Mirroristas/etcd
2
0
Fork 0
mirror of https://github.com/etcd-io/etcd.git synced 2024-09-27 06:25:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #15721 from vianamjr/txn-auth-unit-test

Browse Source 
tests: cover txn.CheckTxnAuth logic with unit tests
This commit is contained in:
Benjamin Wang 2023-04-19 05:54:55 +08:00 committed by GitHub
commit b27dec8b94
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 286 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

286
server/etcdserver/txn/txn_test.go
View File

@ -18,15 +18,21 @@ import (
"context"
"strings"
"testing"
"time"
"go.uber.org/zap/zaptest"
"go.etcd.io/etcd/api/v3/authpb"
pb "go.etcd.io/etcd/api/v3/etcdserverpb"
"go.etcd.io/etcd/server/v3/auth"
"go.etcd.io/etcd/server/v3/lease"
"go.etcd.io/etcd/server/v3/storage/backend"
betesting "go.etcd.io/etcd/server/v3/storage/backend/testing"
"go.etcd.io/etcd/server/v3/storage/mvcc"
"go.etcd.io/etcd/server/v3/storage/schema"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestReadonlyTxnError(t *testing.T) {
@ -94,3 +100,283 @@ func TestWriteTxnPanic(t *testing.T) {
assert.Panics(t, func() { Txn(ctx, zaptest.NewLogger(t), txn, false, s, &lease.FakeLessor{}) }, "Expected panic in Txn with writes")
}
func TestCheckTxnAuth(t *testing.T) {
be, _ := betesting.NewDefaultTmpBackend(t)
defer betesting.Close(t, be)
as := setupAuth(t, be)
tests := []struct {
name string
txnRequest *pb.TxnRequest
err error
}{
{
name: "Out of range compare is unauthorized",
txnRequest: &pb.TxnRequest{
Compare: []*pb.Compare{outOfRangeCompare},
},
err: auth.ErrPermissionDenied,
},
{
name: "In range compare is authorized",
txnRequest: &pb.TxnRequest{
Compare: []*pb.Compare{inRangeCompare},
},
err: nil,
},
{
name: "Nil request range is always authorized",
txnRequest: &pb.TxnRequest{
Success: []*pb.RequestOp{nilRequestRange},
},
err: nil,
},
{
name: "Range request in range is authorized",
txnRequest: &pb.TxnRequest{
Success: []*pb.RequestOp{inRangeRequestRange},
Failure: []*pb.RequestOp{inRangeRequestRange},
},
err: nil,
},
{
name: "Range request out of range success case is unauthorized",
txnRequest: &pb.TxnRequest{
Success: []*pb.RequestOp{outOfRangeRequestRange},
Failure: []*pb.RequestOp{inRangeRequestRange},
},
err: auth.ErrPermissionDenied,
},
{
name: "Range request out of range failure case is unauthorized",
txnRequest: &pb.TxnRequest{
Success: []*pb.RequestOp{inRangeRequestRange},
Failure: []*pb.RequestOp{outOfRangeRequestRange},
},
err: auth.ErrPermissionDenied,
},
{
name: "Nil Put request is always authorized",
txnRequest: &pb.TxnRequest{
Success: []*pb.RequestOp{nilRequestPut},
},
err: nil,
},
{
name: "Put request in range in authorized",
txnRequest: &pb.TxnRequest{
Success: []*pb.RequestOp{inRangeRequestPut},
Failure: []*pb.RequestOp{inRangeRequestPut},
},
err: nil,
},
{
name: "Put request out of range success case is unauthorized",
txnRequest: &pb.TxnRequest{
Success: []*pb.RequestOp{outOfRangeRequestPut},
Failure: []*pb.RequestOp{inRangeRequestPut},
},
err: auth.ErrPermissionDenied,
},
{
name: "Put request out of range failure case is unauthorized",
txnRequest: &pb.TxnRequest{
Success: []*pb.RequestOp{inRangeRequestPut},
Failure: []*pb.RequestOp{outOfRangeRequestPut},
},
err: auth.ErrPermissionDenied,
},
{
name: "Nil delete request is authorized",
txnRequest: &pb.TxnRequest{
Success: []*pb.RequestOp{nilRequestDeleteRange},
},
err: nil,
},
{
name: "Delete range request in range is authorized",
txnRequest: &pb.TxnRequest{
Success: []*pb.RequestOp{inRangeRequestDeleteRange},
Failure: []*pb.RequestOp{inRangeRequestDeleteRange},
},
err: nil,
},
{
name: "Delete range request out of range success case is unauthorized",
txnRequest: &pb.TxnRequest{
Success: []*pb.RequestOp{outOfRangeRequestDeleteRange},
Failure: []*pb.RequestOp{inRangeRequestDeleteRange},
},
err: auth.ErrPermissionDenied,
},
{
name: "Delete range request out of range failure case is unauthorized",
txnRequest: &pb.TxnRequest{
Success: []*pb.RequestOp{inRangeRequestDeleteRange},
Failure: []*pb.RequestOp{outOfRangeRequestDeleteRange},
},
err: auth.ErrPermissionDenied,
},
{
name: "Delete range request out of range and PrevKv false success case is unauthorized",
txnRequest: &pb.TxnRequest{
Success: []*pb.RequestOp{outOfRangeRequestDeleteRangeKvFalse},
Failure: []*pb.RequestOp{inRangeRequestDeleteRange},
},
err: auth.ErrPermissionDenied,
},
{
name: "Delete range request out of range and PrevKv false failure case is unauthorized",
txnRequest: &pb.TxnRequest{
Success: []*pb.RequestOp{inRangeRequestDeleteRange},
Failure: []*pb.RequestOp{outOfRangeRequestDeleteRangeKvFalse},
},
err: auth.ErrPermissionDenied,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := CheckTxnAuth(as, &auth.AuthInfo{Username: "foo", Revision: 8}, tt.txnRequest)
assert.Equal(t, tt.err, err)
})
}
}
// CheckTxnAuth test setup.
func setupAuth(t *testing.T, be backend.Backend) auth.AuthStore {
lg := zaptest.NewLogger(t)
simpleTokenTTLDefault := 300 * time.Second
tokenTypeSimple := "simple"
dummyIndexWaiter := func(index uint64) <-chan struct{} {
ch := make(chan struct{}, 1)
go func() {
ch <- struct{}{}
}()
return ch
}
tp, _ := auth.NewTokenProvider(zaptest.NewLogger(t), tokenTypeSimple, dummyIndexWaiter, simpleTokenTTLDefault)
as := auth.NewAuthStore(lg, schema.NewAuthBackend(lg, be), tp, 4)
// create "root" user and "foo" user with limited range
_, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "root"})
require.NoError(t, err)
_, err = as.RoleAdd(&pb.AuthRoleAddRequest{Name: "rw"})
require.NoError(t, err)
_, err = as.RoleGrantPermission(&pb.AuthRoleGrantPermissionRequest{
Name: "rw",
Perm: &authpb.Permission{
PermType: authpb.READWRITE,
Key: []byte("foo"),
RangeEnd: []byte("zoo"),
},
})
require.NoError(t, err)
_, err = as.UserAdd(&pb.AuthUserAddRequest{Name: "root", Password: "foo"})
require.NoError(t, err)
_, err = as.UserAdd(&pb.AuthUserAddRequest{Name: "foo", Password: "foo"})
require.NoError(t, err)
_, err = as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "root", Role: "root"})
require.NoError(t, err)
_, err = as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "rw"})
require.NoError(t, err)
err = as.AuthEnable()
require.NoError(t, err)
return as
}
// CheckTxnAuth variables setup.
var (
inRangeCompare = &pb.Compare{
Key: []byte("foo"),
RangeEnd: []byte("zoo"),
}
outOfRangeCompare = &pb.Compare{
Key: []byte("boo"),
RangeEnd: []byte("zoo"),
}
nilRequestPut = &pb.RequestOp{
Request: &pb.RequestOp_RequestPut{
RequestPut: nil,
},
}
inRangeRequestPut = &pb.RequestOp{
Request: &pb.RequestOp_RequestPut{
RequestPut: &pb.PutRequest{
Key: []byte("foo"),
},
},
}
outOfRangeRequestPut = &pb.RequestOp{
Request: &pb.RequestOp_RequestPut{
RequestPut: &pb.PutRequest{
Key: []byte("boo"),
},
},
}
nilRequestRange = &pb.RequestOp{
Request: &pb.RequestOp_RequestRange{
RequestRange: nil,
},
}
inRangeRequestRange = &pb.RequestOp{
Request: &pb.RequestOp_RequestRange{
RequestRange: &pb.RangeRequest{
Key: []byte("foo"),
RangeEnd: []byte("zoo"),
},
},
}
outOfRangeRequestRange = &pb.RequestOp{
Request: &pb.RequestOp_RequestRange{
RequestRange: &pb.RangeRequest{
Key: []byte("boo"),
RangeEnd: []byte("zoo"),
},
},
}
nilRequestDeleteRange = &pb.RequestOp{
Request: &pb.RequestOp_RequestDeleteRange{
RequestDeleteRange: nil,
},
}
inRangeRequestDeleteRange = &pb.RequestOp{
Request: &pb.RequestOp_RequestDeleteRange{
RequestDeleteRange: &pb.DeleteRangeRequest{
Key: []byte("foo"),
RangeEnd: []byte("zoo"),
PrevKv: true,
},
},
}
outOfRangeRequestDeleteRange = &pb.RequestOp{
Request: &pb.RequestOp_RequestDeleteRange{
RequestDeleteRange: &pb.DeleteRangeRequest{
Key: []byte("boo"),
RangeEnd: []byte("zoo"),
PrevKv: true,
},
},
}
outOfRangeRequestDeleteRangeKvFalse = &pb.RequestOp{
Request: &pb.RequestOp_RequestDeleteRange{
RequestDeleteRange: &pb.DeleteRangeRequest{
Key: []byte("boo"),
RangeEnd: []byte("zoo"),
PrevKv: false,
},
},
}
)