From fab3feab66d39359b6131b15989ad2a3a7a6cfbd Mon Sep 17 00:00:00 2001
From: Yicheng Qin <qycqycqycqycqyc@gmail.com>
Date: Tue, 18 Aug 2015 08:13:17 -0700
Subject: [PATCH] etcdctl/role: reject non-canonical permission path

Non-canonical permission path is useless because the path received
by auth is always canonical, which is due to our ServeMux always
redirects request to canonical path().

This helps users to detect path permission setting error early.

Ref: http://godoc.org/net/http#ServeMux
---
 etcdctl/command/role_commands.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/etcdctl/command/role_commands.go b/etcdctl/command/role_commands.go
index bbd90864e..96777886d 100644
--- a/etcdctl/command/role_commands.go
+++ b/etcdctl/command/role_commands.go
@@ -23,6 +23,7 @@ import (
 	"github.com/coreos/etcd/Godeps/_workspace/src/github.com/codegangsta/cli"
 	"github.com/coreos/etcd/Godeps/_workspace/src/golang.org/x/net/context"
 	"github.com/coreos/etcd/client"
+	"github.com/coreos/etcd/pkg/pathutil"
 )
 
 func NewRoleCommands() cli.Command {
@@ -152,6 +153,10 @@ func roleGrantRevoke(c *cli.Context, grant bool) {
 		fmt.Fprintln(os.Stderr, "No path specified; please use `-path`")
 		os.Exit(1)
 	}
+	if pathutil.CanonicalURLPath(path) != path {
+		fmt.Fprintf(os.Stderr, "Not canonical path; please use `-path=%s`\n", pathutil.CanonicalURLPath(path))
+		os.Exit(1)
+	}
 
 	read := c.Bool("read")
 	write := c.Bool("write")