server/etcdserver: enforce auth checks for nested txn ops

Signed-off-by: Wei Fu <fuweid89@gmail.com>
(cherry picked from commit 204097b)
Signed-off-by: Wei Fu <fuweid89@gmail.com>

Author: fuweid

server/etcdserver/txn/txn.go

@@ -668,6 +668,10 @@ func IsTxnReadonly(r *pb.TxnRequest) bool {
 }
 
 func CheckTxnAuth(as auth.AuthStore, ai *auth.AuthInfo, rt *pb.TxnRequest) error {
+	return checkTxnPermission(as, ai, rt)
+}
+
+func checkTxnPermission(as auth.AuthStore, ai *auth.AuthInfo, rt *pb.TxnRequest) error {
 	for _, c := range rt.Compare {
 		if err := as.IsRangePermitted(ai, c.Key, c.RangeEnd); err != nil {
 			return err
@@ -716,6 +720,15 @@ func checkTxnReqsPermission(as auth.AuthStore, ai *auth.AuthInfo, reqs []*pb.Req
 			if err != nil {
 				return err
 			}
+		case *pb.RequestOp_RequestTxn:
+			if tv.RequestTxn == nil {
+				continue
+			}
+
+			err := checkTxnPermission(as, ai, tv.RequestTxn)
+			if err != nil {
+				return err
+			}
 		}
 	}
 

server/etcdserver/txn/txn_test.go

@@ -515,6 +515,90 @@ func TestCheckTxnAuth(t *testing.T) {
 			},
 			err: auth.ErrPermissionDenied,
 		},
+		{
+			name: "Nested txn request in range is authorized",
+			txnRequest: &pb.TxnRequest{
+				Success: []*pb.RequestOp{
+					{
+						Request: &pb.RequestOp_RequestTxn{
+							RequestTxn: &pb.TxnRequest{
+								Success: []*pb.RequestOp{inRangeRequestRange, inRangeRequestPut},
+								Failure: []*pb.RequestOp{inRangeRequestDeleteRange},
+							},
+						},
+					},
+				},
+			},
+			err: nil,
+		},
+		{
+			name: "Nested txn request out of range success case is unauthorized",
+			txnRequest: &pb.TxnRequest{
+				Success: []*pb.RequestOp{
+					{
+						Request: &pb.RequestOp_RequestTxn{
+							RequestTxn: &pb.TxnRequest{
+								Success: []*pb.RequestOp{outOfRangeRequestRange},
+							},
+						},
+					},
+				},
+			},
+			err: auth.ErrPermissionDenied,
+		},
+		{
+			name: "Nested txn request out of range failure case is unauthorized",
+			txnRequest: &pb.TxnRequest{
+				Failure: []*pb.RequestOp{
+					{
+						Request: &pb.RequestOp_RequestTxn{
+							RequestTxn: &pb.TxnRequest{
+								Failure: []*pb.RequestOp{outOfRangeRequestPut},
+							},
+						},
+					},
+				},
+			},
+			err: auth.ErrPermissionDenied,
+		},
+		{
+			name: "Nested txn request out of range delete is unauthorized",
+			txnRequest: &pb.TxnRequest{
+				Success: []*pb.RequestOp{
+					{
+						Request: &pb.RequestOp_RequestTxn{
+							RequestTxn: &pb.TxnRequest{
+								Success: []*pb.RequestOp{outOfRangeRequestDeleteRange},
+							},
+						},
+					},
+				},
+			},
+			err: auth.ErrPermissionDenied,
+		},
+		{
+			name: "Two level nested txn request out of range delete is unauthorized",
+			txnRequest: &pb.TxnRequest{
+				Success: []*pb.RequestOp{
+					{
+						Request: &pb.RequestOp_RequestTxn{
+							RequestTxn: &pb.TxnRequest{
+								Failure: []*pb.RequestOp{
+									{
+										Request: &pb.RequestOp_RequestTxn{
+											RequestTxn: &pb.TxnRequest{
+												Success: []*pb.RequestOp{outOfRangeRequestDeleteRange},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			err: auth.ErrPermissionDenied,
+		},
 	}
 
 	for _, tt := range tests {

tests/integration/v3_auth_test.go

@@ -345,6 +345,72 @@ func TestV3AuthNonAuthorizedRPCs(t *testing.T) {
 	}
 }
 
+func TestV3AuthNestedTxnPermissionDenied(t *testing.T) {
+	integration.BeforeTest(t)
+	clus := integration.NewCluster(t, &integration.ClusterConfig{Size: 1})
+	defer clus.Terminate(t)
+
+	users := []user{
+		{
+			name:     "user1",
+			password: "user1-123",
+			role:     "role1",
+			key:      "foo",
+			end:      "zoo",
+		},
+	}
+	authSetupUsers(t, integration.ToGRPC(clus.Client(0)).Auth, users)
+	authSetupRoot(t, integration.ToGRPC(clus.Client(0)).Auth)
+
+	rootc, err := integration.NewClient(t, clientv3.Config{
+		Endpoints: clus.Client(0).Endpoints(),
+		Username:  "root",
+		Password:  "123",
+	})
+	require.NoError(t, err)
+	defer rootc.Close()
+
+	userc, err := integration.NewClient(t, clientv3.Config{
+		Endpoints: clus.Client(0).Endpoints(),
+		Username:  "user1",
+		Password:  "user1-123",
+	})
+	require.NoError(t, err)
+	defer userc.Close()
+
+	_, err = rootc.Put(t.Context(), "boo", "bar")
+	require.NoError(t, err)
+
+	txn := &pb.TxnRequest{
+		Success: []*pb.RequestOp{
+			{
+				Request: &pb.RequestOp_RequestTxn{
+					RequestTxn: &pb.TxnRequest{
+						Success: []*pb.RequestOp{
+							{
+								Request: &pb.RequestOp_RequestDeleteRange{
+									RequestDeleteRange: &pb.DeleteRangeRequest{
+										Key: []byte("boo"),
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	_, err = integration.ToGRPC(userc).KV.Txn(t.Context(), txn)
+	require.Error(t, err)
+	require.Truef(t, eqErrGRPC(err, rpctypes.ErrGRPCPermissionDenied), "got %v, expected %v", err, rpctypes.ErrGRPCPermissionDenied)
+
+	resp, err := rootc.Get(t.Context(), "boo")
+	require.NoError(t, err)
+	require.Len(t, resp.Kvs, 1)
+	require.Equal(t, resp.Kvs[0].Value, []byte("bar"))
+}
+
 func TestV3AuthOldRevConcurrent(t *testing.T) {
 	integration.BeforeTest(t)
 	clus := integration.NewCluster(t, &integration.ClusterConfig{Size: 1})