From: Remi Gacogne Date: Tue, 30 Mar 2021 15:55:23 +0000 (+0200) Subject: dnsdist: Make hashed passwords more transparent to use X-Git-Tag: dnsdist-1.7.0-alpha1~12^2~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cfe95ada4a0a981c1bd4c9bc5185cd6d491a35d6;p=thirdparty%2Fpdns.git dnsdist: Make hashed passwords more transparent to use --- diff --git a/pdns/credentials.cc b/pdns/credentials.cc new file mode 100644 index 0000000000..c25ed3c195 --- /dev/null +++ b/pdns/credentials.cc @@ -0,0 +1,146 @@ +/* + * This file is part of PowerDNS or dnsdist. + * Copyright -- PowerDNS.COM B.V. and its contributors + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as + * published by the Free Software Foundation. + * + * In addition, for the avoidance of any doubt, permission is granted to + * link this program with OpenSSL and to (re)distribute the binaries + * produced as the result of such linking. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ +#include "config.h" + +#include + +#ifdef HAVE_LIBSODIUM +#include +#endif + +#include "credentials.hh" + +std::string hashPassword(const std::string& password) +{ +#ifdef HAVE_LIBSODIUM + std::string result; + result.resize(crypto_pwhash_STRBYTES); + sodium_mlock(result.data(), result.size()); + + int res = crypto_pwhash_str(const_cast(result.c_str()), + password.c_str(), + password.size(), + crypto_pwhash_OPSLIMIT_INTERACTIVE, + crypto_pwhash_MEMLIMIT_INTERACTIVE); + if (res != 0) { + throw std::runtime_error("Error while hashing the supplied password"); + } + + return result; +#else + throw std::runtime_error("Hashing a password requires libsodium support, and it is not available"); +#endif +} + +bool verifyPassword(const std::string& hash, const std::string& password) +{ +#ifdef HAVE_LIBSODIUM + if (hash.size() > crypto_pwhash_STRBYTES) { + throw std::runtime_error("Invalid password hash supplied for verification, size is " + std::to_string(hash.size()) + ", expected at most " + std::to_string(crypto_pwhash_STRBYTES)); + } + + return crypto_pwhash_str_verify(hash.c_str(), + password.c_str(), + password.size()) == 0; +#else + throw std::runtime_error("Verifying a hashed password requires libsodium support, and it is not available"); +#endif +} + +bool isPasswordHashed(const std::string& password) +{ +#ifdef HAVE_LIBSODIUM + if (password.size() > crypto_pwhash_STRBYTES) { + return false; + } + + int res = crypto_pwhash_str_needs_rehash(password.c_str(), + crypto_pwhash_OPSLIMIT_INTERACTIVE, + crypto_pwhash_MEMLIMIT_INTERACTIVE); + + if (res == -1) { + return false; + } + /* 1 means a rehashing is needed (different parameters), 0 is fine. + Either way this is a valid hash */ + return true; +#else + return false; +#endif +} + +/* if the password is in cleartext and hashing is available, + the hashed form will be kept in memory */ +CredentialsHolder::CredentialsHolder(std::string&& password) +{ + bool locked = false; + + if (isHashingAvailable()) { + d_hashed = true; + + if (!isPasswordHashed(password)) { + d_credentials = hashPassword(password); + locked = true; + } + else { + d_credentials = std::move(password); + } + } + else { + d_credentials = std::move(password); + } + + if (!locked) { +#ifdef HAVE_LIBSODIUM + sodium_mlock(d_credentials.data(), d_credentials.size()); +#endif + } + +} + +CredentialsHolder::~CredentialsHolder() +{ +#ifdef HAVE_LIBSODIUM + sodium_munlock(d_credentials.data(), d_credentials.size()); +#endif +} + +bool CredentialsHolder::matches(const std::string& password) const +{ + if (d_hashed) { + return verifyPassword(d_credentials, password); + } + else { +#warning FIXME: would be better to do a poor-man hashing using burtle and a random seed first + return password == d_credentials; + } +} + +bool CredentialsHolder::isHashingAvailable() +{ +#ifdef HAVE_LIBSODIUM + return true; +#else + return false; +#endif +} + diff --git a/pdns/credentials.hh b/pdns/credentials.hh new file mode 100644 index 0000000000..1b5a67f679 --- /dev/null +++ b/pdns/credentials.hh @@ -0,0 +1,52 @@ +/* + * This file is part of PowerDNS or dnsdist. + * Copyright -- PowerDNS.COM B.V. and its contributors + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as + * published by the Free Software Foundation. + * + * In addition, for the avoidance of any doubt, permission is granted to + * link this program with OpenSSL and to (re)distribute the binaries + * produced as the result of such linking. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ +#pragma once + +#include + +std::string hashPassword(const std::string& password); +bool verifyPassword(const std::string& hash, const std::string& password); +bool isPasswordHashed(const std::string& password); + +class CredentialsHolder +{ +public: + /* if the password is in cleartext and hashing is available, + the hashed form will be kept in memory */ + CredentialsHolder(std::string&& password); + ~CredentialsHolder(); + + CredentialsHolder(const CredentialsHolder&) = delete; + CredentialsHolder& operator=(const CredentialsHolder&) = delete; + + bool matches(const std::string& password) const; + bool isHashed() const + { + return d_hashed; + } + + static bool isHashingAvailable(); + +private: + std::string d_credentials; + bool d_hashed{false}; +}; diff --git a/pdns/dnsdist-console.cc b/pdns/dnsdist-console.cc index 2600cd46d4..4e8be9822b 100644 --- a/pdns/dnsdist-console.cc +++ b/pdns/dnsdist-console.cc @@ -629,7 +629,7 @@ const std::vector g_consoleKeywords{ { "setUDPMultipleMessagesVectorSize", true, "n", "set the size of the vector passed to recvmmsg() to receive UDP messages. Default to 1 which means that the feature is disabled and recvmsg() is used instead" }, { "setUDPTimeout", true, "n", "set the maximum time dnsdist will wait for a response from a backend over UDP, in seconds" }, { "setVerboseHealthChecks", true, "bool", "set whether health check errors will be logged" }, - { "setWebserverConfig", true, "[{hashedPassword=string, apiKey=string, customHeaders, statsRequireAuthentication}]", "Updates webserver configuration" }, + { "setWebserverConfig", true, "[{password=string, apiKey=string, customHeaders, statsRequireAuthentication}]", "Updates webserver configuration" }, { "setWeightedBalancingFactor", true, "factor", "Set the balancing factor for bounded-load weighted policies (whashed, wrandom)" }, { "setWHashedPertubation", true, "value", "Set the hash perturbation value to be used in the whashed policy instead of a random one, allowing to have consistent whashed results on different instance" }, { "show", true, "string", "outputs `string`" }, diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc index 20b6237b12..8bdc9551bc 100644 --- a/pdns/dnsdist-lua.cc +++ b/pdns/dnsdist-lua.cc @@ -919,7 +919,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck) g_carbon.setState(ours); }); - luaCtx.writeFunction("webserver", [client,configCheck](const std::string& address, const boost::optional password, const boost::optional apiKey, const boost::optional > customHeaders, const boost::optional acl) { + luaCtx.writeFunction("webserver", [client,configCheck](const std::string& address, boost::optional password, boost::optional apiKey, const boost::optional > customHeaders, const boost::optional acl) { setLuaSideEffect(); ComboAddress local; try { @@ -944,13 +944,17 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck) SListen(sock, 5); auto launch=[sock, local, password, apiKey, customHeaders, acl]() { if (password) { - warnlog("Passing a plain-text password to 'webserver()' is deprecated, please use 'setWebserverConfig()' instead."); - auto hashed = hashPassword(*password); - setWebserverPassword(std::move(hashed)); + auto holder = make_unique(std::string(*password)); + if (!holder->isHashed() && holder->isHashingAvailable()) { + warnlog("Passing a plain-text password to 'webserver()' is deprecated, please use 'setWebserverConfig()' instead."); + } + + setWebserverPassword(std::move(holder)); } if (apiKey) { - setWebserverAPIKey(apiKey); + auto holder = make_unique(std::string(*apiKey)); + setWebserverAPIKey(std::move(holder)); } if (customHeaders) { @@ -987,24 +991,23 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck) } if (vars->count("password")) { - warnlog("Passing a plain-text password via the 'password' parameter to 'setWebserverConfig()' is deprecated, please generate a hashed one using 'hashPassword()' and pass it via 'hashedPassword' instead."); - - const std::string password = boost::get(vars->at("password")); - auto hashed = hashPassword(password); - setWebserverPassword(std::move(hashed)); - } - - if (vars->count("hashedPassword")) { - std::string hashedPassword = boost::get(vars->at("hashedPassword")); - sodium_mlock(hashedPassword.data(), hashedPassword.size()); + std::string password = boost::get(vars->at("password")); + auto holder = make_unique(std::move(password)); + if (!holder->isHashed() && holder->isHashingAvailable()) { + warnlog("Passing a plain-text password via the 'password' parameter to 'setWebserverConfig()' is deprecated, please generate a hashed one using 'hashPassword()' instead."); + } - setWebserverPassword(std::move(hashedPassword)); + setWebserverPassword(std::move(holder)); } if (vars->count("apiKey")) { - const std::string apiKey = boost::get(vars->at("apiKey")); + std::string apiKey = boost::get(vars->at("apiKey")); + auto holder = make_unique(std::move(apiKey)); + if (!holder->isHashed() && holder->isHashingAvailable()) { + warnlog("Passing a plain-text API key via the 'apiKey' parameter to 'setWebserverConfig()' is deprecated, please generate a hashed one using 'hashPassword()' instead."); + } - setWebserverAPIKey(apiKey); + setWebserverAPIKey(std::move(holder)); } if (vars->count("acl")) { diff --git a/pdns/dnsdist-web.cc b/pdns/dnsdist-web.cc index d416b1a25c..5fc86119c6 100644 --- a/pdns/dnsdist-web.cc +++ b/pdns/dnsdist-web.cc @@ -51,8 +51,8 @@ struct WebserverConfig } NetmaskGroup acl; - std::string password; - std::string apiKey; + std::unique_ptr password; + std::unique_ptr apiKey; boost::optional > customHeaders; bool statsRequireAuthentication{true}; }; @@ -197,21 +197,21 @@ static void apiSaveACL(const NetmaskGroup& nmg) apiWriteConfigFile("acl", content); } -static bool checkAPIKey(const YaHTTP::Request& req, const string& expectedApiKey) +static bool checkAPIKey(const YaHTTP::Request& req, const std::unique_ptr& apiKey) { - if (expectedApiKey.empty()) { + if (!apiKey) { return false; } const auto header = req.headers.find("x-api-key"); if (header != req.headers.end()) { - return (header->second == expectedApiKey); + return apiKey->matches(header->second); } return false; } -static bool checkWebPassword(const YaHTTP::Request& req, const string &expected_password) +static bool checkWebPassword(const YaHTTP::Request& req, const std::unique_ptr& password) { static const char basicStr[] = "basic "; @@ -227,7 +227,10 @@ static bool checkWebPassword(const YaHTTP::Request& req, const string &expected_ stringtok(cparts, plain, ":"); if (cparts.size() == 2) { - return verifyPassword(g_webserverConfig.password, cparts.at(1)); + if (password) { + return password->matches(cparts.at(1)); + } + return true; } } @@ -1458,18 +1461,18 @@ static void connectionThread(WebClientConnection&& conn) } } -void setWebserverAPIKey(const boost::optional apiKey) +void setWebserverAPIKey(std::unique_ptr&& apiKey) { auto config = g_webserverConfig.lock(); if (apiKey) { - config->apiKey = *apiKey; + config->apiKey = std::move(apiKey); } else { - config->apiKey.clear(); + config->apiKey.reset(); } } -void setWebserverPassword(std::string&& password) +void setWebserverPassword(std::unique_ptr&& password) { g_webserverConfig.lock()->password = std::move(password); } @@ -1502,7 +1505,7 @@ void dnsdistWebserverThread(int sock, const ComboAddress& local) setThreadName("dnsdist/webserv"); warnlog("Webserver launched on %s", local.toStringWithPort()); - if (g_webserverConfig.lock()->password.empty()) { + if (!g_webserverConfig.lock()->password) { warnlog("Webserver launched on %s without a password set!", local.toStringWithPort()); } diff --git a/pdns/dnsdistdist/Makefile.am b/pdns/dnsdistdist/Makefile.am index 4419c422fc..ab7f661490 100644 --- a/pdns/dnsdistdist/Makefile.am +++ b/pdns/dnsdistdist/Makefile.am @@ -130,6 +130,7 @@ dnsdist_SOURCES = \ capabilities.cc capabilities.hh \ circular_buffer.hh \ connection-management.hh \ + credentials.cc credentials.hh \ dns.cc dns.hh \ dnscrypt.cc dnscrypt.hh \ dnsdist-backend.cc \ diff --git a/pdns/dnsdistdist/credentials.cc b/pdns/dnsdistdist/credentials.cc new file mode 120000 index 0000000000..385b2128df --- /dev/null +++ b/pdns/dnsdistdist/credentials.cc @@ -0,0 +1 @@ +../credentials.cc \ No newline at end of file diff --git a/pdns/dnsdistdist/credentials.hh b/pdns/dnsdistdist/credentials.hh new file mode 120000 index 0000000000..2c60bfff8f --- /dev/null +++ b/pdns/dnsdistdist/credentials.hh @@ -0,0 +1 @@ +../credentials.hh \ No newline at end of file diff --git a/pdns/dnsdistdist/dnsdist-web.hh b/pdns/dnsdistdist/dnsdist-web.hh index 937d33c1e0..110d638d07 100644 --- a/pdns/dnsdistdist/dnsdist-web.hh +++ b/pdns/dnsdistdist/dnsdist-web.hh @@ -1,7 +1,9 @@ #pragma once -void setWebserverAPIKey(const boost::optional apiKey); -void setWebserverPassword(std::string&& password); +#include "credentials.hh" + +void setWebserverAPIKey(std::unique_ptr&& apiKey); +void setWebserverPassword(std::unique_ptr&& password); void setWebserverACL(const std::string& acl); void setWebserverCustomHeaders(const boost::optional > customHeaders); void setWebserverStatsRequireAuthentication(bool); diff --git a/pdns/dnsdistdist/docs/reference/config.rst b/pdns/dnsdistdist/docs/reference/config.rst index 1d279b9c83..97e21d5f79 100644 --- a/pdns/dnsdistdist/docs/reference/config.rst +++ b/pdns/dnsdistdist/docs/reference/config.rst @@ -334,7 +334,7 @@ Webserver configuration ``statsRequireAuthentication``, ``maxConcurrentConnections`` optional parameters added. .. versionchanged:: 1.7.0 - The optional ``password`` parameter has been deprecated and replaced with ``hashedPassword``. + The optional ``password`` parameter now accepts hashed passwords. Setup webserver configuration. See :func:`webserver`. @@ -342,8 +342,7 @@ Webserver configuration Options: - * ``password=newPassword``: string - Changes the password used to access the internal webserver. Deprecated, please use ``hashedPassword`` instead - * ``hashedPassword=newPassword``: string - Set the password used to access the internal webserver. The new password needs to be hashed and salted via the :func:`hashPassword` command + * ``password=newPassword``: string - Set the password used to access the internal webserver. Since 1.7.0 the password needs to be hashed and salted via the :func:`hashPassword` command * ``apiKey=newKey``: string - Changes the API Key (set to an empty string do disable it) * ``custom_headers={[str]=str,...}``: map of string - Allows setting custom headers and removing the defaults. * ``acl=newACL``: string - List of IP addresses, as a string, that are allowed to open a connection to the web server. Defaults to "127.0.0.1, ::1". diff --git a/pdns/sodcrypto.cc b/pdns/sodcrypto.cc index 6ca218b7b7..b92c6e0e53 100644 --- a/pdns/sodcrypto.cc +++ b/pdns/sodcrypto.cc @@ -352,32 +352,3 @@ std::string Base64Encode (const std::string& vby) }; return retval; }; - -std::string hashPassword(const std::string& password) -{ - std::string result; - result.resize(crypto_pwhash_STRBYTES); - sodium_mlock(result.data(), result.size()); - - int res = crypto_pwhash_str(const_cast(result.c_str()), - password.c_str(), - password.size(), - crypto_pwhash_OPSLIMIT_INTERACTIVE, - crypto_pwhash_MEMLIMIT_INTERACTIVE); - if (res != 0) { - throw std::runtime_error("Error while hashing the supplied password"); - } - - return result; -} - -bool verifyPassword(const std::string& hash, const std::string& password) -{ - if (hash.size() > crypto_pwhash_STRBYTES) { - throw std::runtime_error("Invalid password hash supplied for verification, size is " + std::to_string(hash.size()) + ", expected at most " + std::to_string(crypto_pwhash_STRBYTES)); - } - - return crypto_pwhash_str_verify(hash.c_str(), - password.c_str(), - password.size()) == 0; -} diff --git a/pdns/sodcrypto.hh b/pdns/sodcrypto.hh index 69c05a29f4..ca35631455 100644 --- a/pdns/sodcrypto.hh +++ b/pdns/sodcrypto.hh @@ -76,6 +76,3 @@ std::string sodEncryptSym(const std::string& msg, const std::string& key, Sodium std::string sodDecryptSym(const std::string& msg, const std::string& key, SodiumNonce&); std::string newKey(); bool sodIsValidKey(const std::string& key); - -std::string hashPassword(const std::string& password); -bool verifyPassword(const std::string& hash, const std::string& password); diff --git a/regression-tests.dnsdist/test_API.py b/regression-tests.dnsdist/test_API.py index 8cc83e18f8..03ab9de9d2 100644 --- a/regression-tests.dnsdist/test_API.py +++ b/regression-tests.dnsdist/test_API.py @@ -20,7 +20,7 @@ class APITestsBase(DNSDistTest): setACL({"127.0.0.1/32", "::1/128"}) newServer{address="127.0.0.1:%s", pool={'', 'mypool'}} webserver("127.0.0.1:%s") - setWebserverConfig({hashedPassword="%s", apiKey="%s"}) + setWebserverConfig({password="%s", apiKey="%s"}) """ class TestAPIBasics(APITestsBase): @@ -349,7 +349,7 @@ class TestAPIServerDown(APITestsBase): newServer{address="127.0.0.1:%s"} getServer(0):setDown() webserver("127.0.0.1:%s") - setWebserverConfig({hashedPassword="%s", apiKey="%s"}) + setWebserverConfig({password="%s", apiKey="%s"}) """ def testServerDownNoLatencyLocalhost(self): @@ -374,7 +374,7 @@ class TestAPIWritable(APITestsBase): setACL({"127.0.0.1/32", "::1/128"}) newServer{address="127.0.0.1:%s"} webserver("127.0.0.1:%s") - setWebserverConfig({hashedPassword="%s", apiKey="%s"}) + setWebserverConfig({password="%s", apiKey="%s"}) setAPIWritable(true, "%s") """ @@ -450,7 +450,7 @@ class TestAPICustomHeaders(APITestsBase): setACL({"127.0.0.1/32", "::1/128"}) newServer({address="127.0.0.1:%s"}) webserver("127.0.0.1:%s") - setWebserverConfig({hashedPassword="%s", apiKey="%s", customHeaders={["X-Frame-Options"]="", ["X-Custom"]="custom"} }) + setWebserverConfig({password="%s", apiKey="%s", customHeaders={["X-Frame-Options"]="", ["X-Custom"]="custom"} }) """ def testBasicHeaders(self): @@ -495,7 +495,7 @@ class TestStatsWithoutAuthentication(APITestsBase): setACL({"127.0.0.1/32", "::1/128"}) newServer({address="127.0.0.1:%s"}) webserver("127.0.0.1:%s") - setWebserverConfig({hashedPassword="%s", apiKey="%s", statsRequireAuthentication=false }) + setWebserverConfig({password="%s", apiKey="%s", statsRequireAuthentication=false }) """ def testAuth(self): @@ -551,7 +551,7 @@ class TestAPIAuth(APITestsBase): setACL({"127.0.0.1/32", "::1/128"}) newServer{address="127.0.0.1:%s"} webserver("127.0.0.1:%s") - setWebserverConfig({hashedPassword="%s", apiKey="%s"}) + setWebserverConfig({password="%s", apiKey="%s"}) """ def testBasicAuthChange(self): @@ -560,7 +560,7 @@ class TestAPIAuth(APITestsBase): """ url = 'http://127.0.0.1:' + str(self._webServerPort) + self._basicOnlyPath - self.sendConsoleCommand('setWebserverConfig({{hashedPassword="{}"}})'.format(self._webServerBasicAuthPasswordNewHashed)) + self.sendConsoleCommand('setWebserverConfig({{password="{}"}})'.format(self._webServerBasicAuthPasswordNewHashed)) r = requests.get(url, auth=('whatever', self._webServerBasicAuthPasswordNew), timeout=self._webTimeout) self.assertTrue(r) @@ -618,7 +618,7 @@ class TestAPIACL(APITestsBase): setACL({"127.0.0.1/32", "::1/128"}) newServer{address="127.0.0.1:%s"} webserver("127.0.0.1:%s") - setWebserverConfig({hashedPassword="%s", apiKey="%s", acl="192.0.2.1"}) + setWebserverConfig({password="%s", apiKey="%s", acl="192.0.2.1"}) """ def testACLChange(self): @@ -646,7 +646,7 @@ class TestCustomLuaEndpoint(APITestsBase): setACL({"127.0.0.1/32", "::1/128"}) newServer{address="127.0.0.1:%s"} webserver("127.0.0.1:%s") - setWebserverConfig({hashedPassword="%s"}) + setWebserverConfig({password="%s"}) function customHTTPHandler(req, resp) if req.path ~= '/foo' then @@ -704,7 +704,7 @@ class TestWebConcurrentConnections(APITestsBase): _config_template = """ newServer{address="127.0.0.1:%s"} webserver("127.0.0.1:%s") - setWebserverConfig({hashedPassword="%s", apiKey="%s", maxConcurrentConnections=%d}) + setWebserverConfig({password="%s", apiKey="%s", maxConcurrentConnections=%d}) """ def testConcurrentConnections(self): diff --git a/regression-tests.dnsdist/test_DynBlocks.py b/regression-tests.dnsdist/test_DynBlocks.py index d0c5f34c86..fed5abde78 100644 --- a/regression-tests.dnsdist/test_DynBlocks.py +++ b/regression-tests.dnsdist/test_DynBlocks.py @@ -567,7 +567,7 @@ class TestDynBlockQPS(DynBlocksTest): end newServer{address="127.0.0.1:%s"} webserver("127.0.0.1:%s") - setWebserverConfig({hashedPassword="%s", apiKey="%s"}) + setWebserverConfig({password="%s", apiKey="%s"}) """ _config_params = ['_dynBlockQPS', '_dynBlockPeriod', '_dynBlockDuration', '_testServerPort', '_webServerPort', '_webServerBasicAuthPasswordHashed', '_webServerAPIKey'] @@ -592,7 +592,7 @@ class TestDynBlockGroupQPS(DynBlocksTest): end newServer{address="127.0.0.1:%s"} webserver("127.0.0.1:%s") - setWebserverConfig({hashedPassword="%s", apiKey="%s"}) + setWebserverConfig({password="%s", apiKey="%s"}) """ _config_params = ['_dynBlockQPS', '_dynBlockPeriod', '_dynBlockDuration', '_testServerPort', '_webServerPort', '_webServerBasicAuthPasswordHashed', '_webServerAPIKey'] @@ -1148,7 +1148,7 @@ class TestDynBlockGroupNoOp(DynBlocksTest): newServer{address="127.0.0.1:%s"} webserver("127.0.0.1:%s") - setWebserverConfig({hashedPassword="%s", apiKey="%s"}) + setWebserverConfig({password="%s", apiKey="%s"}) """ _config_params = ['_dynBlockQPS', '_dynBlockPeriod', '_dynBlockDuration', '_testServerPort', '_webServerPort', '_webServerBasicAuthPasswordHashed', '_webServerAPIKey'] @@ -1212,7 +1212,7 @@ class TestDynBlockGroupWarning(DynBlocksTest): newServer{address="127.0.0.1:%s"} webserver("127.0.0.1:%s") - setWebserverConfig({hashedPassword="%s", apiKey="%s"}) + setWebserverConfig({password="%s", apiKey="%s"}) """ _config_params = ['_dynBlockQPS', '_dynBlockPeriod', '_dynBlockDuration', '_dynBlockWarningQPS', '_testServerPort', '_webServerPort', '_webServerBasicAuthPasswordHashed', '_webServerAPIKey'] diff --git a/regression-tests.dnsdist/test_Prometheus.py b/regression-tests.dnsdist/test_Prometheus.py index 50176e1367..be92ae2fa9 100644 --- a/regression-tests.dnsdist/test_Prometheus.py +++ b/regression-tests.dnsdist/test_Prometheus.py @@ -17,7 +17,7 @@ class TestPrometheus(DNSDistTest): _config_template = """ newServer{address="127.0.0.1:%s"} webserver("127.0.0.1:%s") - setWebserverConfig({hashedPassword="%s", apiKey="%s"}) + setWebserverConfig({password="%s", apiKey="%s"}) """ def checkPrometheusContentBasic(self, content): diff --git a/regression-tests.dnsdist/test_TCPFastOpen.py b/regression-tests.dnsdist/test_TCPFastOpen.py index 3a5025f446..0ce7b76537 100644 --- a/regression-tests.dnsdist/test_TCPFastOpen.py +++ b/regression-tests.dnsdist/test_TCPFastOpen.py @@ -24,7 +24,7 @@ class TestBrokenTCPFastOpen(DNSDistTest): _config_template = """ newServer{address="127.0.0.1:%s", useClientSubnet=true, tcpFastOpen=true, retries=%d } webserver("127.0.0.1:%s") - setWebserverConfig({hashedPassword="%s", apiKey="%s"}) + setWebserverConfig({password="%s", apiKey="%s"}) """ @classmethod