Strip token from upstream if conifigured and dynamically allocate string buffers

Dylan Souza · Dylan Souza · commit fa2deeead845 · 2019-01-31T19:23:49.000Z
Adds a configuration option to strip uri signing tokens from both the cache key
URL and the upstream URL.

Additionally it was pointed out that some statically allocated buffers were too small in
some of the string manipulating functions (normalize and strip token). These buffers are
now dynamically allocated since the maximum buffer size is known for these.
diff --git a/plugins/experimental/uri_signing/config.c b/plugins/experimental/uri_signing/config.c
@@ -45,6 +45,7 @@ struct config {
   char **issuer_names;
   struct signer signer;
   struct auth_directive *auth_directives;
+  bool strip_token;
 };
 
 cjose_jwk_t **
@@ -80,6 +81,12 @@ find_key_by_kid(struct config *cfg, const char *issuer, const char *kid)
   return NULL;
 }
 
+bool
+config_strip_token(struct config *cfg)
+{
+  return cfg->strip_token;
+}
+
 struct config *
 config_new(size_t n)
 {
@@ -106,6 +113,8 @@ config_new(size_t n)
 
   cfg->auth_directives = NULL;
 
+  cfg->strip_token = false;
+
   PluginDebug("New config object created at %p", cfg);
   return cfg;
 }
@@ -259,6 +268,11 @@ read_config(const char *path)
       renewal_kid = json_string_value(renewal_kid_json);
     }
 
+    json_t *strip_json = json_object_get(jwks, "strip_token");
+    if (strip_json) {
+      cfg->strip_token = json_boolean_value(strip_json);
+    }
+
     size_t jwks_ct     = json_array_size(key_ary);
     cjose_jwk_t **jwks = (*jwkis++ = malloc((jwks_ct + 1) * sizeof *jwks));
     PluginDebug("Created table with size %d", cfg->issuers->size);
diff --git a/plugins/experimental/uri_signing/config.h b/plugins/experimental/uri_signing/config.h
@@ -33,3 +33,4 @@ struct signer *config_signer(struct config *);
 struct _cjose_jwk_int **find_keys(struct config *cfg, const char *issuer);
 struct _cjose_jwk_int *find_key_by_kid(struct config *cfg, const char *issuer, const char *kid);
 bool uri_matches_auth_directive(struct config *cfg, const char *uri, size_t uri_ct);
+bool config_strip_token(struct config *cfg);
diff --git a/plugins/experimental/uri_signing/jwt.c b/plugins/experimental/uri_signing/jwt.c
@@ -173,41 +173,49 @@ jwt_check_uri(const char *cdniuc, const char *uri)
   int uri_ct  = strlen(uri);
   int buff_ct = uri_ct + 2;
   int err;
-  char normal_uri[buff_ct];
-
+  char *normal_uri = (char *)malloc(buff_ct);
   memset(normal_uri, 0, buff_ct);
+
   err = normalize_uri(uri, uri_ct, normal_uri, buff_ct);
 
   if (err) {
-    return false;
+    goto fail_jwt;
   }
 
   const char *kind = cdniuc, *container = cdniuc;
   while (*container && *container != ':') {
     ++container;
   }
   if (!*container) {
-    return false;
+    goto fail_jwt;
   }
   ++container;
 
   size_t len = container - kind;
+  bool status;
   PluginDebug("Comparing with match kind \"%.*s\" on \"%s\" to normalized URI \"%s\"", (int)len - 1, kind, container, normal_uri);
   switch (len) {
   case sizeof CONT_URI_HASH_STR:
     if (!strncmp(CONT_URI_HASH_STR, kind, len - 1)) {
-      return match_hash(container, normal_uri);
+      status = match_hash(container, normal_uri);
+      free(normal_uri);
+      return status;
     }
     PluginDebug("Expected kind %s, but did not find it in \"%.*s\"", CONT_URI_HASH_STR, (int)len - 1, kind);
     break;
   case sizeof CONT_URI_REGEX_STR:
     if (!strncmp(CONT_URI_REGEX_STR, kind, len - 1)) {
-      return match_regex(container, normal_uri);
+      status = match_regex(container, normal_uri);
+      free(normal_uri);
+      return status;
     }
     PluginDebug("Expected kind %s, but did not find it in \"%.*s\"", CONT_URI_REGEX_STR, (int)len - 1, kind);
     break;
   }
   PluginDebug("Unknown match kind \"%.*s\"", (int)len - 1, kind);
+
+fail_jwt:
+  free(normal_uri);
   return false;
 }
 
diff --git a/plugins/experimental/uri_signing/unit_tests/uri_signing_test.cc b/plugins/experimental/uri_signing/unit_tests/uri_signing_test.cc
@@ -56,19 +56,22 @@ normalize_uri_helper(const char *uri, const char *expected_normal)
   size_t uri_ct = strlen(uri);
   int buff_size = uri_ct + 2;
   int err;
-  char uri_normal[buff_size];
+  char *uri_normal = (char *)malloc(buff_size);
   memset(uri_normal, 0, buff_size);
 
   err = normalize_uri(uri, uri_ct, uri_normal, buff_size);
 
   if (err) {
+    free(uri_normal);
     return false;
   }
 
   if (expected_normal && strcmp(expected_normal, uri_normal) == 0) {
+    free(uri_normal);
     return true;
   }
 
+  free(uri_normal);
   return false;
 }
 
@@ -99,8 +102,10 @@ jws_parsing_helper(const char *uri, const char *paramName, const char *expected_
   bool resp;
   size_t uri_ct   = strlen(uri);
   size_t strip_ct = 0;
-  char uri_strip[uri_ct + 1];
-  memset(uri_strip, 0, sizeof uri_strip);
+
+  char *uri_strip = (char *)malloc(uri_ct + 1);
+  memset(uri_strip, 0, uri_ct + 1);
+
   cjose_jws_t *jws = get_jws_from_uri(uri, uri_ct, paramName, uri_strip, uri_ct, &strip_ct);
   if (jws) {
     resp = true;
@@ -112,6 +117,7 @@ jws_parsing_helper(const char *uri, const char *paramName, const char *expected_
     resp = false;
   }
   cjose_jws_release(jws);
+  free(uri_strip);
   return resp;
 }
 
diff --git a/plugins/experimental/uri_signing/uri_signing.c b/plugins/experimental/uri_signing/uri_signing.c
@@ -157,9 +157,11 @@ TSRemapDoRemap(void *ih, TSHttpTxn txnp, TSRemapRequestInfo *rri)
   int cpi                 = 0;
   int url_ct              = 0;
   const char *url         = NULL;
+  char *strip_uri         = NULL;
 
   const char *package = "URISigningPackage";
 
+  TSRemapStatus status = TSREMAP_NO_REMAP;
   TSMBuffer mbuf;
   TSMLoc ul;
   TSReturnCode rc = TSHttpTxnPristineUrlGet(txnp, &mbuf, &ul);
@@ -176,16 +178,20 @@ TSRemapDoRemap(void *ih, TSHttpTxn txnp, TSRemapRequestInfo *rri)
     checkpoints[cpi++] = mark_timer(&t);
   }
 
-  char strip_uri[2000] = {0};
+  strip_uri = (char *)malloc(url_ct + 1);
+  memset(strip_uri, 0, url_ct + 1);
   size_t strip_ct;
-  cjose_jws_t *jws = get_jws_from_uri(url, url_ct, package, strip_uri, 2000, &strip_ct);
+  cjose_jws_t *jws = get_jws_from_uri(url, url_ct, package, strip_uri, url_ct + 1, &strip_ct);
 
   if (cpi < max_cpi) {
     checkpoints[cpi++] = mark_timer(&t);
   }
   int checked_cookies = 0;
   if (!jws) {
   check_cookies:
+    /* There is no valid token in the url */
+    strncpy(strip_uri, url, url_ct);
+    strip_ct = url_ct;
     ++checked_cookies;
 
     TSMLoc field;
@@ -218,6 +224,32 @@ TSRemapDoRemap(void *ih, TSHttpTxn txnp, TSRemapRequestInfo *rri)
       checkpoints[cpi++] = mark_timer(&t);
     }
     jws = get_jws_from_cookie(&client_cookie, &client_cookie_sz_ct, package);
+  } else {
+    /* There has been a JWS found in the url */
+    /* Strip the token from the URL for upstream if configured to do so */
+    if (config_strip_token((struct config *)ih)) {
+      if (strncmp(url, strip_uri, strip_ct) != 0) {
+        char *strip_uri_start = &strip_uri[0];
+        char *strip_uri_end   = &strip_uri[strip_ct];
+        PluginDebug("Stripping token from upstream url to: %s", strip_uri_start);
+        if (TSUrlParse(rri->requestBufp, rri->requestUrl, (const char **)&strip_uri_start, strip_uri_end) != TS_PARSE_DONE) {
+          PluginDebug("Error in TSUrlParse");
+        } else {
+          status = TSREMAP_DID_REMAP;
+        }
+      }
+    }
+
+    /* Check auth_dir and pass through if configured */
+    if (uri_matches_auth_directive((struct config *)ih, url, url_ct)) {
+      if (url != NULL) {
+        TSfree((void *)url);
+      }
+      if (url != NULL) {
+        free(strip_uri);
+      }
+      return TSREMAP_NO_REMAP;
+    }
   }
   if (!jws) {
     goto fail;
@@ -226,8 +258,10 @@ TSRemapDoRemap(void *ih, TSHttpTxn txnp, TSRemapRequestInfo *rri)
   if (cpi < max_cpi) {
     checkpoints[cpi++] = mark_timer(&t);
   }
+
   struct jwt *jwt = validate_jws(jws, (struct config *)ih, strip_uri, strip_ct);
   cjose_jws_release(jws);
+
   if (cpi < max_cpi) {
     checkpoints[cpi++] = mark_timer(&t);
   }
@@ -239,6 +273,8 @@ TSRemapDoRemap(void *ih, TSHttpTxn txnp, TSRemapRequestInfo *rri)
     }
   }
 
+  /* There has been a validated JWT found in either the cookie or url */
+
   struct signer *signer = config_signer((struct config *)ih);
   char *cookie          = renew(jwt, signer->issuer, signer->jwk, signer->alg, package);
   jwt_delete(jwt);
@@ -260,15 +296,13 @@ TSRemapDoRemap(void *ih, TSHttpTxn txnp, TSRemapRequestInfo *rri)
     last_mark = checkpoints[i];
   }
   PluginDebug("Spent %" PRId64 " ns uri_signing verification of %.*s.", mark_timer(&t), url_ct, url);
+
   TSfree((void *)url);
-  return TSREMAP_NO_REMAP;
-fail:
-  if (uri_matches_auth_directive((struct config *)ih, url, url_ct)) {
-    if (url != NULL) {
-      TSfree((void *)url);
-    }
-    return TSREMAP_NO_REMAP;
+  if (strip_uri != NULL) {
+    free(strip_uri);
   }
+  return status;
+fail:
 
   PluginDebug("Invalid JWT for %.*s", url_ct, url);
   TSHttpTxnStatusSet(txnp, TS_HTTP_STATUS_FORBIDDEN);
@@ -277,6 +311,9 @@ TSRemapDoRemap(void *ih, TSHttpTxn txnp, TSRemapRequestInfo *rri)
   if (url != NULL) {
     TSfree((void *)url);
   }
+  if (strip_uri != NULL) {
+    free(strip_uri);
+  }
 
   return TSREMAP_DID_REMAP;
 }
