Merge pull request #455 from codecrafters-io/auth-default

Revised Redis/Auth Instructions

Author: UdeshyaDhungana

.gitignore

@@ -1,3 +1,6 @@
 course_definition_tester
 .history/
 .idea/
+
+# MacOS
+.DS_Store

course-definition.yml

@@ -200,6 +200,19 @@ extensions:
       [geoadd-command]: https://redis.io/docs/latest/commands/geoadd/
       [geosearch-command]: https://redis.io/docs/latest/commands/geosearch/
 
+  - slug: "authentication"
+    name: "Authentication"
+    description_markdown: |
+      In this challenge extension you'll add support for default user [Authentication][redis-authentication] to your Redis implementation.
+
+      Along the way, you'll learn about commands like [ACL WHOAMI][acl-whoami-command], [ACL GETUSER][acl-getuser-command], [ACL SETUSER][acl-setuser-command], and [AUTH][auth-command], and more.
+
+      [redis-authentication]: https://redis.io/docs/latest/operate/oss_and_stack/management/security/
+      [acl-whoami-command]: https://redis.io/docs/latest/commands/acl-whoami/
+      [acl-getuser-command]: https://redis.io/docs/latest/commands/acl-getuser/
+      [acl-setuser-command]: https://redis.io/docs/latest/commands/acl-setuser/
+      [auth-command]: https://redis.io/docs/latest/commands/auth/
+
 stages:
   - slug: "jm1"
     concept_slugs:
@@ -867,3 +880,60 @@ stages:
     name: "Search within radius"
     difficulty: easy
     marketing_md: In this stage, you'll add support for searching locations near a coordinate within a given radius using the `GEOSEARCH` command.
+
+  # Authentication
+  - slug: "jn4"
+    primary_extension_slug: "authentication"
+    name: "Respond to ACL WHOAMI"
+    difficulty: easy
+    marketing_md: |
+      In this stage, you'll add support for responding to the `ACL WHOAMI` command.
+
+  - slug: "gx8"
+    primary_extension_slug: "authentication"
+    name: "Respond to ACL GETUSER"
+    difficulty: easy
+    marketing_md: |
+      In this stage, you'll add support for responding to the `ACL GETUSER` command.
+
+  - slug: "ql6"
+    primary_extension_slug: "authentication"
+    name: "The nopass flag"
+    difficulty: easy
+    marketing_md: |
+      In this stage, you'll add support for responding to the `ACL GETUSER` command with the `nopass` flag set.
+
+  - slug: "pl7"
+    primary_extension_slug: "authentication"
+    name: "The passwords property"
+    difficulty: easy
+    marketing_md: |
+      In this stage, you'll add support for responding to the `ACL GETUSER` command with the passwords property.
+
+  - slug: "uv9"
+    primary_extension_slug: "authentication"
+    name: "Setting default user password"
+    difficulty: medium
+    marketing_md: |
+      In this stage, you'll add support for setting the default user's password.
+
+  - slug: "hz3"
+    primary_extension_slug: "authentication"
+    name: "The AUTH command"
+    difficulty: medium
+    marketing_md: |
+      In this stage, you'll add support for responding to the `AUTH` command.
+
+  - slug: "nm2"
+    primary_extension_slug: "authentication"
+    name: "Enforce authentication"
+    difficulty: medium
+    marketing_md: |
+      In this stage, you'll add support for enforcing authentication for the `default` user.
+
+  - slug: "ws7"
+    primary_extension_slug: "authentication"
+    name: "Authenticate using AUTH"
+    difficulty: medium
+    marketing_md: |
+      In this stage, you'll implement enforcing authentication using the `AUTH` command.

stage_descriptions/auth-01-jn4.md

@@ -0,0 +1,44 @@
+In this stage, you'll add support for responding to the `ACL WHOAMI` command.
+
+### The `ACL WHOAMI` command
+
+The [`ACL WHOAMI`](https://redis.io/docs/latest/commands/acl-whoami/) command is used to return the username the current connection is authenticated with.
+
+In Redis, every new connection is automatically authenticated using the `default` user. This feature can be turned off, making every new connection unauthenticated at first. We'll get to that in the later stages.
+
+Example usage:
+
+```bash
+> ACL WHOAMI
+"default"
+```
+
+It returns the username of currently authenticated user, encoded as a [RESP bulk string](https://redis.io/docs/latest/develop/reference/protocol-spec/#bulk-strings).
+
+### Tests
+
+The tester will execute your program like this:
+
+```bash
+$ ./your_program.sh
+```
+
+It'll then send an `ACL WHOAMI` command.
+
+```bash
+# Expect RESP bulk string: "default"
+$ redis-cli
+> ACL WHOAMI
+"default"
+```
+
+The tester will validate that the response is the string `default`, which is RESP encoded as:
+
+```
+$7\r\n
+default\r\n
+```
+
+### Notes
+
+- In this stage, you can hardcode the response of the `ACL WHOAMI` command to be `default`. We'll get to enforcing authentication in the later stages.

stage_descriptions/auth-02-gx8.md

@@ -0,0 +1,45 @@
+In this stage, you'll add support for responding to the `ACL GETUSER` command.
+
+### The `ACL GETUSER` command
+
+The [`ACL GETUSER`](https://redis.io/docs/latest/commands/acl-getuser/) is used to retrieve the properties the specified user. In Redis, the `default` user is present from the start, without having to create it explicitly.
+
+The `ACL GETUSER` returns multiple properties of the user, among which `flags` is one. In this stage, you'll add support for responding to the `ACL GETUSER` command with only the flags property.
+
+Example usage:
+```bash
+> ACL GETUSER default
+1) "flags"
+2) (empty array)
+```
+
+The second element of the resposne is the flags array. This is because a user can have multiple flags associated with it. In this stage, you can hardcode the flags array to be an empty array.
+
+### Tests
+
+The tester will execute your program like this:
+
+```bash
+$ ./your_program.sh
+```
+
+It'll then send an `ACL GETUSER` command specifying the `default` user.
+
+```bash
+# Expect RESP array: ["flags", []]
+$ redis-cli
+> ACL GETUSER default
+1) "flags"
+2) (empty array)
+```
+
+The tester will validate the following for the response:
+
+1. The first element of the array is the string `flags`, encoded as a RESP bulk string.
+2. The second element of the array is a RESP array.
+
+### Notes
+
+- A user can have multiple flags. This is why the value of flags property is an array.
+
+- The second element of the array is the flags array, which contains the user flags. We'll get to this in the later stages.

stage_descriptions/auth-03-ql6.md

@@ -0,0 +1,43 @@
+In this stage, you'll add support for responding to the `ACL GETUSER` command with the `nopass` flag set.
+
+### The `nopass` flag
+
+The `nopass` flag is one of the user flags in Redis.
+
+- If the `nopass` flag is set for a user, the authentication succeeds with an arbitrary password for the user.
+- Setting the `nopass` flag clears the associated passwords for the given user.
+- The default user has the `nopass` flag set. Due to this, new connections are automatically authenticated as the `default` user. (This behavior can be changed, and we'll get to this in the later stages.)
+
+Example usage:
+```bash
+> ACL GETUSER default
+1) "flags"
+2) 1) "nopass"
+```
+
+The flags are encoded as a RESP array of bulk strings. Each flag is a bulk string (e.g., `nopass`). We'll get to enforcing the behavior of the `nopass` flag in later stages.
+
+In this stage, you only need to respond to the `ACL GETUSER` command with the `nopass` flag set.
+
+### Tests
+
+The tester will execute your program like this:
+
+```bash
+$ ./your_program.sh
+```
+
+It'll then send an `ACL GETUSER` command specifying the `default` user.
+
+```bash
+# Expect RESP array: ["flags", ["nopass"]]
+$ redis-cli
+> ACL GETUSER default
+1) "flags"
+2) 1) "nopass"
+```
+
+The tester will validate the following for the response:
+
+1. The first element of the array is the string `flags`, encoded as a RESP bulk string.
+2. The second element of the array is a RESP array, and contains the `nopass` flag.

stage_descriptions/auth-04-pl7.md

@@ -0,0 +1,43 @@
+In this stage, you'll add support for responding to the `ACL GETUSER` command with the passwords property.
+
+### The `passwords` property
+
+A user in the Redis ACL system can have zero or more passwords associated with them. The `ACL GETUSER` command also returns the `passwords` property of the specified user.
+
+Example usage:
+```bash
+> ACL GETUSER default
+ 1) "flags"
+ 2) 1) "nopass"
+ 3) "passwords"
+ 4) (empty array)
+```
+
+The fourth element of the response is the passwords array. The default user does not have any associated passwords unless explicitly configured. This is why the passwords array is empty for the default user.
+
+### Tests
+
+The tester will execute your program like this:
+
+```bash
+$ ./your_program.sh
+```
+
+It'll then send an `ACL GETUSER` command specifying the `default` user.
+
+```bash
+$ redis-cli
+# Expect RESP array: ["flags", ["nopass"], "passwords", []]
+> ACL GETUSER default
+ 1) "flags"
+ 2) 1) "nopass"
+ 3) "passwords"
+ 4) (empty array)
+```
+
+The tester will validate the following for the response:
+
+1. The first element of the array is the string `flags`, encoded as a RESP bulk string.
+2. The second element of the array is a RESP array and contains the `nopass` flag.
+3. The third element of the array is the string `passwords`, encoded as a RESP bulk string.
+4. The fourth element of the array is an empty array because no passwords have been specified for the default user.

stage_descriptions/auth-05-uv9.md

@@ -0,0 +1,81 @@
+In this stage, you'll add support for setting the default user's password.
+
+### The `ACL SETUSER` command
+
+The [`ACL SETUSER`](https://redis.io/docs/latest/commands/acl-setuser/) command can be used to modify the properties of an existing user. If this command is used with the `>` rule, it is used to add a password for the given user. Adding a password also clears the `nopass` flag from the user.
+
+Example usage:
+
+```bash
+> ACL SETUSER default >mypassword
+OK
+
+> ACL GETUSER default
+ 1) "flags"
+ 2) 1) "nopass"
+ 3) "passwords"
+ 4) 1) "89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8"
+```
+
+The response to the `ACL SETUSER` command is a RESP simple string: `+OK\r\n`.
+
+The password array in the response of `ACL GETUSER` command contains one element and is the SHA-256 hash of the password `mypassword`.
+
+Redis does not store the raw password specified in the `ACL SETUSER` command. Instead, it stores the SHA-256 hash of the password. While validating the password during authentication, the SHA-256 hash of the input password is calculated and matched against the stored list of SHA-256 password hashes. This is done because storing raw passwords is a security vulnerability.
+
+### Tests
+
+The tester will execute your program like this:
+
+```bash
+$ ./your_program.sh
+```
+
+It'll then send a `ACL GETUSER` command, specifying the `default` user
+
+```bash
+$ redis-cli
+# Expect RESP array: ["flags", ["nopass"], "passwords", []]
+> ACL GETUSER default
+1) "flags"
+2) 1) "nopass"
+3) "passwords"
+4) (empty array)
+```
+
+The tester will validate the following for the response of the `ACL GETUSER` command:
+
+- The `nopass` flag is present in the flags array
+- The password array is empty
+
+It'll then send a `ACL SETUSER` command, specifying the `default` user and a password.
+
+```bash
+# Expect: +OK\r\n
+> ACL SETUSER default >mypassword
+OK
+```
+
+The tester will validate that the response to the `ACL SETUSER` command is `+OK\r\n`.
+
+It'll then send a `ACL GETUSER` command, specifying the `default` user.
+
+```bash
+# Expect RESP array: ["flags", ["nopass"], "passwords", ["89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8"]]
+> ACL GETUSER default
+1) "flags"
+2) 1) "nopass"
+3) "passwords"
+4) 1) "89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8"
+```
+
+The tester will validate the following for the response of the `ACL GETUSER` command:
+
+- The `nopass` flag is not present in the flags array
+- The passwords array contains one element, and the element is the SHA-256 hash of the password, encoded as a RESP bulk string.
+
+### Notes
+
+- Redis uses the SHA-256 hashing algorithm for password storage. You'll need to compute the SHA-256 hash of the provided password and store it.
+
+- The password hash should be stored as a lowercase hexadecimal string.