"Fossies" - the Fresh Open Source Software Archive

Member "redis-6.0.8/tests/unit/acl.tcl" (10 Sep 2020, 10131 Bytes) of package /linux/misc/redis-6.0.8.tar.gz:



    1 start_server {tags {"acl"}} {
    2     test {Connections start with the default user} {
    3         r ACL WHOAMI
    4     } {default}
    5 
    6     test {It is possible to create new users} {
    7         r ACL setuser newuser
    8     }
    9 
   10     test {New users start disabled} {
   11         r ACL setuser newuser >passwd1
   12         catch {r AUTH newuser passwd1} err
   13         set err
   14     } {*WRONGPASS*}
   15 
   16     test {Enabling the user allows the login} {
   17         r ACL setuser newuser on +acl
   18         r AUTH newuser passwd1
   19         r ACL WHOAMI
   20     } {newuser}
   21 
   22     test {Only the set of correct passwords work} {
   23         r ACL setuser newuser >passwd2
   24         catch {r AUTH newuser passwd1} e
   25         assert {$e eq "OK"}
   26         catch {r AUTH newuser passwd2} e
   27         assert {$e eq "OK"}
   28         catch {r AUTH newuser passwd3} e
   29         set e
   30     } {*WRONGPASS*}
   31 
   32     test {It is possible to remove passwords from the set of valid ones} {
   33         r ACL setuser newuser <passwd1
   34         catch {r AUTH newuser passwd1} e
   35         set e
   36     } {*WRONGPASS*}
   37 
   38     test {Test password hashes can be added} {
   39         r ACL setuser newuser #34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e6
   40         catch {r AUTH newuser passwd4} e
   41         assert {$e eq "OK"}
   42     }
   43 
   44     test {Test password hashes validate input} {
   45         # Validate Length
   46         catch {r ACL setuser newuser #34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e} e
   47         # Validate character outside set
   48         catch {r ACL setuser newuser #34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4eq} e
   49         set e
   50     } {*Error in ACL SETUSER modifier*}
   51 
   52     test {ACL GETUSER returns the password hash instead of the actual password} {
   53         set passstr [dict get [r ACL getuser newuser] passwords]
   54         assert_match {*34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e6*} $passstr
   55         assert_no_match {*passwd4*} $passstr
   56     }
   57 
   58     test {Test hashed passwords removal} {
   59         r ACL setuser newuser !34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e6
   60         set passstr [dict get [r ACL getuser newuser] passwords]
   61         assert_no_match {*34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e6*} $passstr
   62     }
   63 
   64     test {By default users are not able to access any command} {
   65         catch {r SET foo bar} e
   66         set e
   67     } {*NOPERM*}
   68 
   69     test {By default users are not able to access any key} {
   70         r ACL setuser newuser +set
   71         catch {r SET foo bar} e
   72         set e
   73     } {*NOPERM*key*}
   74 
   75     test {It's possible to allow the access of a subset of keys} {
   76         r ACL setuser newuser allcommands ~foo:* ~bar:*
   77         r SET foo:1 a
   78         r SET bar:2 b
   79         catch {r SET zap:3 c} e
   80         r ACL setuser newuser allkeys; # Undo keys ACL
   81         set e
   82     } {*NOPERM*key*}
   83 
   84     test {Users can be configured to authenticate with any password} {
   85         r ACL setuser newuser nopass
   86         r AUTH newuser zipzapblabla
   87     } {OK}
   88 
   89     test {ACLs can exclude single commands} {
   90         r ACL setuser newuser -ping
   91         r INCR mycounter ; # Should not raise an error
   92         catch {r PING} e
   93         set e
   94     } {*NOPERM*}
   95 
   96     test {ACLs can include or exclude whole classes of commands} {
   97         r ACL setuser newuser -@all +@set +acl
   98         r SADD myset a b c; # Should not raise an error
   99         r ACL setuser newuser +@all -@string
  100         r SADD myset a b c; # Again should not raise an error
  101         # String commands instead should raise an error
  102         catch {r SET foo bar} e
  103         r ACL setuser newuser allcommands; # Undo commands ACL
  104         set e
  105     } {*NOPERM*}
  106 
  107     test {ACLs can include single subcommands} {
  108         r ACL setuser newuser +@all -client
  109         r ACL setuser newuser +client|id +client|setname
  110         r CLIENT ID; # Should not fail
  111         r CLIENT SETNAME foo ; # Should not fail
  112         catch {r CLIENT KILL type master} e
  113         set e
  114     } {*NOPERM*}
  115 
  116     # Note that the order of the generated ACL rules is not stable in Redis
  117     # so we need to match the different parts and not as a whole string.
  118     test {ACL GETUSER is able to translate back command permissions} {
  119         # Subtractive
  120         r ACL setuser newuser reset +@all ~* -@string +incr -debug +debug|digest
  121         set cmdstr [dict get [r ACL getuser newuser] commands]
  122         assert_match {*+@all*} $cmdstr
  123         assert_match {*-@string*} $cmdstr
  124         assert_match {*+incr*} $cmdstr
  125         assert_match {*-debug +debug|digest**} $cmdstr
  126 
  127         # Additive
  128         r ACL setuser newuser reset +@string -incr +acl +debug|digest +debug|segfault
  129         set cmdstr [dict get [r ACL getuser newuser] commands]
  130         assert_match {*-@all*} $cmdstr
  131         assert_match {*+@string*} $cmdstr
  132         assert_match {*-incr*} $cmdstr
  133         assert_match {*+debug|digest*} $cmdstr
  134         assert_match {*+debug|segfault*} $cmdstr
  135         assert_match {*+acl*} $cmdstr
  136     }
  137 
  138     test {ACL #5998 regression: memory leaks adding / removing subcommands} {
  139         r AUTH default ""
  140         r ACL setuser newuser reset -debug +debug|a +debug|b +debug|c
  141         r ACL setuser newuser -debug
  142         # The test framework will detect a leak if any.
  143     }
  144 
  145     test {ACL LOG shows failed command executions at toplevel} {
  146         r ACL LOG RESET
  147         r ACL setuser antirez >foo on +set ~object:1234
  148         r ACL setuser antirez +eval +multi +exec
  149         r AUTH antirez foo
  150         catch {r GET foo}
  151         r AUTH default ""
  152         set entry [lindex [r ACL LOG] 0]
  153         assert {[dict get $entry username] eq {antirez}}
  154         assert {[dict get $entry context] eq {toplevel}}
  155         assert {[dict get $entry reason] eq {command}}
  156         assert {[dict get $entry object] eq {get}}
  157     }
  158 
  159     test {ACL LOG is able to test similar events} {
  160         r AUTH antirez foo
  161         catch {r GET foo}
  162         catch {r GET foo}
  163         catch {r GET foo}
  164         r AUTH default ""
  165         set entry [lindex [r ACL LOG] 0]
  166         assert {[dict get $entry count] == 4}
  167     }
  168 
  169     test {ACL LOG is able to log keys access violations and key name} {
  170         r AUTH antirez foo
  171         catch {r SET somekeynotallowed 1234}
  172         r AUTH default ""
  173         set entry [lindex [r ACL LOG] 0]
  174         assert {[dict get $entry reason] eq {key}}
  175         assert {[dict get $entry object] eq {somekeynotallowed}}
  176     }
  177 
  178     test {ACL LOG RESET is able to flush the entries in the log} {
  179         r ACL LOG RESET
  180         assert {[llength [r ACL LOG]] == 0}
  181     }
  182 
  183     test {ACL LOG can distinguish the transaction context (1)} {
  184         r AUTH antirez foo
  185         r MULTI
  186         catch {r INCR foo}
  187         catch {r EXEC}
  188         r AUTH default ""
  189         set entry [lindex [r ACL LOG] 0]
  190         assert {[dict get $entry context] eq {multi}}
  191         assert {[dict get $entry object] eq {incr}}
  192     }
  193 
  194     test {ACL LOG can distinguish the transaction context (2)} {
  195         set rd1 [redis_deferring_client]
  196         r ACL SETUSER antirez +incr
  197 
  198         r AUTH antirez foo
  199         r MULTI
  200         r INCR object:1234
  201         $rd1 ACL SETUSER antirez -incr
  202         $rd1 read
  203         catch {r EXEC}
  204         $rd1 close
  205         r AUTH default ""
  206         set entry [lindex [r ACL LOG] 0]
  207         assert {[dict get $entry context] eq {multi}}
  208         assert {[dict get $entry object] eq {incr}}
  209         r ACL SETUSER antirez -incr
  210     }
  211 
  212     test {ACL can log errors in the context of Lua scripting} {
  213         r AUTH antirez foo
  214         catch {r EVAL {redis.call('incr','foo')} 0}
  215         r AUTH default ""
  216         set entry [lindex [r ACL LOG] 0]
  217         assert {[dict get $entry context] eq {lua}}
  218         assert {[dict get $entry object] eq {incr}}
  219     }
  220 
  221     test {ACL LOG can accept a numerical argument to show less entries} {
  222         r AUTH antirez foo
  223         catch {r INCR foo}
  224         catch {r INCR foo}
  225         catch {r INCR foo}
  226         catch {r INCR foo}
  227         r AUTH default ""
  228         assert {[llength [r ACL LOG]] > 1}
  229         assert {[llength [r ACL LOG 2]] == 2}
  230     }
  231 
  232     test {ACL LOG can log failed auth attempts} {
  233         catch {r AUTH antirez wrong-password}
  234         set entry [lindex [r ACL LOG] 0]
  235         assert {[dict get $entry context] eq {toplevel}}
  236         assert {[dict get $entry reason] eq {auth}}
  237         assert {[dict get $entry object] eq {AUTH}}
  238         assert {[dict get $entry username] eq {antirez}}
  239     }
  240 
  241     test {ACL LOG entries are limited to a maximum amount} {
  242         r ACL LOG RESET
  243         r CONFIG SET acllog-max-len 5
  244         r AUTH antirez foo
  245         for {set j 0} {$j < 10} {incr j} {
  246             catch {r SET obj:$j 123}
  247         }
  248         r AUTH default ""
  249         assert {[llength [r ACL LOG]] == 5}
  250     }
  251 
  252     test {When default user is off, new connections are not authenticated} {
  253         r ACL setuser default off
  254         catch {set rd1 [redis_deferring_client]} e
  255         r ACL setuser default on
  256         set e
  257     } {*NOAUTH*}
  258 
  259     test {ACL HELP should not have unexpected options} {
  260         catch {r ACL help xxx} e
  261         assert_match "*Unknown subcommand or wrong number of arguments*" $e
  262     }
  263 }
  264 
  265 set server_path [tmpdir "server.acl"]
  266 exec cp -f tests/assets/user.acl $server_path
  267 start_server [list overrides [list "dir" $server_path "aclfile" "user.acl"]] {
  268     # user alice on allcommands allkeys >alice
  269     # user bob on -@all +@set +acl ~set* >bob
  270 
  271     test "Alice: can excute all command" {
  272         r AUTH alice alice
  273         assert_equal "alice" [r acl whoami]
  274         r SET key value
  275     }
  276 
  277     test "Bob: just excute @set and acl command" {
  278         r AUTH bob bob
  279         assert_equal "bob" [r acl whoami]
  280         assert_equal "3" [r sadd set 1 2 3]
  281         catch {r SET key value} e
  282         set e
  283     } {*NOPERM*}
  284 
  285     test "ACL load and save" {
  286         r ACL setuser eve +get allkeys >eve on
  287         r ACL save
  288 
  289         # ACL load will free user and kill clients
  290         r ACL load
  291         catch {r ACL LIST} e
  292         assert_match {*I/O error*} $e
  293 
  294         reconnect
  295         r AUTH alice alice
  296         r SET key value
  297         r AUTH eve eve
  298         r GET key
  299         catch {r SET key value} e
  300         set e
  301     } {*NOPERM*}
  302 }