blob: ae3f67156ceda9ff90b8fbe0bbbefadfcbe752fd (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
|
set testmodule [file normalize tests/modules/aclcheck.so]
start_server {tags {"modules acl"}} {
r module load $testmodule
test {test module check acl for command perm} {
# by default all commands allowed
assert_equal [r aclcheck.rm_call.check.cmd set x 5] OK
# block SET command for user
r acl setuser default -set
catch {r aclcheck.rm_call.check.cmd set x 5} e
assert_match {*DENIED CMD*} $e
# verify that new log entry added
set entry [lindex [r ACL LOG] 0]
assert {[dict get $entry username] eq {default}}
assert {[dict get $entry context] eq {module}}
assert {[dict get $entry object] eq {set}}
assert {[dict get $entry reason] eq {command}}
}
test {test module check acl for key perm} {
# give permission for SET and block all keys but x(READ+WRITE), y(WRITE), z(READ)
r acl setuser default +set resetkeys ~x %W~y %R~z
assert_equal [r aclcheck.set.check.key "*" x 5] OK
catch {r aclcheck.set.check.key "*" v 5} e
assert_match "*DENIED KEY*" $e
assert_equal [r aclcheck.set.check.key "~" x 5] OK
assert_equal [r aclcheck.set.check.key "~" y 5] OK
assert_equal [r aclcheck.set.check.key "~" z 5] OK
catch {r aclcheck.set.check.key "~" v 5} e
assert_match "*DENIED KEY*" $e
assert_equal [r aclcheck.set.check.key "W" y 5] OK
catch {r aclcheck.set.check.key "W" v 5} e
assert_match "*DENIED KEY*" $e
assert_equal [r aclcheck.set.check.key "R" z 5] OK
catch {r aclcheck.set.check.key "R" v 5} e
assert_match "*DENIED KEY*" $e
}
test {test module check acl for module user} {
# the module user has access to all keys
assert_equal [r aclcheck.rm_call.check.cmd.module.user set y 5] OK
}
test {test module check acl for channel perm} {
# block all channels but ch1
r acl setuser default resetchannels &ch1
assert_equal [r aclcheck.publish.check.channel ch1 msg] 0
catch {r aclcheck.publish.check.channel ch2 msg} e
set e
} {*DENIED CHANNEL*}
test {test module check acl in rm_call} {
# rm call check for key permission (x: READ + WRITE)
assert_equal [r aclcheck.rm_call set x 5] OK
assert_equal [r aclcheck.rm_call set x 6 get] 5
# rm call check for key permission (y: only WRITE)
assert_equal [r aclcheck.rm_call set y 5] OK
assert_error {*NOPERM*} {r aclcheck.rm_call set y 5 get}
assert_error {*NOPERM*No permissions to access a key*} {r aclcheck.rm_call_with_errors set y 5 get}
# rm call check for key permission (z: only READ)
assert_error {*NOPERM*} {r aclcheck.rm_call set z 5}
catch {r aclcheck.rm_call_with_errors set z 5} e
assert_match {*NOPERM*No permissions to access a key*} $e
assert_error {*NOPERM*} {r aclcheck.rm_call set z 6 get}
assert_error {*NOPERM*No permissions to access a key*} {r aclcheck.rm_call_with_errors set z 6 get}
# verify that new log entry added
set entry [lindex [r ACL LOG] 0]
assert {[dict get $entry username] eq {default}}
assert {[dict get $entry context] eq {module}}
assert {[dict get $entry object] eq {z}}
assert {[dict get $entry reason] eq {key}}
# rm call check for command permission
r acl setuser default -set
assert_error {*NOPERM*} {r aclcheck.rm_call set x 5}
assert_error {*NOPERM*has no permissions to run the 'set' command*} {r aclcheck.rm_call_with_errors set x 5}
# verify that new log entry added
set entry [lindex [r ACL LOG] 0]
assert {[dict get $entry username] eq {default}}
assert {[dict get $entry context] eq {module}}
assert {[dict get $entry object] eq {set}}
assert {[dict get $entry reason] eq {command}}
}
test {test blocking of Commands outside of OnLoad} {
assert_equal [r block.commands.outside.onload] OK
}
test {test users to have access to module commands having acl categories} {
r acl SETUSER j1 on >password -@all +@WRITE
r acl SETUSER j2 on >password -@all +@READ
assert_equal [r acl DRYRUN j1 aclcheck.module.command.aclcategories.write] OK
assert_equal [r acl DRYRUN j2 aclcheck.module.command.aclcategories.write.function.read.category] OK
assert_equal [r acl DRYRUN j2 aclcheck.module.command.aclcategories.read.only.category] OK
}
test {test existing users to have access to module commands loaded on runtime} {
assert_equal [r module unload aclcheck] OK
r acl SETUSER j3 on >password -@all +@WRITE
assert_equal [r module load $testmodule] OK
assert_equal [r acl DRYRUN j3 aclcheck.module.command.aclcategories.write] OK
}
test {test existing users without permissions, do not have access to module commands loaded on runtime.} {
assert_equal [r module unload aclcheck] OK
r acl SETUSER j4 on >password -@all +@READ
r acl SETUSER j5 on >password -@all +@WRITE
assert_equal [r module load $testmodule] OK
catch {r acl DRYRUN j4 aclcheck.module.command.aclcategories.write} e
assert_equal {User j4 has no permissions to run the 'aclcheck.module.command.aclcategories.write' command} $e
catch {r acl DRYRUN j5 aclcheck.module.command.aclcategories.write.function.read.category} e
assert_equal {User j5 has no permissions to run the 'aclcheck.module.command.aclcategories.write.function.read.category' command} $e
}
test {test users without permissions, do not have access to module commands.} {
r acl SETUSER j6 on >password -@all +@READ
catch {r acl DRYRUN j6 aclcheck.module.command.aclcategories.write} e
assert_equal {User j6 has no permissions to run the 'aclcheck.module.command.aclcategories.write' command} $e
r acl SETUSER j7 on >password -@all +@WRITE
catch {r acl DRYRUN j7 aclcheck.module.command.aclcategories.write.function.read.category} e
assert_equal {User j7 has no permissions to run the 'aclcheck.module.command.aclcategories.write.function.read.category' command} $e
}
test "Unload the module - aclcheck" {
assert_equal {OK} [r module unload aclcheck]
}
}
|
