|
| 1 | +# Set of tests for authentication and pg_hba.conf. The following password |
| 2 | +# methods are checked through this test: |
| 3 | +# - Plain |
| 4 | +# - MD5-encrypted |
| 5 | +# - SCRAM-encrypted |
| 6 | +# This test cannot run on Windows as Postgres cannot be set up with Unix |
| 7 | +# sockets and needs to go through SSPI. |
| 8 | + |
| 9 | +use strict; |
| 10 | +use warnings; |
| 11 | +use PostgresNode; |
| 12 | +use TestLib; |
| 13 | +use Test::More tests => 12; |
| 14 | + |
| 15 | +# Delete pg_hba.conf from the given node, add a new entry to it |
| 16 | +# and then execute a reload to refresh it. |
| 17 | +sub reset_pg_hba |
| 18 | +{ |
| 19 | + my $node = shift; |
| 20 | + my $hba_method = shift; |
| 21 | + |
| 22 | + unlink($node->data_dir . '/pg_hba.conf'); |
| 23 | + $node->append_conf('pg_hba.conf', "local all all $hba_method"); |
| 24 | + $node->reload; |
| 25 | +} |
| 26 | + |
| 27 | +# Test access for a single role, useful to wrap all tests into one. |
| 28 | +sub test_role |
| 29 | +{ |
| 30 | + my $node = shift; |
| 31 | + my $role = shift; |
| 32 | + my $method = shift; |
| 33 | + my $expected_res = shift; |
| 34 | + my $status_string = 'failed'; |
| 35 | + |
| 36 | + $status_string = 'success' if ($expected_res eq 0); |
| 37 | + |
| 38 | + my $res = $node->psql('postgres', 'SELECT 1', extra_params => ['-U', $role]); |
| 39 | + is($res, $expected_res, |
| 40 | + "authentication $status_string for method $method, role $role"); |
| 41 | +} |
| 42 | + |
| 43 | +SKIP: |
| 44 | +{ |
| 45 | + skip "authentication tests cannot run on Windows", 12 if ($windows_os); |
| 46 | + |
| 47 | + # Initialize master node |
| 48 | + my $node = get_new_node('master'); |
| 49 | + $node->init; |
| 50 | + $node->start; |
| 51 | + |
| 52 | + # Create 3 roles with different password methods for each one. The same |
| 53 | + # password is used for all of them. |
| 54 | + $node->safe_psql('postgres', "CREATE ROLE scram_role LOGIN PASSWORD ('pass' USING 'scram');"); |
| 55 | + $node->safe_psql('postgres', "CREATE ROLE md5_role LOGIN PASSWORD ('pass' USING 'md5');"); |
| 56 | + $node->safe_psql('postgres', "CREATE ROLE plain_role LOGIN PASSWORD ('pass' USING 'plain');"); |
| 57 | + $ENV{"PGPASSWORD"} = 'pass'; |
| 58 | + |
| 59 | + # For "trust" method, all users should be able to connect. |
| 60 | + reset_pg_hba($node, 'trust'); |
| 61 | + test_role($node, 'scram_role', 'trust', 0); |
| 62 | + test_role($node, 'md5_role', 'trust', 0); |
| 63 | + test_role($node, 'plain_role', 'trust', 0); |
| 64 | + |
| 65 | + # For "plain" method, users "plain_role" and "md5_role" should be able to |
| 66 | + # connect. |
| 67 | + reset_pg_hba($node, 'password'); |
| 68 | + test_role($node, 'scram_role', 'password', 2); |
| 69 | + test_role($node, 'md5_role', 'password', 0); |
| 70 | + test_role($node, 'plain_role', 'password', 0); |
| 71 | + |
| 72 | + # For "scram" method, only user "scram_role" should be able to connect. |
| 73 | + reset_pg_hba($node, 'scram'); |
| 74 | + test_role($node, 'scram_role', 'scram', 0); |
| 75 | + test_role($node, 'md5_role', 'scram', 2); |
| 76 | + test_role($node, 'plain_role', 'scram', 2); |
| 77 | + |
| 78 | + # For "md5" method, users "plain_role" and "md5_role" should be able to |
| 79 | + # connect. |
| 80 | + reset_pg_hba($node, 'md5'); |
| 81 | + test_role($node, 'scram_role', 'md5', 2); |
| 82 | + test_role($node, 'md5_role', 'md5', 0); |
| 83 | + test_role($node, 'plain_role', 'md5', 0); |
| 84 | +} |
0 commit comments