ACL: nopass user setting.

This is needed to model the current behavior of authenticating the
connection directly when no password is set. With ACLs, this is now
obtained by setting the default user as a "nopass" user. Moreover, this
flag can be used to create other users that do not require any
password but will work with "AUTH username <any-password>".
antirez 2019-01-15 13:16:31 +01:00
parent 4f7ff85b88
commit b39409bcf8
2 changed files with 21 additions and 1 deletions


@ -141,9 +141,19 @@ user *ACLCreateUser(const char *name, size_t namelen) {
* ><password> Add this passowrd to the list of valid password for the user.
* For example >mypass will add "mypass" to the list.
* <<password> Remove this password from the list of valid passwords.
* nopass All the set passwords of the user are removed, and the user
* is flagged as requiring no password: it means that every
* password will work against this user. If this directive is
* used for the default user, every new connection will be
* immediately authenticated with the default user without
* any explicit AUTH command required. Note that the "resetpass"
* directive will clear this condition.
* allcommands Alias for +@all
* allkeys Alias for ~*
* resetpass Flush the list of allowed passwords.
* resetpass Flush the list of allowed passwords. Moreover removes the
* "nopass" status. After "resetpass" the user has no associated
* passwords and there is no way to authenticate without adding
* some password (or setting it as "nopass" later).
* resetkeys Flush the list of allowed keys patterns.
* reset Performs the following actions: resetpass, resetkeys, off,
* -@all. The user returns to the same state it has immediately
@ -175,6 +185,9 @@ int ACLSetUser(user *u, const char *op, ssize_t oplen) {
{
memset(u->allowed_commands,255,sizeof(u->allowed_commands));
u->flags |= USER_FLAG_ALLCOMMANDS;
} else if (!strcasecmp(op,"nopass")) {
u->flags |= USER_FLAG_NOPASS;
listEmpty(u->passwords);
} else if (op[0] == '>') {
sds newpass = sdsnewlen(op+1,oplen-1);
listNode *ln = listSearchKey(u->passwords,newpass);
@ -197,6 +210,7 @@ void ACLInit(void) {
DefaultUser = ACLCreateUser("default",7);
ACLSetUser(DefaultUser,"+@all",-1);
ACLSetUser(DefaultUser,"on",-1);
ACLSetUser(DefaultUser,"nopass",-1);
}
/* Check the username and password pair and return C_OK if they are valid,
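Review bot: Nothing in this commit ever clears USER_FLAG_NOPASS once the new `nopass` branch of ACLSetUser has set it. The updated comment says "resetpass" removes the "nopass" status, but no hunk touches the `resetpass` branch, and because the flag is introduced by this same commit the existing branch cannot already clear it. The `>` branch shown after the new code does not visibly clear it either, although its body continues outside the hunk. Once authentication honours the flag, a user moved from `nopass` to a real password would presumably keep accepting any password, and the default user would keep auto-authenticating. I would add `u->flags &= ~USER_FLAG_NOPASS;` to both the `resetpass` branch and the `>` branch so that the code matches the documented behaviour.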


@ -715,6 +715,12 @@ typedef struct readyList {
#define USER_FLAG_ENABLED (1<<0) /* The user is active. */
#define USER_FLAG_ALLKEYS (1<<1) /* The user can mention any key. */
#define USER_FLAG_ALLCOMMANDS (1<<2) /* The user can run all commands. */
#define USER_FLAG_NOPASS (1<<3) /* The user requires no password, any
provided password will work. For the
default user, this also means that
no AUTH is needed, and every
connection is immediately
authenticated. */
typedef struct user {
uint64_t flags; /* See USER_FLAG_* */