Repository: trafficserver Updated Branches: refs/heads/master 0e6e5c151 -> dcb2ede1a
TS-4133: Update the url_sig plugin so that application query parameters are left intact on the request. Signed-off-by: John J. Rushford <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/dcb2ede1 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/dcb2ede1 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/dcb2ede1 Branch: refs/heads/master Commit: dcb2ede1ae09dd7348e375f2730cc58b77312bd7 Parents: 0e6e5c1 Author: John J. Rushford <[email protected]> Authored: Thu Jan 14 19:22:35 2016 +0000 Committer: John J. Rushford <[email protected]> Committed: Tue Mar 22 16:40:49 2016 +0000 ---------------------------------------------------------------------- plugins/experimental/url_sig/README | 9 ++++ plugins/experimental/url_sig/sign.pl | 28 ++++++++++-- plugins/experimental/url_sig/url_sig.c | 67 +++++++++++++++++++++++++++-- plugins/experimental/url_sig/url_sig.h | 1 + 4 files changed, 98 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/dcb2ede1/plugins/experimental/url_sig/README ---------------------------------------------------------------------- diff --git a/plugins/experimental/url_sig/README b/plugins/experimental/url_sig/README index aa9a650..b5d8792 100644 --- a/plugins/experimental/url_sig/README +++ b/plugins/experimental/url_sig/README @@ -41,6 +41,15 @@ Edge cache debugging to traffic.out. Failed transactions (signature check fails that is) will be logged in to error.log. +Application Query Parameters. + If a request to be signed has application query parameters, the signing + parameters must be concatenated to the end of the requests application + query parameters. The application query parameters will be included in + the signing calculation as determined by the 'Parts' signing explained + below. At the edge after verification of the signing by this plugin, + the signing parameters are removed and the application query parameters + are preserved in the request. + Signing a URL At the signing portal take the full URL, without any query string, and add on a query string with the following parameters: http://git-wip-us.apache.org/repos/asf/trafficserver/blob/dcb2ede1/plugins/experimental/url_sig/sign.pl ---------------------------------------------------------------------- diff --git a/plugins/experimental/url_sig/sign.pl b/plugins/experimental/url_sig/sign.pl index d3fbdeb..7f2cc7b 100755 --- a/plugins/experimental/url_sig/sign.pl +++ b/plugins/experimental/url_sig/sign.pl @@ -65,12 +65,24 @@ foreach my $part ( split( /\//, $url ) ) { } $j++; } +my $urlHasParams = index($string,"?"); + chop($string); if ( defined($client) ) { - $string .= "?C=" . $client . "&E=" . ( time() + $duration ) . "&A=" . $algorithm . "&K=" . $keyindex . "&P=" . $useparts . "&S="; + if ($urlHasParams > 0) { + $string .= "&C=" . $client . "&E=" . ( time() + $duration ) . "&A=" . $algorithm . "&K=" . $keyindex . "&P=" . $useparts . "&S="; + } + else { + $string .= "?C=" . $client . "&E=" . ( time() + $duration ) . "&A=" . $algorithm . "&K=" . $keyindex . "&P=" . $useparts . "&S="; + } } else { - $string .= "?E=" . ( time() + $duration ) . "&A=" . $algorithm . "&K=" . $keyindex . "&P=" . $useparts . "&S="; + if ($urlHasParams > 0) { + $string .= "&E=" . ( time() + $duration ) . "&A=" . $algorithm . "&K=" . $keyindex . "&P=" . $useparts . "&S="; + } + else { + $string .= "?E=" . ( time() + $duration ) . "&A=" . $algorithm . "&K=" . $keyindex . "&P=" . $useparts . "&S="; + } } $verbose && print "signed string = " . $string . "\n"; @@ -82,9 +94,17 @@ if ( $algorithm == 1 ) { else { $digest = hmac_md5_hex( $string, $key ); } -my $qstring = ( split( /\?/, $string ) )[1]; +if ($urlHasParams == -1) { + my $qstring = ( split( /\?/, $string ) )[1]; -print "curl -s -o /dev/null -v --max-redirs 0 'http://"; . $url . "?" . $qstring . $digest . "'\n"; + print "curl -s -o /dev/null -v --max-redirs 0 'http://"; . $url . "?" . $qstring . $digest . "'\n"; +} +else { + my $url_noparams = ( split( /\?/, $url ) )[0]; + my $qstring = ( split( /\?/, $string ) )[1]; + + print "curl -s -o /dev/null -v --max-redirs 0 'http://"; . $url_noparams . "?" . $qstring . $digest . "'\n"; +} sub help { print "sign.pl - Example signing utility in perl for signed URLs\n"; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/dcb2ede1/plugins/experimental/url_sig/url_sig.c ---------------------------------------------------------------------- diff --git a/plugins/experimental/url_sig/url_sig.c b/plugins/experimental/url_sig/url_sig.c index 96a5521..70a3f00 100644 --- a/plugins/experimental/url_sig/url_sig.c +++ b/plugins/experimental/url_sig/url_sig.c @@ -245,6 +245,60 @@ err_log(char *url, char *msg) } } +// See the README. All Signing parameters must be concatenated to the end +// of the url and any application query parameters. +static char * +getAppQueryString(char *query_string, int query_length) +{ + int done = 0; + char *p; + char buf[MAX_QUERY_LEN]; + + if (query_length > MAX_QUERY_LEN) { + TSDebug(PLUGIN_NAME, "Cannot process the query string as the length exceeds %d bytes.", MAX_QUERY_LEN); + return NULL; + } + memset(buf, 0, MAX_QUERY_LEN); + strncpy(buf, query_string, query_length); + p = buf; + + TSDebug(PLUGIN_NAME, "query_string: %s, query_length: %d", query_string, query_length); + if (p == NULL) { + return NULL; + } + + do { + switch (*p) { + case 'A': + case 'C': + case 'E': + case 'K': + case 'P': + case 'S': + done = 1; + if (*(p - 1) == '&') { + *(p - 1) = '\0'; + } else + (*p = '\0'); + break; + default: + p = strchr(p, '&'); + if (p == NULL) + done = 1; + else + p++; + break; + } + } while (!done); + + if (strlen(buf) > 0) { + p = TSstrdup(buf); + return p; + } else { + return NULL; + } +} + TSRemapStatus TSRemapDoRemap(void *ih, TSHttpTxn txnp, TSRemapRequestInfo *rri) { @@ -275,7 +329,7 @@ TSRemapDoRemap(void *ih, TSHttpTxn txnp, TSRemapRequestInfo *rri) char *parts = NULL; char *part = NULL; char *p = NULL, *pp = NULL; - char *query = NULL; + char *query = NULL, *app_qry = NULL; int retval, sockfd; socklen_t peer_len; @@ -510,11 +564,18 @@ deny: /* ********* Allow ********* */ allow: + app_qry = getAppQueryString(query, strlen(query)); + TSfree(url); /* drop the query string so we can cache-hit */ - rval = TSUrlHttpQuerySet(rri->requestBufp, rri->requestUrl, NULL, 0); + if (app_qry != NULL) { + rval = TSUrlHttpQuerySet(rri->requestBufp, rri->requestUrl, app_qry, strlen(app_qry)); + TSfree(app_qry); + } else { + rval = TSUrlHttpQuerySet(rri->requestBufp, rri->requestUrl, NULL, 0); + } if (rval != TS_SUCCESS) { - TSError("[url_sig] Error stripping query string: %d.", rval); + TSError("[url_sig] Error setting the query string: %d.", rval); } return TSREMAP_NO_REMAP; } http://git-wip-us.apache.org/repos/asf/trafficserver/blob/dcb2ede1/plugins/experimental/url_sig/url_sig.h ---------------------------------------------------------------------- diff --git a/plugins/experimental/url_sig/url_sig.h b/plugins/experimental/url_sig/url_sig.h index 6e22600..46e8e72 100644 --- a/plugins/experimental/url_sig/url_sig.h +++ b/plugins/experimental/url_sig/url_sig.h @@ -45,6 +45,7 @@ #define MAX_REQ_LEN 8192 #define MAX_KEY_LEN 256 #define MAX_KEY_NUM 16 +#define MAX_QUERY_LEN 4096 #define USIG_HMAC_SHA1 1 #define USIG_HMAC_MD5 2
