mirrors/etcd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

server/auth: fix auth panic bug when user changes password

Browse Source 
Signed-off-by: tangcong <tangcong506@foxmail.com>
Signed-off-by: engow <engow@hotmail.com>
This commit is contained in:
tangcong 2023-03-09 12:21:50 +08:00 committed by engow
parent b10adb6abe
commit dcb1bf6078
2 changed files with 26 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
server/auth/store.go
View File

@ -479,7 +479,8 @@ func (as *authStore) UserChangePassword(r *pb.AuthUserChangePasswordRequest) (*p
var password []byte var password []byte
var err error var err error
if !user.Options.NoPassword { // Backward compatible with old versions of etcd, user options is nil
if user.Options == nil || !user.Options.NoPassword {
password, err = as.selectPassword(r.Password, r.HashedPassword) password, err = as.selectPassword(r.Password, r.HashedPassword)
if err != nil { if err != nil {
return nil, ErrNoPasswordUser return nil, ErrNoPasswordUser

26
server/auth/store_test.go
View File

@ -124,6 +124,10 @@ func setupAuthStore(t *testing.T) (store *authStore, teardownfunc func(t *testin
t.Fatal(err) t.Fatal(err)
} }
// The UserAdd function cannot generate old etcd version user data (user's option is nil)
// add special users through the underlying interface
addUserWithNoOption(as)
tearDown := func(_ *testing.T) { tearDown := func(_ *testing.T) {
b.Close() b.Close()
as.Close() as.Close()
@ -131,6 +135,18 @@ func setupAuthStore(t *testing.T) (store *authStore, teardownfunc func(t *testin
return as, tearDown return as, tearDown
} }
func addUserWithNoOption(as *authStore) {
tx := as.be.BatchTx()
tx.Lock()
defer tx.Unlock()
tx.UnsafePutUser(&authpb.User{
Name: []byte("foo-no-user-options"),
Password: []byte("bar"),
})
as.commitRevision(tx)
as.refreshRangePermCache(tx)
}
func enableAuthAndCreateRoot(as *authStore) error { func enableAuthAndCreateRoot(as *authStore) error {
_, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "root", HashedPassword: encodePassword("root"), Options: &authpb.UserAddOptions{NoPassword: false}}) _, err := as.UserAdd(&pb.AuthUserAddRequest{Name: "root", HashedPassword: encodePassword("root"), Options: &authpb.UserAddOptions{NoPassword: false}})
if err != nil { if err != nil {
@ -202,8 +218,8 @@ func TestRecoverWithEmptyRangePermCache(t *testing.T) {
t.Fatalf("expected auth enabled got disabled") t.Fatalf("expected auth enabled got disabled")
} }
if len(as.rangePermCache) != 2 { if len(as.rangePermCache) != 3 {
t.Fatalf("rangePermCache should have permission information for 2 users (\"root\" and \"foo\"), but has %d information", len(as.rangePermCache)) t.Fatalf("rangePermCache should have permission information for 3 users (\"root\" and \"foo\",\"foo-no-user-options\"), but has %d information", len(as.rangePermCache))
} }
if _, ok := as.rangePermCache["root"]; !ok { if _, ok := as.rangePermCache["root"]; !ok {
t.Fatal("user \"root\" should be created by setupAuthStore() but doesn't exist in rangePermCache") t.Fatal("user \"root\" should be created by setupAuthStore() but doesn't exist in rangePermCache")
@ -334,6 +350,12 @@ func TestUserChangePassword(t *testing.T) {
if err != ErrUserNotFound { if err != ErrUserNotFound {
t.Fatalf("expected %v, got %v", ErrUserNotFound, err) t.Fatalf("expected %v, got %v", ErrUserNotFound, err)
} }
// change a useruser option is nil) password
_, err = as.UserChangePassword(&pb.AuthUserChangePasswordRequest{Name: "foo-no-user-options", HashedPassword: encodePassword("bar")})
if err != nil {
t.Fatal(err)
}
} }
func TestRoleAdd(t *testing.T) { func TestRoleAdd(t *testing.T) {