1
+ # Sets up a KDC and then runs a variety of tests to make sure that the
2
+ # GSSAPI/Kerberos authentication and encryption are working properly,
3
+ # that the options in pg_hba.conf and pg_ident.conf are handled correctly,
4
+ # and that the server-side pg_stat_gssapi view reports what we expect to
5
+ # see for each test.
6
+ #
7
+ # Since this requires setting up a full KDC, it doesn't make much sense
8
+ # to have multiple test scripts (since they'd have to also create their
9
+ # own KDC and that could cause race conditions or other problems)- so
10
+ # just add whatever other tests are needed to here.
11
+ #
12
+ # See the README for additional information.
13
+
1
14
use strict;
2
15
use warnings;
3
16
use TestLib;
6
19
7
20
if ($ENV {with_gssapi } eq ' yes' )
8
21
{
9
- plan tests => 4 ;
22
+ plan tests => 12 ;
10
23
}
11
24
else
12
25
{
50
63
51
64
my $host = ' auth-test-localhost.postgresql.example.com' ;
52
65
my $hostaddr = ' 127.0.0.1' ;
53
- my $realm = ' EXAMPLE.COM' ;
66
+ my $realm = ' EXAMPLE.COM' ;
54
67
55
68
my $krb5_conf = " ${TestLib::tmp_check} /krb5.conf" ;
56
69
my $kdc_conf = " ${TestLib::tmp_check} /kdc.conf" ;
@@ -155,18 +168,30 @@ END
155
168
156
169
sub test_access
157
170
{
158
- my ($node , $role , $expected_res , $test_name ) = @_ ;
171
+ my ($node , $role , $server_check , $expected_res , $gssencmode , $test_name )
172
+ = @_ ;
159
173
160
174
# need to connect over TCP/IP for Kerberos
161
- my $res = $node -> psql(
175
+ my ( $res , $stdoutres , $stderrres ) = $node -> psql(
162
176
' postgres' ,
163
- ' SELECT 1 ' ,
177
+ " $server_check " ,
164
178
extra_params => [
165
- ' -d' ,
166
- $node -> connstr(' postgres' ) . " host=$host hostaddr=$hostaddr " ,
167
- ' -U' , $role
179
+ ' -XAtd' ,
180
+ $node -> connstr(' postgres' )
181
+ . " host=$host hostaddr=$hostaddr $gssencmode " ,
182
+ ' -U' ,
183
+ $role
168
184
]);
169
- is($res , $expected_res , $test_name );
185
+
186
+ # If we get a query result back, it should be true.
187
+ if ($res == $expected_res and $res eq 0)
188
+ {
189
+ is($stdoutres , " t" , $test_name );
190
+ }
191
+ else
192
+ {
193
+ is($res , $expected_res , $test_name );
194
+ }
170
195
return ;
171
196
}
172
197
@@ -175,21 +200,92 @@ sub test_access
175
200
qq{ host all all $hostaddr /32 gss map=mymap} );
176
201
$node -> restart;
177
202
178
- test_access($node , ' test1' , 2 , ' fails without ticket' );
203
+ test_access($node , ' test1' , ' SELECT true ' , 2, ' ' , ' fails without ticket' );
179
204
180
205
run_log [ $kinit , ' test1' ], \$test1_password or BAIL_OUT($? );
181
206
182
- test_access($node , ' test1' , 2 , ' fails without mapping' );
207
+ test_access($node , ' test1' , ' SELECT true ' , 2, ' ' , ' fails without mapping' );
183
208
184
209
$node -> append_conf(' pg_ident.conf' , qq{ mymap /^(.*)\@ $realm \$ \\ 1} );
185
210
$node -> restart;
186
211
187
- test_access($node , ' test1' , 0, ' succeeds with mapping' );
212
+ test_access(
213
+ $node ,
214
+ ' test1' ,
215
+ ' SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();' ,
216
+ 0,
217
+ ' ' ,
218
+ ' succeeds with mapping with default gssencmode and host hba' );
219
+ test_access(
220
+ $node ,
221
+ " test1" ,
222
+ ' SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();' ,
223
+ 0,
224
+ " gssencmode=prefer" ,
225
+ " succeeds with GSS-encrypted access preferred with host hba" );
226
+ test_access(
227
+ $node ,
228
+ " test1" ,
229
+ ' SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();' ,
230
+ 0,
231
+ " gssencmode=require" ,
232
+ " succeeds with GSS-encrypted access required with host hba" );
233
+
234
+ unlink ($node -> data_dir . ' /pg_hba.conf' );
235
+ $node -> append_conf(' pg_hba.conf' ,
236
+ qq{ hostgssenc all all $hostaddr /32 gss map=mymap} );
237
+ $node -> restart;
238
+
239
+ test_access(
240
+ $node ,
241
+ " test1" ,
242
+ ' SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();' ,
243
+ 0,
244
+ " gssencmode=prefer" ,
245
+ " succeeds with GSS-encrypted access preferred and hostgssenc hba" );
246
+ test_access(
247
+ $node ,
248
+ " test1" ,
249
+ ' SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();' ,
250
+ 0,
251
+ " gssencmode=require" ,
252
+ " succeeds with GSS-encrypted access required and hostgssenc hba" );
253
+ test_access($node , " test1" , ' SELECT true' , 2, " gssencmode=disable" ,
254
+ " fails with GSS encryption disabled and hostgssenc hba" );
255
+
256
+ unlink ($node -> data_dir . ' /pg_hba.conf' );
257
+ $node -> append_conf(' pg_hba.conf' ,
258
+ qq{ hostnogssenc all all $hostaddr /32 gss map=mymap} );
259
+ $node -> restart;
260
+
261
+ test_access(
262
+ $node ,
263
+ " test1" ,
264
+ ' SELECT gss_authenticated and not encrypted from pg_stat_gssapi where pid = pg_backend_pid();' ,
265
+ 0,
266
+ " gssencmode=prefer" ,
267
+ " succeeds with GSS-encrypted access preferred and hostnogssenc hba, but no encryption"
268
+ );
269
+ test_access($node , " test1" , ' SELECT true' , 2, " gssencmode=require" ,
270
+ " fails with GSS-encrypted access required and hostnogssenc hba" );
271
+ test_access(
272
+ $node ,
273
+ " test1" ,
274
+ ' SELECT gss_authenticated and not encrypted from pg_stat_gssapi where pid = pg_backend_pid();' ,
275
+ 0,
276
+ " gssencmode=disable" ,
277
+ " succeeds with GSS encryption disabled and hostnogssenc hba" );
188
278
189
279
truncate ($node -> data_dir . ' /pg_ident.conf' , 0);
190
280
unlink ($node -> data_dir . ' /pg_hba.conf' );
191
281
$node -> append_conf(' pg_hba.conf' ,
192
282
qq{ host all all $hostaddr /32 gss include_realm=0} );
193
283
$node -> restart;
194
284
195
- test_access($node , ' test1' , 0, ' succeeds with include_realm=0' );
285
+ test_access(
286
+ $node ,
287
+ ' test1' ,
288
+ ' SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();' ,
289
+ 0,
290
+ ' ' ,
291
+ ' succeeds with include_realm=0 and defaults' );
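Review bot: In the `test_access` hunk (`@@ -155,18 +168,30 @@`), the failure branch checks only the exit status, so an expected-failure case such as `fails with GSS encryption disabled and hostgssenc hba` also passes when the connection dies for an unrelated reason (KDC unreachable, broken krb5.conf), and `$stderrres` is unpacked but never read. Surfacing it would at least make a spurious pass or a real failure diagnosable: `is($res, $expected_res, $test_name) or diag($stderrres);`. A stronger variant would let the caller pass an expected error pattern and `like($stderrres, $pattern, $test_name)` it in the non-zero branch, since the access-control negatives are exactly the tests whose false passes matter most. Minor style point: the guard mixes numeric and string comparison on the same value, `$res == $expected_res and $res eq 0`; `$res == 0` is the intended test.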