author Bo Peng 2025-05-13 08:37:06 +0000
committer Bo Peng 2025-05-15 02:17:02 +0000
commit d92a7e2c1310acc32d73be32c9cb422259872e94 (patch)
tree dca3237c600709422cb9ef022cb1a37d6d211d1f /doc/src
parent 2d23a91d4466c967d79c34376853ed9629bc9997 (diff)
Fix incorrect client authentication in some cases.
If enable_pool_hba = on, its auth method is "password", no password is registered in pool_passwd, and auth method in pg_hba.conf is "scram-sha-256" or "md5", for the first time when a client connects to pgpool, authentication is performed as expected. But if a client connects to the cached connection, any password from the client is accepted.

authenticate_frontend() asks password to the client and stores it in frontend->password. When pgpool authenticates backend, authenticate_frontend_SCRAM() or authenticate_frontend_md5() is called depending on pg_hba.conf setting. authenticate_frontend_*() calls get_auth_password() to get backend cached password but it mistakenly returned frontend->password if pool_passwd does not have an entry for the user. Then authenticate_frontend_*() tries to challenge based on frontend->password. As a result, they compared frontend->password itself, which always succeeds. To fix this, when get_auth_password() is called with reauth parameter being non 0, return backend->password.

Also if enable_pool_hba = off, in some cases a client is not asked password for the first time, or when a client connects to cached connection, even if it should be. If pool_hba.conf is disabled, get_backend_connection() does not call Client_authentication(), thus frontend->password is not set. Then pool_do_reauth() calls do_clear_text_password(). It should have called authenticate_frontend_clear_text() to get a password from the client, but a mistake in an if statement prevented it. The mistake was fixed in this commit.

Pgpool-II versions affected: v4.0 or later.

Also this commit does the following:

- Remove single PostgreSQL code path to simplify the authentication code. As a result, following cases are no more Ok.
- Remove crypt authentication support for frontend and backend. The feature had not been documented and never tested. Moreover crypt authentication was removed long time ago in PostgreSQL (8.4, 2009).
- Add new regression test "040.client_auth". The test performs exhaustive client authentication tests using a test specification file formatted in CSV. The csv files have 7 fields:

  username: the username used for the test case
  pool_hba.conf: takes "scram", "md5", "password", "pam", "ldap" or "off". If "scram", "md5", "password", "pam" or "ldap", the user will have an entry in pool_hba.conf accordingly. If "off", enable_pool_hba.conf will be off.
  allow_clear_text_frontend_auth: takes "on" or "off".
  pool_passwd: takes "AES", "md5" or "off". If "AES" or "md5" the user's password will be stored in pool_passwd using AES256 or md5 encryption method accordingly. If "off" is specified, no entry will be created.
  pg_hba.conf: almost same as pool_hba.conf except this is for pg_hba.conf.
  expected: takes "ok" or "fail". If ok, the authentication is expected to be succeeded. If failed, the test is regarded as failed. "fail" is opposite. The authentication is expected to be failed. If succeeds, the test regarded as failed.
  comment: arbitrary comment

  By changing these fields, we can easily modify or add test cases. The merit of this method is possible higher test coverage. For human, it is easier to find uncovered test cases in a table than in a program code.

Backpatch-through: v4.2

The patch was created by Tatsuo Ishii.
Diffstat (limited to 'doc/src')
-rw-r--r-- doc/src/sgml/client-auth.sgml 48
1 files changed, 26 insertions, 22 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 5096c8718..791855743 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -45,10 +45,13 @@
authentication</link> require that the user name and the password
have been already registered on <filename>pool_passwd</filename>,
while <link linkend="auth-password">clear text password
- authentication</link> does not require that. Therefore, if you want
- to avoid maintaining the <filename>pool_passwd</filename>, it would
- be worth to check <link linkend="auth-password">clear text password
- authentication</link>.
+ authentication</link>
+ or <xref linkend="guc-allow-clear-text-frontend-auth"> does not
+ require that. Therefore, if you want to avoid maintaining
+ the <filename>pool_passwd</filename>, it would be worth to
+ check <link linkend="auth-password">clear text password
+ authentication</link>
+ or <xref linkend="guc-allow-clear-text-frontend-auth">.
</para>
<sect1 id="auth-pool-hba-conf">
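Review bot: The added lines recommend clear text password authentication or guc-allow-clear-text-frontend-auth as the way to avoid maintaining pool_passwd, but do not say what is traded away: in both cases the client hands its password to Pgpool-II in clear text, so this paragraph should tell the reader to protect the client connection (for example with SSL) before choosing either. Separately, "authentication or <xref ...> does not require that" joins an authentication method and a configuration parameter under a singular verb; "... and enabling <xref linkend="guc-allow-clear-text-frontend-auth"> do not require that" reads more accurately.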
@@ -564,7 +567,8 @@
<sect1 id="auth-methods">
<title>Authentication Methods</title>
<para>
- The following subsections describe the authentication methods in more detail.
+ The following subsections describe the authentication methods
+ specified by <filename>pool_hba.conf</filename> in more detail.
</para>
<sect2 id="auth-trust">
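Review bot: Narrowing the introduction to methods "specified by pool_hba.conf" leaves it unclear whether the subsections apply when pool_hba.conf is disabled, yet steps added later in this same patch ("If pool_hba.conf is not enabled, make sure that ...") address exactly that case. Add one sentence here stating what determines the authentication method when pool_hba.conf is not enabled, so the per-method steps do not appear to contradict the section introduction.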
@@ -624,30 +628,26 @@
<xref linkend="guc-pool-passwd"> authentication file.
</para>
- <note>
- <para>
- If <productname>Pgpool-II</productname> is operated in raw
- mode or there's only 1 backend configured, you don't need to
- setup <xref linkend="guc-pool-passwd">.
- </para>
- </note>
-
<sect3 id="md5-authentication-file-format">
<title>Authentication file format</title>
<para>
To use the <literal>md5</literal> authentication
- <xref linkend="guc-pool-passwd"> authentication file
- must contain the user password in either plain text
- <literal>md5</literal> or <literal>AES</literal> encrypted format.
+ <xref linkend="guc-pool-passwd"> authentication file must contain
+ the user password in either plain text, <literal>AES</literal>
+ or <literal>md5</literal> encrypted format.
</para>
<para>
The <xref linkend="guc-pool-passwd"> file should contain lines in the following format:
<programlisting>
- "username:plain_text_passwd"
+ "username:TEXT_plain_text_passwd"
+ </programlisting>
+ <programlisting>
+ "username:AES_encrypted_passwd"
</programlisting>
<programlisting>
- "username:encrypted_passwd"
+ "username:md5_encrypted_passwd"
</programlisting>
+ (Actually "_" after "TEXT", "AES" or "md5" does not exist.)
</para>
</sect3>
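Review bot: The three listings show a format ("username:TEXT_plain_text_passwd") that the following parenthetical then says is not the real format, so a reader who copies the listing into pool_passwd gets an entry with a stray underscore. Show the literal syntax instead, marking only the variable part, for example "username:TEXT<replaceable>plain_text_passwd</replaceable>", and drop the "(Actually "_" ... does not exist.)" sentence. Since this section now documents storing plain text passwords in the file, it is also worth stating next to the TEXT form that AES is the preferred storage format.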
@@ -678,6 +678,10 @@
<para>
2- Add an appropriate md5 entry to <filename>pool_hba.conf</filename>.
See <xref linkend="auth-pool-hba-conf"> for more details.
+ If <filename>pool_hba.conf</filename> is not enabled, make sure
+ that md5 authentication is specified
+ in <filename>pg_hba.conf</filename>
+ of <productname>PostgreSQL</productname>.
</para>
<para>
3- After changing md5 password (in both pool_passwd
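Review bot: The added sentence in step 2 says "If pool_hba.conf is not enabled" without naming the setting that controls this, so the reader has to guess which parameter is meant. Refer to enable_pool_hba explicitly (ideally through an xref to its parameter entry) and phrase the condition as that parameter being off, which matches how the commit message describes the two cases.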
@@ -715,11 +719,12 @@
or <literal>AES</literal> encrypted format.
<programlisting>
- "username:plain_text_passwd"
+ "username:TEXT_plain_text_passwd"
</programlisting>
<programlisting>
"username:AES_encrypted_passwd"
</programlisting>
+ (Actually "_" after "TEXT" or "AES" does not exist.)
<note>
<para>
<literal>md5</literal> type user passwords in
@@ -758,6 +763,7 @@
<para>
2- Add an appropriate scram-sha-256 entry to <filename>pool_hba.conf</filename>.
See <xref linkend="auth-pool-hba-conf"> for more details.
+ If <filename>pool_hba.conf</filename> is not enabled, make sure that md5 authentication is specified in <filename>pg_hba.conf</filename> of <productname>PostgreSQL</productname>.
</para>
<para>
3- After changing SCRAM password (in both pool_passwd
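Review bot: The sentence added to step 2 of the scram-sha-256 setup says "make sure that md5 authentication is specified in pg_hba.conf", which looks like a copy from the md5 section; in this section it should read scram-sha-256. As written it instructs the administrator to configure the weaker md5 method on the backend while following the SCRAM procedure. The line is also left unwrapped, unlike the equivalent addition in the md5 section, so wrap it to match the surrounding SGML.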
@@ -820,10 +826,8 @@
<para>
To enable PAM authentication, you need to create a service-configuration
- file for <productname>Pgpool-II</productname> in the system's
+ file named for <productname>Pgpool-II</productname> in the system's
PAM configuration directory (which is usually at <literal>"/etc/pam.d"</literal>).
- A sample service-configuration file is installed as
- <filename>"share/pgpool-II/pgpool.pam"</filename> under the install directory.
</para>
<note>
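Review bot: "file named for <productname>Pgpool-II</productname>" reads as an unfinished edit: the sentence says the file is named but never gives the name, and the same hunk removes the only pointer to a sample ("share/pgpool-II/pgpool.pam"). Either restore the original wording ("file for Pgpool-II") or state the expected service file name in a <filename> element, and if the sample file is no longer installed, say so here so readers know what the PAM service file must contain.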