
Commit e48b19c

Generate new LOG for "trust" connections under log_connections
Adding an extra LOG for connections that have not set an authn ID, like when the "trust" authentication method is used, is useful for audit purposes. A couple of TAP tests for SSL and authentication need to be tweaked to adapt to this new LOG generated, as some scenarios expected no logs but they now get a hit. Reported-by: Shaun Thomas Author: Jacob Champion Reviewed-by: Robert Haas, Michael Paquier Discussion: https://postgr.es/m/CAFdbL1N7-GF-ZXKaB3XuGA+CkSmnjFvqb8hgjMnDfd+uhL2u-A@mail.gmail.com
1 parent 1a4fd77 commit e48b19c

3 files changed

+24
-8
lines changed


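--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -645,6 +645,22 @@ ClientAuthentication(Port *port)
 #endif
 }
 
+if (Log_connections && status == STATUS_OK &&
+!MyClientConnectionInfo.authn_id)
+{
+/*
+* Normally, if log_connections is set, the call to set_authn_id()
+* will log the connection. However, if that function is never
+* called, perhaps because the trust method is in use, then we handle
+* the logging here instead.
+*/
+ereport(LOG,
+errmsg("connection authenticated: user=\"%s\" method=%s "
+"(%s:%d)",
+port->user_name, hba_authname(port->hba->auth_method),
+port->hba->sourcefile, port->hba->linenumber));
+}
+
 if (ClientAuthentication_hook)
 (*ClientAuthentication_hook) (port, status);
 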
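Review bot: The `user=` value on the new ereport line is port->user_name, which is presumably the role name the client sent at startup; with the trust method nothing has verified it, so this LOG line reads like an authenticated identity while carrying an unverified one, unlike the lines emitted by set_authn_id(). That distinction matters for the audit use case the commit message names and belongs in the block comment, e.g. `* Note: with trust, user= is the client-supplied name and has not been verified by the server.` The guard `status == STATUS_OK && !MyClientConnectionInfo.authn_id` is not limited to trust, so the comment could also say that any method which never calls set_authn_id() lands here. ClientAuthentication() starts and ends outside this hunk.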
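--- a/src/test/authentication/t/001_password.pl
+++ b/src/test/authentication/t/001_password.pl
@@ -136,13 +136,13 @@ sub test_conn
 # Create a database to test regular expression.
 $node->safe_psql('postgres', "CREATE database regex_testdb;");
 
-# For "trust" method, all users should be able to connect. These users are not
-# considered to be authenticated.
+# For "trust" method, all users should be able to connect.
 reset_pg_hba($node, 'all', 'all', 'trust');
 test_conn($node, 'user=scram_role', 'trust', 0,
-log_unlike => [qr/connection authenticated:/]);
+log_like =>
+[qr/connection authenticated: user="scram_role" method=trust/]);
 test_conn($node, 'user=md5_role', 'trust', 0,
-log_unlike => [qr/connection authenticated:/]);
+log_like => [qr/connection authenticated: user="md5_role" method=trust/]);
 
 # SYSTEM_USER is null when not authenticated.
 $res = $node->safe_psql('postgres', "SELECT SYSTEM_USER IS NULL;");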
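--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -800,8 +800,8 @@ sub switch_server_cert
 "$common_connstr user=ssltestuser sslcert=ssl/client.crt "
 . sslkey('client.key'),
 "auth_option clientcert=verify-full succeeds with matching username and Common Name",
-# verify-full does not provide authentication
-log_unlike => [qr/connection authenticated:/],);
+log_like =>
+[qr/connection authenticated: user="ssltestuser" method=trust/],);
 
 $node->connect_fails(
 "$common_connstr user=anotheruser sslcert=ssl/client.crt "
@@ -818,8 +818,8 @@ sub switch_server_cert
 "$common_connstr user=yetanotheruser sslcert=ssl/client.crt "
 . sslkey('client.key'),
 "auth_option clientcert=verify-ca succeeds with mismatching username and Common Name",
-# verify-full does not provide authentication
-log_unlike => [qr/connection authenticated:/],);
+log_like =>
+[qr/connection authenticated: user="yetanotheruser" method=trust/],);
 
 # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file
 switch_server_cert($node, certfile => 'server-cn-only', cafile => 'root_ca');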
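Review bot: Dropping `# verify-full does not provide authentication` above the new log_like removes the one line that explained why the expected message says method=trust for a connection whose client certificate was just verified, which is surprising to a reader without it. Suggest keeping a comment on the line before `log_like =>`, reworded to `# clientcert verification is not counted as authentication, so the LOG reports method=trust`. The same applies to the verify-ca hunk at -818, where the removed comment had also been mis-stated as verify-full. The call whose arguments both hunks edit starts outside the hunk.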
