Skip to content

Commit

Permalink
Merge pull request etcd-io#15512 from engow/automated-cherry-pick-of-…
Browse files Browse the repository at this point in the history
…#15432-origin-release-3.5

[3.5] server/auth: fix auth panic bug when user changes password
  • Loading branch information
ahrtr authored and tjungblu committed Jul 26, 2023
2 parents 0c3b29e + 2c55b53 commit 841a6f4
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 3 deletions.
3 changes: 2 additions & 1 deletion server/auth/store.go
Original file line number Diff line number Diff line change
Expand Up @@ -479,7 +479,8 @@ func (as *authStore) UserChangePassword(r *pb.AuthUserChangePasswordRequest) (*p
var password []byte
var err error

if !user.Options.NoPassword {
// Backward compatible with old versions of etcd, user options is nil
if user.Options == nil || !user.Options.NoPassword {
password, err = as.selectPassword(r.Password, r.HashedPassword)
if err != nil {
return nil, ErrNoPasswordUser
Expand Down
25 changes: 23 additions & 2 deletions server/auth/store_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -125,13 +125,28 @@ func setupAuthStore(t *testing.T) (store *authStore, teardownfunc func(t *testin
t.Fatal(err)
}

// The UserAdd function cannot generate old etcd version user data (user's option is nil)
// add special users through the underlying interface
err = addUserWithNoOption(as)
if err != nil {
t.Fatal(err)
}

tearDown := func(_ *testing.T) {
b.Close()
as.Close()
}
return as, tearDown
}

func addUserWithNoOption(as *authStore) error {
_, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "foo-no-user-options", Password: "bar"})
if err != nil {
return err
}
return nil
}

func enableAuthAndCreateRoot(as *authStore) error {
_, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "root", HashedPassword: encodePassword("root"), Options: &authpb.UserAddOptions{NoPassword: false}})
if err != nil {
Expand Down Expand Up @@ -203,8 +218,8 @@ func TestRecoverWithEmptyRangePermCache(t *testing.T) {
t.Fatalf("expected auth enabled got disabled")
}

if len(as.rangePermCache) != 2 {
t.Fatalf("rangePermCache should have permission information for 2 users (\"root\" and \"foo\"), but has %d information", len(as.rangePermCache))
if len(as.rangePermCache) != 3 {
t.Fatalf("rangePermCache should have permission information for 3 users (\"root\" and \"foo\",\"foo-no-user-options\"), but has %d information", len(as.rangePermCache))
}
if _, ok := as.rangePermCache["root"]; !ok {
t.Fatal("user \"root\" should be created by setupAuthStore() but doesn't exist in rangePermCache")
Expand Down Expand Up @@ -335,6 +350,12 @@ func TestUserChangePassword(t *testing.T) {
if err != ErrUserNotFound {
t.Fatalf("expected %v, got %v", ErrUserNotFound, err)
}

// change a user(user option is nil) password
_, err = as.UserChangePassword(&pb.AuthUserChangePasswordRequest{Name: "foo-no-user-options", HashedPassword: encodePassword("bar")})
if err != nil {
t.Fatal(err)
}
}

func TestRoleAdd(t *testing.T) {
Expand Down

0 comments on commit 841a6f4

Please sign in to comment.