mirror of
https://codeberg.org/redict/redict.git
synced 2025-01-22 16:18:28 -05:00
f8a5a4f70c
This change adds new module callbacks that can override the default password based authentication associated with ACLs. With this, Modules can register auth callbacks through which they can implement their own Authentication logic. When `AUTH` and `HELLO AUTH ...` commands are used, Module based authentication is attempted and then normal password based authentication is attempted if needed.
The new Module APIs added in this PR are - `RM_RegisterCustomAuthCallback` and `RM_BlockClientOnAuth` and `RedisModule_ACLAddLogEntryByUserName `.
Module based authentication will be attempted for all Redis users (created through the ACL SETUSER cmd or through Module APIs) even if the Redis user does not exist at the time of the command. This gives a chance for the Module to create the RedisModule user and then authenticate via the RedisModule API - from the custom auth callback.
For the AUTH command, we will support both variations - `AUTH <username> <password>` and `AUTH <password>`. In case of the `AUTH <password>` variation, the custom auth callbacks are triggered with “default” as the username and password as what is provided.
### RedisModule_RegisterCustomAuthCallback
```
void RM_RegisterCustomAuthCallback(RedisModuleCtx *ctx, RedisModuleCustomAuthCallback cb) {
```
This API registers a callback to execute to prior to normal password based authentication. Multiple callbacks can be registered across different modules. These callbacks are responsible for either handling the authentication, each authenticating the user or explicitly denying, or deferring it to other authentication mechanisms. Callbacks are triggered in the order they were registered. When a Module is unloaded, all the auth callbacks registered by it are unregistered. The callbacks are attempted, in the order of most recently registered callbacks, when the AUTH/HELLO (with AUTH field is provided) commands are called. The callbacks will be called with a module context along with a username and a password, and are expected to take one of the following actions:
(1) Authenticate - Use the RM_Authenticate* API successfully and return `REDISMODULE_AUTH_HANDLED`. This will immediately end the auth chain as successful and add the OK reply.
(2) Block a client on authentication - Use the `RM_BlockClientOnAuth` API and return `REDISMODULE_AUTH_HANDLED`. Here, the client will be blocked until the `RM_UnblockClient `API is used which will trigger the auth reply callback (provided earlier through the `RM_BlockClientOnAuth`). In this reply callback, the Module should authenticate, deny or skip handling authentication.
(3) Deny Authentication - Return `REDISMODULE_AUTH_HANDLED` without authenticating or blocking the client. Optionally, `err` can be set to a custom error message. This will immediately end the auth chain as unsuccessful and add the ERR reply.
(4) Skip handling Authentication - Return `REDISMODULE_AUTH_NOT_HANDLED` without blocking the client. This will allow the engine to attempt the next custom auth callback.
If none of the callbacks authenticate or deny auth, then password based auth is attempted and will authenticate or add failure logs and reply to the clients accordingly.
### RedisModule_BlockClientOnAuth
```
RedisModuleBlockedClient *RM_BlockClientOnAuth(RedisModuleCtx *ctx, RedisModuleCustomAuthCallback reply_callback,
void (*free_privdata)(RedisModuleCtx*,void*))
```
This API can only be used from a Module from the custom auth callback. If a client is not in the middle of custom module based authentication, ERROR is returned. Otherwise, the client is blocked and the `RedisModule_BlockedClient` is returned similar to the `RedisModule_BlockClient` API.
### RedisModule_ACLAddLogEntryByUserName
```
int RM_ACLAddLogEntryByUserName(RedisModuleCtx *ctx, RedisModuleString *username, RedisModuleString *object, RedisModuleACLLogEntryReason reason)
```
Adds a new entry in the ACL log with the `username` RedisModuleString provided. This simplifies the Module usage because now, developers do not need to create a Module User just to add an error ACL Log entry. Aside from accepting username (RedisModuleString) instead of a RedisModuleUser, it is the same as the existing `RedisModule_ACLAddLogEntry` API.
### Breaking changes
- HELLO command - Clients can now only set the client name and RESP protocol from the `HELLO` command if they are authenticated. Also, we now finish command arg validation first and return early with a ERR reply if any arg is invalid. This is to avoid mutating the client name / RESP from a command that would have failed on invalid arguments.
### Notable behaviors
- Module unblocking - Now, we will not allow Modules to block the client from inside the context of a reply callback (triggered from the Module unblock flow `moduleHandleBlockedClients`).
---------
Co-authored-by: Madelyn Olson <34459052+madolson@users.noreply.github.com>
1139 lines
43 KiB
Tcl
1139 lines
43 KiB
Tcl
start_server {tags {"acl external:skip"}} {
|
|
test {Connections start with the default user} {
|
|
r ACL WHOAMI
|
|
} {default}
|
|
|
|
test {It is possible to create new users} {
|
|
r ACL setuser newuser
|
|
}
|
|
|
|
test {Coverage: ACL USERS} {
|
|
r ACL USERS
|
|
} {default newuser}
|
|
|
|
test {Usernames can not contain spaces or null characters} {
|
|
catch {r ACL setuser "a a"} err
|
|
set err
|
|
} {*Usernames can't contain spaces or null characters*}
|
|
|
|
test {New users start disabled} {
|
|
r ACL setuser newuser >passwd1
|
|
catch {r AUTH newuser passwd1} err
|
|
set err
|
|
} {*WRONGPASS*}
|
|
|
|
test {Enabling the user allows the login} {
|
|
r ACL setuser newuser on +acl
|
|
r AUTH newuser passwd1
|
|
r ACL WHOAMI
|
|
} {newuser}
|
|
|
|
test {Only the set of correct passwords work} {
|
|
r ACL setuser newuser >passwd2
|
|
catch {r AUTH newuser passwd1} e
|
|
assert {$e eq "OK"}
|
|
catch {r AUTH newuser passwd2} e
|
|
assert {$e eq "OK"}
|
|
catch {r AUTH newuser passwd3} e
|
|
set e
|
|
} {*WRONGPASS*}
|
|
|
|
test {It is possible to remove passwords from the set of valid ones} {
|
|
r ACL setuser newuser <passwd1
|
|
catch {r AUTH newuser passwd1} e
|
|
set e
|
|
} {*WRONGPASS*}
|
|
|
|
test {Test password hashes can be added} {
|
|
r ACL setuser newuser #34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e6
|
|
catch {r AUTH newuser passwd4} e
|
|
assert {$e eq "OK"}
|
|
}
|
|
|
|
test {Test password hashes validate input} {
|
|
# Validate Length
|
|
catch {r ACL setuser newuser #34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e} e
|
|
# Validate character outside set
|
|
catch {r ACL setuser newuser #34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4eq} e
|
|
set e
|
|
} {*Error in ACL SETUSER modifier*}
|
|
|
|
test {ACL GETUSER returns the password hash instead of the actual password} {
|
|
set passstr [dict get [r ACL getuser newuser] passwords]
|
|
assert_match {*34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e6*} $passstr
|
|
assert_no_match {*passwd4*} $passstr
|
|
}
|
|
|
|
test {Test hashed passwords removal} {
|
|
r ACL setuser newuser !34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e6
|
|
set passstr [dict get [r ACL getuser newuser] passwords]
|
|
assert_no_match {*34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e6*} $passstr
|
|
}
|
|
|
|
test {By default users are not able to access any command} {
|
|
catch {r SET foo bar} e
|
|
set e
|
|
} {*NOPERM*set*}
|
|
|
|
test {By default users are not able to access any key} {
|
|
r ACL setuser newuser +set
|
|
catch {r SET foo bar} e
|
|
set e
|
|
} {*NOPERM*key*}
|
|
|
|
test {It's possible to allow the access of a subset of keys} {
|
|
r ACL setuser newuser allcommands ~foo:* ~bar:*
|
|
r SET foo:1 a
|
|
r SET bar:2 b
|
|
catch {r SET zap:3 c} e
|
|
r ACL setuser newuser allkeys; # Undo keys ACL
|
|
set e
|
|
} {*NOPERM*key*}
|
|
|
|
test {By default, only default user is able to publish to any channel} {
|
|
r AUTH default pwd
|
|
r PUBLISH foo bar
|
|
r ACL setuser psuser on >pspass +acl +client +@pubsub
|
|
r AUTH psuser pspass
|
|
catch {r PUBLISH foo bar} e
|
|
set e
|
|
} {*NOPERM*channel*}
|
|
|
|
test {By default, only default user is not able to publish to any shard channel} {
|
|
r AUTH default pwd
|
|
r SPUBLISH foo bar
|
|
r AUTH psuser pspass
|
|
catch {r SPUBLISH foo bar} e
|
|
set e
|
|
} {*NOPERM*channel*}
|
|
|
|
test {By default, only default user is able to subscribe to any channel} {
|
|
set rd [redis_deferring_client]
|
|
$rd AUTH default pwd
|
|
$rd read
|
|
$rd SUBSCRIBE foo
|
|
assert_match {subscribe foo 1} [$rd read]
|
|
$rd UNSUBSCRIBE
|
|
$rd read
|
|
$rd AUTH psuser pspass
|
|
$rd read
|
|
$rd SUBSCRIBE foo
|
|
catch {$rd read} e
|
|
$rd close
|
|
set e
|
|
} {*NOPERM*channel*}
|
|
|
|
test {By default, only default user is able to subscribe to any shard channel} {
|
|
set rd [redis_deferring_client]
|
|
$rd AUTH default pwd
|
|
$rd read
|
|
$rd SSUBSCRIBE foo
|
|
assert_match {ssubscribe foo 1} [$rd read]
|
|
$rd SUNSUBSCRIBE
|
|
$rd read
|
|
$rd AUTH psuser pspass
|
|
$rd read
|
|
$rd SSUBSCRIBE foo
|
|
catch {$rd read} e
|
|
$rd close
|
|
set e
|
|
} {*NOPERM*channel*}
|
|
|
|
test {By default, only default user is able to subscribe to any pattern} {
|
|
set rd [redis_deferring_client]
|
|
$rd AUTH default pwd
|
|
$rd read
|
|
$rd PSUBSCRIBE bar*
|
|
assert_match {psubscribe bar\* 1} [$rd read]
|
|
$rd PUNSUBSCRIBE
|
|
$rd read
|
|
$rd AUTH psuser pspass
|
|
$rd read
|
|
$rd PSUBSCRIBE bar*
|
|
catch {$rd read} e
|
|
$rd close
|
|
set e
|
|
} {*NOPERM*channel*}
|
|
|
|
test {It's possible to allow publishing to a subset of channels} {
|
|
r ACL setuser psuser resetchannels &foo:1 &bar:*
|
|
assert_equal {0} [r PUBLISH foo:1 somemessage]
|
|
assert_equal {0} [r PUBLISH bar:2 anothermessage]
|
|
catch {r PUBLISH zap:3 nosuchmessage} e
|
|
set e
|
|
} {*NOPERM*channel*}
|
|
|
|
test {It's possible to allow publishing to a subset of shard channels} {
|
|
r ACL setuser psuser resetchannels &foo:1 &bar:*
|
|
assert_equal {0} [r SPUBLISH foo:1 somemessage]
|
|
assert_equal {0} [r SPUBLISH bar:2 anothermessage]
|
|
catch {r SPUBLISH zap:3 nosuchmessage} e
|
|
set e
|
|
} {*NOPERM*channel*}
|
|
|
|
test {Validate subset of channels is prefixed with resetchannels flag} {
|
|
r ACL setuser hpuser on nopass resetchannels &foo +@all
|
|
|
|
# Verify resetchannels flag is prefixed before the channel name(s)
|
|
set users [r ACL LIST]
|
|
set curruser "hpuser"
|
|
foreach user [lshuffle $users] {
|
|
if {[string first $curruser $user] != -1} {
|
|
assert_equal {user hpuser on nopass sanitize-payload resetchannels &foo +@all} $user
|
|
}
|
|
}
|
|
|
|
# authenticate as hpuser
|
|
r AUTH hpuser pass
|
|
|
|
assert_equal {0} [r PUBLISH foo bar]
|
|
catch {r PUBLISH bar game} e
|
|
|
|
# Falling back to psuser for the below tests
|
|
r AUTH psuser pspass
|
|
r ACL deluser hpuser
|
|
set e
|
|
} {*NOPERM*channel*}
|
|
|
|
test {In transaction queue publish/subscribe/psubscribe to unauthorized channel will fail} {
|
|
r ACL setuser psuser +multi +discard
|
|
r MULTI
|
|
assert_error {*NOPERM*channel*} {r PUBLISH notexits helloworld}
|
|
r DISCARD
|
|
r MULTI
|
|
assert_error {*NOPERM*channel*} {r SUBSCRIBE notexits foo:1}
|
|
r DISCARD
|
|
r MULTI
|
|
assert_error {*NOPERM*channel*} {r PSUBSCRIBE notexits:* bar:*}
|
|
r DISCARD
|
|
}
|
|
|
|
test {It's possible to allow subscribing to a subset of channels} {
|
|
set rd [redis_deferring_client]
|
|
$rd AUTH psuser pspass
|
|
$rd read
|
|
$rd SUBSCRIBE foo:1
|
|
assert_match {subscribe foo:1 1} [$rd read]
|
|
$rd SUBSCRIBE bar:2
|
|
assert_match {subscribe bar:2 2} [$rd read]
|
|
$rd SUBSCRIBE zap:3
|
|
catch {$rd read} e
|
|
set e
|
|
} {*NOPERM*channel*}
|
|
|
|
test {It's possible to allow subscribing to a subset of shard channels} {
|
|
set rd [redis_deferring_client]
|
|
$rd AUTH psuser pspass
|
|
$rd read
|
|
$rd SSUBSCRIBE foo:1
|
|
assert_match {ssubscribe foo:1 1} [$rd read]
|
|
$rd SSUBSCRIBE bar:2
|
|
assert_match {ssubscribe bar:2 2} [$rd read]
|
|
$rd SSUBSCRIBE zap:3
|
|
catch {$rd read} e
|
|
set e
|
|
} {*NOPERM*channel*}
|
|
|
|
test {It's possible to allow subscribing to a subset of channel patterns} {
|
|
set rd [redis_deferring_client]
|
|
$rd AUTH psuser pspass
|
|
$rd read
|
|
$rd PSUBSCRIBE foo:1
|
|
assert_match {psubscribe foo:1 1} [$rd read]
|
|
$rd PSUBSCRIBE bar:*
|
|
assert_match {psubscribe bar:\* 2} [$rd read]
|
|
$rd PSUBSCRIBE bar:baz
|
|
catch {$rd read} e
|
|
set e
|
|
} {*NOPERM*channel*}
|
|
|
|
test {Subscribers are killed when revoked of channel permission} {
|
|
set rd [redis_deferring_client]
|
|
r ACL setuser psuser resetchannels &foo:1
|
|
$rd AUTH psuser pspass
|
|
$rd read
|
|
$rd CLIENT SETNAME deathrow
|
|
$rd read
|
|
$rd SUBSCRIBE foo:1
|
|
$rd read
|
|
r ACL setuser psuser resetchannels
|
|
assert_no_match {*deathrow*} [r CLIENT LIST]
|
|
$rd close
|
|
} {0}
|
|
|
|
test {Subscribers are killed when revoked of channel permission} {
|
|
set rd [redis_deferring_client]
|
|
r ACL setuser psuser resetchannels &foo:1
|
|
$rd AUTH psuser pspass
|
|
$rd read
|
|
$rd CLIENT SETNAME deathrow
|
|
$rd read
|
|
$rd SSUBSCRIBE foo:1
|
|
$rd read
|
|
r ACL setuser psuser resetchannels
|
|
assert_no_match {*deathrow*} [r CLIENT LIST]
|
|
$rd close
|
|
} {0}
|
|
|
|
test {Subscribers are killed when revoked of pattern permission} {
|
|
set rd [redis_deferring_client]
|
|
r ACL setuser psuser resetchannels &bar:*
|
|
$rd AUTH psuser pspass
|
|
$rd read
|
|
$rd CLIENT SETNAME deathrow
|
|
$rd read
|
|
$rd PSUBSCRIBE bar:*
|
|
$rd read
|
|
r ACL setuser psuser resetchannels
|
|
assert_no_match {*deathrow*} [r CLIENT LIST]
|
|
$rd close
|
|
} {0}
|
|
|
|
test {Subscribers are pardoned if literal permissions are retained and/or gaining allchannels} {
|
|
set rd [redis_deferring_client]
|
|
r ACL setuser psuser resetchannels &foo:1 &bar:* &orders
|
|
$rd AUTH psuser pspass
|
|
$rd read
|
|
$rd CLIENT SETNAME pardoned
|
|
$rd read
|
|
$rd SUBSCRIBE foo:1
|
|
$rd read
|
|
$rd SSUBSCRIBE orders
|
|
$rd read
|
|
$rd PSUBSCRIBE bar:*
|
|
$rd read
|
|
r ACL setuser psuser resetchannels &foo:1 &bar:* &orders &baz:qaz &zoo:*
|
|
assert_match {*pardoned*} [r CLIENT LIST]
|
|
r ACL setuser psuser allchannels
|
|
assert_match {*pardoned*} [r CLIENT LIST]
|
|
$rd close
|
|
} {0}
|
|
|
|
test {Users can be configured to authenticate with any password} {
|
|
r ACL setuser newuser nopass
|
|
r AUTH newuser zipzapblabla
|
|
} {OK}
|
|
|
|
test {ACLs can exclude single commands} {
|
|
r ACL setuser newuser -ping
|
|
r INCR mycounter ; # Should not raise an error
|
|
catch {r PING} e
|
|
set e
|
|
} {*NOPERM*ping*}
|
|
|
|
test {ACLs can include or exclude whole classes of commands} {
|
|
r ACL setuser newuser -@all +@set +acl
|
|
r SADD myset a b c; # Should not raise an error
|
|
r ACL setuser newuser +@all -@string
|
|
r SADD myset a b c; # Again should not raise an error
|
|
# String commands instead should raise an error
|
|
catch {r SET foo bar} e
|
|
r ACL setuser newuser allcommands; # Undo commands ACL
|
|
set e
|
|
} {*NOPERM*set*}
|
|
|
|
test {ACLs can include single subcommands} {
|
|
r ACL setuser newuser +@all -client
|
|
r ACL setuser newuser +client|id +client|setname
|
|
set cmdstr [dict get [r ACL getuser newuser] commands]
|
|
assert_match {+@all*-client*+client|id*} $cmdstr
|
|
assert_match {+@all*-client*+client|setname*} $cmdstr
|
|
r CLIENT ID; # Should not fail
|
|
r CLIENT SETNAME foo ; # Should not fail
|
|
catch {r CLIENT KILL type master} e
|
|
set e
|
|
} {*NOPERM*client|kill*}
|
|
|
|
test {ACLs can exclude single subcommands, case 1} {
|
|
r ACL setuser newuser +@all -client|kill
|
|
set cmdstr [dict get [r ACL getuser newuser] commands]
|
|
assert_equal {+@all -client|kill} $cmdstr
|
|
r CLIENT ID; # Should not fail
|
|
r CLIENT SETNAME foo ; # Should not fail
|
|
catch {r CLIENT KILL type master} e
|
|
set e
|
|
} {*NOPERM*client|kill*}
|
|
|
|
test {ACLs can exclude single subcommands, case 2} {
|
|
r ACL setuser newuser -@all +acl +config -config|set
|
|
set cmdstr [dict get [r ACL getuser newuser] commands]
|
|
assert_match {*+config*} $cmdstr
|
|
assert_match {*-config|set*} $cmdstr
|
|
r CONFIG GET loglevel; # Should not fail
|
|
catch {r CONFIG SET loglevel debug} e
|
|
set e
|
|
} {*NOPERM*config|set*}
|
|
|
|
test {ACLs cannot include a subcommand with a specific arg} {
|
|
r ACL setuser newuser +@all -config|get
|
|
catch { r ACL setuser newuser +config|get|appendonly} e
|
|
set e
|
|
} {*Allowing first-arg of a subcommand is not supported*}
|
|
|
|
test {ACLs cannot exclude or include a container commands with a specific arg} {
|
|
r ACL setuser newuser +@all +config|get
|
|
catch { r ACL setuser newuser +@all +config|asdf} e
|
|
assert_match "*Unknown command or category name in ACL*" $e
|
|
catch { r ACL setuser newuser +@all -config|asdf} e
|
|
assert_match "*Unknown command or category name in ACL*" $e
|
|
} {}
|
|
|
|
test {ACLs cannot exclude or include a container command with two args} {
|
|
r ACL setuser newuser +@all +config|get
|
|
catch { r ACL setuser newuser +@all +get|key1|key2} e
|
|
assert_match "*Unknown command or category name in ACL*" $e
|
|
catch { r ACL setuser newuser +@all -get|key1|key2} e
|
|
assert_match "*Unknown command or category name in ACL*" $e
|
|
} {}
|
|
|
|
test {ACLs including of a type includes also subcommands} {
|
|
r ACL setuser newuser -@all +del +acl +@stream
|
|
r DEL key
|
|
r XADD key * field value
|
|
r XINFO STREAM key
|
|
}
|
|
|
|
test {ACLs can block SELECT of all but a specific DB} {
|
|
r ACL setuser newuser -@all +acl +select|0
|
|
set cmdstr [dict get [r ACL getuser newuser] commands]
|
|
assert_match {*+select|0*} $cmdstr
|
|
r SELECT 0
|
|
catch {r SELECT 1} e
|
|
set e
|
|
} {*NOPERM*select*} {singledb:skip}
|
|
|
|
test {ACLs can block all DEBUG subcommands except one} {
|
|
r ACL setuser newuser -@all +acl +del +incr +debug|object
|
|
r DEL key
|
|
set cmdstr [dict get [r ACL getuser newuser] commands]
|
|
assert_match {*+debug|object*} $cmdstr
|
|
r INCR key
|
|
r DEBUG OBJECT key
|
|
catch {r DEBUG SEGFAULT} e
|
|
set e
|
|
} {*NOPERM*debug*}
|
|
|
|
test {ACLs set can include subcommands, if already full command exists} {
|
|
r ACL setuser bob +memory|doctor
|
|
set cmdstr [dict get [r ACL getuser bob] commands]
|
|
assert_equal {-@all +memory|doctor} $cmdstr
|
|
|
|
# Validate the commands have got engulfed to +memory.
|
|
r ACL setuser bob +memory
|
|
set cmdstr [dict get [r ACL getuser bob] commands]
|
|
assert_equal {-@all +memory} $cmdstr
|
|
|
|
# Appending to the existing access string of bob.
|
|
r ACL setuser bob +@all +client|id
|
|
# Although this does nothing, we retain it anyways so we can reproduce
|
|
# the original ACL.
|
|
set cmdstr [dict get [r ACL getuser bob] commands]
|
|
assert_equal {+@all +client|id} $cmdstr
|
|
|
|
r ACL setuser bob >passwd1 on
|
|
r AUTH bob passwd1
|
|
r CLIENT ID; # Should not fail
|
|
r MEMORY DOCTOR; # Should not fail
|
|
}
|
|
|
|
test {ACLs set can exclude subcommands, if already full command exists} {
|
|
r ACL setuser alice +@all -memory|doctor
|
|
set cmdstr [dict get [r ACL getuser alice] commands]
|
|
assert_equal {+@all -memory|doctor} $cmdstr
|
|
|
|
r ACL setuser alice >passwd1 on
|
|
r AUTH alice passwd1
|
|
|
|
assert_error {*NOPERM*memory|doctor*} {r MEMORY DOCTOR}
|
|
r MEMORY STATS ;# should work
|
|
|
|
# Validate the commands have got engulfed to -memory.
|
|
r ACL setuser alice +@all -memory
|
|
set cmdstr [dict get [r ACL getuser alice] commands]
|
|
assert_equal {+@all -memory} $cmdstr
|
|
|
|
assert_error {*NOPERM*memory|doctor*} {r MEMORY DOCTOR}
|
|
assert_error {*NOPERM*memory|stats*} {r MEMORY STATS}
|
|
|
|
# Appending to the existing access string of alice.
|
|
r ACL setuser alice -@all
|
|
|
|
# Now, alice can't do anything, we need to auth newuser to execute ACL GETUSER
|
|
r AUTH newuser passwd1
|
|
|
|
# Validate the new commands has got engulfed to -@all.
|
|
set cmdstr [dict get [r ACL getuser alice] commands]
|
|
assert_equal {-@all} $cmdstr
|
|
|
|
r AUTH alice passwd1
|
|
|
|
assert_error {*NOPERM*get*} {r GET key}
|
|
assert_error {*NOPERM*memory|stats*} {r MEMORY STATS}
|
|
|
|
# Auth newuser before the next test
|
|
r AUTH newuser passwd1
|
|
}
|
|
|
|
test {ACL SETUSER RESET reverting to default newly created user} {
|
|
set current_user "example"
|
|
r ACL DELUSER $current_user
|
|
r ACL SETUSER $current_user
|
|
|
|
set users [r ACL LIST]
|
|
foreach user [lshuffle $users] {
|
|
if {[string first $current_user $user] != -1} {
|
|
set current_user_output $user
|
|
}
|
|
}
|
|
|
|
r ACL SETUSER $current_user reset
|
|
set users [r ACL LIST]
|
|
foreach user [lshuffle $users] {
|
|
if {[string first $current_user $user] != -1} {
|
|
assert_equal $current_user_output $user
|
|
}
|
|
}
|
|
}
|
|
|
|
# Note that the order of the generated ACL rules is not stable in Redis
|
|
# so we need to match the different parts and not as a whole string.
|
|
test {ACL GETUSER is able to translate back command permissions} {
|
|
# Subtractive
|
|
r ACL setuser newuser reset +@all ~* -@string +incr -debug +debug|digest
|
|
set cmdstr [dict get [r ACL getuser newuser] commands]
|
|
assert_match {*+@all*} $cmdstr
|
|
assert_match {*-@string*} $cmdstr
|
|
assert_match {*+incr*} $cmdstr
|
|
assert_match {*-debug +debug|digest**} $cmdstr
|
|
|
|
# Additive
|
|
r ACL setuser newuser reset +@string -incr +acl +debug|digest +debug|segfault
|
|
set cmdstr [dict get [r ACL getuser newuser] commands]
|
|
assert_match {*-@all*} $cmdstr
|
|
assert_match {*+@string*} $cmdstr
|
|
assert_match {*-incr*} $cmdstr
|
|
assert_match {*+debug|digest*} $cmdstr
|
|
assert_match {*+debug|segfault*} $cmdstr
|
|
assert_match {*+acl*} $cmdstr
|
|
}
|
|
|
|
# A regression test make sure that as long as there is a simple
|
|
# category defining the commands, that it will be used as is.
|
|
test {ACL GETUSER provides reasonable results} {
|
|
set categories [r ACL CAT]
|
|
|
|
# Test that adding each single category will
|
|
# result in just that category with both +@all and -@all
|
|
foreach category $categories {
|
|
# Test for future commands where allowed
|
|
r ACL setuser additive reset +@all "-@$category"
|
|
set cmdstr [dict get [r ACL getuser additive] commands]
|
|
assert_equal "+@all -@$category" $cmdstr
|
|
|
|
# Test for future commands where disallowed
|
|
r ACL setuser restrictive reset -@all "+@$category"
|
|
set cmdstr [dict get [r ACL getuser restrictive] commands]
|
|
assert_equal "-@all +@$category" $cmdstr
|
|
}
|
|
}
|
|
|
|
# Test that only lossless compaction of ACLs occur.
|
|
test {ACL GETUSER provides correct results} {
|
|
r ACL SETUSER adv-test
|
|
r ACL SETUSER adv-test +@all -@hash -@slow +hget
|
|
assert_equal "+@all -@hash -@slow +hget" [dict get [r ACL getuser adv-test] commands]
|
|
|
|
# Categories are re-ordered if re-added
|
|
r ACL SETUSER adv-test -@hash
|
|
assert_equal "+@all -@slow +hget -@hash" [dict get [r ACL getuser adv-test] commands]
|
|
|
|
# Inverting categories removes existing categories
|
|
r ACL SETUSER adv-test +@hash
|
|
assert_equal "+@all -@slow +hget +@hash" [dict get [r ACL getuser adv-test] commands]
|
|
|
|
# Inverting the all category compacts everything
|
|
r ACL SETUSER adv-test -@all
|
|
assert_equal "-@all" [dict get [r ACL getuser adv-test] commands]
|
|
r ACL SETUSER adv-test -@string -@slow +@all
|
|
assert_equal "+@all" [dict get [r ACL getuser adv-test] commands]
|
|
|
|
# Make sure categories are case insensitive
|
|
r ACL SETUSER adv-test -@all +@HASH +@hash +@HaSh
|
|
assert_equal "-@all +@hash" [dict get [r ACL getuser adv-test] commands]
|
|
|
|
# Make sure commands are case insensitive
|
|
r ACL SETUSER adv-test -@all +HGET +hget +hGeT
|
|
assert_equal "-@all +hget" [dict get [r ACL getuser adv-test] commands]
|
|
|
|
# Arbitrary category additions and removals are handled
|
|
r ACL SETUSER adv-test -@all +@hash +@slow +@set +@set +@slow +@hash
|
|
assert_equal "-@all +@set +@slow +@hash" [dict get [r ACL getuser adv-test] commands]
|
|
|
|
# Arbitrary command additions and removals are handled
|
|
r ACL SETUSER adv-test -@all +hget -hset +hset -hget
|
|
assert_equal "-@all +hset -hget" [dict get [r ACL getuser adv-test] commands]
|
|
|
|
# Arbitrary subcommands are compacted
|
|
r ACL SETUSER adv-test -@all +client|list +client|list +config|get +config +acl|list -acl
|
|
assert_equal "-@all +client|list +config -acl" [dict get [r ACL getuser adv-test] commands]
|
|
|
|
# Deprecated subcommand usage is handled
|
|
r ACL SETUSER adv-test -@all +select|0 +select|0 +debug|segfault +debug
|
|
assert_equal "-@all +select|0 +debug" [dict get [r ACL getuser adv-test] commands]
|
|
|
|
# Unnecessary categories are retained for potentional future compatibility
|
|
r ACL SETUSER adv-test -@all -@dangerous
|
|
assert_equal "-@all -@dangerous" [dict get [r ACL getuser adv-test] commands]
|
|
}
|
|
|
|
test "ACL CAT with illegal arguments" {
|
|
assert_error {*Unknown category 'NON_EXISTS'} {r ACL CAT NON_EXISTS}
|
|
assert_error {*unknown subcommand or wrong number of arguments for 'CAT'*} {r ACL CAT NON_EXISTS NON_EXISTS2}
|
|
}
|
|
|
|
test "ACL CAT without category - list all categories" {
|
|
set categories [r acl cat]
|
|
assert_not_equal [lsearch $categories "keyspace"] -1
|
|
assert_not_equal [lsearch $categories "connection"] -1
|
|
}
|
|
|
|
test "ACL CAT category - list all commands/subcommands that belong to category" {
|
|
assert_not_equal [lsearch [r acl cat transaction] "multi"] -1
|
|
assert_not_equal [lsearch [r acl cat scripting] "function|list"] -1
|
|
|
|
# Negative check to make sure it doesn't actually return all commands.
|
|
assert_equal [lsearch [r acl cat keyspace] "set"] -1
|
|
assert_equal [lsearch [r acl cat stream] "get"] -1
|
|
}
|
|
|
|
test "ACL requires explicit permission for scripting for EVAL_RO, EVALSHA_RO and FCALL_RO" {
|
|
r ACL SETUSER scripter on nopass +readonly
|
|
assert_match {*has no permissions to run the 'eval_ro' command*} [r ACL DRYRUN scripter EVAL_RO "" 0]
|
|
assert_match {*has no permissions to run the 'evalsha_ro' command*} [r ACL DRYRUN scripter EVALSHA_RO "" 0]
|
|
assert_match {*has no permissions to run the 'fcall_ro' command*} [r ACL DRYRUN scripter FCALL_RO "" 0]
|
|
}
|
|
|
|
test {ACL #5998 regression: memory leaks adding / removing subcommands} {
|
|
r AUTH default ""
|
|
r ACL setuser newuser reset -debug +debug|a +debug|b +debug|c
|
|
r ACL setuser newuser -debug
|
|
# The test framework will detect a leak if any.
|
|
}
|
|
|
|
test {ACL LOG aggregates similar errors together and assigns unique entry-id to new errors} {
|
|
r ACL LOG RESET
|
|
r ACL setuser user1 >foo
|
|
assert_error "*WRONGPASS*" {r AUTH user1 doo}
|
|
set entry_id_initial_error [dict get [lindex [r ACL LOG] 0] entry-id]
|
|
set timestamp_created_original [dict get [lindex [r ACL LOG] 0] timestamp-created]
|
|
set timestamp_last_update_original [dict get [lindex [r ACL LOG] 0] timestamp-last-updated]
|
|
after 1
|
|
for {set j 0} {$j < 10} {incr j} {
|
|
assert_error "*WRONGPASS*" {r AUTH user1 doo}
|
|
}
|
|
set entry_id_lastest_error [dict get [lindex [r ACL LOG] 0] entry-id]
|
|
set timestamp_created_updated [dict get [lindex [r ACL LOG] 0] timestamp-created]
|
|
set timestamp_last_updated_after_update [dict get [lindex [r ACL LOG] 0] timestamp-last-updated]
|
|
assert {$entry_id_lastest_error eq $entry_id_initial_error}
|
|
assert {$timestamp_last_update_original < $timestamp_last_updated_after_update}
|
|
assert {$timestamp_created_original eq $timestamp_created_updated}
|
|
r ACL setuser user2 >doo
|
|
assert_error "*WRONGPASS*" {r AUTH user2 foo}
|
|
set new_error_entry_id [dict get [lindex [r ACL LOG] 0] entry-id]
|
|
assert {$new_error_entry_id eq $entry_id_lastest_error + 1 }
|
|
}
|
|
|
|
test {ACL LOG shows failed command executions at toplevel} {
|
|
r ACL LOG RESET
|
|
r ACL setuser antirez >foo on +set ~object:1234
|
|
r ACL setuser antirez +eval +multi +exec
|
|
r ACL setuser antirez resetchannels +publish
|
|
r AUTH antirez foo
|
|
assert_error "*NOPERM*get*" {r GET foo}
|
|
r AUTH default ""
|
|
set entry [lindex [r ACL LOG] 0]
|
|
assert {[dict get $entry username] eq {antirez}}
|
|
assert {[dict get $entry context] eq {toplevel}}
|
|
assert {[dict get $entry reason] eq {command}}
|
|
assert {[dict get $entry object] eq {get}}
|
|
assert_match {*cmd=get*} [dict get $entry client-info]
|
|
}
|
|
|
|
test "ACL LOG shows failed subcommand executions at toplevel" {
|
|
r ACL LOG RESET
|
|
r ACL DELUSER demo
|
|
r ACL SETUSER demo on nopass
|
|
r AUTH demo ""
|
|
assert_error "*NOPERM*script|help*" {r SCRIPT HELP}
|
|
r AUTH default ""
|
|
set entry [lindex [r ACL LOG] 0]
|
|
assert_equal [dict get $entry username] {demo}
|
|
assert_equal [dict get $entry context] {toplevel}
|
|
assert_equal [dict get $entry reason] {command}
|
|
assert_equal [dict get $entry object] {script|help}
|
|
}
|
|
|
|
test {ACL LOG is able to test similar events} {
|
|
r ACL LOG RESET
|
|
r AUTH antirez foo
|
|
catch {r GET foo}
|
|
catch {r GET foo}
|
|
catch {r GET foo}
|
|
r AUTH default ""
|
|
set entry [lindex [r ACL LOG] 0]
|
|
assert {[dict get $entry count] == 3}
|
|
}
|
|
|
|
test {ACL LOG is able to log keys access violations and key name} {
|
|
r AUTH antirez foo
|
|
catch {r SET somekeynotallowed 1234}
|
|
r AUTH default ""
|
|
set entry [lindex [r ACL LOG] 0]
|
|
assert {[dict get $entry reason] eq {key}}
|
|
assert {[dict get $entry object] eq {somekeynotallowed}}
|
|
}
|
|
|
|
test {ACL LOG is able to log channel access violations and channel name} {
|
|
r AUTH antirez foo
|
|
catch {r PUBLISH somechannelnotallowed nullmsg}
|
|
r AUTH default ""
|
|
set entry [lindex [r ACL LOG] 0]
|
|
assert {[dict get $entry reason] eq {channel}}
|
|
assert {[dict get $entry object] eq {somechannelnotallowed}}
|
|
}
|
|
|
|
test {ACL LOG RESET is able to flush the entries in the log} {
|
|
r ACL LOG RESET
|
|
assert {[llength [r ACL LOG]] == 0}
|
|
}
|
|
|
|
test {ACL LOG can distinguish the transaction context (1)} {
|
|
r AUTH antirez foo
|
|
r MULTI
|
|
catch {r INCR foo}
|
|
catch {r EXEC}
|
|
r AUTH default ""
|
|
set entry [lindex [r ACL LOG] 0]
|
|
assert {[dict get $entry context] eq {multi}}
|
|
assert {[dict get $entry object] eq {incr}}
|
|
}
|
|
|
|
test {ACL LOG can distinguish the transaction context (2)} {
|
|
set rd1 [redis_deferring_client]
|
|
r ACL SETUSER antirez +incr
|
|
|
|
r AUTH antirez foo
|
|
r MULTI
|
|
r INCR object:1234
|
|
$rd1 ACL SETUSER antirez -incr
|
|
$rd1 read
|
|
catch {r EXEC}
|
|
$rd1 close
|
|
r AUTH default ""
|
|
set entry [lindex [r ACL LOG] 0]
|
|
assert {[dict get $entry context] eq {multi}}
|
|
assert {[dict get $entry object] eq {incr}}
|
|
assert_match {*cmd=exec*} [dict get $entry client-info]
|
|
r ACL SETUSER antirez -incr
|
|
}
|
|
|
|
test {ACL can log errors in the context of Lua scripting} {
|
|
r AUTH antirez foo
|
|
catch {r EVAL {redis.call('incr','foo')} 0}
|
|
r AUTH default ""
|
|
set entry [lindex [r ACL LOG] 0]
|
|
assert {[dict get $entry context] eq {lua}}
|
|
assert {[dict get $entry object] eq {incr}}
|
|
assert_match {*cmd=eval*} [dict get $entry client-info]
|
|
}
|
|
|
|
test {ACL LOG can accept a numerical argument to show less entries} {
|
|
r AUTH antirez foo
|
|
catch {r INCR foo}
|
|
catch {r INCR foo}
|
|
catch {r INCR foo}
|
|
catch {r INCR foo}
|
|
r AUTH default ""
|
|
assert {[llength [r ACL LOG]] > 1}
|
|
assert {[llength [r ACL LOG 2]] == 2}
|
|
}
|
|
|
|
test {ACL LOG can log failed auth attempts} {
|
|
catch {r AUTH antirez wrong-password}
|
|
set entry [lindex [r ACL LOG] 0]
|
|
assert {[dict get $entry context] eq {toplevel}}
|
|
assert {[dict get $entry reason] eq {auth}}
|
|
assert {[dict get $entry object] eq {AUTH}}
|
|
assert {[dict get $entry username] eq {antirez}}
|
|
}
|
|
|
|
test {ACL LOG entries are limited to a maximum amount} {
|
|
r ACL LOG RESET
|
|
r CONFIG SET acllog-max-len 5
|
|
r AUTH antirez foo
|
|
for {set j 0} {$j < 10} {incr j} {
|
|
catch {r SET obj:$j 123}
|
|
}
|
|
r AUTH default ""
|
|
assert {[llength [r ACL LOG]] == 5}
|
|
}
|
|
|
|
test {When default user is off, new connections are not authenticated} {
|
|
r ACL setuser default off
|
|
catch {set rd1 [redis_deferring_client]} e
|
|
r ACL setuser default on
|
|
set e
|
|
} {*NOAUTH*}
|
|
|
|
test {When default user has no command permission, hello command still works for other users} {
|
|
r ACL setuser secure-user >supass on +@all
|
|
r ACL setuser default -@all
|
|
r HELLO 2 AUTH secure-user supass
|
|
r ACL setuser default nopass +@all
|
|
r AUTH default ""
|
|
}
|
|
|
|
test {When an authentication chain is used in the HELLO cmd, the last auth cmd has precedence} {
|
|
r ACL setuser secure-user1 >supass on +@all
|
|
r ACL setuser secure-user2 >supass on +@all
|
|
r HELLO 2 AUTH secure-user pass AUTH secure-user2 supass AUTH secure-user1 supass
|
|
assert {[r ACL whoami] eq {secure-user1}}
|
|
catch {r HELLO 2 AUTH secure-user supass AUTH secure-user2 supass AUTH secure-user pass} e
|
|
assert_match "WRONGPASS invalid username-password pair or user is disabled." $e
|
|
assert {[r ACL whoami] eq {secure-user1}}
|
|
}
|
|
|
|
test {When a setname chain is used in the HELLO cmd, the last setname cmd has precedence} {
|
|
r HELLO 2 setname client1 setname client2 setname client3 setname client4
|
|
assert {[r client getname] eq {client4}}
|
|
catch {r HELLO 2 setname client5 setname client6 setname "client name"} e
|
|
assert_match "ERR Client names cannot contain spaces, newlines or special characters." $e
|
|
assert {[r client getname] eq {client4}}
|
|
}
|
|
|
|
test {When authentication fails in the HELLO cmd, the client setname should not be applied} {
|
|
r client setname client0
|
|
catch {r HELLO 2 AUTH user pass setname client1} e
|
|
assert_match "WRONGPASS invalid username-password pair or user is disabled." $e
|
|
assert {[r client getname] eq {client0}}
|
|
}
|
|
|
|
test {ACL HELP should not have unexpected options} {
|
|
catch {r ACL help xxx} e
|
|
assert_match "*wrong number of arguments for 'acl|help' command" $e
|
|
}
|
|
|
|
test {Delete a user that the client doesn't use} {
|
|
r ACL setuser not_used on >passwd
|
|
assert {[r ACL deluser not_used] == 1}
|
|
# The client is not closed
|
|
assert {[r ping] eq {PONG}}
|
|
}
|
|
|
|
test {Delete a user that the client is using} {
|
|
r ACL setuser using on +acl >passwd
|
|
r AUTH using passwd
|
|
# The client will receive reply normally
|
|
assert {[r ACL deluser using] == 1}
|
|
# The client is closed
|
|
catch {[r ping]} e
|
|
assert_match "*I/O error*" $e
|
|
}
|
|
|
|
test {ACL GENPASS command failed test} {
|
|
catch {r ACL genpass -236} err1
|
|
catch {r ACL genpass 5000} err2
|
|
assert_match "*ACL GENPASS argument must be the number*" $err1
|
|
assert_match "*ACL GENPASS argument must be the number*" $err2
|
|
}
|
|
|
|
test {Default user can not be removed} {
|
|
catch {r ACL deluser default} err
|
|
set err
|
|
} {ERR The 'default' user cannot be removed}
|
|
|
|
test {ACL load non-existing configured ACL file} {
|
|
catch {r ACL load} err
|
|
set err
|
|
} {*Redis instance is not configured to use an ACL file*}
|
|
|
|
# If there is an AUTH failure the metric increases
|
|
test {ACL-Metrics user AUTH failure} {
|
|
set current_auth_failures [s acl_access_denied_auth]
|
|
set current_invalid_cmd_accesses [s acl_access_denied_cmd]
|
|
set current_invalid_key_accesses [s acl_access_denied_key]
|
|
set current_invalid_channel_accesses [s acl_access_denied_channel]
|
|
assert_error "*WRONGPASS*" {r AUTH notrealuser 1233456}
|
|
assert {[s acl_access_denied_auth] eq [expr $current_auth_failures + 1]}
|
|
assert_error "*WRONGPASS*" {r HELLO 3 AUTH notrealuser 1233456}
|
|
assert {[s acl_access_denied_auth] eq [expr $current_auth_failures + 2]}
|
|
assert_error "*WRONGPASS*" {r HELLO 2 AUTH notrealuser 1233456}
|
|
assert {[s acl_access_denied_auth] eq [expr $current_auth_failures + 3]}
|
|
assert {[s acl_access_denied_cmd] eq $current_invalid_cmd_accesses}
|
|
assert {[s acl_access_denied_key] eq $current_invalid_key_accesses}
|
|
assert {[s acl_access_denied_channel] eq $current_invalid_channel_accesses}
|
|
}
|
|
|
|
# If a user try to access an unauthorized command the metric increases
|
|
test {ACL-Metrics invalid command accesses} {
|
|
set current_auth_failures [s acl_access_denied_auth]
|
|
set current_invalid_cmd_accesses [s acl_access_denied_cmd]
|
|
set current_invalid_key_accesses [s acl_access_denied_key]
|
|
set current_invalid_channel_accesses [s acl_access_denied_channel]
|
|
r ACL setuser invalidcmduser on >passwd nocommands
|
|
r AUTH invalidcmduser passwd
|
|
assert_error "*no permissions to run the * command*" {r acl list}
|
|
r AUTH default ""
|
|
assert {[s acl_access_denied_auth] eq $current_auth_failures}
|
|
assert {[s acl_access_denied_cmd] eq [expr $current_invalid_cmd_accesses + 1]}
|
|
assert {[s acl_access_denied_key] eq $current_invalid_key_accesses}
|
|
assert {[s acl_access_denied_channel] eq $current_invalid_channel_accesses}
|
|
}
|
|
|
|
# If a user try to access an unauthorized key the metric increases
|
|
test {ACL-Metrics invalid key accesses} {
|
|
set current_auth_failures [s acl_access_denied_auth]
|
|
set current_invalid_cmd_accesses [s acl_access_denied_cmd]
|
|
set current_invalid_key_accesses [s acl_access_denied_key]
|
|
set current_invalid_channel_accesses [s acl_access_denied_channel]
|
|
r ACL setuser invalidkeyuser on >passwd resetkeys allcommands
|
|
r AUTH invalidkeyuser passwd
|
|
assert_error "*NOPERM*key*" {r get x}
|
|
r AUTH default ""
|
|
assert {[s acl_access_denied_auth] eq $current_auth_failures}
|
|
assert {[s acl_access_denied_cmd] eq $current_invalid_cmd_accesses}
|
|
assert {[s acl_access_denied_key] eq [expr $current_invalid_key_accesses + 1]}
|
|
assert {[s acl_access_denied_channel] eq $current_invalid_channel_accesses}
|
|
}
|
|
|
|
# If a user try to access an unauthorized channel the metric increases
|
|
test {ACL-Metrics invalid channels accesses} {
|
|
set current_auth_failures [s acl_access_denied_auth]
|
|
set current_invalid_cmd_accesses [s acl_access_denied_cmd]
|
|
set current_invalid_key_accesses [s acl_access_denied_key]
|
|
set current_invalid_channel_accesses [s acl_access_denied_channel]
|
|
r ACL setuser invalidchanneluser on >passwd resetchannels allcommands
|
|
r AUTH invalidkeyuser passwd
|
|
assert_error "*NOPERM*channel*" {r subscribe x}
|
|
r AUTH default ""
|
|
assert {[s acl_access_denied_auth] eq $current_auth_failures}
|
|
assert {[s acl_access_denied_cmd] eq $current_invalid_cmd_accesses}
|
|
assert {[s acl_access_denied_key] eq $current_invalid_key_accesses}
|
|
assert {[s acl_access_denied_channel] eq [expr $current_invalid_channel_accesses + 1]}
|
|
}
|
|
}
|
|
|
|
set server_path [tmpdir "server.acl"]
|
|
exec cp -f tests/assets/user.acl $server_path
|
|
start_server [list overrides [list "dir" $server_path "acl-pubsub-default" "allchannels" "aclfile" "user.acl"] tags [list "external:skip"]] {
|
|
# user alice on allcommands allkeys &* >alice
|
|
# user bob on -@all +@set +acl ~set* &* >bob
|
|
# user default on nopass ~* &* +@all
|
|
|
|
test {default: load from include file, can access any channels} {
|
|
r SUBSCRIBE foo
|
|
r PSUBSCRIBE bar*
|
|
r UNSUBSCRIBE
|
|
r PUNSUBSCRIBE
|
|
r PUBLISH hello world
|
|
}
|
|
|
|
test {default: with config acl-pubsub-default allchannels after reset, can access any channels} {
|
|
r ACL setuser default reset on nopass ~* +@all
|
|
r SUBSCRIBE foo
|
|
r PSUBSCRIBE bar*
|
|
r UNSUBSCRIBE
|
|
r PUNSUBSCRIBE
|
|
r PUBLISH hello world
|
|
}
|
|
|
|
test {default: with config acl-pubsub-default resetchannels after reset, can not access any channels} {
|
|
r CONFIG SET acl-pubsub-default resetchannels
|
|
r ACL setuser default reset on nopass ~* +@all
|
|
assert_error {*NOPERM*channel*} {r SUBSCRIBE foo}
|
|
assert_error {*NOPERM*channel*} {r PSUBSCRIBE bar*}
|
|
assert_error {*NOPERM*channel*} {r PUBLISH hello world}
|
|
r CONFIG SET acl-pubsub-default resetchannels
|
|
}
|
|
|
|
test {Alice: can execute all command} {
|
|
r AUTH alice alice
|
|
assert_equal "alice" [r acl whoami]
|
|
r SET key value
|
|
}
|
|
|
|
test {Bob: just execute @set and acl command} {
|
|
r AUTH bob bob
|
|
assert_equal "bob" [r acl whoami]
|
|
assert_equal "3" [r sadd set 1 2 3]
|
|
catch {r SET key value} e
|
|
set e
|
|
} {*NOPERM*set*}
|
|
|
|
test {ACL load and save} {
|
|
r ACL setuser eve +get allkeys >eve on
|
|
r ACL save
|
|
|
|
# ACL load will free user and kill clients
|
|
r ACL load
|
|
catch {r ACL LIST} e
|
|
assert_match {*I/O error*} $e
|
|
|
|
reconnect
|
|
r AUTH alice alice
|
|
r SET key value
|
|
r AUTH eve eve
|
|
r GET key
|
|
catch {r SET key value} e
|
|
set e
|
|
} {*NOPERM*set*}
|
|
|
|
test {ACL load and save with restricted channels} {
|
|
r AUTH alice alice
|
|
r ACL setuser harry on nopass resetchannels &test +@all ~*
|
|
r ACL save
|
|
|
|
# ACL load will free user and kill clients
|
|
r ACL load
|
|
catch {r ACL LIST} e
|
|
assert_match {*I/O error*} $e
|
|
|
|
reconnect
|
|
r AUTH harry anything
|
|
r publish test bar
|
|
catch {r publish test1 bar} e
|
|
r ACL deluser harry
|
|
set e
|
|
} {*NOPERM*channel*}
|
|
}
|
|
|
|
set server_path [tmpdir "resetchannels.acl"]
|
|
exec cp -f tests/assets/nodefaultuser.acl $server_path
|
|
exec cp -f tests/assets/default.conf $server_path
|
|
start_server [list overrides [list "dir" $server_path "aclfile" "nodefaultuser.acl"] tags [list "external:skip"]] {
|
|
|
|
test {Default user has access to all channels irrespective of flag} {
|
|
set channelinfo [dict get [r ACL getuser default] channels]
|
|
assert_equal "&*" $channelinfo
|
|
set channelinfo [dict get [r ACL getuser alice] channels]
|
|
assert_equal "" $channelinfo
|
|
}
|
|
|
|
test {Update acl-pubsub-default, existing users shouldn't get affected} {
|
|
set channelinfo [dict get [r ACL getuser default] channels]
|
|
assert_equal "&*" $channelinfo
|
|
r CONFIG set acl-pubsub-default allchannels
|
|
r ACL setuser mydefault
|
|
set channelinfo [dict get [r ACL getuser mydefault] channels]
|
|
assert_equal "&*" $channelinfo
|
|
r CONFIG set acl-pubsub-default resetchannels
|
|
set channelinfo [dict get [r ACL getuser mydefault] channels]
|
|
assert_equal "&*" $channelinfo
|
|
}
|
|
|
|
test {Single channel is valid} {
|
|
r ACL setuser onechannel &test
|
|
set channelinfo [dict get [r ACL getuser onechannel] channels]
|
|
assert_equal "&test" $channelinfo
|
|
r ACL deluser onechannel
|
|
}
|
|
|
|
test {Single channel is not valid with allchannels} {
|
|
r CONFIG set acl-pubsub-default allchannels
|
|
catch {r ACL setuser onechannel &test} err
|
|
r CONFIG set acl-pubsub-default resetchannels
|
|
set err
|
|
} {*start with an empty list of channels*}
|
|
}
|
|
|
|
set server_path [tmpdir "resetchannels.acl"]
|
|
exec cp -f tests/assets/nodefaultuser.acl $server_path
|
|
exec cp -f tests/assets/default.conf $server_path
|
|
start_server [list overrides [list "dir" $server_path "acl-pubsub-default" "resetchannels" "aclfile" "nodefaultuser.acl"] tags [list "external:skip"]] {
|
|
|
|
test {Only default user has access to all channels irrespective of flag} {
|
|
set channelinfo [dict get [r ACL getuser default] channels]
|
|
assert_equal "&*" $channelinfo
|
|
set channelinfo [dict get [r ACL getuser alice] channels]
|
|
assert_equal "" $channelinfo
|
|
}
|
|
}
|
|
|
|
|
|
start_server {overrides {user "default on nopass ~* +@all"} tags {"external:skip"}} {
|
|
test {default: load from config file, without channel permission default user can't access any channels} {
|
|
catch {r SUBSCRIBE foo} e
|
|
set e
|
|
} {*NOPERM*channel*}
|
|
}
|
|
|
|
start_server {overrides {user "default on nopass ~* &* +@all"} tags {"external:skip"}} {
|
|
test {default: load from config file with all channels permissions} {
|
|
r SUBSCRIBE foo
|
|
r PSUBSCRIBE bar*
|
|
r UNSUBSCRIBE
|
|
r PUNSUBSCRIBE
|
|
r PUBLISH hello world
|
|
}
|
|
}
|
|
|
|
set server_path [tmpdir "duplicate.acl"]
|
|
exec cp -f tests/assets/user.acl $server_path
|
|
exec cp -f tests/assets/default.conf $server_path
|
|
start_server [list overrides [list "dir" $server_path "aclfile" "user.acl"] tags [list "external:skip"]] {
|
|
|
|
test {Test loading an ACL file with duplicate users} {
|
|
exec cp -f tests/assets/user.acl $server_path
|
|
|
|
# Corrupt the ACL file
|
|
set corruption "\nuser alice on nopass ~* -@all"
|
|
exec echo $corruption >> $server_path/user.acl
|
|
catch {r ACL LOAD} err
|
|
assert_match {*Duplicate user 'alice' found*} $err
|
|
|
|
# Verify the previous users still exist
|
|
# NOTE: A missing user evaluates to an empty
|
|
# string.
|
|
assert {[r ACL GETUSER alice] != ""}
|
|
assert_equal [dict get [r ACL GETUSER alice] commands] "+@all"
|
|
assert {[r ACL GETUSER bob] != ""}
|
|
assert {[r ACL GETUSER default] != ""}
|
|
}
|
|
|
|
test {Test loading an ACL file with duplicate default user} {
|
|
exec cp -f tests/assets/user.acl $server_path
|
|
|
|
# Corrupt the ACL file
|
|
set corruption "\nuser default on nopass ~* -@all"
|
|
exec echo $corruption >> $server_path/user.acl
|
|
catch {r ACL LOAD} err
|
|
assert_match {*Duplicate user 'default' found*} $err
|
|
|
|
# Verify the previous users still exist
|
|
# NOTE: A missing user evaluates to an empty
|
|
# string.
|
|
assert {[r ACL GETUSER alice] != ""}
|
|
assert_equal [dict get [r ACL GETUSER alice] commands] "+@all"
|
|
assert {[r ACL GETUSER bob] != ""}
|
|
assert {[r ACL GETUSER default] != ""}
|
|
}
|
|
|
|
test {Test loading duplicate users in config on startup} {
|
|
catch {exec src/redis-server --user foo --user foo} err
|
|
assert_match {*Duplicate user*} $err
|
|
|
|
catch {exec src/redis-server --user default --user default} err
|
|
assert_match {*Duplicate user*} $err
|
|
} {} {external:skip}
|
|
}
|
|
|
|
start_server {overrides {user "default on nopass ~* +@all -flushdb"} tags {acl external:skip}} {
|
|
test {ACL from config file and config rewrite} {
|
|
assert_error {NOPERM *} {r flushdb}
|
|
r config rewrite
|
|
restart_server 0 true false
|
|
assert_error {NOPERM *} {r flushdb}
|
|
}
|
|
}
|
|
|