redict/tests/unit/moduleapi/aclcheck.tcl

set testmodule [file normalize tests/modules/aclcheck.so]

start_server {tags {"modules acl"}} {
    r module load $testmodule

    test {test module check acl for command perm} {
        # by default all commands allowed
        assert_equal [r aclcheck.rm_call.check.cmd set x 5] OK
        # block SET command for user
        r acl setuser default -set
        catch {r aclcheck.rm_call.check.cmd set x 5} e
        assert_match {*DENIED CMD*} $e

        # verify that new log entry added
        set entry [lindex [r ACL LOG] 0]
        assert {[dict get $entry username] eq {default}}
        assert {[dict get $entry context] eq {module}}
        assert {[dict get $entry object] eq {set}}
    }

    test {test module check acl for key perm} {
        # give permission for SET and block all keys but x
        r acl setuser default +set resetkeys ~x
        assert_equal [r aclcheck.set.check.key x 5] OK
        catch {r aclcheck.set.check.key y 5} e
        set e
    } {*DENIED KEY*}

    test {test module check acl for module user} {
        # the module user has access to all keys
        assert_equal [r aclcheck.rm_call.check.cmd.module.user set y 5] OK
    }

    test {test module check acl for channel perm} {
        # block all channels but ch1
        r acl setuser default resetchannels &ch1
        assert_equal [r aclcheck.publish.check.channel ch1 msg] 0
        catch {r aclcheck.publish.check.channel ch2 msg} e
        set e
    } {*DENIED CHANNEL*}

    test {test module check acl in rm_call} {
        # rm call check for key permission (x can be accessed)
        assert_equal [r aclcheck.rm_call set x 5] OK
        # rm call check for key permission (y can't be accessed)
        catch {r aclcheck.rm_call set y 5} e
        assert_match {*NOPERM*} $e

        # verify that new log entry added
        set entry [lindex [r ACL LOG] 0]
        assert {[dict get $entry username] eq {default}}
        assert {[dict get $entry context] eq {module}}
        assert {[dict get $entry object] eq {y}}

        # rm call check for command permission
        r acl setuser default -set
        catch {r aclcheck.rm_call set x 5} e
        assert_match {*NOPERM*} $e

        # verify that new log entry added
        set entry [lindex [r ACL LOG] 0]
        assert {[dict get $entry username] eq {default}}
        assert {[dict get $entry context] eq {module}}
        assert {[dict get $entry object] eq {set}}
    }
}
Adding ACL support for modules (#9309) This commit introduced a new flag to the RM_Call: 'C' - Check if the command can be executed according to the ACLs associated with it. Also, three new API's added to check if a command, key, or channel can be executed or accessed by a user, according to the ACLs associated with it. - RM_ACLCheckCommandPerm - RM_ACLCheckKeyPerm - RM_ACLCheckChannelPerm The user for these API's is a RedisModuleUser object, that for a Module user returned by the RM_CreateModuleUser API, or for a general ACL user can be retrieved by these two new API's: - RM_GetCurrentUserName - Retrieve the user name of the client connection behind the current context. - RM_GetModuleUserFromUserName - Get a RedisModuleUser from a user name As a result of getting a RedisModuleUser from name, it can now also access the general ACL users (not just ones created by the module). This mean the already existing API RM_SetModuleUserACL(), can be used to change the ACL rules for such users. 2021-09-23 01:52:56 -04:00			`set testmodule [file normalize tests/modules/aclcheck.so]`

			`start_server {tags {"modules acl"}} {`
			`r module load $testmodule`

			`test {test module check acl for command perm} {`
			`# by default all commands allowed`
			`assert_equal [r aclcheck.rm_call.check.cmd set x 5] OK`
			`# block SET command for user`
			`r acl setuser default -set`
			`catch {r aclcheck.rm_call.check.cmd set x 5} e`
			`assert_match {DENIED CMD} $e`

			`# verify that new log entry added`
			`set entry [lindex [r ACL LOG] 0]`
			`assert {[dict get $entry username] eq {default}}`
			`assert {[dict get $entry context] eq {module}}`
			`assert {[dict get $entry object] eq {set}}`
			`}`

			`test {test module check acl for key perm} {`
			`# give permission for SET and block all keys but x`
			`r acl setuser default +set resetkeys ~x`
			`assert_equal [r aclcheck.set.check.key x 5] OK`
			`catch {r aclcheck.set.check.key y 5} e`
			`set e`
			`} {DENIED KEY}`

			`test {test module check acl for module user} {`
			`# the module user has access to all keys`
			`assert_equal [r aclcheck.rm_call.check.cmd.module.user set y 5] OK`
			`}`

			`test {test module check acl for channel perm} {`
			`# block all channels but ch1`
			`r acl setuser default resetchannels &ch1`
			`assert_equal [r aclcheck.publish.check.channel ch1 msg] 0`
			`catch {r aclcheck.publish.check.channel ch2 msg} e`
			`set e`
			`} {DENIED CHANNEL}`

			`test {test module check acl in rm_call} {`
			`# rm call check for key permission (x can be accessed)`
			`assert_equal [r aclcheck.rm_call set x 5] OK`
			`# rm call check for key permission (y can't be accessed)`
			`catch {r aclcheck.rm_call set y 5} e`
			`assert_match {NOPERM} $e`

			`# verify that new log entry added`
			`set entry [lindex [r ACL LOG] 0]`
			`assert {[dict get $entry username] eq {default}}`
			`assert {[dict get $entry context] eq {module}}`
			`assert {[dict get $entry object] eq {y}}`

			`# rm call check for command permission`
			`r acl setuser default -set`
			`catch {r aclcheck.rm_call set x 5} e`
			`assert_match {NOPERM} $e`

			`# verify that new log entry added`
			`set entry [lindex [r ACL LOG] 0]`
			`assert {[dict get $entry username] eq {default}}`
			`assert {[dict get $entry context] eq {module}}`
			`assert {[dict get $entry object] eq {set}}`
			`}`
			`}`