From e49d6d8a5f83c80963ef27c446521018cde3a21c Mon Sep 17 00:00:00 2001 From: Hitoshi Mitake Date: Fri, 31 Mar 2023 23:07:23 +0900 Subject: [PATCH] tests: e2e and integration test for timetolive Signed-off-by: Hitoshi Mitake Co-authored-by: Benjamin Wang --- integration/v3_auth_test.go | 90 ++++++++++++++++++++++++++++++++-- tests/e2e/ctl_v3_auth_test.go | 49 ++++++++++++++++++ tests/e2e/ctl_v3_lease_test.go | 8 +++ 3 files changed, 142 insertions(+), 5 deletions(-) diff --git a/integration/v3_auth_test.go b/integration/v3_auth_test.go index c311792f4083..08b28476eb4d 100644 --- a/integration/v3_auth_test.go +++ b/integration/v3_auth_test.go @@ -150,12 +150,10 @@ func testV3AuthWithLeaseRevokeWithRoot(t *testing.T, ccfg ClusterConfig) { // wait for lease expire time.Sleep(3 * time.Second) - tresp, terr := api.Lease.LeaseTimeToLive( + tresp, terr := rootc.TimeToLive( context.TODO(), - &pb.LeaseTimeToLiveRequest{ - ID: int64(leaseID), - Keys: true, - }, + leaseID, + clientv3.WithAttachedKeys(), ) if terr != nil { t.Error(terr) @@ -526,3 +524,85 @@ func TestV3AuthWatchErrorAndWatchId0(t *testing.T) { <-watchEndCh } + +func TestV3AuthWithLeaseTimeToLive(t *testing.T) { + clus := NewClusterV3(t, &ClusterConfig{Size: 1}) + defer clus.Terminate(t) + + users := []user{ + { + name: "user1", + password: "user1-123", + role: "role1", + key: "k1", + end: "k3", + }, + { + name: "user2", + password: "user2-123", + role: "role2", + key: "k2", + end: "k4", + }, + } + authSetupUsers(t, toGRPC(clus.Client(0)).Auth, users) + + authSetupRoot(t, toGRPC(clus.Client(0)).Auth) + + user1c, cerr := clientv3.New(clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "user1", Password: "user1-123"}) + if cerr != nil { + t.Fatal(cerr) + } + defer user1c.Close() + + user2c, cerr := clientv3.New(clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "user2", Password: "user2-123"}) + if cerr != nil { + t.Fatal(cerr) + } + defer user2c.Close() + + leaseResp, err := user1c.Grant(context.TODO(), 90) + if err != nil { + t.Fatal(err) + } + leaseID := leaseResp.ID + _, err = user1c.Put(context.TODO(), "k1", "val", clientv3.WithLease(leaseID)) + if err != nil { + t.Fatal(err) + } + // k2 can be accessed from both user1 and user2 + _, err = user1c.Put(context.TODO(), "k2", "val", clientv3.WithLease(leaseID)) + if err != nil { + t.Fatal(err) + } + + _, err = user1c.TimeToLive(context.TODO(), leaseID) + if err != nil { + t.Fatal(err) + } + + _, err = user2c.TimeToLive(context.TODO(), leaseID) + if err != nil { + t.Fatal(err) + } + + _, err = user2c.TimeToLive(context.TODO(), leaseID, clientv3.WithAttachedKeys()) + if err == nil { + t.Fatal("timetolive from user2 should be failed with permission denied") + } + + rootc, cerr := clientv3.New(clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "root", Password: "123"}) + if cerr != nil { + t.Fatal(cerr) + } + defer rootc.Close() + + if _, err := rootc.RoleRevokePermission(context.TODO(), "role1", "k1", "k3"); err != nil { + t.Fatal(err) + } + + _, err = user1c.TimeToLive(context.TODO(), leaseID, clientv3.WithAttachedKeys()) + if err == nil { + t.Fatal("timetolive from user2 should be failed with permission denied") + } +} diff --git a/tests/e2e/ctl_v3_auth_test.go b/tests/e2e/ctl_v3_auth_test.go index 036721491cd3..cee257322738 100644 --- a/tests/e2e/ctl_v3_auth_test.go +++ b/tests/e2e/ctl_v3_auth_test.go @@ -68,6 +68,7 @@ func TestCtlV3AuthSnapshot(t *testing.T) { testCtl(t, authTestSnapshot) } func TestCtlV3AuthSnapshotJWT(t *testing.T) { testCtl(t, authTestSnapshot, withCfg(configJWT)) } func TestCtlV3AuthJWTExpire(t *testing.T) { testCtl(t, authTestJWTExpire, withCfg(configJWT)) } func TestCtlV3AuthTestCacheReload(t *testing.T) { testCtl(t, authTestCacheReload) } +func TestCtlV3AuthLeaseTimeToLive(t *testing.T) { testCtl(t, authTestLeaseTimeToLive) } func authEnableTest(cx ctlCtx) { if err := authEnable(cx); err != nil { @@ -1233,3 +1234,51 @@ func authTestCacheReload(cx ctlCtx) { cx.t.Fatal(err) } } + +func authTestLeaseTimeToLive(cx ctlCtx) { + if err := authEnable(cx); err != nil { + cx.t.Fatal(err) + } + cx.user, cx.pass = "root", "root" + + authSetupTestUser(cx) + + cx.user = "test-user" + cx.pass = "pass" + + leaseID, err := ctlV3LeaseGrant(cx, 10) + if err != nil { + cx.t.Fatal(err) + } + + err = ctlV3Put(cx, "foo", "val", leaseID) + if err != nil { + cx.t.Fatal(err) + } + + err = ctlV3LeaseTimeToLive(cx, leaseID, true) + if err != nil { + cx.t.Fatal(err) + } + + cx.user = "root" + cx.pass = "root" + err = ctlV3Put(cx, "bar", "val", leaseID) + if err != nil { + cx.t.Fatal(err) + } + + cx.user = "test-user" + cx.pass = "pass" + // the lease is attached to bar, which test-user cannot access + err = ctlV3LeaseTimeToLive(cx, leaseID, true) + if err == nil { + cx.t.Fatal("test-user must not be able to access to the lease, because it's attached to the key bar") + } + + // without --keys, access should be allowed + err = ctlV3LeaseTimeToLive(cx, leaseID, false) + if err != nil { + cx.t.Fatal(err) + } +} diff --git a/tests/e2e/ctl_v3_lease_test.go b/tests/e2e/ctl_v3_lease_test.go index 608b8ca2aa01..fce657d7e232 100644 --- a/tests/e2e/ctl_v3_lease_test.go +++ b/tests/e2e/ctl_v3_lease_test.go @@ -294,3 +294,11 @@ func ctlV3LeaseRevoke(cx ctlCtx, leaseID string) error { cmdArgs := append(cx.PrefixArgs(), "lease", "revoke", leaseID) return spawnWithExpect(cmdArgs, fmt.Sprintf("lease %s revoked", leaseID)) } + +func ctlV3LeaseTimeToLive(cx ctlCtx, leaseID string, withKeys bool) error { + cmdArgs := append(cx.PrefixArgs(), "lease", "timetolive", leaseID) + if withKeys { + cmdArgs = append(cmdArgs, "--keys") + } + return spawnWithExpect(cmdArgs, fmt.Sprintf("lease %s granted with", leaseID)) +}