author | Michael Paquier <michael@paquier.xyz> | 2022-10-11 13:57:07 +0900 |
---|---|---|
committer | Michael Paquier <michael@paquier.xyz> | 2022-10-11 13:57:07 +0900 |
commit | 8432a815feb8897aabe0c6ed59f32bc47a6b2d50 (patch) | |
tree | d7773d3ec7222b5a5ce43ef40a299e9d107ad872 | |
parent | 9fcdf2c787ac6da330165ea3cd50ec5155943a2b (diff) |
Add TAP tests for role membership in pg_hba.conf
This commit expands the coverage of pg_hba.conf with checks specific to
role memberships (one "root" role combined with a member and a
non-member). Coverage is added for the database keywords "samegroup"
and "samerole", where the specified role has to be a member of the
role with the same name as the requested database, and '+' on the user
entry, where members are allowed. These tests are plugged in the
authentication test 001_password.pl as of extra connection attempts
combined with resets of pg_hba.conf, making them rather cheap.
Author: Nathan Bossart
Reviewed-by: Tom Lane, Michael Paquier
Discussion: https://postgr.es/m/20221009211348.GB900071@nathanxps13
-rw-r--r-- | src/test/authentication/t/001_password.pl | 126 |
1 files changed, 126 insertions, 0 deletions
diff --git a/src/test/authentication/t/001_password.pl b/src/test/authentication/t/001_password.pl
index 93df77aa4e1..ea664d18f5b 100644
--- a/src/test/authentication/t/001_password.pl
+++ b/src/test/authentication/t/001_password.pl
@@ -200,4 +200,130 @@ append_to_file(
 test_conn($node, 'user=md5_role', 'password from pgpass', 0);
+unlink($pgpassfile);
+delete $ENV{"PGPASSFILE"};
+
+note "Authentication tests with specific HBA policies on roles";
+
+# Create database and roles for membership tests
+reset_pg_hba($node, 'all', 'all', 'trust');
+# Database and root role names match for "samerole" and "samegroup".
+$node->safe_psql('postgres', "CREATE DATABASE regress_regression_group;");
+$node->safe_psql(
+ 'postgres',
+ qq{CREATE ROLE regress_regression_group LOGIN PASSWORD 'pass';
+CREATE ROLE regress_member LOGIN SUPERUSER IN ROLE regress_regression_group PASSWORD 'pass';
+CREATE ROLE regress_not_member LOGIN SUPERUSER PASSWORD 'pass';});
+
+# Test role with exact matching, no members allowed.
+$ENV{"PGPASSWORD"} = 'pass';
+reset_pg_hba($node, 'all', 'regress_regression_group', 'scram-sha-256');
+test_conn(
+ $node,
+ 'user=regress_regression_group',
+ 'scram-sha-256',
+ 0,
+ log_like => [
+ qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
+ ]);
+test_conn(
+ $node,
+ 'user=regress_member',
+ 'scram-sha-256',
+ 2,
+ log_unlike => [
+ qr/connection authenticated: identity="regress_member" method=scram-sha-256/
+ ]);
+test_conn(
+ $node,
+ 'user=regress_not_member',
+ 'scram-sha-256',
+ 2,
+ log_unlike => [
+ qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
+ ]);
+
+# Test role membership with '+', where all the members are allowed
+# to connect.
+reset_pg_hba($node, 'all', '+regress_regression_group', 'scram-sha-256');
+test_conn(
+ $node,
+ 'user=regress_regression_group',
+ 'scram-sha-256',
+ 0,
+ log_like => [
+ qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
+ ]);
+test_conn(
+ $node,
+ 'user=regress_member',
+ 'scram-sha-256',
+ 0,
+ log_like => [
+ qr/connection authenticated: identity="regress_member" method=scram-sha-256/
+ ]);
+test_conn(
+ $node,
+ 'user=regress_not_member',
+ 'scram-sha-256',
+ 2,
+ log_unlike => [
+ qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
+ ]);
+
+# Test role membership is respected for samerole
+$ENV{"PGDATABASE"} = 'regress_regression_group';
+reset_pg_hba($node, 'samerole', 'all', 'scram-sha-256');
+test_conn(
+ $node,
+ 'user=regress_regression_group',
+ 'scram-sha-256',
+ 0,
+ log_like => [
+ qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
+ ]);
+test_conn(
+ $node,
+ 'user=regress_member',
+ 'scram-sha-256',
+ 0,
+ log_like => [
+ qr/connection authenticated: identity="regress_member" method=scram-sha-256/
+ ]);
+test_conn(
+ $node,
+ 'user=regress_not_member',
+ 'scram-sha-256',
+ 2,
+ log_unlike => [
+ qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
+ ]);
+
+# Test role membership is respected for samegroup
+reset_pg_hba($node, 'samegroup', 'all', 'scram-sha-256');
+test_conn(
+ $node,
+ 'user=regress_regression_group',
+ 'scram-sha-256',
+ 0,
+ log_like => [
+ qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
+ ]);
+test_conn(
+ $node,
+ 'user=regress_member',
+ 'scram-sha-256',
+ 0,
+ log_like => [
+ qr/connection authenticated: identity="regress_member" method=scram-sha-256/
+ ]);
+test_conn(
+ $node,
+ 'user=regress_not_member',
+ 'scram-sha-256',
+ 2,
+ log_unlike => [
+ qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
+ ]);
+
 done_testing(); |
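Review bot: The negative cases in this hunk (the exit-status-2 calls for regress_member under the exact-match entry and for regress_not_member under every entry) only assert with log_unlike that the success line is absent, so they would also pass if the connection were refused for some unrelated reason, such as a typo in the role name or the server not accepting connections at all. Asserting the rejection reason makes the membership check the thing actually under test, e.g. `log_like => [qr/no pg_hba\.conf entry for host .*, user "regress_not_member"/]` alongside or instead of the existing log_unlike pattern; whether test_conn accepts both keys in one call depends on its definition, which lies outside this hunk. Separately, `$ENV{"PGPASSWORD"}` and `$ENV{"PGDATABASE"}` are set mid-hunk and never cleared, unlike the `delete $ENV{"PGPASSFILE"}` at the top, so any test appended after this block would silently inherit the samerole database; a closing `delete $ENV{"PGDATABASE"}; delete $ENV{"PGPASSWORD"};` before done_testing() would keep the cleanup symmetric.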