diff --git a/src/acl.c b/src/acl.c index 0c3ccb7f6d..667974211d 100644 --- a/src/acl.c +++ b/src/acl.c @@ -506,7 +506,7 @@ void ACLFreeUserAndKillClients(user *u) { * more defensive to set the default user and put * it in non authenticated mode. */ c->user = DefaultUser; - c->authenticated = 0; + c->flags &= ~CLIENT_AUTHENTICATED; /* We will write replies to this client later, so we can't * close it directly even if async. */ if (c == server.current_client) { @@ -1494,7 +1494,7 @@ void addAuthErrReply(client *c, robj *err) { * The return value is AUTH_OK on success (valid username / password pair) & AUTH_ERR otherwise. */ int checkPasswordBasedAuth(client *c, robj *username, robj *password) { if (ACLCheckUserCredentials(username, password) == C_OK) { - c->authenticated = 1; + c->flags |= CLIENT_AUTHENTICATED; c->user = ACLGetUserByName(username->ptr, sdslen(username->ptr)); moduleNotifyUserChanged(c); return AUTH_OK; diff --git a/src/module.c b/src/module.c index e7416c7926..f149443c80 100644 --- a/src/module.c +++ b/src/module.c @@ -7917,7 +7917,7 @@ int checkModuleAuthentication(client *c, robj *username, robj *password, robj ** } if (c->flags & CLIENT_MODULE_AUTH_HAS_RESULT) { c->flags &= ~CLIENT_MODULE_AUTH_HAS_RESULT; - if (c->authenticated) return AUTH_OK; + if (c->flags & CLIENT_AUTHENTICATED) return AUTH_OK; } return AUTH_ERR; } @@ -9465,7 +9465,7 @@ void revokeClientAuthentication(client *c) { moduleNotifyUserChanged(c); c->user = DefaultUser; - c->authenticated = 0; + c->flags &= ~CLIENT_AUTHENTICATED; /* We will write replies to this client later, so we can't close it * directly even if async. */ if (c == server.current_client) { @@ -9787,7 +9787,7 @@ static int authenticateClientWithUser(ValkeyModuleCtx *ctx, moduleNotifyUserChanged(ctx->client); ctx->client->user = user; - ctx->client->authenticated = 1; + ctx->client->flags |= CLIENT_AUTHENTICATED; if (clientHasModuleAuthInProgress(ctx->client)) { ctx->client->flags |= CLIENT_MODULE_AUTH_HAS_RESULT; diff --git a/src/networking.c b/src/networking.c index 78f36b8170..2bbe012050 100644 --- a/src/networking.c +++ b/src/networking.c @@ -104,14 +104,18 @@ static void clientSetDefaultAuth(client *c) { /* If the default user does not require authentication, the user is * directly authenticated. */ c->user = DefaultUser; - c->authenticated = (c->user->flags & USER_FLAG_NOPASS) && !(c->user->flags & USER_FLAG_DISABLED); + if ((c->user->flags & USER_FLAG_NOPASS) && !(c->user->flags & USER_FLAG_DISABLED)) { + c->flags |= CLIENT_AUTHENTICATED; + } else { + c->flags &= ~CLIENT_AUTHENTICATED; + } } int authRequired(client *c) { /* Check if the user is authenticated. This check is skipped in case * the default user is flagged as "nopass" and is active. */ - int auth_required = - (!(DefaultUser->flags & USER_FLAG_NOPASS) || (DefaultUser->flags & USER_FLAG_DISABLED)) && !c->authenticated; + int auth_required = (!(DefaultUser->flags & USER_FLAG_NOPASS) || (DefaultUser->flags & USER_FLAG_DISABLED)) && + !(c->flags & CLIENT_AUTHENTICATED); return auth_required; } @@ -3642,7 +3646,7 @@ void helloCommand(client *c) { } /* At this point we need to be authenticated to continue. */ - if (!c->authenticated) { + if (!(c->flags & CLIENT_AUTHENTICATED)) { addReplyError(c, "-NOAUTH HELLO must be called with the client already " "authenticated, otherwise the HELLO AUTH " "option can be used to authenticate the client and " diff --git a/src/replication.c b/src/replication.c index dad6a6d0a2..2c47136228 100644 --- a/src/replication.c +++ b/src/replication.c @@ -1721,12 +1721,11 @@ void replicationCreateMasterClient(connection *conn, int dbid) { * to pass the execution to a background thread and unblock after the * execution is done. This is the reason why we allow blocking the replication * connection. */ - server.primary->flags |= CLIENT_PRIMARY; + server.primary->flags |= (CLIENT_PRIMARY | CLIENT_AUTHENTICATED); /* Allocate a private query buffer for the primary client instead of using the shared query buffer. * This is done because the primary's query buffer data needs to be preserved for my sub-replicas to use. */ server.primary->querybuf = sdsempty(); - server.primary->authenticated = 1; server.primary->reploff = server.primary_initial_offset; server.primary->read_reploff = server.primary->reploff; server.primary->user = NULL; /* This client can do everything. */ @@ -3306,7 +3305,7 @@ void replicationResurrectCachedMaster(connection *conn) { server.primary->conn = conn; connSetPrivateData(server.primary->conn, server.primary); server.primary->flags &= ~(CLIENT_CLOSE_AFTER_REPLY | CLIENT_CLOSE_ASAP); - server.primary->authenticated = 1; + server.primary->flags |= CLIENT_AUTHENTICATED; server.primary->last_interaction = server.unixtime; server.repl_state = REPL_STATE_CONNECTED; server.repl_down_since = 0; diff --git a/src/server.h b/src/server.h index a9819a4df8..bf16a1893d 100644 --- a/src/server.h +++ b/src/server.h @@ -427,6 +427,7 @@ extern int configOOMScoreAdjValuesDefaults[CONFIG_OOM_COUNT]; #define CLIENT_MODULE_PREVENT_REPL_PROP (1ULL << 49) /* Module client do not want to propagate to replica */ #define CLIENT_REPROCESSING_COMMAND (1ULL << 50) /* The client is re-processing the command. */ #define CLIENT_REPLICATION_DONE (1ULL << 51) /* Indicate that replication has been done on the client */ +#define CLIENT_AUTHENTICATED (1ULL << 52) /* Indicate a client has successfully authenticated */ /* Client block type (btype field in client structure) * if CLIENT_BLOCKED flag is set. */ @@ -1238,7 +1239,6 @@ typedef struct client { dictEntry *cur_script; /* Cached pointer to the dictEntry of the script being executed. */ time_t last_interaction; /* Time of the last interaction, used for timeout */ time_t obuf_soft_limit_reached_time; - int authenticated; /* Needed when the default user requires auth. */ int repl_state; /* Replication state if this is a replica. */ int repl_start_cmd_stream_on_ack; /* Install replica write handler on first ACK. */ int repldbfd; /* Replication DB file descriptor. */