add Mutual-TLS Certificate-Bound Access Tokens support to NGINX

zandbelt · zandbelt · commit 1814f5f58c13 · 2024-03-08T17:33:42.000+01:00
RFC 8705

Signed-off-by: Hans Zandbelt &lt;hans.zandbelt@openidc.com&gt;
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,6 @@
+03/08/2024
+- add support for RFC 8705 OAuth 2.0 Mutual-TLS Certificate-Bound Access Tokens to the NGINX binding
+
 03/04/2024
 - add support for Redis 6 ACL username based authentication; see: OpenIDC/mod_oauth2#63
 - bump to 1.6.1dev
diff --git a/include/oauth2/http.h b/include/oauth2/http.h
@@ -51,6 +51,8 @@
 #define OAUTH2_HTTP_HDR_WWW_AUTHENTICATE "WWW-Authenticate"
 #define OAUTH2_HTTP_HDR_XML_HTTP_REQUEST "XMLHttpRequest"
 
+#define OAUTH2_TLS_CERT_VAR_NAME "SSL_CLIENT_CERT"
+
 /*
  * content type
  */
diff --git a/include/oauth2/oauth2.h b/include/oauth2/oauth2.h
@@ -65,8 +65,6 @@
 #define OAUTH2_CLAIM_AUD "aud"
 #define OAUTH2_CLAIM_IAT "iat"
 
-#define OAUTH2_TLS_CERT_VAR_NAME "SSL_CLIENT_CERT"
-
 typedef enum {
 	OAUTH2_UNAUTH_ACTION_UNDEFINED,
 	OAUTH2_UNAUTH_ACTION_AUTHENTICATE,
diff --git a/src/http.c b/src/http.c
@@ -176,6 +176,11 @@ bool oauth2_http_request_context_set(oauth2_log_t *log,
 	if (request == NULL)
 		goto end;
 
+	if (strcmp(name, OAUTH2_TLS_CERT_VAR_NAME) == 0)
+		oauth2_debug(
+		    log, "set SSL client certificate in request context: %s",
+		    value);
+
 	rc = oauth2_nv_list_set(log, request->_context, name, value);
 
 end:
diff --git a/src/server/nginx.c b/src/server/nginx.c
@@ -198,6 +198,30 @@ void _oauth2_nginx_request_copy(oauth2_nginx_request_context_t *ctx)
 	return;
 }
 
+static void _oauth2_nginx_ssl_cert_set(oauth2_nginx_request_context_t *ctx)
+{
+	ngx_str_t name;
+	ngx_uint_t key;
+	ngx_http_variable_value_t *vv = NULL;
+
+	char *s_key = "ssl_client_cert";
+
+	name.len = strlen(s_key);
+	name.data = ngx_palloc(ctx->r->pool, name.len);
+	memcpy(name.data, s_key, name.len);
+	key = ngx_hash_strlow(name.data, name.data, name.len);
+	vv = ngx_http_get_variable(ctx->r, &name, key);
+
+	if ((vv == NULL) || (vv->not_found))
+		return;
+
+	char *s = oauth2_strndup((char *)vv->data, vv->len);
+	oauth2_http_request_context_set(ctx->log, ctx->request,
+					OAUTH2_TLS_CERT_VAR_NAME, s);
+
+	ngx_pfree(ctx->r->pool, name.data);
+	oauth2_mem_free(s);
+}
 oauth2_nginx_request_context_t *
 oauth2_nginx_request_context_init(ngx_http_request_t *r)
 {
@@ -224,6 +248,8 @@ oauth2_nginx_request_context_init(ngx_http_request_t *r)
 
 	_oauth2_nginx_request_copy(ctx);
 
+	_oauth2_nginx_ssl_cert_set(ctx);
+
 	oauth2_debug(ctx->log, "created NGINX request context: %p", ctx);
 
 	// end:
diff --git a/test/server_stubs.c b/test/server_stubs.c
@@ -149,6 +149,12 @@ void *ngx_palloc(ngx_pool_t *pool, size_t size)
 	return p;
 }
 
+ngx_int_t ngx_pfree(ngx_pool_t *pool, void *p)
+{
+	oauth2_mem_free(p);
+	return NGX_OK;
+}
+
 void *ngx_list_push(ngx_list_t *l)
 {
 	void *elt;
@@ -183,4 +189,15 @@ void *ngx_list_push(ngx_list_t *l)
 	return elt;
 }
 
+ngx_http_variable_value_t *
+ngx_http_get_variable(ngx_http_request_t *r, ngx_str_t *name, ngx_uint_t key)
+{
+	return NULL;
+}
+
+ngx_uint_t ngx_hash_strlow(u_char *dst, u_char *src, size_t n)
+{
+	return 0;
+}
+
 #endif
