|
| 1 | +# Set of tests for authentication and pg_hba.conf. The following password |
| 2 | +# methods are checked through this test: |
| 3 | +# - Plain |
| 4 | +# - MD5-encrypted |
| 5 | +# - SCRAM-encrypted |
| 6 | +# This test cannot run on Windows as Postgres cannot be set up with Unix |
| 7 | +# sockets and needs to go through SSPI. |
| 8 | + |
| 9 | +use strict; |
| 10 | +use warnings; |
| 11 | +use PostgresNode; |
| 12 | +use TestLib; |
| 13 | +use Test::Moretests=> 12; |
| 14 | + |
| 15 | +# Delete pg_hba.conf from the given node, add a new entry to it |
| 16 | +# and then execute a reload to refresh it. |
| 17 | +subreset_pg_hba |
| 18 | +{ |
| 19 | +my$node =shift; |
| 20 | +my$hba_method =shift; |
| 21 | + |
| 22 | +unlink($node->data_dir .'/pg_hba.conf'); |
| 23 | +$node->append_conf('pg_hba.conf',"local all all$hba_method"); |
| 24 | +$node->reload; |
| 25 | +} |
| 26 | + |
| 27 | +# Test access for a single role, useful to wrap all tests into one. |
| 28 | +subtest_role |
| 29 | +{ |
| 30 | +my$node =shift; |
| 31 | +my$role =shift; |
| 32 | +my$method =shift; |
| 33 | +my$expected_res =shift; |
| 34 | +my$status_string ='failed'; |
| 35 | + |
| 36 | +$status_string ='success'if ($expected_reseq 0); |
| 37 | + |
| 38 | +my$res =$node->psql('postgres','SELECT 1',extra_params=> ['-U',$role]); |
| 39 | +is($res,$expected_res, |
| 40 | +"authentication$status_string for method$method, role$role"); |
| 41 | +} |
| 42 | + |
| 43 | +SKIP: |
| 44 | +{ |
| 45 | +skip"authentication tests cannot run on Windows", 12if ($windows_os); |
| 46 | + |
| 47 | +# Initialize master node |
| 48 | +my$node = get_new_node('master'); |
| 49 | +$node->init; |
| 50 | +$node->start; |
| 51 | + |
| 52 | +# Create 3 roles with different password methods for each one. The same |
| 53 | +# password is used for all of them. |
| 54 | +$node->safe_psql('postgres',"CREATE ROLE scram_role LOGIN PASSWORD ('pass' USING 'scram');"); |
| 55 | +$node->safe_psql('postgres',"CREATE ROLE md5_role LOGIN PASSWORD ('pass' USING 'md5');"); |
| 56 | +$node->safe_psql('postgres',"CREATE ROLE plain_role LOGIN PASSWORD ('pass' USING 'plain');"); |
| 57 | +$ENV{"PGPASSWORD"} ='pass'; |
| 58 | + |
| 59 | +# For "trust" method, all users should be able to connect. |
| 60 | +reset_pg_hba($node,'trust'); |
| 61 | +test_role($node,'scram_role','trust', 0); |
| 62 | +test_role($node,'md5_role','trust', 0); |
| 63 | +test_role($node,'plain_role','trust', 0); |
| 64 | + |
| 65 | +# For "plain" method, users "plain_role" and "md5_role" should be able to |
| 66 | +# connect. |
| 67 | +reset_pg_hba($node,'password'); |
| 68 | +test_role($node,'scram_role','password', 2); |
| 69 | +test_role($node,'md5_role','password', 0); |
| 70 | +test_role($node,'plain_role','password', 0); |
| 71 | + |
| 72 | +# For "scram" method, only user "scram_role" should be able to connect. |
| 73 | +reset_pg_hba($node,'scram'); |
| 74 | +test_role($node,'scram_role','scram', 0); |
| 75 | +test_role($node,'md5_role','scram', 2); |
| 76 | +test_role($node,'plain_role','scram', 2); |
| 77 | + |
| 78 | +# For "md5" method, users "plain_role" and "md5_role" should be able to |
| 79 | +# connect. |
| 80 | +reset_pg_hba($node,'md5'); |
| 81 | +test_role($node,'scram_role','md5', 2); |
| 82 | +test_role($node,'md5_role','md5', 0); |
| 83 | +test_role($node,'plain_role','md5', 0); |
| 84 | +} |