Clean up management of IP addresses in our SSL tests.

Instead of hard-wiring the netmask as /32, allow it to be specified
where we specify the server address.  This will ease changing the
test to use IPv6, when/if somebody wants to do that.

Also remove the hard-wired pg_hba.conf entries for IPv6 (::1/128).
These have never had any usefulness, because the client side
of the tests has always explicitly connected to $SERVERHOSTADDR
which has always been set to IPv4 (127.0.0.1).  All they accomplish
is to break the test on non-IPv6-supporting hosts, and besides
that they violate the express intent of the code to minimize the
server's range of allowed connections.

This could be back-patched, perhaps, but for now I don't see
a need to.

Discussion: https://postgr.es/m/1899.1578356089@sss.pgh.pa.us

diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 93e2b7947a6fdb347b1a2021cede83461ee3190a..83fcd5e839a2510c3d8b042635b9964bdc869b88 100644 (file)
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -26,6 +26,8 @@ else
 # hostname, because the server certificate is always for the domain
 # postgresql-ssl-regression.test.
 my $SERVERHOSTADDR = '127.0.0.1';
+# This is the pattern to use in pg_hba.conf to match incoming connections.
+my $SERVERHOSTCIDR = '127.0.0.1/32';
 
 # Allocation of base connection string shared among multiple tests.
 my $common_connstr;
@@ -66,7 +68,8 @@ $node->start;
 my $result = $node->safe_psql('postgres', "SHOW ssl_library");
 is($result, 'OpenSSL', 'ssl_library parameter');
 
-configure_test_server_for_ssl($node, $SERVERHOSTADDR, 'trust');
+configure_test_server_for_ssl($node, $SERVERHOSTADDR, $SERVERHOSTCIDR,
+   'trust');
 
 note "testing password-protected keys";
 

diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index c08aa19aee5affa621ee2febe7ab64141fe5120b..a6642f88592e2ace31838c4a12b87961744ed306 100644 (file)
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -20,6 +20,8 @@ if ($ENV{with_openssl} ne 'yes')
 
 # This is the hostname used to connect to the server.
 my $SERVERHOSTADDR = '127.0.0.1';
+# This is the pattern to use in pg_hba.conf to match incoming connections.
+my $SERVERHOSTCIDR = '127.0.0.1/32';
 
 # Determine whether build supports tls-server-end-point.
 my $supports_tls_server_end_point =
@@ -43,8 +45,8 @@ $ENV{PGPORT} = $node->port;
 $node->start;
 
 # Configure server for SSL connections, with password handling.
-configure_test_server_for_ssl($node, $SERVERHOSTADDR, "scram-sha-256",
-   "pass", "scram-sha-256");
+configure_test_server_for_ssl($node, $SERVERHOSTADDR, $SERVERHOSTCIDR,
+   "scram-sha-256", "pass", "scram-sha-256");
 switch_server_cert($node, 'server-cn-only');
 $ENV{PGPASSWORD} = "pass";
 $common_connstr =

diff --git a/src/test/ssl/t/SSLServer.pm b/src/test/ssl/t/SSLServer.pm
index 005955a2ff736ea094c4bee504c47a66f8566026..1e392b8fbf614f820c275dedf77af2364f17a6ed 100644 (file)
--- a/src/test/ssl/t/SSLServer.pm
+++ b/src/test/ssl/t/SSLServer.pm
@@ -94,9 +94,12 @@ sub copy_files
    return;
 }
 
+# serverhost: what to put in listen_addresses, e.g. '127.0.0.1'
+# servercidr: what to put in pg_hba.conf, e.g. '127.0.0.1/32'
 sub configure_test_server_for_ssl
 {
-   my ($node, $serverhost, $authmethod, $password, $password_enc) = @_;
+   my ($node, $serverhost, $servercidr, $authmethod, $password,
+       $password_enc) = @_;
 
    my $pgdata = $node->data_dir;
 
@@ -153,7 +156,7 @@ sub configure_test_server_for_ssl
    $node->restart;
 
    # Change pg_hba after restart because hostssl requires ssl=on
-   configure_hba_for_ssl($node, $serverhost, $authmethod);
+   configure_hba_for_ssl($node, $servercidr, $authmethod);
 
    return;
 }
@@ -181,10 +184,10 @@ sub switch_server_cert
 
 sub configure_hba_for_ssl
 {
-   my ($node, $serverhost, $authmethod) = @_;
+   my ($node, $servercidr, $authmethod) = @_;
    my $pgdata = $node->data_dir;
 
-   # Only accept SSL connections from localhost. Our tests don't depend on this
+   # Only accept SSL connections from $servercidr. Our tests don't depend on this
    # but seems best to keep it as narrow as possible for security reasons.
    #
    # When connecting to certdb, also check the client certificate.
@@ -192,21 +195,17 @@ sub configure_hba_for_ssl
    print $hba
      "# TYPE  DATABASE        USER            ADDRESS                 METHOD             OPTIONS\n";
    print $hba
-     "hostssl trustdb         md5testuser     $serverhost/32            md5\n";
+     "hostssl trustdb         md5testuser     $servercidr            md5\n";
    print $hba
-     "hostssl trustdb         all             $serverhost/32            $authmethod\n";
+     "hostssl trustdb         all             $servercidr            $authmethod\n";
    print $hba
-     "hostssl trustdb         all             ::1/128                 $authmethod\n";
+     "hostssl verifydb        ssltestuser     $servercidr            $authmethod        clientcert=verify-full\n";
    print $hba
-     "hostssl verifydb        ssltestuser     $serverhost/32          $authmethod        clientcert=verify-full\n";
+     "hostssl verifydb        anotheruser     $servercidr            $authmethod        clientcert=verify-full\n";
    print $hba
-     "hostssl verifydb        anotheruser     $serverhost/32          $authmethod        clientcert=verify-full\n";
+     "hostssl verifydb        yetanotheruser  $servercidr            $authmethod        clientcert=verify-ca\n";
    print $hba
-     "hostssl verifydb        yetanotheruser  $serverhost/32          $authmethod        clientcert=verify-ca\n";
-   print $hba
-     "hostssl certdb          all             $serverhost/32            cert\n";
-   print $hba
-     "hostssl certdb          all             ::1/128                 cert\n";
+     "hostssl certdb          all             $servercidr            cert\n";
    close $hba;
    return;
 }