From 4c63611768ecca1295eeaf0f563a138d184ed28a Mon Sep 17 00:00:00 2001 From: Marcondes Viana Date: Sun, 16 Apr 2023 13:17:58 -0300 Subject: [PATCH 1/8] tests: cover txn.CheckTxnAuth logic with unit tests Signed-off-by: Marcondes Viana --- server/etcdserver/txn/txn_test.go | 254 ++++++++++++++++++++++++++++++ 1 file changed, 254 insertions(+) diff --git a/server/etcdserver/txn/txn_test.go b/server/etcdserver/txn/txn_test.go index 673d363d6..af7f9b437 100644 --- a/server/etcdserver/txn/txn_test.go +++ b/server/etcdserver/txn/txn_test.go @@ -18,13 +18,17 @@ import ( "context" "strings" "testing" + "time" "go.uber.org/zap/zaptest" + "go.etcd.io/etcd/api/v3/authpb" pb "go.etcd.io/etcd/api/v3/etcdserverpb" + "go.etcd.io/etcd/server/v3/auth" "go.etcd.io/etcd/server/v3/lease" betesting "go.etcd.io/etcd/server/v3/storage/backend/testing" "go.etcd.io/etcd/server/v3/storage/mvcc" + "go.etcd.io/etcd/server/v3/storage/schema" "github.com/stretchr/testify/assert" ) 
@@ -94,3 +98,253 @@ func TestWriteTxnPanic(t *testing.T) { assert.Panics(t, func() { Txn(ctx, zaptest.NewLogger(t), txn, false, s, &lease.FakeLessor{}) }, "Expected panic in Txn with writes") } + +func TestCheckTxnAuth(t *testing.T) { + lg := zaptest.NewLogger(t) + + be, _ := betesting.NewDefaultTmpBackend(t) + defer betesting.Close(t, be) + + simpleTokenTTLDefault := 300 * time.Second + tokenTypeSimple := "simple" + dummyIndexWaiter := func(index uint64) <-chan struct{} { + ch := make(chan struct{}, 1) + go func() { + ch <- struct{}{} + }() + return ch + } + + tp, _ := auth.NewTokenProvider(zaptest.NewLogger(t), tokenTypeSimple, dummyIndexWaiter, simpleTokenTTLDefault) + + as := auth.NewAuthStore(lg, schema.NewAuthBackend(lg, be), tp, 4) + + // create "root" user and "foo" user with limited range + if _, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "root"}); err != nil { + t.Fatal(err) + } + if _, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "rw"}); err != nil { + t.Fatal(err) + } + if _, err := as.RoleGrantPermission(&pb.AuthRoleGrantPermissionRequest{ + Name: "rw", + Perm: &authpb.Permission{ + PermType: authpb.READWRITE, + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + }, + }); err != nil { + t.Fatal(err) + } + if _, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "root", Password: "foo"}); err != nil { + t.Fatal(err) + } + if _, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "foo", Password: "foo"}); err != nil { + t.Fatal(err) + } + if _, err := as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "root", Role: "root"}); err != nil { + t.Fatal(err) + } + if _, err := as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "rw"}); err != nil { + t.Fatal(err) + } + + if err := as.AuthEnable(); err != nil { + t.Fatal(err) + } + + tests := []struct { + name string + txnRequest *pb.TxnRequest + err error + }{ + { + name: "Unauthorize out of range compare", + txnRequest: &pb.TxnRequest{ + Compare: []*pb.Compare{ + { + Key: []byte("boo"), + }, + }, + 
Success: []*pb.RequestOp{}, + }, + err: auth.ErrPermissionDenied, + }, + { + name: "No error for nil request range", + txnRequest: &pb.TxnRequest{ + Success: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestRange{ + RequestRange: nil, + }, + }, + }, + }, + err: nil, + }, + { + name: "Authorize request range in range", + txnRequest: &pb.TxnRequest{ + Success: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestRange{ + RequestRange: &pb.RangeRequest{ + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + }, + }, + }, + }, + }, + err: nil, + }, + { + name: "Unauthorize request range out of range", + txnRequest: &pb.TxnRequest{ + Success: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestRange{ + RequestRange: &pb.RangeRequest{ + Key: []byte("boo"), + RangeEnd: []byte("zoo"), + }, + }, + }, + }, + }, + err: auth.ErrPermissionDenied, + }, + { + name: "No error for nil request put", + txnRequest: &pb.TxnRequest{ + Success: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestPut{ + RequestPut: nil, + }, + }, + }, + }, + err: nil, + }, + { + name: "Authorize request pur in range", + txnRequest: &pb.TxnRequest{ + Success: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestPut{ + RequestPut: &pb.PutRequest{ + Key: []byte("foo"), + }, + }, + }, + }, + }, + err: nil, + }, + { + name: "Unauthorized request pur in range", + txnRequest: &pb.TxnRequest{ + Success: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestPut{ + RequestPut: &pb.PutRequest{ + Key: []byte("boo"), + }, + }, + }, + }, + }, + err: auth.ErrPermissionDenied, + }, + { + name: "No error for nil delete range", + txnRequest: &pb.TxnRequest{ + Success: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: nil, + }, + }, + }, + }, + err: nil, + }, + { + name: "Authorize delete range in range compare and rerquest", + txnRequest: &pb.TxnRequest{ + Compare: []*pb.Compare{ + { + Key: []byte("foo"), + }, + }, + Success: []*pb.RequestOp{ + { + Request: 
&pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: &pb.DeleteRangeRequest{ + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + PrevKv: true, + }, + }, + }, + }, + }, + err: nil, + }, + { + name: "Unauthorize delete range out of range keys", + txnRequest: &pb.TxnRequest{ + Compare: []*pb.Compare{ + { + Key: []byte("foo"), + }, + }, + Success: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: &pb.DeleteRangeRequest{ + Key: []byte("boo"), + RangeEnd: []byte("zoo"), + PrevKv: true, + }, + }, + }, + }, + }, + err: auth.ErrPermissionDenied, + }, + { + name: "Unauthorize delete range out of range keys and PrevKv false", + txnRequest: &pb.TxnRequest{ + Compare: []*pb.Compare{ + { + Key: []byte("foo"), + }, + }, + Success: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: &pb.DeleteRangeRequest{ + Key: []byte("boo"), + RangeEnd: []byte("zoo"), + PrevKv: false, + }, + }, + }, + }, + }, + err: auth.ErrPermissionDenied, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := CheckTxnAuth(as, &auth.AuthInfo{Username: "foo", Revision: 8}, tt.txnRequest) + if err != tt.err { + t.Errorf("expected error to be: %v; got: %v", tt.err, err) + } + }) + } +} From 8fb839eac1d917a7027ae1fee09c621694f81ca6 Mon Sep 17 00:00:00 2001 From: Marcondes Viana Date: Sun, 16 Apr 2023 16:59:50 -0300 Subject: [PATCH 2/8] Update server/etcdserver/txn/txn_test.go Signed-off-by: Marcondes Viana Co-authored-by: Marek Siarkowicz --- server/etcdserver/txn/txn_test.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/server/etcdserver/txn/txn_test.go b/server/etcdserver/txn/txn_test.go index af7f9b437..4945868e3 100644 --- a/server/etcdserver/txn/txn_test.go +++ b/server/etcdserver/txn/txn_test.go 
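Review bot: The `Revision: 8` passed in `auth.AuthInfo` in the loop at the end of TestCheckTxnAuth is tied to the exact number of auth mutations in the setup above it, so adding a role or grant can make cases fail on a stale revision rather than on a range decision. Reading it from the store, `&auth.AuthInfo{Username: "foo", Revision: as.Revision()}`, keeps the cases about key ranges. The setup also drops the second result of `auth.NewTokenProvider` (`tp, _ := ...`); if that is an error, as the call shape suggests, `tp, err := auth.NewTokenProvider(...)` followed by `if err != nil { t.Fatal(err) }` would stop the test at the real cause. The same setup lines are moved unchanged into setupAuth by PATCH 6/8.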
@@ -159,7 +159,7 @@ func TestCheckTxnAuth(t *testing.T) { err error }{ { - name: "Unauthorize out of range compare", + name: "Out of range compare is unathorized", txnRequest: &pb.TxnRequest{ Compare: []*pb.Compare{ { @@ -171,7 +171,7 @@ func TestCheckTxnAuth(t *testing.T) { err: auth.ErrPermissionDenied, }, { - name: "No error for nil request range", + name: "Nil request range is always authorized", txnRequest: &pb.TxnRequest{ Success: []*pb.RequestOp{ { @@ -184,7 +184,7 @@ func TestCheckTxnAuth(t *testing.T) { err: nil, }, { - name: "Authorize request range in range", + name: "Range request in range is authorised", txnRequest: &pb.TxnRequest{ Success: []*pb.RequestOp{ { @@ -200,7 +200,7 @@ func TestCheckTxnAuth(t *testing.T) { err: nil, }, { - name: "Unauthorize request range out of range", + name: "Range request out of range is unauthorized", txnRequest: &pb.TxnRequest{ Success: []*pb.RequestOp{ { @@ -216,7 +216,7 @@ func TestCheckTxnAuth(t *testing.T) { err: auth.ErrPermissionDenied, }, { - name: "No error for nil request put", + name: "Nil Put request is authorized", txnRequest: &pb.TxnRequest{ Success: []*pb.RequestOp{ { @@ -229,7 +229,7 @@ func TestCheckTxnAuth(t *testing.T) { err: nil, }, { - name: "Authorize request pur in range", + name: "Put request in range in authorized", txnRequest: &pb.TxnRequest{ Success: []*pb.RequestOp{ { @@ -244,7 +244,7 @@ func TestCheckTxnAuth(t *testing.T) { err: nil, }, { - name: "Unauthorized request pur in range", + name: "Put request out of range is unauthorized", txnRequest: &pb.TxnRequest{ Success: []*pb.RequestOp{ { @@ -259,7 +259,7 @@ func TestCheckTxnAuth(t *testing.T) { err: auth.ErrPermissionDenied, }, { - name: "No error for nil delete range", + name: "Nil delete request is authorized", txnRequest: &pb.TxnRequest{ Success: []*pb.RequestOp{ { From a1a2f43f2fc6a9e599778b9b04c66f0adda80909 Mon Sep 17 00:00:00 2001 From: Marcondes Viana Date: Sun, 16 Apr 2023 17:40:33 -0300 Subject: [PATCH 3/8] fix review 
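Review bot: The renamed case in the `@@ -229,7 +229,7 @@` hunk reads `Put request in range in authorized`, where `is authorized` is evidently meant. Subtest names are what `go test -run` filters and CI logs match on, so the slip is worth fixing before it is copied into later cases. Suggested line: `name: "Put request in range is authorized",`.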
Signed-off-by: Marcondes Viana --- server/etcdserver/txn/txn_test.go | 204 +++++++++++++++++++++++++++--- 1 file changed, 189 insertions(+), 15 deletions(-) diff --git a/server/etcdserver/txn/txn_test.go b/server/etcdserver/txn/txn_test.go index 4945868e3..00be6e260 100644 --- a/server/etcdserver/txn/txn_test.go +++ b/server/etcdserver/txn/txn_test.go @@ -159,7 +159,7 @@ func TestCheckTxnAuth(t *testing.T) { err error }{ { - name: "Out of range compare is unathorized", + name: "Out of range compare is unauthorized", txnRequest: &pb.TxnRequest{ Compare: []*pb.Compare{ { @@ -170,6 +170,18 @@ func TestCheckTxnAuth(t *testing.T) { }, err: auth.ErrPermissionDenied, }, + { + name: "In range compare is authorized", + txnRequest: &pb.TxnRequest{ + Compare: []*pb.Compare{ + { + Key: []byte("foo"), + }, + }, + Success: []*pb.RequestOp{}, + }, + err: nil, + }, { name: "Nil request range is always authorized", txnRequest: &pb.TxnRequest{ @@ -184,7 +196,7 @@ func TestCheckTxnAuth(t *testing.T) { err: nil, }, { - name: "Range request in range is authorised", + name: "Range request in range is authorized", txnRequest: &pb.TxnRequest{ Success: []*pb.RequestOp{ { @@ -196,11 +208,21 @@ func TestCheckTxnAuth(t *testing.T) { }, }, }, + Failure: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestRange{ + RequestRange: &pb.RangeRequest{ + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + }, + }, + }, + }, }, err: nil, }, { - name: "Range request out of range is unauthorized", + name: "Range request out of range success case is unauthorized", txnRequest: &pb.TxnRequest{ Success: []*pb.RequestOp{ { 
@@ -212,11 +234,47 @@ func TestCheckTxnAuth(t *testing.T) { }, }, }, + Failure: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestRange{ + RequestRange: &pb.RangeRequest{ + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + }, + }, + }, + }, + }, + err: auth.ErrPermissionDenied, + }, + { + name: "Range request out of range failure case is unauthorized", + txnRequest: &pb.TxnRequest{ + Success: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestRange{ + RequestRange: &pb.RangeRequest{ + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + }, + }, + }, + }, + Failure: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestRange{ + RequestRange: &pb.RangeRequest{ + Key: []byte("boo"), + RangeEnd: []byte("zoo"), + }, + }, + }, + }, }, err: auth.ErrPermissionDenied, }, { - name: "Nil Put request is authorized", + name: "Nil Put request is always authorized", txnRequest: &pb.TxnRequest{ Success: []*pb.RequestOp{ { @@ -240,11 +298,20 @@ func TestCheckTxnAuth(t *testing.T) { }, }, }, + Failure: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestPut{ + RequestPut: &pb.PutRequest{ + Key: []byte("foo"), + }, + }, + }, + }, }, err: nil, }, { - name: "Put request out of range is unauthorized", + name: "Put request out of range success case is unauthorized", txnRequest: &pb.TxnRequest{ Success: []*pb.RequestOp{ { @@ -255,6 +322,39 @@ func TestCheckTxnAuth(t *testing.T) { }, }, }, + Failure: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestPut{ + RequestPut: &pb.PutRequest{ + Key: []byte("foo"), + }, + }, + }, + }, + }, + err: auth.ErrPermissionDenied, + }, + { + name: "Put request out of range failure case is unauthorized", + txnRequest: &pb.TxnRequest{ + Success: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestPut{ + RequestPut: &pb.PutRequest{ + Key: []byte("foo"), + }, + }, + }, + }, + Failure: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestPut{ + RequestPut: &pb.PutRequest{ + Key: []byte("boo"), + }, + }, + }, + }, }, err: auth.ErrPermissionDenied, }, 
@@ -272,14 +372,20 @@ func TestCheckTxnAuth(t *testing.T) { err: nil, }, { - name: "Authorize delete range in range compare and rerquest", + name: "Delete range request in range is authorized", txnRequest: &pb.TxnRequest{ - Compare: []*pb.Compare{ + Success: []*pb.RequestOp{ { - Key: []byte("foo"), + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: &pb.DeleteRangeRequest{ + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + PrevKv: true, + }, + }, }, }, - Success: []*pb.RequestOp{ + Failure: []*pb.RequestOp{ { Request: &pb.RequestOp_RequestDeleteRange{ RequestDeleteRange: &pb.DeleteRangeRequest{ @@ -294,14 +400,48 @@ func TestCheckTxnAuth(t *testing.T) { err: nil, }, { - name: "Unauthorize delete range out of range keys", + name: "Delete range request out of range success case is unauthorized", txnRequest: &pb.TxnRequest{ - Compare: []*pb.Compare{ + Success: []*pb.RequestOp{ { - Key: []byte("foo"), + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: &pb.DeleteRangeRequest{ + Key: []byte("boo"), + RangeEnd: []byte("zoo"), + PrevKv: true, + }, + }, }, }, + Failure: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: &pb.DeleteRangeRequest{ + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + PrevKv: true, + }, + }, + }, + }, + }, + err: auth.ErrPermissionDenied, + }, + { + name: "Delete range request out of range failure case is unauthorized", + txnRequest: &pb.TxnRequest{ Success: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: &pb.DeleteRangeRequest{ + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + PrevKv: true, + }, + }, + }, + }, + Failure: []*pb.RequestOp{ { Request: &pb.RequestOp_RequestDeleteRange{ RequestDeleteRange: &pb.DeleteRangeRequest{ 
@@ -316,14 +456,48 @@ func TestCheckTxnAuth(t *testing.T) { err: auth.ErrPermissionDenied, }, { - name: "Unauthorize delete range out of range keys and PrevKv false", + name: "Delete range request out of range and PrevKv false success case is unauthorized", txnRequest: &pb.TxnRequest{ - Compare: []*pb.Compare{ + Success: []*pb.RequestOp{ { - Key: []byte("foo"), + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: &pb.DeleteRangeRequest{ + Key: []byte("boo"), + RangeEnd: []byte("zoo"), + PrevKv: false, + }, + }, }, }, + Failure: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: &pb.DeleteRangeRequest{ + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + PrevKv: true, + }, + }, + }, + }, + }, + err: auth.ErrPermissionDenied, + }, + { + name: "Delete range request out of range and PrevKv false failure case is unauthorized", + txnRequest: &pb.TxnRequest{ Success: []*pb.RequestOp{ + { + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: &pb.DeleteRangeRequest{ + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + PrevKv: true, + }, + }, + }, + }, + Failure: []*pb.RequestOp{ { Request: &pb.RequestOp_RequestDeleteRange{ RequestDeleteRange: &pb.DeleteRangeRequest{ From 41b1d36bd97ade5083a98ff1a33c6a1db4a61e68 Mon Sep 17 00:00:00 2001 From: Marcondes Viana Date: Sun, 16 Apr 2023 17:44:40 -0300 Subject: [PATCH 4/8] fix review Signed-off-by: Marcondes Viana --- server/etcdserver/txn/txn_test.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/server/etcdserver/txn/txn_test.go b/server/etcdserver/txn/txn_test.go index 00be6e260..afc9c5933 100644 --- a/server/etcdserver/txn/txn_test.go +++ b/server/etcdserver/txn/txn_test.go @@ -163,7 +163,8 @@ func TestCheckTxnAuth(t *testing.T) { txnRequest: &pb.TxnRequest{ Compare: []*pb.Compare{ { - Key: []byte("boo"), + Key: []byte("boo"), + RangeEnd: []byte("zoo"), }, }, Success: []*pb.RequestOp{}, 
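Review bot: The two `PrevKv: false` cases in this hunk exercise the same decision as the `PrevKv: true` cases in the previous hunk: every case runs as user "foo", whose role was granted `authpb.READWRITE`, and the denied key `boo` lies outside the grant either way, so the flag never changes the outcome. If CheckTxnAuth requires read permission when a delete asks for the previous values (the case names suggest it, but the function is not on this page), the case that pins it is an in-range delete with `PrevKv: true` issued by a user whose role grants only `authpb.WRITE`, expected to return `auth.ErrPermissionDenied`. That needs a second role and user in the setup and a per-case user name in the table, sketched below; the setup and the test loop are outside this hunk. The hard-coded `Revision: 8` in the loop would have to follow the extra setup steps.

```go
// … unchanged: existing roles, users and grants for "root" and "foo" …
if _, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "wo"}); err != nil {
	t.Fatal(err)
}
if _, err := as.RoleGrantPermission(&pb.AuthRoleGrantPermissionRequest{
	Name: "wo",
	Perm: &authpb.Permission{
		PermType: authpb.WRITE,
		Key:      []byte("foo"),
		RangeEnd: []byte("zoo"),
	},
}); err != nil {
	t.Fatal(err)
}
// … likewise UserAdd and UserGrantRole for a user bound to "wo", before AuthEnable …

// … unchanged: existing table cases …
{
	name: "Delete range request in range with PrevKv needs read permission",
	user: "writer", // new per-case field; the existing cases would carry "foo"
	txnRequest: &pb.TxnRequest{
		Success: []*pb.RequestOp{
			{
				Request: &pb.RequestOp_RequestDeleteRange{
					RequestDeleteRange: &pb.DeleteRangeRequest{
						Key:      []byte("foo"),
						RangeEnd: []byte("zoo"),
						PrevKv:   true,
					},
				},
			},
		},
	},
	err: auth.ErrPermissionDenied,
},
```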
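Review bot: With `RangeEnd: []byte("zoo")` added to both compare cases, the table no longer has a single-key compare, and every denied range on the page starts below the grant (`boo` sorts before `foo`); nothing checks a range that starts inside the grant and runs past its end. A compare such as `Key: []byte("foo"), RangeEnd: []byte("zoz")` expecting `auth.ErrPermissionDenied` would pin the upper bound, assuming the grant is treated as the half-open range from `foo` to `zoo`. Keeping one compare with only `Key: []byte("foo")` would keep the single-key path covered. The same applies to the second hunk of this patch (`@@ -175,7 +176,8 @@`); the table entries start before both hunks.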
@@ -175,7 +176,8 @@ func TestCheckTxnAuth(t *testing.T) { txnRequest: &pb.TxnRequest{ Compare: []*pb.Compare{ { - Key: []byte("foo"), + Key: []byte("foo"), + RangeEnd: []byte("zoo"), }, }, Success: []*pb.RequestOp{}, From 7a7e09d3a59db83df49b42205e195e80669b3f19 Mon Sep 17 00:00:00 2001 From: Marcondes Viana Date: Sun, 16 Apr 2023 19:59:47 -0300 Subject: [PATCH 5/8] fix review: group calls Signed-off-by: Marcondes Viana --- server/etcdserver/txn/txn_test.go | 378 ++++++++++-------------------- 1 file changed, 119 insertions(+), 259 deletions(-) diff --git a/server/etcdserver/txn/txn_test.go b/server/etcdserver/txn/txn_test.go index afc9c5933..3b436782c 100644 --- a/server/etcdserver/txn/txn_test.go +++ b/server/etcdserver/txn/txn_test.go 
@@ -153,6 +153,98 @@ func TestCheckTxnAuth(t *testing.T) { t.Fatal(err) } + inRangeCompare := &pb.Compare{ + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + } + + outOfRangeCompare := &pb.Compare{ + Key: []byte("boo"), + RangeEnd: []byte("zoo"), + } + + nilRequestPut := &pb.RequestOp{ + Request: &pb.RequestOp_RequestPut{ + RequestPut: nil, + }, + } + + inRangeRequestPut := &pb.RequestOp{ + Request: &pb.RequestOp_RequestPut{ + RequestPut: &pb.PutRequest{ + Key: []byte("foo"), + }, + }, + } + + outOfRangeRequestPut := &pb.RequestOp{ + Request: &pb.RequestOp_RequestPut{ + RequestPut: &pb.PutRequest{ + Key: []byte("boo"), + }, + }, + } + + nilRequestRange := &pb.RequestOp{ + Request: &pb.RequestOp_RequestRange{ + RequestRange: nil, + }, + } + + inRangeRequestRange := &pb.RequestOp{ + Request: &pb.RequestOp_RequestRange{ + RequestRange: &pb.RangeRequest{ + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + }, + }, + } + + outOfRangeRequestRange := &pb.RequestOp{ + Request: &pb.RequestOp_RequestRange{ + RequestRange: &pb.RangeRequest{ + Key: []byte("boo"), + RangeEnd: []byte("zoo"), + }, + }, + } + + nilRequestDeleteRange := &pb.RequestOp{ + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: nil, + }, + } + + inRangeRequestDeleteRange := &pb.RequestOp{ + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: &pb.DeleteRangeRequest{ + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + PrevKv: true, + }, + }, + } + + outOfRangeRequestDeleteRange := &pb.RequestOp{ + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: &pb.DeleteRangeRequest{ + Key: []byte("boo"), + RangeEnd: []byte("zoo"), + PrevKv: true, + }, + }, + } + + outOfRangeRequestDeleteRangeKvFalse := &pb.RequestOp{ + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: &pb.DeleteRangeRequest{ + Key: []byte("boo"), + RangeEnd: []byte("zoo"), + PrevKv: false, + }, + }, + } + tests := []struct { name string txnRequest *pb.TxnRequest 
@@ -161,355 +253,123 @@ func TestCheckTxnAuth(t *testing.T) { { name: "Out of range compare is unauthorized", txnRequest: &pb.TxnRequest{ - Compare: []*pb.Compare{ - { - Key: []byte("boo"), - RangeEnd: []byte("zoo"), - }, - }, - Success: []*pb.RequestOp{}, + Compare: []*pb.Compare{outOfRangeCompare}, }, err: auth.ErrPermissionDenied, }, { name: "In range compare is authorized", txnRequest: &pb.TxnRequest{ - Compare: []*pb.Compare{ - { - Key: []byte("foo"), - RangeEnd: []byte("zoo"), - }, - }, - Success: []*pb.RequestOp{}, + Compare: []*pb.Compare{inRangeCompare}, }, err: nil, }, { name: "Nil request range is always authorized", txnRequest: &pb.TxnRequest{ - Success: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestRange{ - RequestRange: nil, - }, - }, - }, + Success: []*pb.RequestOp{nilRequestRange}, }, err: nil, }, { name: "Range request in range is authorized", txnRequest: &pb.TxnRequest{ - Success: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestRange{ - RequestRange: &pb.RangeRequest{ - Key: []byte("foo"), - RangeEnd: []byte("zoo"), - }, - }, - }, - }, - Failure: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestRange{ - RequestRange: &pb.RangeRequest{ - Key: []byte("foo"), - RangeEnd: []byte("zoo"), - }, - }, - }, - }, + Success: []*pb.RequestOp{inRangeRequestRange}, + Failure: []*pb.RequestOp{inRangeRequestRange}, }, err: nil, }, { name: "Range request out of range success case is unauthorized", txnRequest: &pb.TxnRequest{ - Success: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestRange{ - RequestRange: &pb.RangeRequest{ - Key: []byte("boo"), - RangeEnd: []byte("zoo"), - }, - }, - }, - }, - Failure: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestRange{ - RequestRange: &pb.RangeRequest{ - Key: []byte("foo"), - RangeEnd: []byte("zoo"), - }, - }, - }, - }, + Success: []*pb.RequestOp{outOfRangeRequestRange}, + Failure: []*pb.RequestOp{inRangeRequestRange}, }, err: auth.ErrPermissionDenied, }, { name: "Range request out of range failure case 
is unauthorized", txnRequest: &pb.TxnRequest{ - Success: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestRange{ - RequestRange: &pb.RangeRequest{ - Key: []byte("foo"), - RangeEnd: []byte("zoo"), - }, - }, - }, - }, - Failure: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestRange{ - RequestRange: &pb.RangeRequest{ - Key: []byte("boo"), - RangeEnd: []byte("zoo"), - }, - }, - }, - }, + Success: []*pb.RequestOp{inRangeRequestRange}, + Failure: []*pb.RequestOp{outOfRangeRequestRange}, }, err: auth.ErrPermissionDenied, }, { name: "Nil Put request is always authorized", txnRequest: &pb.TxnRequest{ - Success: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestPut{ - RequestPut: nil, - }, - }, - }, + Success: []*pb.RequestOp{nilRequestPut}, }, err: nil, }, { name: "Put request in range in authorized", txnRequest: &pb.TxnRequest{ - Success: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestPut{ - RequestPut: &pb.PutRequest{ - Key: []byte("foo"), - }, - }, - }, - }, - Failure: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestPut{ - RequestPut: &pb.PutRequest{ - Key: []byte("foo"), - }, - }, - }, - }, + Success: []*pb.RequestOp{inRangeRequestPut}, + Failure: []*pb.RequestOp{inRangeRequestPut}, }, err: nil, }, { name: "Put request out of range success case is unauthorized", txnRequest: &pb.TxnRequest{ - Success: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestPut{ - RequestPut: &pb.PutRequest{ - Key: []byte("boo"), - }, - }, - }, - }, - Failure: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestPut{ - RequestPut: &pb.PutRequest{ - Key: []byte("foo"), - }, - }, - }, - }, + Success: []*pb.RequestOp{outOfRangeRequestPut}, + Failure: []*pb.RequestOp{inRangeRequestPut}, }, err: auth.ErrPermissionDenied, }, { name: "Put request out of range failure case is unauthorized", txnRequest: &pb.TxnRequest{ - Success: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestPut{ - RequestPut: &pb.PutRequest{ - Key: []byte("foo"), - }, - }, - }, - }, - Failure: 
[]*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestPut{ - RequestPut: &pb.PutRequest{ - Key: []byte("boo"), - }, - }, - }, - }, + Success: []*pb.RequestOp{inRangeRequestPut}, + Failure: []*pb.RequestOp{outOfRangeRequestPut}, }, err: auth.ErrPermissionDenied, }, { name: "Nil delete request is authorized", txnRequest: &pb.TxnRequest{ - Success: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestDeleteRange{ - RequestDeleteRange: nil, - }, - }, - }, + Success: []*pb.RequestOp{nilRequestDeleteRange}, }, err: nil, }, { name: "Delete range request in range is authorized", txnRequest: &pb.TxnRequest{ - Success: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestDeleteRange{ - RequestDeleteRange: &pb.DeleteRangeRequest{ - Key: []byte("foo"), - RangeEnd: []byte("zoo"), - PrevKv: true, - }, - }, - }, - }, - Failure: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestDeleteRange{ - RequestDeleteRange: &pb.DeleteRangeRequest{ - Key: []byte("foo"), - RangeEnd: []byte("zoo"), - PrevKv: true, - }, - }, - }, - }, + Success: []*pb.RequestOp{inRangeRequestDeleteRange}, + Failure: []*pb.RequestOp{inRangeRequestDeleteRange}, }, err: nil, }, { name: "Delete range request out of range success case is unauthorized", txnRequest: &pb.TxnRequest{ - Success: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestDeleteRange{ - RequestDeleteRange: &pb.DeleteRangeRequest{ - Key: []byte("boo"), - RangeEnd: []byte("zoo"), - PrevKv: true, - }, - }, - }, - }, - Failure: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestDeleteRange{ - RequestDeleteRange: &pb.DeleteRangeRequest{ - Key: []byte("foo"), - RangeEnd: []byte("zoo"), - PrevKv: true, - }, - }, - }, - }, + Success: []*pb.RequestOp{outOfRangeRequestDeleteRange}, + Failure: []*pb.RequestOp{inRangeRequestDeleteRange}, }, err: auth.ErrPermissionDenied, }, { name: "Delete range request out of range failure case is unauthorized", txnRequest: &pb.TxnRequest{ - Success: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestDeleteRange{ - 
RequestDeleteRange: &pb.DeleteRangeRequest{ - Key: []byte("foo"), - RangeEnd: []byte("zoo"), - PrevKv: true, - }, - }, - }, - }, - Failure: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestDeleteRange{ - RequestDeleteRange: &pb.DeleteRangeRequest{ - Key: []byte("boo"), - RangeEnd: []byte("zoo"), - PrevKv: true, - }, - }, - }, - }, + Success: []*pb.RequestOp{inRangeRequestDeleteRange}, + Failure: []*pb.RequestOp{outOfRangeRequestDeleteRange}, }, err: auth.ErrPermissionDenied, }, { name: "Delete range request out of range and PrevKv false success case is unauthorized", txnRequest: &pb.TxnRequest{ - Success: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestDeleteRange{ - RequestDeleteRange: &pb.DeleteRangeRequest{ - Key: []byte("boo"), - RangeEnd: []byte("zoo"), - PrevKv: false, - }, - }, - }, - }, - Failure: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestDeleteRange{ - RequestDeleteRange: &pb.DeleteRangeRequest{ - Key: []byte("foo"), - RangeEnd: []byte("zoo"), - PrevKv: true, - }, - }, - }, - }, + Success: []*pb.RequestOp{outOfRangeRequestDeleteRangeKvFalse}, + Failure: []*pb.RequestOp{inRangeRequestDeleteRange}, }, err: auth.ErrPermissionDenied, }, { name: "Delete range request out of range and PrevKv false failure case is unauthorized", txnRequest: &pb.TxnRequest{ - Success: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestDeleteRange{ - RequestDeleteRange: &pb.DeleteRangeRequest{ - Key: []byte("foo"), - RangeEnd: []byte("zoo"), - PrevKv: true, - }, - }, - }, - }, - Failure: []*pb.RequestOp{ - { - Request: &pb.RequestOp_RequestDeleteRange{ - RequestDeleteRange: &pb.DeleteRangeRequest{ - Key: []byte("boo"), - RangeEnd: []byte("zoo"), - PrevKv: false, - }, - }, - }, - }, + Success: []*pb.RequestOp{inRangeRequestDeleteRange}, + Failure: []*pb.RequestOp{outOfRangeRequestDeleteRangeKvFalse}, }, err: auth.ErrPermissionDenied, }, From 3654552fe8de1243c07bf091e414ca311261a429 Mon Sep 17 00:00:00 2001 
From: Marcondes Viana Date: Mon, 17 Apr 2023 08:19:10 -0300 Subject: [PATCH 6/8] fix review: move setup and vars Signed-off-by: Marcondes Viana --- server/etcdserver/txn/txn_test.go | 283 +++++++++++++++--------------- 1 file changed, 141 insertions(+), 142 deletions(-) diff --git a/server/etcdserver/txn/txn_test.go b/server/etcdserver/txn/txn_test.go index 3b436782c..0f6ccaf2a 100644 --- a/server/etcdserver/txn/txn_test.go +++ b/server/etcdserver/txn/txn_test.go @@ -26,6 +26,7 @@ import ( pb "go.etcd.io/etcd/api/v3/etcdserverpb" "go.etcd.io/etcd/server/v3/auth" "go.etcd.io/etcd/server/v3/lease" + "go.etcd.io/etcd/server/v3/storage/backend" betesting "go.etcd.io/etcd/server/v3/storage/backend/testing" "go.etcd.io/etcd/server/v3/storage/mvcc" "go.etcd.io/etcd/server/v3/storage/schema" 
@@ -100,150 +101,9 @@ func TestWriteTxnPanic(t *testing.T) { } func TestCheckTxnAuth(t *testing.T) { - lg := zaptest.NewLogger(t) - be, _ := betesting.NewDefaultTmpBackend(t) defer betesting.Close(t, be) - - simpleTokenTTLDefault := 300 * time.Second - tokenTypeSimple := "simple" - dummyIndexWaiter := func(index uint64) <-chan struct{} { - ch := make(chan struct{}, 1) - go func() { - ch <- struct{}{} - }() - return ch - } - - tp, _ := auth.NewTokenProvider(zaptest.NewLogger(t), tokenTypeSimple, dummyIndexWaiter, simpleTokenTTLDefault) - - as := auth.NewAuthStore(lg, schema.NewAuthBackend(lg, be), tp, 4) - - // create "root" user and "foo" user with limited range - if _, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "root"}); err != nil { - t.Fatal(err) - } - if _, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "rw"}); err != nil { - t.Fatal(err) - } - if _, err := as.RoleGrantPermission(&pb.AuthRoleGrantPermissionRequest{ - Name: "rw", - Perm: &authpb.Permission{ - PermType: authpb.READWRITE, - Key: []byte("foo"), - RangeEnd: []byte("zoo"), - }, - }); err != nil { - t.Fatal(err) - } - if _, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "root", Password: "foo"}); err != nil { - t.Fatal(err) - } - if _, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "foo", Password: "foo"}); err != nil { - t.Fatal(err) - } - if _, err := as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "root", Role: "root"}); err != nil { - t.Fatal(err) - } - if _, err := as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "rw"}); err != nil { - t.Fatal(err) - } - - if err := as.AuthEnable(); err != nil { - t.Fatal(err) - } - - inRangeCompare := &pb.Compare{ - Key: []byte("foo"), - RangeEnd: []byte("zoo"), - } - - outOfRangeCompare := &pb.Compare{ - Key: []byte("boo"), - RangeEnd: []byte("zoo"), - } - - nilRequestPut := &pb.RequestOp{ - Request: &pb.RequestOp_RequestPut{ - RequestPut: nil, - }, - } - - inRangeRequestPut := &pb.RequestOp{ - Request: &pb.RequestOp_RequestPut{ - 
RequestPut: &pb.PutRequest{ - Key: []byte("foo"), - }, - }, - } - - outOfRangeRequestPut := &pb.RequestOp{ - Request: &pb.RequestOp_RequestPut{ - RequestPut: &pb.PutRequest{ - Key: []byte("boo"), - }, - }, - } - - nilRequestRange := &pb.RequestOp{ - Request: &pb.RequestOp_RequestRange{ - RequestRange: nil, - }, - } - - inRangeRequestRange := &pb.RequestOp{ - Request: &pb.RequestOp_RequestRange{ - RequestRange: &pb.RangeRequest{ - Key: []byte("foo"), - RangeEnd: []byte("zoo"), - }, - }, - } - - outOfRangeRequestRange := &pb.RequestOp{ - Request: &pb.RequestOp_RequestRange{ - RequestRange: &pb.RangeRequest{ - Key: []byte("boo"), - RangeEnd: []byte("zoo"), - }, - }, - } - - nilRequestDeleteRange := &pb.RequestOp{ - Request: &pb.RequestOp_RequestDeleteRange{ - RequestDeleteRange: nil, - }, - } - - inRangeRequestDeleteRange := &pb.RequestOp{ - Request: &pb.RequestOp_RequestDeleteRange{ - RequestDeleteRange: &pb.DeleteRangeRequest{ - Key: []byte("foo"), - RangeEnd: []byte("zoo"), - PrevKv: true, - }, - }, - } - - outOfRangeRequestDeleteRange := &pb.RequestOp{ - Request: &pb.RequestOp_RequestDeleteRange{ - RequestDeleteRange: &pb.DeleteRangeRequest{ - Key: []byte("boo"), - RangeEnd: []byte("zoo"), - PrevKv: true, - }, - }, - } - - outOfRangeRequestDeleteRangeKvFalse := &pb.RequestOp{ - Request: &pb.RequestOp_RequestDeleteRange{ - RequestDeleteRange: &pb.DeleteRangeRequest{ - Key: []byte("boo"), - RangeEnd: []byte("zoo"), - PrevKv: false, - }, - }, - } + as := setupAuth(t, be) tests := []struct { name string 
@@ -384,3 +244,142 @@ func TestCheckTxnAuth(t *testing.T) { }) } } + +// CheckTxnAuth test setup. +func setupAuth(t *testing.T, be backend.Backend) auth.AuthStore { + lg := zaptest.NewLogger(t) + + simpleTokenTTLDefault := 300 * time.Second + tokenTypeSimple := "simple" + dummyIndexWaiter := func(index uint64) <-chan struct{} { + ch := make(chan struct{}, 1) + go func() { + ch <- struct{}{} + }() + return ch + } + + tp, _ := auth.NewTokenProvider(zaptest.NewLogger(t), tokenTypeSimple, dummyIndexWaiter, simpleTokenTTLDefault) + + as := auth.NewAuthStore(lg, schema.NewAuthBackend(lg, be), tp, 4) + + // create "root" user and "foo" user with limited range + if _, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "root"}); err != nil { + t.Fatal(err) + } + if _, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "rw"}); err != nil { + t.Fatal(err) + } + if _, err := as.RoleGrantPermission(&pb.AuthRoleGrantPermissionRequest{ + Name: "rw", + Perm: &authpb.Permission{ + PermType: authpb.READWRITE, + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + }, + }); err != nil { + t.Fatal(err) + } + if _, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "root", Password: "foo"}); err != nil { + t.Fatal(err) + } + if _, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "foo", Password: "foo"}); err != nil { + t.Fatal(err) + } + if _, err := as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "root", Role: "root"}); err != nil { + t.Fatal(err) + } + if _, err := as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "rw"}); err != nil { + t.Fatal(err) + } + + if err := as.AuthEnable(); err != nil { + t.Fatal(err) + } + + return as +} + +// CheckTxnAuth variables setup. 
+var ( + inRangeCompare = &pb.Compare{ + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + } + outOfRangeCompare = &pb.Compare{ + Key: []byte("boo"), + RangeEnd: []byte("zoo"), + } + nilRequestPut = &pb.RequestOp{ + Request: &pb.RequestOp_RequestPut{ + RequestPut: nil, + }, + } + inRangeRequestPut = &pb.RequestOp{ + Request: &pb.RequestOp_RequestPut{ + RequestPut: &pb.PutRequest{ + Key: []byte("foo"), + }, + }, + } + outOfRangeRequestPut = &pb.RequestOp{ + Request: &pb.RequestOp_RequestPut{ + RequestPut: &pb.PutRequest{ + Key: []byte("boo"), + }, + }, + } + nilRequestRange = &pb.RequestOp{ + Request: &pb.RequestOp_RequestRange{ + RequestRange: nil, + }, + } + inRangeRequestRange = &pb.RequestOp{ + Request: &pb.RequestOp_RequestRange{ + RequestRange: &pb.RangeRequest{ + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + }, + }, + } + outOfRangeRequestRange = &pb.RequestOp{ + Request: &pb.RequestOp_RequestRange{ + RequestRange: &pb.RangeRequest{ + Key: []byte("boo"), + RangeEnd: []byte("zoo"), + }, + }, + } + nilRequestDeleteRange = &pb.RequestOp{ + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: nil, + }, + } + inRangeRequestDeleteRange = &pb.RequestOp{ + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: &pb.DeleteRangeRequest{ + Key: []byte("foo"), + RangeEnd: []byte("zoo"), + PrevKv: true, + }, + }, + } + outOfRangeRequestDeleteRange = &pb.RequestOp{ + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: &pb.DeleteRangeRequest{ + Key: []byte("boo"), + RangeEnd: []byte("zoo"), + PrevKv: true, + }, + }, + } + outOfRangeRequestDeleteRangeKvFalse = &pb.RequestOp{ + Request: &pb.RequestOp_RequestDeleteRange{ + RequestDeleteRange: &pb.DeleteRangeRequest{ + Key: []byte("boo"), + RangeEnd: []byte("zoo"), + PrevKv: false, + }, + }, + } +) From ecc7441ba1ee942835e2785b998d6ccb371f923f Mon Sep 17 00:00:00 2001 From: Marcondes Viana Date: Tue, 18 Apr 2023 10:02:03 -0300 Subject: [PATCH 7/8] fix review: use assert lib 
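Review bot: In the added `setupAuth`, `tp, _ := auth.NewTokenProvider(...)` discards the constructor's error, so a failed token-provider setup would hand a possibly nil provider to `auth.NewAuthStore` and surface later as an unrelated failure in the authorization cases. Check it where it happens: `tp, err := auth.NewTokenProvider(zaptest.NewLogger(t), tokenTypeSimple, dummyIndexWaiter, simpleTokenTTLDefault)` followed by `if err != nil { t.Fatal(err) }`. Since the function is a test helper, `t.Helper()` as its first statement would make those failures point at the calling test. The package-level request fixtures added after it are shared pointers, so a test that mutates one would affect every other test in the package; a short comment marking them read-only would help.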
Signed-off-by: Marcondes Viana --- server/etcdserver/txn/txn_test.go | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/server/etcdserver/txn/txn_test.go b/server/etcdserver/txn/txn_test.go index 0f6ccaf2a..6062a5f44 100644 --- a/server/etcdserver/txn/txn_test.go +++ b/server/etcdserver/txn/txn_test.go @@ -32,6 +32,7 @@ import ( "go.etcd.io/etcd/server/v3/storage/schema" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" ) func TestReadonlyTxnError(t *testing.T) { @@ -238,9 +239,7 @@ func TestCheckTxnAuth(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { err := CheckTxnAuth(as, &auth.AuthInfo{Username: "foo", Revision: 8}, tt.txnRequest) - if err != tt.err { - t.Errorf("expected error to be: %v; got: %v", tt.err, err) - } + assert.Equal(t, tt.err, err) }) } } @@ -265,10 +264,10 @@ func setupAuth(t *testing.T, be backend.Backend) auth.AuthStore { // create "root" user and "foo" user with limited range if _, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "root"}); err != nil { - t.Fatal(err) + require.NoError(t, err) } if _, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "rw"}); err != nil { - t.Fatal(err) + require.NoError(t, err) } if _, err := as.RoleGrantPermission(&pb.AuthRoleGrantPermissionRequest{ Name: "rw", 
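Review bot: The `Revision: 8` passed in `auth.AuthInfo` on the `CheckTxnAuth` call is a magic number that presumably has to keep up with the auth store revision produced by the mutations in `setupAuth`; adding a setup step could then make every case fail on a stale revision rather than on the permission under test. Reading it from the store, `&auth.AuthInfo{Username: "foo", Revision: as.Revision()}`, removes that coupling. For the new assertion, `assert.ErrorIs(t, err, tt.err)` states the intent for the sentinel-error cases more directly than `assert.Equal`, which would stop matching if the error were ever wrapped. The loop sits inside TestCheckTxnAuth, whose body starts outside this hunk.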
@@ -278,23 +277,23 @@ func setupAuth(t *testing.T, be backend.Backend) auth.AuthStore { RangeEnd: []byte("zoo"), }, }); err != nil { - t.Fatal(err) + require.NoError(t, err) } if _, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "root", Password: "foo"}); err != nil { - t.Fatal(err) + require.NoError(t, err) } if _, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "foo", Password: "foo"}); err != nil { - t.Fatal(err) + require.NoError(t, err) } if _, err := as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "root", Role: "root"}); err != nil { - t.Fatal(err) + require.NoError(t, err) } if _, err := as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "rw"}); err != nil { - t.Fatal(err) + require.NoError(t, err) } if err := as.AuthEnable(); err != nil { - t.Fatal(err) + require.NoError(t, err) } return as From 9d14ae43c24547ad502a12b713c97362904f6bcf Mon Sep 17 00:00:00 2001 From: Marcondes Viana Date: Tue, 18 Apr 2023 10:43:13 -0300 Subject: [PATCH 8/8] fix review: remove if on error check Signed-off-by: Marcondes Viana --- server/etcdserver/txn/txn_test.go | 48 +++++++++++++++---------------- 1 file changed, 23 insertions(+), 25 deletions(-) diff --git a/server/etcdserver/txn/txn_test.go b/server/etcdserver/txn/txn_test.go index 6062a5f44..52937a8a0 100644 --- a/server/etcdserver/txn/txn_test.go +++ b/server/etcdserver/txn/txn_test.go 
@@ -263,38 +263,36 @@ func setupAuth(t *testing.T, be backend.Backend) auth.AuthStore { as := auth.NewAuthStore(lg, schema.NewAuthBackend(lg, be), tp, 4) // create "root" user and "foo" user with limited range - if _, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "root"}); err != nil { - require.NoError(t, err) - } - if _, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "rw"}); err != nil { - require.NoError(t, err) - } - if _, err := as.RoleGrantPermission(&pb.AuthRoleGrantPermissionRequest{ + _, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "root"}) + require.NoError(t, err) + + _, err = as.RoleAdd(&pb.AuthRoleAddRequest{Name: "rw"}) + require.NoError(t, err) + + _, err = as.RoleGrantPermission(&pb.AuthRoleGrantPermissionRequest{ Name: "rw", Perm: &authpb.Permission{ PermType: authpb.READWRITE, Key: []byte("foo"), RangeEnd: []byte("zoo"), }, - }); err != nil { - require.NoError(t, err) - } - if _, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "root", Password: "foo"}); err != nil { - require.NoError(t, err) - } - if _, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "foo", Password: "foo"}); err != nil { - require.NoError(t, err) - } - if _, err := as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "root", Role: "root"}); err != nil { - require.NoError(t, err) - } - if _, err := as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "rw"}); err != nil { - require.NoError(t, err) - } + }) + require.NoError(t, err) - if err := as.AuthEnable(); err != nil { - require.NoError(t, err) - } + _, err = as.UserAdd(&pb.AuthUserAddRequest{Name: "root", Password: "foo"}) + require.NoError(t, err) + + _, err = as.UserAdd(&pb.AuthUserAddRequest{Name: "foo", Password: "foo"}) + require.NoError(t, err) + + _, err = as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "root", Role: "root"}) + require.NoError(t, err) + + _, err = as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "rw"}) + require.NoError(t, err) + + err = as.AuthEnable() + 
require.NoError(t, err) return as }
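Review bot: The comment `// create "root" user and "foo" user with limited range` does not say what the limit is, although the permitted and denied cases of the authorization test depend on it. Something like `// "foo" gets READWRITE on [foo, zoo) through role "rw"; "boo" sorts before "foo" and is therefore outside the grant` would let a reader verify the expected errors without decoding the fixtures. setupAuth begins outside this hunk.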