123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676 |
- // Copyright 2015 The etcd Authors
- //
- // Licensed under the Apache License, Version 2.0 (the "License");
- // you may not use this file except in compliance with the License.
- // You may obtain a copy of the License at
- //
- // http://www.apache.org/licenses/LICENSE-2.0
- //
- // Unless required by applicable law or agreed to in writing, software
- // distributed under the License is distributed on an "AS IS" BASIS,
- // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- // See the License for the specific language governing permissions and
- // limitations under the License.
- package auth
- import (
- "context"
- "reflect"
- "testing"
- "time"
- etcderr "github.com/coreos/etcd/error"
- "github.com/coreos/etcd/etcdserver"
- "github.com/coreos/etcd/etcdserver/etcdserverpb"
- etcdstore "github.com/coreos/etcd/store"
- )
- type fakeDoer struct{}
- func (_ fakeDoer) Do(context.Context, etcdserverpb.Request) (etcdserver.Response, error) {
- return etcdserver.Response{}, nil
- }
- func TestCheckPassword(t *testing.T) {
- st := NewStore(fakeDoer{}, 5*time.Second)
- u := User{Password: "$2a$10$I3iddh1D..EIOXXQtsra4u8AjOtgEa2ERxVvYGfXFBJDo1omXwP.q"}
- matched := st.CheckPassword(u, "foo")
- if matched {
- t.Fatalf("expected false, got %v", matched)
- }
- }
- const testTimeout = time.Millisecond
- func TestMergeUser(t *testing.T) {
- tbl := []struct {
- input User
- merge User
- expect User
- iserr bool
- }{
- {
- User{User: "foo"},
- User{User: "bar"},
- User{},
- true,
- },
- {
- User{User: "foo"},
- User{User: "foo"},
- User{User: "foo", Roles: []string{}},
- false,
- },
- {
- User{User: "foo"},
- User{User: "foo", Grant: []string{"role1"}},
- User{User: "foo", Roles: []string{"role1"}},
- false,
- },
- {
- User{User: "foo", Roles: []string{"role1"}},
- User{User: "foo", Grant: []string{"role1"}},
- User{},
- true,
- },
- {
- User{User: "foo", Roles: []string{"role1"}},
- User{User: "foo", Revoke: []string{"role2"}},
- User{},
- true,
- },
- {
- User{User: "foo", Roles: []string{"role1"}},
- User{User: "foo", Grant: []string{"role2"}},
- User{User: "foo", Roles: []string{"role1", "role2"}},
- false,
- },
- { // empty password will not overwrite the previous password
- User{User: "foo", Password: "foo", Roles: []string{}},
- User{User: "foo", Password: ""},
- User{User: "foo", Password: "foo", Roles: []string{}},
- false,
- },
- }
- for i, tt := range tbl {
- out, err := tt.input.merge(tt.merge, passwordStore{})
- if err != nil && !tt.iserr {
- t.Fatalf("Got unexpected error on item %d", i)
- }
- if !tt.iserr {
- if !reflect.DeepEqual(out, tt.expect) {
- t.Errorf("Unequal merge expectation on item %d: got: %#v, expect: %#v", i, out, tt.expect)
- }
- }
- }
- }
- func TestMergeRole(t *testing.T) {
- tbl := []struct {
- input Role
- merge Role
- expect Role
- iserr bool
- }{
- {
- Role{Role: "foo"},
- Role{Role: "bar"},
- Role{},
- true,
- },
- {
- Role{Role: "foo"},
- Role{Role: "foo", Grant: &Permissions{KV: RWPermission{Read: []string{"/foodir"}, Write: []string{"/foodir"}}}},
- Role{Role: "foo", Permissions: Permissions{KV: RWPermission{Read: []string{"/foodir"}, Write: []string{"/foodir"}}}},
- false,
- },
- {
- Role{Role: "foo", Permissions: Permissions{KV: RWPermission{Read: []string{"/foodir"}, Write: []string{"/foodir"}}}},
- Role{Role: "foo", Revoke: &Permissions{KV: RWPermission{Read: []string{"/foodir"}, Write: []string{"/foodir"}}}},
- Role{Role: "foo", Permissions: Permissions{KV: RWPermission{Read: []string{}, Write: []string{}}}},
- false,
- },
- {
- Role{Role: "foo", Permissions: Permissions{KV: RWPermission{Read: []string{"/bardir"}}}},
- Role{Role: "foo", Revoke: &Permissions{KV: RWPermission{Read: []string{"/foodir"}}}},
- Role{},
- true,
- },
- }
- for i, tt := range tbl {
- out, err := tt.input.merge(tt.merge)
- if err != nil && !tt.iserr {
- t.Fatalf("Got unexpected error on item %d", i)
- }
- if !tt.iserr {
- if !reflect.DeepEqual(out, tt.expect) {
- t.Errorf("Unequal merge expectation on item %d: got: %#v, expect: %#v", i, out, tt.expect)
- }
- }
- }
- }
- type testDoer struct {
- get []etcdserver.Response
- put []etcdserver.Response
- getindex int
- putindex int
- explicitlyEnabled bool
- }
- func (td *testDoer) Do(_ context.Context, req etcdserverpb.Request) (etcdserver.Response, error) {
- if td.explicitlyEnabled && (req.Path == StorePermsPrefix+"/enabled") {
- t := "true"
- return etcdserver.Response{
- Event: &etcdstore.Event{
- Action: etcdstore.Get,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/users/cat",
- Value: &t,
- },
- },
- }, nil
- }
- if (req.Method == "GET" || req.Method == "QGET") && td.get != nil {
- res := td.get[td.getindex]
- if res.Event == nil {
- td.getindex++
- return etcdserver.Response{}, &etcderr.Error{
- ErrorCode: etcderr.EcodeKeyNotFound,
- }
- }
- td.getindex++
- return res, nil
- }
- if req.Method == "PUT" && td.put != nil {
- res := td.put[td.putindex]
- if res.Event == nil {
- td.putindex++
- return etcdserver.Response{}, &etcderr.Error{
- ErrorCode: etcderr.EcodeNodeExist,
- }
- }
- td.putindex++
- return res, nil
- }
- return etcdserver.Response{}, nil
- }
- func TestAllUsers(t *testing.T) {
- d := &testDoer{
- get: []etcdserver.Response{
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Get,
- Node: &etcdstore.NodeExtern{
- Nodes: etcdstore.NodeExterns([]*etcdstore.NodeExtern{
- {
- Key: StorePermsPrefix + "/users/cat",
- },
- {
- Key: StorePermsPrefix + "/users/dog",
- },
- }),
- },
- },
- },
- },
- }
- expected := []string{"cat", "dog"}
- s := store{server: d, timeout: testTimeout, ensuredOnce: false}
- users, err := s.AllUsers()
- if err != nil {
- t.Error("Unexpected error", err)
- }
- if !reflect.DeepEqual(users, expected) {
- t.Error("AllUsers doesn't match given store. Got", users, "expected", expected)
- }
- }
- func TestGetAndDeleteUser(t *testing.T) {
- data := `{"user": "cat", "roles" : ["animal"]}`
- d := &testDoer{
- get: []etcdserver.Response{
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Get,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/users/cat",
- Value: &data,
- },
- },
- },
- },
- explicitlyEnabled: true,
- }
- expected := User{User: "cat", Roles: []string{"animal"}}
- s := store{server: d, timeout: testTimeout, ensuredOnce: false}
- out, err := s.GetUser("cat")
- if err != nil {
- t.Error("Unexpected error", err)
- }
- if !reflect.DeepEqual(out, expected) {
- t.Error("GetUser doesn't match given store. Got", out, "expected", expected)
- }
- err = s.DeleteUser("cat")
- if err != nil {
- t.Error("Unexpected error", err)
- }
- }
- func TestAllRoles(t *testing.T) {
- d := &testDoer{
- get: []etcdserver.Response{
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Get,
- Node: &etcdstore.NodeExtern{
- Nodes: etcdstore.NodeExterns([]*etcdstore.NodeExtern{
- {
- Key: StorePermsPrefix + "/roles/animal",
- },
- {
- Key: StorePermsPrefix + "/roles/human",
- },
- }),
- },
- },
- },
- },
- explicitlyEnabled: true,
- }
- expected := []string{"animal", "human", "root"}
- s := store{server: d, timeout: testTimeout, ensuredOnce: false}
- out, err := s.AllRoles()
- if err != nil {
- t.Error("Unexpected error", err)
- }
- if !reflect.DeepEqual(out, expected) {
- t.Error("AllRoles doesn't match given store. Got", out, "expected", expected)
- }
- }
- func TestGetAndDeleteRole(t *testing.T) {
- data := `{"role": "animal"}`
- d := &testDoer{
- get: []etcdserver.Response{
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Get,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/roles/animal",
- Value: &data,
- },
- },
- },
- },
- explicitlyEnabled: true,
- }
- expected := Role{Role: "animal"}
- s := store{server: d, timeout: testTimeout, ensuredOnce: false}
- out, err := s.GetRole("animal")
- if err != nil {
- t.Error("Unexpected error", err)
- }
- if !reflect.DeepEqual(out, expected) {
- t.Error("GetRole doesn't match given store. Got", out, "expected", expected)
- }
- err = s.DeleteRole("animal")
- if err != nil {
- t.Error("Unexpected error", err)
- }
- }
- func TestEnsure(t *testing.T) {
- d := &testDoer{
- get: []etcdserver.Response{
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Set,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix,
- Dir: true,
- },
- },
- },
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Set,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/users/",
- Dir: true,
- },
- },
- },
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Set,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/roles/",
- Dir: true,
- },
- },
- },
- },
- }
- s := store{server: d, timeout: testTimeout, ensuredOnce: false}
- err := s.ensureAuthDirectories()
- if err != nil {
- t.Error("Unexpected error", err)
- }
- }
- type fastPasswordStore struct {
- }
- func (_ fastPasswordStore) CheckPassword(user User, password string) bool {
- return user.Password == password
- }
- func (_ fastPasswordStore) HashPassword(password string) (string, error) { return password, nil }
- func TestCreateAndUpdateUser(t *testing.T) {
- olduser := `{"user": "cat", "roles" : ["animal"]}`
- newuser := `{"user": "cat", "roles" : ["animal", "pet"]}`
- d := &testDoer{
- get: []etcdserver.Response{
- {
- Event: nil,
- },
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Get,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/users/cat",
- Value: &olduser,
- },
- },
- },
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Get,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/users/cat",
- Value: &olduser,
- },
- },
- },
- },
- put: []etcdserver.Response{
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Update,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/users/cat",
- Value: &olduser,
- },
- },
- },
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Update,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/users/cat",
- Value: &newuser,
- },
- },
- },
- },
- explicitlyEnabled: true,
- }
- user := User{User: "cat", Password: "meow", Roles: []string{"animal"}}
- update := User{User: "cat", Grant: []string{"pet"}}
- expected := User{User: "cat", Roles: []string{"animal", "pet"}}
- s := store{server: d, timeout: testTimeout, ensuredOnce: true, PasswordStore: fastPasswordStore{}}
- out, created, err := s.CreateOrUpdateUser(user)
- if !created {
- t.Error("Should have created user, instead updated?")
- }
- if err != nil {
- t.Error("Unexpected error", err)
- }
- out.Password = "meow"
- if !reflect.DeepEqual(out, user) {
- t.Error("UpdateUser doesn't match given update. Got", out, "expected", expected)
- }
- out, created, err = s.CreateOrUpdateUser(update)
- if created {
- t.Error("Should have updated user, instead created?")
- }
- if err != nil {
- t.Error("Unexpected error", err)
- }
- if !reflect.DeepEqual(out, expected) {
- t.Error("UpdateUser doesn't match given update. Got", out, "expected", expected)
- }
- }
- func TestUpdateRole(t *testing.T) {
- oldrole := `{"role": "animal", "permissions" : {"kv": {"read": ["/animal"], "write": []}}}`
- newrole := `{"role": "animal", "permissions" : {"kv": {"read": ["/animal"], "write": ["/animal"]}}}`
- d := &testDoer{
- get: []etcdserver.Response{
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Get,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/roles/animal",
- Value: &oldrole,
- },
- },
- },
- },
- put: []etcdserver.Response{
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Update,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/roles/animal",
- Value: &newrole,
- },
- },
- },
- },
- explicitlyEnabled: true,
- }
- update := Role{Role: "animal", Grant: &Permissions{KV: RWPermission{Read: []string{}, Write: []string{"/animal"}}}}
- expected := Role{Role: "animal", Permissions: Permissions{KV: RWPermission{Read: []string{"/animal"}, Write: []string{"/animal"}}}}
- s := store{server: d, timeout: testTimeout, ensuredOnce: true}
- out, err := s.UpdateRole(update)
- if err != nil {
- t.Error("Unexpected error", err)
- }
- if !reflect.DeepEqual(out, expected) {
- t.Error("UpdateRole doesn't match given update. Got", out, "expected", expected)
- }
- }
- func TestCreateRole(t *testing.T) {
- role := `{"role": "animal", "permissions" : {"kv": {"read": ["/animal"], "write": []}}}`
- d := &testDoer{
- put: []etcdserver.Response{
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Create,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/roles/animal",
- Value: &role,
- },
- },
- },
- {
- Event: nil,
- },
- },
- explicitlyEnabled: true,
- }
- r := Role{Role: "animal", Permissions: Permissions{KV: RWPermission{Read: []string{"/animal"}, Write: []string{}}}}
- s := store{server: d, timeout: testTimeout, ensuredOnce: true}
- err := s.CreateRole(Role{Role: "root"})
- if err == nil {
- t.Error("Should error creating root role")
- }
- err = s.CreateRole(r)
- if err != nil {
- t.Error("Unexpected error", err)
- }
- err = s.CreateRole(r)
- if err == nil {
- t.Error("Creating duplicate role, should error")
- }
- }
- func TestEnableAuth(t *testing.T) {
- rootUser := `{"user": "root", "password": ""}`
- guestRole := `{"role": "guest", "permissions" : {"kv": {"read": ["*"], "write": ["*"]}}}`
- trueval := "true"
- falseval := "false"
- d := &testDoer{
- get: []etcdserver.Response{
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Get,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/enabled",
- Value: &falseval,
- },
- },
- },
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Get,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/user/root",
- Value: &rootUser,
- },
- },
- },
- {
- Event: nil,
- },
- },
- put: []etcdserver.Response{
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Create,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/roles/guest",
- Value: &guestRole,
- },
- },
- },
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Update,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/enabled",
- Value: &trueval,
- },
- },
- },
- },
- explicitlyEnabled: false,
- }
- s := store{server: d, timeout: testTimeout, ensuredOnce: true}
- err := s.EnableAuth()
- if err != nil {
- t.Error("Unexpected error", err)
- }
- }
- func TestDisableAuth(t *testing.T) {
- trueval := "true"
- falseval := "false"
- d := &testDoer{
- get: []etcdserver.Response{
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Get,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/enabled",
- Value: &falseval,
- },
- },
- },
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Get,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/enabled",
- Value: &trueval,
- },
- },
- },
- },
- put: []etcdserver.Response{
- {
- Event: &etcdstore.Event{
- Action: etcdstore.Update,
- Node: &etcdstore.NodeExtern{
- Key: StorePermsPrefix + "/enabled",
- Value: &falseval,
- },
- },
- },
- },
- explicitlyEnabled: false,
- }
- s := store{server: d, timeout: testTimeout, ensuredOnce: true}
- err := s.DisableAuth()
- if err == nil {
- t.Error("Expected error; already disabled")
- }
- err = s.DisableAuth()
- if err != nil {
- t.Error("Unexpected error", err)
- }
- }
- func TestSimpleMatch(t *testing.T) {
- role := Role{Role: "foo", Permissions: Permissions{KV: RWPermission{Read: []string{"/foodir/*", "/fookey"}, Write: []string{"/bardir/*", "/barkey"}}}}
- if !role.HasKeyAccess("/foodir/foo/bar", false) {
- t.Fatal("role lacks expected access")
- }
- if !role.HasKeyAccess("/fookey", false) {
- t.Fatal("role lacks expected access")
- }
- if !role.HasRecursiveAccess("/foodir/*", false) {
- t.Fatal("role lacks expected access")
- }
- if !role.HasRecursiveAccess("/foodir/foo*", false) {
- t.Fatal("role lacks expected access")
- }
- if !role.HasRecursiveAccess("/bardir/*", true) {
- t.Fatal("role lacks expected access")
- }
- if !role.HasKeyAccess("/bardir/bar/foo", true) {
- t.Fatal("role lacks expected access")
- }
- if !role.HasKeyAccess("/barkey", true) {
- t.Fatal("role lacks expected access")
- }
- if role.HasKeyAccess("/bardir/bar/foo", false) {
- t.Fatal("role has unexpected access")
- }
- if role.HasKeyAccess("/barkey", false) {
- t.Fatal("role has unexpected access")
- }
- if role.HasKeyAccess("/foodir/foo/bar", true) {
- t.Fatal("role has unexpected access")
- }
- if role.HasKeyAccess("/fookey", true) {
- t.Fatal("role has unexpected access")
- }
- }
|