From 66107b865303186b1c44429355ffa82fd55f34c4 Mon Sep 17 00:00:00 2001
From: Hitoshi Mitake
Date: Wed, 22 Jun 2016 15:43:43 +0900
Subject: [PATCH 1/2] auth: invalidate every token in disabling auth
---
 auth/store.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/auth/store.go b/auth/store.go
index a98ec5d6a..4ba76db0b 100644
--- a/auth/store.go
+++ b/auth/store.go
@@ -184,6 +184,10 @@ func (as *authStore) AuthDisable() {
 as.enabled = false
 as.enabledMu.Unlock()
+ as.simpleTokensMu.Lock()
+ as.simpleTokens = make(map[string]string) // invalidate all tokens
+ as.simpleTokensMu.Unlock()
+
 plog.Noticef("Authentication disabled")
 }
From 745e1e2cf94d3221e4481ae9081e9e87bdd7320b Mon Sep 17 00:00:00 2001
From: Hitoshi Mitake
Date: Wed, 22 Jun 2016 15:54:04 +0900
Subject: [PATCH 2/2] e2e: enhance the test case of auth disabling
---
 e2e/ctl_v3_auth_test.go | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/e2e/ctl_v3_auth_test.go b/e2e/ctl_v3_auth_test.go
index 4d000c9c0..1b3f0a4c5 100644
--- a/e2e/ctl_v3_auth_test.go
+++ b/e2e/ctl_v3_auth_test.go
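Review bot: The token map is cleared only after `as.enabledMu` has been released, so the enabled flag and the token state change in two separate critical sections; if AuthEnable or an Authenticate call can run between them (not visible from this hunk), a token issued before the disable could briefly coexist with a re-enabled store, or a freshly issued token could be wiped. Resetting `as.simpleTokens` while `as.enabledMu` is still held, i.e. moving the three added lines above `as.enabledMu.Unlock()`, would make the transition atomic, provided no other path takes the two mutexes in the opposite order. The comment could also say why: `// invalidate all tokens so none issued before the disable survives a later re-enable`. AuthDisable's body starts above the hunk.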
@@ -52,9 +52,44 @@ func ctlV3AuthEnable(cx ctlCtx) error {
 }
 func authDisableTest(cx ctlCtx) {
+ // a key that isn't granted to test-user
+ if err := ctlV3Put(cx, "hoo", "a", ""); err != nil {
+ cx.t.Fatal(err)
+ }
+
+ if err := authEnable(cx); err != nil {
+ cx.t.Fatal(err)
+ }
+
+ cx.user, cx.pass = "root", "root"
+ authSetupTestUser(cx)
+
+ // test-user doesn't have the permission, it must fail
+ cx.user, cx.pass = "test-user", "pass"
+ if err := ctlV3PutFailPerm(cx, "hoo", "bar"); err != nil {
+ cx.t.Fatal(err)
+ }
+
+ cx.user, cx.pass = "root", "root"
 if err := ctlV3AuthDisable(cx); err != nil {
 cx.t.Fatalf("authDisableTest ctlV3AuthDisable error (%v)", err)
 }
+
+ // now auth fails unconditionally, note that failed RPC is Authenticate(), not Put()
+ cx.user, cx.pass = "test-user", "pass"
+ if err := ctlV3PutFailAuthDisabled(cx, "hoo", "bar"); err != nil {
+ cx.t.Fatal(err)
+ }
+
+ // now the key can be accessed
+ cx.user, cx.pass = "", ""
+ if err := ctlV3Put(cx, "hoo", "bar", ""); err != nil {
+ cx.t.Fatal(err)
+ }
+ // confirm put succeeded
+ if err := ctlV3Get(cx, []string{"hoo"}, []kv{{"hoo", "bar"}}...); err != nil {
+ cx.t.Fatal(err)
+ }
 }
 func ctlV3AuthDisable(cx ctlCtx) error {
@@ -282,6 +317,10 @@ func ctlV3PutFailPerm(cx ctlCtx, key, val string) error {
 return spawnWithExpect(append(cx.PrefixArgs(), "put", key, val), "permission denied")
 }
+func ctlV3PutFailAuthDisabled(cx ctlCtx, key, val string) error {
+ return spawnWithExpect(append(cx.PrefixArgs(), "put", key, val), "authentication is not enabled")
+}
+
 func ctlV3GetFailPerm(cx ctlCtx, key string) error {
 return spawnWithExpect(append(cx.PrefixArgs(), "get", key), "permission denied")
 }
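Review bot: Nothing in authDisableTest exercises the token invalidation that patch 1/2 adds: the put issued as test-user after ctlV3AuthDisable is expected to fail with "authentication is not enabled", and per the in-line comment that failure comes from Authenticate(), which would presumably be rejected on a disabled store whether or not the token map was cleared. The case worth pinning is a token issued before the disable being presented after auth is enabled again; as far as this hunk shows, each ctl invocation authenticates afresh, so this e2e flow likely cannot hold such a token, and a unit test on authStore that authenticates, disables, re-enables and then checks that the old token is rejected would cover it. At minimum, a comment above the post-disable put such as `// checks the disabled state only; token invalidation is covered by <unit test name>` would keep readers from assuming coverage.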