161 lines
4.8 KiB
Diff
161 lines
4.8 KiB
Diff
From a813426b143c11dcda7fc8402bf66fee7b348470 Mon Sep 17 00:00:00 2001
|
|
From: lvxiangcong <lvxiangcong@kylinos.cn>
|
|
Date: Mon, 17 Feb 2025 13:44:51 +0800
|
|
Subject: [PATCH] backport fix cve-2023-32082
|
|
|
|
---
|
|
etcdserver/v3_server.go | 51 +++++++++++++++++++++++++++++++++-
|
|
tests/e2e/ctl_v3_auth_test.go | 49 ++++++++++++++++++++++++++++++++
|
|
tests/e2e/ctl_v3_lease_test.go | 9 ++++++
|
|
3 files changed, 108 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go
|
|
index 1fa8e4e..93b2bc1 100644
|
|
--- a/etcdserver/v3_server.go
|
|
+++ b/etcdserver/v3_server.go
|
|
@@ -298,7 +298,32 @@ func (s *EtcdServer) LeaseRenew(ctx context.Context, id lease.LeaseID) (int64, e
|
|
return -1, ErrCanceled
|
|
}
|
|
|
|
-func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
|
|
+func (s *EtcdServer) checkLeaseTimeToLive(ctx context.Context, leaseID lease.LeaseID) (error, uint64) {
|
|
+ rev := s.AuthStore().Revision()
|
|
+ if !s.AuthStore().IsAuthEnabled() {
|
|
+ return nil, rev
|
|
+ }
|
|
+ authInfo, err := s.AuthInfoFromCtx(ctx)
|
|
+ if err != nil {
|
|
+ return err, rev
|
|
+ }
|
|
+ if authInfo == nil {
|
|
+ return auth.ErrUserEmpty, rev
|
|
+ }
|
|
+
|
|
+ l := s.lessor.Lookup(leaseID)
|
|
+ if l != nil {
|
|
+ for _, key := range l.Keys() {
|
|
+ if err := s.AuthStore().IsRangePermitted(authInfo, []byte(key), []byte{}); err != nil {
|
|
+ return err, 0
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ return nil, rev
|
|
+}
|
|
+
|
|
+func (s *EtcdServer) leaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
|
|
if s.Leader() == s.ID() {
|
|
// primary; timetolive directly from leader
|
|
le := s.lessor.Lookup(lease.LeaseID(r.ID))
|
|
@@ -345,6 +370,30 @@ func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveR
|
|
return nil, ErrCanceled
|
|
}
|
|
|
|
+func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
|
|
+ var rev uint64
|
|
+ var err error
|
|
+ if r.Keys {
|
|
+ // check RBAC permission only if Keys is true
|
|
+ err, rev = s.checkLeaseTimeToLive(ctx, lease.LeaseID(r.ID))
|
|
+ if err != nil {
|
|
+ return nil, err
|
|
+ }
|
|
+ }
|
|
+
|
|
+ resp, err := s.leaseTimeToLive(ctx, r)
|
|
+ if err != nil {
|
|
+ return nil, err
|
|
+ }
|
|
+
|
|
+ if r.Keys {
|
|
+ if s.AuthStore().IsAuthEnabled() && rev != s.AuthStore().Revision() {
|
|
+ return nil, auth.ErrAuthOldRevision
|
|
+ }
|
|
+ }
|
|
+ return resp, nil
|
|
+}
|
|
+
|
|
func (s *EtcdServer) LeaseLeases(ctx context.Context, r *pb.LeaseLeasesRequest) (*pb.LeaseLeasesResponse, error) {
|
|
ls := s.lessor.Leases()
|
|
lss := make([]*pb.LeaseStatus, len(ls))
|
|
diff --git a/tests/e2e/ctl_v3_auth_test.go b/tests/e2e/ctl_v3_auth_test.go
|
|
index 2142394..728eafa 100644
|
|
--- a/tests/e2e/ctl_v3_auth_test.go
|
|
+++ b/tests/e2e/ctl_v3_auth_test.go
|
|
@@ -69,6 +69,55 @@ func TestCtlV3AuthJWTExpire(t *testing.T) { testCtl(t, authTestJWTExpire, withCf
|
|
func TestCtlV3AuthCertCNAndUsernameNoPassword(t *testing.T) {
|
|
testCtl(t, authTestCertCNAndUsernameNoPassword, withCfg(configClientTLSCertAuth))
|
|
}
|
|
+func TestCtlV3AuthLeaseTimeToLive(t *testing.T) { testCtl(t, authTestLeaseTimeToLive) }
|
|
+
|
|
+func authTestLeaseTimeToLive(cx ctlCtx) {
|
|
+ if err := authEnable(cx); err != nil {
|
|
+ cx.t.Fatal(err)
|
|
+ }
|
|
+ cx.user, cx.pass = "root", "root"
|
|
+
|
|
+ authSetupTestUser(cx)
|
|
+
|
|
+ cx.user = "test-user"
|
|
+ cx.pass = "pass"
|
|
+
|
|
+ leaseID, err := ctlV3LeaseGrant(cx, 10)
|
|
+ if err != nil {
|
|
+ cx.t.Fatal(err)
|
|
+ }
|
|
+
|
|
+ err = ctlV3Put(cx, "foo", "val", leaseID)
|
|
+ if err != nil {
|
|
+ cx.t.Fatal(err)
|
|
+ }
|
|
+
|
|
+ err = ctlV3LeaseTimeToLive(cx, leaseID, true)
|
|
+ if err != nil {
|
|
+ cx.t.Fatal(err)
|
|
+ }
|
|
+
|
|
+ cx.user = "root"
|
|
+ cx.pass = "root"
|
|
+ err = ctlV3Put(cx, "bar", "val", leaseID)
|
|
+ if err != nil {
|
|
+ cx.t.Fatal(err)
|
|
+ }
|
|
+
|
|
+ cx.user = "test-user"
|
|
+ cx.pass = "pass"
|
|
+ // the lease is attached to bar, which test-user cannot access
|
|
+ err = ctlV3LeaseTimeToLive(cx, leaseID, true)
|
|
+ if err == nil {
|
|
+ cx.t.Fatal("test-user must not be able to access to the lease, because it's attached to the key bar")
|
|
+ }
|
|
+
|
|
+ // without --keys, access should be allowed
|
|
+ err = ctlV3LeaseTimeToLive(cx, leaseID, false)
|
|
+ if err != nil {
|
|
+ cx.t.Fatal(err)
|
|
+ }
|
|
+}
|
|
|
|
func authEnableTest(cx ctlCtx) {
|
|
if err := authEnable(cx); err != nil {
|
|
diff --git a/tests/e2e/ctl_v3_lease_test.go b/tests/e2e/ctl_v3_lease_test.go
|
|
index 608b8ca..f90b1a5 100644
|
|
--- a/tests/e2e/ctl_v3_lease_test.go
|
|
+++ b/tests/e2e/ctl_v3_lease_test.go
|
|
@@ -294,3 +294,12 @@ func ctlV3LeaseRevoke(cx ctlCtx, leaseID string) error {
|
|
cmdArgs := append(cx.PrefixArgs(), "lease", "revoke", leaseID)
|
|
return spawnWithExpect(cmdArgs, fmt.Sprintf("lease %s revoked", leaseID))
|
|
}
|
|
+
|
|
+func ctlV3LeaseTimeToLive(cx ctlCtx, leaseID string, withKeys bool) error {
|
|
+ cmdArgs := append(cx.PrefixArgs(), "lease", "timetolive", leaseID)
|
|
+ if withKeys {
|
|
+ cmdArgs = append(cmdArgs, "--keys")
|
|
+ }
|
|
+ return e2e.SpawnWithExpectWithEnv(cmdArgs, cx.envMap, fmt.Sprintf("lease %s granted with", leaseID))
|
|
+}
|
|
+
|
|
--
|
|
2.46.0
|
|
|