Reset acl info fields with CONFIG RESETSTAT

These fields under INFO STATS should need to be reset: - acl_access_denied_auth - acl_access_denied_cmd - acl_access_denied_key - acl_access_denied_channel - acl_access_denied_tls_cert Signed-off-by: Binbin <binloveplay1314@qq.com>
2025-12-02 11:59:16 +08:00 · 2025-12-02 11:59:16 +08:00 · e91f9095ae
parent 4a0e20bbc9
commit e91f9095ae
3 changed files with 41 additions and 7 deletions
--- a/src/server.c
+++ b/src/server.c
@ -2772,6 +2772,11 @@ void resetServerStats(void) {
    memset(server.duration_stats, 0, sizeof(durationStats) * EL_DURATION_TYPE_NUM);
    server.el_cmd_cnt_max = 0;
    lazyfreeResetStats();
+    server.acl_info.invalid_cmd_accesses = 0;
+    server.acl_info.invalid_key_accesses = 0;
+    server.acl_info.user_auth_failures = 0;
+    server.acl_info.invalid_channel_accesses = 0;
+    server.acl_info.acl_access_denied_tls_cert = 0;
 }

 /* Make the thread killable at any time, so that kill threads functions
@ -2968,13 +2973,6 @@ void initServer(void) {
    server.repl_good_replicas_count = 0;
    server.last_sig_received = 0;

-    /* Initiate acl info struct */
-    server.acl_info.invalid_cmd_accesses = 0;
-    server.acl_info.invalid_key_accesses = 0;
-    server.acl_info.user_auth_failures = 0;
-    server.acl_info.invalid_channel_accesses = 0;
-    server.acl_info.acl_access_denied_tls_cert = 0;
-
    /* Create the timer callback, this is our way to process many background
     * operations incrementally, like eviction of unaccessed expired keys, etc. */
    if (aeCreateTimeEvent(server.el, 1, serverCron, NULL, NULL) == AE_ERR) {
--- a/tests/unit/acl.tcl
+++ b/tests/unit/acl.tcl
@ -922,6 +922,8 @@ start_server {tags {"acl external:skip"}} {
        assert {[s acl_access_denied_cmd] eq $current_invalid_cmd_accesses}
        assert {[s acl_access_denied_key] eq $current_invalid_key_accesses}
        assert {[s acl_access_denied_channel] eq $current_invalid_channel_accesses}
+        r config resetstat
+        assert_equal 0 [s acl_access_denied_auth]
    }

    # If a user try to access an unauthorized command the metric increases
@ -938,6 +940,8 @@ start_server {tags {"acl external:skip"}} {
        assert {[s acl_access_denied_cmd] eq [expr $current_invalid_cmd_accesses + 1]}
        assert {[s acl_access_denied_key] eq $current_invalid_key_accesses}
        assert {[s acl_access_denied_channel] eq $current_invalid_channel_accesses}
+        r config resetstat
+        assert_equal 0 [s acl_access_denied_cmd]
    }

    # If a user try to access an unauthorized key the metric increases
@ -954,6 +958,8 @@ start_server {tags {"acl external:skip"}} {
        assert {[s acl_access_denied_cmd] eq $current_invalid_cmd_accesses}
        assert {[s acl_access_denied_key] eq [expr $current_invalid_key_accesses + 1]}
        assert {[s acl_access_denied_channel] eq $current_invalid_channel_accesses}
+        r config resetstat
+        assert_equal 0 [s acl_access_denied_key]
    }   

    # If a user try to access an unauthorized channel the metric increases
@ -970,6 +976,8 @@ start_server {tags {"acl external:skip"}} {
        assert {[s acl_access_denied_cmd] eq $current_invalid_cmd_accesses}
        assert {[s acl_access_denied_key] eq $current_invalid_key_accesses}
        assert {[s acl_access_denied_channel] eq [expr $current_invalid_channel_accesses + 1]}
+        r config resetstat
+        assert_equal 0 [s acl_access_denied_channel]
    }
 }

--- a/tests/unit/tls.tcl
+++ b/tests/unit/tls.tcl
@ -173,5 +173,33 @@ start_server {tags {"tls"}} {

            $s close
        }
+
+        foreach {type} {deluser off} {
+            test "TLS: Auto-authenticate using tls-auth-clients-user (CN) fails when the user $type" {
+                r acl log reset
+                r config resetstat
+                r config set tls-auth-clients-user CN
+
+                if {$type eq {deluser}} {
+                    r acl deluser Client-only
+                } elseif {$type eq {off}} {
+                    r acl setuser {Client-only} off >clientpass allcommands allkeys
+                }
+
+                # With feature on but the user is not on, client should not be auto-authenticated
+                set s [valkey_client]
+
+                # verify that new log entry is added
+                set entry [lindex [r ACL LOG] 0]
+                assert_equal [dict get $entry reason] {tls-cert}
+                assert_equal [dict get $entry username] {Client-only}
+                assert_equal 1 [s acl_access_denied_tls_cert]
+
+                # Verify that the authenticated user is still 'default'
+                assert_equal [$s ACL WHOAMI] {default}
+
+                $s close
+            }
+        }
    }
 }