Skip to content

Commit

Permalink
tests: e2e and integration test for timetolive
Browse files Browse the repository at this point in the history
Signed-off-by: Hitoshi Mitake <h.mitake@gmail.com>
Co-authored-by: Benjamin Wang <wachao@vmware.com>
  • Loading branch information
mitake and ahrtr committed May 8, 2023
1 parent d1b1aa9 commit e38eb67
Show file tree
Hide file tree
Showing 3 changed files with 143 additions and 5 deletions.
49 changes: 49 additions & 0 deletions tests/e2e/ctl_v3_auth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,7 @@ func TestCtlV3AuthSnapshotJWT(t *testing.T) { testCtl(t, authTestSnapsho
func TestCtlV3AuthJWTExpire(t *testing.T) { testCtl(t, authTestJWTExpire, withCfg(*newConfigJWT())) }
func TestCtlV3AuthRevisionConsistency(t *testing.T) { testCtl(t, authTestRevisionConsistency) }
func TestCtlV3AuthTestCacheReload(t *testing.T) { testCtl(t, authTestCacheReload) }
func TestCtlV3AuthLeaseTimeToLive(t *testing.T) { testCtl(t, authTestLeaseTimeToLive) }

func TestCtlV3AuthRecoverFromSnapshot(t *testing.T) {
testCtl(t, authTestRecoverSnapshot, withCfg(*newConfigNoTLS()), withQuorum(), withSnapshotCount(5))
Expand Down Expand Up @@ -1509,3 +1510,51 @@ func hashKVs(endpoints []string, cli *clientv3.Client) ([]*clientv3.HashKVRespon
}
return retHashKVs, nil
}

func authTestLeaseTimeToLive(cx ctlCtx) {
if err := authEnable(cx); err != nil {
cx.t.Fatal(err)
}
cx.user, cx.pass = "root", "root"

authSetupTestUser(cx)

cx.user = "test-user"
cx.pass = "pass"

leaseID, err := ctlV3LeaseGrant(cx, 10)
if err != nil {
cx.t.Fatal(err)
}

err = ctlV3Put(cx, "foo", "val", leaseID)
if err != nil {
cx.t.Fatal(err)
}

err = ctlV3LeaseTimeToLive(cx, leaseID, true)
if err != nil {
cx.t.Fatal(err)
}

cx.user = "root"
cx.pass = "root"
err = ctlV3Put(cx, "bar", "val", leaseID)
if err != nil {
cx.t.Fatal(err)
}

cx.user = "test-user"
cx.pass = "pass"
// the lease is attached to bar, which test-user cannot access
err = ctlV3LeaseTimeToLive(cx, leaseID, true)
if err == nil {
cx.t.Fatal("test-user must not be able to access to the lease, because it's attached to the key bar")
}

// without --keys, access should be allowed
err = ctlV3LeaseTimeToLive(cx, leaseID, false)
if err != nil {
cx.t.Fatal(err)
}
}
8 changes: 8 additions & 0 deletions tests/e2e/ctl_v3_lease_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -300,3 +300,11 @@ func ctlV3LeaseRevoke(cx ctlCtx, leaseID string) error {
cmdArgs := append(cx.PrefixArgs(), "lease", "revoke", leaseID)
return spawnWithExpectWithEnv(cmdArgs, cx.envMap, fmt.Sprintf("lease %s revoked", leaseID))
}

func ctlV3LeaseTimeToLive(cx ctlCtx, leaseID string, withKeys bool) error {
cmdArgs := append(cx.PrefixArgs(), "lease", "timetolive", leaseID)
if withKeys {
cmdArgs = append(cmdArgs, "--keys")
}
return spawnWithExpectWithEnv(cmdArgs, cx.envMap, fmt.Sprintf("lease %s granted with", leaseID))
}
91 changes: 86 additions & 5 deletions tests/integration/v3_auth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -177,12 +177,10 @@ func testV3AuthWithLeaseRevokeWithRoot(t *testing.T, ccfg ClusterConfig) {
// wait for lease expire
time.Sleep(3 * time.Second)

tresp, terr := api.Lease.LeaseTimeToLive(
tresp, terr := rootc.TimeToLive(
context.TODO(),
&pb.LeaseTimeToLiveRequest{
ID: int64(leaseID),
Keys: true,
},
leaseID,
clientv3.WithAttachedKeys(),
)
if terr != nil {
t.Error(terr)
Expand Down Expand Up @@ -553,3 +551,86 @@ func TestV3AuthWatchErrorAndWatchId0(t *testing.T) {

<-watchEndCh
}

func TestV3AuthWithLeaseTimeToLive(t *testing.T) {
BeforeTest(t)
clus := NewClusterV3(t, &ClusterConfig{Size: 1})
defer clus.Terminate(t)

users := []user{
{
name: "user1",
password: "user1-123",
role: "role1",
key: "k1",
end: "k3",
},
{
name: "user2",
password: "user2-123",
role: "role2",
key: "k2",
end: "k4",
},
}
authSetupUsers(t, toGRPC(clus.Client(0)).Auth, users)

authSetupRoot(t, toGRPC(clus.Client(0)).Auth)

user1c, cerr := NewClient(t, clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "user1", Password: "user1-123"})
if cerr != nil {
t.Fatal(cerr)
}
defer user1c.Close()

user2c, cerr := NewClient(t, clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "user2", Password: "user2-123"})
if cerr != nil {
t.Fatal(cerr)
}
defer user2c.Close()

leaseResp, err := user1c.Grant(context.TODO(), 90)
if err != nil {
t.Fatal(err)
}
leaseID := leaseResp.ID
_, err = user1c.Put(context.TODO(), "k1", "val", clientv3.WithLease(leaseID))
if err != nil {
t.Fatal(err)
}
// k2 can be accessed from both user1 and user2
_, err = user1c.Put(context.TODO(), "k2", "val", clientv3.WithLease(leaseID))
if err != nil {
t.Fatal(err)
}

_, err = user1c.TimeToLive(context.TODO(), leaseID)
if err != nil {
t.Fatal(err)
}

_, err = user2c.TimeToLive(context.TODO(), leaseID)
if err != nil {
t.Fatal(err)
}

_, err = user2c.TimeToLive(context.TODO(), leaseID, clientv3.WithAttachedKeys())
if err == nil {
t.Fatal("timetolive from user2 should be failed with permission denied")
}

rootc, cerr := NewClient(t, clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "root", Password: "123"})
if cerr != nil {
t.Fatal(cerr)
}
defer rootc.Close()

if _, err := rootc.RoleRevokePermission(context.TODO(), "role1", "k1", "k3"); err != nil {
t.Fatal(err)
}

_, err = user1c.TimeToLive(context.TODO(), leaseID, clientv3.WithAttachedKeys())
if err == nil {
t.Fatal("timetolive from user2 should be failed with permission denied")
}
}

0 comments on commit e38eb67

Please sign in to comment.