diff options
author | Harkrishn Patro <30795839+hpatro@users.noreply.github.com> | 2022-01-30 11:02:55 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-30 12:02:55 +0200 |
commit | a43b6922d1e37d60acf63484b7057299c9bf584d (patch) | |
tree | d74294e6d9b31342cef6fc27a1b936ecbfa62f71 /tests | |
parent | eedec155acdd0ead3536edf6988e250a1a9fcb3e (diff) | |
download | redis-a43b6922d1e37d60acf63484b7057299c9bf584d.tar.gz |
Set default channel permission to resetchannels for 7.0 (#10181)
For backwards compatibility in 6.x, channels default permission was set to `allchannels` however with 7.0,
we should modify it and the default value should be `resetchannels` for better security posture.
Also, with selectors in ACL, a client doesn't have to set channel rules everytime and by default
the value will be `resetchannels`.
Before this change
```
127.0.0.1:6379> acl list
1) "user default on nopass ~* &* +@all"
127.0.0.1:6379> acl setuser hp on nopass +@all ~*
OK
127.0.0.1:6379> acl list
1) "user default on nopass ~* &* +@all"
2) "user hp on nopass ~* &* +@all"
127.0.0.1:6379> acl setuser hp1 on nopass -@all (%R~sales*)
OK
127.0.0.1:6379> acl list
1) "user default on nopass ~* &* +@all"
2) "user hp on nopass ~* &* +@all"
3) "user hp1 on nopass &* -@all (%R~sales* &* -@all)"
```
After this change
```
127.0.0.1:6379> acl list
1) "user default on nopass ~* &* +@all"
127.0.0.1:6379> acl setuser hp on nopass +@all ~*
OK
127.0.0.1:6379> acl list
1) "user default on nopass ~* &* +@all"
2) "user hp on nopass ~* resetchannels +@all"
127.0.0.1:6379> acl setuser hp1 on nopass -@all (%R~sales*)
OK
127.0.0.1:6379> acl list
1) "user default on nopass ~* &* +@all"
2) "user hp on nopass ~* resetchannels +@all"
3) "user hp1 on nopass resetchannels -@all (%R~sales* resetchannels -@all)"
```
Diffstat (limited to 'tests')
-rw-r--r-- | tests/assets/user.acl | 6 | ||||
-rw-r--r-- | tests/unit/acl-v2.tcl | 6 | ||||
-rw-r--r-- | tests/unit/acl.tcl | 75 |
3 files changed, 61 insertions, 26 deletions
diff --git a/tests/assets/user.acl b/tests/assets/user.acl index 67303512c..926ac54f6 100644 --- a/tests/assets/user.acl +++ b/tests/assets/user.acl @@ -1,3 +1,3 @@ -user alice on allcommands allkeys >alice -user bob on -@all +@set +acl ~set* >bob -user default on nopass ~* +@all +user alice on allcommands allkeys &* >alice +user bob on -@all +@set +acl ~set* &* >bob +user default on nopass ~* &* +@all diff --git a/tests/unit/acl-v2.tcl b/tests/unit/acl-v2.tcl index 8f4ac83cc..72ea44c3a 100644 --- a/tests/unit/acl-v2.tcl +++ b/tests/unit/acl-v2.tcl @@ -20,12 +20,12 @@ start_server {tags {"acl external:skip"}} { assert_match "*NOPERM*keys*" $err } - test {Test ACL selectors by default have no permissions (except channels)} { + test {Test ACL selectors by default have no permissions} { r ACL SETUSER selector-default reset () set user [r ACL GETUSER "selector-default"] assert_equal 1 [llength [dict get $user selectors]] assert_equal "" [dict get [lindex [dict get $user selectors] 0] keys] - assert_equal "&*" [dict get [lindex [dict get $user selectors] 0] channels] + assert_equal "" [dict get [lindex [dict get $user selectors] 0] channels] assert_equal "-@all" [dict get [lindex [dict get $user selectors] 0] commands] } @@ -44,7 +44,7 @@ start_server {tags {"acl external:skip"}} { catch {r ACL SETUSER selector-syntax on (this-is-invalid)} e assert_match "*ERR Error in ACL SETUSER modifier '(*)*Syntax*" $e - catch {r ACL SETUSER selector-syntax on (&fail)} e + catch {r ACL SETUSER selector-syntax on (&* &fail)} e assert_match "*ERR Error in ACL SETUSER modifier '(*)*Adding a pattern after the*" $e assert_equal "" [r ACL GETUSER selector-syntax] diff --git a/tests/unit/acl.tcl b/tests/unit/acl.tcl index 24f069313..494c3847e 100644 --- a/tests/unit/acl.tcl +++ b/tests/unit/acl.tcl @@ -81,42 +81,70 @@ start_server {tags {"acl external:skip"}} { set e } {*NOPERM*key*} - test {By default users are able to publish to any channel} { + test {By default, only default user is able to publish to any channel} { + r AUTH default pwd + r PUBLISH foo bar r ACL setuser psuser on >pspass +acl +client +@pubsub r AUTH psuser pspass - r PUBLISH foo bar - } {0} + catch {r PUBLISH foo bar} e + set e + } {*NOPERM*channels*} - test {By default users are able to publish to any shard channel} { + test {By default, only default user is not able to publish to any shard channel} { + r AUTH default pwd r SPUBLISH foo bar - } {0} + r AUTH psuser pspass + catch {r SPUBLISH foo bar} e + set e + } {*NOPERM*channels*} - test {By default users are able to subscribe to any channel} { + test {By default, only default user is able to subscribe to any channel} { set rd [redis_deferring_client] - $rd AUTH psuser pspass + $rd AUTH default pwd $rd read $rd SUBSCRIBE foo assert_match {subscribe foo 1} [$rd read] + $rd UNSUBSCRIBE + $rd read + $rd AUTH psuser pspass + $rd read + $rd SUBSCRIBE foo + catch {$rd read} e $rd close - } {0} + set e + } {*NOPERM*channels*} - test {By default users are able to subscribe to any shard channel} { + test {By default, only default user is able to subscribe to any shard channel} { set rd [redis_deferring_client] - $rd AUTH psuser pspass + $rd AUTH default pwd $rd read $rd SSUBSCRIBE foo assert_match {ssubscribe foo 1} [$rd read] + $rd SUNSUBSCRIBE + $rd read + $rd AUTH psuser pspass + $rd read + $rd SSUBSCRIBE foo + catch {$rd read} e $rd close - } {0} + set e + } {*NOPERM*channels*} - test {By default users are able to subscribe to any pattern} { + test {By default, only default user is able to subscribe to any pattern} { set rd [redis_deferring_client] - $rd AUTH psuser pspass + $rd AUTH default pwd $rd read $rd PSUBSCRIBE bar* assert_match {psubscribe bar\* 1} [$rd read] + $rd PUNSUBSCRIBE + $rd read + $rd AUTH psuser pspass + $rd read + $rd PSUBSCRIBE bar* + catch {$rd read} e $rd close - } {0} + set e + } {*NOPERM*channels*} test {It's possible to allow publishing to a subset of channels} { r ACL setuser psuser resetchannels &foo:1 &bar:* @@ -675,10 +703,10 @@ start_server {tags {"acl external:skip"}} { set server_path [tmpdir "server.acl"] exec cp -f tests/assets/user.acl $server_path -start_server [list overrides [list "dir" $server_path "aclfile" "user.acl"] tags [list "external:skip"]] { - # user alice on allcommands allkeys >alice - # user bob on -@all +@set +acl ~set* >bob - # user default on nopass ~* +@all +start_server [list overrides [list "dir" $server_path "acl-pubsub-default" "allchannels" "aclfile" "user.acl"] tags [list "external:skip"]] { + # user alice on allcommands allkeys &* >alice + # user bob on -@all +@set +acl ~set* &* >bob + # user default on nopass ~* &* +@all test {default: load from include file, can access any channels} { r SUBSCRIBE foo @@ -760,7 +788,7 @@ start_server [list overrides [list "dir" $server_path "aclfile" "user.acl"] tags set server_path [tmpdir "resetchannels.acl"] exec cp -f tests/assets/nodefaultuser.acl $server_path exec cp -f tests/assets/default.conf $server_path -start_server [list overrides [list "dir" $server_path "acl-pubsub-default" "resetchannels" "aclfile" "nodefaultuser.acl"] tags [list "external:skip"]] { +start_server [list overrides [list "dir" $server_path "aclfile" "nodefaultuser.acl"] tags [list "external:skip"]] { test {Default user has access to all channels irrespective of flag} { set channelinfo [dict get [r ACL getuser default] channels] @@ -811,7 +839,14 @@ start_server [list overrides [list "dir" $server_path "acl-pubsub-default" "rese start_server {overrides {user "default on nopass ~* +@all"} tags {"external:skip"}} { - test {default: load from config file, can access any channels} { + test {default: load from config file, without channel permission default user can't access any channels} { + catch {r SUBSCRIBE foo} e + set e + } {*NOPERM*channel*} +} + +start_server {overrides {user "default on nopass ~* &* +@all"} tags {"external:skip"}} { + test {default: load from config file with all channels permissions} { r SUBSCRIBE foo r PSUBSCRIBE bar* r UNSUBSCRIBE |