From 68bcbdc84ea43c76dc3884ec42e65a0b1bef1ea5 Mon Sep 17 00:00:00 2001
From: Hitoshi Mitake
Date: Tue, 21 Jun 2016 15:03:04 +0900
Subject: [PATCH 1/2] e2e: check user deletion during operations
---
 e2e/ctl_v3_auth_test.go | 45 +++++++++++++++++++++++++++++++++++++----
 1 file changed, 41 insertions(+), 4 deletions(-)
diff --git a/e2e/ctl_v3_auth_test.go b/e2e/ctl_v3_auth_test.go
index 3cfb74a92b7..a79d3194bb2 100644
--- a/e2e/ctl_v3_auth_test.go
+++ b/e2e/ctl_v3_auth_test.go
@@ -19,10 +19,11 @@ import (
 "testing"
 )
-func TestCtlV3AuthEnable(t *testing.T) { testCtl(t, authEnableTest) }
-func TestCtlV3AuthDisable(t *testing.T) { testCtl(t, authDisableTest) }
-func TestCtlV3AuthWriteKey(t *testing.T) { testCtl(t, authCredWriteKeyTest) }
-func TestCtlV3AuthRoleUpdate(t *testing.T) { testCtl(t, authRoleUpdateTest) }
+func TestCtlV3AuthEnable(t *testing.T) { testCtl(t, authEnableTest) }
+func TestCtlV3AuthDisable(t *testing.T) { testCtl(t, authDisableTest) }
+func TestCtlV3AuthWriteKey(t *testing.T) { testCtl(t, authCredWriteKeyTest) }
+func TestCtlV3AuthRoleUpdate(t *testing.T) { testCtl(t, authRoleUpdateTest) }
+func TestCtlV3AuthUserDeleteDuringOps(t *testing.T) { testCtl(t, authUserDeleteDuringOpsTest) }
 func authEnableTest(cx ctlCtx) {
 if err := authEnable(cx); err != nil {
@@ -166,6 +167,42 @@ func authRoleUpdateTest(cx ctlCtx) {
 }
 }
+func authUserDeleteDuringOpsTest(cx ctlCtx) {
+ if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
+ cx.t.Fatal(err)
+ }
+
+ if err := authEnable(cx); err != nil {
+ cx.t.Fatal(err)
+ }
+
+ cx.user, cx.pass = "root", "root"
+ authSetupTestUser(cx)
+
+ // create a key
+ cx.user, cx.pass = "test-user", "pass"
+ if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
+ cx.t.Fatal(err)
+ }
+ // confirm put succeeded
+ if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil {
+ cx.t.Fatal(err)
+ }
+
+ // delete the user
+ cx.user, cx.pass = "root", "root"
+ err := ctlV3User(cx, []string{"delete", "test-user"}, "User test-user deleted", []string{})
+ if err != nil {
+ cx.t.Fatal(err)
+ }
+
+ // check the user is deleted
+ cx.user, cx.pass = "test-user", "pass"
+ if err := ctlV3PutFailAuth(cx, "foo", "baz"); err != nil {
+ cx.t.Fatal(err)
+ }
+}
+
 func ctlV3PutFailAuth(cx ctlCtx, key, val string) error {
 return spawnWithExpect(append(cx.PrefixArgs(), "put", key, val), "authentication failed")
 }
From 4106e56d91320666665f54b613d5e0207610fb13 Mon Sep 17 00:00:00 2001
From: Hitoshi Mitake
Date: Tue, 21 Jun 2016 15:13:59 +0900
Subject: [PATCH 2/2] e2e: check role revoking during operations
---
 e2e/ctl_v3_auth_test.go | 71 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
diff --git a/e2e/ctl_v3_auth_test.go b/e2e/ctl_v3_auth_test.go
index a79d3194bb2..4d000c9c090 100644
--- a/e2e/ctl_v3_auth_test.go
+++ b/e2e/ctl_v3_auth_test.go
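Review bot: The final check in authUserDeleteDuringOpsTest only matches etcdctl's "authentication failed" output, and nothing afterwards confirms that `foo` still holds `bar`, so the test proves the error message rather than the stored state. A root read after the rejected put, `cx.user, cx.pass = "root", "root"` followed by `ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...)`, would pin that the write was not applied. The earlier "confirm put succeeded" read is weak for a related reason: test-user writes the same `bar` that was stored before auth was enabled, so a distinct value there would show the authenticated put took effect. Each step appears to spawn a fresh etcdctl that logs in with the password, so this covers rejection of a new login after deletion rather than of a session opened before it; a comment saying so would keep the "DuringOps" name from overstating coverage. The same two gaps apply to authRoleRevokeDuringOpsTest in the second patch.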
@@ -24,6 +24,7 @@ func TestCtlV3AuthDisable(t *testing.T) { testCtl(t, authDisableTest
 func TestCtlV3AuthWriteKey(t *testing.T) { testCtl(t, authCredWriteKeyTest) }
 func TestCtlV3AuthRoleUpdate(t *testing.T) { testCtl(t, authRoleUpdateTest) }
 func TestCtlV3AuthUserDeleteDuringOps(t *testing.T) { testCtl(t, authUserDeleteDuringOpsTest) }
+func TestCtlV3AuthRoleRevokeDuringOps(t *testing.T) { testCtl(t, authRoleRevokeDuringOpsTest) }
 func authEnableTest(cx ctlCtx) {
 if err := authEnable(cx); err != nil {
@@ -203,6 +204,76 @@ func authUserDeleteDuringOpsTest(cx ctlCtx) {
 }
 }
+func authRoleRevokeDuringOpsTest(cx ctlCtx) {
+ if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
+ cx.t.Fatal(err)
+ }
+
+ if err := authEnable(cx); err != nil {
+ cx.t.Fatal(err)
+ }
+
+ cx.user, cx.pass = "root", "root"
+ authSetupTestUser(cx)
+
+ // create a key
+ cx.user, cx.pass = "test-user", "pass"
+ if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
+ cx.t.Fatal(err)
+ }
+ // confirm put succeeded
+ if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil {
+ cx.t.Fatal(err)
+ }
+
+ // create a new role
+ cx.user, cx.pass = "root", "root"
+ if err := ctlV3Role(cx, []string{"add", "test-role2"}, "Role test-role2 created"); err != nil {
+ cx.t.Fatal(err)
+ }
+ // grant a new key to the new role
+ if err := ctlV3RoleGrantPermission(cx, "test-role2", grantingPerm{true, true, "hoo", ""}); err != nil {
+ cx.t.Fatal(err)
+ }
+ // grant the new role to the user
+ if err := ctlV3User(cx, []string{"grant-role", "test-user", "test-role2"}, "Role test-role2 is granted to user test-user", nil); err != nil {
+ cx.t.Fatal(err)
+ }
+
+ // try a newly granted key
+ cx.user, cx.pass = "test-user", "pass"
+ if err := ctlV3Put(cx, "hoo", "bar", ""); err != nil {
+ cx.t.Fatal(err)
+ }
+ // confirm put succeeded
+ if err := ctlV3Get(cx, []string{"hoo"}, []kv{{"hoo", "bar"}}...); err != nil {
+ cx.t.Fatal(err)
+ }
+
+ // revoke a role from the user
+ cx.user, cx.pass = "root", "root"
+ err := ctlV3User(cx, []string{"revoke-role", "test-user", "test-role"}, "Role test-role is revoked from user test-user", []string{})
+ if err != nil {
+ cx.t.Fatal(err)
+ }
+
+ // check the role is revoked and permission is lost from the user
+ cx.user, cx.pass = "test-user", "pass"
+ if err := ctlV3PutFailPerm(cx, "foo", "baz"); err != nil {
+ cx.t.Fatal(err)
+ }
+
+ // try a key that can be accessed from the remaining role
+ cx.user, cx.pass = "test-user", "pass"
+ if err := ctlV3Put(cx, "hoo", "bar2", ""); err != nil {
+ cx.t.Fatal(err)
+ }
+ // confirm put succeeded
+ if err := ctlV3Get(cx, []string{"hoo"}, []kv{{"hoo", "bar2"}}...); err != nil {
+ cx.t.Fatal(err)
+ }
+}
+
 func ctlV3PutFailAuth(cx ctlCtx, key, val string) error {
 return spawnWithExpect(append(cx.PrefixArgs(), "put", key, val), "authentication failed")
 }
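Review bot: After `revoke-role`, authRoleRevokeDuringOpsTest asserts only that a write to `foo` is refused; the read side of the revoked permission is never checked, so a regression that left `foo` readable through the revoked test-role would go unnoticed. A get of `foo` as test-user that expects the permission-denied output would close that gap, assuming test-role granted read access in authSetupTestUser, which is outside this diff. On style, the two ctlV3User calls pass `nil` and `[]string{}` for the same trailing argument, and `cx.user, cx.pass = "test-user", "pass"` is assigned twice in a row before the last put. Using `nil` in both calls and dropping the repeated assignment would tidy this up.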