|
|
@@ -24,6 +24,7 @@ func TestCtlV3AuthDisable(t *testing.T) { testCtl(t, authDisableTest
|
|
|
func TestCtlV3AuthWriteKey(t *testing.T) { testCtl(t, authCredWriteKeyTest) }
|
|
|
func TestCtlV3AuthRoleUpdate(t *testing.T) { testCtl(t, authRoleUpdateTest) }
|
|
|
func TestCtlV3AuthUserDeleteDuringOps(t *testing.T) { testCtl(t, authUserDeleteDuringOpsTest) }
|
|
|
+func TestCtlV3AuthRoleRevokeDuringOps(t *testing.T) { testCtl(t, authRoleRevokeDuringOpsTest) }
|
|
|
|
|
|
func authEnableTest(cx ctlCtx) {
|
|
|
if err := authEnable(cx); err != nil {
|
|
|
@@ -203,6 +204,76 @@ func authUserDeleteDuringOpsTest(cx ctlCtx) {
|
|
|
}
|
|
|
}
|
|
|
|
|
|
+func authRoleRevokeDuringOpsTest(cx ctlCtx) {
|
|
|
+ if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
|
|
|
+ cx.t.Fatal(err)
|
|
|
+ }
|
|
|
+
|
|
|
+ if err := authEnable(cx); err != nil {
|
|
|
+ cx.t.Fatal(err)
|
|
|
+ }
|
|
|
+
|
|
|
+ cx.user, cx.pass = "root", "root"
|
|
|
+ authSetupTestUser(cx)
|
|
|
+
|
|
|
+ // create a key
|
|
|
+ cx.user, cx.pass = "test-user", "pass"
|
|
|
+ if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
|
|
|
+ cx.t.Fatal(err)
|
|
|
+ }
|
|
|
+ // confirm put succeeded
|
|
|
+ if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil {
|
|
|
+ cx.t.Fatal(err)
|
|
|
+ }
|
|
|
+
|
|
|
+ // create a new role
|
|
|
+ cx.user, cx.pass = "root", "root"
|
|
|
+ if err := ctlV3Role(cx, []string{"add", "test-role2"}, "Role test-role2 created"); err != nil {
|
|
|
+ cx.t.Fatal(err)
|
|
|
+ }
|
|
|
+ // grant a new key to the new role
|
|
|
+ if err := ctlV3RoleGrantPermission(cx, "test-role2", grantingPerm{true, true, "hoo", ""}); err != nil {
|
|
|
+ cx.t.Fatal(err)
|
|
|
+ }
|
|
|
+ // grant the new role to the user
|
|
|
+ if err := ctlV3User(cx, []string{"grant-role", "test-user", "test-role2"}, "Role test-role2 is granted to user test-user", nil); err != nil {
|
|
|
+ cx.t.Fatal(err)
|
|
|
+ }
|
|
|
+
|
|
|
+ // try a newly granted key
|
|
|
+ cx.user, cx.pass = "test-user", "pass"
|
|
|
+ if err := ctlV3Put(cx, "hoo", "bar", ""); err != nil {
|
|
|
+ cx.t.Fatal(err)
|
|
|
+ }
|
|
|
+ // confirm put succeeded
|
|
|
+ if err := ctlV3Get(cx, []string{"hoo"}, []kv{{"hoo", "bar"}}...); err != nil {
|
|
|
+ cx.t.Fatal(err)
|
|
|
+ }
|
|
|
+
|
|
|
+ // revoke a role from the user
|
|
|
+ cx.user, cx.pass = "root", "root"
|
|
|
+ err := ctlV3User(cx, []string{"revoke-role", "test-user", "test-role"}, "Role test-role is revoked from user test-user", []string{})
|
|
|
+ if err != nil {
|
|
|
+ cx.t.Fatal(err)
|
|
|
+ }
|
|
|
+
|
|
|
+ // check the role is revoked and permission is lost from the user
|
|
|
+ cx.user, cx.pass = "test-user", "pass"
|
|
|
+ if err := ctlV3PutFailPerm(cx, "foo", "baz"); err != nil {
|
|
|
+ cx.t.Fatal(err)
|
|
|
+ }
|
|
|
+
|
|
|
+ // try a key that can be accessed from the remaining role
|
|
|
+ cx.user, cx.pass = "test-user", "pass"
|
|
|
+ if err := ctlV3Put(cx, "hoo", "bar2", ""); err != nil {
|
|
|
+ cx.t.Fatal(err)
|
|
|
+ }
|
|
|
+ // confirm put succeeded
|
|
|
+ if err := ctlV3Get(cx, []string{"hoo"}, []kv{{"hoo", "bar2"}}...); err != nil {
|
|
|
+ cx.t.Fatal(err)
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
func ctlV3PutFailAuth(cx ctlCtx, key, val string) error {
|
|
|
return spawnWithExpect(append(cx.PrefixArgs(), "put", key, val), "authentication failed")
|
|
|
}
|
Hitoshi Mitake