#! /bin/sh
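# Rebuild the throwaway test CA and its site certificates from scratch.
# newca.sh / newsite.sh are sibling scripts; their chatter is discarded.
rm -rf -- TestCA1
(
  ./newca.sh TestCA1 C=QQ O=Org1 CN="TestCA1"
  ./newsite.sh TestCA1 localhost C=QQ O=Org1 L=computer OU=db
  ./newsite.sh TestCA1 bouncer C=QQ O=Org1 L=computer OU=Dev
  ./newsite.sh TestCA1 random C=QQ O=Org1 L=computer OU=Dev
) > /dev/null

# Environment for the PostgreSQL tools and for psql's default target
# (PGHOST/PGPORT point at pgbouncer, not at the backend server).
export PATH=/usr/lib/postgresql/9.4/bin:$PATH
export PGDATA="$PWD/pgdata"
export PGHOST=localhost
export PGPORT=6667
# Electric Fence setting, effective only if the binaries are linked with it.
export EF_ALLOW_MALLOC_0=1

mkdir -p tmp

# pgbouncer test instance: base config, log and pid file.
BOUNCER_LOG=tmp/test.log
BOUNCER_INI=test.ini
BOUNCER_PID=tmp/test.pid
# listen_port from the ini: keep only the digits after '='.
BOUNCER_PORT=$(sed -n '/^listen_port/s/listen_port.*=[^0-9]*//p' "$BOUNCER_INI")
BOUNCER_EXE="../../pgbouncer"

# Backend PostgreSQL server used by the tests.
LOGDIR=tmp
NC_PORT=6668
PG_PORT=6666
PG_LOG=$LOGDIR/pg.log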
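# Run pg_ctl against the test cluster, appending all its output to PG_LOG.
# Arguments: pg_ctl verbs/options (start, stop, -m fast stop, ...), passed
#            through unchanged (quoted "$@" keeps each argument intact).
# Globals:   PG_PORT, PGDATA, PG_LOG (read)
# Returns:   pg_ctl's exit status
pgctl() {
  pg_ctl -o "-p $PG_PORT" -D "$PGDATA" "$@" >>"$PG_LOG" 2>&1
}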
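# Fresh run: drop any old core file and allow unlimited core dumps so a
# pgbouncer crash during the tests can be analysed.
rm -f core
ulimit -c unlimited

# Stop leftovers from a previous run. postmaster.pid has several lines and
# only the first one is the pid, so never pass the whole file to kill.
for f in pgdata/postmaster.pid tmp/test.pid; do
  if [ -f "$f" ]; then
    kill "$(head -n 1 "$f")" || true
  fi
done

mkdir -p "$LOGDIR"
rm -f -- "$BOUNCER_LOG" "$PG_LOG"
# Always start from an empty cluster. The ':?' aborts the script instead of
# running 'rm -rf /' should PGDATA ever be unset or empty.
rm -rf -- "${PGDATA:?}"
# The check is kept so the rm above can be disabled to reuse a cluster.
if [ ! -d "$PGDATA" ]; then
  echo "initdb"
  mkdir "$PGDATA"
  initdb --nosync >> "$PG_LOG" 2>&1
  # Unix socket under /tmp: admin() connects through it.
  sed -r -i "/unix_socket_director/s:.*(unix_socket_director.*=).*:\\1 '/tmp':" pgdata/postgresql.conf
  {
    echo "port = $PG_PORT"
    echo "log_connections = on"
    echo "log_disconnections = on"
  } >> pgdata/postgresql.conf
  # Pristine copies; reconf_pgsql() rebuilds postgresql.conf from the .orig.
  cp pgdata/postgresql.conf pgdata/postgresql.conf.orig
  cp pgdata/pg_hba.conf pgdata/pg_hba.conf.orig
  cp pgdata/pg_ident.conf pgdata/pg_ident.conf.orig
  # Server certificate/key ("localhost" site) and the CA that signed the
  # client certificates pgbouncer will present.
  cp -p TestCA1/sites/01-localhost.crt pgdata/server.crt
  cp -p TestCA1/sites/01-localhost.key pgdata/server.key
  cp -p TestCA1/ca.crt pgdata/root.crt
  # pgbouncer auth file: user "bouncer", password "zzz".
  echo '"bouncer" "zzz"' > tmp/userlist.txt
  # PostgreSQL refuses to start with a group/world-readable server key.
  chmod 600 pgdata/server.key
  chmod 600 tmp/userlist.txt
fi

pgctl start
sleep 5

echo "createdb"
# Create the test role and databases once; database p0 marks "already done".
if ! psql -p "$PG_PORT" -l | grep -q p0; then
  psql -p "$PG_PORT" -c "create user bouncer" template1
  createdb -p "$PG_PORT" p0
  createdb -p "$PG_PORT" p1
fi

# Daemonize pgbouncer on the base ini; tests relaunch it via reconf_bouncer().
"$BOUNCER_EXE" -d "$BOUNCER_INI"
sleep 1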
# Relaunch pgbouncer on a copy of test.ini extended with the given
# "key = value" lines. An instance recorded in tmp/test.pid is killed first.
# Arguments: extra ini lines, one per argument
# Globals:   BOUNCER_EXE (read)
reconf_bouncer() {
  cp test.ini tmp/test.ini
  for extra in "$@"; do
    echo "$extra" >> tmp/test.ini
  done
  if test -f tmp/test.pid; then
    kill "$(cat tmp/test.pid)"
  fi
  # give the old daemon a moment to release its port
  sleep 1
  $BOUNCER_EXE -v -v -v -d tmp/test.ini
}
# Rewrite postgresql.conf from the pristine .orig copy plus the given
# settings, then stop/start the server so they take effect.
# Arguments: settings ("name=value"), one per argument
reconf_pgsql() {
  cp pgdata/postgresql.conf.orig pgdata/postgresql.conf
  for setting; do
    echo "$setting" >> pgdata/postgresql.conf
  done
  pgctl stop
  pgctl start
  sleep 1
}
#
# fw hacks
#
#
# util functions
#
# Tear the test environment down: pgbouncer (via its pid file), then the
# server with a fast shutdown. Errors from kill are silenced on purpose
# (the pid may be stale).
# Globals:   BOUNCER_PID (read, file removed)
complete() {
  if [ -f "$BOUNCER_PID" ]; then
    kill "$(cat "$BOUNCER_PID")" >/dev/null 2>&1
  fi
  pgctl -m fast stop
  rm -f "$BOUNCER_PID"
}
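# Report a fatal problem on stderr, shut the environment down, exit 1.
# Arguments: message words (joined with single spaces)
# Note: runtest() calls tests in the current shell, so this exits the
# whole harness, not just the failing test.
die() {
  printf '%s\n' "$*" >&2
  complete
  exit 1
}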
# Send an admin-console statement to pgbouncer over the /tmp unix socket.
# Arguments: the statement (a ';' is appended to the last argument)
# Returns:   does not return on failure (die)
admin() {
  if ! psql -h /tmp -U pgbouncer pgbouncer -c "$@;"; then
    die "Cannot contact bouncer!"
  fi
}
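# Run one test function. Its stdout/stderr go to $LOGDIR/<name>.log and a
# one-line "ok"/"FAILED" verdict to stdout. Afterwards wait for stray
# background jobs and SIGHUP pgbouncer so the next test starts from a
# freshly reloaded config.
# Arguments: $1 - name of the test function to run
# Globals:   LOGDIR, BOUNCER_PID (read)
runtest() {
  printf '%s running %s ... ' "$(date)" "$1"
  # Invoke the function by name rather than eval'ing the argument as shell
  # code; the name comes from the command line via testlist.
  if "$1" >"$LOGDIR/$1.log" 2>&1; then
    echo "ok"
  else
    echo "FAILED"
  fi
  date >> "$LOGDIR/$1.log"
  # allow background processing to complete
  wait
  # start with fresh config
  kill -HUP "$(cat "$BOUNCER_PID")"
}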
# psql straight to the backend server (bypassing pgbouncer) as user bouncer.
# Arguments: passed through to psql
psql_pg() {
  psql -U bouncer -h 127.0.0.1 -p "$PG_PORT" "$@"
}
# psql through pgbouncer (PGHOST/PGPORT from the environment) as user bouncer.
# Arguments: passed through to psql
psql_bouncer() {
  PGUSER=bouncer \
    psql "$@"
}
# server_lifetime
# pgbouncer -> server with server_tls_sslmode=require: TLS is mandatory
# (the server's pg_hba only has a hostssl line) but the server certificate
# is not verified.
# Returns: 0 if the query result came back through the TLS connection
test_server_ssl() {
  reconf_bouncer "auth_type = trust" "server_tls_sslmode = require"
  echo "hostssl all all 127.0.0.1/32 trust" > pgdata/pg_hba.conf
  reconf_pgsql "ssl=on" "ssl_ca_file='root.crt'"
  psql_bouncer -q -d p0 -c "select 'ssl-connect'" | tee tmp/test.tmp0
  # the echoed marker string is the pass criterion
  grep -q "ssl-connect" tmp/test.tmp0
}
# pgbouncer -> server with server_tls_sslmode=verify-full: the server
# certificate must chain to TestCA1 and match the host name.
# Returns: 0 if the query result came back through the verified connection
test_server_ssl_verify() {
  reconf_bouncer "auth_type = trust" \
    "server_tls_sslmode = verify-full" \
    "server_tls_ca_file = TestCA1/ca.crt"
  echo "hostssl all all 127.0.0.1/32 trust" > pgdata/pg_hba.conf
  reconf_pgsql "ssl=on" "ssl_ca_file='root.crt'"
  psql_bouncer -q -d p0 -c "select 'ssl-full-connect'" | tee tmp/test.tmp1
  grep -q "ssl-full-connect" tmp/test.tmp1
}
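# pgbouncer -> server with verify-full AND a client certificate: pg_hba uses
# "cert" auth, so the server authenticates pgbouncer by the 02-bouncer
# certificate (presumably its CN maps to the "bouncer" role — verify against
# newsite.sh).
# Returns: 0 if the query result came back through the mutually
#          authenticated connection
test_server_ssl_pg_auth() {
  reconf_bouncer "auth_type = trust" \
    "server_tls_sslmode = verify-full" \
    "server_tls_ca_file = TestCA1/ca.crt" \
    "server_tls_key_file = TestCA1/sites/02-bouncer.key" \
    "server_tls_cert_file = TestCA1/sites/02-bouncer.crt"
  echo "hostssl all all 127.0.0.1/32 cert" > pgdata/pg_hba.conf
  reconf_pgsql "ssl=on" "ssl_ca_file='root.crt'"
  psql_bouncer -q -d p0 -c "select 'ssl-cert-connect'" | tee tmp/test.tmp2
  # -q like the sibling tests: only the exit status matters, the output is
  # already in the log via tee.
  grep -q "ssl-cert-connect" tmp/test.tmp2
}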
# Client -> pgbouncer over TLS with client_tls_sslmode=require; psql uses
# sslmode=require, so pgbouncer's certificate is not verified.
# NOTE: a second test_client_ssl() is defined further down in this file and
# replaces this one at load time, so this variant is never run as written.
# Returns: 0 if the query result came back over the TLS client connection
test_client_ssl() {
  reconf_bouncer "auth_type = trust" "server_tls_sslmode = prefer" \
    "client_tls_sslmode = require" \
    "client_tls_key_file = TestCA1/sites/01-localhost.key" \
    "client_tls_cert_file = TestCA1/sites/01-localhost.crt"
  echo "host all all 127.0.0.1/32 trust" > pgdata/pg_hba.conf
  reconf_pgsql "ssl=on" "ssl_ca_file='root.crt'"
  psql_bouncer -q -d "dbname=p0 sslmode=require" \
    -c "select 'client-ssl-connect'" | tee tmp/test.tmp
  grep -q "client-ssl-connect" tmp/test.tmp
}
# Client -> pgbouncer over TLS with client_tls_sslmode=require; psql uses
# sslmode=verify-full against TestCA1, so pgbouncer's "localhost"
# certificate must validate for PGHOST=localhost.
# NOTE: this definition replaces the earlier test_client_ssl() of the same
# name; it is the one testlist actually runs.
# Returns: 0 if the query result came back over the verified client connection
test_client_ssl() {
  reconf_bouncer "auth_type = trust" "server_tls_sslmode = prefer" \
    "client_tls_sslmode = require" \
    "client_tls_key_file = TestCA1/sites/01-localhost.key" \
    "client_tls_cert_file = TestCA1/sites/01-localhost.crt"
  echo "host all all 127.0.0.1/32 trust" > pgdata/pg_hba.conf
  reconf_pgsql "ssl=on" "ssl_ca_file='root.crt'"
  psql_bouncer -q \
    -d "dbname=p0 sslmode=verify-full sslrootcert=TestCA1/ca.crt" \
    -c "select 'client-ssl-connect'" | tee tmp/test.tmp 2>&1
  grep -q "client-ssl-connect" tmp/test.tmp
}
# Client certificate authentication at pgbouncer: auth_type=cert with
# client_tls_sslmode=verify-full, so the client must present a certificate
# signed by TestCA1 (here the 02-bouncer key/cert pair).
# Returns: 0 if the query result came back over the cert-authenticated connection
test_client_ssl_auth() {
  reconf_bouncer "auth_type = cert" "server_tls_sslmode = prefer" \
    "client_tls_sslmode = verify-full" \
    "client_tls_ca_file = TestCA1/ca.crt" \
    "client_tls_key_file = TestCA1/sites/01-localhost.key" \
    "client_tls_cert_file = TestCA1/sites/01-localhost.crt"
  echo "host all all 127.0.0.1/32 trust" > pgdata/pg_hba.conf
  reconf_pgsql "ssl=on" "ssl_ca_file='root.crt'"
  psql_bouncer -q \
    -d "dbname=p0 sslmode=require sslkey=TestCA1/sites/02-bouncer.key sslcert=TestCA1/sites/02-bouncer.crt" \
    -c "select 'client-ssl-connect'" | tee tmp/test.tmp 2>&1
  grep -q "client-ssl-connect" tmp/test.tmp
}
# Default test set. Test names given on the command line replace it
# (they are run through runtest, never eval'd).
testlist="
test_server_ssl
test_server_ssl_verify
test_server_ssl_pg_auth
test_client_ssl
test_client_ssl_auth
"
case $# in
  0) ;;
  *) testlist=$* ;;
esac

# word-splitting of $testlist is intended: one name per word
for test in $testlist; do
  runtest "$test"
done

complete
# vim: sts=0 sw=8 noet nosmarttab: