Skip to content

Commit

Permalink
test: validate direct JWT passing and acceptance
Browse files Browse the repository at this point in the history
Signed-off-by: Mike Crute <[email protected]>
  • Loading branch information
mcrute committed Aug 12, 2024
1 parent ac103cf commit bbd74da
Show file tree
Hide file tree
Showing 3 changed files with 88 additions and 1 deletion.
25 changes: 24 additions & 1 deletion tests/common/auth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,12 +25,16 @@ import (

clientv3 "go.etcd.io/etcd/client/v3"
"go.etcd.io/etcd/tests/v3/framework/config"
"go.etcd.io/etcd/tests/v3/framework/e2e"
"go.etcd.io/etcd/tests/v3/framework/testutils"
)

var tokenTTL = time.Second
var defaultKeyPath = mustAbsPath("../fixtures/server.key.insecure")
var defaultAuthToken = fmt.Sprintf("jwt,pub-key=%s,priv-key=%s,sign-method=RS256,ttl=%s",
mustAbsPath("../fixtures/server.crt"), mustAbsPath("../fixtures/server.key.insecure"), tokenTTL)
mustAbsPath("../fixtures/server.crt"), defaultKeyPath, tokenTTL)
var verifyJWTOnlyAuth = fmt.Sprintf("jwt,pub-key=%s,sign-method=RS256,ttl=%s",
mustAbsPath("../fixtures/server.crt"), tokenTTL)

const (
PermissionDenied = "etcdserver: permission denied"
Expand Down Expand Up @@ -758,6 +762,25 @@ func TestAuthJWTExpire(t *testing.T) {
})
}

func TestAuthJWTOnly(t *testing.T) {
testRunner.BeforeTest(t)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1, AuthToken: verifyJWTOnlyAuth}))
defer clus.Close()
cc := testutils.MustClient(clus.Client())
testutils.ExecuteUntil(ctx, t, func() {
authRev, err := setupAuthAndGetRevision(cc, []authRole{testRole}, []authUser{rootUser, testUser})
require.NoErrorf(t, err, "failed to enable auth")

token, err := createSignedJWT(defaultKeyPath, testUserName, authRev)
require.NoErrorf(t, err, "failed to create test user JWT")

testUserAuthClient := testutils.MustClient(clus.Client(e2e.WithAuthToken(token)))
require.NoError(t, testUserAuthClient.Put(ctx, "foo", "bar", config.PutOptions{}))
})
}

// TestAuthRevisionConsistency ensures auth revision is the same after member restarts
func TestAuthRevisionConsistency(t *testing.T) {
testRunner.BeforeTest(t)
Expand Down
49 changes: 49 additions & 0 deletions tests/common/auth_util.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,11 @@ package common
import (
"context"
"fmt"
"os"
"testing"
"time"

"github.com/golang-jwt/jwt/v4"
"github.com/stretchr/testify/require"

"go.etcd.io/etcd/api/v3/authpb"
Expand Down Expand Up @@ -93,6 +96,29 @@ func createUsers(c interfaces.Client, users []authUser) error {
return nil
}

func createSignedJWT(keyPath, username string, authRevision uint64) (string, error) {
signMethod := jwt.GetSigningMethod("RS256")

keyBytes, err := os.ReadFile(keyPath)
if err != nil {
return "", err
}

key, err := jwt.ParseRSAPrivateKeyFromPEM(keyBytes)
if err != nil {
return "", err
}

tk := jwt.NewWithClaims(signMethod,
jwt.MapClaims{
"username": username,
"revision": authRevision,
"exp": time.Now().Add(time.Minute).Unix(),
})

return tk.SignedString(key)
}

func setupAuth(c interfaces.Client, roles []authRole, users []authUser) error {
// create roles
if err := createRoles(c, roles); err != nil {
Expand All @@ -107,6 +133,29 @@ func setupAuth(c interfaces.Client, roles []authRole, users []authUser) error {
return c.AuthEnable(context.TODO())
}

func setupAuthAndGetRevision(c interfaces.Client, roles []authRole, users []authUser) (uint64, error) {
// create roles
if err := createRoles(c, roles); err != nil {
return 0, err
}

if err := createUsers(c, users); err != nil {
return 0, err
}

// This needs to happen before enabling auth for the TestAuthJWTOnly
// test case because once auth is enabled we can no longer mint a valid
// auth token without the revision, which we won't be able to obtain
// without a valid auth token.
authrev, err := c.AuthStatus(context.TODO())
if err != nil {
return 0, err
}

// enable auth
return authrev.AuthRevision, c.AuthEnable(context.TODO())
}

func requireRolePermissionEqual(t *testing.T, expectRole authRole, actual []*authpb.Permission) {
require.Equal(t, 1, len(actual))
require.Equal(t, expectRole.permission, clientv3.PermissionType(actual[0].PermType))
Expand Down
15 changes: 15 additions & 0 deletions tests/framework/e2e/etcdctl.go
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ type EtcdctlV3 struct {
cfg ClientConfig
endpoints []string
authConfig clientv3.AuthConfig
authToken string
}

func NewEtcdctl(cfg ClientConfig, endpoints []string, opts ...config.ClientOption) (*EtcdctlV3, error) {
Expand Down Expand Up @@ -73,6 +74,17 @@ func WithAuth(userName, password string) config.ClientOption {
}
}

func WithAuthToken(token string) config.ClientOption {
return func(c any) {
switch c := c.(type) {
case *EtcdctlV3:
c.authToken = token
case *clientv3.Config:
c.Token = token
}
}
}

func WithEndpoints(endpoints []string) config.ClientOption {
return func(c any) {
ctl := c.(*EtcdctlV3)
Expand Down Expand Up @@ -347,6 +359,9 @@ func (ctl *EtcdctlV3) flags() map[string]string {
if !ctl.authConfig.Empty() {
fmap["user"] = ctl.authConfig.Username + ":" + ctl.authConfig.Password
}
if ctl.authToken != "" {
fmap["auth-token"] = ctl.authToken
}
return fmap
}

Expand Down

0 comments on commit bbd74da

Please sign in to comment.