mirror of
https://github.com/etcd-io/etcd.git
synced 2024-09-27 06:25:44 +00:00
Merge pull request #15378 from chaochn47/auth_test_split_5
migration auth tests to common #5
commit
7a98ab3ae0
@ -32,8 +32,11 @@ var defaultAuthToken = fmt.Sprintf("jwt,pub-key=%s,priv-key=%s,sign-method=RS256
|
||||
mustAbsPath("../fixtures/server.crt"), mustAbsPath("../fixtures/server.key.insecure"))
|
||||
|
||||
const (
|
||||
PermissionDenied = "etcdserver: permission denied"
|
||||
AuthenticationFailed = "etcdserver: authentication failed, invalid user ID or password"
|
||||
PermissionDenied = "etcdserver: permission denied"
|
||||
AuthenticationFailed = "etcdserver: authentication failed, invalid user ID or password"
|
||||
InvalidAuthManagement = "etcdserver: invalid auth management"
|
||||
|
||||
testPeerURL = "http://localhost:20011"
|
||||
)
|
||||
|
||||
func TestAuthEnable(t *testing.T) {
|
||||
@ -565,6 +568,67 @@ func TestAuthLeaseGrantLeases(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestAuthMemberAdd(t *testing.T) {
|
||||
testRunner.BeforeTest(t)
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
||||
defer cancel()
|
||||
clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1}))
|
||||
defer clus.Close()
|
||||
cc := testutils.MustClient(clus.Client())
|
||||
testutils.ExecuteUntil(ctx, t, func() {
|
||||
require.NoErrorf(t, setupAuth(cc, []authRole{testRole}, []authUser{rootUser, testUser}), "failed to enable auth")
|
||||
rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))
|
||||
testUserAuthClient := testutils.MustClient(clus.Client(WithAuth(testUserName, testPassword)))
|
||||
_, err := testUserAuthClient.MemberAdd(ctx, "newmember", []string{testPeerURL})
|
||||
require.ErrorContains(t, err, PermissionDenied)
|
||||
_, err = rootAuthClient.MemberAdd(ctx, "newmember", []string{testPeerURL})
|
||||
require.NoError(t, err)
|
||||
})
|
||||
}
|
||||
|
||||
func TestAuthMemberRemove(t *testing.T) {
|
||||
testRunner.BeforeTest(t)
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
||||
defer cancel()
|
||||
clusterSize := 2
|
||||
clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: clusterSize}))
|
||||
defer clus.Close()
|
||||
cc := testutils.MustClient(clus.Client())
|
||||
testutils.ExecuteUntil(ctx, t, func() {
|
||||
require.NoErrorf(t, setupAuth(cc, []authRole{testRole}, []authUser{rootUser, testUser}), "failed to enable auth")
|
||||
rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))
|
||||
testUserAuthClient := testutils.MustClient(clus.Client(WithAuth(testUserName, testPassword)))
|
||||
|
||||
memberId, clusterId := memberToRemove(ctx, t, rootAuthClient, clusterSize)
|
||||
|
||||
// ordinary user cannot remove a member
|
||||
_, err := testUserAuthClient.MemberRemove(ctx, memberId)
|
||||
require.ErrorContains(t, err, PermissionDenied)
|
||||
|
||||
// root can remove a member
|
||||
removeResp, err := rootAuthClient.MemberRemove(ctx, memberId)
|
||||
require.NoError(t, err, "MemberRemove failed")
|
||||
require.Equal(t, removeResp.Header.ClusterId, clusterId)
|
||||
})
|
||||
}
|
||||
|
||||
func TestAuthTestInvalidMgmt(t *testing.T) {
|
||||
testRunner.BeforeTest(t)
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
||||
defer cancel()
|
||||
clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1}))
|
||||
defer clus.Close()
|
||||
cc := testutils.MustClient(clus.Client())
|
||||
testutils.ExecuteUntil(ctx, t, func() {
|
||||
require.NoErrorf(t, setupAuth(cc, []authRole{}, []authUser{rootUser}), "failed to enable auth")
|
||||
rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))
|
||||
_, err := rootAuthClient.UserDelete(ctx, rootUserName)
|
||||
require.ErrorContains(t, err, InvalidAuthManagement)
|
||||
_, err = rootAuthClient.UserRevokeRole(ctx, rootUserName, rootRoleName)
|
||||
require.ErrorContains(t, err, InvalidAuthManagement)
|
||||
})
|
||||
}
|
||||
|
||||
func mustAbsPath(path string) string {
|
||||
abs, err := filepath.Abs(path)
|
||||
if err != nil {
|
||||
|
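Review bot: TestAuthTestInvalidMgmt no longer covers deletion of the root role. The e2e test removed by this commit ran `role delete root` and expected "invalid auth management", while the new test calls `UserDelete(ctx, rootUserName)` instead, so the guard that stops the root role from being deleted while auth is enabled loses its regression test. Keep the user-delete assertion and add the role case back, e.g. `_, err = rootAuthClient.RoleDelete(ctx, rootRoleName)` followed by `require.ErrorContains(t, err, InvalidAuthManagement)`, assuming the common client interface exposes `RoleDelete`. Separately, in TestAuthMemberRemove the call `require.Equal(t, removeResp.Header.ClusterId, clusterId)` passes the actual value first; testify expects `require.Equal(t, clusterId, removeResp.Header.ClusterId)`, otherwise a failure message labels the two values the wrong way round.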
@ -27,12 +27,7 @@ import (
|
||||
"go.etcd.io/etcd/tests/v3/framework/e2e"
|
||||
)
|
||||
|
||||
func TestCtlV3AuthMemberAdd(t *testing.T) { testCtl(t, authTestMemberAdd) }
|
||||
func TestCtlV3AuthMemberRemove(t *testing.T) {
|
||||
testCtl(t, authTestMemberRemove, withQuorum(), withDisableStrictReconfig())
|
||||
}
|
||||
func TestCtlV3AuthMemberUpdate(t *testing.T) { testCtl(t, authTestMemberUpdate) }
|
||||
func TestCtlV3AuthInvalidMgmt(t *testing.T) { testCtl(t, authTestInvalidMgmt) }
|
||||
func TestCtlV3AuthFromKeyPerm(t *testing.T) { testCtl(t, authTestFromKeyPerm) }
|
||||
func TestCtlV3AuthAndWatch(t *testing.T) { testCtl(t, authTestWatch) }
|
||||
func TestCtlV3AuthAndWatchJWT(t *testing.T) { testCtl(t, authTestWatch, withCfg(*e2e.NewConfigJWT())) }
|
||||
@ -96,51 +91,6 @@ func authSetupTestUser(cx ctlCtx) {
|
||||
}
|
||||
}
|
||||
|
||||
func authTestMemberAdd(cx ctlCtx) {
|
||||
if err := authEnable(cx); err != nil {
|
||||
cx.t.Fatal(err)
|
||||
}
|
||||
|
||||
cx.user, cx.pass = "root", "root"
|
||||
authSetupTestUser(cx)
|
||||
|
||||
peerURL := fmt.Sprintf("http://localhost:%d", e2e.EtcdProcessBasePort+11)
|
||||
// ordinary user cannot add a new member
|
||||
cx.user, cx.pass = "test-user", "pass"
|
||||
if err := ctlV3MemberAdd(cx, peerURL, false); err == nil {
|
||||
cx.t.Fatalf("ordinary user must not be allowed to add a member")
|
||||
}
|
||||
|
||||
// root can add a new member
|
||||
cx.user, cx.pass = "root", "root"
|
||||
if err := ctlV3MemberAdd(cx, peerURL, false); err != nil {
|
||||
cx.t.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
func authTestMemberRemove(cx ctlCtx) {
|
||||
if err := authEnable(cx); err != nil {
|
||||
cx.t.Fatal(err)
|
||||
}
|
||||
|
||||
cx.user, cx.pass = "root", "root"
|
||||
authSetupTestUser(cx)
|
||||
|
||||
ep, memIDToRemove, clusterID := cx.memberToRemove()
|
||||
|
||||
// ordinary user cannot remove a member
|
||||
cx.user, cx.pass = "test-user", "pass"
|
||||
if err := ctlV3MemberRemove(cx, ep, memIDToRemove, clusterID); err == nil {
|
||||
cx.t.Fatalf("ordinary user must not be allowed to remove a member")
|
||||
}
|
||||
|
||||
// root can remove a member
|
||||
cx.user, cx.pass = "root", "root"
|
||||
if err := ctlV3MemberRemove(cx, ep, memIDToRemove, clusterID); err != nil {
|
||||
cx.t.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
func authTestMemberUpdate(cx ctlCtx) {
|
||||
if err := authEnable(cx); err != nil {
|
||||
cx.t.Fatal(err)
|
||||
@ -202,20 +152,6 @@ func authTestCertCN(cx ctlCtx) {
|
||||
require.ErrorContains(cx.t, err, "permission denied")
|
||||
}
|
||||
|
||||
func authTestInvalidMgmt(cx ctlCtx) {
|
||||
if err := authEnable(cx); err != nil {
|
||||
cx.t.Fatal(err)
|
||||
}
|
||||
|
||||
if err := ctlV3Role(cx, []string{"delete", "root"}, "Error: etcdserver: invalid auth management"); err == nil {
|
||||
cx.t.Fatal("deleting the role root must not be allowed")
|
||||
}
|
||||
|
||||
if err := ctlV3User(cx, []string{"revoke-role", "root", "root"}, "Error: etcdserver: invalid auth management", []string{}); err == nil {
|
||||
cx.t.Fatal("revoking the role root from the user root must not be allowed")
|
||||
}
|
||||
}
|
||||
|
||||
func authTestFromKeyPerm(cx ctlCtx) {
|
||||
if err := authEnable(cx); err != nil {
|
||||
cx.t.Fatal(err)
|
||||
|