diff --git a/e2e/ctl_v3_auth_test.go b/e2e/ctl_v3_auth_test.go index 3158bbda1c0..3cfb74a92b7 100644 --- a/e2e/ctl_v3_auth_test.go +++ b/e2e/ctl_v3_auth_test.go @@ -19,9 +19,10 @@ import ( "testing" ) -func TestCtlV3AuthEnable(t *testing.T) { testCtl(t, authEnableTest) } -func TestCtlV3AuthDisable(t *testing.T) { testCtl(t, authDisableTest) } -func TestCtlV3AuthWriteKey(t *testing.T) { testCtl(t, authCredWriteKeyTest) } +func TestCtlV3AuthEnable(t *testing.T) { testCtl(t, authEnableTest) } +func TestCtlV3AuthDisable(t *testing.T) { testCtl(t, authDisableTest) } +func TestCtlV3AuthWriteKey(t *testing.T) { testCtl(t, authCredWriteKeyTest) } +func TestCtlV3AuthRoleUpdate(t *testing.T) { testCtl(t, authRoleUpdateTest) } func authEnableTest(cx ctlCtx) { if err := authEnable(cx); err != nil { @@ -113,6 +114,58 @@ func authCredWriteKeyTest(cx ctlCtx) { } } +func authRoleUpdateTest(cx ctlCtx) { + if err := ctlV3Put(cx, "foo", "bar", ""); err != nil { + cx.t.Fatal(err) + } + + if err := authEnable(cx); err != nil { + cx.t.Fatal(err) + } + + cx.user, cx.pass = "root", "root" + authSetupTestUser(cx) + + // try put to not granted key + cx.user, cx.pass = "test-user", "pass" + if err := ctlV3PutFailPerm(cx, "hoo", "bar"); err != nil { + cx.t.Fatal(err) + } + + // grant a new key + cx.user, cx.pass = "root", "root" + if err := ctlV3RoleGrantPermission(cx, "test-role", grantingPerm{true, true, "hoo", ""}); err != nil { + cx.t.Fatal(err) + } + + // try a newly granted key + cx.user, cx.pass = "test-user", "pass" + if err := ctlV3Put(cx, "hoo", "bar", ""); err != nil { + cx.t.Fatal(err) + } + // confirm put succeeded + if err := ctlV3Get(cx, []string{"hoo"}, []kv{{"hoo", "bar"}}...); err != nil { + cx.t.Fatal(err) + } + + // revoke the newly granted key + cx.user, cx.pass = "root", "root" + if err := ctlV3RoleRevokePermission(cx, "test-role", "hoo", ""); err != nil { + cx.t.Fatal(err) + } + + // try put to the revoked key + cx.user, cx.pass = "test-user", "pass" + if err := ctlV3PutFailPerm(cx, "hoo", "bar"); err != nil { + cx.t.Fatal(err) + } + + // confirm a key still granted can be accessed + if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil { + cx.t.Fatal(err) + } +} + func ctlV3PutFailAuth(cx ctlCtx, key, val string) error { return spawnWithExpect(append(cx.PrefixArgs(), "put", key, val), "authentication failed") } diff --git a/e2e/ctl_v3_role_test.go b/e2e/ctl_v3_role_test.go index 88c07546a90..70192af6037 100644 --- a/e2e/ctl_v3_role_test.go +++ b/e2e/ctl_v3_role_test.go @@ -14,7 +14,10 @@ package e2e -import "testing" +import ( + "fmt" + "testing" +) func TestCtlV3RoleAdd(t *testing.T) { testCtl(t, roleAddTest) } func TestCtlV3RoleAddNoTLS(t *testing.T) { testCtl(t, roleAddTest, withCfg(configNoTLS)) } @@ -95,3 +98,64 @@ func ctlV3Role(cx ctlCtx, args []string, expStr string) error { return spawnWithExpect(cmdArgs, expStr) } + +func ctlV3RoleGrantPermission(cx ctlCtx, rolename string, perm grantingPerm) error { + cmdArgs := append(cx.PrefixArgs(), "role", "grant-permission") + cmdArgs = append(cmdArgs, rolename) + cmdArgs = append(cmdArgs, grantingPermToArgs(perm)...) + + proc, err := spawnCmd(cmdArgs) + if err != nil { + return err + } + + expStr := fmt.Sprintf("Role %s updated", rolename) + _, err = proc.Expect(expStr) + return err +} + +func ctlV3RoleRevokePermission(cx ctlCtx, rolename string, key, rangeEnd string) error { + cmdArgs := append(cx.PrefixArgs(), "role", "revoke-permission") + cmdArgs = append(cmdArgs, rolename) + cmdArgs = append(cmdArgs, key) + if len(rangeEnd) != 0 { + cmdArgs = append(cmdArgs, rangeEnd) + } + + proc, err := spawnCmd(cmdArgs) + if err != nil { + return err + } + + expStr := fmt.Sprintf("Permission of key %s is revoked from role %s", key, rolename) + _, err = proc.Expect(expStr) + return err +} + +type grantingPerm struct { + read bool + write bool + key string + rangeEnd string +} + +func grantingPermToArgs(perm grantingPerm) []string { + permstr := "" + + if perm.read { + permstr += "read" + } + + if perm.write { + permstr += "write" + } + + if len(permstr) == 0 { + panic("invalid granting permission") + } + + if len(perm.rangeEnd) == 0 { + return []string{permstr, perm.key} + } + return []string{permstr, perm.key, perm.rangeEnd} +}