mirror of
https://codeberg.org/redict/redict.git
synced 2025-01-23 08:38:27 -05:00
71204f9632
This implements the following main pieces of functionality: * Renames key spec "CHANNEL" to be "NOT_KEY", and update the documentation to indicate it's for cluster routing and not for any other key related purpose. * Add the getchannels-api, so that modules can now define commands that are subject to ACL channel permission checks. * Add 4 new flags that describe how a module interacts with a command (SUBSCRIBE, PUBLISH, UNSUBSCRIBE, and PATTERN). They are all technically composable, however not sure how a command could both subscribe and unsubscribe from a command at once, but didn't see a reason to add explicit validation there. * Add two new module apis RM_ChannelAtPosWithFlags and RM_IsChannelsPositionRequest to duplicate the functionality provided by the keys position APIs. * The RM_ACLCheckChannelPermissions (only released in 7.0 RC1) was changed to take flags rather than a boolean literal. * The RM_ACLCheckKeyPermissions (only released in 7.0 RC1) was changed to take flags corresponding to keyspecs instead of custom permission flags. These keyspec flags mimic the flags for ACLCheckChannelPermissions.
92 lines
3.4 KiB
Tcl
92 lines
3.4 KiB
Tcl
set testmodule [file normalize tests/modules/aclcheck.so]
|
|
|
|
start_server {tags {"modules acl"}} {
|
|
r module load $testmodule
|
|
|
|
test {test module check acl for command perm} {
|
|
# by default all commands allowed
|
|
assert_equal [r aclcheck.rm_call.check.cmd set x 5] OK
|
|
# block SET command for user
|
|
r acl setuser default -set
|
|
catch {r aclcheck.rm_call.check.cmd set x 5} e
|
|
assert_match {*DENIED CMD*} $e
|
|
|
|
# verify that new log entry added
|
|
set entry [lindex [r ACL LOG] 0]
|
|
assert {[dict get $entry username] eq {default}}
|
|
assert {[dict get $entry context] eq {module}}
|
|
assert {[dict get $entry object] eq {set}}
|
|
}
|
|
|
|
test {test module check acl for key perm} {
|
|
# give permission for SET and block all keys but x(READ+WRITE), y(WRITE), z(READ)
|
|
r acl setuser default +set resetkeys ~x %W~y %R~z
|
|
|
|
assert_equal [r aclcheck.set.check.key "*" x 5] OK
|
|
catch {r aclcheck.set.check.key "*" v 5} e
|
|
assert_match "*DENIED KEY*" $e
|
|
|
|
assert_equal [r aclcheck.set.check.key "~" x 5] OK
|
|
assert_equal [r aclcheck.set.check.key "~" y 5] OK
|
|
assert_equal [r aclcheck.set.check.key "~" z 5] OK
|
|
catch {r aclcheck.set.check.key "~" v 5} e
|
|
assert_match "*DENIED KEY*" $e
|
|
|
|
assert_equal [r aclcheck.set.check.key "W" y 5] OK
|
|
catch {r aclcheck.set.check.key "W" v 5} e
|
|
assert_match "*DENIED KEY*" $e
|
|
|
|
assert_equal [r aclcheck.set.check.key "R" z 5] OK
|
|
catch {r aclcheck.set.check.key "R" v 5} e
|
|
assert_match "*DENIED KEY*" $e
|
|
}
|
|
|
|
test {test module check acl for module user} {
|
|
# the module user has access to all keys
|
|
assert_equal [r aclcheck.rm_call.check.cmd.module.user set y 5] OK
|
|
}
|
|
|
|
test {test module check acl for channel perm} {
|
|
# block all channels but ch1
|
|
r acl setuser default resetchannels &ch1
|
|
assert_equal [r aclcheck.publish.check.channel ch1 msg] 0
|
|
catch {r aclcheck.publish.check.channel ch2 msg} e
|
|
set e
|
|
} {*DENIED CHANNEL*}
|
|
|
|
test {test module check acl in rm_call} {
|
|
# rm call check for key permission (x: READ + WRITE)
|
|
assert_equal [r aclcheck.rm_call set x 5] OK
|
|
assert_equal [r aclcheck.rm_call set x 6 get] 5
|
|
|
|
# rm call check for key permission (y: only WRITE)
|
|
assert_equal [r aclcheck.rm_call set y 5] OK
|
|
assert_error {*NOPERM*} {r aclcheck.rm_call set y 5 get}
|
|
|
|
# rm call check for key permission (z: only READ)
|
|
assert_error {*NOPERM*} {r aclcheck.rm_call set z 5}
|
|
assert_error {*NOPERM*} {r aclcheck.rm_call set z 6 get}
|
|
|
|
# verify that new log entry added
|
|
set entry [lindex [r ACL LOG] 0]
|
|
assert {[dict get $entry username] eq {default}}
|
|
assert {[dict get $entry context] eq {module}}
|
|
assert {[dict get $entry object] eq {z}}
|
|
|
|
# rm call check for command permission
|
|
r acl setuser default -set
|
|
catch {r aclcheck.rm_call set x 5} e
|
|
assert_match {*NOPERM*} $e
|
|
|
|
# verify that new log entry added
|
|
set entry [lindex [r ACL LOG] 0]
|
|
assert {[dict get $entry username] eq {default}}
|
|
assert {[dict get $entry context] eq {module}}
|
|
assert {[dict get $entry object] eq {set}}
|
|
}
|
|
|
|
test "Unload the module - aclcheck" {
|
|
assert_equal {OK} [r module unload aclcheck]
|
|
}
|
|
}
|