close connection when redis returns WRONGPASS

nerdrew · nerdrew · commit 4c745b136f4a · 2025-12-19T13:34:15.000-08:00
diff --git a/lib/redis_client.rb b/lib/redis_client.rb
@@ -849,6 +849,9 @@ def connect
     connect_error = CannotConnectError.with_config(error.message, config)
     connect_error.set_backtrace(error.backtrace)
     raise connect_error
+  rescue AuthenticationError
+    @raw_connection&.close
+    raise
   rescue CommandError => error
     if error.message.match?(/ERR unknown command ['`]HELLO['`]/)
       raise UnsupportedServer,
diff --git a/test/shared/redis_client_tests.rb b/test/shared/redis_client_tests.rb
@@ -328,7 +328,12 @@ def test_command_missing
   end
 
   def test_authentication
-    @redis.call("ACL", "SETUSER", "AzureDiamond", ">hunter2", "on", "+PING")
+    @redis.call("ACL", "DELUSER", "AzureDiamond")
+    @redis.call("ACL", "SETUSER", "AzureDiamond", ">hunter2", "on", "+PING", "+CLIENT")
+    @redis.call("ACL", "DELUSER", "backup_admin")
+    @redis.call("ACL", "SETUSER", "backup_admin", ">hunter2", "on", "~*", "&*", "+@all")
+    backup = new_client(username: "backup_admin", password: "hunter2")
+    backup.call("ACL", "SETUSER", "default", "off")
 
     client = new_client(username: "AzureDiamond", password: "hunter2")
     assert_equal "PONG", client.call("PING")
@@ -337,10 +342,57 @@ def test_authentication
       client.call("GET", "foo")
     end
 
+    # Wrong password
     client = new_client(username: "AzureDiamond", password: "trolilol")
-    assert_raises RedisClient::AuthenticationError do
+    error = assert_raises RedisClient::AuthenticationError do
       client.call("PING")
     end
+    assert_match(/WRONGPASS invalid username-password pair/, error.message)
+
+    # The same error is raised, this shows that the client retried AUTH and didn't fall back to the default user
+    error = assert_raises RedisClient::AuthenticationError do
+      client.call("PING")
+    end
+    assert_match(/WRONGPASS invalid username-password pair/, error.message)
+
+    # Correct password, but user disabled
+    backup.call("ACL", "SETUSER", "AzureDiamond", "<hunter2", ">trolilol", "off")
+    error = assert_raises RedisClient::AuthenticationError do
+      client.call_once("PING")
+    end
+    assert_match(/WRONGPASS invalid username-password pair/, error.message)
+
+    # Correct password, user enabled
+    backup.call("ACL", "SETUSER", "AzureDiamond", "on")
+    assert_equal "PONG", client.call_once("PING")
+    assert_match(/user=AzureDiamond/, client.call("CLIENT", "INFO"))
+
+    # Wrong username
+    client = new_client(username: "GreenOpal", password: "trolilol")
+    error = assert_raises RedisClient::AuthenticationError do
+      client.call("PING")
+    end
+    assert_match(/WRONGPASS invalid username-password pair/, error.message)
+  ensure
+    backup.call("ACL", "SETUSER", "default", "on")
+  end
+
+  def test_noauth
+    @redis.call("ACL", "DELUSER", "AzureDiamond")
+    @redis.call("ACL", "SETUSER", "AzureDiamond", ">hunter2", "on", "~*", "&*", "+@all")
+    backup = new_client(username: "AzureDiamond", password: "hunter2")
+    backup.call("ACL", "SETUSER", "default", "off")
+
+    client = new_client(protocol: 2)
+    error = assert_raises RedisClient::CommandError do
+      client.call("PING")
+    end
+    assert_match(/NOAUTH Authentication required/, error.message)
+
+    backup.call("ACL", "SETUSER", "default", "on")
+    client.call("PING")
+  ensure
+    backup.call("ACL", "SETUSER", "default", "on")
   end
 
   def test_transaction
