@@ -66,24 +66,33 @@ sub test_conn
6666$node -> append_conf(' postgresql.conf' " log_connections = on\n "
6767$node -> start;
6868
69+ # could fail in FIPS mode
70+ my $md5_works = ($node -> psql(' postgres' " select md5('')"
71+
6972# Create 3 roles with different password methods for each one. The same
7073# password is used for all of them.
71- $node -> safe_psql(' postgres'
72- " SET password_encryption='scram-sha-256'; CREATE ROLE scram_role LOGIN PASSWORD 'pass';"
73- );
74- $node -> safe_psql(' postgres'
75- " SET password_encryption='md5'; CREATE ROLE md5_role LOGIN PASSWORD 'pass';"
76- );
74+ is( $node -> psql(
75+ ' postgres'
76+ " SET password_encryption='scram-sha-256'; CREATE ROLE scram_role LOGIN PASSWORD 'pass';"
77+ ),
78+ 0,
79+ ' created user with SCRAM password'
80+ is( $node -> psql(
81+ ' postgres'
82+ " SET password_encryption='md5'; CREATE ROLE md5_role LOGIN PASSWORD 'pass';"
83+ ),
84+ $md5_works ? 0 : 3,
85+ ' created user with md5 password'
7786# Set up a table for tests of SYSTEM_USER.
7887$node -> safe_psql(
7988 ' postgres'
8089 " CREATE TABLE sysuser_data (n) AS SELECT NULL FROM generate_series(1, 10);
81- GRANT ALL ON sysuser_data TO md5_role ;" );
90+ GRANT ALL ON sysuser_data TO scram_role ;" );
8291$ENV {" PGPASSWORD" ' pass'
8392
8493# Create a role that contains a comma to stress the parsing.
8594$node -> safe_psql(' postgres'
86- q{ SET password_encryption='md5 '; CREATE ROLE "md5 ,role" LOGIN PASSWORD 'pass';}
95+ q{ SET password_encryption='scram-sha-256 '; CREATE ROLE "scram ,role" LOGIN PASSWORD 'pass';}
8796);
8897
8998# Create a role with a non-default iteration count
@@ -141,8 +150,13 @@ sub test_conn
141150test_conn($node , ' user=scram_role' ' trust'
142151 log_like =>
143152 [qr //
144- test_conn($node , ' user=md5_role' ' trust'
145- log_like => [qr //
153+ SKIP:
154+ {
155+ skip " MD5 not supported" unless $md5_works ;
156+ test_conn($node , ' user=md5_role' ' trust'
157+ log_like =>
158+ [qr //
159+ }
146160
147161# SYSTEM_USER is null when not authenticated.
148162$res = $node -> safe_psql(' postgres' " SELECT SYSTEM_USER IS NULL;"
@@ -157,7 +171,7 @@ sub test_conn
157171 SET max_parallel_workers_per_gather TO 2;
158172
159173 SELECT bool_and(SYSTEM_USER IS NOT DISTINCT FROM n) FROM sysuser_data;) ,
160- connstr => " user=md5_role "
174+ connstr => " user=scram_role "
161175is($res , ' t'
162176 " users with trust authentication use SYSTEM_USER = NULL in parallel workers"
163177);
@@ -275,9 +289,14 @@ sub test_conn
275289test_conn($node , ' user=scram_role' ' password'
276290 log_like =>
277291 [qr //
278- test_conn($node , ' user=md5_role' ' password'
279- log_like =>
280- [qr //
292+ SKIP:
293+ {
294+ skip " MD5 not supported" unless $md5_works ;
295+ test_conn($node , ' user=md5_role' ' password'
296+ log_like =>
297+ [qr //
298+ );
299+ }
281300
282301# require_auth succeeds here with a plaintext password.
283302$node -> connect_ok(" user=scram_role require_auth=password"
@@ -393,59 +412,64 @@ sub test_conn
393412test_conn($node , ' user=scram_role' ' md5'
394413 log_like =>
395414 [qr //
396- test_conn($node , ' user=md5_role' ' md5'
397- log_like =>
398- [qr //
415+ SKIP:
416+ {
417+ skip " MD5 not supported" unless $md5_works ;
418+ test_conn($node , ' user=md5_role' ' md5'
419+ log_like =>
420+ [qr //
421+ }
399422
400- # require_auth succeeds with MD5 required.
401- $node -> connect_ok(" user=md5_role require_auth=md5"
402- " MD5 authentication required, works with MD5 auth"
403- $node -> connect_ok(" user=md5_role require_auth=!none"
404- " any authentication required, works with MD5 auth"
423+ # require_auth succeeds with SCRAM required.
405424$node -> connect_ok(
406- " user=md5_role require_auth=md5,scram-sha-256,password"
407- " multiple authentication types required, works with MD5 auth"
425+ " user=scram_role require_auth=scram-sha-256"
426+ " SCRAM authentication required, works with SCRAM auth"
427+ $node -> connect_ok(" user=scram_role require_auth=!none"
428+ " any authentication required, works with SCRAM auth"
429+ $node -> connect_ok(
430+ " user=scram_role require_auth=md5,scram-sha-256,password"
431+ " multiple authentication types required, works with SCRAM auth"
408432
409433# Authentication fails if other types are required.
410434$node -> connect_fails(
411- " user=md5_role require_auth=password"
412- " password authentication required, fails with MD5 auth"
435+ " user=scram_role require_auth=password"
436+ " password authentication required, fails with SCRAM auth"
413437 expected_stderr =>
414- qr /a hashed password /
438+ qr /SASL authentication /
415439);
416440$node -> connect_fails(
417- " user=md5_role require_auth=scram-sha-256 "
418- " SCRAM authentication required, fails with MD5 auth"
441+ " user=scram_role require_auth=md5 "
442+ " MD5 authentication required, fails with SCRAM auth"
419443 expected_stderr =>
420- qr /scram-sha-256 " failed: server requested a hashed password /
444+ qr /md5 " failed: server requested SASL authentication /
421445);
422446$node -> connect_fails(
423- " user=md5_role require_auth=none"
424- " all authentication types forbidden, fails with MD5 auth"
447+ " user=scram_role require_auth=none"
448+ " all authentication types forbidden, fails with SCRAM auth"
425449 expected_stderr =>
426- qr /a hashed password /
450+ qr /SASL authentication /
427451);
428452
429- # Authentication fails if MD5 is forbidden.
453+ # Authentication fails if SCRAM is forbidden.
430454$node -> connect_fails(
431- " user=md5_role require_auth=!md5 "
432- " password authentication forbidden, fails with MD5 auth"
455+ " user=scram_role require_auth=!scram-sha-256 "
456+ " password authentication forbidden, fails with SCRAM auth"
433457 expected_stderr =>
434- qr /md5 " failed: server requested a hashed password /
458+ qr /scram-sha-256 " failed: server requested SASL authentication /
435459);
436460$node -> connect_fails(
437- " user=md5_role require_auth=!password,!md5,!scram-sha-256"
438- " multiple authentication types forbidden, fails with MD5 auth"
461+ " user=scram_role require_auth=!password,!md5,!scram-sha-256"
462+ " multiple authentication types forbidden, fails with SCRAM auth"
439463 expected_stderr =>
440- qr /a hashed password /
464+ qr /SASL authentication /
441465);
442466
443467# Test SYSTEM_USER <> NULL with parallel workers.
444468$node -> safe_psql(
445469 ' postgres'
446470 " TRUNCATE sysuser_data;
447- INSERT INTO sysuser_data SELECT 'md5:md5_role ' FROM generate_series(1, 10);" ,
448- connstr => " user=md5_role "
471+ INSERT INTO sysuser_data SELECT 'md5:scram_role ' FROM generate_series(1, 10);" ,
472+ connstr => " user=scram_role "
449473$res = $node -> safe_psql(
450474 ' postgres' qq(
451475 SET min_parallel_table_scan_size TO 0;
@@ -454,7 +478,7 @@ sub test_conn
454478 SET max_parallel_workers_per_gather TO 2;
455479
456480 SELECT bool_and(SYSTEM_USER IS NOT DISTINCT FROM n) FROM sysuser_data;) ,
457- connstr => " user=md5_role "
481+ connstr => " user=scram_role "
458482is($res , ' t'
459483 " users with md5 authentication use SYSTEM_USER = md5:role in parallel workers"
460484);
@@ -490,49 +514,57 @@ sub test_conn
490514
491515append_to_file(
492516 $pgpassfile , qq!
493- *:*:*:md5_role :p\\ ass
494- *:*:*:md5 ,role:p\\ ass
517+ *:*:*:scram_role :p\\ ass
518+ *:*:*:scram ,role:p\\ ass
495519!
496520
497- test_conn($node , ' user=md5_role ' ' password from pgpass'
521+ test_conn($node , ' user=scram_role ' ' password from pgpass'
498522
499523# Testing with regular expression for username. The third regexp matches.
500- reset_pg_hba($node , ' all' ' /^.*nomatch.*$, baduser, /^md.*$' ' password'
501- test_conn($node , ' user=md5_role' ' password, matching regexp for username'
524+ reset_pg_hba($node , ' all' ' /^.*nomatch.*$, baduser, /^scr.*$' ' password'
525+ test_conn(
526+ $node ,
527+ ' user=scram_role'
528+ ' password, matching regexp for username'
529+ 0,
502530 log_like =>
503- [qr /md5_role " method=password/
531+ [qr /scram_role " method=password/
504532
505533# The third regex does not match anymore.
506- reset_pg_hba($node , ' all' ' /^.*nomatch.*$, baduser, /^m_d .*$' ' password'
507- test_conn($node , ' user=md5_role '
534+ reset_pg_hba($node , ' all' ' /^.*nomatch.*$, baduser, /^sc_r .*$' ' password'
535+ test_conn($node , ' user=scram_role '
508536 ' password, non matching regexp for username'
509537 2, log_unlike => [qr //
510538
511539# Test with a comma in the regular expression. In this case, the use of
512540# double quotes is mandatory so as this is not considered as two elements
513541# of the user name list when parsing pg_hba.conf.
514- reset_pg_hba($node , ' all' ' "/^.*5,.*e$"' ' password'
515- test_conn($node , ' user=md5,role' ' password, matching regexp for username'
542+ reset_pg_hba($node , ' all' ' "/^.*m,.*e$"' ' password'
543+ test_conn(
544+ $node ,
545+ ' user=scram,role'
546+ ' password, matching regexp for username'
547+ 0,
516548 log_like =>
517- [qr /md5 ,role" method=password/
549+ [qr /scram ,role" method=password/
518550
519551# Testing with regular expression for dbname. The third regex matches.
520552reset_pg_hba($node , ' /^.*nomatch.*$, baddb, /^regex_t.*b$' ' all'
521553 ' password'
522554test_conn(
523555 $node ,
524- ' user=md5_role dbname=regex_testdb'
556+ ' user=scram_role dbname=regex_testdb'
525557 ' password, matching regexp for dbname'
526558 0,
527559 log_like =>
528- [qr /md5_role " method=password/
560+ [qr /scram_role " method=password/
529561
530562# The third regexp does not match anymore.
531563reset_pg_hba($node , ' /^.*nomatch.*$, baddb, /^regex_t.*ba$'
532564 ' all' ' password'
533565test_conn(
534566 $node ,
535- ' user=md5_role dbname=regex_testdb'
567+ ' user=scram_role dbname=regex_testdb'
536568 ' password, non matching regexp for dbname'
537569 2, log_unlike => [qr //
538570
0 commit comments