add (optional) JQ support with caching in oauth2_jq_filter

- add "json_payload_claim" claim option to oauth2_cfg_target_pass_t
- make oauth2_jwt_create public in jose.h
- nginx: fix memory leak in _oauth2_nginx_ssl_cert_set
- bump to 2.1.0dev

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

.cproject

@@ -18,7 +18,7 @@
 				</extensions>
 			</storageModule>
 			<storageModule moduleId="cdtBuildSystem" version="4.0.0">
-				<configuration artifactName="${ProjName}" buildArtefactType="org.eclipse.linuxtools.cdt.autotools.core.buildArtefactType.autotools" buildProperties="org.eclipse.cdt.build.core.buildArtefactType=org.eclipse.linuxtools.cdt.autotools.core.buildArtefactType.autotools,org.eclipse.cdt.build.core.buildType=org.eclipse.linuxtools.cdt.autotools.core.buildType.default" cleanCommand="rm -rf" description="" errorParsers="org.eclipse.cdt.core.CWDLocator;org.eclipse.cdt.core.GmakeErrorParser;org.eclipse.cdt.core.GCCErrorParser;org.eclipse.cdt.core.GLDErrorParser;org.eclipse.cdt.core.GASErrorParser" id="org.eclipse.linuxtools.cdt.autotools.core.configuration.build.1562680719" name="Build (GNU)" optionalBuildProperties="org.eclipse.cdt.docker.launcher.containerbuild.property.volumes=,org.eclipse.cdt.docker.launcher.containerbuild.property.connection=unix:///var/run/docker.sock,org.eclipse.cdt.docker.launcher.containerbuild.property.selectedvolumes=" parent="org.eclipse.linuxtools.cdt.autotools.core.configuration.build">
+				<configuration artifactName="${ProjName}" buildArtefactType="org.eclipse.linuxtools.cdt.autotools.core.buildArtefactType.autotools" buildProperties="org.eclipse.cdt.build.core.buildArtefactType=org.eclipse.linuxtools.cdt.autotools.core.buildArtefactType.autotools,org.eclipse.cdt.build.core.buildType=org.eclipse.linuxtools.cdt.autotools.core.buildType.default" cleanCommand="rm -rf" description="" errorParsers="org.eclipse.cdt.core.CWDLocator;org.eclipse.cdt.core.GmakeErrorParser;org.eclipse.cdt.core.GCCErrorParser;org.eclipse.cdt.core.GLDErrorParser;org.eclipse.cdt.core.GASErrorParser" id="org.eclipse.linuxtools.cdt.autotools.core.configuration.build.1562680719" name="Build (GNU)" optionalBuildProperties="org.eclipse.cdt.docker.launcher.containerbuild.property.selectedvolumes=,org.eclipse.cdt.docker.launcher.containerbuild.property.volumes=,org.eclipse.cdt.docker.launcher.containerbuild.property.connection=unix:///var/run/docker.sock" parent="org.eclipse.linuxtools.cdt.autotools.core.configuration.build">
 					<folderInfo id="org.eclipse.linuxtools.cdt.autotools.core.configuration.build.1562680719." name="/" resourcePath="">
 						<toolChain id="org.eclipse.linuxtools.cdt.autotools.core.toolChain.617277945" name="GNU Autotools Toolchain" superClass="org.eclipse.linuxtools.cdt.autotools.core.toolChain">
 							<targetPlatform id="org.eclipse.linuxtools.cdt.autotools.core.toolchain.targetPlatform.359991688" isAbstract="false" name="GNU Autotools Target Platform" superClass="org.eclipse.linuxtools.cdt.autotools.core.toolchain.targetPlatform"/>
@@ -52,6 +52,7 @@
 								<option IS_BUILTIN_EMPTY="false" IS_VALUE_EMPTY="false" id="gnu.c.compiler.option.preprocessor.def.symbols.2047978831" name="Defined symbols (-D)" superClass="gnu.c.compiler.option.preprocessor.def.symbols" useByScannerDiscovery="false" valueType="definedSymbols">
 									<listOptionValue builtIn="false" value="HAVE_LIBHIREDIS=1"/>
 									<listOptionValue builtIn="false" value="HAVE_LIBMEMCACHE=1"/>
+									<listOptionValue builtIn="false" value="HAVE_LIBJQ=1"/>
 								</option>
 								<inputType id="cdt.managedbuild.tool.gnu.c.compiler.input.1754841162" superClass="cdt.managedbuild.tool.gnu.c.compiler.input"/>
 							</tool>
@@ -86,7 +87,7 @@
 				</extensions>
 			</storageModule>
 			<storageModule moduleId="cdtBuildSystem" version="4.0.0">
-				<configuration artifactName="${ProjName}" buildArtefactType="org.eclipse.linuxtools.cdt.autotools.core.buildArtefactType.autotools" buildProperties="org.eclipse.cdt.build.core.buildArtefactType=org.eclipse.linuxtools.cdt.autotools.core.buildArtefactType.autotools,org.eclipse.cdt.build.core.buildType=org.eclipse.linuxtools.cdt.autotools.core.buildType.debug" cleanCommand="rm -rf" description="" errorParsers="org.eclipse.cdt.core.CWDLocator;org.eclipse.cdt.core.GmakeErrorParser;org.eclipse.cdt.core.GCCErrorParser;org.eclipse.cdt.core.GLDErrorParser;org.eclipse.cdt.core.GASErrorParser" id="org.eclipse.linuxtools.cdt.autotools.core.configuration.build.debug.1551656597" name="Debug (GNU)" optionalBuildProperties="org.eclipse.cdt.docker.launcher.containerbuild.property.volumes=,org.eclipse.cdt.docker.launcher.containerbuild.property.connection=unix:///var/run/docker.sock,org.eclipse.cdt.docker.launcher.containerbuild.property.selectedvolumes=" parent="org.eclipse.linuxtools.cdt.autotools.core.configuration.build.debug">
+				<configuration artifactName="${ProjName}" buildArtefactType="org.eclipse.linuxtools.cdt.autotools.core.buildArtefactType.autotools" buildProperties="org.eclipse.cdt.build.core.buildArtefactType=org.eclipse.linuxtools.cdt.autotools.core.buildArtefactType.autotools,org.eclipse.cdt.build.core.buildType=org.eclipse.linuxtools.cdt.autotools.core.buildType.debug" cleanCommand="rm -rf" description="" errorParsers="org.eclipse.cdt.core.CWDLocator;org.eclipse.cdt.core.GmakeErrorParser;org.eclipse.cdt.core.GCCErrorParser;org.eclipse.cdt.core.GLDErrorParser;org.eclipse.cdt.core.GASErrorParser" id="org.eclipse.linuxtools.cdt.autotools.core.configuration.build.debug.1551656597" name="Debug (GNU)" optionalBuildProperties="org.eclipse.cdt.docker.launcher.containerbuild.property.selectedvolumes=,org.eclipse.cdt.docker.launcher.containerbuild.property.volumes=,org.eclipse.cdt.docker.launcher.containerbuild.property.connection=unix:///var/run/docker.sock" parent="org.eclipse.linuxtools.cdt.autotools.core.configuration.build.debug">
 					<folderInfo id="org.eclipse.linuxtools.cdt.autotools.core.configuration.build.debug.1551656597." name="/" resourcePath="">
 						<toolChain id="org.eclipse.linuxtools.cdt.autotools.core.toolChain.debug.1772566252" name="GNU Autotools Toolchain" superClass="org.eclipse.linuxtools.cdt.autotools.core.toolChain.debug">
 							<targetPlatform id="org.eclipse.linuxtools.cdt.autotools.core.toolchain.targetPlatform.debug.1422301246" isAbstract="false" name="GNU Autotools Target Platform" superClass="org.eclipse.linuxtools.cdt.autotools.core.toolchain.targetPlatform.debug"/>
@@ -118,6 +119,7 @@
 									<listOptionValue builtIn="false" value="HAVE_LIBHIREDIS=1"/>
 									<listOptionValue builtIn="false" value="HAVE_LIBMEMCACHE=1"/>
 									<listOptionValue builtIn="false" value="HAVE_MEMCACHE=1"/>
+									<listOptionValue builtIn="false" value="HAVE_LIBJQ=1"/>
 								</option>
 								<inputType id="cdt.managedbuild.tool.gnu.c.compiler.input.814681391" superClass="cdt.managedbuild.tool.gnu.c.compiler.input"/>
 							</tool>

ChangeLog

@@ -1,3 +1,10 @@
+09/11/2024
+- add (optional) JQ support with caching in oauth2_jq_filter
+- add "json_payload_claim" claim option to oauth2_cfg_target_pass_t
+- make oauth2_jwt_create public in jose.h and add a json_payload parameter
+- nginx: fix memory leak in _oauth2_nginx_ssl_cert_set
+- bump to 2.1.0dev
+
 08/22/2024
 - change LICENSE to Apache 2.0
 - release 2.0.0
@@ -21,7 +28,7 @@
   see OpenIDC/ngx_oauth2_module#7; thanks @smanolache and @pladen
 - allow NGINX primitives in an if block within a location block in the http block
 - bump to 1.6.3dev
-.
+
 06/05/2024
 - release 1.6.2
 

Makefile.am

@@ -34,6 +34,11 @@ includesub_HEADERS = \
 	include/oauth2/util.h \
 	include/oauth2/version.h
 
+if HAVE_LIBJQ
+includesub_HEADERS += \
+	include/oauth2/jq.h
+endif
+
 #
 # liboauth
 #
@@ -81,6 +86,13 @@ liboauth2_la_SOURCES = \
 	src/openidc/state.c \
 	src/openidc/openidc.c
 
+if HAVE_LIBJQ
+AM_CPPFLAGS += -DHAVE_LIBJQ
+liboauth2_la_CFLAGS += @JQ_CFLAGS@
+liboauth2_la_LIBADD += @JQ_LIBS@
+liboauth2_la_SOURCES += src/jq.c
+endif
+
 #
 # cache
 #
@@ -161,7 +173,7 @@ TESTS = check_liboauth2
 check_PROGRAMS = $(TESTS)
 
 check_liboauth2_CPPFLAGS = $(liboauth2_cache_la_CPPFLAGS)
-check_liboauth2_CFLAGS = @OPENSSL_CFLAGS@ @CURL_CFLAGS@ @CJOSE_CFLAGS@ @PCRE2_CFLAGS@ @CHECK_CFLAGS@
+check_liboauth2_CFLAGS = @OPENSSL_CFLAGS@ @CURL_CFLAGS@ @CJOSE_CFLAGS@ @PCRE2_CFLAGS@ @JQ_CFLAGS@ @CHECK_CFLAGS@
 check_liboauth2_LDADD = liboauth2.la
 if HAVE_APACHE
 check_liboauth2_CPPFLAGS += $(liboauth2_apache_la_CPPFLAGS)
@@ -193,6 +205,11 @@ check_liboauth2_SOURCES = \
 	test/server_stubs.c \
 	test/provider.json \
 	test/client.json
+
+if HAVE_LIBJQ
+check_liboauth2_SOURCES += \
+	test/check_jq.c
+endif
 if HAVE_APACHE
 check_liboauth2_SOURCES += \
 	test/check_apache.c
@@ -216,7 +233,7 @@ test: check
 TAG=liboauth2/test
 
 docker: clean
-	docker build -f test/Dockerfile . -t $(TAG)
+	docker build --progress plain -f test/Dockerfile . -t $(TAG)
 
 docker-check: docker
 	docker run -it --rm $(TAG):latest /bin/bash -c "./start.sh && make check"

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([liboauth2],[2.0.0],[[email protected]])
+AC_INIT([liboauth2],[2.1.0dev],[[email protected]])
 
 AM_INIT_AUTOMAKE([foreign no-define subdir-objects])
 AC_CONFIG_MACRO_DIR([m4])
@@ -41,7 +41,6 @@ if test x"$have_memcache" = "xyes"; then
 fi
 AC_SUBST(MEMCACHE_PC)
 
-
 AC_ARG_WITH([redis], AS_HELP_STRING([--with-redis], [build with Redis cache support [default=autodetect]]),)
 if test "x$with_redis" != "xno"; then
 	PKG_CHECK_MODULES([HIREDIS], [hiredis], [have_redis="yes"], [have_redis="no"])
@@ -54,6 +53,44 @@ if test x"$have_redis" = "xyes"; then
 fi
 AC_SUBST(HIREDIS_PC)
 
+have_jq=no
+AC_ARG_WITH([jq],
+	AS_HELP_STRING([--with-jq=PATH], [location of your libjq installation])])
+if test -n "$with_jq" ; then
+	if test "x$with_jq" != "xno"; then
+		if test "x$with_jq" = "xyes"; then
+			PKG_CHECK_MODULES([JQ], [libjq >= 1.6], [have_jq="yes"], [have_jq="no"])
+		else
+			if test "$JQ_CFLAGS" = ""; then
+				JQ_CFLAGS="-I$with_jq/include"
+			fi
+			if test "$JQ_LIBS" = ""; then
+				JQ_LIBS="-L$with_jq/lib -ljq"
+			fi
+			CPPFLAGS="$JQ_CFLAGS $CPPFLAGS"
+			AC_CHECK_HEADER([jq.h], [have_jq=yes], [have_jq=no])
+
+			LDFLAGS="$JQ_LIBS $LDFLAGS"
+			AC_CHECK_LIB([jq], [jq_init], [have_jq=yes], [have_jq=no])
+			if test "x$have_jq" = "xno" ; then
+				AC_MSG_WARN("cannot find library for -ljq.")
+				JQ_CFLAGS=
+				JQ_LIBS=
+			fi
+		fi
+	fi
+fi
+AM_CONDITIONAL(HAVE_LIBJQ, [test x"$have_jq" = "xyes"])
+AC_SUBST(JQ_CFLAGS)
+AC_SUBST(JQ_LIBS)
+if test x"$have_jq" = "xyes"; then
+	# note the leading comma and space(s)
+	JQ_LIBS_PC=', libjq >= 1.6'
+	JQ_CFLAGS_PC=' -DOAUTH2_WITH_JQ'
+fi
+AC_SUBST(JQ_LIBS_PC)
+AC_SUBST(JQ_CFLAGS_PC)
+
 AC_ARG_WITH([apache], AS_HELP_STRING([--with-apache], [build with Apache support [default=autodetect]]),)
 AC_ARG_WITH([apxs],
     [AS_HELP_STRING([--with-apxs=PATH/NAME],[path to the apxs binary for Apache [[apxs]]])],

include/oauth2/cfg.h

@@ -261,6 +261,8 @@ const char *
 oauth2_cfg_target_pass_get_authn_header(oauth2_cfg_target_pass_t *cfg);
 const char *
 oauth2_cfg_target_get_remote_user_claim(oauth2_cfg_target_pass_t *cfg);
+const char *
+oauth2_cfg_target_get_json_payload_claim(oauth2_cfg_target_pass_t *cfg);
 
 /*
  * resource owner password credentials

include/oauth2/jose.h

@@ -78,4 +78,9 @@ bool oauth2_jose_jwk_thumbprint(oauth2_log_t *log, const cjose_jwk_t *jwk,
 				unsigned char **hash_bytes,
 				unsigned int *hash_bytes_len);
 
+char *oauth2_jwt_create(oauth2_log_t *log, cjose_jwk_t *jwk, const char *alg,
+			const char *iss, const char *sub, const char *client_id,
+			const char *aud, oauth2_uint_t exp, bool include_iat,
+			bool include_jti, const json_t *json_payload);
+
 #endif /* _OAUTH2_JOSE_H_ */

include/oauth2/jq.h

@@ -0,0 +1,30 @@
+#ifndef _OAUTH2_JQ_H
+#define _OAUTH2_JQ_H
+
+/***************************************************************************
+ *
+ * Copyright (C) 2018-2024 - ZmartZone Holding BV
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * @Author: Hans Zandbelt - [email protected]
+ *
+ **************************************************************************/
+
+#include "oauth2/cache.h"
+#include "oauth2/log.h"
+
+bool oauth2_jq_filter(oauth2_log_t *log, oauth2_cache_t *cache,
+		      const char *input, const char *filter, char **result);
+
+#endif /* _OAUTH2_JQ_H */

liboauth2.pc.in

@@ -11,6 +11,6 @@ Name: liboauth2
 URL: https://github.com/OpenIDC/liboauth2
 Description: OAuth 2.0 / OpenID Connect implementation for C
 Version: @VERSION@
-Requires: cjose >= 0.5.1, jansson >= 2.3, libcurl, libpcre2-8, libssl, libcrypto >= 1.0.1@MEMCACHE_PC@@HIREDIS_PC@
-Cflags: -I${includedir}
+Requires: cjose >= 0.5.1, jansson >= 2.3, libcurl, libpcre2-8, libssl, libcrypto >= 1.0.1@MEMCACHE_PC@@HIREDIS_PC@@JQ_LIBS_PC@
+Cflags: -I${includedir}@JQ_CFLAGS_PC@
 Libs: -L${libdir} -loauth2

src/cfg/auth.c

@@ -316,7 +316,7 @@ static char *oauth2_cfg_endpoint_auth_private_key_jwt_options_set(
 	auth->private_key_jwt.jwk = cjose_jwk_import(jwk, strlen(jwk), &err);
 	if (auth->private_key_jwt.jwk == NULL) {
 		rv = oauth2_stradd(NULL, "parsing JWK failed: ",
-				   "cjose_jws_import error: ", err.message);
+				   "cjose_jwk_import error: ", err.message);
 		goto end;
 	}
 

src/cfg/target.c

@@ -27,13 +27,15 @@
 #define OAUTH2_CFG_PASS_TARGET_PREFIX_DEFAULT "OAUTH2_CLAIM_"
 #define OAUTH2_CFG_PASS_TARGET_AUTHN_HEADER_DEFAULT NULL
 #define OAUTH2_CFG_PASS_TARGET_REMOTE_USER_CLAIM_DEFAULT "sub"
+#define OAUTH2_CFG_PASS_TARGET_JSON_PAYLOAD_CLAIM_DEFAULT NULL
 
 typedef struct oauth2_cfg_target_pass_t {
 	oauth2_flag_t as_envvars;
 	oauth2_flag_t as_headers;
 	char *authn_header;
 	char *prefix;
 	char *remote_user_claim;
+	char *json_payload_claim;
 } oauth2_cfg_target_pass_t;
 
 oauth2_cfg_target_pass_t *oauth2_cfg_target_pass_init(oauth2_log_t *log)
@@ -50,6 +52,7 @@ oauth2_cfg_target_pass_t *oauth2_cfg_target_pass_init(oauth2_log_t *log)
 	pass->authn_header = NULL;
 	pass->prefix = NULL;
 	pass->remote_user_claim = NULL;
+	pass->json_payload_claim = NULL;
 
 end:
 
@@ -68,6 +71,8 @@ void oauth2_cfg_target_pass_free(oauth2_log_t *log,
 		oauth2_mem_free(pass->prefix);
 	if (pass->remote_user_claim)
 		oauth2_mem_free(pass->remote_user_claim);
+	if (pass->json_payload_claim)
+		oauth2_mem_free(pass->json_payload_claim);
 	oauth2_mem_free(pass);
 
 end:
@@ -96,6 +101,9 @@ void oauth2_cfg_target_pass_merge(oauth2_log_t *log,
 	cfg->remote_user_claim = oauth2_strdup(add->remote_user_claim != NULL
 						   ? add->remote_user_claim
 						   : base->remote_user_claim);
+	cfg->json_payload_claim = oauth2_strdup(add->json_payload_claim != NULL
+						    ? add->json_payload_claim
+						    : base->json_payload_claim);
 
 end:
 
@@ -162,6 +170,15 @@ char *oauth2_cfg_set_target_pass_options(oauth2_log_t *log,
 			goto end;
 	}
 
+	value = oauth2_nv_list_get(log, params, "json_payload_claim");
+	if (value) {
+		rv = oauth2_strdup(oauth2_cfg_set_str_slot(
+		    cfg, offsetof(oauth2_cfg_target_pass_t, json_payload_claim),
+		    value));
+		if (rv)
+			goto end;
+	}
+
 end:
 
 	if (params)
@@ -210,3 +227,11 @@ oauth2_cfg_target_get_remote_user_claim(oauth2_cfg_target_pass_t *cfg)
 		return OAUTH2_CFG_PASS_TARGET_REMOTE_USER_CLAIM_DEFAULT;
 	return cfg->remote_user_claim;
 }
+
+const char *
+oauth2_cfg_target_get_json_payload_claim(oauth2_cfg_target_pass_t *cfg)
+{
+	if (cfg->json_payload_claim == NULL)
+		return OAUTH2_CFG_PASS_TARGET_JSON_PAYLOAD_CLAIM_DEFAULT;
+	return cfg->json_payload_claim;
+}