redict/tests/unit/auth.tcl

start_server {tags {"auth external:skip"}} {
    test {AUTH fails if there is no password configured server side} {
        catch {r auth foo} err
        set _ $err
    } {ERR*any password*}
}

start_server {tags {"auth external:skip"} overrides {requirepass foobar}} {
    test {AUTH fails when a wrong password is given} {
        catch {r auth wrong!} err
        set _ $err
    } {WRONGPASS*}

    test {Arbitrary command gives an error when AUTH is required} {
        catch {r set foo bar} err
        set _ $err
    } {NOAUTH*}

    test {AUTH succeeds when the right password is given} {
        r auth foobar
    } {OK}

    test {Once AUTH succeeded we can actually send commands to the server} {
        r set foo 100
        r incr foo
    } {101}

    test {For unauthenticated clients multibulk and bulk length are limited} {
        set rr [redis [srv "host"] [srv "port"] 0 $::tls]
        $rr write "*100\r\n"
        $rr flush
        catch {[$rr read]} e
        assert_match {*unauthenticated multibulk length*} $e
        $rr close

        set rr [redis [srv "host"] [srv "port"] 0 $::tls]
        $rr write "*1\r\n\$100000000\r\n"
        $rr flush
        catch {[$rr read]} e
        assert_match {*unauthenticated bulk length*} $e
        $rr close
    }
}

start_server {tags {"auth_binary_password external:skip"}} {
    test {AUTH fails when binary password is wrong} {
        r config set requirepass "abc\x00def"
        catch {r auth abc} err
        set _ $err
    } {WRONGPASS*}

    test {AUTH succeeds when binary password is correct} {
        r config set requirepass "abc\x00def"
        r auth "abc\x00def"
    } {OK}

    start_server {tags {"masterauth"}} {
        set master [srv -1 client]
        set master_host [srv -1 host]
        set master_port [srv -1 port]
        set slave [srv 0 client]

        test {MASTERAUTH test with binary password} {
            $master config set requirepass "abc\x00def"

            # Configure the replica with masterauth
            set loglines [count_log_lines 0]
            $slave slaveof $master_host $master_port
            $slave config set masterauth "abc"

            # Verify replica is not able to sync with master
            wait_for_log_messages 0 {"*Unable to AUTH to MASTER*"} $loglines 1000 10
            assert_equal {down} [s 0 master_link_status]
            
            # Test replica with the correct masterauth
            $slave config set masterauth "abc\x00def"
            wait_for_condition 50 100 {
                [s 0 master_link_status] eq {up}
            } else {
                fail "Can't turn the instance into a replica"
            }
        }
    }
}
Improve test suite to handle external servers better. (#9033) This commit revives the improves the ability to run the test suite against external servers, instead of launching and managing `redis-server` processes as part of the test fixture. This capability existed in the past, using the `--host` and `--port` options. However, it was quite limited and mostly useful when running a specific tests. Attempting to run larger chunks of the test suite experienced many issues: * Many tests depend on being able to start and control `redis-server` themselves, and there's no clear distinction between external server compatible and other tests. * Cluster mode is not supported (resulting with `CROSSSLOT` errors). This PR cleans up many things and makes it possible to run the entire test suite against an external server. It also provides more fine grained controls to handle cases where the external server supports a subset of the Redis commands, limited number of databases, cluster mode, etc. The tests directory now contains a `README.md` file that describes how this works. This commit also includes additional cleanups and fixes: * Tests can now be tagged. * Tag-based selection is now unified across `start_server`, `tags` and `test`. * More information is provided about skipped or ignored tests. * Repeated patterns in tests have been extracted to common procedures, both at a global level and on a per-test file basis. * Cleaned up some cases where test setup was based on a previous test executing (a major anti-pattern that repeats itself in many places). * Cleaned up some cases where test teardown was not part of a test (in the future we should have dedicated teardown code that executes even when tests fail). * Fixed some tests that were flaky running on external servers. 2021-06-09 08:13:24 -04:00			`start_server {tags {"auth external:skip"}} {`
Fix for issue #132. Now AUTH raises an error if no server password is configured. 2011-10-10 16:21:17 -04:00			`test {AUTH fails if there is no password configured server side} {`
			`catch {r auth foo} err`
			`set _ $err`
ACL: AUTH + no default user password raises an error. This way the behavior is very similar to the past one. This is useful in order to remember the user she probably failed to configure a password correctly. 2019-01-17 12:30:23 -05:00			`} {ERRany password}`
Fix for issue #132. Now AUTH raises an error if no server password is configured. 2011-10-10 16:21:17 -04:00			`}`

Improve test suite to handle external servers better. (#9033) This commit revives the improves the ability to run the test suite against external servers, instead of launching and managing `redis-server` processes as part of the test fixture. This capability existed in the past, using the `--host` and `--port` options. However, it was quite limited and mostly useful when running a specific tests. Attempting to run larger chunks of the test suite experienced many issues: * Many tests depend on being able to start and control `redis-server` themselves, and there's no clear distinction between external server compatible and other tests. * Cluster mode is not supported (resulting with `CROSSSLOT` errors). This PR cleans up many things and makes it possible to run the entire test suite against an external server. It also provides more fine grained controls to handle cases where the external server supports a subset of the Redis commands, limited number of databases, cluster mode, etc. The tests directory now contains a `README.md` file that describes how this works. This commit also includes additional cleanups and fixes: * Tests can now be tagged. * Tag-based selection is now unified across `start_server`, `tags` and `test`. * More information is provided about skipped or ignored tests. * Repeated patterns in tests have been extracted to common procedures, both at a global level and on a per-test file basis. * Cleaned up some cases where test setup was based on a previous test executing (a major anti-pattern that repeats itself in many places). * Cleaned up some cases where test teardown was not part of a test (in the future we should have dedicated teardown code that executes even when tests fail). * Fixed some tests that were flaky running on external servers. 2021-06-09 08:13:24 -04:00			`start_server {tags {"auth external:skip"} overrides {requirepass foobar}} {`
split test suite into multiple files; runs redis-server in isolation 2010-05-14 11:31:11 -04:00			`test {AUTH fails when a wrong password is given} {`
			`catch {r auth wrong!} err`
Fix for issue #132. Now AUTH raises an error if no server password is configured. 2011-10-10 16:21:17 -04:00			`set _ $err`
ACL: AUTH + no default user password raises an error. This way the behavior is very similar to the past one. This is useful in order to remember the user she probably failed to configure a password correctly. 2019-01-17 12:30:23 -05:00			`} {WRONGPASS*}`
Remove trailing spaces from tests 2014-07-31 14:39:49 -04:00
split test suite into multiple files; runs redis-server in isolation 2010-05-14 11:31:11 -04:00			`test {Arbitrary command gives an error when AUTH is required} {`
			`catch {r set foo bar} err`
Fix for issue #132. Now AUTH raises an error if no server password is configured. 2011-10-10 16:21:17 -04:00			`set _ $err`
Return a specific NOAUTH error if authentication is required. 2013-02-12 10:25:41 -05:00			`} {NOAUTH*}`
split test suite into multiple files; runs redis-server in isolation 2010-05-14 11:31:11 -04:00
			`test {AUTH succeeds when the right password is given} {`
			`r auth foobar`
			`} {OK}`
Fix for issue #132. Now AUTH raises an error if no server password is configured. 2011-10-10 16:21:17 -04:00
			`test {Once AUTH succeeded we can actually send commands to the server} {`
			`r set foo 100`
			`r incr foo`
			`} {101}`
Prevent unauthenticated client from easily consuming lots of memory (CVE-2021-32675) (#9588) This change sets a low limit for multibulk and bulk length in the protocol for unauthenticated connections, so that they can't easily cause redis to allocate massive amounts of memory by sending just a few characters on the network. The new limits are 10 arguments of 16kb each (instead of 1m of 512mb) 2021-10-04 05:10:31 -04:00
			`test {For unauthenticated clients multibulk and bulk length are limited} {`
			`set rr [redis [srv "host"] [srv "port"] 0 $::tls]`
			`$rr write "*100\r\n"`
			`$rr flush`
			`catch {[$rr read]} e`
			`assert_match {unauthenticated multibulk length} $e`
			`$rr close`

			`set rr [redis [srv "host"] [srv "port"] 0 $::tls]`
			`$rr write "*1\r\n\$100000000\r\n"`
			`$rr flush`
			`catch {[$rr read]} e`
			`assert_match {unauthenticated bulk length} $e`
			`$rr close`
			`}`
split test suite into multiple files; runs redis-server in isolation 2010-05-14 11:31:11 -04:00			`}`
Handle binary safe string for REQUIREPASS and MASTERAUTH directives (#8200) * Handle binary safe string for REQUIREPASS and MASTERAUTH directives. 2020-12-17 12:26:33 -05:00
Improve test suite to handle external servers better. (#9033) This commit revives the improves the ability to run the test suite against external servers, instead of launching and managing `redis-server` processes as part of the test fixture. This capability existed in the past, using the `--host` and `--port` options. However, it was quite limited and mostly useful when running a specific tests. Attempting to run larger chunks of the test suite experienced many issues: * Many tests depend on being able to start and control `redis-server` themselves, and there's no clear distinction between external server compatible and other tests. * Cluster mode is not supported (resulting with `CROSSSLOT` errors). This PR cleans up many things and makes it possible to run the entire test suite against an external server. It also provides more fine grained controls to handle cases where the external server supports a subset of the Redis commands, limited number of databases, cluster mode, etc. The tests directory now contains a `README.md` file that describes how this works. This commit also includes additional cleanups and fixes: * Tests can now be tagged. * Tag-based selection is now unified across `start_server`, `tags` and `test`. * More information is provided about skipped or ignored tests. * Repeated patterns in tests have been extracted to common procedures, both at a global level and on a per-test file basis. * Cleaned up some cases where test setup was based on a previous test executing (a major anti-pattern that repeats itself in many places). * Cleaned up some cases where test teardown was not part of a test (in the future we should have dedicated teardown code that executes even when tests fail). * Fixed some tests that were flaky running on external servers. 2021-06-09 08:13:24 -04:00			`start_server {tags {"auth_binary_password external:skip"}} {`
Handle binary safe string for REQUIREPASS and MASTERAUTH directives (#8200) * Handle binary safe string for REQUIREPASS and MASTERAUTH directives. 2020-12-17 12:26:33 -05:00			`test {AUTH fails when binary password is wrong} {`
			`r config set requirepass "abc\x00def"`
			`catch {r auth abc} err`
			`set _ $err`
			`} {WRONGPASS*}`

			`test {AUTH succeeds when binary password is correct} {`
			`r config set requirepass "abc\x00def"`
			`r auth "abc\x00def"`
			`} {OK}`

			`start_server {tags {"masterauth"}} {`
			`set master [srv -1 client]`
			`set master_host [srv -1 host]`
			`set master_port [srv -1 port]`
			`set slave [srv 0 client]`

			`test {MASTERAUTH test with binary password} {`
			`$master config set requirepass "abc\x00def"`

			`# Configure the replica with masterauth`
			`set loglines [count_log_lines 0]`
			`$slave slaveof $master_host $master_port`
			`$slave config set masterauth "abc"`

			`# Verify replica is not able to sync with master`
			`wait_for_log_messages 0 {"Unable to AUTH to MASTER"} $loglines 1000 10`
			`assert_equal {down} [s 0 master_link_status]`

			`# Test replica with the correct masterauth`
			`$slave config set masterauth "abc\x00def"`
			`wait_for_condition 50 100 {`
			`[s 0 master_link_status] eq {up}`
			`} else {`
			`fail "Can't turn the instance into a replica"`
			`}`
			`}`
			`}`
			`}`