mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
Redis: Add support for sending AUTH commands during connection
This commit is contained in:
parent
9f12208f57
commit
f2aca331ec
8 changed files with 161 additions and 26 deletions
|
@ -39,6 +39,13 @@ export {
|
||||||
## Timeout for operation requests sent to the backend. Operations that
|
## Timeout for operation requests sent to the backend. Operations that
|
||||||
## exceed this time will return :zeek:see:`Storage::TIMEOUT`.
|
## exceed this time will return :zeek:see:`Storage::TIMEOUT`.
|
||||||
operation_timeout: interval &default=default_operation_timeout;
|
operation_timeout: interval &default=default_operation_timeout;
|
||||||
|
|
||||||
|
## A username to use for authentication the server is protected by an ACL.
|
||||||
|
username: string &optional;
|
||||||
|
|
||||||
|
## A username to use for authentication the server is protected by an ACL
|
||||||
|
## or by a simple password.
|
||||||
|
password: string &optional;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -136,6 +136,19 @@ void redisINFO(redisAsyncContext* ctx, void* reply, void* privdata) {
|
||||||
backend->HandleInfoResult(static_cast<redisReply*>(reply));
|
backend->HandleInfoResult(static_cast<redisReply*>(reply));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Callback handler for AUTH commands.
|
||||||
|
*
|
||||||
|
* @param ctx The async context that called this callback.
|
||||||
|
* @param reply The reply from the server for the command.
|
||||||
|
* @param privdata A pointer to private data passed in the command.
|
||||||
|
*/
|
||||||
|
void redisAUTH(redisAsyncContext* ctx, void* reply, void* privdata) {
|
||||||
|
auto t = Tracer("auth");
|
||||||
|
auto backend = static_cast<zeek::storage::backend::redis::Redis*>(ctx->data);
|
||||||
|
backend->HandleAuthResult(static_cast<redisReply*>(reply));
|
||||||
|
}
|
||||||
|
|
||||||
// Because we called redisPollAttach in DoOpen(), privdata here is a
|
// Because we called redisPollAttach in DoOpen(), privdata here is a
|
||||||
// redisPollEvents object. We can go through that object to get the context's
|
// redisPollEvents object. We can go through that object to get the context's
|
||||||
// data, which contains the backend. Because we overrode these callbacks in
|
// data, which contains the backend. Because we overrode these callbacks in
|
||||||
|
@ -271,6 +284,14 @@ OperationResult Redis::DoOpen(OpenResultCallback* cb, RecordValPtr options) {
|
||||||
struct timeval timeout = util::double_to_timeval(connect_timeout_opt);
|
struct timeval timeout = util::double_to_timeval(connect_timeout_opt);
|
||||||
opt.connect_timeout = &timeout;
|
opt.connect_timeout = &timeout;
|
||||||
|
|
||||||
|
auto username_field = backend_options->GetField<StringVal>("username");
|
||||||
|
if ( username_field )
|
||||||
|
username = username_field->ToStdString();
|
||||||
|
|
||||||
|
auto password_field = backend_options->GetField<StringVal>("password");
|
||||||
|
if ( password_field )
|
||||||
|
password = password_field->ToStdString();
|
||||||
|
|
||||||
// The connection request below should be operation #1.
|
// The connection request below should be operation #1.
|
||||||
active_ops = 1;
|
active_ops = 1;
|
||||||
|
|
||||||
|
@ -642,25 +663,74 @@ void Redis::HandleInfoResult(redisReply* reply) {
|
||||||
CompleteCallback(open_cb, res);
|
CompleteCallback(open_cb, res);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void Redis::HandleAuthResult(redisReply* reply) {
|
||||||
|
DBG_LOG(DBG_STORAGE, "Redis backend: auth event");
|
||||||
|
--active_ops;
|
||||||
|
|
||||||
|
if ( strncmp(reply->str, "OK", 2) != 0 ) {
|
||||||
|
std::string reason = util::fmt("AUTH command failed to authenticate: %s", reply->str);
|
||||||
|
CompleteCallback(open_cb, {ReturnCode::CONNECTION_FAILED, reason});
|
||||||
|
freeReplyObject(reply);
|
||||||
|
|
||||||
|
disconnect_reason = reason;
|
||||||
|
redisAsyncDisconnect(async_ctx);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
freeReplyObject(reply);
|
||||||
|
SendInfoRequest();
|
||||||
|
}
|
||||||
|
|
||||||
|
void Redis::SendInfoRequest() {
|
||||||
|
DBG_LOG(DBG_STORAGE, "Redis backend: Sending INFO request");
|
||||||
|
|
||||||
|
// Request the INFO block from the server that should contain the version information.
|
||||||
|
int status = redisAsyncCommand(async_ctx, redisINFO, NULL, "INFO server");
|
||||||
|
|
||||||
|
if ( status == REDIS_ERR ) {
|
||||||
|
// TODO: do something with the error?
|
||||||
|
DBG_LOG(DBG_STORAGE, "INFO command failed: %s err=%d", async_ctx->errstr, async_ctx->err);
|
||||||
|
CompleteCallback(open_cb, {ReturnCode::OPERATION_FAILED,
|
||||||
|
util::fmt("INFO command failed to retrieve server info: %s", async_ctx->errstr)});
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
++active_ops;
|
||||||
|
}
|
||||||
|
|
||||||
void Redis::OnConnect(int status) {
|
void Redis::OnConnect(int status) {
|
||||||
DBG_LOG(DBG_STORAGE, "Redis backend: connection event, status=%d", status);
|
DBG_LOG(DBG_STORAGE, "Redis backend: connection event, status=%d", status);
|
||||||
--active_ops;
|
--active_ops;
|
||||||
|
|
||||||
connected = false;
|
connected = false;
|
||||||
if ( status == REDIS_OK ) {
|
if ( status == REDIS_OK ) {
|
||||||
// Request the INFO block from the server that should contain the version information.
|
bool made_auth_request = false;
|
||||||
status = redisAsyncCommand(async_ctx, redisINFO, NULL, "INFO server");
|
|
||||||
|
|
||||||
|
// If the username and/or password are set, send an AUTH command. Fail to
|
||||||
|
// connect if the authentication fails. We want to pause here while opening.
|
||||||
|
if ( ! username.empty() && ! password.empty() ) {
|
||||||
|
status = redisAsyncCommand(async_ctx, redisAUTH, NULL, "AUTH %s %s", username.c_str(), password.c_str());
|
||||||
|
made_auth_request = true;
|
||||||
|
}
|
||||||
|
else if ( ! password.empty() ) {
|
||||||
|
status = redisAsyncCommand(async_ctx, redisAUTH, NULL, "AUTH %s", password.c_str());
|
||||||
|
made_auth_request = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
// This will be reset by the sync calls above if we make them and they fail. The
|
||||||
|
// condition will always be false if we don't make any auth call.
|
||||||
if ( status == REDIS_ERR ) {
|
if ( status == REDIS_ERR ) {
|
||||||
// TODO: do something with the error?
|
DBG_LOG(DBG_STORAGE, "AUTH command failed: %s err=%d", async_ctx->errstr, async_ctx->err);
|
||||||
DBG_LOG(DBG_STORAGE, "INFO command failed: %s err=%d", async_ctx->errstr, async_ctx->err);
|
CompleteCallback(open_cb, {ReturnCode::OPERATION_FAILED,
|
||||||
CompleteCallback(open_cb,
|
util::fmt("AUTH command failed to queue: %s", async_ctx->errstr)});
|
||||||
{ReturnCode::OPERATION_FAILED,
|
|
||||||
util::fmt("INFO command failed to retrieve server info: %s", async_ctx->errstr)});
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( made_auth_request )
|
||||||
++active_ops;
|
++active_ops;
|
||||||
|
else
|
||||||
|
// This will be called from the handler of the auth event if that succeeds.
|
||||||
|
SendInfoRequest();
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
DBG_LOG(DBG_STORAGE, "Redis backend: connection failed: %s err=%d", async_ctx->errstr, async_ctx->err);
|
DBG_LOG(DBG_STORAGE, "Redis backend: connection failed: %s err=%d", async_ctx->errstr, async_ctx->err);
|
||||||
|
@ -682,11 +752,9 @@ void Redis::OnDisconnect(int status) {
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
--active_ops;
|
--active_ops;
|
||||||
|
std::string msg =
|
||||||
if ( disconnect_reason.empty() )
|
util::fmt("Client disconnected%s%s", disconnect_reason.empty() ? "" : ": ", disconnect_reason.c_str());
|
||||||
EnqueueBackendLost("Client disconnected");
|
EnqueueBackendLost(msg);
|
||||||
else
|
|
||||||
EnqueueBackendLost(util::fmt("Client disconnected: %s", disconnect_reason.c_str()));
|
|
||||||
|
|
||||||
if ( close_cb )
|
if ( close_cb )
|
||||||
CompleteCallback(close_cb, {ReturnCode::SUCCESS});
|
CompleteCallback(close_cb, {ReturnCode::SUCCESS});
|
||||||
|
|
|
@ -42,6 +42,7 @@ public:
|
||||||
void HandleEraseResult(redisReply* reply, ResultCallback* callback);
|
void HandleEraseResult(redisReply* reply, ResultCallback* callback);
|
||||||
void HandleGeneric(redisReply* reply);
|
void HandleGeneric(redisReply* reply);
|
||||||
void HandleInfoResult(redisReply* reply);
|
void HandleInfoResult(redisReply* reply);
|
||||||
|
void HandleAuthResult(redisReply* reply);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns whether the backend is opened.
|
* Returns whether the backend is opened.
|
||||||
|
@ -63,6 +64,8 @@ private:
|
||||||
OperationResult ParseReplyError(std::string_view op_str, std::string_view reply_err_str) const;
|
OperationResult ParseReplyError(std::string_view op_str, std::string_view reply_err_str) const;
|
||||||
OperationResult CheckServerVersion();
|
OperationResult CheckServerVersion();
|
||||||
|
|
||||||
|
void SendInfoRequest();
|
||||||
|
|
||||||
redisAsyncContext* async_ctx = nullptr;
|
redisAsyncContext* async_ctx = nullptr;
|
||||||
|
|
||||||
// When running in sync mode, this is used to keep a queue of replies as
|
// When running in sync mode, this is used to keep a queue of replies as
|
||||||
|
@ -77,6 +80,8 @@ private:
|
||||||
std::string server_addr;
|
std::string server_addr;
|
||||||
std::string key_prefix;
|
std::string key_prefix;
|
||||||
std::string disconnect_reason;
|
std::string disconnect_reason;
|
||||||
|
std::string username;
|
||||||
|
std::string password;
|
||||||
|
|
||||||
std::atomic<bool> connected = false;
|
std::atomic<bool> connected = false;
|
||||||
std::atomic<bool> expire_running = false;
|
std::atomic<bool> expire_running = false;
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
open 1, [code=Storage::CONNECTION_FAILED, error_str=AUTH command failed to authenticate: WRONGPASS invalid username-password pair or user is disabled., value=<opaque of BackendHandleVal>]
|
||||||
|
open 2, [code=Storage::SUCCESS, error_str=<uninitialized>, value=<opaque of BackendHandleVal>]
|
||||||
|
close, [code=Storage::SUCCESS, error_str=<uninitialized>, value=<uninitialized>]
|
|
@ -1,4 +1,4 @@
|
||||||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
open_result, [code=Storage::SUCCESS, error_str=<uninitialized>, value=<opaque of BackendHandleVal>]
|
open_result, [code=Storage::SUCCESS, error_str=<uninitialized>, value=<opaque of BackendHandleVal>]
|
||||||
Storage::backend_opened, Storage::STORAGE_BACKEND_REDIS, [serializer=Storage::STORAGE_SERIALIZER_JSON, redis=[server_host=127.0.0.1, server_port=xxxx/tcp, server_unix_socket=<uninitialized>, key_prefix=testing, connect_timeout=5.0 secs, operation_timeout=5.0 secs]]
|
Storage::backend_opened, Storage::STORAGE_BACKEND_REDIS, [serializer=Storage::STORAGE_SERIALIZER_JSON, redis=[server_host=127.0.0.1, server_port=xxxx/tcp, server_unix_socket=<uninitialized>, key_prefix=testing, connect_timeout=5.0 secs, operation_timeout=5.0 secs, acl_username=<uninitialized>, password=<uninitialized>]]
|
||||||
Storage::backend_lost, Storage::STORAGE_BACKEND_REDIS, [serializer=Storage::STORAGE_SERIALIZER_JSON, redis=[server_host=127.0.0.1, server_port=xxxx/tcp, server_unix_socket=<uninitialized>, key_prefix=testing, connect_timeout=5.0 secs, operation_timeout=5.0 secs]], Server closed the connection
|
Storage::backend_lost, Storage::STORAGE_BACKEND_REDIS, [serializer=Storage::STORAGE_SERIALIZER_JSON, redis=[server_host=127.0.0.1, server_port=xxxx/tcp, server_unix_socket=<uninitialized>, key_prefix=testing, connect_timeout=5.0 secs, operation_timeout=5.0 secs, acl_username=<uninitialized>, password=<uninitialized>]], Server closed the connection
|
||||||
|
|
|
@ -9,5 +9,5 @@ get result same as originally inserted, T
|
||||||
put result, [code=Storage::SUCCESS, error_str=<uninitialized>, value=<uninitialized>]
|
put result, [code=Storage::SUCCESS, error_str=<uninitialized>, value=<uninitialized>]
|
||||||
get result, [code=Storage::SUCCESS, error_str=<uninitialized>, value=value2345]
|
get result, [code=Storage::SUCCESS, error_str=<uninitialized>, value=value2345]
|
||||||
get result same as overwritten, T
|
get result same as overwritten, T
|
||||||
Storage::backend_opened, Storage::STORAGE_BACKEND_REDIS, [serializer=Storage::STORAGE_SERIALIZER_JSON, redis=[server_host=127.0.0.1, server_port=xxxx/tcp, server_unix_socket=<uninitialized>, key_prefix=testing, connect_timeout=5.0 secs, operation_timeout=5.0 secs]]
|
Storage::backend_opened, Storage::STORAGE_BACKEND_REDIS, [serializer=Storage::STORAGE_SERIALIZER_JSON, redis=[server_host=127.0.0.1, server_port=xxxx/tcp, server_unix_socket=<uninitialized>, key_prefix=testing, connect_timeout=5.0 secs, operation_timeout=5.0 secs, acl_username=<uninitialized>, password=<uninitialized>]]
|
||||||
Storage::backend_lost, Storage::STORAGE_BACKEND_REDIS, [serializer=Storage::STORAGE_SERIALIZER_JSON, redis=[server_host=127.0.0.1, server_port=xxxx/tcp, server_unix_socket=<uninitialized>, key_prefix=testing, connect_timeout=5.0 secs, operation_timeout=5.0 secs]], Client disconnected
|
Storage::backend_lost, Storage::STORAGE_BACKEND_REDIS, [serializer=Storage::STORAGE_SERIALIZER_JSON, redis=[server_host=127.0.0.1, server_port=xxxx/tcp, server_unix_socket=<uninitialized>, key_prefix=testing, connect_timeout=5.0 secs, operation_timeout=5.0 secs, acl_username=<uninitialized>, password=<uninitialized>]], Client disconnected
|
||||||
|
|
|
@ -0,0 +1,40 @@
|
||||||
|
# @TEST-DOC: Tests basic Redis storage backend functions in async mode
|
||||||
|
|
||||||
|
# @TEST-REQUIRES: have-redis
|
||||||
|
# @TEST-PORT: REDIS_PORT
|
||||||
|
|
||||||
|
# @TEST-EXEC: btest-bg-run redis-server run-redis-server ${REDIS_PORT%/tcp} testpassword
|
||||||
|
# @TEST-EXEC: zeek -b %INPUT > out
|
||||||
|
# @TEST-EXEC: btest-bg-wait -k 0
|
||||||
|
|
||||||
|
# @TEST-EXEC: btest-diff out
|
||||||
|
|
||||||
|
@load base/frameworks/storage/sync
|
||||||
|
@load policy/frameworks/storage/backend/redis
|
||||||
|
|
||||||
|
event zeek_init()
|
||||||
|
{
|
||||||
|
local opts: Storage::BackendOptions;
|
||||||
|
opts$redis = [ $server_host="127.0.0.1", $server_port=to_port(getenv(
|
||||||
|
"REDIS_PORT")), $key_prefix="testing", $password="notthepassword" ];
|
||||||
|
|
||||||
|
local key = "key1234";
|
||||||
|
local value = "value5678";
|
||||||
|
|
||||||
|
# This should fail because the password doesn't match.
|
||||||
|
local res = Storage::Sync::open_backend(Storage::STORAGE_BACKEND_REDIS, opts, string, string);
|
||||||
|
print "open 1", res;
|
||||||
|
if ( res$code == Storage::SUCCESS )
|
||||||
|
return;
|
||||||
|
|
||||||
|
opts$redis$password = "testpassword";
|
||||||
|
res = Storage::Sync::open_backend(Storage::STORAGE_BACKEND_REDIS, opts, string, string);
|
||||||
|
print "open 2", res;
|
||||||
|
|
||||||
|
if ( res$code != Storage::SUCCESS )
|
||||||
|
return;
|
||||||
|
|
||||||
|
local backend = res$value;
|
||||||
|
res = Storage::Sync::close_backend(backend);
|
||||||
|
print "close", res;
|
||||||
|
}
|
|
@ -5,17 +5,28 @@ if ! redis-server --version; then
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $# -ne 1 ]; then
|
if [ $# -lt 1 ]; then
|
||||||
echo "Usage $0 <listen_port>" >2
|
echo "Usage $0 <listen_port> (<password>)" >2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
listen_port=$1
|
listen_port=$1
|
||||||
|
|
||||||
exec redis-server \
|
if [ $# -eq 1 ]; then
|
||||||
|
exec redis-server \
|
||||||
--bind 127.0.0.1 \
|
--bind 127.0.0.1 \
|
||||||
--port ${listen_port} \
|
--port ${listen_port} \
|
||||||
--loglevel verbose \
|
--loglevel verbose \
|
||||||
--logfile redis.log \
|
--logfile redis.log \
|
||||||
--pidfile redis.pid \
|
--pidfile redis.pid \
|
||||||
--databases 1
|
--databases 1
|
||||||
|
elif [ $# -eq 2 ]; then
|
||||||
|
exec redis-server \
|
||||||
|
--bind 127.0.0.1 \
|
||||||
|
--port ${listen_port} \
|
||||||
|
--loglevel verbose \
|
||||||
|
--logfile redis.log \
|
||||||
|
--pidfile redis.pid \
|
||||||
|
--databases 1 \
|
||||||
|
--requirepass $2
|
||||||
|
fi
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue