Merge pull request #10141 from essamhassan/9734_improve_auth_coverage

9734 improve auth coverage

auth/range_perm_cache_test.go

@@ -59,3 +59,44 @@ func TestRangePermission(t *testing.T) {
  }
  }
 }
+
+func TestKeyPermission(t *testing.T) {
+ tests := []struct {
+ perms []adt.Interval
+ key []byte
+ want bool
+ }{
+ {
+ []adt.Interval{adt.NewBytesAffineInterval([]byte("a"), []byte("c")), adt.NewBytesAffineInterval([]byte("x"), []byte("z"))},
+ []byte("f"),
+ false,
+ },
+ {
+ []adt.Interval{adt.NewBytesAffineInterval([]byte("a"), []byte("f")), adt.NewBytesAffineInterval([]byte("c"), []byte("d")), adt.NewBytesAffineInterval([]byte("f"), []byte("z"))},
+ []byte("b"),
+ true,
+ },
+ {
+ []adt.Interval{adt.NewBytesAffineInterval([]byte("a"), []byte("d")), adt.NewBytesAffineInterval([]byte("a"), []byte("b")), adt.NewBytesAffineInterval([]byte("c"), []byte("f"))},
+ []byte("d"),
+ true,
+ },
+ {
+ []adt.Interval{adt.NewBytesAffineInterval([]byte("a"), []byte("d")), adt.NewBytesAffineInterval([]byte("a"), []byte("b")), adt.NewBytesAffineInterval([]byte("c"), []byte("f"))},
+ []byte("f"),
+ false,
+ },
+ }
+
+ for i, tt := range tests {
+ readPerms := &adt.IntervalTree{}
+ for _, p := range tt.perms {
+ readPerms.Insert(p, struct{}{})
+ }
+
+ result := checkKeyPoint(zap.NewExample(), &unifiedRangePermissions{readPerms: readPerms}, tt.key, authpb.READ)
+ if result != tt.want {
+ t.Errorf("#%d: result=%t, want=%t", i, result, tt.want)
+ }
+ }
+}

auth/store_test.go

@@ -167,6 +167,18 @@ func TestUserAdd(t *testing.T) {
  }
 }
 
+func TestRecover(t *testing.T) {
+ as, tearDown := setupAuthStore(t)
+ defer tearDown(t)
+
+ as.enabled = false
+ as.Recover(as.be)
+
+ if !as.IsAuthEnabled() {
+ t.Fatalf("expected auth enabled got disabled")
+ }
+}
+
 func TestCheckPassword(t *testing.T) {
  as, tearDown := setupAuthStore(t)
  defer tearDown(t)
@@ -279,6 +291,73 @@ func TestUserGrant(t *testing.T) {
  }
 }
 
+func TestHasRole(t *testing.T) {
+ as, tearDown := setupAuthStore(t)
+ defer tearDown(t)
+
+ // grants a role to the user
+ _, err := as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "role-test"})
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // checks role reflects correctly
+ hr := as.HasRole("foo", "role-test")
+ if !hr {
+ t.Fatal("expected role granted, got false")
+ }
+
+ // checks non existent role
+ hr = as.HasRole("foo", "non-existent-role")
+ if hr {
+ t.Fatal("expected role not found, got true")
+ }
+
+ // checks non existent user
+ hr = as.HasRole("nouser", "role-test")
+ if hr {
+ t.Fatal("expected user not found got true")
+ }
+}
+
+func TestIsOpPermitted(t *testing.T) {
+ as, tearDown := setupAuthStore(t)
+ defer tearDown(t)
+
+ // add new role
+ _, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "role-test-1"})
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ perm := &authpb.Permission{
+ PermType: authpb.WRITE,
+ Key: []byte("Keys"),
+ RangeEnd: []byte("RangeEnd"),
+ }
+
+ _, err = as.RoleGrantPermission(&pb.AuthRoleGrantPermissionRequest{
+ Name: "role-test-1",
+ Perm: perm,
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // grants a role to the user
+ _, err = as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "role-test-1"})
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // check permission reflected to user
+
+ err = as.isOpPermitted("foo", as.Revision(), perm.Key, perm.RangeEnd, perm.PermType)
+ if err != nil {
+ t.Fatal(err)
+ }
+}
+
 func TestGetUser(t *testing.T) {
  as, tearDown := setupAuthStore(t)
  defer tearDown(t)
@@ -299,6 +378,12 @@ func TestGetUser(t *testing.T) {
  if !reflect.DeepEqual(expected, u.Roles) {
  t.Errorf("expected %v, got %v", expected, u.Roles)
  }
+
+ // check non existent user
+ _, err = as.UserGet(&pb.AuthUserGetRequest{Name: "nouser"})
+ if err == nil {
+ t.Errorf("expected %v, got %v", ErrUserNotFound, err)
+ }
 }
 
 func TestListUsers(t *testing.T) {