Add support for usernames (Redis ACL)

Author: piotrp

Makefile

@@ -4,7 +4,6 @@ OPENRESTY_PREFIX    = /usr/local/openresty
 
 TEST_FILE          ?= t
 TMP_DIR			   ?= /tmp
-SENTINEL_TEST_FILE ?= $(TEST_FILE)/sentinel
 
 REDIS_CMD           = redis-server
 SENTINEL_CMD        = $(REDIS_CMD) --sentinel

README.md

@@ -81,19 +81,22 @@ If the `params.url` field is present then it will be parsed to set the other par
 
 The format for connecting directly to Redis is:
 
-`redis://PASSWORD@HOST:PORT/DB`
+`redis://USERNAME:PASSWORD@HOST:PORT/DB`
 
-The `PASSWORD` and `DB` fields are optional, all other components are required.
+The `USERNAME`, `PASSWORD` and `DB` fields are optional, all other components are required.
+
+Use of username requires Redis 6.0.0 or newer.
 
 ### Connections via Redis Sentinel
 
 When connecting via Redis Sentinel, the format is as follows:
 
-`sentinel://PASSWORD@MASTER_NAME:ROLE/DB`
+`sentinel://USERNAME:PASSWORD@MASTER_NAME:ROLE/DB`
 
-Again, `PASSWORD` and `DB` are optional. `ROLE` must be either `m` or `s` for master / slave respectively.
+Again, `USERNAME`, `PASSWORD` and `DB` are optional. `ROLE` must be either `m` or `s` for master / slave respectively.
 
 On versions of Redis newer than 5.0.1, Sentinels can optionally require their own password. If enabled, provide this password in the `sentinel_password` parameter.
+On Redis 6.2.0 and newer you can pass username using `sentinel_username` parameter.
 
 A table of `sentinels` must also be supplied. e.g.
 
@@ -103,6 +106,7 @@ local redis, err = rc:connect{
     sentinels = {
         { host = "127.0.0.1", port = 26379 },
     },
+    sentinel_username = "default",
     sentinel_password = "password"
 }
 ```
@@ -137,7 +141,9 @@ If configured as a table of commands, the command methods will be replaced by a
     host = "127.0.0.1",
     port = "6379",
     path = "",  -- unix socket path, e.g. /tmp/redis.sock
+    username = "",
     password = "",
+    sentinel_username = "",
     sentinel_password = "",
     db = 0,
 

lib/resty/redis/connector.lua

@@ -6,6 +6,7 @@ local ngx_ERR = ngx.ERR
 local ngx_re_match = ngx.re.match
 
 local str_find = string.find
+local str_sub = string.sub
 local tbl_remove = table.remove
 local tbl_sort = table.sort
 local ok, tbl_new = pcall(require, "table.new")
@@ -95,7 +96,9 @@ local DEFAULTS = setmetatable({
     host = "127.0.0.1",
     port = 6379,
     path = "", -- /tmp/redis.sock
+    username = "",
     password = "",
+    sentinel_username = "",
     sentinel_password = "",
     db = 0,
     url = "", -- DSN url
@@ -149,14 +152,14 @@ local function parse_dsn(params)
             fields = { "password", "master_name", "role", "db" }
         end
 
-        -- password may not be present
+        -- username/password may not be present
         if #m < 5 then tbl_remove(fields, 1) end
 
         local roles = { m = "master", s = "slave" }
 
         local parsed_params = {}
 
-        for i,v in ipairs(fields) do
+        for i, v in ipairs(fields) do
             if v == "db" or v == "port" then
                 parsed_params[v] = tonumber(m[i + 1])
             else
@@ -168,6 +171,12 @@ local function parse_dsn(params)
             end
         end
 
+        local colon_pos = str_find(parsed_params.password or "", ":", 1, true)
+        if colon_pos then
+            parsed_params.username = str_sub(parsed_params.password, 1, colon_pos - 1)
+            parsed_params.password = str_sub(parsed_params.password, colon_pos + 1)
+        end
+
         return tbl_copy_merge_defaults(params, parsed_params)
     end
 
@@ -233,10 +242,13 @@ function _M.connect_via_sentinel(self, params)
     local master_name = params.master_name
     local role = params.role
     local db = params.db
+    local username = params.username
     local password = params.password
+    local sentinel_username = params.sentinel_username
     local sentinel_password = params.sentinel_password
     if sentinel_password then
-        for _,host in ipairs(sentinels) do
+        for _, host in ipairs(sentinels) do
+            host.username = sentinel_username
             host.password = sentinel_password
         end
     end
@@ -255,6 +267,7 @@ function _M.connect_via_sentinel(self, params)
         sentnl:set_keepalive()
 
         master.db = db
+        master.username = username
         master.password = password
 
         local redis, err = self:connect_to_host(master)
@@ -278,6 +291,7 @@ function _M.connect_via_sentinel(self, params)
         if db or password then
             for _, slave in ipairs(slaves) do
                 slave.db = db
+                slave.username = username
                 slave.password = password
             end
         end
@@ -356,9 +370,16 @@ function _M.connect_to_host(self, host)
     else
         r:set_timeout(config.read_timeout)
 
+        local username = host.username
         local password = host.password
         if password and password ~= "" then
-            local res, err = r:auth(password)
+            local res
+            -- usernames are supported only on Redis 6+, so use new AUTH form only when absolutely necessary
+            if username and username ~= "" and username ~= "default" then
+                res, err = r:auth(username, password)
+            else
+                res, err = r:auth(password)
+            end
             if err then
                 return res, err
             end

t/config.t

@@ -120,6 +120,7 @@ location /t {
             host = "127.0.0.1",
             port = $TEST_NGINX_REDIS_PORT,
             path = "",
+            username = "",
             password = "",
             db = 0,
 
@@ -144,6 +145,7 @@ location /t {
             host = "127.0.0.1",
             port = $TEST_NGINX_REDIS_PORT,
             path = "",
+            username = "",
             password = "",
             db = 0,
 

t/connector.t

@@ -213,8 +213,30 @@ GET /t
 --- no_error_log
 [error]
 
+=== TEST 7: username and password
+--- http_config eval: $::HttpConfig
+--- config
+location /t {
+    lua_socket_log_errors Off;
+    content_by_lua_block {
+        local rc = require("resty.redis.connector").new({
+            port = $TEST_NGINX_REDIS_PORT,
+            username = "x",
+            password = "foo",
+        })
+
+        local redis, err = rc:connect()
+        assert(not redis and string.find(err, "WRONGPASS"),
+            "connect should fail with invalid username-password error")
+    }
+}
+--- request
+GET /t
+--- no_error_log
+[error]
+
 
-=== TEST 7: Bad unix domain socket path should fail
+=== TEST 8: Bad unix domain socket path should fail
 --- http_config eval: $::HttpConfig
 --- config
 location /t {
@@ -234,7 +256,7 @@ GET /t
 [error]
 
 
-=== TEST 7.1: Good unix domain socket path should succeed
+=== TEST 8.1: Good unix domain socket path should succeed
 --- http_config eval: $::HttpConfig
 --- config
 location /t {
@@ -256,7 +278,7 @@ GET /t
 [error]
 
 
-=== TEST 8: parse_dsn
+=== TEST 9: parse_dsn
 --- http_config eval: $::HttpConfig
 --- config
 location /t {
@@ -280,7 +302,7 @@ location /t {
 
 
 		local user_params = {
-			url = "sentinel://foo@foomaster:s/2"
+			url = "sentinel://foo:bar@foomaster:s/2"
 		}
 
 		local params, err = rc.parse_dsn(user_params)
@@ -290,6 +312,8 @@ location /t {
 		assert(params.master_name == "foomaster", "master_name should be foomaster")
 		assert(params.role == "slave", "role should be slave")
 		assert(tonumber(params.db) == 2, "db should be 2")
+		assert(params.username == "foo", "username should be foo")
+		assert(params.password == "bar", "password should be bar")
 
 
 		local params = {
@@ -307,7 +331,7 @@ GET /t
 [error]
 
 
-=== TEST 9: params override dsn components
+=== TEST 10: params override dsn components
 --- http_config eval: $::HttpConfig
 --- config
 location /t {
@@ -340,7 +364,7 @@ GET /t
 [error]
 
 
-=== TEST 9: Integration test for parse_dsn
+=== TEST 11: Integration test for parse_dsn
 --- http_config eval: $::HttpConfig
 --- config
 location /t {
@@ -385,7 +409,7 @@ GET /t
 [error]
 
 
-=== TEST 10: DSN without DB
+=== TEST 12: DSN without DB
 --- http_config eval: $::HttpConfig
 --- config
 location /t {