Enable authentication for the HTTP interface. (#1792)

2024-12-15 17:51:06 +00:00 · 2023-09-04 15:18:57 +03:00 · 2023-09-04 15:18:57 +03:00 · 502f76fada
commit 502f76fada
parent f1d9ab30ee
3 changed files with 61 additions and 1 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 7de4ee8fdc6bac809293dbd779bbe5563dbc3ec8
+Subproject commit bb725aa5812183809047f4309b9aee40de64b7bf
--- a/src/server/main_service.cc
+++ b/src/server/main_service.cc
@ -78,6 +78,7 @@ ABSL_FLAG(bool, multi_exec_squash, false,

 ABSL_FLAG(uint32_t, multi_eval_squash_buffer, 4_KB, "Max buffer for squashed commands per script");

+ABSL_DECLARE_FLAG(bool, primary_port_http_enabled);
 ABSL_FLAG(bool, admin_nopass, false,
          "If set, would enable open admin access to console on the assigned port, without auth "
          "token needed.");
@ -2029,6 +2030,11 @@ GlobalState Service::GetGlobalState() const {
 }

 void Service::ConfigureHttpHandlers(util::HttpListenerBase* base) {
+  // We set the password for the HTTP service unless it is only enabled on the
+  // admin port and the admin port is password-less.
+  if (GetFlag(FLAGS_primary_port_http_enabled) || !GetFlag(FLAGS_admin_nopass)) {
+    base->SetPassword(GetPassword());
+  }
  server_family_.ConfigureMetrics(base);
  base->RegisterCb("/txz", TxTable);
  base->RegisterCb("/topkeys", Topkeys);
--- a/tests/dragonfly/http_conf_test.py
+++ b/tests/dragonfly/http_conf_test.py
@ -0,0 +1,54 @@
+import aiohttp
+
+
+async def test_password(df_factory):
+    # Needs a private key and certificate.
+    server = df_factory.create(port=1112, requirepass="XXX")
+    server.start()
+
+    async with aiohttp.ClientSession() as session:
+        resp = await session.get(f"http://localhost:{server.port}/")
+        assert resp.status == 401
+    async with aiohttp.ClientSession(auth=aiohttp.BasicAuth("user", "wrongpassword")) as session:
+        resp = await session.get(f"http://localhost:{server.port}/")
+        assert resp.status == 401
+    async with aiohttp.ClientSession(auth=aiohttp.BasicAuth("user", "XXX")) as session:
+        resp = await session.get(f"http://localhost:{server.port}/")
+        assert resp.status == 200
+    server.stop()
+
+
+async def test_no_password_on_admin(df_factory):
+    # Needs a private key and certificate.
+    server = df_factory.create(
+        port=1112,
+        admin_port=1113,
+        requirepass="XXX",
+        noprimary_port_http_enabled=None,
+        admin_nopass=None,
+    )
+    server.start()
+
+    async with aiohttp.ClientSession(auth=aiohttp.BasicAuth("user", "XXX")) as session:
+        resp = await session.get(f"http://localhost:{server.admin_port}/")
+        assert resp.status == 200
+    server.stop()
+
+
+async def test_password_on_admin(df_factory):
+    # Needs a private key and certificate.
+    server = df_factory.create(
+        port=1112,
+        admin_port=1113,
+        requirepass="XXX",
+        admin_nopass=None,
+    )
+    server.start()
+
+    async with aiohttp.ClientSession(auth=aiohttp.BasicAuth("user", "badpass")) as session:
+        resp = await session.get(f"http://localhost:{server.port}/")
+        assert resp.status == 401
+    async with aiohttp.ClientSession(auth=aiohttp.BasicAuth("user", "XXX")) as session:
+        resp = await session.get(f"http://localhost:{server.port}/")
+        assert resp.status == 200
+    server.stop()