Commit 91102da

In SSL tests, don't scribble on permissions of a repo file.
Modifying the permissions of a persistent file isn't really much nicer than modifying its contents, even if git doesn't currently notice it. Adjust the test script to make a copy and set the permissions of that instead.

Michael Paquier, per a gripe from me. Back-patch to 9.5 where these tests were introduced.

Discussion: https://postgr.es/m/14836.1494885946@sss.pgh.pa.us
1 parent 6accefd commit 91102da

2 files changed

+13
-9
lines changed

src/test/ssl/ssl/.gitignore

Lines changed: 3 additions & 2 deletions
@@ -1,2 +1,3 @@
1-
*.old
2-
new_certs_dir
1+
/*.old
2+
/new_certs_dir/
3+
/client_tmp.key
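
Review bot: the two existing entries change from *.old and new_certs_dir to /*.old and /new_certs_dir/, which anchors them to this directory and makes the second one match directories only, yet the commit message describes only the key copy. Mention the pattern tightening in the message or split it into its own commit. The new /client_tmp.key entry is worth keeping even though the test unlinks the file, because a run that aborts early leaves the copy behind.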

src/test/ssl/t/001_ssltests.pl

Lines changed: 10 additions & 7 deletions
@@ -66,10 +66,10 @@ sub test_connect_fails
6666
ok(!$result, "$connstr (should fail)");
6767
}
6868

69-
# The client's private key must not be world-readable. Git doesn't track
70-
# permissions (except for the executable bit), so they might be wrong after
71-
# a checkout.
72-
chmod 0600, "ssl/client.key";
69+
# The client's private key must not be world-readable, so take a copy
70+
# of the key stored in the code tree and update its permissions.
71+
copy("ssl/client.key", "ssl/client_tmp.key");
72+
chmod 0600, "ssl/client_tmp.key";
7373

7474
#### Part 0. Set up the server.
7575

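Review bot: the return values of copy() and chmod at new lines 71-72 are not checked, so if either call fails the script carries on and the client-certificate tests further down fail with an error that does not point back to the missing or world-readable key. Suggest: copy("ssl/client.key", "ssl/client_tmp.key") or die "couldn't copy ssl/client.key to ssl/client_tmp.key: $!"; and the same "or die" on the chmod. copy() comes from File::Copy and none of the hunks shown adds a use line, so confirm the script already imports it.
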
@@ -229,11 +229,11 @@ sub test_connect_fails
229229

230230
# correct client cert
231231
test_connect_ok(
232-
"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client.key");
232+
"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
233233

234234
# client cert belonging to another user
235235
test_connect_fails(
236-
"user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client.key");
236+
"user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
237237

238238
# revoked client cert
239239
test_connect_fails(
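
Review bot: the path ssl/client_tmp.key is written out as a literal in both connection strings here (new lines 232 and 236), and again in the copy, chmod, $common_connstr and unlink lines elsewhere in the patch. Consider holding it in one variable near the top of the script and interpolating it, so the tests and the cleanup cannot drift apart if the name changes.
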
@@ -243,7 +243,10 @@ sub test_connect_fails
243243
# intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file
244244
switch_server_cert($node, 'server-cn-only', 'root_ca');
245245
$common_connstr =
246-
"user=ssltestuser dbname=certdb sslkey=ssl/client.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
246+
"user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
247247

248248
test_connect_ok("sslmode=require sslcert=ssl/client+client_ca.crt");
249249
test_connect_fails("sslmode=require sslcert=ssl/client.crt");
250+
251+
# clean up
252+
unlink "ssl/client_tmp.key";
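
Review bot: the unlink at new line 252 runs only if the script reaches its last line, so a run that dies partway leaves a copy of the private key in the source tree, and the new .gitignore entry hides it from git status. Consider moving the cleanup into an END block so it also runs on early exit, and warn if unlink fails.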
