1# Set of tests for authentication and pg_hba.conf. The following password 2# methods are checked through this test: 3# - Plain 4# - MD5-encrypted 5# - SCRAM-encrypted 6# This test can only run with Unix-domain sockets. 7 8use strict; 9use warnings; 10use PostgresNode; 11use TestLib; 12use Test::More; 13if (!$use_unix_sockets) 14{ 15 plan skip_all => 16 "authentication tests cannot run without Unix-domain sockets"; 17} 18else 19{ 20 plan tests => 13; 21} 22 23 24# Delete pg_hba.conf from the given node, add a new entry to it 25# and then execute a reload to refresh it. 26sub reset_pg_hba 27{ 28 my $node = shift; 29 my $hba_method = shift; 30 31 unlink($node->data_dir . '/pg_hba.conf'); 32 $node->append_conf('pg_hba.conf', "local all all $hba_method"); 33 $node->reload; 34 return; 35} 36 37# Test access for a single role, useful to wrap all tests into one. 38sub test_role 39{ 40 my $node = shift; 41 my $role = shift; 42 my $method = shift; 43 my $expected_res = shift; 44 my $status_string = 'failed'; 45 46 $status_string = 'success' if ($expected_res eq 0); 47 48 local $Test::Builder::Level = $Test::Builder::Level + 1; 49 50 my $res = $node->psql('postgres', undef, extra_params => [ '-U', $role, '-w' ]); 51 is($res, $expected_res, 52 "authentication $status_string for method $method, role $role"); 53 return; 54} 55 56# Initialize master node 57my $node = get_new_node('master'); 58$node->init; 59$node->start; 60 61# Create 3 roles with different password methods for each one. The same 62# password is used for all of them. 63$node->safe_psql('postgres', 64 "SET password_encryption='scram-sha-256'; CREATE ROLE scram_role LOGIN PASSWORD 'pass';" 65); 66$node->safe_psql('postgres', 67 "SET password_encryption='md5'; CREATE ROLE md5_role LOGIN PASSWORD 'pass';" 68); 69$ENV{"PGPASSWORD"} = 'pass'; 70 71# For "trust" method, all users should be able to connect. 72reset_pg_hba($node, 'trust'); 73test_role($node, 'scram_role', 'trust', 0); 74test_role($node, 'md5_role', 'trust', 0); 75 76# For plain "password" method, all users should also be able to connect. 77reset_pg_hba($node, 'password'); 78test_role($node, 'scram_role', 'password', 0); 79test_role($node, 'md5_role', 'password', 0); 80 81# For "scram-sha-256" method, user "scram_role" should be able to connect. 82reset_pg_hba($node, 'scram-sha-256'); 83test_role($node, 'scram_role', 'scram-sha-256', 0); 84test_role($node, 'md5_role', 'scram-sha-256', 2); 85 86# For "md5" method, all users should be able to connect (SCRAM 87# authentication will be performed for the user with a SCRAM secret.) 88reset_pg_hba($node, 'md5'); 89test_role($node, 'scram_role', 'md5', 0); 90test_role($node, 'md5_role', 'md5', 0); 91 92# Tests for channel binding without SSL. 93# Using the password authentication method; channel binding can't work 94reset_pg_hba($node, 'password'); 95$ENV{"PGCHANNELBINDING"} = 'require'; 96test_role($node, 'scram_role', 'scram-sha-256', 2); 97# SSL not in use; channel binding still can't work 98reset_pg_hba($node, 'scram-sha-256'); 99$ENV{"PGCHANNELBINDING"} = 'require'; 100test_role($node, 'scram_role', 'scram-sha-256', 2); 101 102# Test .pgpass processing; but use a temp file, don't overwrite the real one! 103my $pgpassfile = "${TestLib::tmp_check}/pgpass"; 104 105delete $ENV{"PGPASSWORD"}; 106delete $ENV{"PGCHANNELBINDING"}; 107$ENV{"PGPASSFILE"} = $pgpassfile; 108 109unlink($pgpassfile); 110append_to_file($pgpassfile, qq! 111# This very long comment is just here to exercise handling of long lines in the file. This very long comment is just here to exercise handling of long lines in the file. This very long comment is just here to exercise handling of long lines in the file. This very long comment is just here to exercise handling of long lines in the file. This very long comment is just here to exercise handling of long lines in the file. 112*:*:postgres:scram_role:pass:this is not part of the password. 113!); 114chmod 0600, $pgpassfile or die; 115 116reset_pg_hba($node, 'password'); 117test_role($node, 'scram_role', 'password from pgpass', 0); 118test_role($node, 'md5_role', 'password from pgpass', 2); 119 120append_to_file($pgpassfile, qq! 121*:*:*:md5_role:p\\ass 122!); 123 124test_role($node, 'md5_role', 'password from pgpass', 0); 125