From c62f01e5fe1328efe50c8ef4ca5d69de6f7eb59e Mon Sep 17 00:00:00 2001
From: Piotr Tabor
Date: Tue, 5 Apr 2022 10:06:35 +0200
Subject: [PATCH] Move CheckTxnAuth to txn.
---
 server/etcdserver/apply/apply_auth.go | 15 +------
 server/etcdserver/txn/txn.go | 56 +++++++++++++++++++++++++++
 server/etcdserver/v3_server.go | 2 +-
 3 files changed, 59 insertions(+), 14 deletions(-)
diff --git a/server/etcdserver/apply/apply_auth.go b/server/etcdserver/apply/apply_auth.go
index c42ec181f..947d82840 100644
--- a/server/etcdserver/apply/apply_auth.go
+++ b/server/etcdserver/apply/apply_auth.go
@@ -22,6 +22,7 @@ import (
 "go.etcd.io/etcd/pkg/v3/traceutil"
 "go.etcd.io/etcd/server/v3/auth"
 "go.etcd.io/etcd/server/v3/etcdserver/api/membership"
+ "go.etcd.io/etcd/server/v3/etcdserver/txn"
 "go.etcd.io/etcd/server/v3/lease"
 "go.etcd.io/etcd/server/v3/storage/mvcc"
 )
@@ -150,20 +151,8 @@ func checkTxnReqsPermission(as auth.AuthStore, ai *auth.AuthInfo, reqs []*pb.Req
 return nil
 }
-func CheckTxnAuth(as auth.AuthStore, ai *auth.AuthInfo, rt *pb.TxnRequest) error {
- for _, c := range rt.Compare {
- if err := as.IsRangePermitted(ai, c.Key, c.RangeEnd); err != nil {
- return err
- }
- }
- if err := checkTxnReqsPermission(as, ai, rt.Success); err != nil {
- return err
- }
- return checkTxnReqsPermission(as, ai, rt.Failure)
-}
-
 func (aa *authApplierV3) Txn(ctx context.Context, rt *pb.TxnRequest) (*pb.TxnResponse, *traceutil.Trace, error) {
- if err := CheckTxnAuth(aa.as, &aa.authInfo, rt); err != nil {
+ if err := txn.CheckTxnAuth(aa.as, &aa.authInfo, rt); err != nil {
 return nil, nil, err
 }
 return aa.applierV3.Txn(ctx, rt)
diff --git a/server/etcdserver/txn/txn.go b/server/etcdserver/txn/txn.go
index ab33ebd9b..7e4d5a1ab 100644
--- a/server/etcdserver/txn/txn.go
+++ b/server/etcdserver/txn/txn.go
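Review bot: `checkTxnReqsPermission` stays behind in server/etcdserver/apply/apply_auth.go (second hunk: the context lines above the removed `CheckTxnAuth` are its tail), while a function with the same name and signature is added to txn/txn.go, so the per-operation authorization logic now lives in two packages. The only caller visible in this diff was the removed `CheckTxnAuth`; if nothing else in the apply package calls it, the apply copy should be deleted in the same commit, so that a later fix to the permission checks cannot land in one copy and be missed in the other. The function's body starts outside the hunk, so remaining callers cannot be ruled out from here.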
@@ -22,6 +22,7 @@ import (
 pb "go.etcd.io/etcd/api/v3/etcdserverpb"
 "go.etcd.io/etcd/api/v3/mvccpb"
 "go.etcd.io/etcd/pkg/v3/traceutil"
+ "go.etcd.io/etcd/server/v3/auth"
 "go.etcd.io/etcd/server/v3/etcdserver/etcderrors"
 "go.etcd.io/etcd/server/v3/lease"
 "go.etcd.io/etcd/server/v3/storage/mvcc"
@@ -624,3 +625,58 @@ func IsTxnReadonly(r *pb.TxnRequest) bool {
 }
 return true
 }
+
+func CheckTxnAuth(as auth.AuthStore, ai *auth.AuthInfo, rt *pb.TxnRequest) error {
+ for _, c := range rt.Compare {
+ if err := as.IsRangePermitted(ai, c.Key, c.RangeEnd); err != nil {
+ return err
+ }
+ }
+ if err := checkTxnReqsPermission(as, ai, rt.Success); err != nil {
+ return err
+ }
+ return checkTxnReqsPermission(as, ai, rt.Failure)
+}
+
+func checkTxnReqsPermission(as auth.AuthStore, ai *auth.AuthInfo, reqs []*pb.RequestOp) error {
+ for _, requ := range reqs {
+ switch tv := requ.Request.(type) {
+ case *pb.RequestOp_RequestRange:
+ if tv.RequestRange == nil {
+ continue
+ }
+
+ if err := as.IsRangePermitted(ai, tv.RequestRange.Key, tv.RequestRange.RangeEnd); err != nil {
+ return err
+ }
+
+ case *pb.RequestOp_RequestPut:
+ if tv.RequestPut == nil {
+ continue
+ }
+
+ if err := as.IsPutPermitted(ai, tv.RequestPut.Key); err != nil {
+ return err
+ }
+
+ case *pb.RequestOp_RequestDeleteRange:
+ if tv.RequestDeleteRange == nil {
+ continue
+ }
+
+ if tv.RequestDeleteRange.PrevKv {
+ err := as.IsRangePermitted(ai, tv.RequestDeleteRange.Key, tv.RequestDeleteRange.RangeEnd)
+ if err != nil {
+ return err
+ }
+ }
+
+ err := as.IsDeleteRangePermitted(ai, tv.RequestDeleteRange.Key, tv.RequestDeleteRange.RangeEnd)
+ if err != nil {
+ return err
+ }
+ }
+ }
+
+ return nil
+}
diff --git a/server/etcdserver/v3_server.go b/server/etcdserver/v3_server.go
index abf88be2d..59113f1b9 100644
--- a/server/etcdserver/v3_server.go
+++ b/server/etcdserver/v3_server.go
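Review bot: The type switch in `checkTxnReqsPermission` (server/etcdserver/txn/txn.go, second hunk) has cases only for `RequestOp_RequestRange`, `RequestOp_RequestPut` and `RequestOp_RequestDeleteRange`, so any other `RequestOp` variant falls through without a permission check. This looks inherited from the apply package rather than introduced by the move, but `pb.RequestOp` can also carry a nested transaction (`RequestOp_RequestTxn`). Unless nested transactions are rejected or authorized somewhere outside this diff, their compares and operations never reach `IsRangePermitted`, `IsPutPermitted` or `IsDeleteRangePermitted`. Adding a case that recurses through `CheckTxnAuth` closes the gap. The newly exported `CheckTxnAuth` also has no doc comment; something like `// CheckTxnAuth returns the first permission error found in rt's compares and its success/failure operations.` would state the contract.

```go
		switch tv := requ.Request.(type) {
		// … unchanged: RequestRange, RequestPut and RequestDeleteRange cases …
		case *pb.RequestOp_RequestTxn:
			if tv.RequestTxn == nil {
				continue
			}

			// A nested transaction carries its own compares and operations;
			// authorize them with the same rules as the outer one.
			if err := CheckTxnAuth(as, ai, tv.RequestTxn); err != nil {
				return err
			}
```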
@@ -173,7 +173,7 @@ func (s *EtcdServer) Txn(ctx context.Context, r *pb.TxnRequest) (*pb.TxnResponse
 var resp *pb.TxnResponse
 var err error
 chk := func(ai *auth.AuthInfo) error {
- return apply2.CheckTxnAuth(s.authStore, ai, r)
+ return txn.CheckTxnAuth(s.authStore, ai, r)
 }
 defer func(start time.Time) {