e2e: test cases of protecting membership change with auth

etcd-io · Dec 6, 2016 · d3e5e8d · d3e5e8d
1 parent 5a69781
commit d3e5e8d
Showing 1 changed file with 97 additions and 0 deletions.
diff --git a/e2e/ctl_v3_auth_test.go b/e2e/ctl_v3_auth_test.go
@@ -29,6 +29,11 @@ func TestCtlV3AuthUserDeleteDuringOps(t *testing.T) { testCtl(t, authUserDeleteD
 func TestCtlV3AuthRoleRevokeDuringOps(t *testing.T) { testCtl(t, authRoleRevokeDuringOpsTest) }
 func TestCtlV3AuthTxn(t *testing.T)                 { testCtl(t, authTestTxn) }
 func TestCtlV3AuthPerfixPerm(t *testing.T)          { testCtl(t, authTestPrefixPerm) }
+func TestCtlV3AuthMemberAdd(t *testing.T)           { testCtl(t, authTestMemberAdd) }
+func TestCtlV3AuthMemberRemove(t *testing.T) {
+	testCtl(t, authTestMemberRemove, withQuorum(), withNoStrictReconfig())
+}
+func TestCtlV3AuthMemberUpdate(t *testing.T) { testCtl(t, authTestMemberUpdate) }
 
 func authEnableTest(cx ctlCtx) {
 	if err := authEnable(cx); err != nil {
@@ -454,3 +459,95 @@ func authTestPrefixPerm(cx ctlCtx) {
 		cx.t.Fatal(err)
 	}
 }
+
+func authTestMemberAdd(cx ctlCtx) {
+	if err := authEnable(cx); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	cx.user, cx.pass = "root", "root"
+	authSetupTestUser(cx)
+
+	// ordinal user cannot add a new member
+	cx.user, cx.pass = "test-user", "pass"
+	peerURL := fmt.Sprintf("http://localhost:%d", etcdProcessBasePort+11)
+	cmdArgs := append(cx.PrefixArgs(), "member", "add", "newmember", fmt.Sprintf("--peer-urls=%s", peerURL))
+	if err := spawnWithExpect(cmdArgs, "Error:  etcdserver: permission denied"); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	// root can add a new member
+	cx.user, cx.pass = "root", "root"
+	cmdArgs = append(cx.PrefixArgs(), "member", "add", "newmember", fmt.Sprintf("--peer-urls=%s", peerURL))
+	if err := spawnWithExpect(cmdArgs, " added to cluster "); err != nil {
+		cx.t.Fatal(err)
+	}
+}
+
+func authTestMemberRemove(cx ctlCtx) {
+	if err := authEnable(cx); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	cx.user, cx.pass = "root", "root"
+	authSetupTestUser(cx)
+
+	n1 := cx.cfg.clusterSize
+	if n1 < 2 {
+		cx.t.Fatalf("%d-node is too small to test 'member remove'", n1)
+	}
+	resp, err := getMemberList(cx)
+	if err != nil {
+		cx.t.Fatal(err)
+	}
+	if n1 != len(resp.Members) {
+		cx.t.Fatalf("expected %d, got %d", n1, len(resp.Members))
+	}
+
+	var (
+		memIDToRemove = fmt.Sprintf("%x", resp.Header.MemberId)
+		cluserID      = fmt.Sprintf("%x", resp.Header.ClusterId)
+	)
+
+	// ordinal user cannot remove a member
+	cx.user, cx.pass = "test-user", "pass"
+	cmdArgs := append(cx.PrefixArgs(), "member", "remove", memIDToRemove)
+	if err := spawnWithExpect(cmdArgs, "Error:  etcdserver: permission denied"); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	// root can remove a member
+	cx.user, cx.pass = "root", "root"
+	if err = ctlV3MemberRemove(cx, memIDToRemove, cluserID); err != nil {
+		cx.t.Fatal(err)
+	}
+}
+
+func authTestMemberUpdate(cx ctlCtx) {
+	if err := authEnable(cx); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	cx.user, cx.pass = "root", "root"
+	authSetupTestUser(cx)
+
+	mr, err := getMemberList(cx)
+	if err != nil {
+		cx.t.Fatal(err)
+	}
+
+	// ordinal user cannot update a member
+	cx.user, cx.pass = "test-user", "pass"
+	peerURL := fmt.Sprintf("http://localhost:%d", etcdProcessBasePort+11)
+	cmdArgs := append(cx.PrefixArgs(), "member", "update", fmt.Sprintf("%x", mr.Members[0].ID), fmt.Sprintf("--peer-urls=%s", peerURL))
+	if err := spawnWithExpect(cmdArgs, "Error:  etcdserver: permission denied"); err != nil {
+		cx.t.Fatal(err)
+	}
+
+	// root can update a member
+	cx.user, cx.pass = "root", "root"
+	cmdArgs = append(cx.PrefixArgs(), "member", "update", fmt.Sprintf("%x", mr.Members[0].ID), fmt.Sprintf("--peer-urls=%s", peerURL))
+	if err = spawnWithExpect(cmdArgs, " updated in cluster "); err != nil {
+		cx.t.Fatal(err)
+	}
+}