Backport of all uri-signing changes in to 8.1.x

List of included PRs:

- #6363 (partial pick)
- #6420
- #6419
- #6354
- #6252
- #4513
- #4603
- #4750 (partial pick)
- #4604
- #4540
- #4777
- #4862
- #4814
- #4802
- #4897
- #4988
- #5034
- #5140
- #5112
- #4895
- #5834 (partial pick)
- #6061
- #6210 (partial pick)
- #6265 (partial pick)
- #6282 (partial pick)

Updating uri_signing docs to reflect new RFC changes

(cherry picked from commit 90e51a2)

Add normalization the URI before cdniuc validation

(cherry picked from commit b39b0f7)

JWT Parser strips token from URI and places in buffer

(cherry picked from commit 5f9d358)

Use POSIX ERE for uri signing regex evaluation

(cherry picked from commit be56b3a)

Implement nbf claim in Uri Signing Plugin

(cherry picked from commit d9dc0f4)

Implement aud claim in Uri Signing Plugin

The Aud claim is implemented as per the RFC version 16 that
can be found here:https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-16

As per the specification, the aud claim can be either a JSON array or
a string. The aud claim is stored as raw json in the jwt class
in this implementation. It is converted either to an array or a
string at validation time.

This commit also expands the unit tests quite a bit. Test configs
can be provided in the unit_tests directory and parsed in the test framework.
JWS validation is also testable now.

This commit also fixes two memory leaks
1. Issuers were never being freed on configuration cleanup.
2. Token renewal allocates a tmp json_object without freeing.

(cherry picked from commit 012d437)

cdniuc is not a manditory claim

With Internet Draft 16 for uri signing, the cdniuc claim is not manditory. It
took the place of the manditory sub claim in draft 12, and the manditory nature
of the sub claim was still in effect. This change allows for tokens to not contain
the cdniuc claim and also renews the cdniuc and cdnistd claim on token renewal.

(cherry picked from commit fa53771)

add --with-jansson and --with-cjose options, document sample commands for building and configuring both locally

(cherry picked from commit 0cce83c)

Strip token from upstream if conifigured and dynamically allocate string buffers

Adds a configuration option to strip uri signing tokens from both the cache key
URL and the upstream URL.

Additionally it was pointed out that some statically allocated buffers were too small in
some of the string manipulating functions (normalize and strip token). These buffers are
now dynamically allocated since the maximum buffer size is known for these.

(cherry picked from commit 192dc83)

Cherry-pick from commit 4cfd5a7

Add Example URI Signer Python Script

Provide an example script to be used in conjunction with the uri signing
plugin. This script is meant to serve as an example of how to get started
with uri signing and could be useful in testing various configs.

(cherry picked from commit 3632eb7)

Cherry-pick from commit 9c1b88a

Cherry-pick from commit a139fd1

Cherry-pick from commit c07474d

Add simple autest and subsequent fixes

(cherry picked from commit ea3aa04)

Cherry-pick from commit 6d64842

URI Sig Null Check for Clang Warning (#6419)

This commit adds a missing null check in the uri normalization function.
This was caught by the clang analyzer.

(cherry picked from commit 2de1c35)

Syntax Error fixed in URI sig Plugin (#6420)

(cherry picked from commit c154d40)

Change gold files to be less restrictive since some of the headers include can be in a different order (#6410)

(cherry picked from commit 4bdde5d)

Add a dummy cachekey usage to handle the effective vs pristine url issue that exists in 8x where the first plugin gets a different url then subsequent ones.  This is not needed on 9x+

Author: Dylan Souza

.gitignore

@@ -122,6 +122,7 @@ plugins/esi/vars_test
 plugins/experimental/slice/test_config
 plugins/experimental/slice/test_content_range
 plugins/experimental/slice/test_range
+plugins/experimental/uri_signing/test_uri_signing
 
 mgmt/api/traffic_api_cli_remote
 mgmt/tools/traffic_mcast_snoop

build/cjose.m4

@@ -0,0 +1,47 @@
+dnl -------------------------------------------------------- -*- autoconf -*-
+dnl Licensed to the Apache Software Foundation (ASF) under one or more
+dnl contributor license agreements.  See the NOTICE file distributed with
+dnl this work for additional information regarding copyright ownership.
+dnl The ASF licenses this file to You under the Apache License, Version 2.0
+dnl (the "License"); you may not use this file except in compliance with
+dnl the License.  You may obtain a copy of the License at
+dnl
+dnl     http://www.apache.org/licenses/LICENSE-2.0
+dnl
+dnl Unless required by applicable law or agreed to in writing, software
+dnl distributed under the License is distributed on an "AS IS" BASIS,
+dnl WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+dnl See the License for the specific language governing permissions and
+dnl limitations under the License.
+
+dnl
+dnl cjose.m4: Trafficserver's cjose autoconf macros
+dnl
+
+dnl
+dnl TS_CHECK_CJOSE: look for cjose libraries and headers
+dnl
+
+AC_DEFUN([TS_CHECK_CJOSE], [
+AC_MSG_CHECKING([for --with-cjose])
+  AC_ARG_WITH(
+      [cjose],
+      [AS_HELP_STRING([--with-cjose=DIR], [use a specific cjose library])],
+      [ LDFLAGS="$LDFLAGS -L$with_cjose/lib";
+        CFLAGS="$CFLAGS -I$with_cjose/include/";
+        CPPFLAGS="$CPPFLAGS -I$with_cjose/include/";
+        AC_MSG_RESULT([$with_cjose])
+      ],
+      [ AC_MSG_RESULT([no])]
+  )
+
+  AC_CHECK_HEADERS([cjose/cjose.h], [
+    AC_MSG_CHECKING([whether cjose is dynamic])
+    TS_LINK_WITH_FLAGS_IFELSE([-fPIC -lcjose -ljansson -lcrypto],[AC_LANG_PROGRAM(
+                              [#include <cjose/cjose.h>],
+                              [(void) cjose_jws_import("", 0, NULL);])],
+                              [AC_MSG_RESULT([yes]); LIBCJOSE=-lcjose],
+                              [AC_MSG_RESULT([no]);  LIBCJOSE=-l:libcjose.a])
+    ],
+    [LIBCJOSE=])
+])

build/hiredis.m4

@@ -0,0 +1,93 @@
+dnl -------------------------------------------------------- -*- autoconf -*-
+dnl Licensed to the Apache Software Foundation (ASF) under one or more
+dnl contributor license agreements.  See the NOTICE file distributed with
+dnl this work for additional information regarding copyright ownership.
+dnl The ASF licenses this file to You under the Apache License, Version 2.0
+dnl (the "License"); you may not use this file except in compliance with
+dnl the License.  You may obtain a copy of the License at
+dnl
+dnl     http://www.apache.org/licenses/LICENSE-2.0
+dnl
+dnl Unless required by applicable law or agreed to in writing, software
+dnl distributed under the License is distributed on an "AS IS" BASIS,
+dnl WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+dnl See the License for the specific language governing permissions and
+dnl limitations under the License.
+
+dnl
+dnl hiredis.m4: Trafficserver's hiredis autoconf macros
+dnl
+
+dnl
+dnl TS_CHECK_HIREDIS: look for hiredis libraries and headers
+dnl
+
+AC_DEFUN([TS_CHECK_HIREDIS], [
+hiredis_base_dir='/usr'
+has_hiredis=0
+AC_ARG_WITH(hiredis, [AC_HELP_STRING([--with-hiredis=DIR],[use a specific hiredis library])],
+[
+  has_hiredis=1
+  if test "x$withval" != "xyes" && test "x$withval" != "x"; then
+    hiredis_base_dir="$withval"
+    if test "$withval" != "no"; then
+      case "$withval" in
+      *":"*)
+        hiredis_include="`echo $withval |sed -e 's/:.*$//'`"
+        hiredis_ldflags="`echo $withval |sed -e 's/^.*://'`"
+        AC_MSG_CHECKING(checking for hiredis includes in $hiredis_include libs in $hiredis_ldflags )
+        ;;
+      *)
+        hiredis_include="$withval/include"
+        hiredis_ldflags="$withval/lib"
+        AC_MSG_CHECKING(checking for hiredis includes in $withval)
+        ;;
+      esac
+    fi
+  fi
+
+  if test -d $hiredis_include && test -d $hiredis_ldflags && test -f $hiredis_include/hiredis/hiredis.h; then
+    AC_MSG_RESULT([ok])
+  else
+    has_hiredis=0
+    AC_MSG_RESULT([not found])
+  fi
+
+if test "$has_hiredis" != "0"; then
+  saved_ldflags=$LDFLAGS
+  saved_cppflags=$CPPFLAGS
+  hiredis_have_headers=0
+  hiredis_have_libs=0
+  if test "$hiredis_base_dir" != "/usr"; then
+    TS_ADDTO(CPPFLAGS, [-I${hiredis_include}])
+    TS_ADDTO(LDFLAGS, [-L${hiredis_ldflags}])
+    TS_ADDTO_RPATH(${hiredis_ldflags})
+  fi
+
+  AC_CHECK_LIB([hiredis], redisConnect, [hiredis_have_libs=1])
+  if test "$hiredis_have_libs" != "0"; then
+    AC_CHECK_HEADERS(hiredis/hiredis.h, [hiredis_have_headers=1])
+  fi
+  if test "$hiredis_have_headers" != "0"; then
+    AC_SUBST([LIB_HIREDIS], [-lhiredis])
+    AC_SUBST([CFLAGS_HIREDIS], [-I${hiredis_include}])
+  else
+    has_hiredis=0
+    CPPFLAGS=$saved_cppflags
+    LDFLAGS=$saved_ldflags
+  fi
+fi
+],
+[
+has_hiredis=1
+AC_CHECK_HEADER([hiredis/hiredis.h], [], [has_hiredis=0])
+AC_CHECK_LIB([hiredis], redisConnect, [], [has_hiredis=0])
+
+if test "x$has_hiredis" == "x1"; then
+    AC_SUBST([LIB_HIREDIS], [-lhiredis])
+fi
+])
+
+])
+
+

build/jansson.m4

@@ -0,0 +1,47 @@
+dnl -------------------------------------------------------- -*- autoconf -*-
+dnl Licensed to the Apache Software Foundation (ASF) under one or more
+dnl contributor license agreements.  See the NOTICE file distributed with
+dnl this work for additional information regarding copyright ownership.
+dnl The ASF licenses this file to You under the Apache License, Version 2.0
+dnl (the "License"); you may not use this file except in compliance with
+dnl the License.  You may obtain a copy of the License at
+dnl
+dnl     http://www.apache.org/licenses/LICENSE-2.0
+dnl
+dnl Unless required by applicable law or agreed to in writing, software
+dnl distributed under the License is distributed on an "AS IS" BASIS,
+dnl WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+dnl See the License for the specific language governing permissions and
+dnl limitations under the License.
+
+dnl
+dnl jansson.m4: Trafficserver's jansson autoconf macros
+dnl
+
+dnl
+dnl TS_CHECK_JANSSON: look for jansson libraries and headers
+dnl
+
+AC_DEFUN([TS_CHECK_JANSSON], [
+  AC_MSG_CHECKING([for --with-jansson])
+  AC_ARG_WITH(
+      [jansson],
+      [AS_HELP_STRING([--with-jansson], [use a specific jansson library])],
+      [ LDFLAGS="$LDFLAGS -L$with_jansson/lib";
+        CFLAGS="$CFLAGS -I$with_jansson/include/";
+        CPPFLAGS="$CPPFLAGS -I$with_jansson/include/";
+        AC_MSG_RESULT([$with_jansson])
+      ],
+      [ AC_MSG_RESULT([no])]
+  )
+
+  AC_CHECK_HEADERS([jansson.h], [
+    AC_MSG_CHECKING([whether jansson is dynamic])
+    TS_LINK_WITH_FLAGS_IFELSE([-fPIC -ljansson],[AC_LANG_PROGRAM(
+                              [#include <jansson.h>],
+                              [(void) json_object();])],
+                              [AC_MSG_RESULT([yes]); LIBJANSSON=-ljansson],
+                              [AC_MSG_RESULT([no]);  LIBJANSSON=-l:libjansson.a])
+    ],
+    [LIBJANSSON=])
+])

configure.ac

@@ -1316,27 +1316,15 @@ TS_CHECK_LUAJIT
 # Enable experimental/uri_singing plugin
 # This is here, instead of above, because it needs to know if PCRE is available.
 #
-AC_CHECK_HEADERS([jansson.h], [
-  AC_MSG_CHECKING([whether jansson is dynamic])
-  TS_LINK_WITH_FLAGS_IFELSE([-fPIC -ljansson],[AC_LANG_PROGRAM(
-                            [#include <jansson.h>],
-                            [(void) json_object();])],
-                            [AC_MSG_RESULT([yes]); LIBJANSSON=-ljansson],
-                            [AC_MSG_RESULT([no]);  LIBJANSSON=-l:libjansson.a])
-  ],
-  [LIBJANSSON=])
-
-AC_CHECK_HEADERS([cjose/cjose.h], [
-  AC_MSG_CHECKING([whether cjose is dynamic])
-  TS_LINK_WITH_FLAGS_IFELSE([-fPIC -lcjose],[AC_LANG_PROGRAM(
-                            [#include <cjose/cjose.h>],
-                            [(void) cjose_jws_import("", 0, NULL);])],
-                            [AC_MSG_RESULT([yes]); LIBCJOSE=-lcjose],
-                            [AC_MSG_RESULT([no]);  LIBCJOSE=-l:libcjose.a])
-  ],
-  [LIBCJOSE=])
+
+#### Check for optional jansson library (uri_signing)
+TS_CHECK_JANSSON
+
 AC_CHECK_LIB([crypto],[HMAC],[has_libcrypto=1],[has_libcrypto=0])
 
+#### Check for optional cjose library (uri_signing)
+TS_CHECK_CJOSE
+
 AM_CONDITIONAL([BUILD_URI_SIGNING_PLUGIN], [test ! -z "${LIBCJOSE}" -a ! -z "${LIBJANSSON}" -a "x${enable_pcre}" = "xyes" -a "x${has_libcrypto}" = "x1"])
 AC_SUBST([LIBCJOSE])
 AC_SUBST([LIBJANSSON])

plugins/experimental/uri_signing/Makefile.inc

@@ -23,6 +23,22 @@ experimental_uri_signing_uri_signing_la_SOURCES = \
   experimental/uri_signing/jwt.c                  \
   experimental/uri_signing/match.c                \
   experimental/uri_signing/parse.c                \
+  experimental/uri_signing/normalize.c            \
   experimental/uri_signing/timing.c
 
 experimental_uri_signing_uri_signing_la_LIBADD = @LIBJANSSON@ @LIBCJOSE@ @LIBPCRE@ -lm -lcrypto
+
+check_PROGRAMS += experimental/uri_signing/test_uri_signing
+
+experimental_uri_signing_test_uri_signing_CPPFLAGS = $(AM_CPPFLAGS) -I$(abs_top_srcdir)/tests/include -DURI_SIGNING_UNIT_TEST
+experimental_uri_signing_test_uri_signing_LDADD = @LIBJANSSON@ @LIBCJOSE@ @LIBPCRE@ -lm -lcrypto
+experimental_uri_signing_test_uri_signing_SOURCES = \
+	experimental/uri_signing/unit_tests/uri_signing_test.cc \
+    experimental/uri_signing/jwt.c \
+    experimental/uri_signing/common.c \
+    experimental/uri_signing/parse.c \
+    experimental/uri_signing/cookie.c \
+    experimental/uri_signing/config.c \
+    experimental/uri_signing/timing.c \
+    experimental/uri_signing/normalize.c \
+    experimental/uri_signing/match.c