diff options
| author | Madelyn Olson <34459052+madolson@users.noreply.github.com> | 2022-04-11 22:16:17 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-04-11 22:16:17 -0700 |
| commit | 8bd01a07ae75609a36335ab34b37da41da1b1bf2 (patch) | |
| tree | 554db739e86b21da964803b9534e5636ee8c00d8 | |
| parent | 4c6d9bbd626bb25cf7d154ea0b7d347172015cfb (diff) | |
| download | redis-8bd01a07ae75609a36335ab34b37da41da1b1bf2.tar.gz | |
Allow specifying ACL reason for module log entry (#10559)
Allow specifying an ACL log reason, which is shown in the log. Right now it always shows "unknown", which is a little bit cryptic. This is a breaking change, but this API was added as part of 7 so it seems ok to stabilize it still.
| -rw-r--r-- | src/module.c | 14 | ||||
| -rw-r--r-- | src/redismodule.h | 9 | ||||
| -rw-r--r-- | tests/modules/aclcheck.c | 2 | ||||
| -rw-r--r-- | tests/unit/moduleapi/aclcheck.tcl | 3 |
4 files changed, 24 insertions, 4 deletions
diff --git a/src/module.c b/src/module.c index a702d462b..aea28bcbe 100644 --- a/src/module.c +++ b/src/module.c @@ -8699,8 +8699,18 @@ int RM_ACLCheckChannelPermissions(RedisModuleUser *user, RedisModuleString *ch, * Returns REDISMODULE_OK on success and REDISMODULE_ERR on error. * * For more information about ACL log, please refer to https://redis.io/commands/acl-log */ -void RM_ACLAddLogEntry(RedisModuleCtx *ctx, RedisModuleUser *user, RedisModuleString *object) { - addACLLogEntry(ctx->client, 0, ACL_LOG_CTX_MODULE, -1, user->user->name, sdsdup(object->ptr)); +int RM_ACLAddLogEntry(RedisModuleCtx *ctx, RedisModuleUser *user, RedisModuleString *object, RedisModuleACLLogEntryReason reason) { + int acl_reason; + switch (reason) { + case REDISMODULE_ACL_LOG_AUTH: acl_reason = ACL_DENIED_AUTH; break; + case REDISMODULE_ACL_LOG_KEY: acl_reason = ACL_DENIED_KEY; break; + case REDISMODULE_ACL_LOG_CHANNEL: acl_reason = ACL_DENIED_CHANNEL; break; + case REDISMODULE_ACL_LOG_CMD: acl_reason = ACL_DENIED_CMD; break; + default: return REDISMODULE_ERR; + } + + addACLLogEntry(ctx->client, acl_reason, ACL_LOG_CTX_MODULE, -1, user->user->name, sdsdup(object->ptr)); + return REDISMODULE_OK; } /* Authenticate the client associated with the context with diff --git a/src/redismodule.h b/src/redismodule.h index 4d3141488..98844399f 100644 --- a/src/redismodule.h +++ b/src/redismodule.h @@ -735,6 +735,13 @@ typedef struct RedisModuleSwapDbInfo { #define RedisModuleSwapDbInfo RedisModuleSwapDbInfoV1 +typedef enum { + REDISMODULE_ACL_LOG_AUTH = 0, /* Authentication failure */ + REDISMODULE_ACL_LOG_CMD, /* Command authorization failure */ + REDISMODULE_ACL_LOG_KEY, /* Key authorization failure */ + REDISMODULE_ACL_LOG_CHANNEL /* Channel authorization failure */ +} RedisModuleACLLogEntryReason; + /* ------------------------- End of common defines ------------------------ */ #ifndef REDISMODULE_CORE @@ -1158,7 +1165,7 @@ REDISMODULE_API RedisModuleUser * (*RedisModule_GetModuleUserFromUserName)(Redis REDISMODULE_API int (*RedisModule_ACLCheckCommandPermissions)(RedisModuleUser *user, RedisModuleString **argv, int argc) REDISMODULE_ATTR; REDISMODULE_API int (*RedisModule_ACLCheckKeyPermissions)(RedisModuleUser *user, RedisModuleString *key, int flags) REDISMODULE_ATTR; REDISMODULE_API int (*RedisModule_ACLCheckChannelPermissions)(RedisModuleUser *user, RedisModuleString *ch, int literal) REDISMODULE_ATTR; -REDISMODULE_API void (*RedisModule_ACLAddLogEntry)(RedisModuleCtx *ctx, RedisModuleUser *user, RedisModuleString *object) REDISMODULE_ATTR; +REDISMODULE_API void (*RedisModule_ACLAddLogEntry)(RedisModuleCtx *ctx, RedisModuleUser *user, RedisModuleString *object, RedisModuleACLLogEntryReason reason) REDISMODULE_ATTR; REDISMODULE_API int (*RedisModule_AuthenticateClientWithACLUser)(RedisModuleCtx *ctx, const char *name, size_t len, RedisModuleUserChangedFunc callback, void *privdata, uint64_t *client_id) REDISMODULE_ATTR; REDISMODULE_API int (*RedisModule_AuthenticateClientWithUser)(RedisModuleCtx *ctx, RedisModuleUser *user, RedisModuleUserChangedFunc callback, void *privdata, uint64_t *client_id) REDISMODULE_ATTR; REDISMODULE_API int (*RedisModule_DeauthenticateAndCloseClient)(RedisModuleCtx *ctx, uint64_t client_id) REDISMODULE_ATTR; diff --git a/tests/modules/aclcheck.c b/tests/modules/aclcheck.c index 8a9d468a6..9f4564d27 100644 --- a/tests/modules/aclcheck.c +++ b/tests/modules/aclcheck.c @@ -92,7 +92,7 @@ int rm_call_aclcheck_cmd(RedisModuleCtx *ctx, RedisModuleUser *user, RedisModule if (ret != 0) { RedisModule_ReplyWithError(ctx, "DENIED CMD"); /* Add entry to ACL log */ - RedisModule_ACLAddLogEntry(ctx, user, argv[1]); + RedisModule_ACLAddLogEntry(ctx, user, argv[1], REDISMODULE_ACL_LOG_CMD); return REDISMODULE_OK; } diff --git a/tests/unit/moduleapi/aclcheck.tcl b/tests/unit/moduleapi/aclcheck.tcl index 5adf65371..d96ea89cf 100644 --- a/tests/unit/moduleapi/aclcheck.tcl +++ b/tests/unit/moduleapi/aclcheck.tcl @@ -16,6 +16,7 @@ start_server {tags {"modules acl"}} { assert {[dict get $entry username] eq {default}} assert {[dict get $entry context] eq {module}} assert {[dict get $entry object] eq {set}} + assert {[dict get $entry reason] eq {command}} } test {test module check acl for key perm} { @@ -75,6 +76,7 @@ start_server {tags {"modules acl"}} { assert {[dict get $entry username] eq {default}} assert {[dict get $entry context] eq {module}} assert {[dict get $entry object] eq {z}} + assert {[dict get $entry reason] eq {key}} # rm call check for command permission r acl setuser default -set @@ -88,6 +90,7 @@ start_server {tags {"modules acl"}} { assert {[dict get $entry username] eq {default}} assert {[dict get $entry context] eq {module}} assert {[dict get $entry object] eq {set}} + assert {[dict get $entry reason] eq {command}} } test "Unload the module - aclcheck" { |