diff options
| author | Peter Eisentraut | 2017-11-18 15:07:57 +0000 |
|---|---|---|
| committer | Peter Eisentraut | 2017-11-18 15:15:54 +0000 |
| commit | 9288d62bb4b6f302bf13bb2fed3783b61385f315 (patch) | |
| tree | 2b6fa3bf8940b1f8d2ec77fc367fd750de82390d /src/test/ssl/ServerSetup.pm | |
| parent | 611fe7d4793ba6516e839dc50b5319b990283f4f (diff) | |
Support channel binding 'tls-unique' in SCRAM
This is the basic feature set using OpenSSL to support the feature. In
order to allow the frontend and the backend to fetch the sent and
expected TLS Finished messages, a PG-like API is added to be able to
make the interface pluggable for other SSL implementations.
This commit also adds a infrastructure to facilitate the addition of
future channel binding types as well as libpq parameters to control the
SASL mechanism names and channel binding names. Those will be added by
upcoming commits.
Some tests are added to the SSL test suite to test SCRAM authentication
with channel binding.
Author: Michael Paquier <michael@paquier.xyz>
Reviewed-by: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
Diffstat (limited to 'src/test/ssl/ServerSetup.pm')
| -rw-r--r-- | src/test/ssl/ServerSetup.pm | 27 |
1 files changed, 18 insertions, 9 deletions
diff --git a/src/test/ssl/ServerSetup.pm b/src/test/ssl/ServerSetup.pm index ad2e036602b..02f8028b2b6 100644 --- a/src/test/ssl/ServerSetup.pm +++ b/src/test/ssl/ServerSetup.pm @@ -57,19 +57,21 @@ sub test_connect_ok { my $common_connstr = $_[0]; my $connstr = $_[1]; + my $test_name = $_[2]; my $result = run_test_psql("$common_connstr $connstr", "(should succeed)"); - ok($result, $connstr); + ok($result, $test_name || $connstr); } sub test_connect_fails { my $common_connstr = $_[0]; my $connstr = $_[1]; + my $test_name = $_[2]; my $result = run_test_psql("$common_connstr $connstr", "(should fail)"); - ok(!$result, "$connstr (should fail)"); + ok(!$result, $test_name || "$connstr (should fail)"); } # Copy a set of files, taking into account wildcards @@ -89,8 +91,7 @@ sub copy_files sub configure_test_server_for_ssl { - my $node = $_[0]; - my $serverhost = $_[1]; + my ($node, $serverhost, $authmethod, $password, $password_enc) = @_; my $pgdata = $node->data_dir; @@ -100,6 +101,15 @@ sub configure_test_server_for_ssl $node->psql('postgres', "CREATE DATABASE trustdb"); $node->psql('postgres', "CREATE DATABASE certdb"); + # Update password of each user as needed. + if (defined($password)) + { + $node->psql('postgres', +"SET password_encryption='$password_enc'; ALTER USER ssltestuser PASSWORD '$password';"); + $node->psql('postgres', +"SET password_encryption='$password_enc'; ALTER USER anotheruser PASSWORD '$password';"); + } + # enable logging etc. open my $conf, '>>', "$pgdata/postgresql.conf"; print $conf "fsync=off\n"; @@ -129,7 +139,7 @@ sub configure_test_server_for_ssl $node->restart; # Change pg_hba after restart because hostssl requires ssl=on - configure_hba_for_ssl($node, $serverhost); + configure_hba_for_ssl($node, $serverhost, $authmethod); } # Change the configuration to use given server cert file, and reload @@ -157,8 +167,7 @@ sub switch_server_cert sub configure_hba_for_ssl { - my $node = $_[0]; - my $serverhost = $_[1]; + my ($node, $serverhost, $authmethod) = @_; my $pgdata = $node->data_dir; # Only accept SSL connections from localhost. Our tests don't depend on this @@ -169,9 +178,9 @@ sub configure_hba_for_ssl print $hba "# TYPE DATABASE USER ADDRESS METHOD\n"; print $hba -"hostssl trustdb ssltestuser $serverhost/32 trust\n"; +"hostssl trustdb ssltestuser $serverhost/32 $authmethod\n"; print $hba -"hostssl trustdb ssltestuser ::1/128 trust\n"; +"hostssl trustdb ssltestuser ::1/128 $authmethod\n"; print $hba "hostssl certdb ssltestuser $serverhost/32 cert\n"; print $hba |