Strip token from upstream if conifigured and dynamically allocate string buffers

Dylan Souza · Dylan Souza · commit 82aafbefe4e4 · 2019-02-21T22:21:44.000Z
Adds a configuration option to strip uri signing tokens from both the cache key
URL and the upstream URL.

Additionally it was pointed out that some statically allocated buffers were too small in
some of the string manipulating functions (normalize and strip token). These buffers are
now dynamically allocated since the maximum buffer size is known for these.
diff --git a/plugins/experimental/uri_signing/common.h b/plugins/experimental/uri_signing/common.h
@@ -16,6 +16,8 @@
  * limitations under the License.
  */
 
+#pragma once
+
 #define PLUGIN_NAME "uri_signing"
 
 #ifdef URI_SIGNING_UNIT_TEST
@@ -24,6 +26,8 @@
 
 #define PluginDebug(fmt, ...) PrintToStdErr("(%s) %s:%d:%s() " fmt "\n", PLUGIN_NAME, __FILE__, __LINE__, __func__, ##__VA_ARGS__)
 #define PluginError(fmt, ...) PrintToStdErr("(%s) %s:%d:%s() " fmt "\n", PLUGIN_NAME, __FILE__, __LINE__, __func__, ##__VA_ARGS__)
+#define TSmalloc(x) malloc(x)
+#define TSfree(p) free(p)
 void PrintToStdErr(const char *fmt, ...);
 
 #else
diff --git a/plugins/experimental/uri_signing/config.c b/plugins/experimental/uri_signing/config.c
@@ -21,8 +21,6 @@
 #include "timing.h"
 #include "jwt.h"
 
-#include <ts/ts.h>
-
 #include <cjose/cjose.h>
 #include <jansson.h>
 
@@ -45,6 +43,7 @@ struct config {
   char **issuer_names;
   struct signer signer;
   struct auth_directive *auth_directives;
+  bool strip_token;
 };
 
 cjose_jwk_t **
@@ -80,6 +79,12 @@ find_key_by_kid(struct config *cfg, const char *issuer, const char *kid)
   return NULL;
 }
 
+bool
+config_strip_token(struct config *cfg)
+{
+  return cfg->strip_token;
+}
+
 struct config *
 config_new(size_t n)
 {
@@ -106,6 +111,8 @@ config_new(size_t n)
 
   cfg->auth_directives = NULL;
 
+  cfg->strip_token = false;
+
   PluginDebug("New config object created at %p", cfg);
   return cfg;
 }
@@ -259,6 +266,11 @@ read_config(const char *path)
       renewal_kid = json_string_value(renewal_kid_json);
     }
 
+    json_t *strip_json = json_object_get(jwks, "strip_token");
+    if (strip_json) {
+      cfg->strip_token = json_boolean_value(strip_json);
+    }
+
     size_t jwks_ct     = json_array_size(key_ary);
     cjose_jwk_t **jwks = (*jwkis++ = malloc((jwks_ct + 1) * sizeof *jwks));
     PluginDebug("Created table with size %d", cfg->issuers->size);
diff --git a/plugins/experimental/uri_signing/config.h b/plugins/experimental/uri_signing/config.h
@@ -33,3 +33,4 @@ struct signer *config_signer(struct config *);
 struct _cjose_jwk_int **find_keys(struct config *cfg, const char *issuer);
 struct _cjose_jwk_int *find_key_by_kid(struct config *cfg, const char *issuer, const char *kid);
 bool uri_matches_auth_directive(struct config *cfg, const char *uri, size_t uri_ct);
+bool config_strip_token(struct config *cfg);
diff --git a/plugins/experimental/uri_signing/cookie.c b/plugins/experimental/uri_signing/cookie.c
@@ -18,7 +18,6 @@
 
 #include "cookie.h"
 #include "common.h"
-#include <ts/ts.h>
 #include <string.h>
 
 const char *
diff --git a/plugins/experimental/uri_signing/jwt.c b/plugins/experimental/uri_signing/jwt.c
@@ -20,7 +20,6 @@
 #include "jwt.h"
 #include "match.h"
 #include "normalize.h"
-#include "ts/ts.h"
 #include <jansson.h>
 #include <cjose/cjose.h>
 #include <math.h>
@@ -173,41 +172,49 @@ jwt_check_uri(const char *cdniuc, const char *uri)
   int uri_ct  = strlen(uri);
   int buff_ct = uri_ct + 2;
   int err;
-  char normal_uri[buff_ct];
-
+  char *normal_uri = (char *)TSmalloc(buff_ct);
   memset(normal_uri, 0, buff_ct);
+
   err = normalize_uri(uri, uri_ct, normal_uri, buff_ct);
 
   if (err) {
-    return false;
+    goto fail_jwt;
   }
 
   const char *kind = cdniuc, *container = cdniuc;
   while (*container && *container != ':') {
     ++container;
   }
   if (!*container) {
-    return false;
+    goto fail_jwt;
   }
   ++container;
 
   size_t len = container - kind;
+  bool status;
   PluginDebug("Comparing with match kind \"%.*s\" on \"%s\" to normalized URI \"%s\"", (int)len - 1, kind, container, normal_uri);
   switch (len) {
   case sizeof CONT_URI_HASH_STR:
     if (!strncmp(CONT_URI_HASH_STR, kind, len - 1)) {
-      return match_hash(container, normal_uri);
+      status = match_hash(container, normal_uri);
+      TSfree(normal_uri);
+      return status;
     }
     PluginDebug("Expected kind %s, but did not find it in \"%.*s\"", CONT_URI_HASH_STR, (int)len - 1, kind);
     break;
   case sizeof CONT_URI_REGEX_STR:
     if (!strncmp(CONT_URI_REGEX_STR, kind, len - 1)) {
-      return match_regex(container, normal_uri);
+      status = match_regex(container, normal_uri);
+      TSfree(normal_uri);
+      return status;
     }
     PluginDebug("Expected kind %s, but did not find it in \"%.*s\"", CONT_URI_REGEX_STR, (int)len - 1, kind);
     break;
   }
   PluginDebug("Unknown match kind \"%.*s\"", (int)len - 1, kind);
+
+fail_jwt:
+  TSfree(normal_uri);
   return false;
 }
 
@@ -259,6 +266,7 @@ renew(struct jwt *jwt, const char *iss, cjose_jwk_t *jwk, const char *alg, const
   renew_copy_integer(new_json, "cdniv", jwt->cdniv);
   renew_copy_integer(new_json, "cdniets", jwt->cdniets);
   renew_copy_integer(new_json, "cdnistt", jwt->cdnistt);
+  renew_copy_integer(new_json, "cdnistd", jwt->cdnistd);
 
   char *pt = json_dumps(new_json, JSON_COMPACT);
 
diff --git a/plugins/experimental/uri_signing/match.c b/plugins/experimental/uri_signing/match.c
@@ -18,7 +18,6 @@
 
 #include <regex.h>
 #include "common.h"
-#include "ts/ts.h"
 #include <stdbool.h>
 #include <string.h>
 
diff --git a/plugins/experimental/uri_signing/parse.c b/plugins/experimental/uri_signing/parse.c
@@ -25,7 +25,6 @@
 #include <cjose/cjose.h>
 #include <jansson.h>
 #include <string.h>
-#include <ts/ts.h>
 #include <inttypes.h>
 
 cjose_jws_t *
diff --git a/plugins/experimental/uri_signing/unit_tests/uri_signing_test.cc b/plugins/experimental/uri_signing/unit_tests/uri_signing_test.cc
@@ -57,19 +57,22 @@ normalize_uri_helper(const char *uri, const char *expected_normal)
   size_t uri_ct = strlen(uri);
   int buff_size = uri_ct + 2;
   int err;
-  char uri_normal[buff_size];
+  char *uri_normal = (char *)malloc(buff_size);
   memset(uri_normal, 0, buff_size);
 
   err = normalize_uri(uri, uri_ct, uri_normal, buff_size);
 
   if (err) {
+    free(uri_normal);
     return false;
   }
 
   if (expected_normal && strcmp(expected_normal, uri_normal) == 0) {
+    free(uri_normal);
     return true;
   }
 
+  free(uri_normal);
   return false;
 }
 
@@ -100,8 +103,10 @@ jws_parsing_helper(const char *uri, const char *paramName, const char *expected_
   bool resp;
   size_t uri_ct   = strlen(uri);
   size_t strip_ct = 0;
-  char uri_strip[uri_ct + 1];
-  memset(uri_strip, 0, sizeof uri_strip);
+
+  char *uri_strip = (char *)malloc(uri_ct + 1);
+  memset(uri_strip, 0, uri_ct + 1);
+
   cjose_jws_t *jws = get_jws_from_uri(uri, uri_ct, paramName, uri_strip, uri_ct, &strip_ct);
   if (jws) {
     resp = true;
@@ -113,6 +118,7 @@ jws_parsing_helper(const char *uri, const char *paramName, const char *expected_
     resp = false;
   }
   cjose_jws_release(jws);
+  free(uri_strip);
   return resp;
 }
 
diff --git a/plugins/experimental/uri_signing/uri_signing.c b/plugins/experimental/uri_signing/uri_signing.c
@@ -22,10 +22,10 @@
 #include "jwt.h"
 #include "timing.h"
 
-#include <ts/ts.h>
 #include <ts/remap.h>
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 #include <inttypes.h>
 
@@ -157,6 +157,8 @@ TSRemapDoRemap(void *ih, TSHttpTxn txnp, TSRemapRequestInfo *rri)
   int cpi                 = 0;
   int url_ct              = 0;
   const char *url         = NULL;
+  char *strip_uri         = NULL;
+  TSRemapStatus status    = TSREMAP_NO_REMAP;
 
   const char *package = "URISigningPackage";
 
@@ -176,16 +178,22 @@ TSRemapDoRemap(void *ih, TSHttpTxn txnp, TSRemapRequestInfo *rri)
     checkpoints[cpi++] = mark_timer(&t);
   }
 
-  char strip_uri[2000] = {0};
+  int strip_size = url_ct + 1;
+  strip_uri      = (char *)TSmalloc(strip_size);
+  memset(strip_uri, 0, strip_size);
+
   size_t strip_ct;
-  cjose_jws_t *jws = get_jws_from_uri(url, url_ct, package, strip_uri, 2000, &strip_ct);
+  cjose_jws_t *jws = get_jws_from_uri(url, url_ct, package, strip_uri, strip_size, &strip_ct);
 
   if (cpi < max_cpi) {
     checkpoints[cpi++] = mark_timer(&t);
   }
   int checked_cookies = 0;
   if (!jws) {
   check_cookies:
+    /* There is no valid token in the url */
+    strncpy(strip_uri, url, url_ct);
+    strip_ct = url_ct;
     ++checked_cookies;
 
     TSMLoc field;
@@ -218,6 +226,55 @@ TSRemapDoRemap(void *ih, TSHttpTxn txnp, TSRemapRequestInfo *rri)
       checkpoints[cpi++] = mark_timer(&t);
     }
     jws = get_jws_from_cookie(&client_cookie, &client_cookie_sz_ct, package);
+  } else {
+    /* There has been a JWS found in the url */
+    /* Strip the token from the URL for upstream if configured to do so */
+    if (config_strip_token((struct config *)ih)) {
+      if ((int)strip_ct != url_ct) {
+        int map_url_ct      = 0;
+        char *map_url       = NULL;
+        char *map_strip_uri = NULL;
+        map_url             = TSUrlStringGet(rri->requestBufp, rri->requestUrl, &map_url_ct);
+
+        PluginDebug("Stripping Token from requestUrl: %s", map_url);
+
+        int map_strip_size = map_url_ct + 1;
+        map_strip_uri      = (char *)TSmalloc(map_strip_size);
+        memset(map_strip_uri, 0, map_strip_size);
+        size_t map_strip_ct = 0;
+
+        cjose_jws_t *map_jws = get_jws_from_uri(map_url, map_url_ct, package, map_strip_uri, map_strip_size, &map_strip_ct);
+        cjose_jws_release(map_jws);
+
+        char *strip_uri_start = &map_strip_uri[0];
+        char *strip_uri_end   = &map_strip_uri[map_strip_ct];
+        PluginDebug("Stripping token from upstream url to: %s", strip_uri_start);
+
+        TSParseResult parse_rc = TSUrlParse(rri->requestBufp, rri->requestUrl, (const char **)&strip_uri_start, strip_uri_end);
+        if (map_url != NULL) {
+          TSfree(map_url);
+        }
+        if (map_strip_uri != NULL) {
+          TSfree(map_strip_uri);
+        }
+
+        if (parse_rc != TS_PARSE_DONE) {
+          PluginDebug("Error in TSUrlParse");
+          goto fail;
+        }
+        status = TSREMAP_DID_REMAP;
+      }
+    }
+  }
+  /* Check auth_dir and pass through if configured */
+  if (uri_matches_auth_directive((struct config *)ih, url, url_ct)) {
+    if (url != NULL) {
+      TSfree((void *)url);
+    }
+    if (strip_uri != NULL) {
+      TSfree(strip_uri);
+    }
+    return TSREMAP_NO_REMAP;
   }
   if (!jws) {
     goto fail;
@@ -226,8 +283,10 @@ TSRemapDoRemap(void *ih, TSHttpTxn txnp, TSRemapRequestInfo *rri)
   if (cpi < max_cpi) {
     checkpoints[cpi++] = mark_timer(&t);
   }
+
   struct jwt *jwt = validate_jws(jws, (struct config *)ih, strip_uri, strip_ct);
   cjose_jws_release(jws);
+
   if (cpi < max_cpi) {
     checkpoints[cpi++] = mark_timer(&t);
   }
@@ -239,6 +298,8 @@ TSRemapDoRemap(void *ih, TSHttpTxn txnp, TSRemapRequestInfo *rri)
     }
   }
 
+  /* There has been a validated JWT found in either the cookie or url */
+
   struct signer *signer = config_signer((struct config *)ih);
   char *cookie          = renew(jwt, signer->issuer, signer->jwk, signer->alg, package);
   jwt_delete(jwt);
@@ -260,23 +321,23 @@ TSRemapDoRemap(void *ih, TSHttpTxn txnp, TSRemapRequestInfo *rri)
     last_mark = checkpoints[i];
   }
   PluginDebug("Spent %" PRId64 " ns uri_signing verification of %.*s.", mark_timer(&t), url_ct, url);
+
   TSfree((void *)url);
-  return TSREMAP_NO_REMAP;
-fail:
-  if (uri_matches_auth_directive((struct config *)ih, url, url_ct)) {
-    if (url != NULL) {
-      TSfree((void *)url);
-    }
-    return TSREMAP_NO_REMAP;
+  if (strip_uri != NULL) {
+    TSfree(strip_uri);
   }
-
+  return status;
+fail:
   PluginDebug("Invalid JWT for %.*s", url_ct, url);
   TSHttpTxnStatusSet(txnp, TS_HTTP_STATUS_FORBIDDEN);
   PluginDebug("Spent %" PRId64 " ns uri_signing verification of %.*s.", mark_timer(&t), url_ct, url);
 
   if (url != NULL) {
     TSfree((void *)url);
   }
+  if (strip_uri != NULL) {
+    TSfree(strip_uri);
+  }
 
   return TSREMAP_DID_REMAP;
 }
