redict/tests/unit/auth.tcl

# SPDX-FileCopyrightText: 2024 Redict Contributors
# SPDX-FileCopyrightText: 2024 Salvatore Sanfilippo <antirez at gmail dot com>
#
# SPDX-License-Identifier: BSD-3-Clause
# SPDX-License-Identifier: LGPL-3.0-only

start_server {tags {"auth external:skip"}} {
    test {AUTH fails if there is no password configured server side} {
        catch {r auth foo} err
        set _ $err
    } {ERR *any password*}

    test {Arity check for auth command} {
        catch {r auth a b c} err
        set _ $err
    } {*syntax error*}
}

start_server {tags {"auth external:skip"} overrides {requirepass foobar}} {
    test {AUTH fails when a wrong password is given} {
        catch {r auth wrong!} err
        set _ $err
    } {WRONGPASS*}

    test {Arbitrary command gives an error when AUTH is required} {
        catch {r set foo bar} err
        set _ $err
    } {NOAUTH*}

    test {AUTH succeeds when the right password is given} {
        r auth foobar
    } {OK}

    test {Once AUTH succeeded we can actually send commands to the server} {
        r set foo 100
        r incr foo
    } {101}

    test {For unauthenticated clients multibulk and bulk length are limited} {
        set rr [redict [srv "host"] [srv "port"] 0 $::tls]
        $rr write "*100\r\n"
        $rr flush
        catch {[$rr read]} e
        assert_match {*unauthenticated multibulk length*} $e
        $rr close

        set rr [redict [srv "host"] [srv "port"] 0 $::tls]
        $rr write "*1\r\n\$100000000\r\n"
        $rr flush
        catch {[$rr read]} e
        assert_match {*unauthenticated bulk length*} $e
        $rr close
    }
}

start_server {tags {"auth_binary_password external:skip"}} {
    test {AUTH fails when binary password is wrong} {
        r config set requirepass "abc\x00def"
        catch {r auth abc} err
        set _ $err
    } {WRONGPASS*}

    test {AUTH succeeds when binary password is correct} {
        r config set requirepass "abc\x00def"
        r auth "abc\x00def"
    } {OK}

    start_server {tags {"masterauth"}} {
        set master [srv -1 client]
        set master_host [srv -1 host]
        set master_port [srv -1 port]
        set slave [srv 0 client]

        test {MASTERAUTH test with binary password} {
            $master config set requirepass "abc\x00def"

            # Configure the replica with masterauth
            set loglines [count_log_lines 0]
            $slave config set masterauth "abc"
            $slave slaveof $master_host $master_port

            # Verify replica is not able to sync with master
            wait_for_log_messages 0 {"*Unable to AUTH to MASTER*"} $loglines 1000 10
            assert_equal {down} [s 0 master_link_status]
            
            # Test replica with the correct masterauth
            $slave config set masterauth "abc\x00def"
            wait_for_condition 50 100 {
                [s 0 master_link_status] eq {up}
            } else {
                fail "Can't turn the instance into a replica"
            }
        }
    }
}
all: use REUSE for license management 2024-03-21 09:30:47 -04:00			`# SPDX-FileCopyrightText: 2024 Redict Contributors`
			`# SPDX-FileCopyrightText: 2024 Salvatore Sanfilippo <antirez at gmail dot com>`
			`#`
			`# SPDX-License-Identifier: BSD-3-Clause`
all: let's go LGPL over GPL Based on feedback from interested parties 2024-03-21 15:11:44 -04:00			`# SPDX-License-Identifier: LGPL-3.0-only`
all: use REUSE for license management 2024-03-21 09:30:47 -04:00
Improve test suite to handle external servers better. (#9033) This commit revives the improves the ability to run the test suite against external servers, instead of launching and managing `redis-server` processes as part of the test fixture. This capability existed in the past, using the `--host` and `--port` options. However, it was quite limited and mostly useful when running a specific tests. Attempting to run larger chunks of the test suite experienced many issues: * Many tests depend on being able to start and control `redis-server` themselves, and there's no clear distinction between external server compatible and other tests. * Cluster mode is not supported (resulting with `CROSSSLOT` errors). This PR cleans up many things and makes it possible to run the entire test suite against an external server. It also provides more fine grained controls to handle cases where the external server supports a subset of the Redis commands, limited number of databases, cluster mode, etc. The tests directory now contains a `README.md` file that describes how this works. This commit also includes additional cleanups and fixes: * Tests can now be tagged. * Tag-based selection is now unified across `start_server`, `tags` and `test`. * More information is provided about skipped or ignored tests. * Repeated patterns in tests have been extracted to common procedures, both at a global level and on a per-test file basis. * Cleaned up some cases where test setup was based on a previous test executing (a major anti-pattern that repeats itself in many places). * Cleaned up some cases where test teardown was not part of a test (in the future we should have dedicated teardown code that executes even when tests fail). * Fixed some tests that were flaky running on external servers. 2021-06-09 08:13:24 -04:00			`start_server {tags {"auth external:skip"}} {`
Fix for issue #132. Now AUTH raises an error if no server password is configured. 2011-10-10 16:21:17 -04:00			`test {AUTH fails if there is no password configured server side} {`
			`catch {r auth foo} err`
			`set _ $err`
Fix incorrect error code for eval scripts and fix test error checking (#10575) By the convention of errors, there is supposed to be a space between the code and the name. While looking at some lua stuff I noticed that interpreter errors were not adding the space, so some clients will try to map the detailed error message into the error. We have tests that hit this condition, but they were just checking that the string "starts" with ERR. I updated some other tests with similar incorrect string checking. This isn't complete though, as there are other ways we check for ERR I didn't fix. Produces some fun output like: ``` # Errorstats errorstat_ERR:count=1 errorstat_ERRuser_script_1_:count=1 ``` 2022-04-14 04:18:32 -04:00			`} {ERR any password}`
Add AUTH arity test (#10266) Add test for AUTH with too many arguments 2022-02-09 15:09:20 -05:00
			`test {Arity check for auth command} {`
			`catch {r auth a b c} err`
			`set _ $err`
			`} {syntax error}`
Fix for issue #132. Now AUTH raises an error if no server password is configured. 2011-10-10 16:21:17 -04:00			`}`

Improve test suite to handle external servers better. (#9033) This commit revives the improves the ability to run the test suite against external servers, instead of launching and managing `redis-server` processes as part of the test fixture. This capability existed in the past, using the `--host` and `--port` options. However, it was quite limited and mostly useful when running a specific tests. Attempting to run larger chunks of the test suite experienced many issues: * Many tests depend on being able to start and control `redis-server` themselves, and there's no clear distinction between external server compatible and other tests. * Cluster mode is not supported (resulting with `CROSSSLOT` errors). This PR cleans up many things and makes it possible to run the entire test suite against an external server. It also provides more fine grained controls to handle cases where the external server supports a subset of the Redis commands, limited number of databases, cluster mode, etc. The tests directory now contains a `README.md` file that describes how this works. This commit also includes additional cleanups and fixes: * Tests can now be tagged. * Tag-based selection is now unified across `start_server`, `tags` and `test`. * More information is provided about skipped or ignored tests. * Repeated patterns in tests have been extracted to common procedures, both at a global level and on a per-test file basis. * Cleaned up some cases where test setup was based on a previous test executing (a major anti-pattern that repeats itself in many places). * Cleaned up some cases where test teardown was not part of a test (in the future we should have dedicated teardown code that executes even when tests fail). * Fixed some tests that were flaky running on external servers. 2021-06-09 08:13:24 -04:00			`start_server {tags {"auth external:skip"} overrides {requirepass foobar}} {`
split test suite into multiple files; runs redis-server in isolation 2010-05-14 11:31:11 -04:00			`test {AUTH fails when a wrong password is given} {`
			`catch {r auth wrong!} err`
Fix for issue #132. Now AUTH raises an error if no server password is configured. 2011-10-10 16:21:17 -04:00			`set _ $err`
ACL: AUTH + no default user password raises an error. This way the behavior is very similar to the past one. This is useful in order to remember the user she probably failed to configure a password correctly. 2019-01-17 12:30:23 -05:00			`} {WRONGPASS*}`
Remove trailing spaces from tests 2014-07-31 14:39:49 -04:00
split test suite into multiple files; runs redis-server in isolation 2010-05-14 11:31:11 -04:00			`test {Arbitrary command gives an error when AUTH is required} {`
			`catch {r set foo bar} err`
Fix for issue #132. Now AUTH raises an error if no server password is configured. 2011-10-10 16:21:17 -04:00			`set _ $err`
Return a specific NOAUTH error if authentication is required. 2013-02-12 10:25:41 -05:00			`} {NOAUTH*}`
split test suite into multiple files; runs redis-server in isolation 2010-05-14 11:31:11 -04:00
			`test {AUTH succeeds when the right password is given} {`
			`r auth foobar`
			`} {OK}`
Fix for issue #132. Now AUTH raises an error if no server password is configured. 2011-10-10 16:21:17 -04:00
			`test {Once AUTH succeeded we can actually send commands to the server} {`
			`r set foo 100`
			`r incr foo`
			`} {101}`
Prevent unauthenticated client from easily consuming lots of memory (CVE-2021-32675) (#9588) This change sets a low limit for multibulk and bulk length in the protocol for unauthenticated connections, so that they can't easily cause redis to allocate massive amounts of memory by sending just a few characters on the network. The new limits are 10 arguments of 16kb each (instead of 1m of 512mb) 2021-10-04 05:10:31 -04:00
			`test {For unauthenticated clients multibulk and bulk length are limited} {`
Working test suite under the Redict name 2024-03-21 05:56:59 -04:00			`set rr [redict [srv "host"] [srv "port"] 0 $::tls]`
Prevent unauthenticated client from easily consuming lots of memory (CVE-2021-32675) (#9588) This change sets a low limit for multibulk and bulk length in the protocol for unauthenticated connections, so that they can't easily cause redis to allocate massive amounts of memory by sending just a few characters on the network. The new limits are 10 arguments of 16kb each (instead of 1m of 512mb) 2021-10-04 05:10:31 -04:00			`$rr write "*100\r\n"`
			`$rr flush`
			`catch {[$rr read]} e`
			`assert_match {unauthenticated multibulk length} $e`
			`$rr close`

Working test suite under the Redict name 2024-03-21 05:56:59 -04:00			`set rr [redict [srv "host"] [srv "port"] 0 $::tls]`
Prevent unauthenticated client from easily consuming lots of memory (CVE-2021-32675) (#9588) This change sets a low limit for multibulk and bulk length in the protocol for unauthenticated connections, so that they can't easily cause redis to allocate massive amounts of memory by sending just a few characters on the network. The new limits are 10 arguments of 16kb each (instead of 1m of 512mb) 2021-10-04 05:10:31 -04:00			`$rr write "*1\r\n\$100000000\r\n"`
			`$rr flush`
			`catch {[$rr read]} e`
			`assert_match {unauthenticated bulk length} $e`
			`$rr close`
			`}`
split test suite into multiple files; runs redis-server in isolation 2010-05-14 11:31:11 -04:00			`}`
Handle binary safe string for REQUIREPASS and MASTERAUTH directives (#8200) * Handle binary safe string for REQUIREPASS and MASTERAUTH directives. 2020-12-17 12:26:33 -05:00
Improve test suite to handle external servers better. (#9033) This commit revives the improves the ability to run the test suite against external servers, instead of launching and managing `redis-server` processes as part of the test fixture. This capability existed in the past, using the `--host` and `--port` options. However, it was quite limited and mostly useful when running a specific tests. Attempting to run larger chunks of the test suite experienced many issues: * Many tests depend on being able to start and control `redis-server` themselves, and there's no clear distinction between external server compatible and other tests. * Cluster mode is not supported (resulting with `CROSSSLOT` errors). This PR cleans up many things and makes it possible to run the entire test suite against an external server. It also provides more fine grained controls to handle cases where the external server supports a subset of the Redis commands, limited number of databases, cluster mode, etc. The tests directory now contains a `README.md` file that describes how this works. This commit also includes additional cleanups and fixes: * Tests can now be tagged. * Tag-based selection is now unified across `start_server`, `tags` and `test`. * More information is provided about skipped or ignored tests. * Repeated patterns in tests have been extracted to common procedures, both at a global level and on a per-test file basis. * Cleaned up some cases where test setup was based on a previous test executing (a major anti-pattern that repeats itself in many places). * Cleaned up some cases where test teardown was not part of a test (in the future we should have dedicated teardown code that executes even when tests fail). * Fixed some tests that were flaky running on external servers. 2021-06-09 08:13:24 -04:00			`start_server {tags {"auth_binary_password external:skip"}} {`
Handle binary safe string for REQUIREPASS and MASTERAUTH directives (#8200) * Handle binary safe string for REQUIREPASS and MASTERAUTH directives. 2020-12-17 12:26:33 -05:00			`test {AUTH fails when binary password is wrong} {`
			`r config set requirepass "abc\x00def"`
			`catch {r auth abc} err`
			`set _ $err`
			`} {WRONGPASS*}`

			`test {AUTH succeeds when binary password is correct} {`
			`r config set requirepass "abc\x00def"`
			`r auth "abc\x00def"`
			`} {OK}`

			`start_server {tags {"masterauth"}} {`
			`set master [srv -1 client]`
			`set master_host [srv -1 host]`
			`set master_port [srv -1 port]`
			`set slave [srv 0 client]`

			`test {MASTERAUTH test with binary password} {`
			`$master config set requirepass "abc\x00def"`

			`# Configure the replica with masterauth`
			`set loglines [count_log_lines 0]`
			`$slave config set masterauth "abc"`
Fix race condition in tests/unit/auth.tcl (#12444) Changing the masterauth while turning into a replica is racy. Turn into replica after changing the masterauth instead. 2023-08-01 11:03:33 -04:00			`$slave slaveof $master_host $master_port`
Handle binary safe string for REQUIREPASS and MASTERAUTH directives (#8200) * Handle binary safe string for REQUIREPASS and MASTERAUTH directives. 2020-12-17 12:26:33 -05:00
			`# Verify replica is not able to sync with master`
			`wait_for_log_messages 0 {"Unable to AUTH to MASTER"} $loglines 1000 10`
			`assert_equal {down} [s 0 master_link_status]`

			`# Test replica with the correct masterauth`
			`$slave config set masterauth "abc\x00def"`
			`wait_for_condition 50 100 {`
			`[s 0 master_link_status] eq {up}`
			`} else {`
			`fail "Can't turn the instance into a replica"`
			`}`
			`}`
			`}`
			`}`