ctl_v3_role_test.go 4.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179
  1. // Copyright 2016 The etcd Authors
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. //
  7. // http://www.apache.org/licenses/LICENSE-2.0
  8. //
  9. // Unless required by applicable law or agreed to in writing, software
  10. // distributed under the License is distributed on an "AS IS" BASIS,
  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. // See the License for the specific language governing permissions and
  13. // limitations under the License.
  14. package e2e
  15. import (
  16. "fmt"
  17. "testing"
  18. )
  19. func TestCtlV3RoleAdd(t *testing.T) { testCtl(t, roleAddTest) }
  20. func TestCtlV3RoleAddNoTLS(t *testing.T) { testCtl(t, roleAddTest, withCfg(configNoTLS)) }
  21. func TestCtlV3RoleAddClientTLS(t *testing.T) { testCtl(t, roleAddTest, withCfg(configClientTLS)) }
  22. func TestCtlV3RoleAddPeerTLS(t *testing.T) { testCtl(t, roleAddTest, withCfg(configPeerTLS)) }
  23. func TestCtlV3RoleAddTimeout(t *testing.T) { testCtl(t, roleAddTest, withDialTimeout(0)) }
  24. func TestCtlV3RoleGrant(t *testing.T) { testCtl(t, roleGrantTest) }
  25. func roleAddTest(cx ctlCtx) {
  26. cmdSet := []struct {
  27. args []string
  28. expectedStr string
  29. }{
  30. // Add a role.
  31. {
  32. args: []string{"add", "root"},
  33. expectedStr: "Role root created",
  34. },
  35. // Try adding the same role.
  36. {
  37. args: []string{"add", "root"},
  38. expectedStr: "role name already exists",
  39. },
  40. }
  41. for i, cmd := range cmdSet {
  42. if err := ctlV3Role(cx, cmd.args, cmd.expectedStr); err != nil {
  43. if cx.dialTimeout > 0 && !isGRPCTimedout(err) {
  44. cx.t.Fatalf("roleAddTest #%d: ctlV3Role error (%v)", i, err)
  45. }
  46. }
  47. }
  48. }
  49. func roleGrantTest(cx ctlCtx) {
  50. cmdSet := []struct {
  51. args []string
  52. expectedStr string
  53. }{
  54. // Add a role.
  55. {
  56. args: []string{"add", "root"},
  57. expectedStr: "Role root created",
  58. },
  59. // Grant read permission to the role.
  60. {
  61. args: []string{"grant", "root", "read", "foo"},
  62. expectedStr: "Role root updated",
  63. },
  64. // Grant write permission to the role.
  65. {
  66. args: []string{"grant", "root", "write", "foo"},
  67. expectedStr: "Role root updated",
  68. },
  69. // Grant rw permission to the role.
  70. {
  71. args: []string{"grant", "root", "readwrite", "foo"},
  72. expectedStr: "Role root updated",
  73. },
  74. // Try granting invalid permission to the role.
  75. {
  76. args: []string{"grant", "root", "123", "foo"},
  77. expectedStr: "invalid permission type",
  78. },
  79. }
  80. for i, cmd := range cmdSet {
  81. if err := ctlV3Role(cx, cmd.args, cmd.expectedStr); err != nil {
  82. cx.t.Fatalf("roleGrantTest #%d: ctlV3Role error (%v)", i, err)
  83. }
  84. }
  85. }
  86. func ctlV3Role(cx ctlCtx, args []string, expStr string) error {
  87. cmdArgs := append(cx.PrefixArgs(), "role")
  88. cmdArgs = append(cmdArgs, args...)
  89. return spawnWithExpect(cmdArgs, expStr)
  90. }
  91. func ctlV3RoleGrantPermission(cx ctlCtx, rolename string, perm grantingPerm) error {
  92. cmdArgs := append(cx.PrefixArgs(), "role", "grant-permission")
  93. if perm.prefix {
  94. cmdArgs = append(cmdArgs, "--prefix")
  95. } else if len(perm.rangeEnd) == 1 && perm.rangeEnd[0] == '\x00' {
  96. cmdArgs = append(cmdArgs, "--from-key")
  97. }
  98. cmdArgs = append(cmdArgs, rolename)
  99. cmdArgs = append(cmdArgs, grantingPermToArgs(perm)...)
  100. proc, err := spawnCmd(cmdArgs)
  101. if err != nil {
  102. return err
  103. }
  104. expStr := fmt.Sprintf("Role %s updated", rolename)
  105. _, err = proc.Expect(expStr)
  106. return err
  107. }
  108. func ctlV3RoleRevokePermission(cx ctlCtx, rolename string, key, rangeEnd string, fromKey bool) error {
  109. cmdArgs := append(cx.PrefixArgs(), "role", "revoke-permission")
  110. cmdArgs = append(cmdArgs, rolename)
  111. cmdArgs = append(cmdArgs, key)
  112. var expStr string
  113. if len(rangeEnd) != 0 {
  114. cmdArgs = append(cmdArgs, rangeEnd)
  115. expStr = fmt.Sprintf("Permission of range [%s, %s) is revoked from role %s", key, rangeEnd, rolename)
  116. } else if fromKey {
  117. cmdArgs = append(cmdArgs, "--from-key")
  118. expStr = fmt.Sprintf("Permission of range [%s, <open ended> is revoked from role %s", key, rolename)
  119. } else {
  120. expStr = fmt.Sprintf("Permission of key %s is revoked from role %s", key, rolename)
  121. }
  122. proc, err := spawnCmd(cmdArgs)
  123. if err != nil {
  124. return err
  125. }
  126. _, err = proc.Expect(expStr)
  127. return err
  128. }
  129. type grantingPerm struct {
  130. read bool
  131. write bool
  132. key string
  133. rangeEnd string
  134. prefix bool
  135. }
  136. func grantingPermToArgs(perm grantingPerm) []string {
  137. permstr := ""
  138. if perm.read {
  139. permstr += "read"
  140. }
  141. if perm.write {
  142. permstr += "write"
  143. }
  144. if len(permstr) == 0 {
  145. panic("invalid granting permission")
  146. }
  147. if len(perm.rangeEnd) == 0 {
  148. return []string{permstr, perm.key}
  149. }
  150. if len(perm.rangeEnd) == 1 && perm.rangeEnd[0] == '\x00' {
  151. return []string{permstr, perm.key}
  152. }
  153. return []string{permstr, perm.key, perm.rangeEnd}
  154. }