Skip to content

Commit

Permalink
migrate e2e auth tests to common #8
Browse files Browse the repository at this point in the history
Signed-off-by: Chao Chen <chaochn@amazon.com>
  • Loading branch information
chaochn47 committed May 10, 2023
1 parent d81d3c3 commit 0cdd36a
Show file tree
Hide file tree
Showing 3 changed files with 118 additions and 391 deletions.
115 changes: 115 additions & 0 deletions tests/common/auth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -736,6 +736,121 @@ func TestAuthRoleList(t *testing.T) {
})
}

func TestAuthJWTExpire(t *testing.T) {
testRunner.BeforeTest(t)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1, AuthToken: defaultAuthToken}))
defer clus.Close()
cc := testutils.MustClient(clus.Client())
testutils.ExecuteUntil(ctx, t, func() {
require.NoErrorf(t, setupAuth(cc, []authRole{testRole}, []authUser{rootUser, testUser}), "failed to enable auth")
testUserAuthClient := testutils.MustClient(clus.Client(WithAuth(testUserName, testPassword)))

require.NoError(t, testUserAuthClient.Put(ctx, "foo", "bar", config.PutOptions{}))
// wait an expiration of my JWT token
<-time.After(3 * time.Second)

// e2e test will generate a new token while
// integration test that re-uses the same etcd client will refresh the token on server failure.
require.NoError(t, testUserAuthClient.Put(ctx, "foo", "bar", config.PutOptions{}))
})
}

// TestAuthRevisionConsistency ensures auth revision is the same after member restarts
func TestAuthRevisionConsistency(t *testing.T) {
testRunner.BeforeTest(t)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1, AuthToken: defaultAuthToken}))
defer clus.Close()
cc := testutils.MustClient(clus.Client())
testutils.ExecuteUntil(ctx, t, func() {
require.NoErrorf(t, setupAuth(cc, []authRole{}, []authUser{rootUser}), "failed to enable auth")
rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))

// add user
_, err := rootAuthClient.UserAdd(ctx, testUserName, testPassword, config.UserAddOptions{})
require.NoError(t, err)
// delete the same user
_, err = rootAuthClient.UserDelete(ctx, testUserName)
require.NoError(t, err)

// get node0 auth revision
aresp, err := rootAuthClient.AuthStatus(ctx)
require.NoError(t, err)
oldAuthRevision := aresp.AuthRevision

// restart the node
clus.Members()[0].Stop()
require.NoError(t, clus.Members()[0].Start(ctx))

aresp2, err := rootAuthClient.AuthStatus(ctx)
require.NoError(t, err)
newAuthRevision := aresp2.AuthRevision

require.Equal(t, oldAuthRevision, newAuthRevision)
})
}

// TestAuthTestCacheReload ensures permissions are persisted and will be reloaded after member restarts
func TestAuthTestCacheReload(t *testing.T) {
testRunner.BeforeTest(t)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1, AuthToken: defaultAuthToken}))
defer clus.Close()
cc := testutils.MustClient(clus.Client())
testutils.ExecuteUntil(ctx, t, func() {
require.NoErrorf(t, setupAuth(cc, []authRole{testRole}, []authUser{rootUser, testUser}), "failed to enable auth")
testUserAuthClient := testutils.MustClient(clus.Client(WithAuth(testUserName, testPassword)))

// create foo since that is within the permission set
// expectation is to succeed
require.NoError(t, testUserAuthClient.Put(ctx, "foo", "bar", config.PutOptions{}))

// restart the node
clus.Members()[0].Stop()
require.NoError(t, clus.Members()[0].Start(ctx))

// nothing has changed, but it fails without refreshing cache after restart
require.NoError(t, testUserAuthClient.Put(ctx, "foo", "bar2", config.PutOptions{}))
})
}

// TestAuthLeaseTimeToLive gated lease time to live with RBAC control
func TestAuthLeaseTimeToLive(t *testing.T) {
testRunner.BeforeTest(t)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1, AuthToken: defaultAuthToken}))
defer clus.Close()
cc := testutils.MustClient(clus.Client())
testutils.ExecuteUntil(ctx, t, func() {
require.NoErrorf(t, setupAuth(cc, []authRole{testRole}, []authUser{rootUser, testUser}), "failed to enable auth")
testUserAuthClient := testutils.MustClient(clus.Client(WithAuth(testUserName, testPassword)))

gresp, err := testUserAuthClient.Grant(ctx, 10)
require.NoError(t, err)
leaseID := gresp.ID

require.NoError(t, testUserAuthClient.Put(ctx, "foo", "bar", config.PutOptions{LeaseID: leaseID}))
_, err = testUserAuthClient.TimeToLive(ctx, leaseID, config.LeaseOption{WithAttachedKeys: true})
require.NoError(t, err)

rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))
require.NoError(t, rootAuthClient.Put(ctx, "bar", "foo", config.PutOptions{LeaseID: leaseID}))

// the lease is attached to bar, which test-user cannot access
_, err = testUserAuthClient.TimeToLive(ctx, leaseID, config.LeaseOption{WithAttachedKeys: true})
require.Errorf(t, err, "test-user must not be able to access to the lease, because it's attached to the key bar")

// without --keys, access should be allowed
_, err = testUserAuthClient.TimeToLive(ctx, leaseID, config.LeaseOption{WithAttachedKeys: false})
require.NoError(t, err)
})
}

func mustAbsPath(path string) string {
abs, err := filepath.Abs(path)
if err != nil {
Expand Down
Loading

0 comments on commit 0cdd36a

Please sign in to comment.