Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

migrate auth tests to common #7 #15578

Merged
merged 1 commit into from
Mar 28, 2023
Merged

migrate auth tests to common #7 #15578

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion bill-of-materials.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -396,7 +396,7 @@
]
},
{
"project": "github.com/stretchr/testify/assert",
"project": "github.com/stretchr/testify",
"licenses": [
{
"type": "MIT License",
Expand Down
93 changes: 93 additions & 0 deletions tests/common/auth_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -629,6 +629,99 @@ func TestAuthTestInvalidMgmt(t *testing.T) {
})
}

func TestAuthLeaseRevoke(t *testing.T) {
testRunner.BeforeTest(t)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1}))
defer clus.Close()
cc := testutils.MustClient(clus.Client())
testutils.ExecuteUntil(ctx, t, func() {
require.NoErrorf(t, setupAuth(cc, []authRole{testRole}, []authUser{rootUser, testUser}), "failed to enable auth")
rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))

lresp, err := rootAuthClient.Grant(ctx, 10)
require.NoError(t, err)
err = rootAuthClient.Put(ctx, "key", "value", config.PutOptions{LeaseID: lresp.ID})
require.NoError(t, err)

_, err = rootAuthClient.Revoke(ctx, lresp.ID)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we have a test targeting this method specifically, it would be good to assert what's returning actually.

[I know that it was not tested previously... ]

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

clientv3 Lease revoke response is the type alias of the proto buf generated one. It only contains ResponseHeader.

type LeaseRevokeResponse struct {
	Header               *ResponseHeader `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"`
	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
	XXX_unrecognized     []byte          `json:"-"`
	XXX_sizecache        int32           `json:"-"`
}

I was blindly migrate the old logic to this one. How about assert the revoked lease is no longer in LeaseList response and get response is empty?

require.NoError(t, err)

_, err = rootAuthClient.Get(ctx, "key", config.GetOptions{})
require.NoError(t, err)
})
}

func TestAuthRoleGet(t *testing.T) {
testRunner.BeforeTest(t)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1}))
defer clus.Close()
cc := testutils.MustClient(clus.Client())
testutils.ExecuteUntil(ctx, t, func() {
require.NoErrorf(t, setupAuth(cc, []authRole{testRole}, []authUser{rootUser, testUser}), "failed to enable auth")
rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))
testUserAuthClient := testutils.MustClient(clus.Client(WithAuth(testUserName, testPassword)))

resp, err := rootAuthClient.RoleGet(ctx, testRoleName)
require.NoError(t, err)
requireRolePermissionEqual(t, testRole, resp.Perm)

// test-user can get the information of test-role because it belongs to the role
resp, err = testUserAuthClient.RoleGet(ctx, testRoleName)
require.NoError(t, err)
requireRolePermissionEqual(t, testRole, resp.Perm)
// test-user cannot get the information of root because it doesn't belong to the role
_, err = testUserAuthClient.RoleGet(ctx, rootRoleName)
require.ErrorContains(t, err, PermissionDenied)
})
}

func TestAuthUserGet(t *testing.T) {
testRunner.BeforeTest(t)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1}))
defer clus.Close()
cc := testutils.MustClient(clus.Client())
testutils.ExecuteUntil(ctx, t, func() {
require.NoErrorf(t, setupAuth(cc, []authRole{testRole}, []authUser{rootUser, testUser}), "failed to enable auth")
rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logically this are 2 subtests, so ideally we should run them in tested t.run(...).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please point to which 2 tests? I guess root and test user, respectively?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems not a big deal to me.

testUserAuthClient := testutils.MustClient(clus.Client(WithAuth(testUserName, testPassword)))

resp, err := rootAuthClient.UserGet(ctx, testUserName)
require.NoError(t, err)
requireUserRolesEqual(t, testUser, resp.Roles)

// test-user can get the information of test-user itself
resp, err = testUserAuthClient.UserGet(ctx, testUserName)
require.NoError(t, err)
requireUserRolesEqual(t, testUser, resp.Roles)
// test-user cannot get the information of root
_, err = testUserAuthClient.UserGet(ctx, rootUserName)
require.ErrorContains(t, err, PermissionDenied)
})
}

func TestAuthRoleList(t *testing.T) {
testRunner.BeforeTest(t)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1}))
defer clus.Close()
cc := testutils.MustClient(clus.Client())
testutils.ExecuteUntil(ctx, t, func() {
require.NoErrorf(t, setupAuth(cc, []authRole{testRole}, []authUser{rootUser, testUser}), "failed to enable auth")
rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))

resp, err := rootAuthClient.RoleList(ctx)
require.NoError(t, err)
requireUserRolesEqual(t, testUser, resp.Roles)
})
}

func mustAbsPath(path string) string {
abs, err := filepath.Abs(path)
if err != nil {
Expand Down
16 changes: 16 additions & 0 deletions tests/common/auth_util.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,11 @@ package common
import (
"context"
"fmt"
"testing"

"github.com/stretchr/testify/require"

"go.etcd.io/etcd/api/v3/authpb"
clientv3 "go.etcd.io/etcd/client/v3"
"go.etcd.io/etcd/tests/v3/framework/config"
"go.etcd.io/etcd/tests/v3/framework/interfaces"
Expand Down Expand Up @@ -106,3 +110,15 @@ func setupAuth(c interfaces.Client, roles []authRole, users []authUser) error {

return nil
}

func requireRolePermissionEqual(t *testing.T, expectRole authRole, actual []*authpb.Permission) {
require.Equal(t, 1, len(actual))
require.Equal(t, expectRole.permission, clientv3.PermissionType(actual[0].PermType))
require.Equal(t, expectRole.key, string(actual[0].Key))
require.Equal(t, expectRole.keyEnd, string(actual[0].RangeEnd))
}

func requireUserRolesEqual(t *testing.T, expectUser authUser, actual []string) {
require.Equal(t, 1, len(actual))
require.Equal(t, expectUser.role, actual[0])
}
119 changes: 3 additions & 116 deletions tests/e2e/ctl_v3_auth_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,14 +29,10 @@ import (

func TestCtlV3AuthMemberUpdate(t *testing.T) { testCtl(t, authTestMemberUpdate) }
func TestCtlV3AuthFromKeyPerm(t *testing.T) { testCtl(t, authTestFromKeyPerm) }
func TestCtlV3AuthAndWatch(t *testing.T) { testCtl(t, authTestWatch) }
func TestCtlV3AuthAndWatchJWT(t *testing.T) { testCtl(t, authTestWatch, withCfg(*e2e.NewConfigJWT())) }

func TestCtlV3AuthLeaseRevoke(t *testing.T) { testCtl(t, authLeaseTestLeaseRevoke) }

func TestCtlV3AuthRoleGet(t *testing.T) { testCtl(t, authTestRoleGet) }
func TestCtlV3AuthUserGet(t *testing.T) { testCtl(t, authTestUserGet) }
func TestCtlV3AuthRoleList(t *testing.T) { testCtl(t, authTestRoleList) }
// TestCtlV3AuthAndWatch TODO https://github.com/etcd-io/etcd/issues/7988 is the blocker of migration to common/auth_test.go
func TestCtlV3AuthAndWatch(t *testing.T) { testCtl(t, authTestWatch) }
func TestCtlV3AuthAndWatchJWT(t *testing.T) { testCtl(t, authTestWatch, withCfg(*e2e.NewConfigJWT())) }

func TestCtlV3AuthDefrag(t *testing.T) { testCtl(t, authTestDefrag) }
func TestCtlV3AuthEndpointHealth(t *testing.T) {
Expand Down Expand Up @@ -230,44 +226,6 @@ func authTestFromKeyPerm(cx ctlCtx) {
}
}

func leaseTestGrantLeasesList(cx ctlCtx) error {
id, err := ctlV3LeaseGrant(cx, 10)
if err != nil {
return fmt.Errorf("ctlV3LeaseGrant error (%v)", err)
}

cmdArgs := append(cx.PrefixArgs(), "lease", "list")
proc, err := e2e.SpawnCmd(cmdArgs, cx.envMap)
if err != nil {
return fmt.Errorf("lease list failed (%v)", err)
}
_, err = proc.Expect(id)
if err != nil {
return fmt.Errorf("lease id not in returned list (%v)", err)
}
return proc.Close()
}

func authLeaseTestLeaseRevoke(cx ctlCtx) {
cx.user, cx.pass = "root", "root"
authSetupTestUser(cx)

// put with TTL 10 seconds and revoke
leaseID, err := ctlV3LeaseGrant(cx, 10)
if err != nil {
cx.t.Fatalf("ctlV3LeaseGrant error (%v)", err)
}
if err := ctlV3Put(cx, "key", "val", leaseID); err != nil {
cx.t.Fatalf("ctlV3Put error (%v)", err)
}
if err := ctlV3LeaseRevoke(cx, leaseID); err != nil {
cx.t.Fatalf("ctlV3LeaseRevoke error (%v)", err)
}
if err := ctlV3GetWithErr(cx, []string{"key"}, []string{"retrying of unary invoker failed"}); err != nil { // expect errors
cx.t.Fatalf("ctlV3GetWithErr error (%v)", err)
}
}

func authTestWatch(cx ctlCtx) {
if err := authEnable(cx); err != nil {
cx.t.Fatal(err)
Expand Down Expand Up @@ -344,77 +302,6 @@ func authTestWatch(cx ctlCtx) {

}

func authTestRoleGet(cx ctlCtx) {
if err := authEnable(cx); err != nil {
cx.t.Fatal(err)
}
cx.user, cx.pass = "root", "root"
authSetupTestUser(cx)

expected := []string{
"Role test-role",
"KV Read:", "foo",
"KV Write:", "foo",
}
if err := e2e.SpawnWithExpects(append(cx.PrefixArgs(), "role", "get", "test-role"), cx.envMap, expected...); err != nil {
cx.t.Fatal(err)
}

// test-user can get the information of test-role because it belongs to the role
cx.user, cx.pass = "test-user", "pass"
if err := e2e.SpawnWithExpects(append(cx.PrefixArgs(), "role", "get", "test-role"), cx.envMap, expected...); err != nil {
cx.t.Fatal(err)
}

// test-user cannot get the information of root because it doesn't belong to the role
expected = []string{
"Error: etcdserver: permission denied",
}
err := e2e.SpawnWithExpects(append(cx.PrefixArgs(), "role", "get", "root"), cx.envMap, expected...)
require.ErrorContains(cx.t, err, "permission denied")
}

func authTestUserGet(cx ctlCtx) {
if err := authEnable(cx); err != nil {
cx.t.Fatal(err)
}
cx.user, cx.pass = "root", "root"
authSetupTestUser(cx)

expected := []string{
"User: test-user",
"Roles: test-role",
}

if err := e2e.SpawnWithExpects(append(cx.PrefixArgs(), "user", "get", "test-user"), cx.envMap, expected...); err != nil {
cx.t.Fatal(err)
}

// test-user can get the information of test-user itself
cx.user, cx.pass = "test-user", "pass"
if err := e2e.SpawnWithExpects(append(cx.PrefixArgs(), "user", "get", "test-user"), cx.envMap, expected...); err != nil {
cx.t.Fatal(err)
}

// test-user cannot get the information of root
expected = []string{
"Error: etcdserver: permission denied",
}
err := e2e.SpawnWithExpects(append(cx.PrefixArgs(), "user", "get", "root"), cx.envMap, expected...)
require.ErrorContains(cx.t, err, "permission denied")
}

func authTestRoleList(cx ctlCtx) {
if err := authEnable(cx); err != nil {
cx.t.Fatal(err)
}
cx.user, cx.pass = "root", "root"
authSetupTestUser(cx)
if err := e2e.SpawnWithExpectWithEnv(append(cx.PrefixArgs(), "role", "list"), cx.envMap, "test-role"); err != nil {
cx.t.Fatal(err)
}
}

func authTestDefrag(cx ctlCtx) {
maintenanceInitKeys(cx)

Expand Down