diff options
| author | Michael Paquier <michael@paquier.xyz> | 2023-01-20 11:21:55 +0900 |
|---|---|---|
| committer | Michael Paquier <michael@paquier.xyz> | 2023-01-20 11:21:55 +0900 |
| commit | efb6f4a4f9b627b9447f5cd8e955d43a7066c30c (patch) | |
| tree | e2d2f0690c458563264b03d97baffdbbfe6a3c16 /src/test/authentication | |
| parent | 74739d1d3ff6b408895a5908657ffb0648df3d70 (diff) | |
| download | postgresql-efb6f4a4f9b627b9447f5cd8e955d43a7066c30c.tar.gz | |
Support the same patterns for pg-user in pg_ident.conf as in pg_hba.conf
While pg_hba.conf has support for non-literal username matches, and
this commit extends the capabilities that are supported for the
PostgreSQL user listed in an ident entry part of pg_ident.conf, with
support for:
1. The "all" keyword, where all the requested users are allowed.
2. Membership checks using the + prefix.
3. Using a regex to match against multiple roles.
1. is a feature that has been requested by Jelte Fennema, 2. something
that has been mentioned independently by Andrew Dunstan, and 3. is
something I came up with while discussing how to extend the first one,
whose implementation is facilitated by 8fea868.
This allows matching certain system users against many different
postgres users with a single line in pg_ident.conf. Without this, one
would need one line for each of the postgres users that a system user
can log in as, which can be cumbersome to maintain.
Tests are added to the TAP test of peer authentication to provide
coverage for all that.
Note that this introduces a set of backward-incompatible changes to be
able to detect the new patterns, for the following cases:
- A role named "all".
- A role prefixed with '+' characters, which is something that would not
have worked in HBA entries anyway.
- A role prefixed by a slash character, similarly to 8fea868.
Any of these can be still be handled by using quotes in the Postgres
role defined in an ident entry.
A huge advantage of this change is that the code applies the same checks
for the Postgres roles in HBA and ident entries, via the common routine
check_role().
**This compatibility change should be mentioned in the release notes.**
Author: Jelte Fennema
Discussion: https://postgr.es/m/DBBPR83MB0507FEC2E8965012990A80D0F7FC9@DBBPR83MB0507.EURPRD83.prod.outlook.com
Diffstat (limited to 'src/test/authentication')
| -rw-r--r-- | src/test/authentication/t/003_peer.pl | 160 |
1 files changed, 153 insertions, 7 deletions
diff --git a/src/test/authentication/t/003_peer.pl b/src/test/authentication/t/003_peer.pl index e6f5fdba16..a6be651ea7 100644 --- a/src/test/authentication/t/003_peer.pl +++ b/src/test/authentication/t/003_peer.pl @@ -98,8 +98,13 @@ if (find_in_log( plan skip_all => 'peer authentication is not supported on this platform'; } -# Add a database role, to use for the user name map. +# Add a database role and a group, to use for the user name map. $node->safe_psql('postgres', qq{CREATE ROLE testmapuser LOGIN}); +$node->safe_psql('postgres', "CREATE ROLE testmapgroup NOLOGIN"); +$node->safe_psql('postgres', "GRANT testmapgroup TO testmapuser"); +# Note the double quotes here. +$node->safe_psql('postgres', 'CREATE ROLE "testmapgroupliteral\\1" LOGIN'); +$node->safe_psql('postgres', 'GRANT "testmapgroupliteral\\1" TO testmapuser'); # Extract as well the system user for the user name map. my $system_user = @@ -123,12 +128,56 @@ test_role($node, qq{testmapuser}, 'peer', 0, 'with user name map', log_like => [qr/connection authenticated: identity="$system_user" method=peer/]); +# Tests with the "all" keyword. +reset_pg_ident($node, 'mypeermap', $system_user, 'all'); + +test_role( + $node, + qq{testmapuser}, + 'peer', + 0, + 'with keyword "all" as database user in user name map', + log_like => + [qr/connection authenticated: identity="$system_user" method=peer/]); + +# Tests with the "all" keyword, but quoted (no effect here). +reset_pg_ident($node, 'mypeermap', $system_user, '"all"'); + +test_role( + $node, + qq{testmapuser}, + 'peer', + 2, + 'with quoted keyword "all" as database user in user name map', + log_like => [qr/no match in usermap "mypeermap" for user "testmapuser"/]); + +# Success as the regexp of the database user matches +reset_pg_ident($node, 'mypeermap', $system_user, qq{/^testm.*\$}); +test_role( + $node, + qq{testmapuser}, + 'peer', + 0, + 'with regexp of database user in user name map', + log_like => + [qr/connection authenticated: identity="$system_user" method=peer/]); + +# Failure as the regexp of the database user does not match. +reset_pg_ident($node, 'mypeermap', $system_user, qq{/^doesnotmatch.*\$}); +test_role( + $node, + qq{testmapuser}, + 'peer', + 2, + 'with bad regexp of database user in user name map', + log_like => [qr/no match in usermap "mypeermap" for user "testmapuser"/]); + # Test with regular expression in user name map. # Extract the last 3 characters from the system_user # or the entire system_user (if its length is <= -3). my $regex_test_string = substr($system_user, -3); -# Success as the regular expression matches. +# Success as the system user regular expression matches. reset_pg_ident($node, 'mypeermap', qq{/^.*$regex_test_string\$}, 'testmapuser'); test_role( @@ -136,10 +185,33 @@ test_role( qq{testmapuser}, 'peer', 0, - 'with regular expression in user name map', + 'with regexp of system user in user name map', log_like => [qr/connection authenticated: identity="$system_user" method=peer/]); +# Success as both regular expressions match. +reset_pg_ident($node, 'mypeermap', qq{/^.*$regex_test_string\$}, + qq{/^testm.*\$}); +test_role( + $node, + qq{testmapuser}, + 'peer', + 0, + 'with regexps for both system and database user in user name map', + log_like => + [qr/connection authenticated: identity="$system_user" method=peer/]); + +# Success as the regular expression matches and database role is the "all" +# keyword. +reset_pg_ident($node, 'mypeermap', qq{/^.*$regex_test_string\$}, 'all'); +test_role( + $node, + qq{testmapuser}, + 'peer', + 0, + 'with regexp of system user and keyword "all" in user name map', + log_like => + [qr/connection authenticated: identity="$system_user" method=peer/]); # Success as the regular expression matches and \1 is replaced in the given # subexpression. @@ -179,17 +251,91 @@ test_role( ]); # Concatenate system_user to system_user. -$regex_test_string = $system_user . $system_user; +my $bad_regex_test_string = $system_user . $system_user; -# Failure as the regular expression does not match. -reset_pg_ident($node, 'mypeermap', qq{/^.*$regex_test_string\$}, +# Failure as the regexp of system user does not match. +reset_pg_ident($node, 'mypeermap', qq{/^.*$bad_regex_test_string\$}, 'testmapuser'); test_role( $node, qq{testmapuser}, 'peer', 2, - 'with regular expression in user name map', + 'with regexp of system user in user name map', + log_like => [qr/no match in usermap "mypeermap" for user "testmapuser"/]); + +# Test using a group role match for the database user. +reset_pg_ident($node, 'mypeermap', $system_user, '+testmapgroup'); + +test_role($node, qq{testmapuser}, 'peer', 0, 'plain user with group', + log_like => + [qr/connection authenticated: identity="$system_user" method=peer/]); + +test_role( + $node, qq{testmapgroup}, 'peer', 2, + 'group user with group', + log_like => [qr/role "testmapgroup" is not permitted to log in/]); + +# Now apply quotes to the group match, nullifying its effect. +reset_pg_ident($node, 'mypeermap', $system_user, '"+testmapgroup"'); +test_role( + $node, + qq{testmapuser}, + 'peer', + 2, + 'plain user with quoted group name', log_like => [qr/no match in usermap "mypeermap" for user "testmapuser"/]); +# Test using a regexp for the system user, with a group membership +# check for the database user. +reset_pg_ident($node, 'mypeermap', qq{/^.*$regex_test_string\$}, + '+testmapgroup'); + +test_role( + $node, + qq{testmapuser}, + 'peer', + 0, + 'regexp of system user as group member', + log_like => + [qr/connection authenticated: identity="$system_user" method=peer/]); + +test_role( + $node, + qq{testmapgroup}, + 'peer', + 2, + 'regexp of system user as non-member of group', + log_like => [qr/role "testmapgroup" is not permitted to log in/]); + +# Test that membership checks and regexes will use literal \1 instead of +# replacing it, as subexpression replacement is not allowed in this case. +reset_pg_ident($node, 'mypeermap', qq{/^.*$regex_test_string(.*)\$}, + '+testmapgroupliteral\\1'); + +test_role( + $node, + qq{testmapuser}, + 'peer', + 0, + 'membership check with literal \1', + log_like => + [qr/connection authenticated: identity="$system_user" method=peer/]); + +# Do the same with a quoted regular expression for the database user this +# time. No replacement of \1 is done. +reset_pg_ident( + $node, 'mypeermap', + qq{/^.*$regex_test_string(.*)\$}, + '"/^testmapgroupliteral\\\\1$"'); + +test_role( + $node, + 'testmapgroupliteral\\\\1', + 'peer', + 0, + 'regexp of database user with literal \1', + log_like => + [qr/connection authenticated: identity="$system_user" method=peer/]); + done_testing(); |