feat(cli): Add support for password credential in redis helper

Author: laero

api/proxy/credentials.go

@@ -12,6 +12,7 @@ import (
 
 const (
 	usernamePasswordCredentialType = "username_password"
+	passwordCredentialType         = "password"
 	sshPrivateKeyCredentialType    = "ssh_private_key"
 )
 
@@ -90,6 +91,18 @@ func ParseCredentials(creds []*targets.SessionCredential) (Credentials, error) {
 				continue
 			}
 
+		case passwordCredentialType:
+			// Decode attributes from credential struct
+			if err := mapstructure.Decode(cred.Credential, &upCred); err != nil {
+				return Credentials{}, err
+			}
+
+			if upCred.Password != "" {
+				upCred.Raw = cred
+				out.UsernamePassword = append(out.UsernamePassword, upCred)
+				continue
+			}
+
 		case sshPrivateKeyCredentialType:
 			// Decode attributes from credential struct
 			if err := mapstructure.Decode(cred.Credential, &spkCred); err != nil {

internal/cmd/commands/connect/redis.go

@@ -69,12 +69,14 @@ func (r *redisFlags) buildArgs(c *Command, port, ip, _ string, creds proxy.Crede
 		case username != "":
 			args = append(args, "--user", username)
 		case c.flagUsername != "":
-			args = append(args, "--user", c.flagUsername, "--askpass")
+			args = append(args, "--user", c.flagUsername)
 		}
 
-		// Password is read by redis-cli via environment variable. The password disappears after the command exits.
 		if password != "" {
 			envs = append(envs, fmt.Sprintf("REDISCLI_AUTH=%s", password))
+		} else {
+			// prompt for password if it wasn't provided
+			envs = append(envs, "--askpass")
 		}
 	}
 

testing/internal/e2e/boundary/credential.go

@@ -202,10 +202,10 @@ func CreateStaticCredentialPrivateKeyCli(t testing.TB, ctx context.Context, cred
 	return credentialId, nil
 }
 
-// CreateStaticCredentialPasswordCli uses the cli to create a new password credential in the
+// CreateStaticCredentialUsernamePasswordCli uses the cli to create a new password credential in the
 // provided static credential store.
 // Returns the id of the new credential
-func CreateStaticCredentialPasswordCli(t testing.TB, ctx context.Context, credentialStoreId string, user string, password string) (string, error) {
+func CreateStaticCredentialUsernamePasswordCli(t testing.TB, ctx context.Context, credentialStoreId string, user string, password string) (string, error) {
 	name, err := base62.Random(16)
 	if err != nil {
 		return "", err
@@ -238,6 +238,41 @@ func CreateStaticCredentialPasswordCli(t testing.TB, ctx context.Context, creden
 	return credentialId, nil
 }
 
+// CreateStaticCredentialPasswordCli uses the cli to create a new password credential in the
+// provided static credential store.
+// Returns the id of the new credential
+func CreateStaticCredentialPasswordCli(t testing.TB, ctx context.Context, credentialStoreId string, password string) (string, error) {
+	name, err := base62.Random(16)
+	if err != nil {
+		return "", err
+	}
+
+	output := e2e.RunCommand(ctx, "boundary",
+		e2e.WithArgs(
+			"credentials", "create", "password",
+			"-credential-store-id", credentialStoreId,
+			"-password", "env://E2E_CREDENTIALS_PASSWORD",
+			"-name", fmt.Sprintf("e2e Credential %s", name),
+			"-description", "e2e",
+			"-format", "json",
+		),
+		e2e.WithEnv("E2E_CREDENTIALS_PASSWORD", password),
+	)
+	if output.Err != nil {
+		return "", fmt.Errorf("%w: %s", output.Err, string(output.Stderr))
+	}
+
+	var createCredentialsResult credentials.CredentialCreateResult
+	err = json.Unmarshal(output.Stdout, &createCredentialsResult)
+	if err != nil {
+		return "", err
+	}
+
+	credentialId := createCredentialsResult.Item.Id
+	t.Logf("Created Password Credential: %s", credentialId)
+	return credentialId, nil
+}
+
 // CreateStaticCredentialPasswordDomainCli uses the cli to create a new username password domain credential in the
 // provided static credential store.
 // Returns the id of the new credential

testing/internal/e2e/infra/docker.go

@@ -599,9 +599,19 @@ func setupRedisAuthAndUser(t testing.TB, resource *dockertest.Resource, pool *do
 	t.Helper()
 	t.Log("Configuring Redis authentication and user permissions...")
 
+	// e2e user
 	err := exec.Command(
 		"docker", "exec", config.NetworkAlias, "redis-cli",
-		"ACL", "SETUSER", config.User, "on", fmt.Sprintf(">%s", config.Password), "+@read", "+@write", "allkeys",
+		"ACL", "SETUSER", config.User, "on", fmt.Sprintf(">%s", config.Password), "+@all", "allkeys",
+	).Run()
+	if err != nil {
+		return err
+	}
+
+	// default user
+	err = exec.Command(
+		"docker", "exec", config.NetworkAlias, "redis-cli",
+		"ACL", "SETUSER", "default", fmt.Sprintf(">%s", config.Password),
 	).Run()
 	if err != nil {
 		return err

testing/internal/e2e/tests/base/credential_store_test.go

@@ -77,7 +77,7 @@ func TestCliStaticCredentialStore(t *testing.T) {
 	require.NoError(t, err)
 	privateKeyCredentialsId, err := boundary.CreateStaticCredentialPrivateKeyCli(t, ctx, storeId, c.TargetSshUser, testPemFile)
 	require.NoError(t, err)
-	pwCredentialId, err := boundary.CreateStaticCredentialPasswordCli(t, ctx, storeId, c.TargetSshUser, testPassword)
+	pwCredentialId, err := boundary.CreateStaticCredentialUsernamePasswordCli(t, ctx, storeId, c.TargetSshUser, testPassword)
 	require.NoError(t, err)
 	jsonCredentialId, err := boundary.CreateStaticCredentialJsonCli(t, ctx, storeId, testCredentialsFile)
 	require.NoError(t, err)

testing/internal/e2e/tests/base/paginate_credential_test.go

@@ -88,7 +88,7 @@ func TestCliPaginateCredentials(t *testing.T) {
 	assert.Empty(t, initialCredentials.ListToken)
 
 	// Create a new credential and destroy one of the other credentials
-	credentialId, err := boundary.CreateStaticCredentialPasswordCli(t, ctx, storeId, "user", "password")
+	credentialId, err := boundary.CreateStaticCredentialUsernamePasswordCli(t, ctx, storeId, "user", "password")
 	require.NoError(t, err)
 	output = e2e.RunCommand(ctx, "boundary",
 		e2e.WithArgs(

testing/internal/e2e/tests/base/target_tcp_connect_cassandra_test.go

@@ -82,7 +82,7 @@ func TestCliTcpTargetConnectCassandra(t *testing.T) {
 	storeId, err := boundary.CreateCredentialStoreStaticCli(t, ctx, projectId)
 	require.NoError(t, err)
 
-	credentialId, err := boundary.CreateStaticCredentialPasswordCli(
+	credentialId, err := boundary.CreateStaticCredentialUsernamePasswordCli(
 		t,
 		ctx,
 		storeId,

testing/internal/e2e/tests/base/target_tcp_connect_mongo_test.go

@@ -83,7 +83,7 @@ func TestCliTcpTargetConnectMongo(t *testing.T) {
 	storeId, err := boundary.CreateCredentialStoreStaticCli(t, ctx, projectId)
 	require.NoError(t, err)
 
-	credentialId, err := boundary.CreateStaticCredentialPasswordCli(
+	credentialId, err := boundary.CreateStaticCredentialUsernamePasswordCli(
 		t,
 		ctx,
 		storeId,

testing/internal/e2e/tests/base/target_tcp_connect_mysql_test.go

@@ -82,7 +82,7 @@ func TestCliTcpTargetConnectMysql(t *testing.T) {
 	storeId, err := boundary.CreateCredentialStoreStaticCli(t, ctx, projectId)
 	require.NoError(t, err)
 
-	credentialId, err := boundary.CreateStaticCredentialPasswordCli(
+	credentialId, err := boundary.CreateStaticCredentialUsernamePasswordCli(
 		t,
 		ctx,
 		storeId,

testing/internal/e2e/tests/base/target_tcp_connect_redis_test.go

@@ -19,14 +19,137 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-// TestCliTcpTargetConnectRedis uses the boundary cli to connect to a target using `connect redis`
-func TestCliTcpTargetConnectRedis(t *testing.T) {
+type RedisContainerInfo struct {
+	Hostname string
+	Port     string
+	Username string
+	Password string
+}
+
+type BoundaryResources struct {
+	TargetId string
+	StoreId  string
+}
+
+// TestCliTcpTargetConnectRedisWithUsernamePassword uses the boundary cli to connect
+// to a target using `connect redis` with a username and password
+func TestCliTcpTargetConnectRedisWithUsernamePassword(t *testing.T) {
 	e2e.MaybeSkipTest(t)
 
-	pool, err := dockertest.NewPool("")
+	// Setup
+	ctx := context.Background()
+	redisInfo := setupRedisContainer(t, ctx)
+	resources := setupBoundaryResources(t, ctx, redisInfo)
+
+	credentialId, err := boundary.CreateStaticCredentialUsernamePasswordCli(
+		t,
+		ctx,
+		resources.StoreId,
+		redisInfo.Username,
+		redisInfo.Password,
+	)
+	require.NoError(t, err)
+
+	err = boundary.AddBrokeredCredentialSourceToTargetCli(t, ctx, resources.TargetId, credentialId)
 	require.NoError(t, err)
 
+	t.Logf("Attempting to connect to Redis target %s", resources.TargetId)
+
+	// Validation
+	cmd := exec.CommandContext(ctx,
+		"boundary",
+		"connect", "redis",
+		"-target-id", resources.TargetId,
+	)
+
+	stdin, err := cmd.StdinPipe()
+	require.NoError(t, err)
+	stdout, err := cmd.StdoutPipe()
+	require.NoError(t, err)
+	require.NoError(t, cmd.Start())
+
+	output, err := sendRedisCommand(stdin, stdout, "ACL WHOAMI\r\n")
+	require.NoError(t, err)
+	require.Equal(t, redisInfo.Username, output)
+
+	output, err = sendRedisCommand(stdin, stdout, "SET e2etestkey e2etestvalue\r\n")
+	require.NoError(t, err)
+	require.Equal(t, "OK", output)
+
+	output, err = sendRedisCommand(stdin, stdout, "GET e2etestkey\r\n")
+	require.NoError(t, err)
+	require.Equal(t, "e2etestvalue", output)
+
+	output, err = sendRedisCommand(stdin, stdout, "QUIT\r\n")
+	require.Equal(t, io.EOF, err)
+	require.Empty(t, output)
+
+	// Confirm that boundary connect has closed
+	err = cmd.Wait()
+	require.NoError(t, err)
+}
+
+// TestCliTcpTargetConnectRedisWithPassword uses the boundary cli to connect
+// to a target using `connect redis` with a password
+func TestCliTcpTargetConnectRedisWithPassword(t *testing.T) {
+	e2e.MaybeSkipTest(t)
+
+	// Setup
 	ctx := context.Background()
+	redisInfo := setupRedisContainer(t, ctx)
+	resources := setupBoundaryResources(t, ctx, redisInfo)
+
+	credentialId, err := boundary.CreateStaticCredentialPasswordCli(
+		t,
+		ctx,
+		resources.StoreId,
+		redisInfo.Password,
+	)
+	require.NoError(t, err)
+
+	err = boundary.AddBrokeredCredentialSourceToTargetCli(t, ctx, resources.TargetId, credentialId)
+	require.NoError(t, err)
+
+	t.Logf("Attempting to connect to Redis target %s", resources.TargetId)
+
+	// Validation
+	cmd := exec.CommandContext(ctx,
+		"boundary",
+		"connect", "redis",
+		"-target-id", resources.TargetId,
+	)
+
+	stdin, err := cmd.StdinPipe()
+	require.NoError(t, err)
+	stdout, err := cmd.StdoutPipe()
+	require.NoError(t, err)
+	require.NoError(t, cmd.Start())
+
+	output, err := sendRedisCommand(stdin, stdout, "ACL WHOAMI\r\n")
+	require.NoError(t, err)
+	require.Equal(t, "default", output)
+
+	output, err = sendRedisCommand(stdin, stdout, "SET e2etestkey e2etestvalue\r\n")
+	require.NoError(t, err)
+	require.Equal(t, "OK", output)
+
+	output, err = sendRedisCommand(stdin, stdout, "GET e2etestkey\r\n")
+	require.NoError(t, err)
+	require.Equal(t, "e2etestvalue", output)
+
+	output, err = sendRedisCommand(stdin, stdout, "QUIT\r\n")
+	require.Equal(t, io.EOF, err)
+	require.Empty(t, output)
+
+	// Confirm that boundary connect has closed
+	err = cmd.Wait()
+	require.NoError(t, err)
+}
+
+// setupRedisContainer starts a Redis container and returns its connection info
+func setupRedisContainer(t *testing.T, ctx context.Context) *RedisContainerInfo {
+	pool, err := dockertest.NewPool("")
+	require.NoError(t, err)
 
 	network, err := pool.NetworksByName("e2e_cluster")
 	require.NoError(t, err, "Failed to get e2e_cluster network")
@@ -52,12 +175,22 @@ func TestCliTcpTargetConnectRedis(t *testing.T) {
 	// Wait for Redis to be ready
 	err = pool.Retry(func() error {
 		out, e := exec.CommandContext(ctx, "docker", "exec", hostname,
-			"redis-cli", "-h", hostname, "-p", port, "PING").CombinedOutput()
+			"redis-cli", "-h", hostname, "-p", port, "-a", pw, "PING").CombinedOutput()
 		t.Logf("Redis PING output: %s", out)
 		return e
 	})
 	require.NoError(t, err, "Redis container failed to start")
+	return &RedisContainerInfo{
+		Hostname: hostname,
+		Port:     port,
+		Username: user,
+		Password: pw,
+	}
+}
 
+// setupBoundaryResources sets up the following Boundary resources:
+// Org, Project, Target, Credential Store
+func setupBoundaryResources(t *testing.T, ctx context.Context, redisInfo *RedisContainerInfo) *BoundaryResources {
 	boundary.AuthenticateAdminCli(t, ctx)
 
 	orgId, err := boundary.CreateOrgCli(t, ctx)
@@ -76,55 +209,18 @@ func TestCliTcpTargetConnectRedis(t *testing.T) {
 		t,
 		ctx,
 		projectId,
-		port,
-		target.WithAddress(hostname),
+		redisInfo.Port,
+		target.WithAddress(redisInfo.Hostname),
 	)
 	require.NoError(t, err)
 
 	storeId, err := boundary.CreateCredentialStoreStaticCli(t, ctx, projectId)
 	require.NoError(t, err)
 
-	credentialId, err := boundary.CreateStaticCredentialPasswordCli(
-		t,
-		ctx,
-		storeId,
-		user,
-		pw,
-	)
-	require.NoError(t, err)
-
-	err = boundary.AddBrokeredCredentialSourceToTargetCli(t, ctx, targetId, credentialId)
-	require.NoError(t, err)
-
-	t.Logf("Attempting to connect to Redis target %s", targetId)
-
-	cmd := exec.CommandContext(ctx,
-		"boundary",
-		"connect", "redis",
-		"-target-id", targetId,
-	)
-
-	stdin, err := cmd.StdinPipe()
-	require.NoError(t, err)
-	stdout, err := cmd.StdoutPipe()
-	require.NoError(t, err)
-	require.NoError(t, cmd.Start())
-
-	output, err := sendRedisCommand(stdin, stdout, "SET e2etestkey e2etestvalue\r\n")
-	require.NoError(t, err)
-	require.Equal(t, "OK", output)
-
-	output, err = sendRedisCommand(stdin, stdout, "GET e2etestkey\r\n")
-	require.NoError(t, err)
-	require.Equal(t, "e2etestvalue", output)
-
-	output, err = sendRedisCommand(stdin, stdout, "QUIT\r\n")
-	require.Equal(t, io.EOF, err)
-	require.Empty(t, output)
-
-	// Confirm that boundary connect has closed
-	err = cmd.Wait()
-	require.NoError(t, err)
+	return &BoundaryResources{
+		TargetId: targetId,
+		StoreId:  storeId,
+	}
 }
 
 func sendRedisCommand(stdin io.WriteCloser, stdout io.ReadCloser, cmdStr string) (string, error) {