| 1 | +use strict; |
| 2 | +use warnings; |
| 3 | + |
| 4 | +use File::Copy; |
| 5 | + |
| 6 | +use TestLib; |
| 7 | +use Test::More; |
| 8 | +use PostgresNode; |
| 9 | + |
| 10 | +unless (($ENV{with_openssl} || 'no') eq 'yes') |
| 11 | +{ |
| 12 | + plan skip_all => 'SSL not supported by this build'; |
| 13 | +} |
| 14 | + |
| 15 | +my $clearpass = "FooBaR1"; |
| 16 | +my $rot13pass = "SbbOnE1"; |
| 17 | + |
| 18 | +# self-signed cert was generated like this: |
| 19 | +# system('openssl req -new -x509 -days 10000 -nodes -out server.crt -keyout server.ckey -subj "/CN=localhost"'); |
| 20 | +# add the cleartext passphrase to the key, remove the unprotected key |
| 21 | +# system("openssl rsa -aes256 -in server.ckey -out server.key -passout pass:$clearpass"); |
| 22 | +# unlink "server.ckey"; |
| 23 | + |
| 24 | + |
| 25 | +my $node = get_new_node('main'); |
| 26 | +$node->init; |
| 27 | +$node->append_conf('postgresql.conf', |
| 28 | + "ssl_passphrase.passphrase = '$rot13pass'"); |
| 29 | +$node->append_conf('postgresql.conf', |
| 30 | + "shared_preload_libraries = 'ssl_passphrase_func'"); |
| 31 | +$node->append_conf('postgresql.conf', "listen_addresses = 'localhost'"); |
| 32 | +$node->append_conf('postgresql.conf', "ssl = 'on'"); |
| 33 | + |
| 34 | +my $ddir = $node->data_dir; |
| 35 | + |
| 36 | +# install certificate and protected key |
| 37 | +copy("server.crt", $ddir); |
| 38 | +copy("server.key", $ddir); |
| 39 | +chmod 0600, "$ddir/server.key"; |
| 40 | + |
| 41 | +$node->start; |
| 42 | + |
| 43 | +# if the server is running we must have successfully transformed the passphrase |
| 44 | +ok(-e "$ddir/postmaster.pid", "postgres started"); |
| 45 | + |
| 46 | +$node->stop('fast'); |
| 47 | + |
| 48 | +# should get a warning if ssl_passphrase_command is set |
| 49 | +my $log = $node->rotate_logfile(); |
| 50 | + |
| 51 | +$node->append_conf('postgresql.conf', |
| 52 | + "ssl_passphrase_command = 'echo spl0tz'"); |
| 53 | + |
| 54 | +$node->start; |
| 55 | + |
| 56 | +$node->stop('fast'); |
| 57 | + |
| 58 | +my $log_contents = slurp_file($log); |
| 59 | + |
| 60 | +like( |
| 61 | + $log_contents, |
| 62 | + qr/WARNING.*ssl_passphrase_command setting ignored by ssl_passphrase_func module/, |
| 63 | + "ssl_passphrase_command set warning"); |
| 64 | + |
| 65 | +# set the wrong passphrase |
| 66 | +$node->append_conf('postgresql.conf', "ssl_passphrase.passphrase = 'blurfl'"); |
| 67 | + |
| 68 | +# try to start the server again |
| 69 | +my $ret = TestLib::system_log('pg_ctl', '-D', $node->data_dir, '-l', |
| 70 | + $node->logfile, 'start'); |
| 71 | + |
| 72 | + |
| 73 | +# with a bad passphrase the server should not start |
| 74 | +ok($ret, "pg_ctl fails with bad passphrase"); |
| 75 | +ok(!-e "$ddir/postmaster.pid", "postgres not started with bad passphrase"); |
| 76 | + |
| 77 | +# just in case |
| 78 | +$node->stop('fast'); |
| 79 | + |
| 80 | +done_testing(); |
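Review bot: The bad-passphrase case at lines 69-75 accepts any non-zero exit from `pg_ctl start` and any absence of postmaster.pid, so a server that fails for an unrelated reason (port in use, a bad config line) would still make the test pass without exercising the passphrase path at all. I would pin the failure to the key load by also inspecting the log written to `$node->logfile`, e.g. `like(slurp_file($node->logfile), qr/could not load private key file/, "bad passphrase is rejected when loading the key");` — the exact wording of the server's key-load error should be confirmed against what the backend emits. The `copy("server.crt", $ddir)` / `copy("server.key", $ddir)` calls at lines 37-38 are unchecked too; a missing or unreadable fixture surfaces later as an unrelated startup failure, so `copy("server.key", $ddir) or die "copy server.key: $!";` (and the same for the cert) gives a clear diagnostic. Since the key is copied before the `chmod 0600`, it briefly carries the process umask; harmless in a test directory, but worth a one-line comment so nobody copies the pattern into setup code.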