mirror of
https://github.com/etcd-io/etcd.git
synced 2024-09-27 06:25:44 +00:00
f8a290e7ca
This commit adds jwt token support in v3 auth API. Remaining major ToDos: - Currently token type isn't hidden from etcdserver. In the near future the information should be completely invisible from etcdserver package. - Configurable expiration of token. Currently tokens can be valid until keys are changed. How to use: 1. generate keys for signing and verfying jwt tokens: $ openssl genrsa -out app.rsa 1024 $ openssl rsa -in app.rsa -pubout > app.rsa.pub 2. add command line options to etcd like below: --auth-token-type jwt \ --auth-jwt-pub-key app.rsa.pub --auth-jwt-priv-key app.rsa \ --auth-jwt-sign-method RS512 3. launch etcd cluster Below is a performance comparison of serializable read w/ and w/o jwt token. Every (3) etcd node is executed on a single machine. Signing method is RS512 and key length is 1024 bit. As the results show, jwt based token introduces a performance overhead but it would be acceptable for a case that requires authentication. w/o jwt token auth (no auth): Summary: Total: 1.6172 secs. Slowest: 0.0125 secs. Fastest: 0.0001 secs. Average: 0.0002 secs. Stddev: 0.0004 secs. Requests/sec: 6183.5877 Response time histogram: 0.000 [1] | 0.001 [9982] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.003 [1] | 0.004 [1] | 0.005 [0] | 0.006 [0] | 0.008 [6] | 0.009 [0] | 0.010 [1] | 0.011 [5] | 0.013 [3] | Latency distribution: 10% in 0.0001 secs. 25% in 0.0001 secs. 50% in 0.0001 secs. 75% in 0.0001 secs. 90% in 0.0002 secs. 95% in 0.0002 secs. 99% in 0.0003 secs. w/ jwt token auth: Summary: Total: 2.5364 secs. Slowest: 0.0182 secs. Fastest: 0.0002 secs. Average: 0.0003 secs. Stddev: 0.0005 secs. Requests/sec: 3942.5185 Response time histogram: 0.000 [1] | 0.002 [9975] |∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎∎ 0.004 [0] | 0.006 [1] | 0.007 [11] | 0.009 [2] | 0.011 [4] | 0.013 [5] | 0.015 [0] | 0.016 [0] | 0.018 [1] | Latency distribution: 10% in 0.0002 secs. 25% in 0.0002 secs. 50% in 0.0002 secs. 75% in 0.0002 secs. 90% in 0.0003 secs. 95% in 0.0003 secs. 99% in 0.0004 secs.
585 lines
14 KiB
Go
585 lines
14 KiB
Go
// Copyright 2016 The etcd Authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package auth
|
|
|
|
import (
|
|
"os"
|
|
"reflect"
|
|
"testing"
|
|
|
|
"github.com/coreos/etcd/auth/authpb"
|
|
pb "github.com/coreos/etcd/etcdserver/etcdserverpb"
|
|
"github.com/coreos/etcd/mvcc/backend"
|
|
|
|
"golang.org/x/crypto/bcrypt"
|
|
"golang.org/x/net/context"
|
|
"google.golang.org/grpc/metadata"
|
|
)
|
|
|
|
func init() { BcryptCost = bcrypt.MinCost }
|
|
|
|
func dummyIndexWaiter(index uint64) <-chan struct{} {
|
|
ch := make(chan struct{})
|
|
go func() {
|
|
ch <- struct{}{}
|
|
}()
|
|
return ch
|
|
}
|
|
|
|
// TestNewAuthStoreRevision ensures newly auth store
|
|
// keeps the old revision when there are no changes.
|
|
func TestNewAuthStoreRevision(t *testing.T) {
|
|
b, tPath := backend.NewDefaultTmpBackend()
|
|
defer os.Remove(tPath)
|
|
|
|
tp, err := NewTokenProvider("simple", dummyIndexWaiter)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
as := NewAuthStore(b, tp)
|
|
err = enableAuthAndCreateRoot(as)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
old := as.Revision()
|
|
b.Close()
|
|
as.Close()
|
|
|
|
// no changes to commit
|
|
b2 := backend.NewDefaultBackend(tPath)
|
|
as = NewAuthStore(b2, tp)
|
|
new := as.Revision()
|
|
b2.Close()
|
|
as.Close()
|
|
|
|
if old != new {
|
|
t.Fatalf("expected revision %d, got %d", old, new)
|
|
}
|
|
}
|
|
|
|
func setupAuthStore(t *testing.T) (store *authStore, teardownfunc func(t *testing.T)) {
|
|
b, tPath := backend.NewDefaultTmpBackend()
|
|
|
|
tp, err := NewTokenProvider("simple", dummyIndexWaiter)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
as := NewAuthStore(b, tp)
|
|
err = enableAuthAndCreateRoot(as)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// adds a new role
|
|
_, err = as.RoleAdd(&pb.AuthRoleAddRequest{Name: "role-test"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
ua := &pb.AuthUserAddRequest{Name: "foo", Password: "bar"}
|
|
_, err = as.UserAdd(ua) // add a non-existing user
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
tearDown := func(t *testing.T) {
|
|
b.Close()
|
|
os.Remove(tPath)
|
|
as.Close()
|
|
}
|
|
return as, tearDown
|
|
}
|
|
|
|
func enableAuthAndCreateRoot(as *authStore) error {
|
|
_, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "root", Password: "root"})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
_, err = as.RoleAdd(&pb.AuthRoleAddRequest{Name: "root"})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
_, err = as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "root", Role: "root"})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return as.AuthEnable()
|
|
}
|
|
|
|
func TestUserAdd(t *testing.T) {
|
|
as, tearDown := setupAuthStore(t)
|
|
defer tearDown(t)
|
|
|
|
ua := &pb.AuthUserAddRequest{Name: "foo"}
|
|
_, err := as.UserAdd(ua) // add an existing user
|
|
if err == nil {
|
|
t.Fatalf("expected %v, got %v", ErrUserAlreadyExist, err)
|
|
}
|
|
if err != ErrUserAlreadyExist {
|
|
t.Fatalf("expected %v, got %v", ErrUserAlreadyExist, err)
|
|
}
|
|
|
|
ua = &pb.AuthUserAddRequest{Name: ""}
|
|
_, err = as.UserAdd(ua) // add a user with empty name
|
|
if err != ErrUserEmpty {
|
|
t.Fatal(err)
|
|
}
|
|
}
|
|
|
|
func TestCheckPassword(t *testing.T) {
|
|
as, tearDown := setupAuthStore(t)
|
|
defer tearDown(t)
|
|
|
|
// auth a non-existing user
|
|
_, err := as.CheckPassword("foo-test", "bar")
|
|
if err == nil {
|
|
t.Fatalf("expected %v, got %v", ErrAuthFailed, err)
|
|
}
|
|
if err != ErrAuthFailed {
|
|
t.Fatalf("expected %v, got %v", ErrAuthFailed, err)
|
|
}
|
|
|
|
// auth an existing user with correct password
|
|
_, err = as.CheckPassword("foo", "bar")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// auth an existing user but with wrong password
|
|
_, err = as.CheckPassword("foo", "")
|
|
if err == nil {
|
|
t.Fatalf("expected %v, got %v", ErrAuthFailed, err)
|
|
}
|
|
if err != ErrAuthFailed {
|
|
t.Fatalf("expected %v, got %v", ErrAuthFailed, err)
|
|
}
|
|
}
|
|
|
|
func TestUserDelete(t *testing.T) {
|
|
as, tearDown := setupAuthStore(t)
|
|
defer tearDown(t)
|
|
|
|
// delete an existing user
|
|
ud := &pb.AuthUserDeleteRequest{Name: "foo"}
|
|
_, err := as.UserDelete(ud)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// delete a non-existing user
|
|
_, err = as.UserDelete(ud)
|
|
if err == nil {
|
|
t.Fatalf("expected %v, got %v", ErrUserNotFound, err)
|
|
}
|
|
if err != ErrUserNotFound {
|
|
t.Fatalf("expected %v, got %v", ErrUserNotFound, err)
|
|
}
|
|
}
|
|
|
|
func TestUserChangePassword(t *testing.T) {
|
|
as, tearDown := setupAuthStore(t)
|
|
defer tearDown(t)
|
|
|
|
ctx1 := context.WithValue(context.WithValue(context.TODO(), "index", uint64(1)), "simpleToken", "dummy")
|
|
_, err := as.Authenticate(ctx1, "foo", "bar")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
_, err = as.UserChangePassword(&pb.AuthUserChangePasswordRequest{Name: "foo", Password: "baz"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
ctx2 := context.WithValue(context.WithValue(context.TODO(), "index", uint64(2)), "simpleToken", "dummy")
|
|
_, err = as.Authenticate(ctx2, "foo", "baz")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// change a non-existing user
|
|
_, err = as.UserChangePassword(&pb.AuthUserChangePasswordRequest{Name: "foo-test", Password: "bar"})
|
|
if err == nil {
|
|
t.Fatalf("expected %v, got %v", ErrUserNotFound, err)
|
|
}
|
|
if err != ErrUserNotFound {
|
|
t.Fatalf("expected %v, got %v", ErrUserNotFound, err)
|
|
}
|
|
}
|
|
|
|
func TestRoleAdd(t *testing.T) {
|
|
as, tearDown := setupAuthStore(t)
|
|
defer tearDown(t)
|
|
|
|
// adds a new role
|
|
_, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "role-test-1"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
}
|
|
|
|
func TestUserGrant(t *testing.T) {
|
|
as, tearDown := setupAuthStore(t)
|
|
defer tearDown(t)
|
|
|
|
// grants a role to the user
|
|
_, err := as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "role-test"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// grants a role to a non-existing user
|
|
_, err = as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo-test", Role: "role-test"})
|
|
if err == nil {
|
|
t.Errorf("expected %v, got %v", ErrUserNotFound, err)
|
|
}
|
|
if err != ErrUserNotFound {
|
|
t.Errorf("expected %v, got %v", ErrUserNotFound, err)
|
|
}
|
|
}
|
|
|
|
func TestGetUser(t *testing.T) {
|
|
as, tearDown := setupAuthStore(t)
|
|
defer tearDown(t)
|
|
|
|
_, err := as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "role-test"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
u, err := as.UserGet(&pb.AuthUserGetRequest{Name: "foo"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if u == nil {
|
|
t.Fatal("expect user not nil, got nil")
|
|
}
|
|
expected := []string{"role-test"}
|
|
if !reflect.DeepEqual(expected, u.Roles) {
|
|
t.Errorf("expected %v, got %v", expected, u.Roles)
|
|
}
|
|
}
|
|
|
|
func TestListUsers(t *testing.T) {
|
|
as, tearDown := setupAuthStore(t)
|
|
defer tearDown(t)
|
|
|
|
ua := &pb.AuthUserAddRequest{Name: "user1", Password: "pwd1"}
|
|
_, err := as.UserAdd(ua) // add a non-existing user
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
ul, err := as.UserList(&pb.AuthUserListRequest{})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if !contains(ul.Users, "root") {
|
|
t.Errorf("expected %v in %v", "root", ul.Users)
|
|
}
|
|
if !contains(ul.Users, "user1") {
|
|
t.Errorf("expected %v in %v", "user1", ul.Users)
|
|
}
|
|
}
|
|
|
|
func TestRoleGrantPermission(t *testing.T) {
|
|
as, tearDown := setupAuthStore(t)
|
|
defer tearDown(t)
|
|
|
|
_, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "role-test-1"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
perm := &authpb.Permission{
|
|
PermType: authpb.WRITE,
|
|
Key: []byte("Keys"),
|
|
RangeEnd: []byte("RangeEnd"),
|
|
}
|
|
_, err = as.RoleGrantPermission(&pb.AuthRoleGrantPermissionRequest{
|
|
Name: "role-test-1",
|
|
Perm: perm,
|
|
})
|
|
|
|
if err != nil {
|
|
t.Error(err)
|
|
}
|
|
|
|
r, err := as.RoleGet(&pb.AuthRoleGetRequest{Role: "role-test-1"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if !reflect.DeepEqual(perm, r.Perm[0]) {
|
|
t.Errorf("expected %v, got %v", perm, r.Perm[0])
|
|
}
|
|
}
|
|
|
|
func TestRoleRevokePermission(t *testing.T) {
|
|
as, tearDown := setupAuthStore(t)
|
|
defer tearDown(t)
|
|
|
|
_, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "role-test-1"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
perm := &authpb.Permission{
|
|
PermType: authpb.WRITE,
|
|
Key: []byte("Keys"),
|
|
RangeEnd: []byte("RangeEnd"),
|
|
}
|
|
_, err = as.RoleGrantPermission(&pb.AuthRoleGrantPermissionRequest{
|
|
Name: "role-test-1",
|
|
Perm: perm,
|
|
})
|
|
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
_, err = as.RoleGet(&pb.AuthRoleGetRequest{Role: "role-test-1"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
_, err = as.RoleRevokePermission(&pb.AuthRoleRevokePermissionRequest{
|
|
Role: "role-test-1",
|
|
Key: "Keys",
|
|
RangeEnd: "RangeEnd",
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
var r *pb.AuthRoleGetResponse
|
|
r, err = as.RoleGet(&pb.AuthRoleGetRequest{Role: "role-test-1"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if len(r.Perm) != 0 {
|
|
t.Errorf("expected %v, got %v", 0, len(r.Perm))
|
|
}
|
|
}
|
|
|
|
func TestUserRevokePermission(t *testing.T) {
|
|
as, tearDown := setupAuthStore(t)
|
|
defer tearDown(t)
|
|
|
|
_, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "role-test-1"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
_, err = as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "role-test"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
_, err = as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "role-test-1"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
u, err := as.UserGet(&pb.AuthUserGetRequest{Name: "foo"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
expected := []string{"role-test", "role-test-1"}
|
|
if !reflect.DeepEqual(expected, u.Roles) {
|
|
t.Fatalf("expected %v, got %v", expected, u.Roles)
|
|
}
|
|
|
|
_, err = as.UserRevokeRole(&pb.AuthUserRevokeRoleRequest{Name: "foo", Role: "role-test-1"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
u, err = as.UserGet(&pb.AuthUserGetRequest{Name: "foo"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
expected = []string{"role-test"}
|
|
if !reflect.DeepEqual(expected, u.Roles) {
|
|
t.Errorf("expected %v, got %v", expected, u.Roles)
|
|
}
|
|
}
|
|
|
|
func TestRoleDelete(t *testing.T) {
|
|
as, tearDown := setupAuthStore(t)
|
|
defer tearDown(t)
|
|
|
|
_, err := as.RoleDelete(&pb.AuthRoleDeleteRequest{Role: "role-test"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
rl, err := as.RoleList(&pb.AuthRoleListRequest{})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
expected := []string{"root"}
|
|
if !reflect.DeepEqual(expected, rl.Roles) {
|
|
t.Errorf("expected %v, got %v", expected, rl.Roles)
|
|
}
|
|
}
|
|
|
|
func TestAuthInfoFromCtx(t *testing.T) {
|
|
as, tearDown := setupAuthStore(t)
|
|
defer tearDown(t)
|
|
|
|
ctx := context.Background()
|
|
ai, err := as.AuthInfoFromCtx(ctx)
|
|
if err != nil && ai != nil {
|
|
t.Errorf("expected (nil, nil), got (%v, %v)", ai, err)
|
|
}
|
|
|
|
ctx = metadata.NewContext(context.Background(), metadata.New(map[string]string{"tokens": "dummy"}))
|
|
ai, err = as.AuthInfoFromCtx(ctx)
|
|
if err != nil && ai != nil {
|
|
t.Errorf("expected (nil, nil), got (%v, %v)", ai, err)
|
|
}
|
|
|
|
ctx = context.WithValue(context.WithValue(context.TODO(), "index", uint64(1)), "simpleToken", "dummy")
|
|
resp, err := as.Authenticate(ctx, "foo", "bar")
|
|
if err != nil {
|
|
t.Error(err)
|
|
}
|
|
|
|
ctx = metadata.NewContext(context.Background(), metadata.New(map[string]string{"token": "Invalid Token"}))
|
|
_, err = as.AuthInfoFromCtx(ctx)
|
|
if err != ErrInvalidAuthToken {
|
|
t.Errorf("expected %v, got %v", ErrInvalidAuthToken, err)
|
|
}
|
|
|
|
ctx = metadata.NewContext(context.Background(), metadata.New(map[string]string{"token": "Invalid.Token"}))
|
|
_, err = as.AuthInfoFromCtx(ctx)
|
|
if err != ErrInvalidAuthToken {
|
|
t.Errorf("expected %v, got %v", ErrInvalidAuthToken, err)
|
|
}
|
|
|
|
ctx = metadata.NewContext(context.Background(), metadata.New(map[string]string{"token": resp.Token}))
|
|
ai, err = as.AuthInfoFromCtx(ctx)
|
|
if err != nil {
|
|
t.Error(err)
|
|
}
|
|
if ai.Username != "foo" {
|
|
t.Errorf("expected %v, got %v", "foo", ai.Username)
|
|
}
|
|
}
|
|
|
|
func TestAuthDisable(t *testing.T) {
|
|
as, tearDown := setupAuthStore(t)
|
|
defer tearDown(t)
|
|
|
|
as.AuthDisable()
|
|
ctx := context.WithValue(context.WithValue(context.TODO(), "index", uint64(2)), "simpleToken", "dummy")
|
|
_, err := as.Authenticate(ctx, "foo", "bar")
|
|
if err != ErrAuthNotEnabled {
|
|
t.Errorf("expected %v, got %v", ErrAuthNotEnabled, err)
|
|
}
|
|
|
|
// Disabling disabled auth to make sure it can return safely if store is already disabled.
|
|
as.AuthDisable()
|
|
_, err = as.Authenticate(ctx, "foo", "bar")
|
|
if err != ErrAuthNotEnabled {
|
|
t.Errorf("expected %v, got %v", ErrAuthNotEnabled, err)
|
|
}
|
|
}
|
|
|
|
func TestIsAdminPermitted(t *testing.T) {
|
|
as, tearDown := setupAuthStore(t)
|
|
defer tearDown(t)
|
|
|
|
err := as.IsAdminPermitted(&AuthInfo{Username: "root", Revision: 1})
|
|
if err != nil {
|
|
t.Errorf("expected nil, got %v", err)
|
|
}
|
|
|
|
// invalid user
|
|
err = as.IsAdminPermitted(&AuthInfo{Username: "rooti", Revision: 1})
|
|
if err != ErrUserNotFound {
|
|
t.Errorf("expected %v, got %v", ErrUserNotFound, err)
|
|
}
|
|
|
|
// non-admin user
|
|
err = as.IsAdminPermitted(&AuthInfo{Username: "foo", Revision: 1})
|
|
if err != ErrPermissionDenied {
|
|
t.Errorf("expected %v, got %v", ErrPermissionDenied, err)
|
|
}
|
|
|
|
// disabled auth should return nil
|
|
as.AuthDisable()
|
|
err = as.IsAdminPermitted(&AuthInfo{Username: "root", Revision: 1})
|
|
if err != nil {
|
|
t.Errorf("expected nil, got %v", err)
|
|
}
|
|
}
|
|
|
|
func TestRecoverFromSnapshot(t *testing.T) {
|
|
as, _ := setupAuthStore(t)
|
|
|
|
ua := &pb.AuthUserAddRequest{Name: "foo"}
|
|
_, err := as.UserAdd(ua) // add an existing user
|
|
if err == nil {
|
|
t.Fatalf("expected %v, got %v", ErrUserAlreadyExist, err)
|
|
}
|
|
if err != ErrUserAlreadyExist {
|
|
t.Fatalf("expected %v, got %v", ErrUserAlreadyExist, err)
|
|
}
|
|
|
|
ua = &pb.AuthUserAddRequest{Name: ""}
|
|
_, err = as.UserAdd(ua) // add a user with empty name
|
|
if err != ErrUserEmpty {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
as.Close()
|
|
|
|
tp, err := NewTokenProvider("simple", dummyIndexWaiter)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
as2 := NewAuthStore(as.be, tp)
|
|
defer func(a *authStore) {
|
|
a.Close()
|
|
}(as2)
|
|
|
|
if !as2.isAuthEnabled() {
|
|
t.Fatal("recovering authStore from existing backend failed")
|
|
}
|
|
|
|
ul, err := as.UserList(&pb.AuthUserListRequest{})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if !contains(ul.Users, "root") {
|
|
t.Errorf("expected %v in %v", "root", ul.Users)
|
|
}
|
|
}
|
|
|
|
func contains(array []string, str string) bool {
|
|
for _, s := range array {
|
|
if s == str {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|