Home Explore Help
Register Sign In
publics
/
etcd-io__etcd
0
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge pull request #5722 from mitake/auth-v3-check-test

e2e: check runtime permission changing
Xiang Li 9 years ago
parent
8920e7c4d5 6fe4d9d30a
commit
d017814eaa
2 changed files with 121 additions and 4 deletions
Split View Show Diff Stats
  1. 56 3
      e2e/ctl_v3_auth_test.go
  2. 65 1
      e2e/ctl_v3_role_test.go

+ 56 - 3
e2e/ctl_v3_auth_test.go
View File 

@@ -19,9 +19,10 @@ import (
 
 	"testing"
 
 )
 
 
-func TestCtlV3AuthEnable(t *testing.T)   { testCtl(t, authEnableTest) }
 
-func TestCtlV3AuthDisable(t *testing.T)  { testCtl(t, authDisableTest) }
 
-func TestCtlV3AuthWriteKey(t *testing.T) { testCtl(t, authCredWriteKeyTest) }
 
+func TestCtlV3AuthEnable(t *testing.T)     { testCtl(t, authEnableTest) }
 
+func TestCtlV3AuthDisable(t *testing.T)    { testCtl(t, authDisableTest) }
 
+func TestCtlV3AuthWriteKey(t *testing.T)   { testCtl(t, authCredWriteKeyTest) }
 
+func TestCtlV3AuthRoleUpdate(t *testing.T) { testCtl(t, authRoleUpdateTest) }
 
 
 func authEnableTest(cx ctlCtx) {
 
 	if err := authEnable(cx); err != nil {
 
@@ -113,6 +114,58 @@ func authCredWriteKeyTest(cx ctlCtx) {
 
 	}
 
 }
 
 
+func authRoleUpdateTest(cx ctlCtx) {
 
+	if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
 
+		cx.t.Fatal(err)
 
+	}
 
+
 
+	if err := authEnable(cx); err != nil {
 
+		cx.t.Fatal(err)
 
+	}
 
+
 
+	cx.user, cx.pass = "root", "root"
 
+	authSetupTestUser(cx)
 
+
 
+	// try put to not granted key
 
+	cx.user, cx.pass = "test-user", "pass"
 
+	if err := ctlV3PutFailPerm(cx, "hoo", "bar"); err != nil {
 
+		cx.t.Fatal(err)
 
+	}
 
+
 
+	// grant a new key
 
+	cx.user, cx.pass = "root", "root"
 
+	if err := ctlV3RoleGrantPermission(cx, "test-role", grantingPerm{true, true, "hoo", ""}); err != nil {
 
+		cx.t.Fatal(err)
 
+	}
 
+
 
+	// try a newly granted key
 
+	cx.user, cx.pass = "test-user", "pass"
 
+	if err := ctlV3Put(cx, "hoo", "bar", ""); err != nil {
 
+		cx.t.Fatal(err)
 
+	}
 
+	// confirm put succeeded
 
+	if err := ctlV3Get(cx, []string{"hoo"}, []kv{{"hoo", "bar"}}...); err != nil {
 
+		cx.t.Fatal(err)
 
+	}
 
+
 
+	// revoke the newly granted key
 
+	cx.user, cx.pass = "root", "root"
 
+	if err := ctlV3RoleRevokePermission(cx, "test-role", "hoo", ""); err != nil {
 
+		cx.t.Fatal(err)
 
+	}
 
+
 
+	// try put to the revoked key
 
+	cx.user, cx.pass = "test-user", "pass"
 
+	if err := ctlV3PutFailPerm(cx, "hoo", "bar"); err != nil {
 
+		cx.t.Fatal(err)
 
+	}
 
+
 
+	// confirm a key still granted can be accessed
 
+	if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil {
 
+		cx.t.Fatal(err)
 
+	}
 
+}
 
+
 
 func ctlV3PutFailAuth(cx ctlCtx, key, val string) error {
 
 	return spawnWithExpect(append(cx.PrefixArgs(), "put", key, val), "authentication failed")
 
 }

+ 65 - 1
e2e/ctl_v3_role_test.go
View File 

@@ -14,7 +14,10 @@
 
 
 package e2e
 
 
-import "testing"
 
+import (
 
+	"fmt"
 
+	"testing"
 
+)
 
 
 func TestCtlV3RoleAdd(t *testing.T)          { testCtl(t, roleAddTest) }
 
 func TestCtlV3RoleAddNoTLS(t *testing.T)     { testCtl(t, roleAddTest, withCfg(configNoTLS)) }
 
@@ -95,3 +98,64 @@ func ctlV3Role(cx ctlCtx, args []string, expStr string) error {
 
 
 	return spawnWithExpect(cmdArgs, expStr)
 
 }
 
+
 
+func ctlV3RoleGrantPermission(cx ctlCtx, rolename string, perm grantingPerm) error {
 
+	cmdArgs := append(cx.PrefixArgs(), "role", "grant-permission")
 
+	cmdArgs = append(cmdArgs, rolename)
 
+	cmdArgs = append(cmdArgs, grantingPermToArgs(perm)...)
 
+
 
+	proc, err := spawnCmd(cmdArgs)
 
+	if err != nil {
 
+		return err
 
+	}
 
+
 
+	expStr := fmt.Sprintf("Role %s updated", rolename)
 
+	_, err = proc.Expect(expStr)
 
+	return err
 
+}
 
+
 
+func ctlV3RoleRevokePermission(cx ctlCtx, rolename string, key, rangeEnd string) error {
 
+	cmdArgs := append(cx.PrefixArgs(), "role", "revoke-permission")
 
+	cmdArgs = append(cmdArgs, rolename)
 
+	cmdArgs = append(cmdArgs, key)
 
+	if len(rangeEnd) != 0 {
 
+		cmdArgs = append(cmdArgs, rangeEnd)
 
+	}
 
+
 
+	proc, err := spawnCmd(cmdArgs)
 
+	if err != nil {
 
+		return err
 
+	}
 
+
 
+	expStr := fmt.Sprintf("Permission of key %s is revoked from role %s", key, rolename)
 
+	_, err = proc.Expect(expStr)
 
+	return err
 
+}
 
+
 
+type grantingPerm struct {
 
+	read     bool
 
+	write    bool
 
+	key      string
 
+	rangeEnd string
 
+}
 
+
 
+func grantingPermToArgs(perm grantingPerm) []string {
 
+	permstr := ""
 
+
 
+	if perm.read {
 
+		permstr += "read"
 
+	}
 
+
 
+	if perm.write {
 
+		permstr += "write"
 
+	}
 
+
 
+	if len(permstr) == 0 {
 
+		panic("invalid granting permission")
 
+	}
 
+
 
+	if len(perm.rangeEnd) == 0 {
 
+		return []string{permstr, perm.key}
 
+	}
 
+	return []string{permstr, perm.key, perm.rangeEnd}
 
+}