chore: encrypt redis default password (#2460)

Author: wangyelei

addons/redis/redis-cluster-scripts/redis-cluster-server-start.sh

@@ -567,11 +567,13 @@ build_redis_default_accounts() {
   if ! is_empty "$REDIS_REPL_PASSWORD"; then
     echo "masteruser $REDIS_REPL_USER" >> $redis_real_conf
     echo "masterauth $REDIS_REPL_PASSWORD" >> $redis_real_conf
-    echo "user $REDIS_REPL_USER on +psync +replconf +ping >$REDIS_REPL_PASSWORD" >> $redis_acl_file
+    redis_repl_password_sha256=$(echo -n "$REDIS_REPL_PASSWORD" | sha256sum | cut -d' ' -f1)
+    echo "user $REDIS_REPL_USER on +psync +replconf +ping #$redis_repl_password_sha256" >> $redis_acl_file
   fi
   if ! is_empty "$REDIS_DEFAULT_PASSWORD"; then
     echo "protected-mode yes" >> $redis_real_conf
-    echo "user default on >$REDIS_DEFAULT_PASSWORD ~* &* +@all " >> $redis_acl_file
+    redis_password_sha256=$(echo -n "$REDIS_DEFAULT_PASSWORD" | sha256sum | cut -d' ' -f1)
+    echo "user default on #$redis_password_sha256 ~* &* +@all " >> $redis_acl_file
   else
     echo "protected-mode no" >> $redis_real_conf
   fi

addons/redis/redis-cluster-scripts/redis-cluster6-server-start.sh

@@ -522,11 +522,13 @@ build_redis_default_accounts() {
   if ! is_empty "$REDIS_REPL_PASSWORD"; then
     echo "masteruser $REDIS_REPL_USER" >> $redis_real_conf
     echo "masterauth $REDIS_REPL_PASSWORD" >> $redis_real_conf
-    echo "user $REDIS_REPL_USER on +psync +replconf +ping >$REDIS_REPL_PASSWORD" >> $redis_acl_file
+    redis_repl_password_sha256=$(echo -n "$REDIS_REPL_PASSWORD" | sha256sum | cut -d' ' -f1)
+    echo "user $REDIS_REPL_USER on +psync +replconf +ping #$redis_repl_password_sha256" >> $redis_acl_file
   fi
   if ! is_empty "$REDIS_DEFAULT_PASSWORD"; then
     echo "protected-mode yes" >> $redis_real_conf
-    echo "user default on >$REDIS_DEFAULT_PASSWORD ~* &* +@all " >> $redis_acl_file
+    redis_password_sha256=$(echo -n "$REDIS_DEFAULT_PASSWORD" | sha256sum | cut -d' ' -f1)
+    echo "user default on #$redis_password_sha256 ~* &* +@all " >> $redis_acl_file
   else
     echo "protected-mode no" >> $redis_real_conf
   fi

addons/redis/scripts-ut-spec/redis_cluster_server_start_spec.sh

@@ -68,8 +68,10 @@ Describe "Redis Cluster Server Start Bash Script Tests"
         The contents of file "$redis_real_conf" should include "masterauth $REDIS_REPL_PASSWORD"
         The contents of file "$redis_real_conf" should include "protected-mode yes"
         The contents of file "$redis_real_conf" should include "aclfile /data/users.acl"
-        The contents of file "$redis_acl_file" should include "user $REDIS_REPL_USER on +psync +replconf +ping >$REDIS_REPL_PASSWORD"
-        The contents of file "$redis_acl_file" should include "user default on >$REDIS_DEFAULT_PASSWORD ~* &* +@all"
+        redis_repl_sha256=$(echo -n "$REDIS_REPL_PASSWORD" | sha256sum | cut -d' ' -f1)
+        redis_password_sha256=$(echo -n "$REDIS_DEFAULT_PASSWORD" | sha256sum | cut -d' ' -f1)
+        The contents of file "$redis_acl_file" should include "user $REDIS_REPL_USER on +psync +replconf +ping #$redis_repl_sha256"
+        The contents of file "$redis_acl_file" should include "user default on #$redis_password_sha256 ~* &* +@all"
       End
     End
 
@@ -92,7 +94,8 @@ Describe "Redis Cluster Server Start Bash Script Tests"
         The stdout should include "build redis default accounts succeeded!"
         The contents of file "$redis_real_conf" should include "protected-mode yes"
         The contents of file "$redis_real_conf" should include "aclfile /data/users.acl"
-        The contents of file "$redis_acl_file" should include "user default on >$REDIS_DEFAULT_PASSWORD ~* &* +@all"
+        redis_password_sha256=$(echo -n "$REDIS_DEFAULT_PASSWORD" | sha256sum | cut -d' ' -f1)
+        The contents of file "$redis_acl_file" should include "user default on #$redis_password_sha256 ~* &* +@all"
       End
     End
 

addons/redis/scripts-ut-spec/redis_start_spec.sh

@@ -89,9 +89,12 @@ Describe "Redis Start Bash Script Tests"
         The contents of file "$redis_real_conf" should include "masterauth $REDIS_REPL_PASSWORD"
         The contents of file "$redis_real_conf" should include "protected-mode yes"
         The contents of file "$redis_real_conf" should include "aclfile /data/users.acl"
-        The contents of file "$redis_acl_file" should include "user $REDIS_REPL_USER on +psync +replconf +ping >$REDIS_REPL_PASSWORD"
-        The contents of file "$redis_acl_file" should include "user $REDIS_SENTINEL_USER on allchannels +multi +slaveof +ping +exec +subscribe +config|rewrite +role +publish +info +client|setname +client|kill +script|kill >$REDIS_SENTINEL_PASSWORD"
-        The contents of file "$redis_acl_file" should include "user default on >$REDIS_DEFAULT_PASSWORD ~* &* +@all"
+        redis_repl_sha256=$(echo -n "$REDIS_REPL_PASSWORD" | sha256sum | cut -d' ' -f1)
+        redis_password_sha256=$(echo -n "$REDIS_DEFAULT_PASSWORD" | sha256sum | cut -d' ' -f1)
+        redis_sentinel_password_sha256=$(echo -n "$REDIS_SENTINEL_PASSWORD" | sha256sum | cut -d' ' -f1)
+        The contents of file "$redis_acl_file" should include "user $REDIS_REPL_USER on +psync +replconf +ping #$redis_repl_sha256"
+        The contents of file "$redis_acl_file" should include "user $REDIS_SENTINEL_USER on allchannels +multi +slaveof +ping +exec +subscribe +config|rewrite +role +publish +info +client|setname +client|kill +script|kill #$redis_sentinel_password_sha256"
+        The contents of file "$redis_acl_file" should include "user default on #$redis_password_sha256 ~* &* +@all"
       End
     End
 
@@ -114,7 +117,8 @@ Describe "Redis Start Bash Script Tests"
         The stdout should include "build default accounts succeeded!"
         The contents of file "$redis_real_conf" should include "protected-mode yes"
         The contents of file "$redis_real_conf" should include "aclfile /data/users.acl"
-        The contents of file "$redis_acl_file" should include "user default on >$REDIS_DEFAULT_PASSWORD ~* &* +@all"
+        redis_password_sha256=$(echo -n "$REDIS_DEFAULT_PASSWORD" | sha256sum | cut -d' ' -f1)
+        The contents of file "$redis_acl_file" should include "user default on #$redis_password_sha256 ~* &* +@all"
       End
     End
 

addons/redis/scripts/redis-start.sh

@@ -60,14 +60,17 @@ build_redis_default_accounts() {
   if ! is_empty "$REDIS_REPL_PASSWORD"; then
     echo "masteruser $REDIS_REPL_USER" >> $redis_real_conf
     echo "masterauth $REDIS_REPL_PASSWORD" >> $redis_real_conf
-    echo "user $REDIS_REPL_USER on +psync +replconf +ping >$REDIS_REPL_PASSWORD" >> $redis_acl_file
+    redis_repl_password_sha256=$(echo -n "$REDIS_REPL_PASSWORD" | sha256sum | cut -d' ' -f1)
+    echo "user $REDIS_REPL_USER on +psync +replconf +ping #$redis_repl_password_sha256" >> $redis_acl_file
   fi
   if ! is_empty "$REDIS_SENTINEL_PASSWORD"; then
-    echo "user $REDIS_SENTINEL_USER on allchannels +multi +slaveof +ping +exec +subscribe +config|rewrite +role +publish +info +client|setname +client|kill +script|kill >$REDIS_SENTINEL_PASSWORD" >> $redis_acl_file
+    redis_sentinel_password_sha256=$(echo -n "$REDIS_SENTINEL_PASSWORD" | sha256sum | cut -d' ' -f1)
+    echo "user $REDIS_SENTINEL_USER on allchannels +multi +slaveof +ping +exec +subscribe +config|rewrite +role +publish +info +client|setname +client|kill +script|kill #$redis_sentinel_password_sha256" >> $redis_acl_file
   fi
   if ! is_empty "$REDIS_DEFAULT_PASSWORD"; then
     echo "protected-mode yes" >> $redis_real_conf
-    echo "user default on >$REDIS_DEFAULT_PASSWORD ~* &* +@all " >> $redis_acl_file
+    redis_password_sha256=$(echo -n "$REDIS_DEFAULT_PASSWORD" | sha256sum | cut -d' ' -f1)
+    echo "user default on #$redis_password_sha256 ~* &* +@all " >> $redis_acl_file
   else
     echo "protected-mode no" >> $redis_real_conf
   fi