diff --git a/e2e/ctl_v3_auth_test.go b/e2e/ctl_v3_auth_test.go index 3cfb74a92b7..4d000c9c090 100644 --- a/e2e/ctl_v3_auth_test.go +++ b/e2e/ctl_v3_auth_test.go @@ -19,10 +19,12 @@ import ( "testing" ) -func TestCtlV3AuthEnable(t *testing.T) { testCtl(t, authEnableTest) } -func TestCtlV3AuthDisable(t *testing.T) { testCtl(t, authDisableTest) } -func TestCtlV3AuthWriteKey(t *testing.T) { testCtl(t, authCredWriteKeyTest) } -func TestCtlV3AuthRoleUpdate(t *testing.T) { testCtl(t, authRoleUpdateTest) } +func TestCtlV3AuthEnable(t *testing.T) { testCtl(t, authEnableTest) } +func TestCtlV3AuthDisable(t *testing.T) { testCtl(t, authDisableTest) } +func TestCtlV3AuthWriteKey(t *testing.T) { testCtl(t, authCredWriteKeyTest) } +func TestCtlV3AuthRoleUpdate(t *testing.T) { testCtl(t, authRoleUpdateTest) } +func TestCtlV3AuthUserDeleteDuringOps(t *testing.T) { testCtl(t, authUserDeleteDuringOpsTest) } +func TestCtlV3AuthRoleRevokeDuringOps(t *testing.T) { testCtl(t, authRoleRevokeDuringOpsTest) } func authEnableTest(cx ctlCtx) { if err := authEnable(cx); err != nil { @@ -166,6 +168,112 @@ func authRoleUpdateTest(cx ctlCtx) { } } +func authUserDeleteDuringOpsTest(cx ctlCtx) { + if err := ctlV3Put(cx, "foo", "bar", ""); err != nil { + cx.t.Fatal(err) + } + + if err := authEnable(cx); err != nil { + cx.t.Fatal(err) + } + + cx.user, cx.pass = "root", "root" + authSetupTestUser(cx) + + // create a key + cx.user, cx.pass = "test-user", "pass" + if err := ctlV3Put(cx, "foo", "bar", ""); err != nil { + cx.t.Fatal(err) + } + // confirm put succeeded + if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil { + cx.t.Fatal(err) + } + + // delete the user + cx.user, cx.pass = "root", "root" + err := ctlV3User(cx, []string{"delete", "test-user"}, "User test-user deleted", []string{}) + if err != nil { + cx.t.Fatal(err) + } + + // check the user is deleted + cx.user, cx.pass = "test-user", "pass" + if err := ctlV3PutFailAuth(cx, "foo", "baz"); err != nil { + cx.t.Fatal(err) + } +} + +func authRoleRevokeDuringOpsTest(cx ctlCtx) { + if err := ctlV3Put(cx, "foo", "bar", ""); err != nil { + cx.t.Fatal(err) + } + + if err := authEnable(cx); err != nil { + cx.t.Fatal(err) + } + + cx.user, cx.pass = "root", "root" + authSetupTestUser(cx) + + // create a key + cx.user, cx.pass = "test-user", "pass" + if err := ctlV3Put(cx, "foo", "bar", ""); err != nil { + cx.t.Fatal(err) + } + // confirm put succeeded + if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil { + cx.t.Fatal(err) + } + + // create a new role + cx.user, cx.pass = "root", "root" + if err := ctlV3Role(cx, []string{"add", "test-role2"}, "Role test-role2 created"); err != nil { + cx.t.Fatal(err) + } + // grant a new key to the new role + if err := ctlV3RoleGrantPermission(cx, "test-role2", grantingPerm{true, true, "hoo", ""}); err != nil { + cx.t.Fatal(err) + } + // grant the new role to the user + if err := ctlV3User(cx, []string{"grant-role", "test-user", "test-role2"}, "Role test-role2 is granted to user test-user", nil); err != nil { + cx.t.Fatal(err) + } + + // try a newly granted key + cx.user, cx.pass = "test-user", "pass" + if err := ctlV3Put(cx, "hoo", "bar", ""); err != nil { + cx.t.Fatal(err) + } + // confirm put succeeded + if err := ctlV3Get(cx, []string{"hoo"}, []kv{{"hoo", "bar"}}...); err != nil { + cx.t.Fatal(err) + } + + // revoke a role from the user + cx.user, cx.pass = "root", "root" + err := ctlV3User(cx, []string{"revoke-role", "test-user", "test-role"}, "Role test-role is revoked from user test-user", []string{}) + if err != nil { + cx.t.Fatal(err) + } + + // check the role is revoked and permission is lost from the user + cx.user, cx.pass = "test-user", "pass" + if err := ctlV3PutFailPerm(cx, "foo", "baz"); err != nil { + cx.t.Fatal(err) + } + + // try a key that can be accessed from the remaining role + cx.user, cx.pass = "test-user", "pass" + if err := ctlV3Put(cx, "hoo", "bar2", ""); err != nil { + cx.t.Fatal(err) + } + // confirm put succeeded + if err := ctlV3Get(cx, []string{"hoo"}, []kv{{"hoo", "bar2"}}...); err != nil { + cx.t.Fatal(err) + } +} + func ctlV3PutFailAuth(cx ctlCtx, key, val string) error { return spawnWithExpect(append(cx.PrefixArgs(), "put", key, val), "authentication failed") }