nicolasff / webdis

A Redis HTTP interface with JSON output
https://webd.is
BSD 2-Clause "Simplified" License

Disable all commands to non authenticated users #161

Closed tomgie closed 4 years ago

tomgie commented 4 years ago

I tried to create a config that disables all commands to users that do not have the authentication correct, and enable those that do. Currently, this seems to not work as the disabled parameter overrides the auth parameter.

"acl":[ { "disabled": [ "*" ] }, { "http_basic_auth":"username:pw", "enabled": [ "*" ] } ]

nicolasff commented 4 years ago

Hi @tomgie,

Thanks for reporting this issue. From a quick look at the code it seems like your config would work for what you're trying to do, and it's not obvious to me what the issue might be. I'll try to reproduce it later today to figure it out.

tomgie commented 4 years ago

Thanks, hopefully we can get this sorted out

nicolasff commented 4 years ago

I am not able to reproduce this issue. Here's my ACL section from webdis.json, matching yours:

$ jq .acl webdis.json
[
  {
    "disabled": [
      "*"
    ]
  },
  {
    "http_basic_auth": "username:pw",
    "enabled": [
      "*"
    ]
  }
]

Running the server:

$ ./webdis webdis.json &
[1] 60581

Here's a request without auth, failing as expected:

$ curl -v http://127.0.0.1:7379/ping
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 7379 (#0)
> GET /ping HTTP/1.1
> Host: 127.0.0.1:7379
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: Webdis
< Allow: GET,POST,PUT,OPTIONS
< Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: X-Requested-With, Content-Type, Authorization
< Connection: Keep-Alive
< Content-Length: 0
<
* Connection #0 to host 127.0.0.1 left intact

Now with valid credentials, succeeding:

$ curl -v -u username:pw http://127.0.0.1:7379/ping
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 7379 (#0)
* Server auth using Basic with user 'username'
> GET /ping HTTP/1.1
> Host: 127.0.0.1:7379
> Authorization: Basic dXNlcm5hbWU6cHc=
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Webdis
< Allow: GET,POST,PUT,OPTIONS
< Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: X-Requested-With, Content-Type, Authorization
< Content-Type: application/json
< ETag: "98bfe03a3621cded1a1f125efe3a9c14"
< Connection: Keep-Alive
< Content-Length: 22
<
* Connection #0 to host 127.0.0.1 left intact
{"ping":[true,"PONG"]}

And invalid credentials, failing as expected:

$ curl -v -u username:incorrect_password http://127.0.0.1:7379/ping
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 7379 (#0)
* Server auth using Basic with user 'username'
> GET /ping HTTP/1.1
> Host: 127.0.0.1:7379
> Authorization: Basic dXNlcm5hbWU6aW5jb3JyZWN0X3Bhc3N3b3Jk
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: Webdis
< Allow: GET,POST,PUT,OPTIONS
< Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: X-Requested-With, Content-Type, Authorization
< Connection: Keep-Alive
< Content-Length: 0
<
* Connection #0 to host 127.0.0.1 left intact

tomgie commented 4 years ago

I figured out what the problem was. It seems that setting a long password (128 characters) breaks the authentication. Cutting the password down a decent amount seems to fix the problem.

nicolasff commented 4 years ago

Ah! Thanks a lot for this detail. The base-64 encoding of the expected basic auth value for the account was adding new lines every 72 characters; I changed this to a much larger value.

I published release 0.1.7 with this fix. Would you mind verifying it?
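The following is an added example, not code from webdis or from either participant. It models the ACL evaluation the config in this thread relies on (a catch-all `disabled` entry followed by an `http_basic_auth` entry that re-enables everything) and reproduces the root cause described above: the server precomputing its expected `Authorization` value with a base64 encoder that wraps lines every 72 characters, so that any credential string longer than 54 bytes can never match what a client such as curl sends on a single line. The ACL semantics (entries evaluated in order, later entries overriding earlier ones, deny before any entry applies, an entry with `http_basic_auth` only applying when the credentials match) are assumptions for the purpose of the demonstration and are not verified against the webdis source; the 128-character password and the `username:` prefix are constructed to mirror the thread.

```python
import base64
import hmac
from typing import Optional

# Added example, not webdis's own code. Models the ACL check from the thread
# and the base64 line-wrapping defect behind the long-password failure.

WRAP_AT = 72  # line length at which the defective encoder inserted "\n"


def b64_wrapped(data: bytes, line_length: int = WRAP_AT) -> str:
    """Encoder that breaks its output into lines: the behaviour that caused the bug."""
    raw = base64.b64encode(data).decode("ascii")
    return "\n".join(raw[i:i + line_length] for i in range(0, len(raw), line_length))


def b64_unwrapped(data: bytes) -> str:
    """Single-line encoder, which is what an HTTP client such as curl actually sends."""
    return base64.b64encode(data).decode("ascii")


def basic_auth_ok(headers: dict, credentials: str, encoder) -> bool:
    """Compare the request's Authorization header with the server's expected value.

    The server builds "Basic " + base64(credentials) with *its* encoder. If that
    encoder wraps lines, the expected value contains newlines and a correct
    client header can never be equal to it.
    """
    expected = "Basic " + encoder(credentials.encode("utf-8"))
    sent = headers.get("Authorization", "")
    return hmac.compare_digest(sent.encode("utf-8"), expected.encode("utf-8"))


def command_allowed(acl: list, command: str, headers: dict, encoder=b64_unwrapped) -> bool:
    """Evaluate ACL entries in order; a later applicable entry overrides earlier ones.

    Assumption (not taken from the webdis source): deny by default, and an entry
    carrying http_basic_auth applies only when the credentials match.
    """
    allowed = False
    for entry in acl:
        creds = entry.get("http_basic_auth")
        if creds is not None and not basic_auth_ok(headers, creds, encoder):
            continue  # entry does not apply to this request
        disabled, enabled = entry.get("disabled", []), entry.get("enabled", [])
        if "*" in disabled or command in disabled:
            allowed = False
        if "*" in enabled or command in enabled:
            allowed = True
    return allowed


def client_headers(credentials: Optional[str]) -> dict:
    """Build what `curl -u user:pw` sends: one base64 line, or no header at all."""
    if credentials is None:
        return {}
    return {"Authorization": "Basic " + b64_unwrapped(credentials.encode("utf-8"))}


def status_for(acl: list, command: str, credentials: Optional[str], server_encoder) -> int:
    """HTTP status a request would get: 200 when the ACL allows it, 403 otherwise."""
    return 200 if command_allowed(acl, command, client_headers(credentials), server_encoder) else 403


# Constructed configs mirroring the thread: the same ACL with a short and a 128-char password.
SHORT_PW = "pw"
LONG_PW = "p" * 128
ACL_SHORT = [{"disabled": ["*"]}, {"http_basic_auth": "username:" + SHORT_PW, "enabled": ["*"]}]
ACL_LONG = [{"disabled": ["*"]}, {"http_basic_auth": "username:" + LONG_PW, "enabled": ["*"]}]

if __name__ == "__main__":
    print("short pw, no auth (wrapping encoder):   ", status_for(ACL_SHORT, "ping", None, b64_wrapped))
    print("short pw, good auth (wrapping encoder): ", status_for(ACL_SHORT, "ping", "username:pw", b64_wrapped))
    print("long pw, good auth (wrapping encoder):  ", status_for(ACL_LONG, "ping", "username:" + LONG_PW, b64_wrapped))
    print("long pw, good auth (single-line encoder):", status_for(ACL_LONG, "ping", "username:" + LONG_PW, b64_unwrapped))
```

With the short password the encoded value is 16 characters, so the wrapping encoder never inserts a newline and both encoders agree with curl; with the 128-character password the expected value is 184 characters, the wrapping encoder splits it across three lines, and the correct credentials are rejected until the server encodes on a single line.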

tomgie commented 4 years ago

Everything seems to be working now. Thanks.