diff --git a/stage_descriptions/auth-05-uv9.md b/stage_descriptions/auth-05-uv9.md index e25948c1..0059d86f 100644 --- a/stage_descriptions/auth-05-uv9.md +++ b/stage_descriptions/auth-05-uv9.md @@ -1,10 +1,25 @@ -In this stage, you'll add support for setting the default user's password. +In this stage, you'll add support for setting the `default` user's password. -### The `ACL SETUSER` command +### The `ACL SETUSER` Command -The [`ACL SETUSER`](https://redis.io/docs/latest/commands/acl-setuser/) command can be used to modify the properties of an existing user. If this command is used with the `>` rule, it is used to add a password for the given user. Adding a password also clears the `nopass` flag from the user. +The [`ACL SETUSER`](https://redis.io/docs/latest/commands/acl-setuser/) command modifies the properties of an existing user. -Example usage: +When the command is used with the `>` rule, it adds a password for the specified user: + +```bash +> ACL SETUSER default >mypassword +OK +``` + +The server responds with `OK` encoded as a RESP simple string (`+OK\r\n`). + +### Password Storage + +Adding a password for a user with `ACL SETUSER` has two effects: +- The password is stored as a SHA-256 hash. +- The `nopass` flag is automatically removed. + +For example: ```bash > ACL SETUSER default >mypassword 
@@ -12,16 +27,14 @@ OK > ACL GETUSER default 1) "flags" - 2) 1) "nopass" + 2) (empty array) 3) "passwords" 4) 1) "89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8" ``` -The response to the `ACL SETUSER` command is a RESP simple string: `+OK\r\n`. +Notice that the `nopass` flag is now gone from the `flags` array. Also, the `mypassword` SHA-256 hash is stored as a bulk string in the `passwords` array. -The password array in the response of `ACL GETUSER` command contains one element and is the SHA-256 hash of the password `mypassword`. - -Redis does not store the raw password specified in the `ACL SETUSER` command. Instead, it stores the SHA-256 hash of the password. While validating the password during authentication, the SHA-256 hash of the input password is calculated and matched against the stored list of SHA-256 password hashes. This is done because storing raw passwords is a security vulnerability. +Storing only the SHA-256 hash is a security best practice Redis uses to prevent password leaks if the database is compromised. ### Tests 
@@ -31,24 +44,23 @@ The tester will execute your program like this: $ ./your_program.sh ``` -It'll then send a `ACL GETUSER` command, specifying the `default` user +It will then send an `ACL GETUSER` command, specifying the `default` user: ```bash -$ redis-cli # Expect RESP array: ["flags", ["nopass"], "passwords", []] -> ACL GETUSER default +$ redis-cli ACL GETUSER default 1) "flags" 2) 1) "nopass" 3) "passwords" 4) (empty array) ``` -The tester will validate the following for the response of the `ACL GETUSER` command: +The tester will verify that: -- The `nopass` flag is present in the flags array -- The password array is empty +- The `nopass` flag is present in the flags array. +- The `passwords` array is empty. -It'll then send a `ACL SETUSER` command, specifying the `default` user and a password. +Next, the tester will send a `ACL SETUSER` command, specifying the `default` user and a password: ```bash # Expect: +OK\r\n @@ -56,9 +68,9 @@ It'll then send a `ACL SETUSER` command, specifying the `default` user and a pas OK ``` -The tester will validate that the response to the `ACL SETUSER` command is `+OK\r\n`. +Your server must respond with `+OK\r\n`. -It'll then send a `ACL GETUSER` command, specifying the `default` user. +Finally, the tester will send a `ACL GETUSER` command, specifying the `default` user: ```bash # Expect RESP array: ["flags", ["nopass"], "passwords", ["89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8"]] 
@@ -69,13 +81,12 @@ It'll then send a `ACL GETUSER` command, specifying the `default` user. 4) 1) "89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8" ``` -The tester will validate the following for the response of the `ACL GETUSER` command: +The tester will validate the following for your response: -- The `nopass` flag is not present in the flags array -- The passwords array contains one element, and the element is the SHA-256 hash of the password, encoded as a RESP bulk string. +- The `nopass` flag is no longer present. +- The `passwords` array contains the SHA-256 hash of `mypassword` encoded as a bulk string. ### Notes - Redis uses the SHA-256 hashing algorithm for password storage. You'll need to compute the SHA-256 hash of the provided password and store it. - - The password hash should be stored as a lowercase hexadecimal string.
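Review bot: In the first hunk the new "Password Storage" section repeats the exact `ACL SETUSER default >mypassword` / `OK` block that the hunk already introduces under the `>` rule a few lines earlier, so the reader sees the same example twice in a row. Suggest keeping only the second copy (it leads directly into the `ACL GETUSER` output that shows the effect on `flags` and `passwords`) and leaving the `>` rule paragraph with the sentence about the `+OK\r\n` response.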
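Review bot: The second hunk drops the only description of how authentication uses the stored value ("the SHA-256 hash of the input password is calculated and matched against the stored list of SHA-256 password hashes"), which is the part an implementer of this stage actually needs, and replaces it with a stronger security claim than the mechanism supports: an unsalted SHA-256 hash limits the damage of a leaked ACL file, it does not "prevent password leaks". Suggest restoring the validation sentence and rewording the claim to something like "so a leaked ACL file does not expose the plaintext password". The phrase "the `mypassword` SHA-256 hash" also reads awkwardly; "the SHA-256 hash of `mypassword`" matches the wording used in the last hunk.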
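Review bot: In the third hunk, "Next, the tester will send a `ACL SETUSER` command" keeps the article error that the same hunk fixes two paragraphs earlier ("an `ACL GETUSER`"); change to "an `ACL SETUSER` command". The hunk also switches the first example to the one-shot form `$ redis-cli ACL GETUSER default`, while the unchanged blocks that follow still show the interactive `>` prompt style; pick one style for all three tester examples.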
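Review bot: "Finally, the tester will send a `ACL GETUSER` command" in the fourth hunk has the same article error; change to "an `ACL GETUSER` command" for consistency with the "It will then send an `ACL GETUSER` command" line introduced earlier in this patch.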
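Review bot: The last hunk loses a check the old text stated explicitly: "The passwords array contains one element". The expected-response comment directly above (`"passwords", ["89e0...c8"]`) shows exactly one entry, and a server that appends a duplicate hash or keeps stale entries would not match it, so the bullet should say "contains exactly one element, the SHA-256 hash of `mypassword` encoded as a bulk string". It would also help to cross-reference the unchanged note that the hash is stored as a lowercase hexadecimal string, since that is what the tester compares against.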