Commit2bd0735

committed
Clean up management of IP addresses in our SSL tests.
Instead of hard-wiring the netmask as /32, allow it to be specified where we specify the server address. This will ease changing the test to use IPv6, when/if somebody wants to do that. Also remove the hard-wired pg_hba.conf entries for IPv6 (::1/128). These have never had any usefulness, because the client side of the tests has always explicitly connected to $SERVERHOSTADDR, which has always been set to IPv4 (127.0.0.1). All they accomplish is to break the test on non-IPv6-supporting hosts, and besides that they violate the express intent of the code to minimize the server's range of allowed connections. This could be back-patched, perhaps, but for now I don't see a need to. Discussion: https://postgr.es/m/1899.1578356089@sss.pgh.pa.us
1 parente369f37 commit2bd0735

3 files changed

+21
-17
lines changed


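--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -26,6 +26,8 @@
 # hostname, because the server certificate is always for the domain
 # postgresql-ssl-regression.test.
 my$SERVERHOSTADDR ='127.0.0.1';
+# This is the pattern to use in pg_hba.conf to match incoming connections.
+my$SERVERHOSTCIDR ='127.0.0.1/32';
 
 # Allocation of base connection string shared among multiple tests.
 my$common_connstr;
@@ -66,7 +68,8 @@
 my$result =$node->safe_psql('postgres',"SHOW ssl_library");
 is($result,'OpenSSL','ssl_library parameter');
 
-configure_test_server_for_ssl($node,$SERVERHOSTADDR,'trust');
+configure_test_server_for_ssl($node,$SERVERHOSTADDR,$SERVERHOSTCIDR,
+'trust');
 
 note"testing password-protected keys";
 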
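Review bot: The new `$SERVERHOSTCIDR` must contain `$SERVERHOSTADDR`, since the client always connects to the latter and pg_hba.conf now only admits the former, yet nothing in the file records that coupling beyond their adjacency. A comment on the added line, such as `# Must cover $SERVERHOSTADDR, or every test connection will be rejected by pg_hba.conf.`, would make the dependency explicit for whoever switches the test to IPv6. The same applies to the identical declaration added in 002_scram.pl.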
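--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -20,6 +20,8 @@
 
 # This is the hostname used to connect to the server.
 my$SERVERHOSTADDR ='127.0.0.1';
+# This is the pattern to use in pg_hba.conf to match incoming connections.
+my$SERVERHOSTCIDR ='127.0.0.1/32';
 
 # Determine whether build supports tls-server-end-point.
 my$supports_tls_server_end_point =
@@ -43,8 +45,8 @@
 $node->start;
 
 # Configure server for SSL connections, with password handling.
-configure_test_server_for_ssl($node,$SERVERHOSTADDR,"scram-sha-256",
-"pass","scram-sha-256");
+configure_test_server_for_ssl($node,$SERVERHOSTADDR,$SERVERHOSTCIDR,
+"scram-sha-256","pass","scram-sha-256");
 switch_server_cert($node,'server-cn-only');
 $ENV{PGPASSWORD} ="pass";
 $common_connstr =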
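--- a/src/test/ssl/t/SSLServer.pm
+++ b/src/test/ssl/t/SSLServer.pm
@@ -94,9 +94,12 @@ sub copy_files
 return;
 }
 
+# serverhost: what to put in listen_addresses, e.g. '127.0.0.1'
+# servercidr: what to put in pg_hba.conf, e.g. '127.0.0.1/32'
 subconfigure_test_server_for_ssl
 {
-my ($node,$serverhost,$authmethod,$password,$password_enc) =@_;
+my ($node,$serverhost,$servercidr,$authmethod,$password,
+$password_enc) =@_;
 
 my$pgdata =$node->data_dir;
 
@@ -153,7 +156,7 @@ sub configure_test_server_for_ssl
 $node->restart;
 
 # Change pg_hba after restart because hostssl requires ssl=on
-configure_hba_for_ssl($node,$serverhost,$authmethod);
+configure_hba_for_ssl($node,$servercidr,$authmethod);
 
 return;
 }
@@ -181,32 +184,28 @@ sub switch_server_cert
 
 subconfigure_hba_for_ssl
 {
-my ($node,$serverhost,$authmethod) =@_;
+my ($node,$servercidr,$authmethod) =@_;
 my$pgdata =$node->data_dir;
 
-# Only accept SSL connections fromlocalhost. Our tests don't depend on this
+# Only accept SSL connections from$servercidr. Our tests don't depend on this
 # but seems best to keep it as narrow as possible for security reasons.
 #
 # When connecting to certdb, also check the client certificate.
 openmy$hba,'>',"$pgdata/pg_hba.conf";
 print$hba
 "# TYPE DATABASE USER ADDRESS METHOD OPTIONS\n";
 print$hba
-"hostssl trustdb md5testuser$serverhost/32 md5\n";
+"hostssl trustdb md5testuser$servercidr md5\n";
 print$hba
-"hostssl trustdb all$serverhost/32$authmethod\n";
+"hostssl trustdb all$servercidr$authmethod\n";
 print$hba
-"hostssltrustdb all::1/128$authmethod\n";
+"hostsslverifydbssltestuser$servercidr$authmethodclientcert=verify-full\n";
 print$hba
-"hostssl verifydbssltestuser$serverhost/32$authmethod clientcert=verify-full\n";
+"hostssl verifydbanotheruser$servercidr$authmethod clientcert=verify-full\n";
 print$hba
-"hostssl verifydbanotheruser$serverhost/32$authmethod clientcert=verify-full\n";
+"hostssl verifydbyetanotheruser$servercidr$authmethod clientcert=verify-ca\n";
 print$hba
-"hostssl verifydb yetanotheruser$serverhost/32$authmethod clientcert=verify-ca\n";
-print$hba
-"hostssl certdb all$serverhost/32 cert\n";
-print$hba
-"hostssl certdb all ::1/128 cert\n";
+"hostssl certdb all$servercidr cert\n";
 close$hba;
 return;
 }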
