth_set_access_key(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) +{ + ngx_http_aws_auth_conf_t *aws_conf = conf; + ngx_http_script_compile_t sc; + ngx_str_t *value; + ngx_uint_t n; + value = cf->args->elts; + n = ngx_http_script_variables_count(&value[1]); + + if (n == 0) { + // set secret key as string + aws_conf->access_key.data = value[1].data; + aws_conf->access_key.len = value[1].len; + } + // else { + // //add script to compile + // aws_conf->s3_bucket_script = ngx_pcalloc(cf->pool, sizeof(ngx_http_aws_auth_script_t)); + // if (aws_conf->s3_bucket_script == NULL) { + // return NGX_CONF_ERROR; + // } + // + // ngx_memzero(&sc, sizeof(ngx_http_script_compile_t)); + // + // sc.cf = cf; + // sc.source = &value[1]; + // sc.lengths = &aws_conf->s3_bucket_script->lengths; + // sc.values = &aws_conf->s3_bucket_script->values; + // sc.variables = n; + // sc.complete_lengths = 1; + // sc.complete_values = 1; + // + // if (ngx_http_script_compile(&sc) != NGX_OK) { + // return NGX_CONF_ERROR; + // } + // } + return NGX_CONF_OK; +} + static char * ngx_http_aws_auth_set_secret_key(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { From 5c25c8d625d8b9a0d3af5e1135c580ada7b53b01 Mon Sep 17 00:00:00 2001 From: Joshua Noble Date: Thu, 8 Sep 2016 15:01:26 -0400 Subject: [PATCH 3/3] Add dynamic support for key and secret --- ngx_http_aws_auth_module.c | 100 +++++++++++++++++++++---------------- 1 file changed, 58 insertions(+), 42 deletions(-) diff --git a/ngx_http_aws_auth_module.c b/ngx_http_aws_auth_module.c index 16d6711..6aace69 100644 --- a/ngx_http_aws_auth_module.c +++ b/ngx_http_aws_auth_module.c @@ -34,6 +34,8 @@ typedef struct { ngx_str_t secret; ngx_str_t s3_bucket; ngx_str_t chop_prefix; + ngx_http_aws_auth_script_t *access_key_script; + ngx_http_aws_auth_script_t *secret_script; ngx_http_aws_auth_script_t *s3_bucket_script; ngx_http_aws_auth_script_t *chop_prefix_script; } ngx_http_aws_auth_conf_t; @@ -142,27 +144,27 @@ ngx_http_aws_auth_set_access_key(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) aws_conf->access_key.data = value[1].data; aws_conf->access_key.len = value[1].len; } - // else { - // //add script to compile - // aws_conf->s3_bucket_script = ngx_pcalloc(cf->pool, sizeof(ngx_http_aws_auth_script_t)); - // if (aws_conf->s3_bucket_script == NULL) { - // return NGX_CONF_ERROR; - // } - // - // ngx_memzero(&sc, sizeof(ngx_http_script_compile_t)); - // - // sc.cf = cf; - // sc.source = &value[1]; - // sc.lengths = &aws_conf->s3_bucket_script->lengths; - // sc.values = &aws_conf->s3_bucket_script->values; - // sc.variables = n; - // sc.complete_lengths = 1; - // sc.complete_values = 1; - // - // if (ngx_http_script_compile(&sc) != NGX_OK) { - // return NGX_CONF_ERROR; - // } - // } + else { + //add script to compile + aws_conf->access_key_script = ngx_pcalloc(cf->pool, sizeof(ngx_http_aws_auth_script_t)); + if (aws_conf->access_key_script == NULL) { + return NGX_CONF_ERROR; + } + + ngx_memzero(&sc, sizeof(ngx_http_script_compile_t)); + + sc.cf = cf; + sc.source = &value[1]; + sc.lengths = &aws_conf->access_key_script->lengths; + sc.values = &aws_conf->access_key_script->values; + sc.variables = n; + sc.complete_lengths = 1; + sc.complete_values = 1; + + if (ngx_http_script_compile(&sc) != NGX_OK) { + return NGX_CONF_ERROR; + } + } return NGX_CONF_OK; } @@ -181,27 +183,27 @@ ngx_http_aws_auth_set_secret_key(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) aws_conf->secret.data = value[1].data; aws_conf->secret.len = value[1].len; } - // else { - // //add script to compile - // aws_conf->s3_bucket_script = ngx_pcalloc(cf->pool, sizeof(ngx_http_aws_auth_script_t)); - // if (aws_conf->s3_bucket_script == NULL) { - // return NGX_CONF_ERROR; - // } - // - // ngx_memzero(&sc, sizeof(ngx_http_script_compile_t)); - // - // sc.cf = cf; - // sc.source = &value[1]; - // sc.lengths = &aws_conf->s3_bucket_script->lengths; - // sc.values = &aws_conf->s3_bucket_script->values; - // sc.variables = n; - // sc.complete_lengths = 1; - // sc.complete_values = 1; - // - // if (ngx_http_script_compile(&sc) != NGX_OK) { - // return NGX_CONF_ERROR; - // } - // } + else { + //add script to compile + aws_conf->secret_script = ngx_pcalloc(cf->pool, sizeof(ngx_http_aws_auth_script_t)); + if (aws_conf->secret_script == NULL) { + return NGX_CONF_ERROR; + } + + ngx_memzero(&sc, sizeof(ngx_http_script_compile_t)); + + sc.cf = cf; + sc.source = &value[1]; + sc.lengths = &aws_conf->secret_script->lengths; + sc.values = &aws_conf->secret_script->values; + sc.variables = n; + sc.complete_lengths = 1; + sc.complete_values = 1; + + if (ngx_http_script_compile(&sc) != NGX_OK) { + return NGX_CONF_ERROR; + } + } return NGX_CONF_OK; } @@ -520,6 +522,20 @@ ngx_http_aws_auth_get_dynamic_variables(ngx_http_request_t *r){ */ ngx_http_aws_auth_conf_t *aws_conf; aws_conf = ngx_http_get_module_loc_conf(r, ngx_http_aws_auth_module); + if (aws_conf->access_key_script != NULL){ + if (ngx_http_script_run(r, &aws_conf->access_key, aws_conf->access_key_script->lengths->elts, 1, + aws_conf->access_key_script->values->elts) == NULL) { + return NGX_ERROR; + } + aws_conf->access_key.len = aws_conf->access_key.len -1; + } + if (aws_conf->secret_script != NULL){ + if (ngx_http_script_run(r, &aws_conf->secret, aws_conf->secret_script->lengths->elts, 1, + aws_conf->secret_script->values->elts) == NULL) { + return NGX_ERROR; + } + aws_conf->secret.len = aws_conf->secret.len -1; + } if (aws_conf->s3_bucket_script != NULL){ if (ngx_http_script_run(r, &aws_conf->s3_bucket, aws_conf->s3_bucket_script->lengths->elts, 1, aws_conf->s3_bucket_script->values->elts) == NULL) {