test: add acl and userBlackList test (OpenAtomFoundation#2495)
luky116 authored and liuyuecai committed Mar 14, 2024
1 parent b423165 commit 2c7e409
Showing 3 changed files with 180 additions and 17 deletions.
107 changes: 95 additions & 12 deletions tests/integration/acl_test.go
@@ -2,35 +2,117 @@ package pika_integration

import (
"context"
"time"

. "github.com/bsm/ginkgo/v2"
. "github.com/bsm/gomega"
"github.com/redis/go-redis/v9"
)

var _ = Describe("Acl test", func() {
ctx := context.TODO()
var client *redis.Client

BeforeEach(func() {
client = redis.NewClient(PikaOption(SINGLEADDR))
Expect(client.FlushDB(ctx).Err()).NotTo(HaveOccurred())
time.Sleep(1 * time.Second)
It("has requirepass & userpass & blacklist", func() {
client := redis.NewClient(PikaOption(ACLADDR_1))
authRes := client.Do(ctx, "auth", "wrong!")
Expect(authRes.Err()).To(MatchError("WRONGPASS invalid username-password pair or user is disabled."))

// user:limit
authRes = client.Do(ctx, "auth", "userpass")
Expect(authRes.Err()).NotTo(HaveOccurred())
Expect(authRes.Val()).To(Equal("OK"))

limitRes := client.Do(ctx, "flushall")
Expect(limitRes.Err()).To(MatchError("NOPERM this user has no permissions to run the 'flushall' command"))

limitRes = client.Do(ctx, "flushdb")
Expect(limitRes.Err()).To(MatchError("NOPERM this user has no permissions to run the 'flushdb' command"))

// user:default
authRes = client.Do(ctx, "auth", "requirepass")
Expect(authRes.Err()).NotTo(HaveOccurred())
Expect(authRes.Val()).To(Equal("OK"))

adminRes := client.Do(ctx, "flushall")
Expect(adminRes.Err()).NotTo(HaveOccurred())
Expect(adminRes.Val()).To(Equal("OK"))

adminRes = client.Do(ctx, "flushdb")
Expect(adminRes.Err()).NotTo(HaveOccurred())
Expect(adminRes.Val()).To(Equal("OK"))

})
It("has requirepass & blacklist", func() {
client := redis.NewClient(PikaOption(ACLADDR_2))

// user:limit
authRes := client.Do(ctx, "auth", "anypass")
Expect(authRes.Err()).NotTo(HaveOccurred())

limitRes := client.Do(ctx, "flushall")
Expect(limitRes.Err()).To(MatchError("NOPERM this user has no permissions to run the 'flushall' command"))

limitRes = client.Do(ctx, "flushdb")
Expect(limitRes.Err()).To(MatchError("NOPERM this user has no permissions to run the 'flushdb' command"))

// user:default
authRes = client.Do(ctx, "auth", "requirepass")
Expect(authRes.Err()).NotTo(HaveOccurred())
Expect(authRes.Val()).To(Equal("OK"))

adminRes := client.Do(ctx, "flushall")
Expect(adminRes.Err()).NotTo(HaveOccurred())
Expect(adminRes.Val()).To(Equal("OK"))

adminRes = client.Do(ctx, "flushdb")
Expect(adminRes.Err()).NotTo(HaveOccurred())
Expect(adminRes.Val()).To(Equal("OK"))

AfterEach(func() {
Expect(client.Close()).NotTo(HaveOccurred())
})
It("has other acl user", func() {
client := redis.NewClient(PikaOption(ACLADDR_3))

authRes := client.Do(ctx, "auth", "wrong!")
Expect(authRes.Err()).To(MatchError("WRONGPASS invalid username-password pair or user is disabled."))

// user:limit
authRes = client.Do(ctx, "auth", "userpass")
Expect(authRes.Err()).NotTo(HaveOccurred())
Expect(authRes.Val()).To(Equal("OK"))

limitRes := client.Do(ctx, "flushall")
Expect(limitRes.Err()).To(MatchError("NOPERM this user has no permissions to run the 'flushall' command"))

limitRes = client.Do(ctx, "flushdb")
Expect(limitRes.Err()).To(MatchError("NOPERM this user has no permissions to run the 'flushdb' command"))

// user:limit
authRes = client.Do(ctx, "auth", "limitpass")
Expect(authRes.Err()).NotTo(HaveOccurred())
Expect(authRes.Val()).To(Equal("OK"))

limitRes = client.Do(ctx, "flushall")
Expect(limitRes.Err()).To(MatchError("NOPERM this user has no permissions to run the 'flushall' command"))

limitRes = client.Do(ctx, "flushdb")
Expect(limitRes.Err()).To(MatchError("NOPERM this user has no permissions to run the 'flushdb' command"))

// user:default
authRes = client.Do(ctx, "auth", "requirepass")
Expect(authRes.Err()).NotTo(HaveOccurred())
Expect(authRes.Val()).To(Equal("OK"))

adminRes := client.Do(ctx, "flushall")
Expect(adminRes.Err()).NotTo(HaveOccurred())
Expect(adminRes.Val()).To(Equal("OK"))

adminRes = client.Do(ctx, "flushdb")
Expect(adminRes.Err()).NotTo(HaveOccurred())
Expect(adminRes.Val()).To(Equal("OK"))

It("should acl dryrun", func() {
dryRun := client.ACLDryRun(ctx, "default", "get", "randomKey")

Expect(dryRun.Err()).NotTo(HaveOccurred())
Expect(dryRun.Val()).To(Equal("OK"))
})

It("should ACL LOG RESET", Label("NonRedisEnterprise"), func() {
// Call ACL LOG RESET
resetCmd := client.ACLLogReset(ctx)
Expect(resetCmd.Err()).NotTo(HaveOccurred())
@@ -41,4 +123,5 @@ var _ = Describe("Acl test", func() {
Expect(err).NotTo(HaveOccurred())
Expect(len(logEntries)).To(Equal(0))
})

})
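Review bot: In the "has requirepass & blacklist" case the login `client.Do(ctx, "auth", "anypass")` is checked only for the absence of an error, so the test pins the behaviour that an arbitrary password is accepted on the instance that sets requirepass but no userpass, without saying that this is intended. I would state it in a comment, e.g. `// userpass is unset: any password other than requirepass logs in as the blacklist-restricted user`, and assert the reply with `Expect(authRes.Val()).To(Equal("OK"))` as the other cases do. Each new `It` also builds its own `client := redis.NewClient(...)`, which appears to shadow the suite-level `client` and is never closed in the visible lines; `defer client.Close()` right after the constructor would release the connection. In "has other acl user" the first `// user:limit` comment sits above the `userpass` login and the second above the `limitpass` login, so one of the two labels is probably wrong.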
4 changes: 4 additions & 0 deletions tests/integration/options.go
@@ -14,6 +14,10 @@ const (
SLAVEADDR = "127.0.0.1:9231"
MASTERADDR = "127.0.0.1:9241"
RenameADDR = "127.0.0.1:9251"

ACLADDR_1 = "127.0.0.1:9261"
ACLADDR_2 = "127.0.0.1:9271"
ACLADDR_3 = "127.0.0.1:9281"
)

type TimeValue struct {
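Review bot: The three new constants have no comment saying which server configuration each port belongs to, so a reader of acl_test.go has to open start_master_and_slave.sh to learn what ACLADDR_1 to ACLADDR_3 stand for. A comment above the group would cover it, e.g. `// ACL instances: _1 requirepass+userpass+userblacklist, _2 requirepass+userblacklist only, _3 as _1 plus ACL user "limit"`. The underscore names depart from Go's MixedCaps convention, although the neighbouring constants in this block are already upper-case. The const block begins above the hunk.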
86 changes: 81 additions & 5 deletions tests/integration/start_master_and_slave.sh
@@ -6,18 +6,94 @@ cp ../conf/pika.conf ./pika_single.conf
cp ../conf/pika.conf ./pika_master.conf
cp ../conf/pika.conf ./pika_slave.conf
cp ../conf/pika.conf ./pika_rename.conf
cp ../conf/pika.conf ./pika_acl_both_password.conf
cp ../conf/pika.conf ./pika_acl_only_admin_password.conf
cp ../conf/pika.conf ./pika_has_other_acl_user.conf
# Create folders for storing data on the primary and secondary nodes
mkdir master_data
mkdir slave_data
# Example Change the location for storing data on primary and secondary nodes in the configuration file
sed -i '' -e 's|databases : 1|databases : 2|' -e 's|#daemonize : yes|daemonize : yes|' ./pika_single.conf
sed -i '' -e 's|databases : 1|databases : 2|' -e 's|port : 9221|port : 9241|' -e 's|log-path : ./log/|log-path : ./master_data/log/|' -e 's|db-path : ./db/|db-path : ./master_data/db/|' -e 's|dump-path : ./dump/|dump-path : ./master_data/dump/|' -e 's|pidfile : ./pika.pid|pidfile : ./master_data/pika.pid|' -e 's|db-sync-path : ./dbsync/|db-sync-path : ./master_data/dbsync/|' -e 's|#daemonize : yes|daemonize : yes|' ./pika_master.conf
sed -i '' -e 's|databases : 1|databases : 2|' -e 's|port : 9221|port : 9231|' -e 's|log-path : ./log/|log-path : ./slave_data/log/|' -e 's|db-path : ./db/|db-path : ./slave_data/db/|' -e 's|dump-path : ./dump/|dump-path : ./slave_data/dump/|' -e 's|pidfile : ./pika.pid|pidfile : ./slave_data/pika.pid|' -e 's|db-sync-path : ./dbsync/|db-sync-path : ./slave_data/dbsync/|' -e 's|#daemonize : yes|daemonize : yes|' ./pika_slave.conf
sed -i '' -e 's|# rename-command : FLUSHALL 360flushall|rename-command : FLUSHALL 360flushall|' -e 's|# rename-command : FLUSHDB 360flushdb|rename-command : FLUSHDB 360flushdb|' -e 's|databases : 1|databases : 2|' -e 's|port : 9221|port : 9251|' -e 's|log-path : ./log/|log-path : ./rename_data/log/|' -e 's|db-path : ./db/|db-path : ./rename_data/db/|' -e 's|dump-path : ./dump/|dump-path : ./rename_data/dump/|' -e 's|pidfile : ./pika.pid|pidfile : ./rename_data/pika.pid|' -e 's|db-sync-path : ./dbsync/|db-sync-path : ./rename_data/dbsync/|' -e 's|#daemonize : yes|daemonize : yes|' ./pika_rename.conf
sed -i '' \
-e 's|databases : 1|databases : 2|' \
-e 's|#daemonize : yes|daemonize : yes|' ./pika_single.conf

sed -i '' \
-e 's|databases : 1|databases : 2|' \
-e 's|port : 9221|port : 9241|' \
-e 's|log-path : ./log/|log-path : ./master_data/log/|' \
-e 's|db-path : ./db/|db-path : ./master_data/db/|' \
-e 's|dump-path : ./dump/|dump-path : ./master_data/dump/|' \
-e 's|pidfile : ./pika.pid|pidfile : ./master_data/pika.pid|' \
-e 's|db-sync-path : ./dbsync/|db-sync-path : ./master_data/dbsync/|' \
-e 's|#daemonize : yes|daemonize : yes|' ./pika_master.conf

sed -i '' \
-e 's|databases : 1|databases : 2|' \
-e 's|port : 9221|port : 9231|' \
-e 's|log-path : ./log/|log-path : ./slave_data/log/|' \
-e 's|db-path : ./db/|db-path : ./slave_data/db/|' \
-e 's|dump-path : ./dump/|dump-path : ./slave_data/dump/|' \
-e 's|pidfile : ./pika.pid|pidfile : ./slave_data/pika.pid|' \
-e 's|db-sync-path : ./dbsync/|db-sync-path : ./slave_data/dbsync/|' \
-e 's|#daemonize : yes|daemonize : yes|' ./pika_slave.conf

sed -i '' \
-e 's|# rename-command : FLUSHALL 360flushall|rename-command : FLUSHALL 360flushall|' \
-e 's|# rename-command : FLUSHDB 360flushdb|rename-command : FLUSHDB 360flushdb|' \
-e 's|databases : 1|databases : 2|' \
-e 's|port : 9221|port : 9251|' \
-e 's|log-path : ./log/|log-path : ./rename_data/log/|' \
-e 's|db-path : ./db/|db-path : ./rename_data/db/|' \
-e 's|dump-path : ./dump/|dump-path : ./rename_data/dump/|' \
-e 's|pidfile : ./pika.pid|pidfile : ./rename_data/pika.pid|' \
-e 's|db-sync-path : ./dbsync/|db-sync-path : ./rename_data/dbsync/|' \
-e 's|#daemonize : yes|daemonize : yes|' ./pika_rename.conf

sed -i '' \
-e 's|requirepass :|requirepass : requirepass|' \
-e 's|masterauth :|masterauth : requirepass|' \
-e 's|# userpass :|userpass : userpass|' \
-e 's|# userblacklist :|userblacklist : flushall,flushdb|' \
-e 's|port : 9221|port : 9261|' \
-e 's|log-path : ./log/|log-path : ./acl1_data/log/|' \
-e 's|db-path : ./db/|db-path : ./acl1_data/db/|' \
-e 's|dump-path : ./dump/|dump-path : ./acl1_data/dump/|' \
-e 's|pidfile : ./pika.pid|pidfile : ./acl1_data/pika.pid|' \
-e 's|db-sync-path : ./dbsync/|db-sync-path : ./acl1_data/dbsync/|' \
-e 's|#daemonize : yes|daemonize : yes|' ./pika_acl_both_password.conf

sed -i '' \
-e 's|requirepass :|requirepass : requirepass|' \
-e 's|masterauth :|masterauth : requirepass|' \
-e 's|# userblacklist :|userblacklist : flushall,flushdb|' \
-e 's|port : 9221|port : 9271|' \
-e 's|log-path : ./log/|log-path : ./acl2_data/log/|' \
-e 's|db-path : ./db/|db-path : ./acl2_data/db/|' \
-e 's|dump-path : ./dump/|dump-path : ./acl2_data/dump/|' \
-e 's|pidfile : ./pika.pid|pidfile : ./acl2_data/pika.pid|' \
-e 's|db-sync-path : ./dbsync/|db-sync-path : ./acl2_data/dbsync/|' \
-e 's|#daemonize : yes|daemonize : yes|' ./pika_acl_only_admin_password.conf
sed -i '' \
-e 's|requirepass :|requirepass : requirepass|' \
-e 's|masterauth :|masterauth : requirepass|' \
-e 's|# userpass :|userpass : userpass|' \
-e 's|# userblacklist :|userblacklist : flushall,flushdb|' \
-e 's|port : 9221|port : 9281|' \
-e 's|log-path : ./log/|log-path : ./acl3_data/log/|' \
-e 's|db-path : ./db/|db-path : ./acl3_data/db/|' \
-e 's|dump-path : ./dump/|dump-path : ./acl3_data/dump/|' \
-e 's|pidfile : ./pika.pid|pidfile : ./acl3_data/pika.pid|' \
-e 's|db-sync-path : ./dbsync/|db-sync-path : ./acl3_data/dbsync/|' \
-e 's|#daemonize : yes|daemonize : yes|' ./pika_has_other_acl_user.conf
echo -e '\nuser : limit on >limitpass ~* +@all &*' >> ./pika_has_other_acl_user.conf

# Start three nodes
./pika -c ./pika_single.conf
./pika -c ./pika_master.conf
./pika -c ./pika_slave.conf
./pika -c ./pika_rename.conf
./pika -c ./pika_acl_both_password.conf
./pika -c ./pika_acl_only_admin_password.conf
./pika -c ./pika_has_other_acl_user.conf
#ensure both master and slave are ready
sleep 10
sleep 10
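Review bot: The new `sed` blocks that set `requirepass`, `userpass` and `userblacklist` do nothing, and report nothing, if a pattern no longer matches the copied pika.conf, so an ACL instance could start with the template's authentication settings while the script still succeeds. A check after each block, e.g. `grep -q 'userblacklist : flushall,flushdb' ./pika_acl_both_password.conf || exit 1`, would surface that before the servers are launched. The appended line `user : limit on >limitpass ~* +@all &*` grants every command category, while acl_test.go expects `flushall` and `flushdb` to be refused for that user; a comment saying that userblacklist is expected to take precedence over the ACL rule would record the intent. The comment `# Start three nodes` no longer matches the seven `./pika -c` invocations below it. The script's first lines are outside the hunk.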
