1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
# Copyright (c) 2021-2022, PostgreSQL Global Development Group
# Tests for peer authentication and user name map.
# The test is skipped if the platform does not support peer authentication.
use strict;
use warnings;
use PostgreSQL::Test::Cluster;
use PostgreSQL::Test::Utils;
use Test::More;
# Delete pg_hba.conf from the given node, add a new entry to it
# and then execute a reload to refresh it.
sub reset_pg_hba
{
my $node = shift;
my $hba_method = shift;
unlink($node->data_dir . '/pg_hba.conf');
$node->append_conf('pg_hba.conf', "local all all $hba_method");
$node->reload;
return;
}
# Test access for a single role, useful to wrap all tests into one.
sub test_role
{
local $Test::Builder::Level = $Test::Builder::Level + 1;
my ($node, $role, $method, $expected_res, %params) = @_;
my $status_string = 'failed';
$status_string = 'success' if ($expected_res eq 0);
my $connstr = "user=$role";
my $testname =
"authentication $status_string for method $method, role $role";
if ($expected_res eq 0)
{
$node->connect_ok($connstr, $testname, %params);
}
else
{
# No checks of the error message, only the status code.
$node->connect_fails($connstr, $testname, %params);
}
}
# Find $pattern in log file of $node.
sub find_in_log
{
my ($node, $offset, $pattern) = @_;
my $log = PostgreSQL::Test::Utils::slurp_file($node->logfile, $offset);
return 0 if (length($log) <= 0);
return $log =~ m/$pattern/;
}
my $node = PostgreSQL::Test::Cluster->new('node');
$node->init;
$node->append_conf('postgresql.conf', "log_connections = on\n");
$node->start;
# Set pg_hba.conf with the peer authentication.
reset_pg_hba($node, 'peer');
# Check if peer authentication is supported on this platform.
my $log_offset = -s $node->logfile;
$node->psql('postgres');
if (find_in_log(
$node, $log_offset,
qr/peer authentication is not supported on this platform/))
{
plan skip_all => 'peer authentication is not supported on this platform';
}
# Add a database role, to use for the user name map.
$node->safe_psql('postgres', qq{CREATE ROLE testmapuser LOGIN});
# Extract as well the system user for the user name map.
my $system_user =
$node->safe_psql('postgres',
q(select (string_to_array(SYSTEM_USER, ':'))[2]));
# Tests without the user name map.
# Failure as connection is attempted with a database role not mapping
# to an authorized system user.
test_role($node, qq{testmapuser}, 'peer', 2,
log_like => [qr/Peer authentication failed for user "testmapuser"/]);
# Tests with a user name map.
$node->append_conf('pg_ident.conf', qq{mypeermap $system_user testmapuser});
reset_pg_hba($node, 'peer map=mypeermap');
# Success as the database role matches with the system user in the map.
test_role($node, qq{testmapuser}, 'peer', 0,
log_like =>
[qr/connection authenticated: identity="$system_user" method=peer/]);
done_testing();
|
