add commands-need-adminpass config option.

Author: deep011

conf/vire.conf

@@ -66,6 +66,12 @@ internal-dbs-per-databases 6
 #
 # adminpass iamadmin
 
+# Make some commands need adminpass to execute. Those commands just allowed 
+# administrator to execute. This might be useful to prevent users from 
+# doing some dangerous actions to the host running Vire.
+#
+# commands-need-adminpass flushall flushdb keys config
+
 ################################### CLIENTS ####################################
 
 # Set the max number of connected clients at the same time. By default

src/vr_command.c

@@ -216,6 +216,29 @@ void populateCommandTable(void) {
     }
 }
 
+int populateCommandsNeedAdminpass(void) {
+    struct array commands_need_adminpass;
+    sds *command_name;
+    struct redisCommand *command;
+
+    array_init(&commands_need_adminpass,1,sizeof(sds));
+    conf_server_get(CONFIG_SOPN_COMMANDSNAP,&commands_need_adminpass);
+    while (array_n(&commands_need_adminpass)) {
+        command_name = array_pop(&commands_need_adminpass);
+        command = lookupCommand(*command_name);
+        if (command == NULL) {
+            log_error("Unknow command %s for commands-need-amdminpass",
+                command_name);
+            return VR_ERROR;
+        }
+        command->needadmin = 1;
+        sdsfree(*command_name);
+    }
+    array_deinit(&commands_need_adminpass);
+
+    return VR_OK;
+}
+
 struct redisCommand *lookupCommand(sds name) {
     return dictFetchValue(server.commands, name);
 }

src/vr_command.h

@@ -90,6 +90,8 @@ typedef struct redisOpArray {
 extern dictType commandTableDictType;
 
 void populateCommandTable(void);
+int populateCommandsNeedAdminpass(void);
+
 struct redisCommand *lookupCommand(sds name);
 struct redisCommand *lookupCommandOrOriginal(sds name);
 struct redisCommand *lookupCommandByCString(char *s);

src/vr_conf.c

@@ -109,6 +109,10 @@ static conf_option conf_server_options[] = {
       CONF_FIELD_TYPE_SDS, 0,
       conf_set_password, conf_get_sds,
       offsetof(conf_server, adminpass) },
+    { (char *)CONFIG_SOPN_COMMANDSNAP,
+      CONF_FIELD_TYPE_ARRAYSDS, 1,
+      conf_set_commands_need_adminpass, conf_get_array_sds,
+      offsetof(conf_server, commands_need_adminpass) },
     { NULL, NULL, 0 }
 };
 
@@ -579,6 +583,53 @@ conf_set_array_sds(void *obj, conf_option *opt, void *data)
     return VR_OK;
 }
 
+int
+conf_set_commands_need_adminpass(void *obj, conf_option *opt, void *data)
+{
+    uint8_t *p;
+    uint32_t j;
+    conf_value **cv_sub, *cv = data;
+    struct array *gt;
+    sds *str;
+
+    if(cv->type != CONF_VALUE_TYPE_STRING && 
+        cv->type != CONF_VALUE_TYPE_ARRAY){
+        log_error("conf pool %s in the conf file is not a string or array", 
+            opt->name);
+        return VR_ERROR;
+    } else if (cv->type == CONF_VALUE_TYPE_ARRAY) {
+        cv_sub = array_get(cv->value, j);
+        if ((*cv_sub)->type != CONF_VALUE_TYPE_STRING) {
+            log_error("conf pool %s in the conf file is not a string array", 
+                opt->name);
+            return VR_ERROR;            
+        }
+    }
+
+    CONF_WLOCK();
+    p = obj;
+    gt = (struct array*)(p + opt->offset);
+
+    while (array_n(gt) > 0) {
+        str = array_pop(gt);
+        sdsfree(*str);
+    }
+
+    if (cv->type == CONF_VALUE_TYPE_STRING) {
+        str = array_push(gt);
+        *str = sdsdup(cv->value);
+    } else if (cv->type == CONF_VALUE_TYPE_ARRAY) {
+        for (j = 0; j < array_n(cv->value); j ++) {
+            cv_sub = array_get(cv->value, j);
+            str = array_push(gt);
+            *str = sdsdup((*cv_sub)->value);
+        }
+    }
+    conf->version ++;
+    CONF_UNLOCK();
+    return VR_OK;
+}
+
 int
 conf_get_array_sds(void *obj, conf_option *opt, void *data)
 {
@@ -724,6 +775,7 @@ static int conf_server_init(conf_server *cs)
     cs->requirepass = CONF_UNSET_PTR;
     cs->adminpass = CONF_UNSET_PTR;
     cs->dir = CONF_UNSET_PTR;
+    array_init(&cs->commands_need_adminpass,1,sizeof(sds));
 
     return VR_OK;
 }
@@ -768,6 +820,11 @@ static int conf_server_set_default(conf_server *cs)
     }
     cs->dir = sdsnew(CONFIG_DEFAULT_DATA_DIR);
 
+    while (array_n(&cs->commands_need_adminpass) > 0) {
+        str = array_pop(&cs->commands_need_adminpass);
+        sdsfree(*str);
+    }
+
     return VR_OK;
 }
 
@@ -809,6 +866,12 @@ static void conf_server_deinit(conf_server *cs)
         sdsfree(cs->adminpass);
         cs->adminpass = CONF_UNSET_PTR;    
     }
+
+    while (array_n(&cs->commands_need_adminpass) > 0) {
+        str = array_pop(&cs->commands_need_adminpass);
+        sdsfree(*str);
+    }
+    array_deinit(&cs->commands_need_adminpass);
 }
 
 int
@@ -1497,9 +1560,7 @@ static void addReplyConfOption(client *c,conf_option *cop)
 
 static void configGetCommand(client *c) {
     robj *o = c->argv[2];
-    void *replylen = addDeferredMultiBulkLength(c);
     char *pattern = o->ptr;
-    int matches = 0;
     conf_option *cop;
     serverAssertWithInfo(c,o,sdsEncodedObject(o));
 
@@ -1508,12 +1569,14 @@ static void configGetCommand(client *c) {
         /* Don't show adminpass if user has no right. */
         if (!strcmp(cop->name,CONFIG_SOPN_ADMINPASS) && 
             c->vel->cc.adminpass && c->authenticated < 2) {
-            /* Nothing to show */
+            addReply(c,shared.noadminerr);
         } else {
+            addReplyMultiBulkLen(c,2);
             addReplyConfOption(c,cop);
-            matches ++;
         }
     } else {
+        int matches = 0;
+        void * replylen = addDeferredMultiBulkLength(c);
         for (cop = conf_server_options; cop&&cop->name; cop++) {
             if (stringmatch(pattern,cop->name,1)) {
                 /* Don't show adminpass if user has no right. */
@@ -1525,8 +1588,8 @@ static void configGetCommand(client *c) {
                 matches ++;
             }
         }
+        setDeferredMultiBulkLength(c,replylen,matches*2);
     }
-    setDeferredMultiBulkLength(c,replylen,matches*2);
 }
 
 /*-----------------------------------------------------------------------------
@@ -1952,6 +2015,32 @@ static void rewriteConfigBindOption(struct rewriteConfigState *state) {
     rewriteConfigRewriteLine(state,option,line,force);
 }
 
+/* Rewrite the save option. */
+void rewriteConfigCommandsNAPOption(struct rewriteConfigState *state) {
+    struct array values;
+    sds *value, line;
+    int force = 1;
+    char *option = CONFIG_SOPN_COMMANDSNAP;
+
+    array_init(&values,1,sizeof(sds));
+    conf_server_get(option,&values);
+    /* Nothing to rewrite if we don't have commands that need adminpass. */
+    if (array_n(&values) == 0) {
+        array_deinit(&values);
+        rewriteConfigMarkAsProcessed(state,option);
+        return;
+    }
+
+    while(array_n(&values) > 0) {
+        value = array_pop(&values);
+        line = sdscatprintf(sdsempty(),"%s %s",option,*value);
+        rewriteConfigRewriteLine(state,option,line,force);
+        sdsfree(*value);
+    }
+    array_deinit(&values);
+    rewriteConfigMarkAsProcessed(state,option);
+}
+
 /* Rewrite the configuration file at "path".
  * If the configuration file already exists, we try at best to retain comments
  * and overall structure.
@@ -1989,6 +2078,7 @@ static int rewriteConfig(char *path) {
     rewriteConfigIntOption(state,CONFIG_SOPN_MAXCLIENTS,CONFIG_DEFAULT_MAX_CLIENTS);
     rewriteConfigSdsOption(state,CONFIG_SOPN_REQUIREPASS,NULL);
     rewriteConfigSdsOption(state,CONFIG_SOPN_ADMINPASS,NULL);
+    rewriteConfigCommandsNAPOption(state);
 
     /* Step 3: remove all the orphaned lines in the old file, that is, lines
      * that were used by a config option and are no longer used, like in case

src/vr_conf.h

@@ -17,6 +17,7 @@
 #define CONFIG_SOPN_SLOWLOGML    "slowlog-max-len"
 #define CONFIG_SOPN_REQUIREPASS  "requirepass"
 #define CONFIG_SOPN_ADMINPASS    "adminpass"
+#define CONFIG_SOPN_COMMANDSNAP  "commands-need-adminpass"
 
 #define CONFIG_RUN_ID_SIZE 40
 #define CONFIG_DEFAULT_ACTIVE_REHASHING 1
@@ -111,6 +112,7 @@ typedef struct conf_server {
 
     sds           requirepass;          /* Pass for AUTH command, or NULL */
     sds           adminpass;            /* Pass for ADMIN command, or NULL */
+    struct array  commands_need_adminpass;
 } conf_server;
 
 typedef struct vr_conf {
@@ -176,6 +178,7 @@ int conf_set_int(void *obj, conf_option *opt, void *data);
 int conf_set_longlong(void *obj, conf_option *opt, void *data);
 int conf_set_yesorno(void *obj, conf_option *opt, void *data);
 int conf_set_array_sds(void *obj, conf_option *opt, void *data);
+int conf_set_commands_need_adminpass(void *obj, conf_option *opt, void *data);
 
 int CONF_RLOCK(void);
 int CONF_WLOCK(void);

src/vr_server.c

@@ -300,16 +300,36 @@ static void createSharedObjects(void) {
     }
 }
 
-rstatus_t
+int
 init_server(struct instance *nci)
 {
-    rstatus_t status;
+    int ret;
     uint32_t i;
     redisDb *db;
+    
+    server.pid = getpid();
+    server.arch_bits = (sizeof(long) == 8) ? 64 : 32;
+    server.starttime = time(NULL);
+    get_random_hex_chars(server.runid, CONFIG_RUN_ID_SIZE);
+
+    server.commands = dictCreate(&commandTableDictType,NULL);
+    populateCommandTable();
+    server.delCommand = lookupCommandByCString("del");
+    server.multiCommand = lookupCommandByCString("multi");
+    server.lpushCommand = lookupCommandByCString("lpush");
+    server.lpopCommand = lookupCommandByCString("lpop");
+    server.rpopCommand = lookupCommandByCString("rpop");
+    server.sremCommand = lookupCommandByCString("srem");
+    server.execCommand = lookupCommandByCString("exec");
 
     conf = conf_create(nci->conf_filename);
 
-    server.pid = getpid();
+    ret = populateCommandsNeedAdminpass();
+    if (ret != VR_OK) {
+        log_error("Populate need adminpass commands failed");
+        return VR_ERROR;
+    }
+
     server.configfile = getAbsolutePath(nci->conf_filename);
     server.hz = 10;
     server.dblnum = cserver->databases;
@@ -319,23 +339,9 @@ init_server(struct instance *nci)
     server.pidfile = nci->pid_filename;
     server.executable = NULL;
     server.activerehashing = CONFIG_DEFAULT_ACTIVE_REHASHING;
-    get_random_hex_chars(server.runid, CONFIG_RUN_ID_SIZE);
-    server.arch_bits = (sizeof(long) == 8) ? 64 : 32;
-
-    server.starttime = time(NULL);
 
     server.client_max_querybuf_len = PROTO_MAX_QUERYBUF_LEN;
 
-    server.commands = dictCreate(&commandTableDictType,NULL);
-    populateCommandTable();
-    server.delCommand = lookupCommandByCString("del");
-    server.multiCommand = lookupCommandByCString("multi");
-    server.lpushCommand = lookupCommandByCString("lpush");
-    server.lpopCommand = lookupCommandByCString("lpop");
-    server.rpopCommand = lookupCommandByCString("rpop");
-    server.sremCommand = lookupCommandByCString("srem");
-    server.execCommand = lookupCommandByCString("exec");
-
     for (i = 0; i < server.dbnum; i ++) {
         db = array_push(&server.dbs);
         redisDbInit(db);
@@ -379,16 +385,16 @@ init_server(struct instance *nci)
     server.port = cserver->port;
 
     /* Init worker first */
-    status = workers_init(nci->thread_num);
-    if (status != VR_OK) {
-        log_error("init worker threads failed");
+    ret = workers_init(nci->thread_num);
+    if (ret != VR_OK) {
+        log_error("Init worker threads failed");
         return VR_ERROR;
     }
 
     /* Init master after worker init */
-    status = master_init(conf);
-    if (status != VR_OK) {
-        log_error("init master thread failed");
+    ret = master_init(conf);
+    if (ret != VR_OK) {
+        log_error("Init master thread failed");
         return VR_ERROR;
     }
 

src/vr_server.h

@@ -335,7 +335,7 @@ unsigned int dictObjHash(const void *key);
 int dictObjKeyCompare(void *privdata, const void *key1, const void *key2);
 void dictListDestructor(void *privdata, void *val);
 
-rstatus_t init_server(struct instance *nci);
+int init_server(struct instance *nci);
 
 unsigned int getLRUClock(void);