Skip to content

Commit

Permalink
integration: add test cases for lease revoking with auth
Browse files Browse the repository at this point in the history
  • Loading branch information
mitake committed Jun 8, 2017
1 parent 0c65590 commit 7b68318
Showing 1 changed file with 156 additions and 4 deletions.
160 changes: 156 additions & 4 deletions integration/v3_auth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ import (

"golang.org/x/net/context"

"github.com/coreos/etcd/auth/authpb"
"github.com/coreos/etcd/clientv3"
"github.com/coreos/etcd/etcdserver/api/v3rpc/rpctypes"
pb "github.com/coreos/etcd/etcdserver/etcdserverpb"
Expand Down Expand Up @@ -104,16 +105,167 @@ func TestV3AuthRevision(t *testing.T) {
}
}

func authSetupRoot(t *testing.T, auth pb.AuthClient) {
if _, err := auth.UserAdd(context.TODO(), &pb.AuthUserAddRequest{Name: "root", Password: "123"}); err != nil {
type user struct {
name string
password string
role string
key string
end string
}

func TestV3AuthWithLeaseRevoke(t *testing.T) {
defer testutil.AfterTest(t)
clus := NewClusterV3(t, &ClusterConfig{Size: 1})
defer clus.Terminate(t)

users := []user{
{
name: "user1",
password: "user1-123",
role: "role1",
key: "k1",
end: "k2",
},
}
authSetupUsers(t, toGRPC(clus.Client(0)).Auth, users)

authSetupRoot(t, toGRPC(clus.Client(0)).Auth)

rootc, cerr := clientv3.New(clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "root", Password: "123"})
if cerr != nil {
t.Fatal(cerr)
}
defer rootc.Close()

leaseResp, err := rootc.Grant(context.TODO(), 90)
if err != nil {
t.Fatal(err)
}
if _, err := auth.RoleAdd(context.TODO(), &pb.AuthRoleAddRequest{Name: "root"}); err != nil {
leaseID := leaseResp.ID
// permission of k3 isn't granted to user1
_, err = rootc.Put(context.TODO(), "k3", "val", clientv3.WithLease(leaseID))
if err != nil {
t.Fatal(err)
}
if _, err := auth.UserGrantRole(context.TODO(), &pb.AuthUserGrantRoleRequest{User: "root", Role: "root"}); err != nil {

userc, cerr := clientv3.New(clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "user1", Password: "user1-123"})
if cerr != nil {
t.Fatal(cerr)
}
defer userc.Close()
_, err = userc.Revoke(context.TODO(), leaseID)
if err == nil {
t.Fatal("revoking from user1 should be failed with permission denied")
}
}

func TestV3AuthWithLeaseAttach(t *testing.T) {
defer testutil.AfterTest(t)
clus := NewClusterV3(t, &ClusterConfig{Size: 1})
defer clus.Terminate(t)

users := []user{
{
name: "user1",
password: "user1-123",
role: "role1",
key: "k1",
end: "k3",
},
{
name: "user2",
password: "user2-123",
role: "role2",
key: "k2",
end: "k4",
},
}
authSetupUsers(t, toGRPC(clus.Client(0)).Auth, users)

authSetupRoot(t, toGRPC(clus.Client(0)).Auth)

user1c, cerr := clientv3.New(clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "user1", Password: "user1-123"})
if cerr != nil {
t.Fatal(cerr)
}
defer user1c.Close()

user2c, cerr := clientv3.New(clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "user2", Password: "user2-123"})
if cerr != nil {
t.Fatal(cerr)
}
defer user2c.Close()

leaseResp, err := user1c.Grant(context.TODO(), 90)
if err != nil {
t.Fatal(err)
}
leaseID := leaseResp.ID
// permission of k2 is also granted to user2
_, err = user1c.Put(context.TODO(), "k2", "val", clientv3.WithLease(leaseID))
if err != nil {
t.Fatal(err)
}

_, err = user2c.Revoke(context.TODO(), leaseID)
if err != nil {
t.Fatal(err)
}

leaseResp, err = user1c.Grant(context.TODO(), 90)
if err != nil {
t.Fatal(err)
}
leaseID = leaseResp.ID
// permission of k1 isn't granted to user2
_, err = user1c.Put(context.TODO(), "k1", "val", clientv3.WithLease(leaseID))
if err != nil {
t.Fatal(err)
}

_, err = user2c.Revoke(context.TODO(), leaseID)
if err == nil {
t.Fatal("revoking from user2 should be failed with permission denied")
}
}

func authSetupUsers(t *testing.T, auth pb.AuthClient, users []user) {
for _, user := range users {
if _, err := auth.UserAdd(context.TODO(), &pb.AuthUserAddRequest{Name: user.name, Password: user.password}); err != nil {
t.Fatal(err)
}
if _, err := auth.RoleAdd(context.TODO(), &pb.AuthRoleAddRequest{Name: user.role}); err != nil {
t.Fatal(err)
}
if _, err := auth.UserGrantRole(context.TODO(), &pb.AuthUserGrantRoleRequest{User: user.name, Role: user.role}); err != nil {
t.Fatal(err)
}

if len(user.key) == 0 {
continue
}

perm := &authpb.Permission{
PermType: authpb.READWRITE,
Key: []byte(user.key),
RangeEnd: []byte(user.end),
}
if _, err := auth.RoleGrantPermission(context.TODO(), &pb.AuthRoleGrantPermissionRequest{Name: user.role, Perm: perm}); err != nil {
t.Fatal(err)
}
}
}

func authSetupRoot(t *testing.T, auth pb.AuthClient) {
root := []user{
{
name: "root",
password: "123",
role: "root",
key: "",
},
}
authSetupUsers(t, auth, root)
if _, err := auth.AuthEnable(context.TODO(), &pb.AuthEnableRequest{}); err != nil {
t.Fatal(err)
}
Expand Down

0 comments on commit 7b68318

Please sign in to comment.