Add module APIs for custom authentication

2025-06-30 09:21:34 +00:00 · 2019-02-26 01:23:11 +00:00
parent e9b99c78df
commit 034dcf185c
13 changed files with 685 additions and 32 deletions
--- a/tests/modules/Makefile
+++ b/tests/modules/Makefile
@ -21,7 +21,8 @@ TEST_MODULES = \
    hooks.so \
    blockonkeys.so \
    scan.so \
-    datatype.so
+    datatype.so \
+    auth.so

 .PHONY: all

--- a/tests/modules/auth.c
+++ b/tests/modules/auth.c
@ -0,0 +1,118 @@
+/* ACL API example - An example of performing custom password authentication
+ *
+ * -----------------------------------------------------------------------------
+ *
+ * Copyright 2019 Amazon.com, Inc. or its affiliates.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *   * Redistributions of source code must retain the above copyright notice,
+ *     this list of conditions and the following disclaimer.
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ *   * Neither the name of Redis nor the names of its contributors may be used
+ *     to endorse or promote products derived from this software without
+ *     specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#define REDISMODULE_EXPERIMENTAL_API
+#include "redismodule.h"
+
+// A simple global user
+static RedisModuleUser *global;
+static long long client_change_delta = 0;
+
+void UserChangedCallback(uint64_t client_id, void *privdata) {
+    REDISMODULE_NOT_USED(privdata);
+    REDISMODULE_NOT_USED(client_id);
+    client_change_delta++;
+}
+
+int Auth_CreateModuleUser(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
+
+    if (global) {
+        RedisModule_FreeModuleUser(global);
+    }
+
+    global = RedisModule_CreateModuleUser("global");
+    RedisModule_SetModuleUserACL(global, "allcommands");
+    RedisModule_SetModuleUserACL(global, "allkeys");
+    RedisModule_SetModuleUserACL(global, "on");
+
+    return RedisModule_ReplyWithSimpleString(ctx, "OK");
+}
+
+int Auth_AuthModuleUser(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
+    uint64_t client_id;
+    RedisModule_AuthenticateClientWithUser(ctx, global, UserChangedCallback, NULL, &client_id);
+
+    return RedisModule_ReplyWithLongLong(ctx, (uint64_t) client_id);
+}
+
+int Auth_AuthRealUser(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
+    if (argc != 2) return RedisModule_WrongArity(ctx);
+
+    size_t length;
+    uint64_t client_id;
+
+    RedisModuleString *user_string = argv[1];
+    const char *name = RedisModule_StringPtrLen(user_string, &length);
+
+    if (RedisModule_AuthenticateClientWithACLUser(ctx, name, length, 
+            UserChangedCallback, NULL, &client_id) == REDISMODULE_ERR) {
+        return RedisModule_ReplyWithError(ctx, "Invalid user");   
+    }
+
+    return RedisModule_ReplyWithLongLong(ctx, (uint64_t) client_id);
+}
+
+int Auth_ChangeCount(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
+    long long result = client_change_delta;
+    client_change_delta = 0;
+    return RedisModule_ReplyWithLongLong(ctx, result);
+}
+
+/* This function must be present on each Redis module. It is used in order to
+ * register the commands into the Redis server. */
+int RedisModule_OnLoad(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
+    REDISMODULE_NOT_USED(argv);
+    REDISMODULE_NOT_USED(argc);
+
+    if (RedisModule_Init(ctx,"testacl",1,REDISMODULE_APIVER_1)
+        == REDISMODULE_ERR) return REDISMODULE_ERR;
+
+    if (RedisModule_CreateCommand(ctx,"auth.authrealuser",
+        Auth_AuthRealUser,"no-auth",0,0,0) == REDISMODULE_ERR)
+        return REDISMODULE_ERR;
+
+    if (RedisModule_CreateCommand(ctx,"auth.createmoduleuser",
+        Auth_CreateModuleUser,"",0,0,0) == REDISMODULE_ERR)
+        return REDISMODULE_ERR;
+
+    if (RedisModule_CreateCommand(ctx,"auth.authmoduleuser",
+        Auth_AuthModuleUser,"no-auth",0,0,0) == REDISMODULE_ERR)
+        return REDISMODULE_ERR;
+
+    if (RedisModule_CreateCommand(ctx,"auth.changecount",
+        Auth_ChangeCount,"",0,0,0) == REDISMODULE_ERR)
+        return REDISMODULE_ERR;
+
+    client_change_delta = 0;
+
+    return REDISMODULE_OK;
+}
--- a/tests/unit/moduleapi/auth.tcl
+++ b/tests/unit/moduleapi/auth.tcl
@ -0,0 +1,71 @@
+set testmodule [file normalize tests/modules/auth.so]
+
+start_server {tags {"modules"}} {
+    r module load $testmodule
+
+    test {Modules can create a user that can be authenticated} {
+        # Make sure we start authenticated with default user
+        r auth default ""
+        assert_equal [r acl whoami] "default"
+        r auth.createmoduleuser
+
+        set id [r auth.authmoduleuser]
+        assert_equal [r client id] $id
+
+        # Verify returned id is the same as our current id and
+        # we are authenticated with the specified user
+        assert_equal [r acl whoami] "global"
+    }
+
+    test {De-authenticating clients is tracked and kills clients} {
+        assert_equal [r auth.changecount] 0
+        r auth.createmoduleuser
+
+        # Catch the I/O exception that was thrown when Redis
+        # disconnected with us. 
+        catch { [r ping] } e
+        assert_match {*I/O*} $e
+
+        # Check that a user change was registered
+        assert_equal [r auth.changecount] 1
+    }
+
+    test {Modules cant authenticate with ACLs users that dont exist} {
+        catch { [r auth.authrealuser auth-module-test-fake] } e
+        assert_match {*Invalid user*} $e
+    }
+
+    test {Modules can authenticate with ACL users} {
+        assert_equal [r acl whoami] "default"
+
+        # Create user to auth into
+        r acl setuser auth-module-test on allkeys allcommands
+
+        set id [r auth.authrealuser auth-module-test]
+
+        # Verify returned id is the same as our current id and
+        # we are authenticated with the specified user
+        assert_equal [r client id] $id
+        assert_equal [r acl whoami] "auth-module-test"
+    }
+
+    test {Client callback is called on user switch} {
+        assert_equal [r auth.changecount] 0
+
+        # Auth again and validate change count
+        r auth.authrealuser auth-module-test
+        assert_equal [r auth.changecount] 1
+
+        # Re-auth with the default user
+        r auth default ""
+        assert_equal [r auth.changecount] 1
+        assert_equal [r acl whoami] "default"
+
+        # Re-auth with the default user again, to
+        # verify the callback isn't fired again
+        r auth default ""
+        assert_equal [r auth.changecount] 0
+        assert_equal [r acl whoami] "default"
+    }
+
+}