diff --git a/auth/range_perm_cache_test.go b/auth/range_perm_cache_test.go index de15c57c79c..e5baa86b40c 100644 --- a/auth/range_perm_cache_test.go +++ b/auth/range_perm_cache_test.go @@ -59,3 +59,44 @@ func TestRangePermission(t *testing.T) { } } } + +func TestKeyPermission(t *testing.T) { + tests := []struct { + perms []adt.Interval + key []byte + want bool + }{ + { + []adt.Interval{adt.NewBytesAffineInterval([]byte("a"), []byte("c")), adt.NewBytesAffineInterval([]byte("x"), []byte("z"))}, + []byte("f"), + false, + }, + { + []adt.Interval{adt.NewBytesAffineInterval([]byte("a"), []byte("f")), adt.NewBytesAffineInterval([]byte("c"), []byte("d")), adt.NewBytesAffineInterval([]byte("f"), []byte("z"))}, + []byte("b"), + true, + }, + { + []adt.Interval{adt.NewBytesAffineInterval([]byte("a"), []byte("d")), adt.NewBytesAffineInterval([]byte("a"), []byte("b")), adt.NewBytesAffineInterval([]byte("c"), []byte("f"))}, + []byte("d"), + true, + }, + { + []adt.Interval{adt.NewBytesAffineInterval([]byte("a"), []byte("d")), adt.NewBytesAffineInterval([]byte("a"), []byte("b")), adt.NewBytesAffineInterval([]byte("c"), []byte("f"))}, + []byte("f"), + false, + }, + } + + for i, tt := range tests { + readPerms := &adt.IntervalTree{} + for _, p := range tt.perms { + readPerms.Insert(p, struct{}{}) + } + + result := checkKeyPoint(zap.NewExample(), &unifiedRangePermissions{readPerms: readPerms}, tt.key, authpb.READ) + if result != tt.want { + t.Errorf("#%d: result=%t, want=%t", i, result, tt.want) + } + } +} diff --git a/auth/store_test.go b/auth/store_test.go index 0620f8de821..c9cbc14b76f 100644 --- a/auth/store_test.go +++ b/auth/store_test.go @@ -167,6 +167,18 @@ func TestUserAdd(t *testing.T) { } } +func TestRecover(t *testing.T) { + as, tearDown := setupAuthStore(t) + defer tearDown(t) + + as.enabled = false + as.Recover(as.be) + + if !as.IsAuthEnabled() { + t.Fatalf("expected auth enabled got disabled") + } +} + func TestCheckPassword(t *testing.T) { as, tearDown := setupAuthStore(t) defer tearDown(t) @@ -279,6 +291,73 @@ func TestUserGrant(t *testing.T) { } } +func TestHasRole(t *testing.T) { + as, tearDown := setupAuthStore(t) + defer tearDown(t) + + // grants a role to the user + _, err := as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "role-test"}) + if err != nil { + t.Fatal(err) + } + + // checks role reflects correctly + hr := as.HasRole("foo", "role-test") + if !hr { + t.Fatal("expected role granted, got false") + } + + // checks non existent role + hr = as.HasRole("foo", "non-existent-role") + if hr { + t.Fatal("expected role not found, got true") + } + + // checks non existent user + hr = as.HasRole("nouser", "role-test") + if hr { + t.Fatal("expected user not found got true") + } +} + +func TestIsOpPermitted(t *testing.T) { + as, tearDown := setupAuthStore(t) + defer tearDown(t) + + // add new role + _, err := as.RoleAdd(&pb.AuthRoleAddRequest{Name: "role-test-1"}) + if err != nil { + t.Fatal(err) + } + + perm := &authpb.Permission{ + PermType: authpb.WRITE, + Key: []byte("Keys"), + RangeEnd: []byte("RangeEnd"), + } + + _, err = as.RoleGrantPermission(&pb.AuthRoleGrantPermissionRequest{ + Name: "role-test-1", + Perm: perm, + }) + if err != nil { + t.Fatal(err) + } + + // grants a role to the user + _, err = as.UserGrantRole(&pb.AuthUserGrantRoleRequest{User: "foo", Role: "role-test-1"}) + if err != nil { + t.Fatal(err) + } + + // check permission reflected to user + + err = as.isOpPermitted("foo", as.Revision(), perm.Key, perm.RangeEnd, perm.PermType) + if err != nil { + t.Fatal(err) + } +} + func TestGetUser(t *testing.T) { as, tearDown := setupAuthStore(t) defer tearDown(t) @@ -299,6 +378,12 @@ func TestGetUser(t *testing.T) { if !reflect.DeepEqual(expected, u.Roles) { t.Errorf("expected %v, got %v", expected, u.Roles) } + + // check non existent user + _, err = as.UserGet(&pb.AuthUserGetRequest{Name: "nouser"}) + if err == nil { + t.Errorf("expected %v, got %v", ErrUserNotFound, err) + } } func TestListUsers(t *testing.T) {