
Commit 7622422

committed
Add checks for regexes with user name map in test for peer authentication
There is already some coverage for that in the kerberos test suite, though it requires PG_TEST_EXTRA to be set as per its insecure nature. This provides coverage in a default setup, as long as peer is supported on the platform where its test is run. Author: Bertrand Drouvot Discussion: https://postgr.es/m/7f87ca27-e184-29da-15d6-8be4325ad02e@gmail.com
1 parent d575347 commit 7622422


1 file changed

+55
-5
lines changed


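--- a/src/test/authentication/t/003_peer.pl
+++ b/src/test/authentication/t/003_peer.pl
@@ -23,18 +23,34 @@ sub reset_pg_hba
 return;
 }
 
+# Delete pg_ident.conf from the given node, add a new entry to it
+# and then execute a reload to refresh it.
+sub reset_pg_ident
+{
+my $node = shift;
+my $map_name = shift;
+my $system_user = shift;
+my $pg_user = shift;
+
+unlink($node->data_dir . '/pg_ident.conf');
+$node->append_conf('pg_ident.conf', "$map_name $system_user $pg_user");
+$node->reload;
+return;
+}
+
 # Test access for a single role, useful to wrap all tests into one.
 sub test_role
 {
 local $Test::Builder::Level = $Test::Builder::Level + 1;
 
-my ($node, $role, $method, $expected_res, %params) = @_;
+my ($node, $role, $method, $expected_res, $test_details, %params) = @_;
 my $status_string = 'failed';
 $status_string = 'success' if ($expected_res eq 0);
 
 my $connstr = "user=$role";
 my $testname =
-"authentication $status_string for method $method, role $role";
+"authentication $status_string for method $method, role $role "
+. $test_details;
 
 if ($expected_res eq 0)
 {
@@ -87,16 +103,50 @@ sub find_in_log
 # Tests without the user name map.
 # Failure as connection is attempted with a database role not mapping
 # to an authorized system user.
-test_role($node, qq{testmapuser}, 'peer', 2,
+test_role(
+$node, qq{testmapuser}, 'peer', 2,
+'without user name map',
 log_like => [qr/Peer authentication failed for user "testmapuser"/]);
 
 # Tests with a user name map.
-$node->append_conf('pg_ident.conf', qq{mypeermap $system_user testmapuser});
+reset_pg_ident($node, 'mypeermap', $system_user, 'testmapuser');
 reset_pg_hba($node, 'peer map=mypeermap');
 
 # Success as the database role matches with the system user in the map.
-test_role($node, qq{testmapuser}, 'peer', 0,
+test_role($node, qq{testmapuser}, 'peer', 0, 'with user name map',
 log_like =>
 [qr/connection authenticated: identity="$system_user" method=peer/]);
 
+# Test with regular expression in user name map.
+# Extract the last 3 characters from the system_user
+# or the entire system_user (if its length is <= -3).
+my $regex_test_string = substr($system_user, -3);
+
+# Success as the regular expression matches.
+reset_pg_ident($node, 'mypeermap', qq{/^.*$regex_test_string\$},
+'testmapuser');
+test_role(
+$node,
+qq{testmapuser},
+'peer',
+0,
+'with regular expression in user name map',
+log_like =>
+[qr/connection authenticated: identity="$system_user" method=peer/]);
+
+
+# Concatenate system_user to system_user.
+$regex_test_string = $system_user . $system_user;
+
+# Failure as the regular expression does not match.
+reset_pg_ident($node, 'mypeermap', qq{/^.*$regex_test_string\$},
+'testmapuser');
+test_role(
+$node,
+qq{testmapuser},
+'peer',
+2,
+'with regular expression in user name map',
+log_like => [qr/no match in usermap "mypeermap" for user "testmapuser"/]);
+
 done_testing();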
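Review bot: The regex map entries written at new lines 126 and 142 interpolate `$regex_test_string`, which is taken directly from the OS user name, into `qq{/^.*$regex_test_string\$}` with no escaping. A name whose tail holds regex metacharacters or whitespace would presumably yield a pattern, or a pg_ident.conf line, that no longer means "ends with this literal text", so the positive case could fail or pass for a reason other than the one being tested. Either escape the value before writing it or record the assumption beside the `substr` call, for example `# We trust this will not include any regex metacharacters.` The comment at new line 122 also reads `<= -3` where the length bound it describes is `<= 3`.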
