Skip to content

Commit

Permalink
Merge pull request #15378 from chaochn47/auth_test_split_5
Browse files Browse the repository at this point in the history
migration auth tests to common #5
  • Loading branch information
ahrtr authored Mar 3, 2023
2 parents 69ce1aa + c002e09 commit 7a98ab3
Show file tree
Hide file tree
Showing 2 changed files with 66 additions and 66 deletions.
68 changes: 66 additions & 2 deletions tests/common/auth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,8 +32,11 @@ var defaultAuthToken = fmt.Sprintf("jwt,pub-key=%s,priv-key=%s,sign-method=RS256
mustAbsPath("../fixtures/server.crt"), mustAbsPath("../fixtures/server.key.insecure"))

const (
PermissionDenied = "etcdserver: permission denied"
AuthenticationFailed = "etcdserver: authentication failed, invalid user ID or password"
PermissionDenied = "etcdserver: permission denied"
AuthenticationFailed = "etcdserver: authentication failed, invalid user ID or password"
InvalidAuthManagement = "etcdserver: invalid auth management"

testPeerURL = "http://localhost:20011"
)

func TestAuthEnable(t *testing.T) {
Expand Down Expand Up @@ -565,6 +568,67 @@ func TestAuthLeaseGrantLeases(t *testing.T) {
}
}

func TestAuthMemberAdd(t *testing.T) {
testRunner.BeforeTest(t)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1}))
defer clus.Close()
cc := testutils.MustClient(clus.Client())
testutils.ExecuteUntil(ctx, t, func() {
require.NoErrorf(t, setupAuth(cc, []authRole{testRole}, []authUser{rootUser, testUser}), "failed to enable auth")
rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))
testUserAuthClient := testutils.MustClient(clus.Client(WithAuth(testUserName, testPassword)))
_, err := testUserAuthClient.MemberAdd(ctx, "newmember", []string{testPeerURL})
require.ErrorContains(t, err, PermissionDenied)
_, err = rootAuthClient.MemberAdd(ctx, "newmember", []string{testPeerURL})
require.NoError(t, err)
})
}

func TestAuthMemberRemove(t *testing.T) {
testRunner.BeforeTest(t)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
clusterSize := 2
clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: clusterSize}))
defer clus.Close()
cc := testutils.MustClient(clus.Client())
testutils.ExecuteUntil(ctx, t, func() {
require.NoErrorf(t, setupAuth(cc, []authRole{testRole}, []authUser{rootUser, testUser}), "failed to enable auth")
rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))
testUserAuthClient := testutils.MustClient(clus.Client(WithAuth(testUserName, testPassword)))

memberId, clusterId := memberToRemove(ctx, t, rootAuthClient, clusterSize)

// ordinary user cannot remove a member
_, err := testUserAuthClient.MemberRemove(ctx, memberId)
require.ErrorContains(t, err, PermissionDenied)

// root can remove a member
removeResp, err := rootAuthClient.MemberRemove(ctx, memberId)
require.NoError(t, err, "MemberRemove failed")
require.Equal(t, removeResp.Header.ClusterId, clusterId)
})
}

func TestAuthTestInvalidMgmt(t *testing.T) {
testRunner.BeforeTest(t)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1}))
defer clus.Close()
cc := testutils.MustClient(clus.Client())
testutils.ExecuteUntil(ctx, t, func() {
require.NoErrorf(t, setupAuth(cc, []authRole{}, []authUser{rootUser}), "failed to enable auth")
rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))
_, err := rootAuthClient.UserDelete(ctx, rootUserName)
require.ErrorContains(t, err, InvalidAuthManagement)
_, err = rootAuthClient.UserRevokeRole(ctx, rootUserName, rootRoleName)
require.ErrorContains(t, err, InvalidAuthManagement)
})
}

func mustAbsPath(path string) string {
abs, err := filepath.Abs(path)
if err != nil {
Expand Down
64 changes: 0 additions & 64 deletions tests/e2e/ctl_v3_auth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,12 +27,7 @@ import (
"go.etcd.io/etcd/tests/v3/framework/e2e"
)

func TestCtlV3AuthMemberAdd(t *testing.T) { testCtl(t, authTestMemberAdd) }
func TestCtlV3AuthMemberRemove(t *testing.T) {
testCtl(t, authTestMemberRemove, withQuorum(), withDisableStrictReconfig())
}
func TestCtlV3AuthMemberUpdate(t *testing.T) { testCtl(t, authTestMemberUpdate) }
func TestCtlV3AuthInvalidMgmt(t *testing.T) { testCtl(t, authTestInvalidMgmt) }
func TestCtlV3AuthFromKeyPerm(t *testing.T) { testCtl(t, authTestFromKeyPerm) }
func TestCtlV3AuthAndWatch(t *testing.T) { testCtl(t, authTestWatch) }
func TestCtlV3AuthAndWatchJWT(t *testing.T) { testCtl(t, authTestWatch, withCfg(*e2e.NewConfigJWT())) }
Expand Down Expand Up @@ -96,51 +91,6 @@ func authSetupTestUser(cx ctlCtx) {
}
}

func authTestMemberAdd(cx ctlCtx) {
if err := authEnable(cx); err != nil {
cx.t.Fatal(err)
}

cx.user, cx.pass = "root", "root"
authSetupTestUser(cx)

peerURL := fmt.Sprintf("http://localhost:%d", e2e.EtcdProcessBasePort+11)
// ordinary user cannot add a new member
cx.user, cx.pass = "test-user", "pass"
if err := ctlV3MemberAdd(cx, peerURL, false); err == nil {
cx.t.Fatalf("ordinary user must not be allowed to add a member")
}

// root can add a new member
cx.user, cx.pass = "root", "root"
if err := ctlV3MemberAdd(cx, peerURL, false); err != nil {
cx.t.Fatal(err)
}
}

func authTestMemberRemove(cx ctlCtx) {
if err := authEnable(cx); err != nil {
cx.t.Fatal(err)
}

cx.user, cx.pass = "root", "root"
authSetupTestUser(cx)

ep, memIDToRemove, clusterID := cx.memberToRemove()

// ordinary user cannot remove a member
cx.user, cx.pass = "test-user", "pass"
if err := ctlV3MemberRemove(cx, ep, memIDToRemove, clusterID); err == nil {
cx.t.Fatalf("ordinary user must not be allowed to remove a member")
}

// root can remove a member
cx.user, cx.pass = "root", "root"
if err := ctlV3MemberRemove(cx, ep, memIDToRemove, clusterID); err != nil {
cx.t.Fatal(err)
}
}

func authTestMemberUpdate(cx ctlCtx) {
if err := authEnable(cx); err != nil {
cx.t.Fatal(err)
Expand Down Expand Up @@ -202,20 +152,6 @@ func authTestCertCN(cx ctlCtx) {
require.ErrorContains(cx.t, err, "permission denied")
}

func authTestInvalidMgmt(cx ctlCtx) {
if err := authEnable(cx); err != nil {
cx.t.Fatal(err)
}

if err := ctlV3Role(cx, []string{"delete", "root"}, "Error: etcdserver: invalid auth management"); err == nil {
cx.t.Fatal("deleting the role root must not be allowed")
}

if err := ctlV3User(cx, []string{"revoke-role", "root", "root"}, "Error: etcdserver: invalid auth management", []string{}); err == nil {
cx.t.Fatal("revoking the role root from the user root must not be allowed")
}
}

func authTestFromKeyPerm(cx ctlCtx) {
if err := authEnable(cx); err != nil {
cx.t.Fatal(err)
Expand Down

0 comments on commit 7a98ab3

Please sign in to comment.