mirrors/postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add TAP tests for role membership in pg_hba.conf

Browse Source 
This commit expands the coverage of pg_hba.conf with checks specific to
role memberships (one "root" role combined with a member and a
non-member).  Coverage is added for the database keywords "samegroup"
and "samerole", where the specified role has to be be a member of the
role with the same name as the requested database, and '+' on the user
entry, where members are allowed.  These tests are plugged in the
authentication test 001_password.pl as of extra connection attempts
combined with resets of pg_hba.conf, making them rather cheap.

Author: Nathan Bossart
Reviewed-by: Tom Lane, Michael Paquier
Discussion: https://postgr.es/m/20221009211348.GB900071@nathanxps13
This commit is contained in:
Michael Paquier 2022-10-11 13:57:07 +09:00
parent 9fcdf2c787
commit 8432a815fe
1 changed files with 126 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
src/test/authentication/t/001_password.pl
View File

@ -200,4 +200,130 @@ append_to_file(
test_conn($node, 'user=md5_role', 'password from pgpass', 0); test_conn($node, 'user=md5_role', 'password from pgpass', 0);
unlink($pgpassfile);
delete $ENV{"PGPASSFILE"};
note "Authentication tests with specific HBA policies on roles";
# Create database and roles for membership tests
reset_pg_hba($node, 'all', 'all', 'trust');
# Database and root role names match for "samerole" and "samegroup".
$node->safe_psql('postgres', "CREATE DATABASE regress_regression_group;");
$node->safe_psql(
'postgres',
qq{CREATE ROLE regress_regression_group LOGIN PASSWORD 'pass';
CREATE ROLE regress_member LOGIN SUPERUSER IN ROLE regress_regression_group PASSWORD 'pass';
CREATE ROLE regress_not_member LOGIN SUPERUSER PASSWORD 'pass';});
# Test role with exact matching, no members allowed.
$ENV{"PGPASSWORD"} = 'pass';
reset_pg_hba($node, 'all', 'regress_regression_group', 'scram-sha-256');
test_conn(
$node,
'user=regress_regression_group',
'scram-sha-256',
0,
log_like => [
qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
]);
test_conn(
$node,
'user=regress_member',
'scram-sha-256',
2,
log_unlike => [
qr/connection authenticated: identity="regress_member" method=scram-sha-256/
]);
test_conn(
$node,
'user=regress_not_member',
'scram-sha-256',
2,
log_unlike => [
qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
]);
# Test role membership with '+', where all the members are allowed
# to connect.
reset_pg_hba($node, 'all', '+regress_regression_group', 'scram-sha-256');
test_conn(
$node,
'user=regress_regression_group',
'scram-sha-256',
0,
log_like => [
qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
]);
test_conn(
$node,
'user=regress_member',
'scram-sha-256',
0,
log_like => [
qr/connection authenticated: identity="regress_member" method=scram-sha-256/
]);
test_conn(
$node,
'user=regress_not_member',
'scram-sha-256',
2,
log_unlike => [
qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
]);
# Test role membership is respected for samerole
$ENV{"PGDATABASE"} = 'regress_regression_group';
reset_pg_hba($node, 'samerole', 'all', 'scram-sha-256');
test_conn(
$node,
'user=regress_regression_group',
'scram-sha-256',
0,
log_like => [
qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
]);
test_conn(
$node,
'user=regress_member',
'scram-sha-256',
0,
log_like => [
qr/connection authenticated: identity="regress_member" method=scram-sha-256/
]);
test_conn(
$node,
'user=regress_not_member',
'scram-sha-256',
2,
log_unlike => [
qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
]);
# Test role membership is respected for samegroup
reset_pg_hba($node, 'samegroup', 'all', 'scram-sha-256');
test_conn(
$node,
'user=regress_regression_group',
'scram-sha-256',
0,
log_like => [
qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
]);
test_conn(
$node,
'user=regress_member',
'scram-sha-256',
0,
log_like => [
qr/connection authenticated: identity="regress_member" method=scram-sha-256/
]);
test_conn(
$node,
'user=regress_not_member',
'scram-sha-256',
2,
log_unlike => [
qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
]);
done_testing(); done_testing();