Strona główna Odkrywaj Pomoc
Zarejestruj się Zaloguj się
publics
/
etcd-io__etcd
0
0
Forkuj 0
Pliki Problemy 0 Oczekujące zmiany 0 Wiki
Drzewo: e13c8942c3
Gałęzie Tagi
etcd-io__etcd
/
e2e
/
ctl_v3_auth_test.go

ctl_v3_auth_test.go 15 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545 
  1. // Copyright 2016 The etcd Authors
    2. 

  2. //
    3. 

  3. // Licensed under the Apache License, Version 2.0 (the "License");
    4. 

  4. // you may not use this file except in compliance with the License.
    5. 

  5. // You may obtain a copy of the License at
    6. 

  6. //
    7. 

  7. //     http://www.apache.org/licenses/LICENSE-2.0
    8. 

  8. //
    9. 

  9. // Unless required by applicable law or agreed to in writing, software
    10. 

  10. // distributed under the License is distributed on an "AS IS" BASIS,
    11. 

  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12. 

  12. // See the License for the specific language governing permissions and
    13. 

  13. // limitations under the License.
    14. 

  14. 

  15. package e2e
    16. 

  16. 

  17. import (
    18. 

  18. 	"fmt"
    19. 

  19. 	"testing"
    20. 

  20. 

  21. 	"github.com/coreos/etcd/clientv3"
    22. 

  22. )
    23. 

  23. 

  24. func TestCtlV3AuthEnable(t *testing.T)              { testCtl(t, authEnableTest) }
    25. 

  25. func TestCtlV3AuthDisable(t *testing.T)             { testCtl(t, authDisableTest) }
    26. 

  26. func TestCtlV3AuthWriteKey(t *testing.T)            { testCtl(t, authCredWriteKeyTest) }
    27. 

  27. func TestCtlV3AuthRoleUpdate(t *testing.T)          { testCtl(t, authRoleUpdateTest) }
    28. 

  28. func TestCtlV3AuthUserDeleteDuringOps(t *testing.T) { testCtl(t, authUserDeleteDuringOpsTest) }
    29. 

  29. func TestCtlV3AuthRoleRevokeDuringOps(t *testing.T) { testCtl(t, authRoleRevokeDuringOpsTest) }
    30. 

  30. func TestCtlV3AuthTxn(t *testing.T)                 { testCtl(t, authTestTxn) }
    31. 

  31. func TestCtlV3AuthPerfixPerm(t *testing.T)          { testCtl(t, authTestPrefixPerm) }
    32. 

  32. func TestCtlV3AuthMemberAdd(t *testing.T)           { testCtl(t, authTestMemberAdd) }
    33. 

  33. func TestCtlV3AuthMemberRemove(t *testing.T) {
    34. 

  34. 	testCtl(t, authTestMemberRemove, withQuorum(), withNoStrictReconfig())
    35. 

  35. }
    36. 

  36. func TestCtlV3AuthMemberUpdate(t *testing.T) { testCtl(t, authTestMemberUpdate) }
    37. 

  37. 

  38. func authEnableTest(cx ctlCtx) {
    39. 

  39. 	if err := authEnable(cx); err != nil {
    40. 

  40. 		cx.t.Fatal(err)
    41. 

  41. 	}
    42. 

  42. }
    43. 

  43. 

  44. func authEnable(cx ctlCtx) error {
    45. 

  45. 	// create root user with root role
    46. 

  46. 	if err := ctlV3User(cx, []string{"add", "root", "--interactive=false"}, "User root created", []string{"root"}); err != nil {
    47. 

  47. 		return fmt.Errorf("failed to create root user %v", err)
    48. 

  48. 	}
    49. 

  49. 	if err := ctlV3User(cx, []string{"grant-role", "root", "root"}, "Role root is granted to user root", nil); err != nil {
    50. 

  50. 		return fmt.Errorf("failed to grant root user root role %v", err)
    51. 

  51. 	}
    52. 

  52. 	if err := ctlV3AuthEnable(cx); err != nil {
    53. 

  53. 		return fmt.Errorf("authEnableTest ctlV3AuthEnable error (%v)", err)
    54. 

  54. 	}
    55. 

  55. 	return nil
    56. 

  56. }
    57. 

  57. 

  58. func ctlV3AuthEnable(cx ctlCtx) error {
    59. 

  59. 	cmdArgs := append(cx.PrefixArgs(), "auth", "enable")
    60. 

  60. 	return spawnWithExpect(cmdArgs, "Authentication Enabled")
    61. 

  61. }
    62. 

  62. 

  63. func authDisableTest(cx ctlCtx) {
    64. 

  64. 	// a key that isn't granted to test-user
    65. 

  65. 	if err := ctlV3Put(cx, "hoo", "a", ""); err != nil {
    66. 

  66. 		cx.t.Fatal(err)
    67. 

  67. 	}
    68. 

  68. 

  69. 	if err := authEnable(cx); err != nil {
    70. 

  70. 		cx.t.Fatal(err)
    71. 

  71. 	}
    72. 

  72. 

  73. 	cx.user, cx.pass = "root", "root"
    74. 

  74. 	authSetupTestUser(cx)
    75. 

  75. 

  76. 	// test-user doesn't have the permission, it must fail
    77. 

  77. 	cx.user, cx.pass = "test-user", "pass"
    78. 

  78. 	if err := ctlV3PutFailPerm(cx, "hoo", "bar"); err != nil {
    79. 

  79. 		cx.t.Fatal(err)
    80. 

  80. 	}
    81. 

  81. 

  82. 	cx.user, cx.pass = "root", "root"
    83. 

  83. 	if err := ctlV3AuthDisable(cx); err != nil {
    84. 

  84. 		cx.t.Fatalf("authDisableTest ctlV3AuthDisable error (%v)", err)
    85. 

  85. 	}
    86. 

  86. 

  87. 	// now auth fails unconditionally, note that failed RPC is Authenticate(), not Put()
    88. 

  88. 	cx.user, cx.pass = "test-user", "pass"
    89. 

  89. 	if err := ctlV3PutFailAuthDisabled(cx, "hoo", "bar"); err != nil {
    90. 

  90. 		cx.t.Fatal(err)
    91. 

  91. 	}
    92. 

  92. 

  93. 	// now the key can be accessed
    94. 

  94. 	cx.user, cx.pass = "", ""
    95. 

  95. 	if err := ctlV3Put(cx, "hoo", "bar", ""); err != nil {
    96. 

  96. 		cx.t.Fatal(err)
    97. 

  97. 	}
    98. 

  98. 	// confirm put succeeded
    99. 

  99. 	if err := ctlV3Get(cx, []string{"hoo"}, []kv{{"hoo", "bar"}}...); err != nil {
    100. 

  100. 		cx.t.Fatal(err)
    101. 

  101. 	}
    102. 

  102. }
    103. 

  103. 

  104. func ctlV3AuthDisable(cx ctlCtx) error {
    105. 

  105. 	cmdArgs := append(cx.PrefixArgs(), "auth", "disable")
    106. 

  106. 	return spawnWithExpect(cmdArgs, "Authentication Disabled")
    107. 

  107. }
    108. 

  108. 

  109. func authCredWriteKeyTest(cx ctlCtx) {
    110. 

  110. 	// baseline key to check for failed puts
    111. 

  111. 	if err := ctlV3Put(cx, "foo", "a", ""); err != nil {
    112. 

  112. 		cx.t.Fatal(err)
    113. 

  113. 	}
    114. 

  114. 

  115. 	if err := authEnable(cx); err != nil {
    116. 

  116. 		cx.t.Fatal(err)
    117. 

  117. 	}
    118. 

  118. 

  119. 	cx.user, cx.pass = "root", "root"
    120. 

  120. 	authSetupTestUser(cx)
    121. 

  121. 

  122. 	// confirm root role can access to all keys
    123. 

  123. 	if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
    124. 

  124. 		cx.t.Fatal(err)
    125. 

  125. 	}
    126. 

  126. 	if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil {
    127. 

  127. 		cx.t.Fatal(err)
    128. 

  128. 	}
    129. 

  129. 

  130. 	// try invalid user
    131. 

  131. 	cx.user, cx.pass = "a", "b"
    132. 

  132. 	if err := ctlV3PutFailAuth(cx, "foo", "bar"); err != nil {
    133. 

  133. 		cx.t.Fatal(err)
    134. 

  134. 	}
    135. 

  135. 	// confirm put failed
    136. 

  136. 	cx.user, cx.pass = "test-user", "pass"
    137. 

  137. 	if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil {
    138. 

  138. 		cx.t.Fatal(err)
    139. 

  139. 	}
    140. 

  140. 

  141. 	// try good user
    142. 

  142. 	cx.user, cx.pass = "test-user", "pass"
    143. 

  143. 	if err := ctlV3Put(cx, "foo", "bar2", ""); err != nil {
    144. 

  144. 		cx.t.Fatal(err)
    145. 

  145. 	}
    146. 

  146. 	// confirm put succeeded
    147. 

  147. 	if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar2"}}...); err != nil {
    148. 

  148. 		cx.t.Fatal(err)
    149. 

  149. 	}
    150. 

  150. 

  151. 	// try bad password
    152. 

  152. 	cx.user, cx.pass = "test-user", "badpass"
    153. 

  153. 	if err := ctlV3PutFailAuth(cx, "foo", "baz"); err != nil {
    154. 

  154. 		cx.t.Fatal(err)
    155. 

  155. 	}
    156. 

  156. 	// confirm put failed
    157. 

  157. 	cx.user, cx.pass = "test-user", "pass"
    158. 

  158. 	if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar2"}}...); err != nil {
    159. 

  159. 		cx.t.Fatal(err)
    160. 

  160. 	}
    161. 

  161. }
    162. 

  162. 

  163. func authRoleUpdateTest(cx ctlCtx) {
    164. 

  164. 	if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
    165. 

  165. 		cx.t.Fatal(err)
    166. 

  166. 	}
    167. 

  167. 

  168. 	if err := authEnable(cx); err != nil {
    169. 

  169. 		cx.t.Fatal(err)
    170. 

  170. 	}
    171. 

  171. 

  172. 	cx.user, cx.pass = "root", "root"
    173. 

  173. 	authSetupTestUser(cx)
    174. 

  174. 

  175. 	// try put to not granted key
    176. 

  176. 	cx.user, cx.pass = "test-user", "pass"
    177. 

  177. 	if err := ctlV3PutFailPerm(cx, "hoo", "bar"); err != nil {
    178. 

  178. 		cx.t.Fatal(err)
    179. 

  179. 	}
    180. 

  180. 

  181. 	// grant a new key
    182. 

  182. 	cx.user, cx.pass = "root", "root"
    183. 

  183. 	if err := ctlV3RoleGrantPermission(cx, "test-role", grantingPerm{true, true, "hoo", "", false}); err != nil {
    184. 

  184. 		cx.t.Fatal(err)
    185. 

  185. 	}
    186. 

  186. 

  187. 	// try a newly granted key
    188. 

  188. 	cx.user, cx.pass = "test-user", "pass"
    189. 

  189. 	if err := ctlV3Put(cx, "hoo", "bar", ""); err != nil {
    190. 

  190. 		cx.t.Fatal(err)
    191. 

  191. 	}
    192. 

  192. 	// confirm put succeeded
    193. 

  193. 	if err := ctlV3Get(cx, []string{"hoo"}, []kv{{"hoo", "bar"}}...); err != nil {
    194. 

  194. 		cx.t.Fatal(err)
    195. 

  195. 	}
    196. 

  196. 

  197. 	// revoke the newly granted key
    198. 

  198. 	cx.user, cx.pass = "root", "root"
    199. 

  199. 	if err := ctlV3RoleRevokePermission(cx, "test-role", "hoo", ""); err != nil {
    200. 

  200. 		cx.t.Fatal(err)
    201. 

  201. 	}
    202. 

  202. 

  203. 	// try put to the revoked key
    204. 

  204. 	cx.user, cx.pass = "test-user", "pass"
    205. 

  205. 	if err := ctlV3PutFailPerm(cx, "hoo", "bar"); err != nil {
    206. 

  206. 		cx.t.Fatal(err)
    207. 

  207. 	}
    208. 

  208. 

  209. 	// confirm a key still granted can be accessed
    210. 

  210. 	if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil {
    211. 

  211. 		cx.t.Fatal(err)
    212. 

  212. 	}
    213. 

  213. }
    214. 

  214. 

  215. func authUserDeleteDuringOpsTest(cx ctlCtx) {
    216. 

  216. 	if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
    217. 

  217. 		cx.t.Fatal(err)
    218. 

  218. 	}
    219. 

  219. 

  220. 	if err := authEnable(cx); err != nil {
    221. 

  221. 		cx.t.Fatal(err)
    222. 

  222. 	}
    223. 

  223. 

  224. 	cx.user, cx.pass = "root", "root"
    225. 

  225. 	authSetupTestUser(cx)
    226. 

  226. 

  227. 	// create a key
    228. 

  228. 	cx.user, cx.pass = "test-user", "pass"
    229. 

  229. 	if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
    230. 

  230. 		cx.t.Fatal(err)
    231. 

  231. 	}
    232. 

  232. 	// confirm put succeeded
    233. 

  233. 	if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil {
    234. 

  234. 		cx.t.Fatal(err)
    235. 

  235. 	}
    236. 

  236. 

  237. 	// delete the user
    238. 

  238. 	cx.user, cx.pass = "root", "root"
    239. 

  239. 	err := ctlV3User(cx, []string{"delete", "test-user"}, "User test-user deleted", []string{})
    240. 

  240. 	if err != nil {
    241. 

  241. 		cx.t.Fatal(err)
    242. 

  242. 	}
    243. 

  243. 

  244. 	// check the user is deleted
    245. 

  245. 	cx.user, cx.pass = "test-user", "pass"
    246. 

  246. 	if err := ctlV3PutFailAuth(cx, "foo", "baz"); err != nil {
    247. 

  247. 		cx.t.Fatal(err)
    248. 

  248. 	}
    249. 

  249. }
    250. 

  250. 

  251. func authRoleRevokeDuringOpsTest(cx ctlCtx) {
    252. 

  252. 	if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
    253. 

  253. 		cx.t.Fatal(err)
    254. 

  254. 	}
    255. 

  255. 

  256. 	if err := authEnable(cx); err != nil {
    257. 

  257. 		cx.t.Fatal(err)
    258. 

  258. 	}
    259. 

  259. 

  260. 	cx.user, cx.pass = "root", "root"
    261. 

  261. 	authSetupTestUser(cx)
    262. 

  262. 

  263. 	// create a key
    264. 

  264. 	cx.user, cx.pass = "test-user", "pass"
    265. 

  265. 	if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
    266. 

  266. 		cx.t.Fatal(err)
    267. 

  267. 	}
    268. 

  268. 	// confirm put succeeded
    269. 

  269. 	if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil {
    270. 

  270. 		cx.t.Fatal(err)
    271. 

  271. 	}
    272. 

  272. 

  273. 	// create a new role
    274. 

  274. 	cx.user, cx.pass = "root", "root"
    275. 

  275. 	if err := ctlV3Role(cx, []string{"add", "test-role2"}, "Role test-role2 created"); err != nil {
    276. 

  276. 		cx.t.Fatal(err)
    277. 

  277. 	}
    278. 

  278. 	// grant a new key to the new role
    279. 

  279. 	if err := ctlV3RoleGrantPermission(cx, "test-role2", grantingPerm{true, true, "hoo", "", false}); err != nil {
    280. 

  280. 		cx.t.Fatal(err)
    281. 

  281. 	}
    282. 

  282. 	// grant the new role to the user
    283. 

  283. 	if err := ctlV3User(cx, []string{"grant-role", "test-user", "test-role2"}, "Role test-role2 is granted to user test-user", nil); err != nil {
    284. 

  284. 		cx.t.Fatal(err)
    285. 

  285. 	}
    286. 

  286. 

  287. 	// try a newly granted key
    288. 

  288. 	cx.user, cx.pass = "test-user", "pass"
    289. 

  289. 	if err := ctlV3Put(cx, "hoo", "bar", ""); err != nil {
    290. 

  290. 		cx.t.Fatal(err)
    291. 

  291. 	}
    292. 

  292. 	// confirm put succeeded
    293. 

  293. 	if err := ctlV3Get(cx, []string{"hoo"}, []kv{{"hoo", "bar"}}...); err != nil {
    294. 

  294. 		cx.t.Fatal(err)
    295. 

  295. 	}
    296. 

  296. 

  297. 	// revoke a role from the user
    298. 

  298. 	cx.user, cx.pass = "root", "root"
    299. 

  299. 	err := ctlV3User(cx, []string{"revoke-role", "test-user", "test-role"}, "Role test-role is revoked from user test-user", []string{})
    300. 

  300. 	if err != nil {
    301. 

  301. 		cx.t.Fatal(err)
    302. 

  302. 	}
    303. 

  303. 

  304. 	// check the role is revoked and permission is lost from the user
    305. 

  305. 	cx.user, cx.pass = "test-user", "pass"
    306. 

  306. 	if err := ctlV3PutFailPerm(cx, "foo", "baz"); err != nil {
    307. 

  307. 		cx.t.Fatal(err)
    308. 

  308. 	}
    309. 

  309. 

  310. 	// try a key that can be accessed from the remaining role
    311. 

  311. 	cx.user, cx.pass = "test-user", "pass"
    312. 

  312. 	if err := ctlV3Put(cx, "hoo", "bar2", ""); err != nil {
    313. 

  313. 		cx.t.Fatal(err)
    314. 

  314. 	}
    315. 

  315. 	// confirm put succeeded
    316. 

  316. 	if err := ctlV3Get(cx, []string{"hoo"}, []kv{{"hoo", "bar2"}}...); err != nil {
    317. 

  317. 		cx.t.Fatal(err)
    318. 

  318. 	}
    319. 

  319. }
    320. 

  320. 

  321. func ctlV3PutFailAuth(cx ctlCtx, key, val string) error {
    322. 

  322. 	return spawnWithExpect(append(cx.PrefixArgs(), "put", key, val), "authentication failed")
    323. 

  323. }
    324. 

  324. 

  325. func ctlV3PutFailPerm(cx ctlCtx, key, val string) error {
    326. 

  326. 	return spawnWithExpect(append(cx.PrefixArgs(), "put", key, val), "permission denied")
    327. 

  327. }
    328. 

  328. 

  329. func ctlV3PutFailAuthDisabled(cx ctlCtx, key, val string) error {
    330. 

  330. 	return spawnWithExpect(append(cx.PrefixArgs(), "put", key, val), "authentication is not enabled")
    331. 

  331. }
    332. 

  332. 

  333. func authSetupTestUser(cx ctlCtx) {
    334. 

  334. 	if err := ctlV3User(cx, []string{"add", "test-user", "--interactive=false"}, "User test-user created", []string{"pass"}); err != nil {
    335. 

  335. 		cx.t.Fatal(err)
    336. 

  336. 	}
    337. 

  337. 	if err := spawnWithExpect(append(cx.PrefixArgs(), "role", "add", "test-role"), "Role test-role created"); err != nil {
    338. 

  338. 		cx.t.Fatal(err)
    339. 

  339. 	}
    340. 

  340. 	if err := ctlV3User(cx, []string{"grant-role", "test-user", "test-role"}, "Role test-role is granted to user test-user", nil); err != nil {
    341. 

  341. 		cx.t.Fatal(err)
    342. 

  342. 	}
    343. 

  343. 	cmd := append(cx.PrefixArgs(), "role", "grant-permission", "test-role", "readwrite", "foo")
    344. 

  344. 	if err := spawnWithExpect(cmd, "Role test-role updated"); err != nil {
    345. 

  345. 		cx.t.Fatal(err)
    346. 

  346. 	}
    347. 

  347. }
    348. 

  348. 

  349. func authTestTxn(cx ctlCtx) {
    350. 

  350. 	// keys with 1 suffix aren't granted to test-user
    351. 

  351. 	// keys with 2 suffix are granted to test-user
    352. 

  352. 

  353. 	keys := []string{"c1", "s1", "f1"}
    354. 

  354. 	grantedKeys := []string{"c2", "s2", "f2"}
    355. 

  355. 	for _, key := range keys {
    356. 

  356. 		if err := ctlV3Put(cx, key, "v", ""); err != nil {
    357. 

  357. 			cx.t.Fatal(err)
    358. 

  358. 		}
    359. 

  359. 	}
    360. 

  360. 

  361. 	for _, key := range grantedKeys {
    362. 

  362. 		if err := ctlV3Put(cx, key, "v", ""); err != nil {
    363. 

  363. 			cx.t.Fatal(err)
    364. 

  364. 		}
    365. 

  365. 	}
    366. 

  366. 

  367. 	if err := authEnable(cx); err != nil {
    368. 

  368. 		cx.t.Fatal(err)
    369. 

  369. 	}
    370. 

  370. 

  371. 	cx.user, cx.pass = "root", "root"
    372. 

  372. 	authSetupTestUser(cx)
    373. 

  373. 

  374. 	// grant keys to test-user
    375. 

  375. 	cx.user, cx.pass = "root", "root"
    376. 

  376. 	for _, key := range grantedKeys {
    377. 

  377. 		if err := ctlV3RoleGrantPermission(cx, "test-role", grantingPerm{true, true, key, "", false}); err != nil {
    378. 

  378. 			cx.t.Fatal(err)
    379. 

  379. 		}
    380. 

  380. 	}
    381. 

  381. 

  382. 	// now test txn
    383. 

  383. 	cx.interactive = true
    384. 

  384. 	cx.user, cx.pass = "test-user", "pass"
    385. 

  385. 

  386. 	rqs := txnRequests{
    387. 

  387. 		compare:  []string{`version("c2") = "1"`},
    388. 

  388. 		ifSucess: []string{"get s2"},
    389. 

  389. 		ifFail:   []string{"get f2"},
    390. 

  390. 		results:  []string{"SUCCESS", "s2", "v"},
    391. 

  391. 	}
    392. 

  392. 	if err := ctlV3Txn(cx, rqs); err != nil {
    393. 

  393. 		cx.t.Fatal(err)
    394. 

  394. 	}
    395. 

  395. 

  396. 	// a key of compare case isn't granted
    397. 

  397. 	rqs = txnRequests{
    398. 

  398. 		compare:  []string{`version("c1") = "1"`},
    399. 

  399. 		ifSucess: []string{"get s2"},
    400. 

  400. 		ifFail:   []string{"get f2"},
    401. 

  401. 		results:  []string{"Error:  etcdserver: permission denied"},
    402. 

  402. 	}
    403. 

  403. 	if err := ctlV3Txn(cx, rqs); err != nil {
    404. 

  404. 		cx.t.Fatal(err)
    405. 

  405. 	}
    406. 

  406. 

  407. 	// a key of success case isn't granted
    408. 

  408. 	rqs = txnRequests{
    409. 

  409. 		compare:  []string{`version("c2") = "1"`},
    410. 

  410. 		ifSucess: []string{"get s1"},
    411. 

  411. 		ifFail:   []string{"get f2"},
    412. 

  412. 		results:  []string{"Error:  etcdserver: permission denied"},
    413. 

  413. 	}
    414. 

  414. 	if err := ctlV3Txn(cx, rqs); err != nil {
    415. 

  415. 		cx.t.Fatal(err)
    416. 

  416. 	}
    417. 

  417. 

  418. 	// a key of failure case isn't granted
    419. 

  419. 	rqs = txnRequests{
    420. 

  420. 		compare:  []string{`version("c2") = "1"`},
    421. 

  421. 		ifSucess: []string{"get s2"},
    422. 

  422. 		ifFail:   []string{"get f1"},
    423. 

  423. 		results:  []string{"Error:  etcdserver: permission denied"},
    424. 

  424. 	}
    425. 

  425. 	if err := ctlV3Txn(cx, rqs); err != nil {
    426. 

  426. 		cx.t.Fatal(err)
    427. 

  427. 	}
    428. 

  428. }
    429. 

  429. 

  430. func authTestPrefixPerm(cx ctlCtx) {
    431. 

  431. 	if err := authEnable(cx); err != nil {
    432. 

  432. 		cx.t.Fatal(err)
    433. 

  433. 	}
    434. 

  434. 

  435. 	cx.user, cx.pass = "root", "root"
    436. 

  436. 	authSetupTestUser(cx)
    437. 

  437. 

  438. 	prefix := "/prefix/" // directory like prefix
    439. 

  439. 	// grant keys to test-user
    440. 

  440. 	cx.user, cx.pass = "root", "root"
    441. 

  441. 	if err := ctlV3RoleGrantPermission(cx, "test-role", grantingPerm{true, true, prefix, "", true}); err != nil {
    442. 

  442. 		cx.t.Fatal(err)
    443. 

  443. 	}
    444. 

  444. 

  445. 	// try a prefix granted permission
    446. 

  446. 	cx.user, cx.pass = "test-user", "pass"
    447. 

  447. 	for i := 0; i < 10; i++ {
    448. 

  448. 		key := fmt.Sprintf("%s%d", prefix, i)
    449. 

  449. 		if err := ctlV3Put(cx, key, "val", ""); err != nil {
    450. 

  450. 			cx.t.Fatal(err)
    451. 

  451. 		}
    452. 

  452. 	}
    453. 

  453. 

  454. 	if err := ctlV3PutFailPerm(cx, clientv3.GetPrefixRangeEnd(prefix), "baz"); err != nil {
    455. 

  455. 		cx.t.Fatal(err)
    456. 

  456. 	}
    457. 

  457. }
    458. 

  458. 

  459. func authTestMemberAdd(cx ctlCtx) {
    460. 

  460. 	if err := authEnable(cx); err != nil {
    461. 

  461. 		cx.t.Fatal(err)
    462. 

  462. 	}
    463. 

  463. 

  464. 	cx.user, cx.pass = "root", "root"
    465. 

  465. 	authSetupTestUser(cx)
    466. 

  466. 

  467. 	peerURL := fmt.Sprintf("http://localhost:%d", etcdProcessBasePort+11)
    468. 

  468. 	// ordinal user cannot add a new member
    469. 

  469. 	cx.user, cx.pass = "test-user", "pass"
    470. 

  470. 	if err := ctlV3MemberAdd(cx, peerURL); err == nil {
    471. 

  471. 		cx.t.Fatalf("ordinal user must not be allowed to add a member")
    472. 

  472. 	}
    473. 

  473. 

  474. 	// root can add a new member
    475. 

  475. 	cx.user, cx.pass = "root", "root"
    476. 

  476. 	if err := ctlV3MemberAdd(cx, peerURL); err != nil {
    477. 

  477. 		cx.t.Fatal(err)
    478. 

  478. 	}
    479. 

  479. }
    480. 

  480. 

  481. func authTestMemberRemove(cx ctlCtx) {
    482. 

  482. 	if err := authEnable(cx); err != nil {
    483. 

  483. 		cx.t.Fatal(err)
    484. 

  484. 	}
    485. 

  485. 

  486. 	cx.user, cx.pass = "root", "root"
    487. 

  487. 	authSetupTestUser(cx)
    488. 

  488. 

  489. 	n1 := cx.cfg.clusterSize
    490. 

  490. 	if n1 < 2 {
    491. 

  491. 		cx.t.Fatalf("%d-node is too small to test 'member remove'", n1)
    492. 

  492. 	}
    493. 

  493. 	resp, err := getMemberList(cx)
    494. 

  494. 	if err != nil {
    495. 

  495. 		cx.t.Fatal(err)
    496. 

  496. 	}
    497. 

  497. 	if n1 != len(resp.Members) {
    498. 

  498. 		cx.t.Fatalf("expected %d, got %d", n1, len(resp.Members))
    499. 

  499. 	}
    500. 

  500. 

  501. 	var (
    502. 

  502. 		memIDToRemove = fmt.Sprintf("%x", resp.Header.MemberId)
    503. 

  503. 		clusterID     = fmt.Sprintf("%x", resp.Header.ClusterId)
    504. 

  504. 	)
    505. 

  505. 

  506. 	// ordinal user cannot remove a member
    507. 

  507. 	cx.user, cx.pass = "test-user", "pass"
    508. 

  508. 	if err = ctlV3MemberRemove(cx, memIDToRemove, clusterID); err == nil {
    509. 

  509. 		cx.t.Fatalf("ordinal user must not be allowed to remove a member")
    510. 

  510. 	}
    511. 

  511. 

  512. 	// root can remove a member
    513. 

  513. 	cx.user, cx.pass = "root", "root"
    514. 

  514. 	if err = ctlV3MemberRemove(cx, memIDToRemove, clusterID); err != nil {
    515. 

  515. 		cx.t.Fatal(err)
    516. 

  516. 	}
    517. 

  517. }
    518. 

  518. 

  519. func authTestMemberUpdate(cx ctlCtx) {
    520. 

  520. 	if err := authEnable(cx); err != nil {
    521. 

  521. 		cx.t.Fatal(err)
    522. 

  522. 	}
    523. 

  523. 

  524. 	cx.user, cx.pass = "root", "root"
    525. 

  525. 	authSetupTestUser(cx)
    526. 

  526. 

  527. 	mr, err := getMemberList(cx)
    528. 

  528. 	if err != nil {
    529. 

  529. 		cx.t.Fatal(err)
    530. 

  530. 	}
    531. 

  531. 

  532. 	// ordinal user cannot update a member
    533. 

  533. 	cx.user, cx.pass = "test-user", "pass"
    534. 

  534. 	peerURL := fmt.Sprintf("http://localhost:%d", etcdProcessBasePort+11)
    535. 

  535. 	memberID := fmt.Sprintf("%x", mr.Members[0].ID)
    536. 

  536. 	if err = ctlV3MemberUpdate(cx, memberID, peerURL); err == nil {
    537. 

  537. 		cx.t.Fatalf("ordinal user must not be allowed to update a member")
    538. 

  538. 	}
    539. 

  539. 

  540. 	// root can update a member
    541. 

  541. 	cx.user, cx.pass = "root", "root"
    542. 

  542. 	if err = ctlV3MemberUpdate(cx, memberID, peerURL); err != nil {
    543. 

  543. 		cx.t.Fatal(err)
    544. 

  544. 	}
    545. 

  545. }
    546.