From 975854f07fba840a78f22bb80e99b2335ef5fc04 Mon Sep 17 00:00:00 2001 From: Hitoshi Mitake Date: Wed, 29 Mar 2023 20:46:32 +0900 Subject: [PATCH 1/2] etcdserver: protect lease timetilive with auth Signed-off-by: Hitoshi Mitake Co-authored-by: Benjamin Wang --- server/etcdserver/v3_server.go | 51 +++++++++++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-) diff --git a/server/etcdserver/v3_server.go b/server/etcdserver/v3_server.go index 6fcc1b4a3e2..5b60f321554 100644 --- a/server/etcdserver/v3_server.go +++ b/server/etcdserver/v3_server.go @@ -317,7 +317,32 @@ func (s *EtcdServer) LeaseRenew(ctx context.Context, id lease.LeaseID) (int64, e return -1, errors.ErrCanceled } -func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) { +func (s *EtcdServer) checkLeaseTimeToLive(ctx context.Context, leaseID lease.LeaseID) (error, uint64) { + rev := s.AuthStore().Revision() + if !s.AuthStore().IsAuthEnabled() { + return nil, rev + } + authInfo, err := s.AuthInfoFromCtx(ctx) + if err != nil { + return err, rev + } + if authInfo == nil { + return auth.ErrUserEmpty, rev + } + + l := s.lessor.Lookup(leaseID) + if l != nil { + for _, key := range l.Keys() { + if err := s.AuthStore().IsRangePermitted(authInfo, []byte(key), []byte{}); err != nil { + return err, 0 + } + } + } + + return nil, rev +} + +func (s *EtcdServer) leaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) { if s.isLeader() { if err := s.waitAppliedIndex(); err != nil { return nil, err @@ -367,6 +392,30 @@ func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveR return nil, errors.ErrCanceled } +func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) { + var rev uint64 + var err error + if r.Keys { + // check RBAC permission only if Keys is true + err, rev = s.checkLeaseTimeToLive(ctx, lease.LeaseID(r.ID)) + if err != nil { + return nil, err + } + } + + resp, err := s.leaseTimeToLive(ctx, r) + if err != nil { + return nil, err + } + + if r.Keys { + if s.AuthStore().IsAuthEnabled() && rev != s.AuthStore().Revision() { + return nil, auth.ErrAuthOldRevision + } + } + return resp, nil +} + func (s *EtcdServer) newHeader() *pb.ResponseHeader { return &pb.ResponseHeader{ ClusterId: uint64(s.cluster.ID()), From c9b368119e4f807c7239f40cdd2434acd39d246d Mon Sep 17 00:00:00 2001 From: Hitoshi Mitake Date: Fri, 31 Mar 2023 23:07:23 +0900 Subject: [PATCH 2/2] tests: e2e and integration test for timetolive Signed-off-by: Hitoshi Mitake Co-authored-by: Benjamin Wang --- tests/e2e/ctl_v3_auth_test.go | 49 +++++++++++++++++ tests/e2e/ctl_v3_lease_test.go | 8 +++ tests/integration/v3_auth_test.go | 91 +++++++++++++++++++++++++++++-- 3 files changed, 143 insertions(+), 5 deletions(-) diff --git a/tests/e2e/ctl_v3_auth_test.go b/tests/e2e/ctl_v3_auth_test.go index 5e96dd6a102..e5b65dcb23f 100644 --- a/tests/e2e/ctl_v3_auth_test.go +++ b/tests/e2e/ctl_v3_auth_test.go @@ -47,6 +47,7 @@ func TestCtlV3AuthJWTExpire(t *testing.T) { } func TestCtlV3AuthRevisionConsistency(t *testing.T) { testCtl(t, authTestRevisionConsistency) } func TestCtlV3AuthTestCacheReload(t *testing.T) { testCtl(t, authTestCacheReload) } +func TestCtlV3AuthLeaseTimeToLive(t *testing.T) { testCtl(t, authTestLeaseTimeToLive) } func authEnable(cx ctlCtx) error { // create root user with root role @@ -634,3 +635,51 @@ func authTestCacheReload(cx ctlCtx) { cx.t.Fatal(err) } } + +func authTestLeaseTimeToLive(cx ctlCtx) { + if err := authEnable(cx); err != nil { + cx.t.Fatal(err) + } + cx.user, cx.pass = "root", "root" + + authSetupTestUser(cx) + + cx.user = "test-user" + cx.pass = "pass" + + leaseID, err := ctlV3LeaseGrant(cx, 10) + if err != nil { + cx.t.Fatal(err) + } + + err = ctlV3Put(cx, "foo", "val", leaseID) + if err != nil { + cx.t.Fatal(err) + } + + err = ctlV3LeaseTimeToLive(cx, leaseID, true) + if err != nil { + cx.t.Fatal(err) + } + + cx.user = "root" + cx.pass = "root" + err = ctlV3Put(cx, "bar", "val", leaseID) + if err != nil { + cx.t.Fatal(err) + } + + cx.user = "test-user" + cx.pass = "pass" + // the lease is attached to bar, which test-user cannot access + err = ctlV3LeaseTimeToLive(cx, leaseID, true) + if err == nil { + cx.t.Fatal("test-user must not be able to access to the lease, because it's attached to the key bar") + } + + // without --keys, access should be allowed + err = ctlV3LeaseTimeToLive(cx, leaseID, false) + if err != nil { + cx.t.Fatal(err) + } +} diff --git a/tests/e2e/ctl_v3_lease_test.go b/tests/e2e/ctl_v3_lease_test.go index 6ac44c44f24..f5bc382b6db 100644 --- a/tests/e2e/ctl_v3_lease_test.go +++ b/tests/e2e/ctl_v3_lease_test.go @@ -95,3 +95,11 @@ func ctlV3LeaseRevoke(cx ctlCtx, leaseID string) error { cmdArgs := append(cx.PrefixArgs(), "lease", "revoke", leaseID) return e2e.SpawnWithExpectWithEnv(cmdArgs, cx.envMap, fmt.Sprintf("lease %s revoked", leaseID)) } + +func ctlV3LeaseTimeToLive(cx ctlCtx, leaseID string, withKeys bool) error { + cmdArgs := append(cx.PrefixArgs(), "lease", "timetolive", leaseID) + if withKeys { + cmdArgs = append(cmdArgs, "--keys") + } + return e2e.SpawnWithExpectWithEnv(cmdArgs, cx.envMap, fmt.Sprintf("lease %s granted with", leaseID)) +} diff --git a/tests/integration/v3_auth_test.go b/tests/integration/v3_auth_test.go index 81cb0f600ee..89bbe2193ec 100644 --- a/tests/integration/v3_auth_test.go +++ b/tests/integration/v3_auth_test.go @@ -178,12 +178,10 @@ func testV3AuthWithLeaseRevokeWithRoot(t *testing.T, ccfg integration.ClusterCon // wait for lease expire time.Sleep(3 * time.Second) - tresp, terr := api.Lease.LeaseTimeToLive( + tresp, terr := rootc.TimeToLive( context.TODO(), - &pb.LeaseTimeToLiveRequest{ - ID: int64(leaseID), - Keys: true, - }, + leaseID, + clientv3.WithAttachedKeys(), ) if terr != nil { t.Error(terr) @@ -585,3 +583,86 @@ func TestV3AuthWatchErrorAndWatchId0(t *testing.T) { <-watchEndCh } + +func TestV3AuthWithLeaseTimeToLive(t *testing.T) { + integration.BeforeTest(t) + clus := integration.NewCluster(t, &integration.ClusterConfig{Size: 1}) + defer clus.Terminate(t) + + users := []user{ + { + name: "user1", + password: "user1-123", + role: "role1", + key: "k1", + end: "k3", + }, + { + name: "user2", + password: "user2-123", + role: "role2", + key: "k2", + end: "k4", + }, + } + authSetupUsers(t, integration.ToGRPC(clus.Client(0)).Auth, users) + + authSetupRoot(t, integration.ToGRPC(clus.Client(0)).Auth) + + user1c, cerr := integration.NewClient(t, clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "user1", Password: "user1-123"}) + if cerr != nil { + t.Fatal(cerr) + } + defer user1c.Close() + + user2c, cerr := integration.NewClient(t, clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "user2", Password: "user2-123"}) + if cerr != nil { + t.Fatal(cerr) + } + defer user2c.Close() + + leaseResp, err := user1c.Grant(context.TODO(), 90) + if err != nil { + t.Fatal(err) + } + leaseID := leaseResp.ID + _, err = user1c.Put(context.TODO(), "k1", "val", clientv3.WithLease(leaseID)) + if err != nil { + t.Fatal(err) + } + // k2 can be accessed from both user1 and user2 + _, err = user1c.Put(context.TODO(), "k2", "val", clientv3.WithLease(leaseID)) + if err != nil { + t.Fatal(err) + } + + _, err = user1c.TimeToLive(context.TODO(), leaseID) + if err != nil { + t.Fatal(err) + } + + _, err = user2c.TimeToLive(context.TODO(), leaseID) + if err != nil { + t.Fatal(err) + } + + _, err = user2c.TimeToLive(context.TODO(), leaseID, clientv3.WithAttachedKeys()) + if err == nil { + t.Fatal("timetolive from user2 should be failed with permission denied") + } + + rootc, cerr := integration.NewClient(t, clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "root", Password: "123"}) + if cerr != nil { + t.Fatal(cerr) + } + defer rootc.Close() + + if _, err := rootc.RoleRevokePermission(context.TODO(), "role1", "k1", "k3"); err != nil { + t.Fatal(err) + } + + _, err = user1c.TimeToLive(context.TODO(), leaseID, clientv3.WithAttachedKeys()) + if err == nil { + t.Fatal("timetolive from user2 should be failed with permission denied") + } +}