fix acl

OpenAtomFoundation · Mar 6, 2024 · e950156 · e950156
1 parent 1bbd402
commit e950156
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 7 deletions.
diff --git a/include/acl.h b/include/acl.h
@@ -365,6 +365,9 @@ class Acl {
 
   void UpdateDefaultUserPassword(const std::string& pass);
 
+  void InitAdminUser();
+  void InitDefaultUser(const std::string& bl);
+
   // After the user channel is modified, determine whether the current channel needs to be disconnected
   void KillPubsubClientsIfNeeded(const std::shared_ptr<User>& origin, const std::shared_ptr<User>& newUser);
 
@@ -380,6 +383,7 @@ class Acl {
   static std::vector<std::string> GetAllCategoryName();
 
   static const std::string DefaultUser;
+  static const std::string Admin;
   static const int64_t LogGroupingMaxTimeDelta;
 
   // Adds a new entry in the ACL log, making sure to delete the old entry

diff --git a/include/pika_conf.h b/include/pika_conf.h
@@ -168,6 +168,10 @@ class PikaConf : public pstd::BaseConf {
     std::shared_lock l(rwlock_);
     return masterauth_;
   }
+  std::string userpass() {
+    std::shared_lock l(rwlock_);
+    return userpass_;
+  }
   std::string bgsave_path() {
     std::shared_lock l(rwlock_);
     return bgsave_path_;
@@ -367,6 +371,11 @@ class PikaConf : public pstd::BaseConf {
     return pstd::Set2String(slow_cmd_set_, ',');
   }
 
+  const std::string GetUserBlackList() {
+    std::shared_lock l(rwlock_);
+    return userblacklist_;
+  }
+
   bool is_slow_cmd(const std::string& cmd) {
     std::shared_lock l(rwlock_);
     return slow_cmd_set_.find(cmd) != slow_cmd_set_.end();
@@ -689,6 +698,7 @@ class PikaConf : public pstd::BaseConf {
   std::string replication_id_;
   std::string requirepass_;
   std::string masterauth_;
+  std::string userpass_;
   std::atomic<bool> classic_mode_;
   int databases_ = 0;
   int default_slot_num_ = 1;
@@ -740,6 +750,7 @@ class PikaConf : public pstd::BaseConf {
 
   std::string network_interface_;
 
+  std::string userblacklist_;
   std::vector<std::string> users_;  // acl user rules
 
   std::string aclFile_;

diff --git a/src/acl.cc b/src/acl.cc
@@ -293,11 +293,15 @@ std::vector<std::string> User::AllChannelKey() {
 // class Acl
 pstd::Status Acl::Initialization() {
   AddUser(CreateDefaultUser());
-  UpdateDefaultUserPassword(g_pika_conf->requirepass());
+  UpdateDefaultUserPassword(g_pika_conf->userpass());
+
+  AddUser(CreatedUser(Admin));
+  InitAdminUser();
   auto status = LoadUsersAtStartup();
   if (!status.ok()) {
     return status;
   }
+  InitDefaultUser(g_pika_conf->GetUserBlackList());
   return status;
 }
 
@@ -472,6 +476,31 @@ void Acl::UpdateDefaultUserPassword(const std::string& pass) {
   }
 }
 
+void Acl::InitAdminUser() {
+  auto pass = g_pika_conf->requirepass();
+  std::unique_lock wl(mutex_);
+  auto u = GetUser(Admin);
+  if (pass.empty()) {
+    u->SetUser("nopass");
+  } else {
+    u->SetUser(">"+pass);
+  }
+  u->SetUser("+@all");
+  u->SetUser("~*");
+  u->SetUser("&*");
+  u->SetUser("on");
+}
+
+void Acl::InitDefaultUser(const std::string& bl) {
+  std::unique_lock wl(mutex_);
+  auto defaultUser = GetUser(DefaultUser);
+  std::vector<std::string> blacklist;
+  pstd::StringSplit(bl, ',', blacklist);
+  for(auto& i : blacklist) {
+    defaultUser->SetUser("-"+i);
+  }
+}
+
 // bool Acl::CheckUserCanExec(const std::shared_ptr<Cmd>& cmd, const PikaCmdArgsType& argv) { cmd->name(); }
 
 std::shared_ptr<User> Acl::CreateDefaultUser() {
@@ -725,6 +754,7 @@ std::array<std::pair<std::string, uint32_t>, 3> Acl::SelectorFlags = {{
 }};
 
 const std::string Acl::DefaultUser = "default";
+const std::string Acl::Admin = "admin";
 const int64_t Acl::LogGroupingMaxTimeDelta = 60000;
 
 void Acl::AddLogEntry(int32_t reason, int32_t context, const std::string& username, const std::string& object,

diff --git a/src/pika_admin.cc b/src/pika_admin.cc
@@ -269,15 +269,24 @@ void AuthCmd::Do() {
   std::string pwd = "";
   bool defaultAuth = false;
   if (argv_.size() == 2) {
-    userName = Acl::DefaultUser;
     pwd = argv_[1];
-    defaultAuth = true;
+//    defaultAuth = true;
   } else {
     userName = argv_[1];
     pwd = argv_[2];
   }
 
-  auto authResult = AuthenticateUser(name(), userName, pwd, conn, defaultAuth);
+  AuthResult authResult;
+  if (userName == "") {
+    //  admin
+    authResult = AuthenticateUser(name(), Acl::Admin, pwd, conn, defaultAuth);
+    if (authResult != AuthResult::OK) {
+      //  default。
+        authResult = AuthenticateUser(name(), Acl::DefaultUser, pwd, conn, true);
+    }
+  } else {
+    authResult = AuthenticateUser(name(), userName, pwd, conn, defaultAuth);
+  }
 
   switch (authResult) {
     case AuthResult::INVALID_CONN:

diff --git a/src/pika_conf.cc b/src/pika_conf.cc
@@ -49,7 +49,7 @@ int PikaConf::Load() {
   GetConfStr("replication-id", &replication_id_);
   GetConfStr("requirepass", &requirepass_);
   GetConfStr("masterauth", &masterauth_);
-  //  GetConfStr("userpass", &userpass_);
+  GetConfStr("userpass", &userpass_);
   GetConfInt("maxclients", &maxclients_);
   if (maxclients_ <= 0) {
     maxclients_ = 20000;
@@ -461,6 +461,8 @@ int PikaConf::Load() {
   network_interface_ = "";
   GetConfStr("network-interface", &network_interface_);
 
+  // userblacklist
+  GetConfStr("userblacklist", &userblacklist_);
   // acl users
   GetConfStrMulti("user", &users_);
 
@@ -623,8 +625,8 @@ int PikaConf::ConfigRewrite() {
   SetConfInt("timeout", timeout_);
   SetConfStr("requirepass", requirepass_);
   SetConfStr("masterauth", masterauth_);
-  //  SetConfStr("userpass", userpass_);
-  //  SetConfStr("userblacklist", userblacklist);
+  SetConfStr("userpass", userpass_);
+//    SetConfStr("userblacklist", userblacklist_);
   SetConfStr("dump-prefix", bgsave_prefix_);
   SetConfInt("maxclients", maxclients_);
   SetConfInt("dump-expire", expire_dump_days_);