Implement AUTH. Closes #58
This change makes password authentication required for redis usage, and removes anonymous access. Users will need to change their underlying clients to enable writing the auth token for authenticating, otherwise requests will fail. This is a non-optional change, and improves security for users who wish to expose their redis installations outside of their network.
This commit is contained in:
Jose Diaz-Gonzalez
@@ -25,6 +25,7 @@ teardown() {
|
||||
export ECHO_DOCKER_COMMAND="true"
|
||||
export SSH_TTY=`tty`
|
||||
run dokku "$PLUGIN_COMMAND_PREFIX:export" l
|
||||
password="$(cat "$PLUGIN_DATA_ROOT/l/PASSWORD")"
|
||||
assert_exit_status 0
|
||||
assert_output "docker exec dokku.redis.l cat /data/dump.rdb"
|
||||
}
|
||||
@@ -33,6 +34,7 @@ teardown() {
|
||||
export ECHO_DOCKER_COMMAND="true"
|
||||
unset SSH_TTY
|
||||
run dokku "$PLUGIN_COMMAND_PREFIX:export" l
|
||||
password="$(cat "$PLUGIN_DATA_ROOT/l/PASSWORD")"
|
||||
assert_exit_status 0
|
||||
assert_output "docker exec dokku.redis.l cat /data/dump.rdb"
|
||||
}
|
||||
|
||||
@@ -31,6 +31,7 @@ teardown() {
|
||||
@test "($PLUGIN_COMMAND_PREFIX:import) success" {
|
||||
export ECHO_DOCKER_COMMAND="true"
|
||||
run dokku "$PLUGIN_COMMAND_PREFIX:import" l < "$PLUGIN_DATA_ROOT/fake.rdb"
|
||||
password="$(cat "$PLUGIN_DATA_ROOT/l/PASSWORD")"
|
||||
assert_output "docker run --rm -i -v $PLUGIN_DATA_ROOT/l/data:/data redis:3.2.3 bash -c cat > /data/dump.rdb && chown redis: /data/dump.rdb"
|
||||
}
|
||||
|
||||
|
||||
@@ -21,19 +21,22 @@ teardown() {
|
||||
|
||||
@test "($PLUGIN_COMMAND_PREFIX:info) success" {
|
||||
run dokku "$PLUGIN_COMMAND_PREFIX:info" l
|
||||
assert_contains "${lines[*]}" "redis://dokku-redis-l:6379"
|
||||
password="$(cat "$PLUGIN_DATA_ROOT/l/PASSWORD")"
|
||||
assert_contains "${lines[*]}" "redis://l:$password@dokku-redis-l:6379"
|
||||
}
|
||||
|
||||
@test "($PLUGIN_COMMAND_PREFIX:info) replaces underscores by dash in hostname" {
|
||||
dokku "$PLUGIN_COMMAND_PREFIX:create" test_with_underscores
|
||||
run dokku "$PLUGIN_COMMAND_PREFIX:info" test_with_underscores
|
||||
assert_contains "${lines[*]}" "redis://dokku-redis-test-with-underscores:6379"
|
||||
password="$(cat "$PLUGIN_DATA_ROOT/test_with_underscores/PASSWORD")"
|
||||
assert_contains "${lines[*]}" "redis://test_with_underscores:$password@dokku-redis-test-with-underscores:6379"
|
||||
dokku --force "$PLUGIN_COMMAND_PREFIX:destroy" test_with_underscores
|
||||
}
|
||||
|
||||
@test "($PLUGIN_COMMAND_PREFIX:info) success with flag" {
|
||||
run dokku "$PLUGIN_COMMAND_PREFIX:info" l --dsn
|
||||
assert_output "redis://dokku-redis-l:6379"
|
||||
password="$(cat "$PLUGIN_DATA_ROOT/l/PASSWORD")"
|
||||
assert_output "redis://l:$password@dokku-redis-l:6379"
|
||||
|
||||
run dokku "$PLUGIN_COMMAND_PREFIX:info" l --config-dir
|
||||
assert_success
|
||||
|
||||
@@ -40,7 +40,8 @@ teardown() {
|
||||
@test "($PLUGIN_COMMAND_PREFIX:link) exports REDIS_URL to app" {
|
||||
dokku "$PLUGIN_COMMAND_PREFIX:link" l my_app
|
||||
url=$(dokku config:get my_app REDIS_URL)
|
||||
assert_contains "$url" "redis://dokku-redis-l:6379"
|
||||
password="$(cat "$PLUGIN_DATA_ROOT/l/PASSWORD")"
|
||||
assert_contains "$url" "redis://l:$password@dokku-redis-l:6379"
|
||||
dokku "$PLUGIN_COMMAND_PREFIX:unlink" l my_app
|
||||
}
|
||||
|
||||
@@ -63,6 +64,7 @@ teardown() {
|
||||
dokku config:set my_app REDIS_DATABASE_SCHEME=redis2
|
||||
dokku "$PLUGIN_COMMAND_PREFIX:link" l my_app
|
||||
url=$(dokku config:get my_app REDIS_URL)
|
||||
assert_contains "$url" "redis2://dokku-redis-l:6379"
|
||||
password="$(cat "$PLUGIN_DATA_ROOT/l/PASSWORD")"
|
||||
assert_contains "$url" "redis2://l:$password@dokku-redis-l:6379"
|
||||
dokku "$PLUGIN_COMMAND_PREFIX:unlink" l my_app
|
||||
}
|
||||
|
||||
@@ -39,22 +39,25 @@ teardown() {
|
||||
}
|
||||
|
||||
@test "($PLUGIN_COMMAND_PREFIX:promote) changes REDIS_URL" {
|
||||
dokku config:set my_app "REDIS_URL=redis://host:6379/db" "DOKKU_REDIS_BLUE_URL=redis://dokku-redis-l:6379"
|
||||
password="$(cat "$PLUGIN_DATA_ROOT/l/PASSWORD")"
|
||||
dokku config:set my_app "REDIS_URL=redis://u:p@host:6379/db" "DOKKU_REDIS_BLUE_URL=redis://l:$password@dokku-redis-l:6379"
|
||||
dokku "$PLUGIN_COMMAND_PREFIX:promote" l my_app
|
||||
url=$(dokku config:get my_app REDIS_URL)
|
||||
assert_equal "$url" "redis://dokku-redis-l:6379"
|
||||
assert_equal "$url" "redis://l:$password@dokku-redis-l:6379"
|
||||
}
|
||||
|
||||
@test "($PLUGIN_COMMAND_PREFIX:promote) creates new config url when needed" {
|
||||
dokku config:set my_app "REDIS_URL=redis://host:6379/db" "DOKKU_REDIS_BLUE_URL=redis://dokku-redis-l:6379"
|
||||
password="$(cat "$PLUGIN_DATA_ROOT/l/PASSWORD")"
|
||||
dokku config:set my_app "REDIS_URL=redis://u:p@host:6379/db" "DOKKU_REDIS_BLUE_URL=redis://l:$password@dokku-redis-l:6379"
|
||||
dokku "$PLUGIN_COMMAND_PREFIX:promote" l my_app
|
||||
run dokku config my_app
|
||||
assert_contains "${lines[*]}" "DOKKU_REDIS_"
|
||||
}
|
||||
|
||||
@test "($PLUGIN_COMMAND_PREFIX:promote) uses REDIS_DATABASE_SCHEME variable" {
|
||||
dokku config:set my_app "REDIS_DATABASE_SCHEME=redis2" "REDIS_URL=redis://u:p@host:6379" "DOKKU_REDIS_BLUE_URL=redis2://dokku-redis-l:6379"
|
||||
password="$(cat "$PLUGIN_DATA_ROOT/l/PASSWORD")"
|
||||
dokku config:set my_app "REDIS_DATABASE_SCHEME=redis2" "REDIS_URL=redis://u:p@host:6379" "DOKKU_REDIS_BLUE_URL=redis2://l:$password@dokku-redis-l:6379"
|
||||
dokku "$PLUGIN_COMMAND_PREFIX:promote" l my_app
|
||||
url=$(dokku config:get my_app REDIS_URL)
|
||||
assert_equal "$url" "redis2://dokku-redis-l:6379"
|
||||
assert_equal "$url" "redis2://l:$password@dokku-redis-l:6379"
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user