NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit284cbae

committed

Allow tests to pass in OpenSSL FIPS mode (TAP tests)

Some tests using md5 authentication have to be skipped. In othercases, we can rewrite the tests to use a different authenticationmethod.Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>Reviewed-by: Daniel Gustafsson <daniel@yesql.se>Discussion:https://www.postgresql.org/message-id/flat/dbbd927f-ef1f-c9a1-4ec6-c759778ac852%40enterprisedb.com

1 parent7955928 commit284cbaeCopy full SHA for 284cbae

File tree

2 files changed

+112

-69

lines changed

src/test
- authentication/t
  - 001_password.pl
- ssl/t
  - 002_scram.pl

2 files changed

+112

-69

lines changed

`‎src/test/authentication/t/001_password.pl`

Lines changed: 89 additions & 57 deletions

Original file line number	Diff line number	Diff line change
`@@ -66,24 +66,33 @@ sub test_conn`
`66`	`66`	`$node->append_conf('postgresql.conf',"log_connections = on\n");`
`67`	`67`	`$node->start;`
`68`	`68`
	`69`	`+# could fail in FIPS mode`
	`70`	`+my$md5_works = ($node->psql('postgres',"select md5('')") == 0);`
	`71`	`+`
`69`	`72`	`# Create 3 roles with different password methods for each one. The same`
`70`	`73`	`# password is used for all of them.`
`71`		`-$node->safe_psql('postgres',`
`72`		`-"SET password_encryption='scram-sha-256'; CREATE ROLE scram_role LOGIN PASSWORD 'pass';"`
`73`		`-);`
`74`		`-$node->safe_psql('postgres',`
`75`		`-"SET password_encryption='md5'; CREATE ROLE md5_role LOGIN PASSWORD 'pass';"`
`76`		`-);`
	`74`	`+is($node->psql(`
	`75`	`+'postgres',`
	`76`	`+"SET password_encryption='scram-sha-256'; CREATE ROLE scram_role LOGIN PASSWORD 'pass';"`
	`77`	`+),`
	`78`	`+0,`
	`79`	`+'created user with SCRAM password');`
	`80`	`+is($node->psql(`
	`81`	`+'postgres',`
	`82`	`+"SET password_encryption='md5'; CREATE ROLE md5_role LOGIN PASSWORD 'pass';"`
	`83`	`+),`
	`84`	`+$md5_works ? 0 : 3,`
	`85`	`+'created user with md5 password');`
`77`	`86`	`# Set up a table for tests of SYSTEM_USER.`
`78`	`87`	`$node->safe_psql(`
`79`	`88`	`'postgres',`
`80`	`89`	`"CREATE TABLE sysuser_data (n) AS SELECT NULL FROM generate_series(1, 10);`
`81`		`- GRANT ALL ON sysuser_data TOmd5_role;");`
	`90`	`+ GRANT ALL ON sysuser_data TOscram_role;");`
`82`	`91`	`$ENV{"PGPASSWORD"} ='pass';`
`83`	`92`
`84`	`93`	`# Create a role that contains a comma to stress the parsing.`
`85`	`94`	`$node->safe_psql('postgres',`
`86`		`-q{SET password_encryption='md5'; CREATE ROLE "md5,role" LOGIN PASSWORD 'pass';}`
	`95`	`+q{SET password_encryption='scram-sha-256'; CREATE ROLE "scram,role" LOGIN PASSWORD 'pass';}`
`87`	`96`	`);`
`88`	`97`
`89`	`98`	`# Create a role with a non-default iteration count`
`@@ -141,8 +150,13 @@ sub test_conn`
`141`	`150`	`test_conn($node,'user=scram_role','trust', 0,`
`142`	`151`	`log_like=>`
`143`	`152`	`[qr/connection authenticated: user="scram_role" method=trust/]);`
`144`		`-test_conn($node,'user=md5_role','trust', 0,`
`145`		`-log_like=> [qr/connection authenticated: user="md5_role" method=trust/]);`
	`153`	`+SKIP:`
	`154`	`+{`
	`155`	`+skip"MD5 not supported"unless$md5_works;`
	`156`	`+test_conn($node,'user=md5_role','trust', 0,`
	`157`	`+log_like=>`
	`158`	`+ [qr/connection authenticated: user="md5_role" method=trust/]);`
	`159`	`+}`
`146`	`160`
`147`	`161`	`# SYSTEM_USER is null when not authenticated.`
`148`	`162`	`$res =$node->safe_psql('postgres',"SELECT SYSTEM_USER IS NULL;");`
`@@ -157,7 +171,7 @@ sub test_conn`
`157`	`171`	`SET max_parallel_workers_per_gather TO 2;`
`158`	`172`
`159`	`173`	`SELECT bool_and(SYSTEM_USER IS NOT DISTINCT FROM n) FROM sysuser_data;),`
`160`		`-connstr=>"user=md5_role");`
	`174`	`+connstr=>"user=scram_role");`
`161`	`175`	`is($res,'t',`
`162`	`176`	`"users with trust authentication use SYSTEM_USER = NULL in parallel workers"`
`163`	`177`	`);`
`@@ -275,9 +289,14 @@ sub test_conn`
`275`	`289`	`test_conn($node,'user=scram_role','password', 0,`
`276`	`290`	`log_like=>`
`277`	`291`	`[qr/connection authenticated: identity="scram_role" method=password/]);`
`278`		`-test_conn($node,'user=md5_role','password', 0,`
`279`		`-log_like=>`
`280`		`- [qr/connection authenticated: identity="md5_role" method=password/]);`
	`292`	`+SKIP:`
	`293`	`+{`
	`294`	`+skip"MD5 not supported"unless$md5_works;`
	`295`	`+test_conn($node,'user=md5_role','password', 0,`
	`296`	`+log_like=>`
	`297`	`+ [qr/connection authenticated: identity="md5_role" method=password/]`
	`298`	`+);`
	`299`	`+}`
`281`	`300`
`282`	`301`	`# require_auth succeeds here with a plaintext password.`
`283`	`302`	`$node->connect_ok("user=scram_role require_auth=password",`
`@@ -393,59 +412,64 @@ sub test_conn`
`393`	`412`	`test_conn($node,'user=scram_role','md5', 0,`
`394`	`413`	`log_like=>`
`395`	`414`	`[qr/connection authenticated: identity="scram_role" method=md5/]);`
`396`		`-test_conn($node,'user=md5_role','md5', 0,`
`397`		`-log_like=>`
`398`		`- [qr/connection authenticated: identity="md5_role" method=md5/]);`
	`415`	`+SKIP:`
	`416`	`+{`
	`417`	`+skip"MD5 not supported"unless$md5_works;`
	`418`	`+test_conn($node,'user=md5_role','md5', 0,`
	`419`	`+log_like=>`
	`420`	`+ [qr/connection authenticated: identity="md5_role" method=md5/]);`
	`421`	`+}`
`399`	`422`
`400`		`-# require_auth succeeds with MD5 required.`
`401`		`-$node->connect_ok("user=md5_role require_auth=md5",`
`402`		`-"MD5 authentication required, works with MD5 auth");`
`403`		`-$node->connect_ok("user=md5_role require_auth=!none",`
`404`		`-"any authentication required, works with MD5 auth");`
	`423`	`+# require_auth succeeds with SCRAM required.`
`405`	`424`	`$node->connect_ok(`
`406`		`-"user=md5_role require_auth=md5,scram-sha-256,password",`
`407`		`-"multiple authentication types required, works with MD5 auth");`
	`425`	`+"user=scram_role require_auth=scram-sha-256",`
	`426`	`+"SCRAM authentication required, works with SCRAM auth");`
	`427`	`+$node->connect_ok("user=scram_role require_auth=!none",`
	`428`	`+"any authentication required, works with SCRAM auth");`
	`429`	`+$node->connect_ok(`
	`430`	`+"user=scram_role require_auth=md5,scram-sha-256,password",`
	`431`	`+"multiple authentication types required, works with SCRAM auth");`
`408`	`432`
`409`	`433`	`# Authentication fails if other types are required.`
`410`	`434`	`$node->connect_fails(`
`411`		`-"user=md5_role require_auth=password",`
`412`		`-"password authentication required, fails withMD5 auth",`
	`435`	`+"user=scram_role require_auth=password",`
	`436`	`+"password authentication required, fails withSCRAM auth",`
`413`	`437`	`expected_stderr=>`
`414`		`-qr/authentication method requirement "password" failed: server requesteda hashed password/`
	`438`	`+qr/authentication method requirement "password" failed: server requestedSASL authentication/`
`415`	`439`	`);`
`416`	`440`	`$node->connect_fails(`
`417`		`-"user=md5_role require_auth=scram-sha-256",`
`418`		`-"SCRAM authentication required, fails withMD5 auth",`
	`441`	`+"user=scram_role require_auth=md5",`
	`442`	`+"MD5 authentication required, fails withSCRAM auth",`
`419`	`443`	`expected_stderr=>`
`420`		`-qr/authentication method requirement "scram-sha-256" failed: server requesteda hashed password/`
	`444`	`+qr/authentication method requirement "md5" failed: server requestedSASL authentication/`
`421`	`445`	`);`
`422`	`446`	`$node->connect_fails(`
`423`		`-"user=md5_role require_auth=none",`
`424`		`-"all authentication types forbidden, fails withMD5 auth",`
	`447`	`+"user=scram_role require_auth=none",`
	`448`	`+"all authentication types forbidden, fails withSCRAM auth",`
`425`	`449`	`expected_stderr=>`
`426`		`-qr/authentication method requirement "none" failed: server requesteda hashed password/`
	`450`	`+qr/authentication method requirement "none" failed: server requestedSASL authentication/`
`427`	`451`	`);`
`428`	`452`
`429`		`-# Authentication fails ifMD5 is forbidden.`
	`453`	`+# Authentication fails ifSCRAM is forbidden.`
`430`	`454`	`$node->connect_fails(`
`431`		`-"user=md5_role require_auth=!md5",`
`432`		`-"password authentication forbidden, fails withMD5 auth",`
	`455`	`+"user=scram_role require_auth=!scram-sha-256",`
	`456`	`+"password authentication forbidden, fails withSCRAM auth",`
`433`	`457`	`expected_stderr=>`
`434`		`-qr/authentication method requirement "!md5" failed: server requesteda hashed password/`
	`458`	`+qr/authentication method requirement "!scram-sha-256" failed: server requestedSASL authentication/`
`435`	`459`	`);`
`436`	`460`	`$node->connect_fails(`
`437`		`-"user=md5_role require_auth=!password,!md5,!scram-sha-256",`
`438`		`-"multiple authentication types forbidden, fails withMD5 auth",`
	`461`	`+"user=scram_role require_auth=!password,!md5,!scram-sha-256",`
	`462`	`+"multiple authentication types forbidden, fails withSCRAM auth",`
`439`	`463`	`expected_stderr=>`
`440`		`-qr/authentication method requirement "!password,!md5,!scram-sha-256" failed: server requesteda hashed password/`
	`464`	`+qr/authentication method requirement "!password,!md5,!scram-sha-256" failed: server requestedSASL authentication/`
`441`	`465`	`);`
`442`	`466`
`443`	`467`	`# Test SYSTEM_USER <> NULL with parallel workers.`
`444`	`468`	`$node->safe_psql(`
`445`	`469`	`'postgres',`
`446`	`470`	`"TRUNCATE sysuser_data;`
`447`		`-INSERT INTO sysuser_data SELECT 'md5:md5_role' FROM generate_series(1, 10);",`
`448`		`-connstr=>"user=md5_role");`
	`471`	`+INSERT INTO sysuser_data SELECT 'md5:scram_role' FROM generate_series(1, 10);",`
	`472`	`+connstr=>"user=scram_role");`
`449`	`473`	`$res =$node->safe_psql(`
`450`	`474`	`'postgres',qq(`
`451`	`475`	`SET min_parallel_table_scan_size TO 0;`
`@@ -454,7 +478,7 @@ sub test_conn`
`454`	`478`	`SET max_parallel_workers_per_gather TO 2;`
`455`	`479`
`456`	`480`	`SELECT bool_and(SYSTEM_USER IS NOT DISTINCT FROM n) FROM sysuser_data;),`
`457`		`-connstr=>"user=md5_role");`
	`481`	`+connstr=>"user=scram_role");`
`458`	`482`	`is($res,'t',`
`459`	`483`	`"users with md5 authentication use SYSTEM_USER = md5:role in parallel workers"`
`460`	`484`	`);`
`@@ -490,49 +514,57 @@ sub test_conn`
`490`	`514`
`491`	`515`	`append_to_file(`
`492`	`516`	`$pgpassfile,qq!`
`493`		`-::*:md5_role:p\\ass`
`494`		`-::*:md5,role:p\\ass`
	`517`	`+::*:scram_role:p\\ass`
	`518`	`+::*:scram,role:p\\ass`
`495`	`519`	`!);`
`496`	`520`
`497`		`-test_conn($node,'user=md5_role','password from pgpass', 0);`
	`521`	`+test_conn($node,'user=scram_role','password from pgpass', 0);`
`498`	`522`
`499`	`523`	`# Testing with regular expression for username. The third regexp matches.`
`500`		`-reset_pg_hba($node,'all','/^.nomatch.$, baduser, /^md.*$','password');`
`501`		`-test_conn($node,'user=md5_role','password, matching regexp for username', 0,`
	`524`	`+reset_pg_hba($node,'all','/^.nomatch.$, baduser, /^scr.*$','password');`
	`525`	`+test_conn(`
	`526`	`+$node,`
	`527`	`+'user=scram_role',`
	`528`	`+'password, matching regexp for username',`
	`529`	`+0,`
`502`	`530`	`log_like=>`
`503`		`- [qr/connection authenticated: identity="md5_role" method=password/]);`
	`531`	`+ [qr/connection authenticated: identity="scram_role" method=password/]);`
`504`	`532`
`505`	`533`	`# The third regex does not match anymore.`
`506`		`-reset_pg_hba($node,'all','/^.nomatch.$, baduser, /^m_d.*$','password');`
`507`		`-test_conn($node,'user=md5_role',`
	`534`	`+reset_pg_hba($node,'all','/^.nomatch.$, baduser, /^sc_r.*$','password');`
	`535`	`+test_conn($node,'user=scram_role',`
`508`	`536`	`'password, non matching regexp for username',`
`509`	`537`	`2,log_unlike=> [qr/connection authenticated:/]);`
`510`	`538`
`511`	`539`	`# Test with a comma in the regular expression. In this case, the use of`
`512`	`540`	`# double quotes is mandatory so as this is not considered as two elements`
`513`	`541`	`# of the user name list when parsing pg_hba.conf.`
`514`		`-reset_pg_hba($node,'all','"/^.5,.e$"','password');`
`515`		`-test_conn($node,'user=md5,role','password, matching regexp for username', 0,`
	`542`	`+reset_pg_hba($node,'all','"/^.m,.e$"','password');`
	`543`	`+test_conn(`
	`544`	`+$node,`
	`545`	`+'user=scram,role',`
	`546`	`+'password, matching regexp for username',`
	`547`	`+0,`
`516`	`548`	`log_like=>`
`517`		`- [qr/connection authenticated: identity="md5,role" method=password/]);`
	`549`	`+ [qr/connection authenticated: identity="scram,role" method=password/]);`
`518`	`550`
`519`	`551`	`# Testing with regular expression for dbname. The third regex matches.`
`520`	`552`	`reset_pg_hba($node,'/^.nomatch.$, baddb, /^regex_t.*b$','all',`
`521`	`553`	`'password');`
`522`	`554`	`test_conn(`
`523`	`555`	`$node,`
`524`		`-'user=md5_role dbname=regex_testdb',`
	`556`	`+'user=scram_role dbname=regex_testdb',`
`525`	`557`	`'password, matching regexp for dbname',`
`526`	`558`	`0,`
`527`	`559`	`log_like=>`
`528`		`- [qr/connection authenticated: identity="md5_role" method=password/]);`
	`560`	`+ [qr/connection authenticated: identity="scram_role" method=password/]);`
`529`	`561`
`530`	`562`	`# The third regexp does not match anymore.`
`531`	`563`	`reset_pg_hba($node,'/^.nomatch.$, baddb, /^regex_t.*ba$',`
`532`	`564`	`'all','password');`
`533`	`565`	`test_conn(`
`534`	`566`	`$node,`
`535`		`-'user=md5_role dbname=regex_testdb',`
	`567`	`+'user=scram_role dbname=regex_testdb',`
`536`	`568`	`'password, non matching regexp for dbname',`
`537`	`569`	`2,log_unlike=> [qr/connection authenticated:/]);`
`538`	`570`

`‎src/test/ssl/t/002_scram.pl`

Lines changed: 23 additions & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,9 @@ sub switch_server_cert`
`64`	`64`	`$ENV{PGPORT} =$node->port;`
`65`	`65`	`$node->start;`
`66`	`66`
	`67`	`+# could fail in FIPS mode`
	`68`	`+my$md5_works = ($node->psql('postgres',"select md5('')") == 0);`
	`69`	`+`
`67`	`70`	`# Configure server for SSL connections, with password handling.`
`68`	`71`	`$ssl_server->configure_test_server_for_ssl(`
`69`	`72`	`$node,$SERVERHOSTADDR,$SERVERHOSTCIDR,`
`@@ -91,12 +94,16 @@ sub switch_server_cert`
`91`	`94`	`"SCRAM with SSL and channel_binding=require");`
`92`	`95`
`93`	`96`	`# Now test when the user has an MD5-encrypted password; should fail`
`94`		`-$node->connect_fails(`
`95`		`-"$common_connstr user=md5testuser channel_binding=require",`
`96`		`-"MD5 with SSL and channel_binding=require",`
`97`		`-expected_stderr=>`
`98`		`-qr/channel binding required but not supported by server's authentication request/`
`99`		`-);`
	`97`	`+SKIP:`
	`98`	`+{`
	`99`	`+skip"MD5 not supported"unless$md5_works;`
	`100`	`+$node->connect_fails(`
	`101`	`+"$common_connstr user=md5testuser channel_binding=require",`
	`102`	`+"MD5 with SSL and channel_binding=require",`
	`103`	`+expected_stderr=>`
	`104`	`+qr/channel binding required but not supported by server's authentication request/`
	`105`	`+);`
	`106`	`+}`
`100`	`107`
`101`	`108`	`# Now test with auth method 'cert' by connecting to 'certdb'. Should fail,`
`102`	`109`	`# because channel binding is not performed. Note that ssl/client.key may`
`@@ -130,12 +137,16 @@ sub switch_server_cert`
`130`	`137`	`"$common_connstr user=ssltestuser channel_binding=disable require_auth=scram-sha-256",`
`131`	`138`	`"SCRAM with SSL, channel_binding=disable, and require_auth=scram-sha-256"`
`132`	`139`	`);`
`133`		`-$node->connect_fails(`
`134`		`-"$common_connstr user=md5testuser require_auth=md5 channel_binding=require",`
`135`		`-"channel_binding can fail even when require_auth succeeds",`
`136`		`-expected_stderr=>`
`137`		`-qr/channel binding required but not supported by server's authentication request/`
`138`		`-);`
	`140`	`+SKIP:`
	`141`	`+{`
	`142`	`+skip"MD5 not supported"unless$md5_works;`
	`143`	`+$node->connect_fails(`
	`144`	`+"$common_connstr user=md5testuser require_auth=md5 channel_binding=require",`
	`145`	`+"channel_binding can fail even when require_auth succeeds",`
	`146`	`+expected_stderr=>`
	`147`	`+qr/channel binding required but not supported by server's authentication request/`
	`148`	`+);`
	`149`	`+}`
`139`	`150`	`$node->connect_ok(`
`140`	`151`	`"$common_connstr user=ssltestuser channel_binding=require require_auth=scram-sha-256",`
`141`	`152`	`"SCRAM with SSL, channel_binding=require, and require_auth=scram-sha-256"`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit284cbae

File tree

2 files changed

2 files changed

`‎src/test/authentication/t/001_password.pl`

`‎src/test/ssl/t/002_scram.pl`

0 commit comments