nicolasff / webdis

A Redis HTTP interface with JSON output
https://webd.is
BSD 2-Clause "Simplified" License

acl not working #37

Closed eph214 closed 12 years ago

eph214 commented 12 years ago

Hi,

I'm trying to block all commands except for a certain username and password. This ACL blocked everything: { "disabled": ["*"] }, { "http_basic_auth": "test:test", "enabled": ["PUBLISH"] }

I couldn't publish anywhere.

nicolasff commented 12 years ago

Hi,

Thanks for reporting this issue, I'll have a look in a couple of hours.

Nicolas

On Thursday, December 8, 2011, eph214 <reply@reply.github.com> wrote:

nicolasff commented 12 years ago

I can't seem to reproduce this issue:

Without auth, 403 as expected:

$ curl -v http://127.0.0.1:7379/PUBLISH/chan/msg
* About to connect() to 127.0.0.1 port 7379 (#0)
*   Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 7379 (#0)
> GET /PUBLISH/chan/msg HTTP/1.1
> User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
> Host: 127.0.0.1:7379
> Accept: */*
>  
< HTTP/1.1 403 Forbidden
< Server: Webdis
< Allow: GET,POST,PUT,OPTIONS
< Access-Control-Allow-Origin: *
< Connection: Keep-Alive
< Content-Length: 0
< 
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0

With auth, a response:

$ curl -v -u test:test http://127.0.0.1:7379/PUBLISH/chan/msg
* About to connect() to 127.0.0.1 port 7379 (#0)
*   Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 7379 (#0)
* Server auth using Basic with user 'test'
> GET /PUBLISH/chan/msg HTTP/1.1
> Authorization: Basic dGVzdDp0ZXN0
> User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
> Host: 127.0.0.1:7379
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: Webdis
< Allow: GET,POST,PUT,OPTIONS
< Access-Control-Allow-Origin: *
< Content-Type: application/json
< ETag: "d389b33974a6e1807c5c222cd1c28e0d"
< Connection: Keep-Alive
< Content-Length: 13
< 
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0
{"PUBLISH":0}

The encoded password dGVzdDp0ZXN0 is base-64 for "test:test"; any other credentials will return a 403.

Could you share more details on how you're accessing webdis?

eph214 commented 12 years ago

Yeah, here's what I'm trying to do. I think you cleared at least one thing up for me :-)

curl -u test:test http://10.1.90.6:7379/HMSET/33/status/1/endtime/1111111111/description/SUCCESS:%20reboot%20command%20calling%20successfully

I'm uploading these statuses from other machines, and I need them to be able to access webdis only via the password. I tried now changing the ACL to this:

"acl": [ { "disabled": ["*"] }, { "http_basic_auth": "test:test", "enabled": ["HMSET"] } ],

but it still didn't work, with password or without:

curl http://10.1.90.6:7379/HMSET/33/status/1/endtime/1111111111/description/SUCCESS:%20reboot%20command%20calling%20successfully
{"HMSET":[true,"OK"]}

curl -u test:test http://10.1.90.6:7379/HMSET/33/status/1/endtime/1111111111/description/SUCCESS:%20reboot%20command%20calling%20successfully
{"HMSET":[true,"OK"]}

nicolasff commented 12 years ago

This seems wrong indeed. I'll be away from a computer until Sunday, but I'll be sure to look into it when I get back.

eph214 commented 12 years ago

Hi,

Any word on this issue?

Thanks!

nicolasff commented 12 years ago

Hi,

I still can't reproduce the issue:

$ curl -v -u test:test "http://127.0.0.1:7379/HMSET/33/status/1/endtime/1111111111/description/SUCCESS:%20reboot%20command%20calling%20successfully"
* About to connect() to 127.0.0.1 port 7379 (#0)
*   Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 7379 (#0)
* Server auth using Basic with user 'test'
> GET /HMSET/33/status/1/endtime/1111111111/description/SUCCESS:%20reboot%20command%20calling%20successfully HTTP/1.1
> Authorization: Basic dGVzdDp0ZXN0
> User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
> Host: 127.0.0.1:7379
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: Webdis
< Allow: GET,POST,PUT,OPTIONS
< Access-Control-Allow-Origin: *
< Content-Type: application/json
< ETag: "32bd262fdbcccfcf12fe49335c7abc1f"
< Connection: Keep-Alive
< Content-Length: 21
< 
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0
{"HMSET":[true,"OK"]}

$ curl -v -u test:test "http://127.0.0.1:7379/HGETALL/33"
* About to connect() to 127.0.0.1 port 7379 (#0)
*   Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 7379 (#0)
* Server auth using Basic with user 'test'
> GET /HGETALL/33 HTTP/1.1
> Authorization: Basic dGVzdDp0ZXN0
> User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
> Host: 127.0.0.1:7379
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Server: Webdis
< Allow: GET,POST,PUT,OPTIONS
< Access-Control-Allow-Origin: *
< Connection: Keep-Alive
< Content-Length: 0
< 
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0

$ redis-cli HGETALL 33
1) "status"
2) "1"
3) "endtime"
4) "1111111111"
5) "description"
6) "SUCCESS: reboot command calling successfully"

Could you share more details about the way you're connecting to Webdis?
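To make the expected behaviour of the configuration in this thread explicit, here is an added Python model of the ACL evaluation (written for this write-up, not webdis's own code): rules are walked in order, a rule applies only when its http_basic_auth matches the request's credentials, "enabled" grants and "disabled" revokes, and "*" stands for every command. The default of "allowed before any rule matches" and the disabled-before-enabled ordering within a single rule are assumptions of the model.

```python
import base64
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    """One entry of the "acl" list in a webdis.json-style config."""
    enabled: List[str] = field(default_factory=list)
    disabled: List[str] = field(default_factory=list)
    http_basic_auth: Optional[str] = None   # "user:password" or None (matches everyone)


def load_acl(acl_config: list) -> List[Rule]:
    """Build Rule objects from the parsed "acl" array of the config file."""
    return [Rule(enabled=e.get("enabled", []), disabled=e.get("disabled", []),
                 http_basic_auth=e.get("http_basic_auth")) for e in acl_config]


# The exact ACL posted in this thread (constructed from the config fragment above).
ACL = load_acl([{"disabled": ["*"]},
                {"http_basic_auth": "test:test", "enabled": ["HMSET"]}])


def credentials_from_header(authorization: Optional[str]) -> Optional[str]:
    """Decode 'Authorization: Basic <base64>' into 'user:password'; None if absent or malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def command_allowed(acl: List[Rule], command: str, authorization: Optional[str]) -> bool:
    """Walk the rules in order; the last applicable rule that names the command wins."""
    creds = credentials_from_header(authorization)
    cmd = command.upper()
    allowed = True                                   # model assumption: permissive default
    for rule in acl:
        if rule.http_basic_auth is not None and creds != rule.http_basic_auth:
            continue                                 # credential constraint not met
        if "*" in rule.disabled or cmd in (c.upper() for c in rule.disabled):
            allowed = False
        if "*" in rule.enabled or cmd in (c.upper() for c in rule.enabled):
            allowed = True
    return allowed


def http_status(acl: List[Rule], command: str, authorization: Optional[str]) -> int:
    """Status webdis would answer with for the command: 200 when allowed, 403 otherwise."""
    return 200 if command_allowed(acl, command, authorization) else 403
```

Running the three requests from the maintainer's transcript through the model gives 403 for HMSET without credentials, 200 for HMSET with test:test, and 403 for HGETALL even with the right password, which is the behaviour a correct build should show.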

eph214 commented 12 years ago

Hi,

I can reproduce it: here's my webdis.json auth setting:

"acl": [ { "disabled": ["*"] }, { "http_basic_auth": "test:test", "enabled": ["HMSET"] } ],

here's a curl call with the auth user (correct): curl -v -u test:test "http://127.0.0.1:7379/HMSET/33/status/1/endtime/1111111111/description/SUCCESS:%20reboot%20command%20calling%20successfully"

in both cases the submission is accepted without issue. This seems to be a bug.

and here's a curl call without the auth user (no authentication provided):

eph214 commented 12 years ago

Sorry, the post above was maybe a bit confusing.

here's a curl call with the auth user (correct):

curl -v -u test:test "http://127.0.0.1:7379/HMSET/33/status/1/endtime/1111111111/description/SUCCESS:%20reboot%20command%20calling%20successfully"

and here's a curl call without the auth user (no authentication provided):

curl -v "http://127.0.0.1:7379/HMSET/33/status/1/endtime/1111111111/description/SUCCESS:%20reboot%20command%20calling%20successfully"

in both cases the submission is accepted without issue. This seems to be a bug.

nicolasff commented 12 years ago

@eph214, I'm sorry but I can't reproduce this issue; I get a 403 Forbidden without a password. I have exactly the same configuration as the one you posted.

I also started 2 EC2 instances (one 32-bit and one 64-bit), installed Redis and webdis, and tried your example without a problem.

Can you make sure you're running the latest version of webdis? Also, try forcing the recompilation after updating the code, with make clean all. You're either running an old version of webdis or having configuration issues.

eph214 commented 12 years ago

OK, I did a clean clone from git and rebuilt, and it's working now. Thanks for your help on this!