Commit 8432a81

Add TAP tests for role membership in pg_hba.conf
This commit expands the coverage of pg_hba.conf with checks specific to role memberships (one "root" role combined with a member and a non-member). Coverage is added for the database keywords "samegroup" and "samerole", where the specified role has to be a member of the role with the same name as the requested database, and '+' on the user entry, where members are allowed. These tests are plugged in the authentication test 001_password.pl as of extra connection attempts combined with resets of pg_hba.conf, making them rather cheap.

Author: Nathan Bossart
Reviewed-by: Tom Lane, Michael Paquier
Discussion: https://postgr.es/m/20221009211348.GB900071@nathanxps13
1 parent 9fcdf2c, commit 8432a81

1 file changed: +126 -0 lines changed

src/test/authentication/t/001_password.pl

Lines changed: 126 additions & 0 deletions
@@ -200,4 +200,130 @@ sub test_conn
200200

201201
test_conn($node,'user=md5_role','password from pgpass', 0);
202202

203+
unlink($pgpassfile);
204+
delete$ENV{"PGPASSFILE"};
205+
206+
note"Authentication tests with specific HBA policies on roles";
207+
208+
# Create database and roles for membership tests
209+
reset_pg_hba($node,'all','all','trust');
210+
# Database and root role names match for "samerole" and "samegroup".
211+
$node->safe_psql('postgres',"CREATE DATABASE regress_regression_group;");
212+
$node->safe_psql(
213+
'postgres',
214+
qq{CREATE ROLE regress_regression_group LOGIN PASSWORD 'pass';
215+
CREATE ROLE regress_member LOGIN SUPERUSER IN ROLE regress_regression_group PASSWORD 'pass';
216+
CREATE ROLE regress_not_member LOGIN SUPERUSER PASSWORD 'pass';});
217+
218+
# Test role with exact matching, no members allowed.
219+
$ENV{"PGPASSWORD"} ='pass';
220+
reset_pg_hba($node,'all','regress_regression_group','scram-sha-256');
221+
test_conn(
222+
$node,
223+
'user=regress_regression_group',
224+
'scram-sha-256',
225+
0,
226+
log_like=> [
227+
qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
228+
]);
229+
test_conn(
230+
$node,
231+
'user=regress_member',
232+
'scram-sha-256',
233+
2,
234+
log_unlike=> [
235+
qr/connection authenticated: identity="regress_member" method=scram-sha-256/
236+
]);
237+
test_conn(
238+
$node,
239+
'user=regress_not_member',
240+
'scram-sha-256',
241+
2,
242+
log_unlike=> [
243+
qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
244+
]);
245+
246+
# Test role membership with '+', where all the members are allowed
247+
# to connect.
248+
reset_pg_hba($node,'all','+regress_regression_group','scram-sha-256');
249+
test_conn(
250+
$node,
251+
'user=regress_regression_group',
252+
'scram-sha-256',
253+
0,
254+
log_like=> [
255+
qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
256+
]);
257+
test_conn(
258+
$node,
259+
'user=regress_member',
260+
'scram-sha-256',
261+
0,
262+
log_like=> [
263+
qr/connection authenticated: identity="regress_member" method=scram-sha-256/
264+
]);
265+
test_conn(
266+
$node,
267+
'user=regress_not_member',
268+
'scram-sha-256',
269+
2,
270+
log_unlike=> [
271+
qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
272+
]);
273+
274+
# Test role membership is respected for samerole
275+
$ENV{"PGDATABASE"} ='regress_regression_group';
276+
reset_pg_hba($node,'samerole','all','scram-sha-256');
277+
test_conn(
278+
$node,
279+
'user=regress_regression_group',
280+
'scram-sha-256',
281+
0,
282+
log_like=> [
283+
qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
284+
]);
285+
test_conn(
286+
$node,
287+
'user=regress_member',
288+
'scram-sha-256',
289+
0,
290+
log_like=> [
291+
qr/connection authenticated: identity="regress_member" method=scram-sha-256/
292+
]);
293+
test_conn(
294+
$node,
295+
'user=regress_not_member',
296+
'scram-sha-256',
297+
2,
298+
log_unlike=> [
299+
qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
300+
]);
301+
302+
# Test role membership is respected for samegroup
303+
reset_pg_hba($node,'samegroup','all','scram-sha-256');
304+
test_conn(
305+
$node,
306+
'user=regress_regression_group',
307+
'scram-sha-256',
308+
0,
309+
log_like=> [
310+
qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
311+
]);
312+
test_conn(
313+
$node,
314+
'user=regress_member',
315+
'scram-sha-256',
316+
0,
317+
log_like=> [
318+
qr/connection authenticated: identity="regress_member" method=scram-sha-256/
319+
]);
320+
test_conn(
321+
$node,
322+
'user=regress_not_member',
323+
'scram-sha-256',
324+
2,
325+
log_unlike=> [
326+
qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
327+
]);
328+
203329
done_testing();
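
Review bot: At new line 275, `$ENV{"PGDATABASE"} = 'regress_regression_group';` is set for the samerole block and never cleared, so the samegroup block relies on it without saying so and any test later appended before `done_testing()` would silently connect to that database; `$ENV{"PGPASSWORD"} = 'pass';` at line 219 is left in place the same way. The hunk already cleans up after itself for the password file with `delete $ENV{"PGPASSFILE"};` at line 204, so I would either delete both variables after the samegroup tests or pass `dbname=regress_regression_group` in the connection string of the calls that need it. Separately, lines 215-216 create regress_member and regress_not_member as SUPERUSER with no comment explaining the choice; if the intent is to show that superuser status alone does not count as membership for '+', "samerole" and "samegroup", a one-line comment next to the CREATE ROLE statements would keep someone from dropping the attribute later and weakening the regress_not_member cases.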
