Merge pull request etcd-io#5722 from mitake/auth-v3-check-test

e2e: check runtime permission changing
adamgomulka · Jun 21, 2016 · d017814 · d017814
2 parents 8920e7c + 6fe4d9d
commit d017814
Show file tree

Hide file tree

Showing 2 changed files with 121 additions and 4 deletions.
diff --git a/e2e/ctl_v3_auth_test.go b/e2e/ctl_v3_auth_test.go
@@ -19,9 +19,10 @@ import (
 	"testing"
 )
 
-func TestCtlV3AuthEnable(t *testing.T)   { testCtl(t, authEnableTest) }
-func TestCtlV3AuthDisable(t *testing.T)  { testCtl(t, authDisableTest) }
-func TestCtlV3AuthWriteKey(t *testing.T) { testCtl(t, authCredWriteKeyTest) }
+func TestCtlV3AuthEnable(t *testing.T)     { testCtl(t, authEnableTest) }
+func TestCtlV3AuthDisable(t *testing.T)    { testCtl(t, authDisableTest) }
+func TestCtlV3AuthWriteKey(t *testing.T)   { testCtl(t, authCredWriteKeyTest) }
+func TestCtlV3AuthRoleUpdate(t *testing.T) { testCtl(t, authRoleUpdateTest) }
 
 func authEnableTest(cx ctlCtx) {
 	if err := authEnable(cx); err != nil {
@@ -113,6 +114,58 @@ func authCredWriteKeyTest(cx ctlCtx) {
 	}
 }
 
+func authRoleUpdateTest(cx ctlCtx) {
+	if err := ctlV3Put(cx, "foo", "bar", ""); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	if err := authEnable(cx); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	cx.user, cx.pass = "root", "root"
+	authSetupTestUser(cx)
+
+	// try put to not granted key
+	cx.user, cx.pass = "test-user", "pass"
+	if err := ctlV3PutFailPerm(cx, "hoo", "bar"); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	// grant a new key
+	cx.user, cx.pass = "root", "root"
+	if err := ctlV3RoleGrantPermission(cx, "test-role", grantingPerm{true, true, "hoo", ""}); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	// try a newly granted key
+	cx.user, cx.pass = "test-user", "pass"
+	if err := ctlV3Put(cx, "hoo", "bar", ""); err != nil {
+		cx.t.Fatal(err)
+	}
+	// confirm put succeeded
+	if err := ctlV3Get(cx, []string{"hoo"}, []kv{{"hoo", "bar"}}...); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	// revoke the newly granted key
+	cx.user, cx.pass = "root", "root"
+	if err := ctlV3RoleRevokePermission(cx, "test-role", "hoo", ""); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	// try put to the revoked key
+	cx.user, cx.pass = "test-user", "pass"
+	if err := ctlV3PutFailPerm(cx, "hoo", "bar"); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	// confirm a key still granted can be accessed
+	if err := ctlV3Get(cx, []string{"foo"}, []kv{{"foo", "bar"}}...); err != nil {
+		cx.t.Fatal(err)
+	}
+}
+
 func ctlV3PutFailAuth(cx ctlCtx, key, val string) error {
 	return spawnWithExpect(append(cx.PrefixArgs(), "put", key, val), "authentication failed")
 }

diff --git a/e2e/ctl_v3_role_test.go b/e2e/ctl_v3_role_test.go
@@ -14,7 +14,10 @@
 
 package e2e
 
-import "testing"
+import (
+	"fmt"
+	"testing"
+)
 
 func TestCtlV3RoleAdd(t *testing.T)          { testCtl(t, roleAddTest) }
 func TestCtlV3RoleAddNoTLS(t *testing.T)     { testCtl(t, roleAddTest, withCfg(configNoTLS)) }
@@ -95,3 +98,64 @@ func ctlV3Role(cx ctlCtx, args []string, expStr string) error {
 
 	return spawnWithExpect(cmdArgs, expStr)
 }
+
+func ctlV3RoleGrantPermission(cx ctlCtx, rolename string, perm grantingPerm) error {
+	cmdArgs := append(cx.PrefixArgs(), "role", "grant-permission")
+	cmdArgs = append(cmdArgs, rolename)
+	cmdArgs = append(cmdArgs, grantingPermToArgs(perm)...)
+
+	proc, err := spawnCmd(cmdArgs)
+	if err != nil {
+		return err
+	}
+
+	expStr := fmt.Sprintf("Role %s updated", rolename)
+	_, err = proc.Expect(expStr)
+	return err
+}
+
+func ctlV3RoleRevokePermission(cx ctlCtx, rolename string, key, rangeEnd string) error {
+	cmdArgs := append(cx.PrefixArgs(), "role", "revoke-permission")
+	cmdArgs = append(cmdArgs, rolename)
+	cmdArgs = append(cmdArgs, key)
+	if len(rangeEnd) != 0 {
+		cmdArgs = append(cmdArgs, rangeEnd)
+	}
+
+	proc, err := spawnCmd(cmdArgs)
+	if err != nil {
+		return err
+	}
+
+	expStr := fmt.Sprintf("Permission of key %s is revoked from role %s", key, rolename)
+	_, err = proc.Expect(expStr)
+	return err
+}
+
+type grantingPerm struct {
+	read     bool
+	write    bool
+	key      string
+	rangeEnd string
+}
+
+func grantingPermToArgs(perm grantingPerm) []string {
+	permstr := ""
+
+	if perm.read {
+		permstr += "read"
+	}
+
+	if perm.write {
+		permstr += "write"
+	}
+
+	if len(permstr) == 0 {
+		panic("invalid granting permission")
+	}
+
+	if len(perm.rangeEnd) == 0 {
+		return []string{permstr, perm.key}
+	}
+	return []string{permstr, perm.key, perm.rangeEnd}
+}