From 9b4cb7a368e2093e227e072fa82f97760a93a4b0 Mon Sep 17 00:00:00 2001 From: Murillo <103451714+gruceo@users.noreply.github.com> Date: Mon, 12 Aug 2024 21:15:08 -0300 Subject: [PATCH 1/6] feat(redis) add support for username/password auth lua-resty-redis supports username/password authentication: ``` local res, err = red:auth("userexample", "passexample") if not res then ngx.say("failed to authenticate: ", err) return end ``` --- lib/resty/acme/storage/redis.lua | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/lib/resty/acme/storage/redis.lua b/lib/resty/acme/storage/redis.lua index c365d49..5734118 100644 --- a/lib/resty/acme/storage/redis.lua +++ b/lib/resty/acme/storage/redis.lua @@ -42,9 +42,14 @@ local function op(self, op, ...) if not ok then return nil, err end - + if self.auth then - local _, err = client:auth(self.auth) + local _, err + if type(self.auth) == "table" then + _, err = client:auth(self.auth.username, self.auth.password) + else + _, err = client:auth(self.auth) + end if err then return nil, "authentication failed " .. err end From 34bddd567457e27c623b4ee344d3ce63c2405208 Mon Sep 17 00:00:00 2001 From: Murillo <103451714+gruceo@users.noreply.github.com> Date: Mon, 12 Aug 2024 21:22:52 -0300 Subject: [PATCH 2/6] tests --- t/storage/redis.t | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/t/storage/redis.t b/t/storage/redis.t index 78427d9..3888a5f 100644 --- a/t/storage/redis.t +++ b/t/storage/redis.t 
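Review bot: The table branch calls `client:auth(self.auth.username, self.auth.password)` without checking that both fields are present, so a table carrying only `password` (or an empty table) still issues an AUTH with a missing argument. What lua-resty-redis sends in that case is not visible here, and any resulting error would point at Redis rather than at the bad config. A guard before the call would make this explicit: `if type(self.auth.username) ~= "string" or type(self.auth.password) ~= "string" then return nil, "authentication failed: auth table needs username and password" end`. `op` starts and ends outside the hunk.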
@@ -556,3 +556,48 @@ test14:50 --- no_error_log [error] +=== TEST 15: Redis auth works with table +--- http_config eval: $::HttpConfig +--- config + location =/t { + content_by_lua_block { + local st = test_lib.new({auth = { username = "kong", password = "passkong" }, host = "172.27.0.2" }) + local err = st:set("key2", "3") + ngx.say(err) + local v, err = st:get("key2") + ngx.say(err) + ngx.say(v) + } + } +--- request + GET /t +--- response_body_like eval +"nil +nil +3 +" +--- no_error_log +[error] + +=== TEST 16: Redis auth works with string +--- http_config eval: $::HttpConfig +--- config + location =/t { + content_by_lua_block { + local st = test_lib.new({auth = "passdefault", host = "172.27.0.2" }) + local err = st:set("key2", "3") + ngx.say(err) + local v, err = st:get("key2") + ngx.say(err) + ngx.say(v) + } + } +--- request + GET /t +--- response_body_like eval +"nil +nil +3 +" +--- no_error_log +[error] From 376643327496f81ee50579538c30490c1f0a4551 Mon Sep 17 00:00:00 2001 From: Murillo <103451714+gruceo@users.noreply.github.com> Date: Tue, 13 Aug 2024 10:22:18 -0300 Subject: [PATCH 3/6] add new username/password fields --- .github/workflows/redis.conf | 2 ++ .github/workflows/tests.yml | 21 +++++++++++-- lib/resty/acme/storage/redis.lua | 19 ++++++++---- t/storage/redis.t | 51 +++++++++++++++++++++++++++++--- 4 files changed, 80 insertions(+), 13 deletions(-) create mode 100644 .github/workflows/redis.conf diff --git a/.github/workflows/redis.conf b/.github/workflows/redis.conf new file mode 100644 index 0000000..fe17641 --- /dev/null +++ b/.github/workflows/redis.conf @@ -0,0 +1,2 @@ +user kong allcommands allkeys on >passkong +requirepass passdefault diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 040707a..9d0eaad 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -49,7 +49,7 @@ jobs: lua_nginx_module: "v0.10.21" stream_lua_nginx_module: "v0.0.11" lua_resty_core: "v0.1.23" - + env: JOBS: 3 SH: bash 
@@ -67,11 +67,12 @@ jobs: LUACHECK_VER: 0.21.1 CC: gcc NGX_BUILD_CC: gcc - + NGINX_CC_OPTS: "" LUAJIT_CC_OPTS: "" services: + # Redis with auth disabled redis: image: redis # Set health checks to wait until redis has started @@ -82,11 +83,25 @@ jobs: --health-retries 5 ports: - 6379:6379 + # Redis with auth enabled + redis-auth: + image: redis + command: ["redis-server", "/etc/redis/redis.conf"] + volumes: + - ./redis.conf:/etc/redis/redis.conf + # Set health checks to wait until redis has started + options: >- + --health-cmd "redis-cli ping" + --health-interval 10s + --health-timeout 5s + --health-retries 5 + ports: + - 6380:6379 steps: - name: Checkout source code uses: actions/checkout@v2 - + - name: Setup cache uses: actions/cache@v2 with: diff --git a/lib/resty/acme/storage/redis.lua b/lib/resty/acme/storage/redis.lua index 5734118..4392f5f 100644 --- a/lib/resty/acme/storage/redis.lua +++ b/lib/resty/acme/storage/redis.lua @@ -22,6 +22,8 @@ function _M.new(conf) ssl_server_name = conf.ssl_server_name, namespace = conf.namespace or "", scan_count = conf.scan_count or 10, + username = conf.username, + password = conf.password, }, mt ) @@ -43,13 +45,18 @@ local function op(self, op, ...) return nil, err end - if self.auth then - local _, err - if type(self.auth) == "table" then - _, err = client:auth(self.auth.username, self.auth.password) - else - _, err = client:auth(self.auth) + if self.username and self.password then + local _, err = client:auth(self.username, self.password) + if not ok then + return nil, "authentication failed " .. err + end + elseif self.password then + local _, err = client:auth(self.password) + if err then + return nil, "authentication failed " .. err end + elseif self.auth then + local _, err = client:auth(self.auth) if err then return nil, "authentication failed " .. err end diff --git a/t/storage/redis.t b/t/storage/redis.t index 3888a5f..13ec378 100644 --- a/t/storage/redis.t +++ b/t/storage/redis.t 
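Review bot: In the new credential chain in `op`, a config that sets `username` without `password` skips the first two branches, so either no AUTH is sent at all or, if `auth` is also set, the legacy single-password AUTH runs and the username is ignored. The caller only learns of this from a later NOAUTH reply, and against a Redis whose default user needs no password the operations would presumably run as the default user rather than the ACL user the operator named. I would reject that combination explicitly with a branch placed before `elseif self.auth then`: `elseif self.username then return nil, "authentication failed: username set without password"`. It is also worth a comment above the chain saying that `password` takes precedence over the legacy `auth` field when both are configured, since nothing here reports the conflict. `op` continues outside the hunk.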
@@ -556,12 +556,12 @@ test14:50 --- no_error_log [error] -=== TEST 15: Redis auth works with table +=== TEST 15: Redis auth works with username and password --- http_config eval: $::HttpConfig --- config location =/t { content_by_lua_block { - local st = test_lib.new({auth = { username = "kong", password = "passkong" }, host = "172.27.0.2" }) + local st = test_lib.new({ username = "kong", password = "passkong", port = 6380 }) local err = st:set("key2", "3") ngx.say(err) local v, err = st:get("key2") @@ -579,12 +579,12 @@ nil --- no_error_log [error] -=== TEST 16: Redis auth works with string +=== TEST 16: Redis auth works with single auth (backwards compatibility) --- http_config eval: $::HttpConfig --- config location =/t { content_by_lua_block { - local st = test_lib.new({auth = "passdefault", host = "172.27.0.2" }) + local st = test_lib.new({auth = "passdefault", port = 6380 }) local err = st:set("key2", "3") ngx.say(err) local v, err = st:get("key2") @@ -601,3 +601,46 @@ nil " --- no_error_log [error] + +=== TEST 17: Redis auth works with just password +--- http_config eval: $::HttpConfig +--- config + location =/t { + content_by_lua_block { + local st = test_lib.new({ password = "passdefault", port = 6380 }) + local err = st:set("key2", "3") + ngx.say(err) + local v, err = st:get("key2") + ngx.say(err) + ngx.say(v) + } + } +--- request + GET /t +--- response_body_like eval +"nil +nil +3 +" +--- no_error_log +[error] + +=== TEST 18: Redis auth fails with just username +--- http_config eval: $::HttpConfig +--- config + location =/t { + content_by_lua_block { + local st = test_lib.new({ username = "kong", port = 6380 }) + local err = st:set("key2", "3") + ngx.say(err) + local v, err = st:get("key2") + ngx.say(err) + ngx.say(v) + } + } +--- request + GET /t +--- response_body_like eval +"NOAUTH Authentication required" +--- no_error_log +[error] From 8a7498c5cc51481eaa8751d6eea460992fdb68d9 Mon Sep 17 00:00:00 2001 
From: Murillo <103451714+gruceo@users.noreply.github.com> Date: Tue, 13 Aug 2024 11:16:26 -0300 Subject: [PATCH 4/6] fix tests --- .github/workflows/redis.conf | 2 - .github/workflows/tests.yml | 7 ++- t/storage/redis.t | 82 +++++++++++++++++++++++++++++++++++- 3 files changed, 84 insertions(+), 7 deletions(-) delete mode 100644 .github/workflows/redis.conf diff --git a/.github/workflows/redis.conf b/.github/workflows/redis.conf deleted file mode 100644 index fe17641..0000000 --- a/.github/workflows/redis.conf +++ /dev/null @@ -1,2 +0,0 @@ -user kong allcommands allkeys on >passkong -requirepass passdefault diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 9d0eaad..f76ae66 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -85,10 +85,7 @@ jobs: - 6379:6379 # Redis with auth enabled redis-auth: - image: redis - command: ["redis-server", "/etc/redis/redis.conf"] - volumes: - - ./redis.conf:/etc/redis/redis.conf + image: redis/redis-stack-server # Set health checks to wait until redis has started options: >- --health-cmd "redis-cli ping" @@ -97,6 +94,8 @@ jobs: --health-retries 5 ports: - 6380:6379 + env: + REDIS_ARGS: "--requirepass passdefault" steps: - name: Checkout source code diff --git a/t/storage/redis.t b/t/storage/redis.t index 13ec378..6150342 100644 --- a/t/storage/redis.t +++ b/t/storage/redis.t @@ -561,7 +561,7 @@ test14:50 --- config location =/t { content_by_lua_block { - local st = test_lib.new({ username = "kong", password = "passkong", port = 6380 }) + local st = test_lib.new({ username = "default", password = "passdefault", port = 6380 }) local err = st:set("key2", "3") ngx.say(err) local v, err = st:get("key2") 
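Review bot: The `redis-auth` service now pulls `image: redis/redis-stack-server` with no tag, so every CI run takes whatever the registry currently serves under the default tag. Pinning a version tag or digest (placeholder: `redis/redis-stack-server:<PINNED_TAG>`) keeps the auth tests reproducible and stops an upstream image change from reaching the runner unreviewed. The unauthenticated `redis` service elsewhere in this workflow uses the same floating reference and could be pinned in the same change.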
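Review bot: Switching TEST 15 to `username = "default"` means the two-argument AUTH path is only ever exercised successfully as Redis's built-in default user, which is the same identity the single-password tests already use. With the `kong` ACL user removed along with redis.conf, no test shows that a non-default ACL user can authenticate through `username`/`password`. I would provision a second user in the `redis-auth` service (or create one from the test while authenticated as the default user) and keep one positive test against it. TEST 15's body continues outside the hunk.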
@@ -627,6 +627,26 @@ nil === TEST 18: Redis auth fails with just username --- http_config eval: $::HttpConfig +--- config + location =/t { + content_by_lua_block { + local st = test_lib.new({ username = "default", port = 6380 }) + local err = st:set("key2", "3") + ngx.say(err) + local v, err = st:get("key2") + ngx.say(err) + ngx.say(v) + } + } +--- request + GET /t +--- response_body_like eval +"NOAUTH Authentication required" +--- no_error_log +[error] + +=== TEST 19: Redis auth fails with wrong username +--- http_config eval: $::HttpConfig --- config location =/t { content_by_lua_block { 
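Review bot: The title `TEST 19: Redis auth fails with wrong username` does not match what the block appears to exercise. Its body is outside this hunk, but judging by the previous patch it is the former TEST 18, which sets only `username = "kong"` and no password; in that case `op` never sends AUTH, so the server never sees the username. That makes TEST 18 and TEST 19 the same code path with different unused values. Either rename it, for example `=== TEST 19: Redis auth is skipped when only username is set`, or give it a password so the wrong-username case actually reaches Redis.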
@@ -644,3 +664,63 @@ nil "NOAUTH Authentication required" --- no_error_log [error] + +=== TEST 20: Redis auth fails with wrong password and no username with error "authentication failed WRONGPASS" +--- http_config eval: $::HttpConfig +--- config + location =/t { + content_by_lua_block { + local st = test_lib.new({ password = "wrongpass", port = 6380 }) + local err = st:set("key2", "3") + ngx.say(err) + local v, err = st:get("key2") + ngx.say(err) + ngx.say(v) + } + } +--- request + GET /t +--- response_body_like eval +"authentication failed WRONGPASS" +--- no_error_log +[error] + +=== TEST 21: Redis auth fails with wrong password and correct username with error "NOAUTH Authentication required" +--- http_config eval: $::HttpConfig +--- config + location =/t { + content_by_lua_block { + local st = test_lib.new({ username = "default", password = "wrongpass", port = 6380 }) + local err = st:set("key2", "3") + ngx.say(err) + local v, err = st:get("key2") + ngx.say(err) + ngx.say(v) + } + } +--- request + GET /t +--- response_body_like eval +"NOAUTH Authentication required" +--- no_error_log +[error] + +=== TEST 22: Redis auth fails with correct password and wrong username with error "NOAUTH Authentication required" +--- http_config eval: $::HttpConfig +--- config + location =/t { + content_by_lua_block { + local st = test_lib.new({ username = "kong", password = "passdefault", port = 6380 }) + local err = st:set("key2", "3") + ngx.say(err) + local v, err = st:get("key2") + ngx.say(err) + ngx.say(v) + } + } +--- request + GET /t +--- response_body_like eval +"NOAUTH Authentication required" +--- no_error_log +[error] From ad28d126734da82a5633d4d3ce44d7d9513596cf Mon Sep 17 00:00:00 2001 From: Wangchong Zhou Date: Wed, 14 Aug 2024 00:31:32 +0800 Subject: [PATCH 5/6] Apply suggestions from code review --- lib/resty/acme/storage/redis.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
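Review bot: The failure tests added here (TEST 20–22) print three lines, but `response_body_like` is, as far as I know, an unanchored pattern match, so they pass as soon as the one error string appears anywhere in the body, even if `st:get` returned a value after the failed `set`. For an authentication test the useful assertion is that nothing is readable once AUTH fails. Matching the whole body, for example with `--- response_body` or an anchored pattern covering all three lines, would pin that. TEST 18 and TEST 19 use the same loose match.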
diff --git a/lib/resty/acme/storage/redis.lua b/lib/resty/acme/storage/redis.lua index 4392f5f..c9daf2b 100644 --- a/lib/resty/acme/storage/redis.lua +++ b/lib/resty/acme/storage/redis.lua @@ -47,7 +47,7 @@ local function op(self, op, ...) if self.username and self.password then local _, err = client:auth(self.username, self.password) - if not ok then + if err then return nil, "authentication failed " .. err end elseif self.password then From 68e451dfeb8c54090a8d0cf61e34221efe465338 Mon Sep 17 00:00:00 2001 From: Murillo <103451714+gruceo@users.noreply.github.com> Date: Tue, 13 Aug 2024 13:50:47 -0300 Subject: [PATCH 6/6] fix tests 2 --- t/storage/redis.t | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/t/storage/redis.t b/t/storage/redis.t index 6150342..d3ed2a4 100644 --- a/t/storage/redis.t +++ b/t/storage/redis.t @@ -625,7 +625,7 @@ nil --- no_error_log [error] -=== TEST 18: Redis auth fails with just username +=== TEST 18: Redis auth fails with just username with error "NOAUTH Authentication required" --- http_config eval: $::HttpConfig --- config location =/t { @@ -685,7 +685,7 @@ nil --- no_error_log [error] -=== TEST 21: Redis auth fails with wrong password and correct username with error "NOAUTH Authentication required" +=== TEST 21: Redis auth fails with wrong password and correct username with error "authentication failed WRONGPASS" --- http_config eval: $::HttpConfig --- config location =/t { @@ -701,11 +701,11 @@ nil --- request GET /t --- response_body_like eval -"NOAUTH Authentication required" +"authentication failed WRONGPASS" --- no_error_log [error] -=== TEST 22: Redis auth fails with correct password and wrong username with error "NOAUTH Authentication required" +=== TEST 22: Redis auth fails with correct password and wrong username with error "authentication failed WRONGPASS" --- http_config eval: $::HttpConfig --- config location =/t { 
@@ -721,6 +721,6 @@ nil --- request GET /t --- response_body_like eval -"NOAUTH Authentication required" +"authentication failed WRONGPASS" --- no_error_log [error]