diff options
| author | Peter Eisentraut | 2017-11-18 15:07:57 +0000 |
|---|---|---|
| committer | Peter Eisentraut | 2017-11-18 15:15:54 +0000 |
| commit | 9288d62bb4b6f302bf13bb2fed3783b61385f315 (patch) | |
| tree | 2b6fa3bf8940b1f8d2ec77fc367fd750de82390d /src/test/ssl | |
| parent | 611fe7d4793ba6516e839dc50b5319b990283f4f (diff) | |
Support channel binding 'tls-unique' in SCRAM
This is the basic feature set using OpenSSL to support the feature. In
order to allow the frontend and the backend to fetch the sent and
expected TLS Finished messages, a PG-like API is added to be able to
make the interface pluggable for other SSL implementations.
This commit also adds a infrastructure to facilitate the addition of
future channel binding types as well as libpq parameters to control the
SASL mechanism names and channel binding names. Those will be added by
upcoming commits.
Some tests are added to the SSL test suite to test SCRAM authentication
with channel binding.
Author: Michael Paquier <michael@paquier.xyz>
Reviewed-by: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
Diffstat (limited to 'src/test/ssl')
| -rw-r--r-- | src/test/ssl/ServerSetup.pm | 27 | ||||
| -rw-r--r-- | src/test/ssl/t/001_ssltests.pl | 2 | ||||
| -rw-r--r-- | src/test/ssl/t/002_scram.pl | 38 |
3 files changed, 57 insertions, 10 deletions
diff --git a/src/test/ssl/ServerSetup.pm b/src/test/ssl/ServerSetup.pm index ad2e036602b..02f8028b2b6 100644 --- a/src/test/ssl/ServerSetup.pm +++ b/src/test/ssl/ServerSetup.pm @@ -57,19 +57,21 @@ sub test_connect_ok { my $common_connstr = $_[0]; my $connstr = $_[1]; + my $test_name = $_[2]; my $result = run_test_psql("$common_connstr $connstr", "(should succeed)"); - ok($result, $connstr); + ok($result, $test_name || $connstr); } sub test_connect_fails { my $common_connstr = $_[0]; my $connstr = $_[1]; + my $test_name = $_[2]; my $result = run_test_psql("$common_connstr $connstr", "(should fail)"); - ok(!$result, "$connstr (should fail)"); + ok(!$result, $test_name || "$connstr (should fail)"); } # Copy a set of files, taking into account wildcards @@ -89,8 +91,7 @@ sub copy_files sub configure_test_server_for_ssl { - my $node = $_[0]; - my $serverhost = $_[1]; + my ($node, $serverhost, $authmethod, $password, $password_enc) = @_; my $pgdata = $node->data_dir; @@ -100,6 +101,15 @@ sub configure_test_server_for_ssl $node->psql('postgres', "CREATE DATABASE trustdb"); $node->psql('postgres', "CREATE DATABASE certdb"); + # Update password of each user as needed. + if (defined($password)) + { + $node->psql('postgres', +"SET password_encryption='$password_enc'; ALTER USER ssltestuser PASSWORD '$password';"); + $node->psql('postgres', +"SET password_encryption='$password_enc'; ALTER USER anotheruser PASSWORD '$password';"); + } + # enable logging etc. open my $conf, '>>', "$pgdata/postgresql.conf"; print $conf "fsync=off\n"; @@ -129,7 +139,7 @@ sub configure_test_server_for_ssl $node->restart; # Change pg_hba after restart because hostssl requires ssl=on - configure_hba_for_ssl($node, $serverhost); + configure_hba_for_ssl($node, $serverhost, $authmethod); } # Change the configuration to use given server cert file, and reload @@ -157,8 +167,7 @@ sub switch_server_cert sub configure_hba_for_ssl { - my $node = $_[0]; - my $serverhost = $_[1]; + my ($node, $serverhost, $authmethod) = @_; my $pgdata = $node->data_dir; # Only accept SSL connections from localhost. Our tests don't depend on this @@ -169,9 +178,9 @@ sub configure_hba_for_ssl print $hba "# TYPE DATABASE USER ADDRESS METHOD\n"; print $hba -"hostssl trustdb ssltestuser $serverhost/32 trust\n"; +"hostssl trustdb ssltestuser $serverhost/32 $authmethod\n"; print $hba -"hostssl trustdb ssltestuser ::1/128 trust\n"; +"hostssl trustdb ssltestuser ::1/128 $authmethod\n"; print $hba "hostssl certdb ssltestuser $serverhost/32 cert\n"; print $hba diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index 890e3051a2c..a0a06825c6d 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -32,7 +32,7 @@ $node->init; $ENV{PGHOST} = $node->host; $ENV{PGPORT} = $node->port; $node->start; -configure_test_server_for_ssl($node, $SERVERHOSTADDR); +configure_test_server_for_ssl($node, $SERVERHOSTADDR, 'trust'); switch_server_cert($node, 'server-cn-only'); ### Part 1. Run client-side tests. diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl new file mode 100644 index 00000000000..25f75bd52ac --- /dev/null +++ b/src/test/ssl/t/002_scram.pl @@ -0,0 +1,38 @@ +# Test SCRAM authentication and TLS channel binding types + +use strict; +use warnings; +use PostgresNode; +use TestLib; +use Test::More tests => 1; +use ServerSetup; +use File::Copy; + +# This is the hostname used to connect to the server. +my $SERVERHOSTADDR = '127.0.0.1'; + +# Allocation of base connection string shared among multiple tests. +my $common_connstr; + +# Set up the server. + +note "setting up data directory"; +my $node = get_new_node('master'); +$node->init; + +# PGHOST is enforced here to set up the node, subsequent connections +# will use a dedicated connection string. +$ENV{PGHOST} = $node->host; +$ENV{PGPORT} = $node->port; +$node->start; + +# Configure server for SSL connections, with password handling. +configure_test_server_for_ssl($node, $SERVERHOSTADDR, "scram-sha-256", + "pass", "scram-sha-256"); +switch_server_cert($node, 'server-cn-only'); +$ENV{PGPASSWORD} = "pass"; +$common_connstr = +"user=ssltestuser dbname=trustdb sslmode=require hostaddr=$SERVERHOSTADDR"; + +test_connect_ok($common_connstr, '', + "SCRAM authentication with default channel binding"); |