Commit 90c19702 authored by Georgios Bitzes's avatar Georgios Bitzes

Make configurable whether to trust localhost connections automatically

parent eb72c90d
Pipeline #416182 passed with stages
in 27 minutes and 32 seconds
......@@ -155,6 +155,9 @@ bool Configuration::fromStream(XrdOucStream &stream, Configuration &out) {
else if(!strcmp("password", option)) {
success = fetchSingle(stream, out.password);
}
else if(!strcmp("require_password_for_localhost", option)) {
success = fetchSingle(stream, buffer) && parseBool(buffer, out.requirePasswordForLocalhost);
}
else {
qdb_warn("Error when parsing configuration - unknown option " << quotes(option));
return false;
......@@ -216,6 +219,11 @@ bool Configuration::isValid() {
return false;
}
if(password.empty() && passwordFilePath.empty() && requirePasswordForLocalhost) {
qdb_log("Cannot require password for localhost, when no password has been set!");
return false;
}
return true;
}
......
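Review bot: The new check in `Configuration::isValid()` only verifies that a password source is configured, not that the resulting password is non-empty, so `require_password_for_localhost true` together with a `password_file` passes validation whatever the file contains. The test on this page shows `extractPasswordOrDie()` throwing for a missing file, but whether an empty or whitespace-only file is rejected is not visible here. If it can yield an empty string, the `password.empty()` branch in `QuarkDBNode::dispatch` would authorize every connection despite the flag. Consider failing closed where the password is loaded, e.g. `if(configuration.getRequirePasswordForLocalhost() && password.empty()) { /* refuse to start */ }`. Both `fromStream` and `isValid` start outside the visible hunks.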
......@@ -70,6 +70,7 @@ public:
std::string getPassword() const { return password; }
RaftServer getMyself() const { return myself; }
bool getWriteAheadLog() const { return writeAheadLog; }
bool getRequirePasswordForLocalhost() const { return requirePasswordForLocalhost; }
std::string extractPasswordOrDie() const;
private:
......@@ -80,6 +81,7 @@ private:
std::string certificateKeyPath;
std::string passwordFilePath;
std::string password;
bool requirePasswordForLocalhost = false;
bool writeAheadLog = true;
// raft options
......
......@@ -73,9 +73,10 @@ LinkStatus QuarkDBNode::dispatch(Connection *conn, RedisRequest &req) {
return authDispatcher.dispatch(conn, req);
}
// Allow un-authenticated connections from localhost, or if we're running
// in insecure mode.
if(conn->isLocalhost() || password.empty()) {
// Always permit access if:
// - No password is set. (duh)
// - Link is from localhost, AND we don't require that all localhost connections be authenticated.
if(password.empty() || (conn->isLocalhost() && !configuration.getRequirePasswordForLocalhost() )) {
conn->authorization = true;
}
......
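Review bot: With the new option defaulting to `false` (the member initializer in the header), the condition in `QuarkDBNode::dispatch` still sets `conn->authorization = true` for any loopback peer without a password, and the comment does not say what `isLocalhost()` actually covers. Its implementation is not in this hunk; if it is based on the peer address, connections arriving through a local reverse proxy, SSH port-forward or container port mapping would also be treated as local, which operators need to know when deciding whether to enable the option. A suggested addition to the comment: `// NOTE: "localhost" is whatever conn->isLocalhost() reports; locally terminated proxies/tunnels count as local, so set require_password_for_localhost when such forwarding exists.` The `(duh)` could also be replaced by a plain statement that an empty password disables authentication for all peers, local or remote. The function body starts and ends outside the hunk.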
......@@ -48,6 +48,7 @@ TEST(Configuration, T2) {
"redis.trace debug\n"
"redis.write_ahead_log true\n"
"redis.password_file /tmp/quarkdb-tests/password-file\n"
"redis.require_password_for_localhost true\n"
"fi\n";
ASSERT_TRUE(Configuration::fromString(c, config));
......@@ -58,6 +59,7 @@ TEST(Configuration, T2) {
ASSERT_EQ(config.getWriteAheadLog(), true);
ASSERT_EQ(config.getPassword(), "");
ASSERT_EQ(config.getPasswordFilePath(), "/tmp/quarkdb-tests/password-file");
ASSERT_TRUE(config.getRequirePasswordForLocalhost());
ASSERT_THROW(config.extractPasswordOrDie(), FatalException); // file does not exist
ASSERT_EQ(system("echo 'pickles' > /tmp/quarkdb-tests/password-file"), 0);
......@@ -95,6 +97,24 @@ TEST(Configuration, NoPassword) {
ASSERT_EQ(config.extractPasswordOrDie(), "");
}
TEST(Configuration, NoPasswordButRequireForLocalhost) {
Configuration config;
std::string c;
c = "if exec xrootd\n"
"xrd.protocol redis:7776 libXrdQuarkDB.so\n"
"redis.mode raft\n"
"redis.database /home/user/mydb\n"
"redis.myself server1:7776\n"
"redis.trace debug\n"
"redis.write_ahead_log true\n"
"redis.require_password_for_localhost true\n"
"fi\n";
ASSERT_FALSE(Configuration::fromString(c, config));
}
TEST(Configuration, PasswordAndPasswordPath) {
Configuration config;
std::string c;
......
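Review bot: The tests added here cover parsing and the `isValid()` rejection, but nothing visible on this page exercises the behaviour that actually changed in `QuarkDBNode::dispatch`. A test that connects over loopback to a node configured with a password and `redis.require_password_for_localhost true`, and asserts that a command sent before authentication is refused (and accepted when the option is left at its default), would pin the access-control decision itself. A case with a non-boolean value such as `redis.require_password_for_localhost maybe`, expecting `fromString` to return false, would also cover the `parseBool` failure path. `TEST(Configuration, PasswordAndPasswordPath)` continues past the end of the last hunk.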