1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
|
import functools
import random
import string
from typing import Optional, Tuple, Union
import pytest
import redis
from redis import AuthenticationError, DataError, ResponseError
from redis.credentials import CredentialProvider, UsernamePasswordCredentialProvider
from redis.utils import str_if_bytes
from tests.conftest import _get_client, skip_if_redis_enterprise, skip_if_server_version_lt
class NoPassCredProvider(CredentialProvider):
def get_credentials(self) -> Union[Tuple[str], Tuple[str, str]]:
return "username", ""
class RandomAuthCredProvider(CredentialProvider):
def __init__(self, user: Optional[str], endpoint: str):
self.user = user
self.endpoint = endpoint
@functools.lru_cache(maxsize=10)
def get_credentials(self) -> Union[Tuple[str, str], Tuple[str]]:
def get_random_string(length):
letters = string.ascii_lowercase
result_str = "".join(random.choice(letters) for i in range(length))
return result_str
if self.user:
auth_token: str = get_random_string(5) + self.user + "_" + self.endpoint
return self.user, auth_token
else:
auth_token: str = get_random_string(5) + self.endpoint
return (auth_token,)
def init_acl_user(r, request, username, password):
# reset the user
r.acl_deluser(username)
if password:
assert (
r.acl_setuser(
username,
enabled=True,
passwords=["+" + password],
keys="~*",
commands=[
"+ping",
"+command",
"+info",
"+select",
"+flushdb",
"+cluster",
],
)
is True
)
else:
assert (
r.acl_setuser(
username,
enabled=True,
keys="~*",
commands=[
"+ping",
"+command",
"+info",
"+select",
"+flushdb",
"+cluster",
],
nopass=True,
)
is True
)
if request is not None:
def teardown():
r.acl_deluser(username)
request.addfinalizer(teardown)
def init_required_pass(r, request, password):
r.config_set("requirepass", password)
def teardown():
try:
r.auth(password)
except (ResponseError, AuthenticationError):
r.auth("default", "")
r.config_set("requirepass", "")
request.addfinalizer(teardown)
@skip_if_server_version_lt("6.0.0")
class TestCredentialsProvider:
@skip_if_redis_enterprise()
def test_only_pass_without_creds_provider(self, r, request):
# test for default user (`username` is supposed to be optional)
password = "password"
init_required_pass(r, request, password)
assert r.auth(password) is True
r2 = _get_client(redis.Redis, request, flushdb=False, password=password)
assert r2.ping() is True
@skip_if_redis_enterprise()
def test_user_and_pass_without_creds_provider(self, r, request):
"""
Test backward compatibility with username and password
"""
# test for other users
username = "username"
password = "password"
init_acl_user(r, request, username, password)
r2 = _get_client(
redis.Redis, request, flushdb=False, username=username, password=password
)
assert r2.ping() is True
@pytest.mark.parametrize("username", ["username", None])
@skip_if_redis_enterprise()
@pytest.mark.onlynoncluster
def test_credential_provider_with_supplier(self, r, request, username):
creds_provider = RandomAuthCredProvider(
user=username,
endpoint="localhost",
)
password = creds_provider.get_credentials()[-1]
if username:
init_acl_user(r, request, username, password)
else:
init_required_pass(r, request, password)
r2 = _get_client(
redis.Redis, request, flushdb=False, credential_provider=creds_provider
)
assert r2.ping() is True
def test_credential_provider_no_password_success(self, r, request):
init_acl_user(r, request, "username", "")
r2 = _get_client(
redis.Redis,
request,
flushdb=False,
credential_provider=NoPassCredProvider(),
)
assert r2.ping() is True
@pytest.mark.onlynoncluster
def test_credential_provider_no_password_error(self, r, request):
init_acl_user(r, request, "username", "password")
with pytest.raises(AuthenticationError) as e:
_get_client(
redis.Redis,
request,
flushdb=False,
credential_provider=NoPassCredProvider(),
)
assert e.match("invalid username-password")
@pytest.mark.onlynoncluster
def test_password_and_username_together_with_cred_provider_raise_error(
self, r, request
):
init_acl_user(r, request, "username", "password")
cred_provider = UsernamePasswordCredentialProvider(
username="username", password="password"
)
with pytest.raises(DataError) as e:
_get_client(
redis.Redis,
request,
flushdb=False,
username="username",
password="password",
credential_provider=cred_provider,
)
assert e.match(
"'username' and 'password' cannot be passed along with "
"'credential_provider'."
)
@pytest.mark.onlynoncluster
def test_change_username_password_on_existing_connection(self, r, request):
username = "origin_username"
password = "origin_password"
new_username = "new_username"
new_password = "new_password"
init_acl_user(r, request, username, password)
r2 = _get_client(
redis.Redis, request, flushdb=False, username=username, password=password
)
assert r2.ping() is True
conn = r2.connection_pool.get_connection("_")
conn.send_command("PING")
assert str_if_bytes(conn.read_response()) == "PONG"
assert conn.username == username
assert conn.password == password
init_acl_user(r, request, new_username, new_password)
conn.password = new_password
conn.username = new_username
conn.send_command("PING")
assert str_if_bytes(conn.read_response()) == "PONG"
@skip_if_server_version_lt("6.0.0")
class TestUsernamePasswordCredentialProvider:
def test_user_pass_credential_provider_acl_user_and_pass(self, r, request):
username = "username"
password = "password"
provider = UsernamePasswordCredentialProvider(username, password)
assert provider.username == username
assert provider.password == password
assert provider.get_credentials() == (username, password)
init_acl_user(r, request, provider.username, provider.password)
r2 = _get_client(
redis.Redis, request, flushdb=False, credential_provider=provider
)
assert r2.ping() is True
def test_user_pass_provider_only_password(self, r, request):
password = "password"
provider = UsernamePasswordCredentialProvider(password=password)
assert provider.username == ""
assert provider.password == password
assert provider.get_credentials() == (password,)
init_required_pass(r, request, password)
r2 = _get_client(
redis.Redis, request, flushdb=False, credential_provider=provider
)
assert r2.auth(provider.password) is True
assert r2.ping() is True
|
