Add option to strip prefixes upon checking user or acl.

README.md

@@ -405,10 +405,18 @@ The above example will do up to 2 retries (3 calls in total considering the orig
 
 #### Prefixes
 
-Though the plugin may have multiple backends enabled, there's a way to specify which backend must be used for a given user: prefixes. When enabled, `prefixes` allow to check if the username contains a predefined prefix in the form prefix_username and use the configured backend for that prefix. Options to enable and set prefixes are the following:
+Though the plugin may have multiple backends enabled, there's a way to specify which backend must be used for a given user: prefixes.
+When enabled, `prefixes` allow to check if the username contains a predefined prefix in the form prefix_username and use the configured backend for that prefix.
+There's also an option to strip the prefix upon checking user or acl,
+so that if a record for `username` exists on a backend with prefix `prefix`,
+then both `username` and `prefix_username` would be authenticated/authorized. Notice that the former would
+need to loop through all the backends since it carries no prefix, while the latter will only be checked by the correct backend.
+
+Options to enable and set prefixes are the following:
 
 ```
 auth_opt_check_prefix true
+auth_opt_strip_prefix true
 auth_opt_prefixes filesprefix, pgprefix, jwtprefix
 ```
 

backends/backends.go

@@ -25,6 +25,7 @@ type Backends struct {
  superuserCheckers []string
 
  checkPrefix bool
+ stripPrefix bool
  prefixes map[string]string
 
  disableSuperuser bool
@@ -76,7 +77,6 @@ func Initialize(authOpts map[string]string, logLevel log.Level, version string)
  aclCheckers: make([]string, 0),
  userCheckers: make([]string, 0),
  superuserCheckers: make([]string, 0),
- checkPrefix: false,
  prefixes: make(map[string]string),
  }
 
@@ -273,6 +273,7 @@ func (b *Backends) setPrefixes(authOpts map[string]string, backends []string) {
 
  if !ok || strings.Replace(checkPrefix, " ", "", -1) != "true" {
  b.checkPrefix = false
+ b.stripPrefix = false
 
  return
  }
@@ -282,6 +283,7 @@ func (b *Backends) setPrefixes(authOpts map[string]string, backends []string) {
  if !ok {
  log.Warn("Error: prefixes enabled but no options given, defaulting to prefixes disabled.")
  b.checkPrefix = false
+ b.stripPrefix = false
 
  return
  }
@@ -291,10 +293,15 @@ func (b *Backends) setPrefixes(authOpts map[string]string, backends []string) {
  if len(prefixes) != len(backends) {
  log.Errorf("Error: got %d backends and %d prefixes, defaulting to prefixes disabled.", len(backends), len(prefixes))
  b.checkPrefix = false
+ b.stripPrefix = false
 
  return
  }
 
+ if authOpts["strip_prefix"] == "true" {
+ b.stripPrefix = true
+ }
+
  for i, backend := range backends {
  b.prefixes[prefixes[i]] = backend
  }
@@ -355,8 +362,10 @@ func (b *Backends) AuthUnpwdCheck(username, password, clientid string) (bool, er
  return false, fmt.Errorf("backend %s not registered to check users", bename)
  }
 
- // If the backend is JWT and the token was prefixed, then strip the token. If the token was passed without a prefix it will be handled in the common case.
- if bename == jwtBackend {
+ // If the backend is JWT and the token was prefixed, then strip the token.
+ // If the token was passed without a prefix it will be handled in the common case.
+ // Also strip the prefix if the strip_prefix option was set.
+ if bename == jwtBackend || b.stripPrefix {
  prefix := b.getPrefixForBackend(bename)
  username = strings.TrimPrefix(username, prefix+"_")
  }
@@ -414,8 +423,10 @@ func (b *Backends) AuthAclCheck(clientid, username, topic string, acc int) (bool
  return b.checkAcl(username, topic, clientid, acc)
  }
 
- // If the backend is JWT and the token was prefixed, then strip the token. If the token was passed without a prefix then let it be handled in the common case.
- if bename == jwtBackend {
+ // If the backend is JWT and the token was prefixed, then strip the token.
+ // If the token was passed without a prefix then let it be handled in the common case.
+ // Also strip the prefix if the strip_prefix option was set.
+ if bename == jwtBackend || b.stripPrefix {
  prefix := b.getPrefixForBackend(bename)
  username = strings.TrimPrefix(username, prefix+"_")
  }

backends/backends_test.go

@@ -444,5 +444,53 @@ func TestBackends(t *testing.T) {
 
  redis.Halt()
  })
+
+ Convey("When strip_prefix is true, the prefix will be stripped from the username prior to conducting checks", func() {
+ authOpts["backends"] = "redis"
+ authOpts["redis_register"] = "user, acl"
+ authOpts["check_prefix"] = "true"
+ authOpts["strip_prefix"] = "true"
+ authOpts["prefixes"] = "redis"
+ delete(authOpts, "disable_superuser")
+
+ username := "redis_test1"
+ stripUsername := "test1"
+ password := username
+ passwordHash := "PBKDF2$sha512$100000$hgodnayqjfs0AOCxvsU+Zw==$dfc4LBGmZ/wB128NOD48qF5fCS+r/bsjU+oCXgT3UksAik73vIkXcPFydtbJKoIgnepNXP9t+zGIaR5wyRmXaA=="
+
+ redis, err := NewRedis(authOpts, log.DebugLevel, hashing.NewHasher(authOpts, "redis"))
+ assert.Nil(t, err)
+
+ ctx := context.Background()
+
+ // Insert a user to test auth.
+ redis.conn.Set(ctx, stripUsername, passwordHash, 0)
+ redis.conn.Set(ctx, fmt.Sprintf("%s:su", stripUsername), "true", 0)
+
+ b, err := Initialize(authOpts, log.DebugLevel, version)
+ So(err, ShouldBeNil)
+
+ userCheck, err := b.AuthUnpwdCheck(username, password, clientid)
+
+ So(err, ShouldBeNil)
+ So(userCheck, ShouldBeTrue)
+
+ redis.conn.SAdd(ctx, stripUsername+":racls", "test/redis")
+
+ aclCheck, err := b.AuthAclCheck(clientid, stripUsername, "test/redis", 1)
+ So(err, ShouldBeNil)
+ So(aclCheck, ShouldBeTrue)
+
+ userCheck, err = b.AuthUnpwdCheck(username, password, clientid)
+
+ So(err, ShouldBeNil)
+ So(userCheck, ShouldBeTrue)
+
+ aclCheck, err = b.AuthAclCheck(clientid, stripUsername, "test/redis", 1)
+ So(err, ShouldBeNil)
+ So(aclCheck, ShouldBeTrue)
+
+ redis.Halt()
+ })
  })
 }

go.sum

@@ -182,6 +182,7 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
@@ -318,6 +319,7 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
 gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=