Skip to content

Commit 8432a81

Browse files
michaelpqmichaelpq
committed
Add TAP tests for role membership in pg_hba.conf
This commit expands the coverage of pg_hba.conf with checks specific to role memberships (one "root" role combined with a member and a non-member). Coverage is added for the database keywords "samegroup" and "samerole", where the specified role has to be be a member of the role with the same name as the requested database, and '+' on the user entry, where members are allowed. These tests are plugged in the authentication test 001_password.pl as of extra connection attempts combined with resets of pg_hba.conf, making them rather cheap. Author: Nathan Bossart Reviewed-by: Tom Lane, Michael Paquier Discussion: https://postgr.es/m/20221009211348.GB900071@nathanxps13
1 parent 9fcdf2c commit 8432a81

File tree

1 file changed

+126
-0
lines changed

1 file changed

+126
-0
lines changed

src/test/authentication/t/001_password.pl

Lines changed: 126 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -200,4 +200,130 @@ sub test_conn
200200

201201
test_conn($node, 'user=md5_role', 'password from pgpass', 0);
202202

203+
unlink($pgpassfile);
204+
delete $ENV{"PGPASSFILE"};
205+
206+
note "Authentication tests with specific HBA policies on roles";
207+
208+
# Create database and roles for membership tests
209+
reset_pg_hba($node, 'all', 'all', 'trust');
210+
# Database and root role names match for "samerole" and "samegroup".
211+
$node->safe_psql('postgres', "CREATE DATABASE regress_regression_group;");
212+
$node->safe_psql(
213+
'postgres',
214+
qq{CREATE ROLE regress_regression_group LOGIN PASSWORD 'pass';
215+
CREATE ROLE regress_member LOGIN SUPERUSER IN ROLE regress_regression_group PASSWORD 'pass';
216+
CREATE ROLE regress_not_member LOGIN SUPERUSER PASSWORD 'pass';});
217+
218+
# Test role with exact matching, no members allowed.
219+
$ENV{"PGPASSWORD"} = 'pass';
220+
reset_pg_hba($node, 'all', 'regress_regression_group', 'scram-sha-256');
221+
test_conn(
222+
$node,
223+
'user=regress_regression_group',
224+
'scram-sha-256',
225+
0,
226+
log_like => [
227+
qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
228+
]);
229+
test_conn(
230+
$node,
231+
'user=regress_member',
232+
'scram-sha-256',
233+
2,
234+
log_unlike => [
235+
qr/connection authenticated: identity="regress_member" method=scram-sha-256/
236+
]);
237+
test_conn(
238+
$node,
239+
'user=regress_not_member',
240+
'scram-sha-256',
241+
2,
242+
log_unlike => [
243+
qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
244+
]);
245+
246+
# Test role membership with '+', where all the members are allowed
247+
# to connect.
248+
reset_pg_hba($node, 'all', '+regress_regression_group', 'scram-sha-256');
249+
test_conn(
250+
$node,
251+
'user=regress_regression_group',
252+
'scram-sha-256',
253+
0,
254+
log_like => [
255+
qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
256+
]);
257+
test_conn(
258+
$node,
259+
'user=regress_member',
260+
'scram-sha-256',
261+
0,
262+
log_like => [
263+
qr/connection authenticated: identity="regress_member" method=scram-sha-256/
264+
]);
265+
test_conn(
266+
$node,
267+
'user=regress_not_member',
268+
'scram-sha-256',
269+
2,
270+
log_unlike => [
271+
qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
272+
]);
273+
274+
# Test role membership is respected for samerole
275+
$ENV{"PGDATABASE"} = 'regress_regression_group';
276+
reset_pg_hba($node, 'samerole', 'all', 'scram-sha-256');
277+
test_conn(
278+
$node,
279+
'user=regress_regression_group',
280+
'scram-sha-256',
281+
0,
282+
log_like => [
283+
qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
284+
]);
285+
test_conn(
286+
$node,
287+
'user=regress_member',
288+
'scram-sha-256',
289+
0,
290+
log_like => [
291+
qr/connection authenticated: identity="regress_member" method=scram-sha-256/
292+
]);
293+
test_conn(
294+
$node,
295+
'user=regress_not_member',
296+
'scram-sha-256',
297+
2,
298+
log_unlike => [
299+
qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
300+
]);
301+
302+
# Test role membership is respected for samegroup
303+
reset_pg_hba($node, 'samegroup', 'all', 'scram-sha-256');
304+
test_conn(
305+
$node,
306+
'user=regress_regression_group',
307+
'scram-sha-256',
308+
0,
309+
log_like => [
310+
qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
311+
]);
312+
test_conn(
313+
$node,
314+
'user=regress_member',
315+
'scram-sha-256',
316+
0,
317+
log_like => [
318+
qr/connection authenticated: identity="regress_member" method=scram-sha-256/
319+
]);
320+
test_conn(
321+
$node,
322+
'user=regress_not_member',
323+
'scram-sha-256',
324+
2,
325+
log_unlike => [
326+
qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
327+
]);
328+
203329
done_testing();

0 commit comments

Comments
 (0)