Redis: Add support for sending AUTH commands during connection

This commit is contained in:
Tim Wojtulewicz 2025-05-30 07:50:08 -07:00
parent 9f12208f57
commit f2aca331ec
8 changed files with 161 additions and 26 deletions

View file

@ -39,6 +39,13 @@ export {
## Timeout for operation requests sent to the backend. Operations that ## Timeout for operation requests sent to the backend. Operations that
## exceed this time will return :zeek:see:`Storage::TIMEOUT`. ## exceed this time will return :zeek:see:`Storage::TIMEOUT`.
operation_timeout: interval &default=default_operation_timeout; operation_timeout: interval &default=default_operation_timeout;
## A username to use for authentication the server is protected by an ACL.
username: string &optional;
## A username to use for authentication the server is protected by an ACL
## or by a simple password.
password: string &optional;
}; };
} }

View file

@ -136,6 +136,19 @@ void redisINFO(redisAsyncContext* ctx, void* reply, void* privdata) {
backend->HandleInfoResult(static_cast<redisReply*>(reply)); backend->HandleInfoResult(static_cast<redisReply*>(reply));
} }
/**
* Callback handler for AUTH commands.
*
* @param ctx The async context that called this callback.
* @param reply The reply from the server for the command.
* @param privdata A pointer to private data passed in the command.
*/
void redisAUTH(redisAsyncContext* ctx, void* reply, void* privdata) {
auto t = Tracer("auth");
auto backend = static_cast<zeek::storage::backend::redis::Redis*>(ctx->data);
backend->HandleAuthResult(static_cast<redisReply*>(reply));
}
// Because we called redisPollAttach in DoOpen(), privdata here is a // Because we called redisPollAttach in DoOpen(), privdata here is a
// redisPollEvents object. We can go through that object to get the context's // redisPollEvents object. We can go through that object to get the context's
// data, which contains the backend. Because we overrode these callbacks in // data, which contains the backend. Because we overrode these callbacks in
@ -271,6 +284,14 @@ OperationResult Redis::DoOpen(OpenResultCallback* cb, RecordValPtr options) {
struct timeval timeout = util::double_to_timeval(connect_timeout_opt); struct timeval timeout = util::double_to_timeval(connect_timeout_opt);
opt.connect_timeout = &timeout; opt.connect_timeout = &timeout;
auto username_field = backend_options->GetField<StringVal>("username");
if ( username_field )
username = username_field->ToStdString();
auto password_field = backend_options->GetField<StringVal>("password");
if ( password_field )
password = password_field->ToStdString();
// The connection request below should be operation #1. // The connection request below should be operation #1.
active_ops = 1; active_ops = 1;
@ -642,25 +663,74 @@ void Redis::HandleInfoResult(redisReply* reply) {
CompleteCallback(open_cb, res); CompleteCallback(open_cb, res);
} }
void Redis::HandleAuthResult(redisReply* reply) {
DBG_LOG(DBG_STORAGE, "Redis backend: auth event");
--active_ops;
if ( strncmp(reply->str, "OK", 2) != 0 ) {
std::string reason = util::fmt("AUTH command failed to authenticate: %s", reply->str);
CompleteCallback(open_cb, {ReturnCode::CONNECTION_FAILED, reason});
freeReplyObject(reply);
disconnect_reason = reason;
redisAsyncDisconnect(async_ctx);
return;
}
freeReplyObject(reply);
SendInfoRequest();
}
void Redis::SendInfoRequest() {
DBG_LOG(DBG_STORAGE, "Redis backend: Sending INFO request");
// Request the INFO block from the server that should contain the version information.
int status = redisAsyncCommand(async_ctx, redisINFO, NULL, "INFO server");
if ( status == REDIS_ERR ) {
// TODO: do something with the error?
DBG_LOG(DBG_STORAGE, "INFO command failed: %s err=%d", async_ctx->errstr, async_ctx->err);
CompleteCallback(open_cb, {ReturnCode::OPERATION_FAILED,
util::fmt("INFO command failed to retrieve server info: %s", async_ctx->errstr)});
return;
}
++active_ops;
}
void Redis::OnConnect(int status) { void Redis::OnConnect(int status) {
DBG_LOG(DBG_STORAGE, "Redis backend: connection event, status=%d", status); DBG_LOG(DBG_STORAGE, "Redis backend: connection event, status=%d", status);
--active_ops; --active_ops;
connected = false; connected = false;
if ( status == REDIS_OK ) { if ( status == REDIS_OK ) {
// Request the INFO block from the server that should contain the version information. bool made_auth_request = false;
status = redisAsyncCommand(async_ctx, redisINFO, NULL, "INFO server");
// If the username and/or password are set, send an AUTH command. Fail to
// connect if the authentication fails. We want to pause here while opening.
if ( ! username.empty() && ! password.empty() ) {
status = redisAsyncCommand(async_ctx, redisAUTH, NULL, "AUTH %s %s", username.c_str(), password.c_str());
made_auth_request = true;
}
else if ( ! password.empty() ) {
status = redisAsyncCommand(async_ctx, redisAUTH, NULL, "AUTH %s", password.c_str());
made_auth_request = true;
}
// This will be reset by the sync calls above if we make them and they fail. The
// condition will always be false if we don't make any auth call.
if ( status == REDIS_ERR ) { if ( status == REDIS_ERR ) {
// TODO: do something with the error? DBG_LOG(DBG_STORAGE, "AUTH command failed: %s err=%d", async_ctx->errstr, async_ctx->err);
DBG_LOG(DBG_STORAGE, "INFO command failed: %s err=%d", async_ctx->errstr, async_ctx->err); CompleteCallback(open_cb, {ReturnCode::OPERATION_FAILED,
CompleteCallback(open_cb, util::fmt("AUTH command failed to queue: %s", async_ctx->errstr)});
{ReturnCode::OPERATION_FAILED,
util::fmt("INFO command failed to retrieve server info: %s", async_ctx->errstr)});
return; return;
} }
if ( made_auth_request )
++active_ops; ++active_ops;
else
// This will be called from the handler of the auth event if that succeeds.
SendInfoRequest();
} }
else { else {
DBG_LOG(DBG_STORAGE, "Redis backend: connection failed: %s err=%d", async_ctx->errstr, async_ctx->err); DBG_LOG(DBG_STORAGE, "Redis backend: connection failed: %s err=%d", async_ctx->errstr, async_ctx->err);
@ -682,11 +752,9 @@ void Redis::OnDisconnect(int status) {
} }
else { else {
--active_ops; --active_ops;
std::string msg =
if ( disconnect_reason.empty() ) util::fmt("Client disconnected%s%s", disconnect_reason.empty() ? "" : ": ", disconnect_reason.c_str());
EnqueueBackendLost("Client disconnected"); EnqueueBackendLost(msg);
else
EnqueueBackendLost(util::fmt("Client disconnected: %s", disconnect_reason.c_str()));
if ( close_cb ) if ( close_cb )
CompleteCallback(close_cb, {ReturnCode::SUCCESS}); CompleteCallback(close_cb, {ReturnCode::SUCCESS});

View file

@ -42,6 +42,7 @@ public:
void HandleEraseResult(redisReply* reply, ResultCallback* callback); void HandleEraseResult(redisReply* reply, ResultCallback* callback);
void HandleGeneric(redisReply* reply); void HandleGeneric(redisReply* reply);
void HandleInfoResult(redisReply* reply); void HandleInfoResult(redisReply* reply);
void HandleAuthResult(redisReply* reply);
/** /**
* Returns whether the backend is opened. * Returns whether the backend is opened.
@ -63,6 +64,8 @@ private:
OperationResult ParseReplyError(std::string_view op_str, std::string_view reply_err_str) const; OperationResult ParseReplyError(std::string_view op_str, std::string_view reply_err_str) const;
OperationResult CheckServerVersion(); OperationResult CheckServerVersion();
void SendInfoRequest();
redisAsyncContext* async_ctx = nullptr; redisAsyncContext* async_ctx = nullptr;
// When running in sync mode, this is used to keep a queue of replies as // When running in sync mode, this is used to keep a queue of replies as
@ -77,6 +80,8 @@ private:
std::string server_addr; std::string server_addr;
std::string key_prefix; std::string key_prefix;
std::string disconnect_reason; std::string disconnect_reason;
std::string username;
std::string password;
std::atomic<bool> connected = false; std::atomic<bool> connected = false;
std::atomic<bool> expire_running = false; std::atomic<bool> expire_running = false;

View file

@ -0,0 +1,4 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
open 1, [code=Storage::CONNECTION_FAILED, error_str=AUTH command failed to authenticate: WRONGPASS invalid username-password pair or user is disabled., value=<opaque of BackendHandleVal>]
open 2, [code=Storage::SUCCESS, error_str=<uninitialized>, value=<opaque of BackendHandleVal>]
close, [code=Storage::SUCCESS, error_str=<uninitialized>, value=<uninitialized>]

View file

@ -1,4 +1,4 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
open_result, [code=Storage::SUCCESS, error_str=<uninitialized>, value=<opaque of BackendHandleVal>] open_result, [code=Storage::SUCCESS, error_str=<uninitialized>, value=<opaque of BackendHandleVal>]
Storage::backend_opened, Storage::STORAGE_BACKEND_REDIS, [serializer=Storage::STORAGE_SERIALIZER_JSON, redis=[server_host=127.0.0.1, server_port=xxxx/tcp, server_unix_socket=<uninitialized>, key_prefix=testing, connect_timeout=5.0 secs, operation_timeout=5.0 secs]] Storage::backend_opened, Storage::STORAGE_BACKEND_REDIS, [serializer=Storage::STORAGE_SERIALIZER_JSON, redis=[server_host=127.0.0.1, server_port=xxxx/tcp, server_unix_socket=<uninitialized>, key_prefix=testing, connect_timeout=5.0 secs, operation_timeout=5.0 secs, acl_username=<uninitialized>, password=<uninitialized>]]
Storage::backend_lost, Storage::STORAGE_BACKEND_REDIS, [serializer=Storage::STORAGE_SERIALIZER_JSON, redis=[server_host=127.0.0.1, server_port=xxxx/tcp, server_unix_socket=<uninitialized>, key_prefix=testing, connect_timeout=5.0 secs, operation_timeout=5.0 secs]], Server closed the connection Storage::backend_lost, Storage::STORAGE_BACKEND_REDIS, [serializer=Storage::STORAGE_SERIALIZER_JSON, redis=[server_host=127.0.0.1, server_port=xxxx/tcp, server_unix_socket=<uninitialized>, key_prefix=testing, connect_timeout=5.0 secs, operation_timeout=5.0 secs, acl_username=<uninitialized>, password=<uninitialized>]], Server closed the connection

View file

@ -9,5 +9,5 @@ get result same as originally inserted, T
put result, [code=Storage::SUCCESS, error_str=<uninitialized>, value=<uninitialized>] put result, [code=Storage::SUCCESS, error_str=<uninitialized>, value=<uninitialized>]
get result, [code=Storage::SUCCESS, error_str=<uninitialized>, value=value2345] get result, [code=Storage::SUCCESS, error_str=<uninitialized>, value=value2345]
get result same as overwritten, T get result same as overwritten, T
Storage::backend_opened, Storage::STORAGE_BACKEND_REDIS, [serializer=Storage::STORAGE_SERIALIZER_JSON, redis=[server_host=127.0.0.1, server_port=xxxx/tcp, server_unix_socket=<uninitialized>, key_prefix=testing, connect_timeout=5.0 secs, operation_timeout=5.0 secs]] Storage::backend_opened, Storage::STORAGE_BACKEND_REDIS, [serializer=Storage::STORAGE_SERIALIZER_JSON, redis=[server_host=127.0.0.1, server_port=xxxx/tcp, server_unix_socket=<uninitialized>, key_prefix=testing, connect_timeout=5.0 secs, operation_timeout=5.0 secs, acl_username=<uninitialized>, password=<uninitialized>]]
Storage::backend_lost, Storage::STORAGE_BACKEND_REDIS, [serializer=Storage::STORAGE_SERIALIZER_JSON, redis=[server_host=127.0.0.1, server_port=xxxx/tcp, server_unix_socket=<uninitialized>, key_prefix=testing, connect_timeout=5.0 secs, operation_timeout=5.0 secs]], Client disconnected Storage::backend_lost, Storage::STORAGE_BACKEND_REDIS, [serializer=Storage::STORAGE_SERIALIZER_JSON, redis=[server_host=127.0.0.1, server_port=xxxx/tcp, server_unix_socket=<uninitialized>, key_prefix=testing, connect_timeout=5.0 secs, operation_timeout=5.0 secs, acl_username=<uninitialized>, password=<uninitialized>]], Client disconnected

View file

@ -0,0 +1,40 @@
# @TEST-DOC: Tests basic Redis storage backend functions in async mode
# @TEST-REQUIRES: have-redis
# @TEST-PORT: REDIS_PORT
# @TEST-EXEC: btest-bg-run redis-server run-redis-server ${REDIS_PORT%/tcp} testpassword
# @TEST-EXEC: zeek -b %INPUT > out
# @TEST-EXEC: btest-bg-wait -k 0
# @TEST-EXEC: btest-diff out
@load base/frameworks/storage/sync
@load policy/frameworks/storage/backend/redis
event zeek_init()
{
local opts: Storage::BackendOptions;
opts$redis = [ $server_host="127.0.0.1", $server_port=to_port(getenv(
"REDIS_PORT")), $key_prefix="testing", $password="notthepassword" ];
local key = "key1234";
local value = "value5678";
# This should fail because the password doesn't match.
local res = Storage::Sync::open_backend(Storage::STORAGE_BACKEND_REDIS, opts, string, string);
print "open 1", res;
if ( res$code == Storage::SUCCESS )
return;
opts$redis$password = "testpassword";
res = Storage::Sync::open_backend(Storage::STORAGE_BACKEND_REDIS, opts, string, string);
print "open 2", res;
if ( res$code != Storage::SUCCESS )
return;
local backend = res$value;
res = Storage::Sync::close_backend(backend);
print "close", res;
}

View file

@ -5,17 +5,28 @@ if ! redis-server --version; then
exit 1 exit 1
fi fi
if [ $# -ne 1 ]; then if [ $# -lt 1 ]; then
echo "Usage $0 <listen_port>" >2 echo "Usage $0 <listen_port> (<password>)" >2
exit 1 exit 1
fi fi
listen_port=$1 listen_port=$1
exec redis-server \ if [ $# -eq 1 ]; then
exec redis-server \
--bind 127.0.0.1 \ --bind 127.0.0.1 \
--port ${listen_port} \ --port ${listen_port} \
--loglevel verbose \ --loglevel verbose \
--logfile redis.log \ --logfile redis.log \
--pidfile redis.pid \ --pidfile redis.pid \
--databases 1 --databases 1
elif [ $# -eq 2 ]; then
exec redis-server \
--bind 127.0.0.1 \
--port ${listen_port} \
--loglevel verbose \
--logfile redis.log \
--pidfile redis.pid \
--databases 1 \
--requirepass $2
fi