user_test.go
// Copyright 2022 The Cockroach Authors.
//
// Use of this software is governed by the Business Source License
// included in the file licenses/BSL.txt.
//
// As of the Change Date specified in that file, in accordance with
// the Business Source License, use of this software will be governed
// by the Apache License, Version 2.0, included in the file
// licenses/APL.txt.
package server
import (
"context"
"fmt"
"sort"
"strings"
"testing"
"github.com/cockroachdb/cockroach/pkg/base"
"github.com/cockroachdb/cockroach/pkg/security/username"
"github.com/cockroachdb/cockroach/pkg/server/serverpb"
"github.com/cockroachdb/cockroach/pkg/sql/roleoption"
"github.com/cockroachdb/cockroach/pkg/testutils/serverutils"
"github.com/cockroachdb/cockroach/pkg/testutils/sqlutils"
"github.com/cockroachdb/cockroach/pkg/util/leaktest"
"github.com/cockroachdb/cockroach/pkg/util/log"
"github.com/stretchr/testify/require"
)
// TestValidRoles walks every entry of roleoption.ByName and checks what
// privilegeChecker.hasRoleOption reports for a freshly created user, first
// before the option is applied and then after it is set with ALTER USER.
//
// The option names interpolated into the SQL text are the keys of
// roleoption.ByName and the user name is a constant, so no external input
// reaches the statements built here.
func TestValidRoles(t *testing.T) {
	defer leaktest.AfterTest(t)()
	defer log.Scope(t).Close(t)

	ctx := context.Background()
	s, sqlDB, _ := serverutils.StartServer(t, base.TestServerArgs{})
	defer s.Stopper().Stop(ctx)

	fooUser := username.MakeSQLUsernameFromPreNormalizedString("foo")
	_, createErr := sqlDB.Exec(fmt.Sprintf("CREATE USER %s", fooUser))
	require.NoError(t, createErr)

	// hasOption asks the status server's privilege checker whether fooUser
	// currently holds the role option registered under optName.
	hasOption := func(optName string) (bool, error) {
		return s.(*TestServer).status.baseStatusServer.privilegeChecker.hasRoleOption(
			ctx, fooUser, roleoption.ByName[optName],
		)
	}

	for name := range roleoption.ByName {
		// Before the option is applied the checker must report false.
		before, err := hasOption(name)
		require.NoError(t, err)
		require.False(t, before)

		// PASSWORD and DEFAULTSETTINGS are skipped: PASSWORD still resides in
		// system.users and DEFAULTSETTINGS is stored in
		// system.database_role_settings.
		switch name {
		case "PASSWORD", "DEFAULTSETTINGS":
			continue
		}

		// VALID UNTIL is the only option here that is given an argument.
		suffix := ""
		if name == "VALID UNTIL" {
			suffix = " '3000-01-01'"
		}
		stmt := fmt.Sprintf("ALTER USER %s %s%s", fooUser, name, suffix)
		_, err = sqlDB.Exec(stmt)
		require.NoError(t, err)

		after, err := hasOption(name)
		require.NoError(t, err)

		// After ALTER USER the option should be reported, except for options
		// starting with NO and for LOGIN / SQLLOGIN, where the checker is
		// expected to report false. NOLOGIN and NOSQLLOGIN are the exception
		// to the NO rule and are expected to be reported.
		// NOTE(review): presumably LOGIN/SQLLOGIN are represented by the
		// absence of NOLOGIN/NOSQLLOGIN; confirm against the role option
		// storage.
		var want bool
		switch {
		case name == "NOLOGIN" || name == "NOSQLLOGIN":
			want = true
		case strings.HasPrefix(name, "NO") || name == "LOGIN" || name == "SQLLOGIN":
			want = false
		default:
			want = true
		}
		require.Equal(t, want, after)
	}
}
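// TestSQLRolesAPI requests the "sqlroles" status endpoint and checks the
// role list it returns: ADMIN for the admin request, an empty list for the
// non-admin request, and then exactly the options granted to or revoked from
// the non-admin user with ALTER USER.
//
// The last argument of getStatusJSONProtoWithAdminOption is true for the
// admin request and false for the non-admin ones (per the helper's name and
// the step comments below; the helper is defined outside this block).
func TestSQLRolesAPI(t *testing.T) {
	defer leaktest.AfterTest(t)()
	defer log.Scope(t).Close(t)
	s, sqlDB, _ := serverutils.StartServer(t, base.TestServerArgs{})
	defer s.Stopper().Stop(context.Background())
	db := sqlutils.MakeSQLRunner(sqlDB)

	// The same user name is used in every ALTER USER below; resolve it once.
	nonAdmin := authenticatedUserNameNoAdmin().Normalized()

	var res serverpb.UserSQLRolesResponse

	// Admin user.
	expRoles := []string{"ADMIN"}
	err := getStatusJSONProtoWithAdminOption(s, "sqlroles", &res, true)
	require.NoError(t, err)
	require.Equal(t, expRoles, res.Roles)

	// No roles added to a non-admin user: the response must be empty, and in
	// particular must not carry over ADMIN from the previous request.
	expRoles = []string{}
	err = getStatusJSONProtoWithAdminOption(s, "sqlroles", &res, false)
	require.NoError(t, err)
	require.Equal(t, expRoles, res.Roles)

	// One role added to the non-admin user.
	db.Exec(t, fmt.Sprintf("ALTER USER %s VIEWACTIVITY", nonAdmin))
	expRoles = []string{"VIEWACTIVITY"}
	err = getStatusJSONProtoWithAdminOption(s, "sqlroles", &res, false)
	require.NoError(t, err)
	require.Equal(t, expRoles, res.Roles)

	// Two roles added to the non-admin user.
	db.Exec(t, fmt.Sprintf("ALTER USER %s VIEWACTIVITYREDACTED", nonAdmin))
	expRoles = []string{"VIEWACTIVITY", "VIEWACTIVITYREDACTED"}
	err = getStatusJSONProtoWithAdminOption(s, "sqlroles", &res, false)
	// Check the error before touching the response so a failed request is
	// reported as such rather than as a role mismatch.
	require.NoError(t, err)
	// The roles are sorted here because expRoles is in a fixed order;
	// nothing visible in this test guarantees the order of the response.
	sort.Strings(res.Roles)
	require.Equal(t, expRoles, res.Roles)

	// Remove one role from non-admin user.
	db.Exec(t, fmt.Sprintf("ALTER USER %s NOVIEWACTIVITY", nonAdmin))
	expRoles = []string{"VIEWACTIVITYREDACTED"}
	err = getStatusJSONProtoWithAdminOption(s, "sqlroles", &res, false)
	require.NoError(t, err)
	require.Equal(t, expRoles, res.Roles)
}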