Skip to content

feat(AclFamily): add AUTH for acl members #1732

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 16 commits into from
Aug 25, 2023
Merged

feat(AclFamily): add AUTH for acl members #1732

Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
f6d8d1e
feat(AclFamily): add acl setuser command
kostasrim Aug 22, 2023
f4dbe93
chore: add tests, add overloaded header, improve implementation
kostasrim Aug 23, 2023
d37290a
fix: clang bug on Overloaded
kostasrim Aug 23, 2023
0cf215e
Merge branch 'main' into acl_part_4_add_acl_set_user
kostasrim Aug 23, 2023
20412b9
fix: revert accidental removal of a line in acl_family_test
kostasrim Aug 23, 2023
9d3b767
chore: address gh comments
kostasrim Aug 23, 2023
cc2432d
Merge branch 'main' into acl_part_4_add_acl_set_user
kostasrim Aug 23, 2023
c0356d8
chore: use StartsWith instead of string comparison
kostasrim Aug 24, 2023
2251f8e
chore: replace `starts_with` member function with `absl::StartsWith`
kostasrim Aug 24, 2023
ff6e3f0
feat(AclFamily): add AUTH for acl members
kostasrim Aug 24, 2023
16aa85f
Merge branch 'main' into acl_part_5_add_acl_auth
kostasrim Aug 24, 2023
d98d270
chore: address gh comments
kostasrim Aug 24, 2023
d84ff8f
Merge branch 'main' into acl_part_5_add_acl_auth
kostasrim Aug 24, 2023
b4a9163
chore: apply gh comments
kostasrim Aug 25, 2023
cdfdb29
Merge branch 'main' into acl_part_5_add_acl_auth
kostasrim Aug 25, 2023
dba320c
fix broken test
kostasrim Aug 25, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 5 additions & 4 deletions src/server/acl/acl_family.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,16 +123,17 @@ std::variant<User::UpdateRequest, ErrorReply> ParseAclSetUser(CmdArgList args) {
User::UpdateRequest req;

for (auto arg : args) {
ToUpper(&arg);
const auto command = facade::ToSV(arg);
if (auto pass = MaybeParsePassword(command); pass) {
if (auto pass = MaybeParsePassword(facade::ToSV(arg)); pass) {
if (req.password) {
return ErrorReply("Only one password is allowed");
}
req.password = std::move(pass);
continue;
}

ToUpper(&arg);
const auto command = facade::ToSV(arg);

if (auto status = MaybeParseStatus(command); status) {
if (req.is_active) {
return ErrorReply("Multiple ON/OFF are not allowed");
Expand All @@ -143,7 +144,7 @@ std::variant<User::UpdateRequest, ErrorReply> ParseAclSetUser(CmdArgList args) {

auto [cat, add] = MaybeParseAclCategory(command);
if (!cat) {
return ErrorReply(absl::StrCat("Unrecognized paramter", command));
return ErrorReply(absl::StrCat("Unrecognized parameter", command));
}

auto* acl_field = add ? &req.plus_acl_categories : &req.minus_acl_categories;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a bit silly, but do we want to check no category appears both as a minus and as a plus?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is from the previous PR. What do you mean no caregory? You mean NONE ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

like what happens if I do ACL SETUSER +@JSON -@JSON

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I thought about this before, and for this specific case there won't be an issue because the ADD set is applied Before the REMOVE set and I thought that this redundancy is fine. However, now I am thinking about it, for the reverse case this is not true, that is -@JSON +@JSON won't do what is expected and therefore I think we should only allow a group once per SET USER command (and probably this will require some special handling for some categories, example is -@JSON +@ALL).

Another solution is to apply them one by one in order which is slightly slower (since I can apply them all at once) but I don't expect it will affect the performance and IMO I think this is a better solution since it covers the ordering and we can allow +@JSON -@JSON and vice versa.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will address this in a separate PR since this is about the AUTH command

Copy link
Contributor

@dranikpg dranikpg Aug 24, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wait... What operations are permitted? If the string is SSO, then any operations on the map (rehashing, shrinking, etc) will invalidate the string_view 🤨

using RegistryType = absl::flat_hash_map<std::string, User>;

PS: I wanted to put this comment below the std::optional<std::string_view> authed_username; discussion 😬

Expand Down
8 changes: 5 additions & 3 deletions src/server/acl/user_registry.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
#include "server/acl/user_registry.h"

#include "core/fibers.h"
#include "facade/facade_types.h"
#include "server/acl/acl_commands_def.h"

namespace dfly::acl {
Expand Down Expand Up @@ -44,14 +45,15 @@ bool UserRegistry::IsUserActive(std::string_view username) const {
return it->second.IsActive();
}

bool UserRegistry::AuthUser(std::string_view username, std::string_view password) const {
std::pair<bool, const std::string_view> UserRegistry::AuthUser(std::string_view username,
std::string_view password) const {
std::shared_lock<util::SharedMutex> lock(mu_);
const auto& user = registry_.find(username);
if (user == registry_.end()) {
return false;
return {false, {}};
}

return user->second.HasPassword(password);
return {user->second.IsActive() && user->second.HasPassword(password), user->first};
}

UserRegistry::RegistryViewWithLock::RegistryViewWithLock(std::shared_lock<util::SharedMutex> mu,
Expand Down
3 changes: 2 additions & 1 deletion src/server/acl/user_registry.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,8 @@ class UserRegistry {

// Acquires a read lock
// Used by Auth
bool AuthUser(std::string_view username, std::string_view password) const;
std::pair<bool, const std::string_view> AuthUser(std::string_view username,
std::string_view password) const;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a comment what the return value means (not obvious without looking at impl how to tell apart non-existing and existing but disabled user)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No needed anymore, we deep copy the username :)


// Helper class for accessing the registry with a ReadLock outside the scope of UserRegistry
class RegistryViewWithLock {
Expand Down
2 changes: 2 additions & 0 deletions src/server/conn_context.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -196,6 +196,8 @@ class ConnectionContext : public facade::ConnectionContext {
// Reference to a FlowInfo for this connection if from a master to a replica.
FlowInfo* replication_flow;

std::optional<std::string_view> authed_username;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIUC, the underlying std::string_view lives in the user registry and can be de-allocated when that user is deleted.

There's an issue in general of what happens to connections when their user is deleted. But this especially looks like a UAF bug waiting to happen.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nope. That's not true.

  1. You can't change the username of a user once its created.
  2. You can only delete, but when that happens you first evict && close already opened connections so the lifetime semantics are guaranteed -- you will never access the name of the user once its released

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, but please document this next to the field.


private:
void EnableMonitoring(bool enable) {
subscriptions++; // required to support the monitoring
Expand Down
12 changes: 10 additions & 2 deletions src/server/server_family.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1514,8 +1514,16 @@ void ServerFamily::Auth(CmdArgList args, ConnectionContext* cntx) {
return (*cntx)->SendError(kSyntaxErr);
}

if (args.size() == 3) {
return (*cntx)->SendError("ACL is not supported yet");
if (args.size() == 2) {
const auto* registry = ServerState::tlocal()->user_registry;
std::string_view username = facade::ToSV(args[0]);
std::string_view password = facade::ToSV(args[1]);
auto [is_authorized, user] = registry->AuthUser(username, password);
if (is_authorized) {
cntx->authed_username = user;
return (*cntx)->SendOk();
}
return (*cntx)->SendError(absl::StrCat("Could not authorize user: ", username));
}

if (!cntx->req_auth) {
Expand Down
22 changes: 22 additions & 0 deletions tests/dragonfly/acl_family_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,3 +55,25 @@ async def test_acl_setuser(async_client):
await async_client.execute_command("ACL SETUSER kostas +@all")
result = await async_client.execute_command("ACL LIST")
assert "user kostas on nopass +@ALL" in result


@pytest.mark.asyncio
async def test_acl_auth(async_client):
await async_client.execute_command("ACL SETUSER kostas >mypass")

with pytest.raises(redis.exceptions.ResponseError):
await async_client.execute_command("AUTH kostas wrong_pass")

# This should fail because user is inactive
with pytest.raises(redis.exceptions.ResponseError):
await async_client.execute_command("AUTH kostas mypass")

# Activate user
await async_client.execute_command("ACL SETUSER kostas ON")

result = await async_client.execute_command("AUTH kostas mypass")
result == "ok"

# Let's also try default
result = await async_client.execute_command("AUTH default nopass")
result == "ok"