NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commite48b19c

committed

Generate new LOG for "trust" connections under log_connections

Adding an extra LOG for connections that have not set an authn ID, likewhen the "trust" authentication method is used, is useful for auditpurposes.A couple of TAP tests for SSL and authentication need to be tweaked toadapt to this new LOG generated, as some scenarios expected no logs butthey now get a hit.Reported-by: Shaun ThomasAuthor: Jacob ChampionReviewed-by: Robert Haas, Michael PaquierDiscussion:https://postgr.es/m/CAFdbL1N7-GF-ZXKaB3XuGA+CkSmnjFvqb8hgjMnDfd+uhL2u-A@mail.gmail.com

1 parent1a4fd77 commite48b19cCopy full SHA for e48b19c

File tree

3 files changed

+24

-8

lines changed

src
- backend/libpq
  - auth.c
- test
  - authentication/t
    - 001_password.pl
  - ssl/t
    - 001_ssltests.pl

3 files changed

+24

-8

lines changed

`‎src/backend/libpq/auth.c`

Lines changed: 16 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -645,6 +645,22 @@ ClientAuthentication(Port *port)`
`645`	`645`	`#endif`
`646`	`646`	`}`
`647`	`647`
	`648`	`+if (Log_connections&&status==STATUS_OK&&`
	`649`	`+!MyClientConnectionInfo.authn_id)`
	`650`	`+{`
	`651`	`+/*`
	`652`	`+ * Normally, if log_connections is set, the call to set_authn_id()`
	`653`	`+ * will log the connection. However, if that function is never`
	`654`	`+ * called, perhaps because the trust method is in use, then we handle`
	`655`	`+ * the logging here instead.`
	`656`	`+ */`
	`657`	`+ereport(LOG,`
	`658`	`+errmsg("connection authenticated: user=\"%s\" method=%s "`
	`659`	`+"(%s:%d)",`
	`660`	`+port->user_name,hba_authname(port->hba->auth_method),`
	`661`	`+port->hba->sourcefile,port->hba->linenumber));`
	`662`	`+}`
	`663`	`+`
`648`	`664`	`if (ClientAuthentication_hook)`
`649`	`665`	`(*ClientAuthentication_hook) (port,status);`
`650`	`666`

`‎src/test/authentication/t/001_password.pl`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -136,13 +136,13 @@ sub test_conn`
`136`	`136`	`# Create a database to test regular expression.`
`137`	`137`	`$node->safe_psql('postgres',"CREATE database regex_testdb;");`
`138`	`138`
`139`		`-# For "trust" method, all users should be able to connect. These users are not`
`140`		`-# considered to be authenticated.`
	`139`	`+# For "trust" method, all users should be able to connect.`
`141`	`140`	`reset_pg_hba($node,'all','all','trust');`
`142`	`141`	`test_conn($node,'user=scram_role','trust', 0,`
`143`		`-log_unlike=> [qr/connection authenticated:/]);`
	`142`	`+log_like=>`
	`143`	`+ [qr/connection authenticated: user="scram_role" method=trust/]);`
`144`	`144`	`test_conn($node,'user=md5_role','trust', 0,`
`145`		`-log_unlike=> [qr/connection authenticated:/]);`
	`145`	`+log_like=> [qr/connection authenticated: user="md5_role" method=trust/]);`
`146`	`146`
`147`	`147`	`# SYSTEM_USER is null when not authenticated.`
`148`	`148`	`$res =$node->safe_psql('postgres',"SELECT SYSTEM_USER IS NULL;");`

`‎src/test/ssl/t/001_ssltests.pl`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -800,8 +800,8 @@ sub switch_server_cert`
`800`	`800`	`"$common_connstr user=ssltestuser sslcert=ssl/client.crt"`
`801`	`801`	`. sslkey('client.key'),`
`802`	`802`	`"auth_option clientcert=verify-full succeeds with matching username and Common Name",`
`803`		`-# verify-full does not provide authentication`
`804`		`-log_unlike=> [qr/connection authenticated:/],);`
	`803`	`+log_like=>`
	`804`	`+ [qr/connection authenticated: user="ssltestuser" method=trust/],);`
`805`	`805`
`806`	`806`	`$node->connect_fails(`
`807`	`807`	`"$common_connstr user=anotheruser sslcert=ssl/client.crt"`
`@@ -818,8 +818,8 @@ sub switch_server_cert`
`818`	`818`	`"$common_connstr user=yetanotheruser sslcert=ssl/client.crt"`
`819`	`819`	`. sslkey('client.key'),`
`820`	`820`	`"auth_option clientcert=verify-ca succeeds with mismatching username and Common Name",`
`821`		`-# verify-full does not provide authentication`
`822`		`-log_unlike=> [qr/connection authenticated:/],);`
	`821`	`+log_like=>`
	`822`	`+ [qr/connection authenticated: user="yetanotheruser" method=trust/],);`
`823`	`823`
`824`	`824`	`# intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file`
`825`	`825`	`switch_server_cert($node,certfile=>'server-cn-only',cafile=>'root_ca');`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commite48b19c

File tree

3 files changed

3 files changed

`‎src/backend/libpq/auth.c`

`‎src/test/authentication/t/001_password.pl`

`‎src/test/ssl/t/001_ssltests.pl`

0 commit comments