From bbf1d8b7a6f7c7955967f8cebe07c118997ff483 Mon Sep 17 00:00:00 2001
From: Maxim Dounin <mdounin@mdounin.ru>
Date: Mon, 28 Sep 2020 17:07:48 +0300
Subject: [PATCH] Userid: userid_flags directive to set cookie flags.

---
 .../modules/ngx_http_userid_filter_module.c   | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)

diff --git a/src/http/modules/ngx_http_userid_filter_module.c b/src/http/modules/ngx_http_userid_filter_module.c
index 31cf402f4..db1643c30 100644
--- a/src/http/modules/ngx_http_userid_filter_module.c
+++ b/src/http/modules/ngx_http_userid_filter_module.c
@@ -15,12 +15,20 @@
 #define NGX_HTTP_USERID_V1    2
 #define NGX_HTTP_USERID_ON    3
 
+#define NGX_HTTP_USERID_COOKIE_SECURE           0x0001
+#define NGX_HTTP_USERID_COOKIE_HTTPONLY         0x0002
+#define NGX_HTTP_USERID_COOKIE_SAMESITE         0x0004
+#define NGX_HTTP_USERID_COOKIE_SAMESITE_STRICT  0x0008
+#define NGX_HTTP_USERID_COOKIE_SAMESITE_LAX     0x0010
+#define NGX_HTTP_USERID_COOKIE_SAMESITE_NONE    0x0020
+
 /* 31 Dec 2037 23:55:55 GMT */
 #define NGX_HTTP_USERID_MAX_EXPIRES  2145916555
 
 
 typedef struct {
     ngx_uint_t  enable;
+    ngx_uint_t  flags;
 
     ngx_int_t   service;
 
@@ -88,6 +96,19 @@ static ngx_conf_enum_t  ngx_http_userid_state[] = {
 };
 
 
+static ngx_conf_bitmask_t  ngx_http_userid_flags[] = {
+    { ngx_string("secure"), NGX_HTTP_USERID_COOKIE_SECURE },
+    { ngx_string("httponly"), NGX_HTTP_USERID_COOKIE_HTTPONLY },
+    { ngx_string("samesite=strict"),
+      NGX_HTTP_USERID_COOKIE_SAMESITE|NGX_HTTP_USERID_COOKIE_SAMESITE_STRICT },
+    { ngx_string("samesite=lax"),
+      NGX_HTTP_USERID_COOKIE_SAMESITE|NGX_HTTP_USERID_COOKIE_SAMESITE_LAX },
+    { ngx_string("samesite=none"),
+      NGX_HTTP_USERID_COOKIE_SAMESITE|NGX_HTTP_USERID_COOKIE_SAMESITE_NONE },
+    { ngx_null_string, 0 }
+};
+
+
 static ngx_conf_post_handler_pt  ngx_http_userid_domain_p =
     ngx_http_userid_domain;
 static ngx_conf_post_handler_pt  ngx_http_userid_path_p = ngx_http_userid_path;
@@ -138,6 +159,13 @@ static ngx_command_t  ngx_http_userid_commands[] = {
       0,
       NULL },
 
+    { ngx_string("userid_flags"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE123,
+      ngx_conf_set_bitmask_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_userid_conf_t, flags),
+      &ngx_http_userid_flags },
+
     { ngx_string("userid_p3p"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_str_slot,
@@ -383,6 +411,26 @@ ngx_http_userid_set_uid(ngx_http_request_t *r, ngx_http_userid_ctx_t *ctx,
         len += conf->domain.len;
     }
 
+    if (conf->flags & NGX_HTTP_USERID_COOKIE_SECURE) {
+        len += sizeof("; secure") - 1;
+    }
+
+    if (conf->flags & NGX_HTTP_USERID_COOKIE_HTTPONLY) {
+        len += sizeof("; httponly") - 1;
+    }
+
+    if (conf->flags & NGX_HTTP_USERID_COOKIE_SAMESITE_STRICT) {
+        len += sizeof("; samesite=strict") - 1;
+    }
+
+    if (conf->flags & NGX_HTTP_USERID_COOKIE_SAMESITE_LAX) {
+        len += sizeof("; samesite=lax") - 1;
+    }
+
+    if (conf->flags & NGX_HTTP_USERID_COOKIE_SAMESITE_NONE) {
+        len += sizeof("; samesite=none") - 1;
+    }
+
     cookie = ngx_pnalloc(r->pool, len);
     if (cookie == NULL) {
         return NGX_ERROR;
@@ -422,6 +470,26 @@ ngx_http_userid_set_uid(ngx_http_request_t *r, ngx_http_userid_ctx_t *ctx,
 
     p = ngx_copy(p, conf->path.data, conf->path.len);
 
+    if (conf->flags & NGX_HTTP_USERID_COOKIE_SECURE) {
+        p = ngx_cpymem(p, "; secure", sizeof("; secure") - 1);
+    }
+
+    if (conf->flags & NGX_HTTP_USERID_COOKIE_HTTPONLY) {
+        p = ngx_cpymem(p, "; httponly", sizeof("; httponly") - 1);
+    }
+
+    if (conf->flags & NGX_HTTP_USERID_COOKIE_SAMESITE_STRICT) {
+        p = ngx_cpymem(p, "; samesite=strict", sizeof("; samesite=strict") - 1);
+    }
+
+    if (conf->flags & NGX_HTTP_USERID_COOKIE_SAMESITE_LAX) {
+        p = ngx_cpymem(p, "; samesite=lax", sizeof("; samesite=lax") - 1);
+    }
+
+    if (conf->flags & NGX_HTTP_USERID_COOKIE_SAMESITE_NONE) {
+        p = ngx_cpymem(p, "; samesite=none", sizeof("; samesite=none") - 1);
+    }
+
     set_cookie = ngx_list_push(&r->headers_out.headers);
     if (set_cookie == NULL) {
         return NGX_ERROR;
@@ -658,6 +726,7 @@ ngx_http_userid_create_conf(ngx_conf_t *cf)
     /*
      * set by ngx_pcalloc():
      *
+     *     conf->flags = 0;
      *     conf->name = { 0, NULL };
      *     conf->domain = { 0, NULL };
      *     conf->path = { 0, NULL };
@@ -682,6 +751,9 @@ ngx_http_userid_merge_conf(ngx_conf_t *cf, void *parent, void *child)
     ngx_conf_merge_uint_value(conf->enable, prev->enable,
                               NGX_HTTP_USERID_OFF);
 
+    ngx_conf_merge_bitmask_value(conf->flags, prev->flags,
+                                 NGX_CONF_BITMASK_SET);
+
     ngx_conf_merge_str_value(conf->name, prev->name, "uid");
     ngx_conf_merge_str_value(conf->domain, prev->domain, "");
     ngx_conf_merge_str_value(conf->path, prev->path, "; path=/");