ホーム エクスプローラ ヘルプ
登録 サインイン
third
/
redis
同期ミラー git@github.com:redis/redis.git
2
0
フォーク 0
ファイル
ブランチ: conduct
ブランチ タグ
redis
/
tests
/
unit
/
acl.tcl

acl.tcl 8.7 KB
パーマリンク 履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258 
  1. start_server {tags {"acl"}} {
    2. 

  2.     test {Connections start with the default user} {
    3. 

  3.         r ACL WHOAMI
    4. 

  4.     } {default}
    5. 

  5. 

  6.     test {It is possible to create new users} {
    7. 

  7.         r ACL setuser newuser
    8. 

  8.     }
    9. 

  9. 

  10.     test {New users start disabled} {
    11. 

  11.         r ACL setuser newuser >passwd1
    12. 

  12.         catch {r AUTH newuser passwd1} err
    13. 

  13.         set err
    14. 

  14.     } {*WRONGPASS*}
    15. 

  15. 

  16.     test {Enabling the user allows the login} {
    17. 

  17.         r ACL setuser newuser on +acl
    18. 

  18.         r AUTH newuser passwd1
    19. 

  19.         r ACL WHOAMI
    20. 

  20.     } {newuser}
    21. 

  21. 

  22.     test {Only the set of correct passwords work} {
    23. 

  23.         r ACL setuser newuser >passwd2
    24. 

  24.         catch {r AUTH newuser passwd1} e
    25. 

  25.         assert {$e eq "OK"}
    26. 

  26.         catch {r AUTH newuser passwd2} e
    27. 

  27.         assert {$e eq "OK"}
    28. 

  28.         catch {r AUTH newuser passwd3} e
    29. 

  29.         set e
    30. 

  30.     } {*WRONGPASS*}
    31. 

  31. 

  32.     test {It is possible to remove passwords from the set of valid ones} {
    33. 

  33.         r ACL setuser newuser <passwd1
    34. 

  34.         catch {r AUTH newuser passwd1} e
    35. 

  35.         set e
    36. 

  36.     } {*WRONGPASS*}
    37. 

  37. 

  38.     test {Test password hashes can be added} {
    39. 

  39.         r ACL setuser newuser #34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e6
    40. 

  40.         catch {r AUTH newuser passwd4} e
    41. 

  41.         assert {$e eq "OK"}
    42. 

  42.     }
    43. 

  43. 

  44.     test {Test password hashes validate input} {
    45. 

  45.         # Validate Length
    46. 

  46.         catch {r ACL setuser newuser #34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e} e
    47. 

  47.         # Validate character outside set
    48. 

  48.         catch {r ACL setuser newuser #34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4eq} e
    49. 

  49.         set e
    50. 

  50.     } {*Error in ACL SETUSER modifier*}
    51. 

  51. 

  52.     test {ACL GETUSER returns the password hash instead of the actual password} {
    53. 

  53.         set passstr [dict get [r ACL getuser newuser] passwords]
    54. 

  54.         assert_match {*34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e6*} $passstr
    55. 

  55.         assert_no_match {*passwd4*} $passstr
    56. 

  56.     }
    57. 

  57. 

  58.     test {Test hashed passwords removal} {
    59. 

  59.         r ACL setuser newuser !34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e6
    60. 

  60.         set passstr [dict get [r ACL getuser newuser] passwords]
    61. 

  61.         assert_no_match {*34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e6*} $passstr
    62. 

  62.     }
    63. 

  63. 

  64.     test {By default users are not able to access any command} {
    65. 

  65.         catch {r SET foo bar} e
    66. 

  66.         set e
    67. 

  67.     } {*NOPERM*}
    68. 

  68. 

  69.     test {By default users are not able to access any key} {
    70. 

  70.         r ACL setuser newuser +set
    71. 

  71.         catch {r SET foo bar} e
    72. 

  72.         set e
    73. 

  73.     } {*NOPERM*key*}
    74. 

  74. 

  75.     test {It's possible to allow the access of a subset of keys} {
    76. 

  76.         r ACL setuser newuser allcommands ~foo:* ~bar:*
    77. 

  77.         r SET foo:1 a
    78. 

  78.         r SET bar:2 b
    79. 

  79.         catch {r SET zap:3 c} e
    80. 

  80.         r ACL setuser newuser allkeys; # Undo keys ACL
    81. 

  81.         set e
    82. 

  82.     } {*NOPERM*key*}
    83. 

  83. 

  84.     test {Users can be configured to authenticate with any password} {
    85. 

  85.         r ACL setuser newuser nopass
    86. 

  86.         r AUTH newuser zipzapblabla
    87. 

  87.     } {OK}
    88. 

  88. 

  89.     test {ACLs can exclude single commands} {
    90. 

  90.         r ACL setuser newuser -ping
    91. 

  91.         r INCR mycounter ; # Should not raise an error
    92. 

  92.         catch {r PING} e
    93. 

  93.         set e
    94. 

  94.     } {*NOPERM*}
    95. 

  95. 

  96.     test {ACLs can include or exclude whole classes of commands} {
    97. 

  97.         r ACL setuser newuser -@all +@set +acl
    98. 

  98.         r SADD myset a b c; # Should not raise an error
    99. 

  99.         r ACL setuser newuser +@all -@string
    100. 

  100.         r SADD myset a b c; # Again should not raise an error
    101. 

  101.         # String commands instead should raise an error
    102. 

  102.         catch {r SET foo bar} e
    103. 

  103.         r ACL setuser newuser allcommands; # Undo commands ACL
    104. 

  104.         set e
    105. 

  105.     } {*NOPERM*}
    106. 

  106. 

  107.     test {ACLs can include single subcommands} {
    108. 

  108.         r ACL setuser newuser +@all -client
    109. 

  109.         r ACL setuser newuser +client|id +client|setname
    110. 

  110.         r CLIENT ID; # Should not fail
    111. 

  111.         r CLIENT SETNAME foo ; # Should not fail
    112. 

  112.         catch {r CLIENT KILL type master} e
    113. 

  113.         set e
    114. 

  114.     } {*NOPERM*}
    115. 

  115. 

  116.     # Note that the order of the generated ACL rules is not stable in Redis
    117. 

  117.     # so we need to match the different parts and not as a whole string.
    118. 

  118.     test {ACL GETUSER is able to translate back command permissions} {
    119. 

  119.         # Subtractive
    120. 

  120.         r ACL setuser newuser reset +@all ~* -@string +incr -debug +debug|digest
    121. 

  121.         set cmdstr [dict get [r ACL getuser newuser] commands]
    122. 

  122.         assert_match {*+@all*} $cmdstr
    123. 

  123.         assert_match {*-@string*} $cmdstr
    124. 

  124.         assert_match {*+incr*} $cmdstr
    125. 

  125.         assert_match {*-debug +debug|digest**} $cmdstr
    126. 

  126. 

  127.         # Additive
    128. 

  128.         r ACL setuser newuser reset +@string -incr +acl +debug|digest +debug|segfault
    129. 

  129.         set cmdstr [dict get [r ACL getuser newuser] commands]
    130. 

  130.         assert_match {*-@all*} $cmdstr
    131. 

  131.         assert_match {*+@string*} $cmdstr
    132. 

  132.         assert_match {*-incr*} $cmdstr
    133. 

  133.         assert_match {*+debug|digest*} $cmdstr
    134. 

  134.         assert_match {*+debug|segfault*} $cmdstr
    135. 

  135.         assert_match {*+acl*} $cmdstr
    136. 

  136.     }
    137. 

  137. 

  138.     test {ACL #5998 regression: memory leaks adding / removing subcommands} {
    139. 

  139.         r AUTH default ""
    140. 

  140.         r ACL setuser newuser reset -debug +debug|a +debug|b +debug|c
    141. 

  141.         r ACL setuser newuser -debug
    142. 

  142.         # The test framework will detect a leak if any.
    143. 

  143.     }
    144. 

  144. 

  145.     test {ACL LOG shows failed command executions at toplevel} {
    146. 

  146.         r ACL LOG RESET
    147. 

  147.         r ACL setuser antirez >foo on +set ~object:1234
    148. 

  148.         r ACL setuser antirez +eval +multi +exec
    149. 

  149.         r AUTH antirez foo
    150. 

  150.         catch {r GET foo}
    151. 

  151.         r AUTH default ""
    152. 

  152.         set entry [lindex [r ACL LOG] 0]
    153. 

  153.         assert {[dict get $entry username] eq {antirez}}
    154. 

  154.         assert {[dict get $entry context] eq {toplevel}}
    155. 

  155.         assert {[dict get $entry reason] eq {command}}
    156. 

  156.         assert {[dict get $entry object] eq {get}}
    157. 

  157.     }
    158. 

  158. 

  159.     test {ACL LOG is able to test similar events} {
    160. 

  160.         r AUTH antirez foo
    161. 

  161.         catch {r GET foo}
    162. 

  162.         catch {r GET foo}
    163. 

  163.         catch {r GET foo}
    164. 

  164.         r AUTH default ""
    165. 

  165.         set entry [lindex [r ACL LOG] 0]
    166. 

  166.         assert {[dict get $entry count] == 4}
    167. 

  167.     }
    168. 

  168. 

  169.     test {ACL LOG is able to log keys access violations and key name} {
    170. 

  170.         r AUTH antirez foo
    171. 

  171.         catch {r SET somekeynotallowed 1234}
    172. 

  172.         r AUTH default ""
    173. 

  173.         set entry [lindex [r ACL LOG] 0]
    174. 

  174.         assert {[dict get $entry reason] eq {key}}
    175. 

  175.         assert {[dict get $entry object] eq {somekeynotallowed}}
    176. 

  176.     }
    177. 

  177. 

  178.     test {ACL LOG RESET is able to flush the entries in the log} {
    179. 

  179.         r ACL LOG RESET
    180. 

  180.         assert {[llength [r ACL LOG]] == 0}
    181. 

  181.     }
    182. 

  182. 

  183.     test {ACL LOG can distinguish the transaction context (1)} {
    184. 

  184.         r AUTH antirez foo
    185. 

  185.         r MULTI
    186. 

  186.         catch {r INCR foo}
    187. 

  187.         catch {r EXEC}
    188. 

  188.         r AUTH default ""
    189. 

  189.         set entry [lindex [r ACL LOG] 0]
    190. 

  190.         assert {[dict get $entry context] eq {multi}}
    191. 

  191.         assert {[dict get $entry object] eq {incr}}
    192. 

  192.     }
    193. 

  193. 

  194.     test {ACL LOG can distinguish the transaction context (2)} {
    195. 

  195.         set rd1 [redis_deferring_client]
    196. 

  196.         r ACL SETUSER antirez +incr
    197. 

  197. 

  198.         r AUTH antirez foo
    199. 

  199.         r MULTI
    200. 

  200.         r INCR object:1234
    201. 

  201.         $rd1 ACL SETUSER antirez -incr
    202. 

  202.         $rd1 read
    203. 

  203.         catch {r EXEC}
    204. 

  204.         $rd1 close
    205. 

  205.         r AUTH default ""
    206. 

  206.         set entry [lindex [r ACL LOG] 0]
    207. 

  207.         assert {[dict get $entry context] eq {multi}}
    208. 

  208.         assert {[dict get $entry object] eq {incr}}
    209. 

  209.         r ACL SETUSER antirez -incr
    210. 

  210.     }
    211. 

  211. 

  212.     test {ACL can log errors in the context of Lua scripting} {
    213. 

  213.         r AUTH antirez foo
    214. 

  214.         catch {r EVAL {redis.call('incr','foo')} 0}
    215. 

  215.         r AUTH default ""
    216. 

  216.         set entry [lindex [r ACL LOG] 0]
    217. 

  217.         assert {[dict get $entry context] eq {lua}}
    218. 

  218.         assert {[dict get $entry object] eq {incr}}
    219. 

  219.     }
    220. 

  220. 

  221.     test {ACL LOG can accept a numerical argument to show less entries} {
    222. 

  222.         r AUTH antirez foo
    223. 

  223.         catch {r INCR foo}
    224. 

  224.         catch {r INCR foo}
    225. 

  225.         catch {r INCR foo}
    226. 

  226.         catch {r INCR foo}
    227. 

  227.         r AUTH default ""
    228. 

  228.         assert {[llength [r ACL LOG]] > 1}
    229. 

  229.         assert {[llength [r ACL LOG 2]] == 2}
    230. 

  230.     }
    231. 

  231. 

  232.     test {ACL LOG can log failed auth attempts} {
    233. 

  233.         catch {r AUTH antirez wrong-password}
    234. 

  234.         set entry [lindex [r ACL LOG] 0]
    235. 

  235.         assert {[dict get $entry context] eq {toplevel}}
    236. 

  236.         assert {[dict get $entry reason] eq {auth}}
    237. 

  237.         assert {[dict get $entry object] eq {AUTH}}
    238. 

  238.         assert {[dict get $entry username] eq {antirez}}
    239. 

  239.     }
    240. 

  240. 

  241.     test {ACL LOG entries are limited to a maximum amount} {
    242. 

  242.         r ACL LOG RESET
    243. 

  243.         r CONFIG SET acllog-max-len 5
    244. 

  244.         r AUTH antirez foo
    245. 

  245.         for {set j 0} {$j < 10} {incr j} {
    246. 

  246.             catch {r SET obj:$j 123}
    247. 

  247.         }
    248. 

  248.         r AUTH default ""
    249. 

  249.         assert {[llength [r ACL LOG]] == 5}
    250. 

  250.     }
    251. 

  251. 

  252.     test {When default user is off, new connections are not authenticated} {
    253. 

  253.         r ACL setuser default off
    254. 

  254.         catch {set rd1 [redis_deferring_client]} e
    255. 

  255.         r ACL setuser default on
    256. 

  256.         set e
    257. 

  257.     } {*NOAUTH*}
    258. 

  258. }
    259.