summaryrefslogtreecommitdiffstats
path: root/lualib
diff options
context:
space:
mode:
authorlaodc <github@laodc.com>2023-08-21 15:45:58 +0700
committerlaodc <github@laodc.com>2023-08-21 15:45:58 +0700
commit75fdc829bacbdc767b20d3f0e40b91215fce14fe (patch)
tree209d8d53e71cd5a92deb69fcb740bb2649bb66ee /lualib
parent1931487b17059d6c63adf2245c9632384657f89e (diff)
downloadrspamd-75fdc829bacbdc767b20d3f0e40b91215fce14fe.tar.gz
rspamd-75fdc829bacbdc767b20d3f0e40b91215fce14fe.zip
Added support for Redis 6 ACL (username/password)
Diffstat (limited to 'lualib')
-rw-r--r--lualib/lua_redis.lua37
-rw-r--r--lualib/rspamadm/configwizard.lua16
-rw-r--r--lualib/rspamadm/fuzzy_convert.lua34
3 files changed, 73 insertions, 14 deletions
diff --git a/lualib/lua_redis.lua b/lualib/lua_redis.lua
index b03160bb0..377541f87 100644
--- a/lualib/lua_redis.lua
+++ b/lualib/lua_redis.lua
@@ -30,12 +30,14 @@ local common_schema = {
database = ts.string:is_optional():describe("Database number"),
dbname = ts.string:is_optional():describe("Database number"),
prefix = ts.string:is_optional():describe("Key prefix"),
+ username = ts.string:is_optional():describe("Username"),
password = ts.string:is_optional():describe("Password"),
expand_keys = ts.boolean:is_optional():describe("Expand keys"),
sentinels = (ts.string + ts.array_of(ts.string)):is_optional():describe("Sentinel servers"),
sentinel_watch_time = (ts.number + ts.string / lutil.parse_time_interval):is_optional():describe("Sentinel watch time"),
sentinel_masters_pattern = ts.string:is_optional():describe("Sentinel masters pattern"),
sentinel_master_maxerrors = (ts.number + ts.string / tonumber):is_optional():describe("Sentinel master max errors"),
+ sentinel_username = ts.string:is_optional():describe("sentinel username"),
sentinel_password = ts.string:is_optional():describe("Sentinel password"),
}
@@ -153,6 +155,7 @@ local function redis_query_sentinel(ev_base, params, initialised)
local ret = rspamd_redis.make_request {
host = addr:get_addr(),
timeout = params.timeout,
+ username = params.sentinel_username,
password = params.sentinel_password,
config = rspamd_config,
ev_base = ev_base,
@@ -184,6 +187,7 @@ local function redis_query_sentinel(ev_base, params, initialised)
timeout = params.timeout,
config = rspamd_config,
ev_base = ev_base,
+ username = params.sentinel_username,
password = params.sentinel_password,
cmd = 'SENTINEL',
args = { 'masters' },
@@ -366,6 +370,9 @@ local function process_redis_opts(options, redis_params)
redis_params['db'] = tostring(options['database'])
end
end
+ if options['username'] and not redis_params['username'] then
+ redis_params['username'] = options['username']
+ end
if options['password'] and not redis_params['password'] then
redis_params['password'] = options['password']
end
@@ -996,6 +1003,10 @@ local function rspamd_redis_make_request(task, redis_params, key, is_write,
end
end
+ if redis_params['username'] then
+ options['username'] = redis_params['username']
+ end
+
if redis_params['password'] then
options['password'] = redis_params['password']
end
@@ -1086,6 +1097,10 @@ local function redis_make_request_taskless(ev_base, cfg, redis_params, key,
end
end
+ if redis_params['username'] then
+ options['username'] = redis_params['username']
+ end
+
if redis_params['password'] then
options['password'] = redis_params['password']
end
@@ -1157,6 +1172,10 @@ local function prepare_redis_call(script)
upstream = s
}
+ if script.redis_params['username'] then
+ cur_opts['username'] = script.redis_params['username']
+ end
+
if script.redis_params['password'] then
cur_opts['password'] = script.redis_params['password']
end
@@ -1497,7 +1516,15 @@ local function redis_connect_sync(redis_params, is_write, key, cfg, ev_base)
if conn then
local need_exec = false
- if redis_params['password'] then
+ if redis_params['username'] then
+ if redis_params['password'] then
+ conn:add_cmd('AUTH', { redis_params['username'], redis_params['password'] })
+ need_exec = true
+ else
+ logger.errx('Redis requires a password when username is supplied')
+ return false, nil, addr
+ end
+ elseif redis_params['password'] then
conn:add_cmd('AUTH', { redis_params['password'] })
need_exec = true
end
@@ -1602,6 +1629,10 @@ exports.request = function(redis_params, attrs, req)
opts.args = req
end
+ if redis_params.username then
+ opts.username = redis_params.username
+ end
+
if redis_params.password then
opts.password = redis_params.password
end
@@ -1701,6 +1732,10 @@ exports.connect = function(redis_params, attrs)
opts.host = addr:get_addr()
opts.timeout = redis_params.timeout
+ if redis_params.username then
+ opts.username = redis_params.username
+ end
+
if redis_params.password then
opts.password = redis_params.password
end
diff --git a/lualib/rspamadm/configwizard.lua b/lualib/rspamadm/configwizard.lua
index 27c358e3b..7bcda5a01 100644
--- a/lualib/rspamadm/configwizard.lua
+++ b/lualib/rspamadm/configwizard.lua
@@ -249,7 +249,21 @@ local function setup_redis(cfg, changes)
redis_params['write_servers'] = ws
end
- if ask_yes_no('Do you have any password set for your Redis?') then
+ if ask_yes_no('Do you have any username set for your Redis?') then
+ local usernm = readline_default("Enter Redis username:", nil)
+
+ if usernm then
+ changes.l['redis.conf']['username'] = usernm
+ redis_params['username'] = usernm
+ end
+
+ local passwd = readline_default("Enter Redis password:", nil)
+
+ if passwd then
+ changes.l['redis.conf']['password'] = passwd
+ redis_params['password'] = passwd
+ end
+ elseif ask_yes_no('Do you have any password set for your Redis?') then
local passwd = readline_default("Enter Redis password:", nil)
if passwd then
diff --git a/lualib/rspamadm/fuzzy_convert.lua b/lualib/rspamadm/fuzzy_convert.lua
index a31baa4e2..67a2664bc 100644
--- a/lualib/rspamadm/fuzzy_convert.lua
+++ b/lualib/rspamadm/fuzzy_convert.lua
@@ -12,7 +12,16 @@ local function connect_redis(server, password, db)
return nil, 'Cannot connect: ' .. err
end
- if password then
+ if username then
+ if password then
+ ret = conn:add_cmd('AUTH', { username, password })
+ if not ret then
+ return nil, 'Cannot queue command'
+ end
+ else
+ return nil, 'Redis requires a password when username is supplied'
+ end
+ else if password then
ret = conn:add_cmd('AUTH', { password })
if not ret then
return nil, 'Cannot queue command'
@@ -28,8 +37,8 @@ local function connect_redis(server, password, db)
return conn, nil
end
-local function send_digests(digests, redis_host, redis_password, redis_db)
- local conn, err = connect_redis(redis_host, redis_password, redis_db)
+local function send_digests(digests, redis_host, redis_username, redis_password, redis_db)
+ local conn, err = connect_redis(redis_host, redis_username, redis_password, redis_db)
if err then
print(err)
return false
@@ -62,8 +71,8 @@ local function send_digests(digests, redis_host, redis_password, redis_db)
return true
end
-local function send_shingles(shingles, redis_host, redis_password, redis_db)
- local conn, err = connect_redis(redis_host, redis_password, redis_db)
+local function send_shingles(shingles, redis_host, redis_username, redis_password, redis_db)
+ local conn, err = connect_redis(redis_host, redis_username, redis_password, redis_db)
if err then
print("Redis error: " .. err)
return false
@@ -95,8 +104,8 @@ local function send_shingles(shingles, redis_host, redis_password, redis_db)
return true
end
-local function update_counters(total, redis_host, redis_password, redis_db)
- local conn, err = connect_redis(redis_host, redis_password, redis_db)
+local function update_counters(total, redis_host, redis_username, redis_password, redis_db)
+ local conn, err = connect_redis(redis_host, redis_username, redis_password, redis_db)
if err then
print(err)
return false
@@ -135,6 +144,7 @@ return function(_, res)
local total_digests = 0
local total_shingles = 0
local lim_batch = 1000 -- Update each 1000 entries
+ local redis_username = res['redis_username']
local redis_password = res['redis_password']
local redis_db = nil
@@ -162,14 +172,14 @@ return function(_, res)
end
end
if num_batch_digests >= lim_batch then
- if not send_digests(digests, res['redis_host'], redis_password, redis_db) then
+ if not send_digests(digests, res['redis_host'], redis_username, redis_password, redis_db) then
return
end
num_batch_digests = 0
digests = {}
end
if num_batch_shingles >= lim_batch then
- if not send_shingles(shingles, res['redis_host'], redis_password, redis_db) then
+ if not send_shingles(shingles, res['redis_host'], redis_username, redis_password, redis_db) then
return
end
num_batch_shingles = 0
@@ -177,12 +187,12 @@ return function(_, res)
end
end
if digests[1] then
- if not send_digests(digests, res['redis_host'], redis_password, redis_db) then
+ if not send_digests(digests, res['redis_host'], redis_username, redis_password, redis_db) then
return
end
end
if shingles[1] then
- if not send_shingles(shingles, res['redis_host'], redis_password, redis_db) then
+ if not send_shingles(shingles, res['redis_host'], redis_username, redis_password, redis_db) then
return
end
end
@@ -191,7 +201,7 @@ return function(_, res)
'Migrated %d digests and %d shingles',
total_digests, total_shingles
)
- if not update_counters(total_digests, res['redis_host'], redis_password, redis_db) then
+ if not update_counters(total_digests, res['redis_host'], redis_username, redis_password, redis_db) then
message = message .. ' but failed to update counters'
end
print(message)