Commit 8432a81

Add TAP tests for role membership in pg_hba.conf
This commit expands the coverage of pg_hba.conf with checks specific to role memberships (one "root" role combined with a member and a non-member). Coverage is added for the database keywords "samegroup" and "samerole", where the specified role has to be a member of the role with the same name as the requested database, and '+' on the user entry, where members are allowed.

These tests are plugged in the authentication test 001_password.pl as of extra connection attempts combined with resets of pg_hba.conf, making them rather cheap.

Author: Nathan Bossart
Reviewed-by: Tom Lane, Michael Paquier
Discussion: https://postgr.es/m/20221009211348.GB900071@nathanxps13
1 parent 9fcdf2c commit 8432a81
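As an added illustration (this is not part of the commit and not PostgreSQL's own hba.c), the Python model below reproduces the documented pg_hba.conf matching rules that the new tests exercise: an exact role name, `+role` for members (the group role itself included), `all`, `sameuser`, and `samerole`/`samegroup`, evaluated top to bottom with first match winning. The role graph with the commit's three roles is constructed for the example; connecting to database `postgres` for the first two policies is an assumption, and the `replication` keyword is deliberately not modelled.

```python
"""Model of pg_hba.conf 'database' / 'user' column matching (illustration only,
not PostgreSQL's hba.c)."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed role graph mirroring the commit's setup: a "root" role whose name
# matches a database, one role created IN ROLE that root, and one that is not.
# Each value is the set of roles the key is a *direct* member of.
MEMBERSHIPS: Dict[str, Set[str]] = {
    "regress_regression_group": set(),
    "regress_member": {"regress_regression_group"},
    "regress_not_member": set(),
}


def is_member(role: str, target: str, memberships: Dict[str, Set[str]]) -> bool:
    """A role is a member of itself and of every role it reaches through direct
    or indirect membership. Superuser status is ignored on purpose: that is the
    documented rule for pg_hba.conf membership checks (and what the test expects
    when the SUPERUSER regress_not_member is rejected)."""
    if role == target:
        return True
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        for parent in memberships.get(current, ()):
            if parent == target:
                return True
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return False


def user_field_matches(field: str, role: str, memberships: Dict[str, Set[str]]) -> bool:
    """'user' column: 'all', '+group' (members of group), an exact role name,
    or a comma-separated list of those."""
    for token in (t.strip() for t in field.split(",")):
        if token == "all" or token == role:
            return True
        if token.startswith("+") and is_member(role, token[1:], memberships):
            return True
    return False


def database_field_matches(field: str, dbname: str, role: str,
                           memberships: Dict[str, Set[str]]) -> bool:
    """'database' column: 'all', 'sameuser', 'samerole'/'samegroup' (the role
    must be a member of the role named like the database), or an exact name."""
    for token in (t.strip() for t in field.split(",")):
        if token == "all" or token == dbname:
            return True
        if token == "sameuser" and dbname == role:
            return True
        if token in ("samerole", "samegroup") and is_member(role, dbname, memberships):
            return True
    return False


@dataclass(frozen=True)
class HbaLine:
    database: str
    user: str
    method: str


def resolve_method(hba: List[HbaLine], dbname: str, role: str,
                   memberships: Dict[str, Set[str]] = MEMBERSHIPS) -> Optional[str]:
    """First matching line wins, as pg_hba.conf is read top to bottom.
    None models the 'no pg_hba.conf entry' rejection (exit code 2 in the test)."""
    for line in hba:
        if (database_field_matches(line.database, dbname, role, memberships)
                and user_field_matches(line.user, role, memberships)):
            return line.method
    return None


def commit_scenarios() -> Dict[str, Dict[str, Optional[str]]]:
    """Replay the four single-line policies the test installs via reset_pg_hba().
    Database 'postgres' for the first two policies is an assumption."""
    roles = ["regress_regression_group", "regress_member", "regress_not_member"]
    policies = {
        "exact role": ("all", "regress_regression_group", "postgres"),
        "+role": ("all", "+regress_regression_group", "postgres"),
        "samerole": ("samerole", "all", "regress_regression_group"),
        "samegroup": ("samegroup", "all", "regress_regression_group"),
    }
    outcome: Dict[str, Dict[str, Optional[str]]] = {}
    for name, (db_field, user_field, connect_db) in policies.items():
        hba = [HbaLine(db_field, user_field, "scram-sha-256")]
        outcome[name] = {r: resolve_method(hba, connect_db, r) for r in roles}
    return outcome


if __name__ == "__main__":
    for policy, result in commit_scenarios().items():
        print(policy, result)
```

Running it reproduces the test's expectations: only the group role passes the exact-name policy, the group role and its member pass `+regress_regression_group`, and the same two pass `samerole`/`samegroup` when connecting to the database that shares the group's name, while the superuser non-member is rejected in every case.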

File tree

1 file changed

+126
-0
lines changed


src/test/authentication/t/001_password.pl

Lines changed: 126 additions & 0 deletions
@@ -200,4 +200,130 @@ sub test_conn
200200

201201
test_conn($node, 'user=md5_role', 'password from pgpass', 0);
202202

203+
unlink($pgpassfile);
204+
delete $ENV{"PGPASSFILE"};
205+
206+
note "Authentication tests with specific HBA policies on roles";
207+
208+
# Create database and roles for membership tests
209+
reset_pg_hba($node, 'all', 'all', 'trust');
210+
# Database and root role names match for "samerole" and "samegroup".
211+
$node->safe_psql('postgres', "CREATE DATABASE regress_regression_group;");
212+
$node->safe_psql(
213+
'postgres',
214+
qq{CREATE ROLE regress_regression_group LOGIN PASSWORD 'pass';
215+
CREATE ROLE regress_member LOGIN SUPERUSER IN ROLE regress_regression_group PASSWORD 'pass';
216+
CREATE ROLE regress_not_member LOGIN SUPERUSER PASSWORD 'pass';});
217+
218+
# Test role with exact matching, no members allowed.
219+
$ENV{"PGPASSWORD"} = 'pass';
220+
reset_pg_hba($node, 'all', 'regress_regression_group', 'scram-sha-256');
221+
test_conn(
222+
$node,
223+
'user=regress_regression_group',
224+
'scram-sha-256',
225+
0,
226+
log_like => [
227+
qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
228+
]);
229+
test_conn(
230+
$node,
231+
'user=regress_member',
232+
'scram-sha-256',
233+
2,
234+
log_unlike => [
235+
qr/connection authenticated: identity="regress_member" method=scram-sha-256/
236+
]);
237+
test_conn(
238+
$node,
239+
'user=regress_not_member',
240+
'scram-sha-256',
241+
2,
242+
log_unlike => [
243+
qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
244+
]);
245+
246+
# Test role membership with '+', where all the members are allowed
247+
# to connect.
248+
reset_pg_hba($node, 'all', '+regress_regression_group', 'scram-sha-256');
249+
test_conn(
250+
$node,
251+
'user=regress_regression_group',
252+
'scram-sha-256',
253+
0,
254+
log_like => [
255+
qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
256+
]);
257+
test_conn(
258+
$node,
259+
'user=regress_member',
260+
'scram-sha-256',
261+
0,
262+
log_like => [
263+
qr/connection authenticated: identity="regress_member" method=scram-sha-256/
264+
]);
265+
test_conn(
266+
$node,
267+
'user=regress_not_member',
268+
'scram-sha-256',
269+
2,
270+
log_unlike => [
271+
qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
272+
]);
273+
274+
# Test role membership is respected for samerole
275+
$ENV{"PGDATABASE"} = 'regress_regression_group';
276+
reset_pg_hba($node, 'samerole', 'all', 'scram-sha-256');
277+
test_conn(
278+
$node,
279+
'user=regress_regression_group',
280+
'scram-sha-256',
281+
0,
282+
log_like => [
283+
qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
284+
]);
285+
test_conn(
286+
$node,
287+
'user=regress_member',
288+
'scram-sha-256',
289+
0,
290+
log_like => [
291+
qr/connection authenticated: identity="regress_member" method=scram-sha-256/
292+
]);
293+
test_conn(
294+
$node,
295+
'user=regress_not_member',
296+
'scram-sha-256',
297+
2,
298+
log_unlike => [
299+
qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
300+
]);
301+
302+
# Test role membership is respected for samegroup
303+
reset_pg_hba($node, 'samegroup', 'all', 'scram-sha-256');
304+
test_conn(
305+
$node,
306+
'user=regress_regression_group',
307+
'scram-sha-256',
308+
0,
309+
log_like => [
310+
qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
311+
]);
312+
test_conn(
313+
$node,
314+
'user=regress_member',
315+
'scram-sha-256',
316+
0,
317+
log_like => [
318+
qr/connection authenticated: identity="regress_member" method=scram-sha-256/
319+
]);
320+
test_conn(
321+
$node,
322+
'user=regress_not_member',
323+
'scram-sha-256',
324+
2,
325+
log_unlike => [
326+
qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
327+
]);
328+
203329
done_testing();
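Review bot: the rejection cases for regress_member and regress_not_member only check exit code 2 plus `log_unlike` on the "connection authenticated" line, which also passes when the connection fails for an unrelated reason (a bad password from `$ENV{"PGPASSWORD"}`, a mistyped role name), so the test cannot tell "rejected by the HBA entry" from "broken test"; add a positive `log_like` on the server's "no pg_hba.conf entry" FATAL message in each of those calls. Two smaller points: the samerole/samegroup blocks silently depend on `$ENV{"PGDATABASE"} = 'regress_regression_group';` set once before the samerole section rather than a `dbname=` in each connection string, which is easy to miss when reading the samegroup block on its own, and the SUPERUSER attribute on regress_member and regress_not_member is unexplained; since the test itself expects the superuser non-member to be rejected, superuser status evidently does not count as membership here, so a comment saying why the attribute is needed (or dropping it) would make the intent clearer.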
