server/auth: protect rangePermCache with a RW lock
Signed-off-by: Hitoshi Mitake <h.mitake@gmail.com>
This commit is contained in:
Hitoshi Mitake
@ -27,6 +27,7 @@ import (
|
||||
"go.etcd.io/etcd/api/v3/authpb"
|
||||
pb "go.etcd.io/etcd/api/v3/etcdserverpb"
|
||||
"go.etcd.io/etcd/api/v3/v3rpc/rpctypes"
|
||||
"go.etcd.io/etcd/pkg/v3/adt"
|
||||
"go.etcd.io/etcd/server/v3/mvcc/backend"
|
||||
betesting "go.etcd.io/etcd/server/v3/mvcc/backend/testing"
|
||||
|
||||
@ -153,7 +154,8 @@ func TestUserAdd(t *testing.T) {
|
||||
as, tearDown := setupAuthStore(t)
|
||||
defer tearDown(t)
|
||||
|
||||
ua := &pb.AuthUserAddRequest{Name: "foo", Options: &authpb.UserAddOptions{NoPassword: false}}
|
||||
const userName = "foo"
|
||||
ua := &pb.AuthUserAddRequest{Name: userName, Options: &authpb.UserAddOptions{NoPassword: false}}
|
||||
_, err := as.UserAdd(ua) // add an existing user
|
||||
if err == nil {
|
||||
t.Fatalf("expected %v, got %v", ErrUserAlreadyExist, err)
|
||||
@ -167,6 +169,11 @@ func TestUserAdd(t *testing.T) {
|
||||
if err != ErrUserEmpty {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
if _, ok := as.rangePermCache[userName]; !ok {
|
||||
t.Fatalf("user %s should be added but it doesn't exist in rangePermCache", userName)
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
func TestRecover(t *testing.T) {
|
||||
@ -216,7 +223,8 @@ func TestUserDelete(t *testing.T) {
|
||||
defer tearDown(t)
|
||||
|
||||
// delete an existing user
|
||||
ud := &pb.AuthUserDeleteRequest{Name: "foo"}
|
||||
const userName = "foo"
|
||||
ud := &pb.AuthUserDeleteRequest{Name: userName}
|
||||
_, err := as.UserDelete(ud)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
@ -230,6 +238,47 @@ func TestUserDelete(t *testing.T) {
|
||||
if err != ErrUserNotFound {
|
||||
t.Fatalf("expected %v, got %v", ErrUserNotFound, err)
|
||||
}
|
||||
|
||||
if _, ok := as.rangePermCache[userName]; ok {
|
||||
t.Fatalf("user %s should be deleted but it exists in rangePermCache", userName)
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
func TestUserDeleteAndPermCache(t *testing.T) {
|
||||
as, tearDown := setupAuthStore(t)
|
||||
defer tearDown(t)
|
||||
|
||||
// delete an existing user
|
||||
const deletedUserName = "foo"
|
||||
ud := &pb.AuthUserDeleteRequest{Name: deletedUserName}
|
||||
_, err := as.UserDelete(ud)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// delete a non-existing user
|
||||
_, err = as.UserDelete(ud)
|
||||
if err != ErrUserNotFound {
|
||||
t.Fatalf("expected %v, got %v", ErrUserNotFound, err)
|
||||
}
|
||||
|
||||
if _, ok := as.rangePermCache[deletedUserName]; ok {
|
||||
t.Fatalf("user %s should be deleted but it exists in rangePermCache", deletedUserName)
|
||||
}
|
||||
|
||||
// add a new user
|
||||
const newUser = "bar"
|
||||
ua := &pb.AuthUserAddRequest{Name: newUser, HashedPassword: encodePassword("pwd1"), Options: &authpb.UserAddOptions{NoPassword: false}}
|
||||
_, err = as.UserAdd(ua)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
if _, ok := as.rangePermCache[newUser]; !ok {
|
||||
t.Fatalf("user %s should exist but it doesn't exist in rangePermCache", deletedUserName)
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
func TestUserChangePassword(t *testing.T) {
|
||||
@ -524,17 +573,44 @@ func TestUserRevokePermission(t *testing.T) {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
_, err = as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "role-test"})
|
||||
const userName = "foo"
|
||||
_, err = as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: userName, Role: "role-test"})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
_, err = as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "role-test-1"})
|
||||
_, err = as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: userName, Role: "role-test-1"})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
u, err := as.UserGet(&pb.AuthUserGetRequest{Name: "foo"})
|
||||
perm := &authpb.Permission{
|
||||
PermType: authpb.WRITE,
|
||||
Key: []byte("WriteKeyBegin"),
|
||||
RangeEnd: []byte("WriteKeyEnd"),
|
||||
}
|
||||
_, err = as.RoleGrantPermission(&pb.AuthRoleGrantPermissionRequest{
|
||||
Name: "role-test-1",
|
||||
Perm: perm,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
if _, ok := as.rangePermCache[userName]; !ok {
|
||||
t.Fatalf("User %s should have its entry in rangePermCache", userName)
|
||||
}
|
||||
unifiedPerm := as.rangePermCache[userName]
|
||||
pt1 := adt.NewBytesAffinePoint([]byte("WriteKeyBegin"))
|
||||
if !unifiedPerm.writePerms.Contains(pt1) {
|
||||
t.Fatal("rangePermCache should contain WriteKeyBegin")
|
||||
}
|
||||
pt2 := adt.NewBytesAffinePoint([]byte("OutOfRange"))
|
||||
if unifiedPerm.writePerms.Contains(pt2) {
|
||||
t.Fatal("rangePermCache should not contain OutOfRange")
|
||||
}
|
||||
|
||||
u, err := as.UserGet(&pb.AuthUserGetRequest{Name: userName})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@ -544,12 +620,12 @@ func TestUserRevokePermission(t *testing.T) {
|
||||
t.Fatalf("expected %v, got %v", expected, u.Roles)
|
||||
}
|
||||
|
||||
_, err = as.UserRevokeRole(&pb.AuthUserRevokeRoleRequest{Name: "foo", Role: "role-test-1"})
|
||||
_, err = as.UserRevokeRole(&pb.AuthUserRevokeRoleRequest{Name: userName, Role: "role-test-1"})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
u, err = as.UserGet(&pb.AuthUserGetRequest{Name: "foo"})
|
||||
u, err = as.UserGet(&pb.AuthUserGetRequest{Name: userName})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user