From 9f899562d420fe36305badc169550673914389b7 Mon Sep 17 00:00:00 2001 From: Heikki Linnakangas Date: Mon, 8 Apr 2024 02:49:30 +0300 Subject: [PATCH] Move Kerberos module So that we can reuse it in new tests. Discussion: https://www.postgresql.org/message-id/a3af4070-3556-461d-aec8-a8d794f94894@iki.fi Reviewed-by: Jacob Champion, Matthias van de Meent --- src/test/kerberos/t/001_auth.pl | 179 +---------------- src/test/perl/PostgreSQL/Test/Kerberos.pm | 234 ++++++++++++++++++++++ 2 files changed, 245 insertions(+), 168 deletions(-) create mode 100644 src/test/perl/PostgreSQL/Test/Kerberos.pm diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl index ec311bfed8..d4f1ec5809 100644 --- a/src/test/kerberos/t/001_auth.pl +++ b/src/test/kerberos/t/001_auth.pl @@ -21,6 +21,7 @@ use strict; use warnings FATAL => 'all'; use PostgreSQL::Test::Utils; use PostgreSQL::Test::Cluster; +use PostgreSQL::Test::Kerberos; use Test::More; use Time::HiRes qw(usleep); @@ -34,182 +35,27 @@ elsif (!$ENV{PG_TEST_EXTRA} || $ENV{PG_TEST_EXTRA} !~ /\bkerberos\b/) 'Potentially unsafe test GSSAPI/Kerberos not enabled in PG_TEST_EXTRA'; } -my ($krb5_bin_dir, $krb5_sbin_dir); - -if ($^O eq 'darwin' && -d "/opt/homebrew") -{ - # typical paths for Homebrew on ARM - $krb5_bin_dir = '/opt/homebrew/opt/krb5/bin'; - $krb5_sbin_dir = '/opt/homebrew/opt/krb5/sbin'; -} -elsif ($^O eq 'darwin') -{ - # typical paths for Homebrew on Intel - $krb5_bin_dir = '/usr/local/opt/krb5/bin'; - $krb5_sbin_dir = '/usr/local/opt/krb5/sbin'; -} -elsif ($^O eq 'freebsd') -{ - $krb5_bin_dir = '/usr/local/bin'; - $krb5_sbin_dir = '/usr/local/sbin'; -} -elsif ($^O eq 'linux') -{ - $krb5_sbin_dir = '/usr/sbin'; -} - -my $krb5_config = 'krb5-config'; -my $kinit = 'kinit'; -my $klist = 'klist'; -my $kdb5_util = 'kdb5_util'; -my $kadmin_local = 'kadmin.local'; -my $krb5kdc = 'krb5kdc'; - -if ($krb5_bin_dir && -d $krb5_bin_dir) -{ - $krb5_config = $krb5_bin_dir . '/' . $krb5_config; - $kinit = $krb5_bin_dir . '/' . $kinit; - $klist = $krb5_bin_dir . '/' . $klist; -} -if ($krb5_sbin_dir && -d $krb5_sbin_dir) -{ - $kdb5_util = $krb5_sbin_dir . '/' . $kdb5_util; - $kadmin_local = $krb5_sbin_dir . '/' . $kadmin_local; - $krb5kdc = $krb5_sbin_dir . '/' . $krb5kdc; -} - -my $host = 'auth-test-localhost.postgresql.example.com'; -my $hostaddr = '127.0.0.1'; -my $realm = 'EXAMPLE.COM'; - -my $krb5_conf = "${PostgreSQL::Test::Utils::tmp_check}/krb5.conf"; -my $kdc_conf = "${PostgreSQL::Test::Utils::tmp_check}/kdc.conf"; -my $krb5_cache = "${PostgreSQL::Test::Utils::tmp_check}/krb5cc"; -my $krb5_log = "${PostgreSQL::Test::Utils::log_path}/krb5libs.log"; -my $kdc_log = "${PostgreSQL::Test::Utils::log_path}/krb5kdc.log"; -my $kdc_port = PostgreSQL::Test::Cluster::get_free_port(); -my $kdc_datadir = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc"; -my $kdc_pidfile = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc.pid"; -my $keytab = "${PostgreSQL::Test::Utils::tmp_check}/krb5.keytab"; - my $pgpass = "${PostgreSQL::Test::Utils::tmp_check}/.pgpass"; my $dbname = 'postgres'; my $username = 'test1'; my $application = '001_auth.pl'; -note "setting up Kerberos"; - -my ($stdout, $krb5_version); -run_log [ $krb5_config, '--version' ], '>', \$stdout - or BAIL_OUT("could not execute krb5-config"); -BAIL_OUT("Heimdal is not supported") if $stdout =~ m/heimdal/; -$stdout =~ m/Kerberos 5 release ([0-9]+\.[0-9]+)/ - or BAIL_OUT("could not get Kerberos version"); -$krb5_version = $1; - # Construct a pgpass file to make sure we don't use it append_to_file($pgpass, '*:*:*:*:abc123'); chmod 0600, $pgpass or die $!; -# Build the krb5.conf to use. -# -# Explicitly specify the default (test) realm and the KDC for -# that realm to avoid the Kerberos library trying to look up -# that information in DNS, and also because we're using a -# non-standard KDC port. -# -# Also explicitly disable DNS lookups since this isn't really -# our domain and we shouldn't be causing random DNS requests -# to be sent out (not to mention that broken DNS environments -# can cause the tests to take an extra long time and timeout). -# -# Reverse DNS is explicitly disabled to avoid any issue with a -# captive portal or other cases where the reverse DNS succeeds -# and the Kerberos library uses that as the canonical name of -# the host and then tries to acquire a cross-realm ticket. -append_to_file( - $krb5_conf, - qq![logging] -default = FILE:$krb5_log -kdc = FILE:$kdc_log +note "setting up Kerberos"; -[libdefaults] -dns_lookup_realm = false -dns_lookup_kdc = false -default_realm = $realm -forwardable = false -rdns = false +my $host = 'auth-test-localhost.postgresql.example.com'; +my $hostaddr = '127.0.0.1'; +my $realm = 'EXAMPLE.COM'; -[realms] -$realm = { - kdc = $hostaddr:$kdc_port -} -!); - -append_to_file( - $kdc_conf, - qq![kdcdefaults] -!); - -# For new-enough versions of krb5, use the _listen settings rather -# than the _ports settings so that we can bind to localhost only. -if ($krb5_version >= 1.15) -{ - append_to_file( - $kdc_conf, - qq!kdc_listen = $hostaddr:$kdc_port -kdc_tcp_listen = $hostaddr:$kdc_port -!); -} -else -{ - append_to_file( - $kdc_conf, - qq!kdc_ports = $kdc_port -kdc_tcp_ports = $kdc_port -!); -} -append_to_file( - $kdc_conf, - qq! -[realms] -$realm = { - database_name = $kdc_datadir/principal - admin_keytab = FILE:$kdc_datadir/kadm5.keytab - acl_file = $kdc_datadir/kadm5.acl - key_stash_file = $kdc_datadir/_k5.$realm -}!); - -mkdir $kdc_datadir or die; - -# Ensure that we use test's config and cache files, not global ones. -$ENV{'KRB5_CONFIG'} = $krb5_conf; -$ENV{'KRB5_KDC_PROFILE'} = $kdc_conf; -$ENV{'KRB5CCNAME'} = $krb5_cache; - -my $service_principal = "$ENV{with_krb_srvnam}/$host"; - -system_or_bail $kdb5_util, 'create', '-s', '-P', 'secret0'; +my $krb = PostgreSQL::Test::Kerberos->new($host, $hostaddr, $realm); my $test1_password = 'secret1'; -system_or_bail $kadmin_local, '-q', "addprinc -pw $test1_password test1"; - -system_or_bail $kadmin_local, '-q', "addprinc -randkey $service_principal"; -system_or_bail $kadmin_local, '-q', "ktadd -k $keytab $service_principal"; - -system_or_bail $krb5kdc, '-P', $kdc_pidfile; - -END -{ - # take care not to change the script's exit value - my $exit_code = $?; - - kill 'INT', `cat $kdc_pidfile` if defined($kdc_pidfile) && -f $kdc_pidfile; - - $? = $exit_code; -} +$krb->create_principal('test1', $test1_password); note "setting up PostgreSQL instance"; @@ -218,7 +64,7 @@ $node->init; $node->append_conf( 'postgresql.conf', qq{ listen_addresses = '$hostaddr' -krb_server_keyfile = '$keytab' +krb_server_keyfile = '$krb->{keytab}' log_connections = on lc_messages = 'C' }); @@ -332,8 +178,7 @@ $node->restart; test_access($node, 'test1', 'SELECT true', 2, '', 'fails without ticket'); -run_log [ $kinit, 'test1' ], \$test1_password or BAIL_OUT($?); -run_log [ $klist, '-f' ] or BAIL_OUT($?); +$krb->create_ticket('test1', $test1_password); test_access( $node, @@ -475,10 +320,8 @@ $node->append_conf( hostgssenc all all $hostaddr/32 gss map=mymap }); -string_replace_file($krb5_conf, "forwardable = false", "forwardable = true"); - -run_log [ $kinit, 'test1' ], \$test1_password or BAIL_OUT($?); -run_log [ $klist, '-f' ] or BAIL_OUT($?); +# Re-create the ticket, with the forwardable flag set +$krb->create_ticket('test1', $test1_password, forwardable => 1); test_access( $node, diff --git a/src/test/perl/PostgreSQL/Test/Kerberos.pm b/src/test/perl/PostgreSQL/Test/Kerberos.pm new file mode 100644 index 0000000000..f7810da9c1 --- /dev/null +++ b/src/test/perl/PostgreSQL/Test/Kerberos.pm @@ -0,0 +1,234 @@ + +# Copyright (c) 2021-2024, PostgreSQL Global Development Group + +# Sets up a stand-alone KDC for testing PostgreSQL GSSAPI / Kerberos +# functionality. + +package PostgreSQL::Test::Kerberos; + +use strict; +use warnings FATAL => 'all'; +use PostgreSQL::Test::Utils; + +our ($krb5_bin_dir, $krb5_sbin_dir, $krb5_config, $kinit, $klist, + $kdb5_util, $kadmin_local, $krb5kdc, + $krb5_conf, $kdc_conf, $krb5_cache, $krb5_log, $kdc_log, + $kdc_port, $kdc_datadir, $kdc_pidfile, $keytab); + +INIT +{ + if ($^O eq 'darwin' && -d "/opt/homebrew") + { + # typical paths for Homebrew on ARM + $krb5_bin_dir = '/opt/homebrew/opt/krb5/bin'; + $krb5_sbin_dir = '/opt/homebrew/opt/krb5/sbin'; + } + elsif ($^O eq 'darwin') + { + # typical paths for Homebrew on Intel + $krb5_bin_dir = '/usr/local/opt/krb5/bin'; + $krb5_sbin_dir = '/usr/local/opt/krb5/sbin'; + } + elsif ($^O eq 'freebsd') + { + $krb5_bin_dir = '/usr/local/bin'; + $krb5_sbin_dir = '/usr/local/sbin'; + } + elsif ($^O eq 'linux') + { + $krb5_sbin_dir = '/usr/sbin'; + } + + $krb5_config = 'krb5-config'; + $kinit = 'kinit'; + $klist = 'klist'; + $kdb5_util = 'kdb5_util'; + $kadmin_local = 'kadmin.local'; + $krb5kdc = 'krb5kdc'; + + if ($krb5_bin_dir && -d $krb5_bin_dir) + { + $krb5_config = $krb5_bin_dir . '/' . $krb5_config; + $kinit = $krb5_bin_dir . '/' . $kinit; + $klist = $krb5_bin_dir . '/' . $klist; + } + if ($krb5_sbin_dir && -d $krb5_sbin_dir) + { + $kdb5_util = $krb5_sbin_dir . '/' . $kdb5_util; + $kadmin_local = $krb5_sbin_dir . '/' . $kadmin_local; + $krb5kdc = $krb5_sbin_dir . '/' . $krb5kdc; + } + + $krb5_conf = "${PostgreSQL::Test::Utils::tmp_check}/krb5.conf"; + $kdc_conf = "${PostgreSQL::Test::Utils::tmp_check}/kdc.conf"; + $krb5_cache = "${PostgreSQL::Test::Utils::tmp_check}/krb5cc"; + $krb5_log = "${PostgreSQL::Test::Utils::log_path}/krb5libs.log"; + $kdc_log = "${PostgreSQL::Test::Utils::log_path}/krb5kdc.log"; + $kdc_port = PostgreSQL::Test::Cluster::get_free_port(); + $kdc_datadir = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc"; + $kdc_pidfile = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc.pid"; + $keytab = "${PostgreSQL::Test::Utils::tmp_check}/krb5.keytab"; +} + +=pod + +=item PostgreSQL::Test::Kerberos->new(host, hostaddr, realm, %params) + +Sets up a new Kerberos realm and KDC. This function assigns a free +port for the KDC. The KDC will be shut down automatically when the +test script exits. + +=over + +=item host => 'auth-test-localhost.postgresql.example.com' + +Hostname to use in the service principal. + +=item hostaddr => '127.0.0.1' + +Network interface the KDC will listen on. + +=item realm => 'EXAMPLE.COM' + +Name of the Kerberos realm. + +=back + +=cut + +sub new +{ + my $class = shift; + my ($host, $hostaddr, $realm) = @_; + + my ($stdout, $krb5_version); + run_log [ $krb5_config, '--version' ], '>', \$stdout + or BAIL_OUT("could not execute krb5-config"); + BAIL_OUT("Heimdal is not supported") if $stdout =~ m/heimdal/; + $stdout =~ m/Kerberos 5 release ([0-9]+\.[0-9]+)/ + or BAIL_OUT("could not get Kerberos version"); + $krb5_version = $1; + + # Build the krb5.conf to use. + # + # Explicitly specify the default (test) realm and the KDC for + # that realm to avoid the Kerberos library trying to look up + # that information in DNS, and also because we're using a + # non-standard KDC port. + # + # Also explicitly disable DNS lookups since this isn't really + # our domain and we shouldn't be causing random DNS requests + # to be sent out (not to mention that broken DNS environments + # can cause the tests to take an extra long time and timeout). + # + # Reverse DNS is explicitly disabled to avoid any issue with a + # captive portal or other cases where the reverse DNS succeeds + # and the Kerberos library uses that as the canonical name of + # the host and then tries to acquire a cross-realm ticket. + append_to_file( + $krb5_conf, + qq![logging] +default = FILE:$krb5_log +kdc = FILE:$kdc_log + +[libdefaults] +dns_lookup_realm = false +dns_lookup_kdc = false +default_realm = $realm +forwardable = false +rdns = false + +[realms] +$realm = { + kdc = $hostaddr:$kdc_port +} +!); + + append_to_file( + $kdc_conf, + qq![kdcdefaults] +!); + + # For new-enough versions of krb5, use the _listen settings rather + # than the _ports settings so that we can bind to localhost only. + if ($krb5_version >= 1.15) + { + append_to_file( + $kdc_conf, + qq!kdc_listen = $hostaddr:$kdc_port +kdc_tcp_listen = $hostaddr:$kdc_port +!); + } + else + { + append_to_file( + $kdc_conf, + qq!kdc_ports = $kdc_port +kdc_tcp_ports = $kdc_port +!); + } + append_to_file( + $kdc_conf, + qq! +[realms] +$realm = { + database_name = $kdc_datadir/principal + admin_keytab = FILE:$kdc_datadir/kadm5.keytab + acl_file = $kdc_datadir/kadm5.acl + key_stash_file = $kdc_datadir/_k5.$realm +}!); + + mkdir $kdc_datadir or BAIL_OUT("could not create directory \"$kdc_datadir\""); + + # Ensure that we use test's config and cache files, not global ones. + $ENV{'KRB5_CONFIG'} = $krb5_conf; + $ENV{'KRB5_KDC_PROFILE'} = $kdc_conf; + $ENV{'KRB5CCNAME'} = $krb5_cache; + + my $service_principal = "$ENV{with_krb_srvnam}/$host"; + + system_or_bail $kdb5_util, 'create', '-s', '-P', 'secret0'; + + system_or_bail $kadmin_local, '-q', "addprinc -randkey $service_principal"; + system_or_bail $kadmin_local, '-q', "ktadd -k $keytab $service_principal"; + + system_or_bail $krb5kdc, '-P', $kdc_pidfile; + + my $self = {}; + $self->{keytab} = $keytab; + + bless $self, $class; + + return $self; +} + +sub create_principal +{ + my ($self, $principal, $password) = @_; + + system_or_bail $kadmin_local, '-q', "addprinc -pw $password $principal"; +} + +sub create_ticket +{ + my ($self, $principal, $password, %params) = @_; + + my @cmd = ($kinit, $principal); + + push @cmd, '-f' if ($params{forwardable}); + + run_log [@cmd], \$password or BAIL_OUT($?); + run_log [ $klist, '-f' ] or BAIL_OUT($?); +} + +END +{ + # take care not to change the script's exit value + my $exit_code = $?; + + kill 'INT', `cat $kdc_pidfile` if defined($kdc_pidfile) && -f $kdc_pidfile; + + $? = $exit_code; +} + +1;