From d3c9643761555a1e40ae5c769af985c66b055a0d Mon Sep 17 00:00:00 2001 From: Joe Betz Date: Fri, 13 Oct 2017 14:38:41 -0700 Subject: [PATCH] auth: Fix simpleToken to respect disabled state for assign --- auth/simple_token.go | 3 ++ auth/simple_token_test.go | 67 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+) create mode 100644 auth/simple_token_test.go diff --git a/auth/simple_token.go b/auth/simple_token.go index aa30b045bd0..225791d8596 100644 --- a/auth/simple_token.go +++ b/auth/simple_token.go @@ -118,6 +118,9 @@ func (t *tokenSimple) genTokenPrefix() (string, error) { func (t *tokenSimple) assignSimpleTokenToUser(username, token string) { t.simpleTokensMu.Lock() defer t.simpleTokensMu.Unlock() + if t.simpleTokenKeeper == nil { + return + } _, ok := t.simpleTokens[token] if ok { diff --git a/auth/simple_token_test.go b/auth/simple_token_test.go new file mode 100644 index 00000000000..862b88493fe --- /dev/null +++ b/auth/simple_token_test.go @@ -0,0 +1,67 @@ +// Copyright 2017 The etcd Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package auth + +import ( + "context" + "testing" +) + +// TestSimpleTokenDisabled ensures that TokenProviderSimple behaves correctly when +// disabled. +func TestSimpleTokenDisabled(t *testing.T) { + initialState := newTokenProviderSimple(dummyIndexWaiter) + + explicitlyDisabled := newTokenProviderSimple(dummyIndexWaiter) + explicitlyDisabled.enable() + explicitlyDisabled.disable() + + for _, tp := range []*tokenSimple{initialState, explicitlyDisabled} { + ctx := context.WithValue(context.WithValue(context.TODO(), "index", uint64(1)), "simpleToken", "dummy") + token, err := tp.assign(ctx, "user1", 0) + if err != nil { + t.Fatal(err) + } + authInfo, ok := tp.info(ctx, token, 0) + if ok { + t.Errorf("expected (true, \"user1\") got (%t, %s)", ok, authInfo.Username) + } + + tp.invalidateUser("user1") // should be no-op + } +} + +// TestSimpleTokenAssign ensures that TokenProviderSimple can correctly assign a +// token, look it up with info, and invalidate it by user. +func TestSimpleTokenAssign(t *testing.T) { + tp := newTokenProviderSimple(dummyIndexWaiter) + tp.enable() + ctx := context.WithValue(context.WithValue(context.TODO(), "index", uint64(1)), "simpleToken", "dummy") + token, err := tp.assign(ctx, "user1", 0) + if err != nil { + t.Fatal(err) + } + authInfo, ok := tp.info(ctx, token, 0) + if !ok || authInfo.Username != "user1" { + t.Errorf("expected (true, \"token2\") got (%t, %s)", ok, authInfo.Username) + } + + tp.invalidateUser("user1") + + _, ok = tp.info(context.TODO(), token, 0) + if ok { + t.Errorf("expected ok == false after user is invalidated") + } +}