You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@geode.apache.org by GitBox <gi...@apache.org> on 2021/10/14 01:03:13 UTC
[GitHub] [geode] jdeppe-pivotal commented on a change in pull request #6994: GEODE-9676: Limit array and string sizes for unauthenticated Radish connections
jdeppe-pivotal commented on a change in pull request #6994:
URL: https://github.com/apache/geode/pull/6994#discussion_r728551703
##########
File path: geode-for-redis/src/integrationTest/java/org/apache/geode/redis/internal/executor/connection/AbstractAuthIntegrationTest.java
##########
@@ -128,4 +147,137 @@ public void givenNoSecurity_accessWithoutAuth_passes() throws Exception {
assertThat(jedis.ping()).isEqualTo("PONG");
}
+ @Test
+ public void givenSecurity_largeMultiBulkRequestsFail_whenNotAuthenticated() throws Exception {
+ setupCacheWithSecurity();
+
+ try (Socket clientSocket = new Socket(BIND_ADDRESS, getPort())) {
+ clientSocket.setSoTimeout(1000);
+ PrintWriter out = new PrintWriter(clientSocket.getOutputStream());
+ BufferedReader in = new BufferedReader(new InputStreamReader(clientSocket.getInputStream()));
+
+ out.write("*100\r\n");
+ out.flush();
+ String response = in.readLine();
+
+ assertThat(response).contains(ERROR_UNAUTHENTICATED_MULTIBULK);
+ }
+ }
+
+ @Test
+ public void givenSecurity_largeMultiBulkRequestsSucceed_whenAuthenticated() throws Exception {
+ setupCacheWithSecurity();
+
+ List<String> msetArgs = new ArrayList<>();
+ for (int i = 0; i < ByteToCommandDecoder.UNAUTHENTICATED_MAX_ARRAY_SIZE; i++) {
+ msetArgs.add("{hash}key-" + i);
+ msetArgs.add("value-" + i);
+ }
+
+ assertThat(jedis.auth(getUsername(), getPassword())).isEqualTo("OK");
+ assertThat(jedis.mset(msetArgs.toArray(new String[] {}))).isEqualTo("OK");
+ }
+
+ @Test
+ public void givenNoSecurity_largeMultiBulkRequestsSucceed_whenNotAuthenticated()
+ throws Exception {
+ setupCacheWithoutSecurity();
+
+ List<String> msetArgs = new ArrayList<>();
+ for (int i = 0; i < ByteToCommandDecoder.UNAUTHENTICATED_MAX_ARRAY_SIZE; i++) {
+ msetArgs.add("{hash}key-" + i);
+ msetArgs.add("value-" + i);
+ }
+
+ assertThat(jedis.mset(msetArgs.toArray(new String[] {}))).isEqualTo("OK");
+ }
+
+ @Test
+ public void givenSecurity_largeBulkStringRequestsFail_whenNotAuthenticated() throws Exception {
+ setupCacheWithSecurity();
+
+ try (Socket clientSocket = new Socket(BIND_ADDRESS, getPort())) {
+ clientSocket.setSoTimeout(1000);
+ PrintWriter out = new PrintWriter(clientSocket.getOutputStream());
+ BufferedReader in = new BufferedReader(new InputStreamReader(clientSocket.getInputStream()));
+
+ out.write("*1\r\n$100000000\r\n");
+ out.flush();
+ String response = in.readLine();
+
+ assertThat(response).contains(ERROR_UNAUTHENTICATED_BULK);
+ }
+ }
+
+ @Test
+ public void givenSecurity_largeBulkStringRequestsSucceed_whenAuthenticated() throws Exception {
+ setupCacheWithSecurity();
+ int stringSize = ByteToCommandDecoder.UNAUTHENTICATED_MAX_BULK_STRING_LENGTH + 1;
+
+ StringBuilder largeString = new StringBuilder(stringSize);
+ for (int i = 0; i < stringSize; i++) {
+ largeString.append("a");
+ }
Review comment:
Thanks - I knew there had to be a better way.
##########
File path: geode-for-redis/src/integrationTest/java/org/apache/geode/redis/internal/executor/connection/AbstractAuthIntegrationTest.java
##########
@@ -128,4 +147,137 @@ public void givenNoSecurity_accessWithoutAuth_passes() throws Exception {
assertThat(jedis.ping()).isEqualTo("PONG");
}
+ @Test
+ public void givenSecurity_largeMultiBulkRequestsFail_whenNotAuthenticated() throws Exception {
+ setupCacheWithSecurity();
+
+ try (Socket clientSocket = new Socket(BIND_ADDRESS, getPort())) {
+ clientSocket.setSoTimeout(1000);
+ PrintWriter out = new PrintWriter(clientSocket.getOutputStream());
+ BufferedReader in = new BufferedReader(new InputStreamReader(clientSocket.getInputStream()));
+
+ out.write("*100\r\n");
+ out.flush();
+ String response = in.readLine();
+
+ assertThat(response).contains(ERROR_UNAUTHENTICATED_MULTIBULK);
+ }
+ }
+
+ @Test
+ public void givenSecurity_largeMultiBulkRequestsSucceed_whenAuthenticated() throws Exception {
+ setupCacheWithSecurity();
+
+ List<String> msetArgs = new ArrayList<>();
+ for (int i = 0; i < ByteToCommandDecoder.UNAUTHENTICATED_MAX_ARRAY_SIZE; i++) {
+ msetArgs.add("{hash}key-" + i);
+ msetArgs.add("value-" + i);
+ }
+
+ assertThat(jedis.auth(getUsername(), getPassword())).isEqualTo("OK");
+ assertThat(jedis.mset(msetArgs.toArray(new String[] {}))).isEqualTo("OK");
+ }
+
+ @Test
+ public void givenNoSecurity_largeMultiBulkRequestsSucceed_whenNotAuthenticated()
+ throws Exception {
+ setupCacheWithoutSecurity();
+
+ List<String> msetArgs = new ArrayList<>();
+ for (int i = 0; i < ByteToCommandDecoder.UNAUTHENTICATED_MAX_ARRAY_SIZE; i++) {
+ msetArgs.add("{hash}key-" + i);
+ msetArgs.add("value-" + i);
+ }
+
+ assertThat(jedis.mset(msetArgs.toArray(new String[] {}))).isEqualTo("OK");
+ }
+
+ @Test
+ public void givenSecurity_largeBulkStringRequestsFail_whenNotAuthenticated() throws Exception {
+ setupCacheWithSecurity();
+
+ try (Socket clientSocket = new Socket(BIND_ADDRESS, getPort())) {
+ clientSocket.setSoTimeout(1000);
+ PrintWriter out = new PrintWriter(clientSocket.getOutputStream());
+ BufferedReader in = new BufferedReader(new InputStreamReader(clientSocket.getInputStream()));
+
+ out.write("*1\r\n$100000000\r\n");
+ out.flush();
+ String response = in.readLine();
+
+ assertThat(response).contains(ERROR_UNAUTHENTICATED_BULK);
+ }
+ }
+
+ @Test
+ public void givenSecurity_largeBulkStringRequestsSucceed_whenAuthenticated() throws Exception {
+ setupCacheWithSecurity();
+ int stringSize = ByteToCommandDecoder.UNAUTHENTICATED_MAX_BULK_STRING_LENGTH + 1;
+
+ StringBuilder largeString = new StringBuilder(stringSize);
+ for (int i = 0; i < stringSize; i++) {
+ largeString.append("a");
+ }
+
+ assertThat(jedis.auth(getUsername(), getPassword())).isEqualTo("OK");
+ assertThat(jedis.set("key", largeString.toString())).isEqualTo("OK");
+ }
+
+ @Test
+ public void givenNoSecurity_largeBulkStringRequestsSucceed_whenNotAuthenticated()
+ throws Exception {
+ setupCacheWithoutSecurity();
+ int stringSize = ByteToCommandDecoder.UNAUTHENTICATED_MAX_BULK_STRING_LENGTH + 1;
+
+ StringBuilder largeString = new StringBuilder(stringSize);
+ for (int i = 0; i < stringSize; i++) {
+ largeString.append("a");
+ }
+
+ assertThat(jedis.set("key", largeString.toString())).isEqualTo("OK");
+ }
+
+ @Test
+ public void givenSecurity_closingConnectionLogsClientOut() throws Exception {
+ setupCacheWithSecurity();
+
+ int localPort = AvailablePortHelper.getRandomAvailableTCPPort();
+
+ try (Socket clientSocket = new Socket(BIND_ADDRESS, getPort(), InetAddress.getLoopbackAddress(),
+ localPort)) {
+ clientSocket.setSoTimeout(1000);
+ PrintWriter out = new PrintWriter(clientSocket.getOutputStream());
+ BufferedReader in = new BufferedReader(new InputStreamReader(clientSocket.getInputStream()));
+
+ out.write("*3\r\n$4\r\nAUTH\r\n" +
+ "$" + getUsername().length() + "\r\n" + getUsername() + "\r\n" +
+ "$" + getPassword().length() + "\r\n" + getPassword() + "\r\n");
+ out.flush();
+ String response = in.readLine();
+
+ assertThat(response).contains("OK");
+ }
+
+ AtomicReference<Socket> socketRef = new AtomicReference<>(null);
+
+ await().pollInterval(Duration.ofSeconds(1))
+ .untilAsserted(() -> assertThatNoException().isThrownBy(() -> socketRef.set(
+ new Socket(BIND_ADDRESS, getPort(), InetAddress.getLoopbackAddress(), localPort))));
+
+ Socket clientSocket = socketRef.get();
+ try {
Review comment:
Nice.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@geode.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org