# postgresql-ssl-regression.test.
my $SERVERHOSTADDR = '127.0.0.1';
-# Define a couple of helper functions to test connecting to the server.
-
+# Allocation of base connection string shared among multiple tests.
my $common_connstr;
-sub run_test_psql
-{
- my $connstr = $_[0];
- my $logstring = $_[1];
-
- my $cmd = [
- 'psql', '-X', '-A', '-t', '-c', "SELECT 'connected with $connstr'",
- '-d', "$connstr" ];
-
- my $result = run_log($cmd);
- return $result;
-}
-
-#
-# The first argument is a (part of a) connection string, and it's also printed
-# out as the test case name. It is appended to $common_connstr global variable,
-# which also contains a libpq connection string.
-sub test_connect_ok
-{
- my $connstr = $_[0];
-
- my $result =
- run_test_psql("$common_connstr $connstr", "(should succeed)");
- ok($result, $connstr);
-}
-
-sub test_connect_fails
-{
- my $connstr = $_[0];
-
- my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
- ok(!$result, "$connstr (should fail)");
-}
-
# The client's private key must not be world-readable, so take a copy
# of the key stored in the code tree and update its permissions.
copy("ssl/client.key", "ssl/client_tmp.key");
# The server should not accept non-SSL connections
note "test that the server doesn't accept non-SSL connections";
-test_connect_fails("sslmode=disable");
+test_connect_fails($common_connstr, "sslmode=disable");
# Try without a root cert. In sslmode=require, this should work. In verify-ca
# or verify-full mode it should fail
note "connect without server root cert";
-test_connect_ok("sslrootcert=invalid sslmode=require");
-test_connect_fails("sslrootcert=invalid sslmode=verify-ca");
-test_connect_fails("sslrootcert=invalid sslmode=verify-full");
+test_connect_ok($common_connstr, "sslrootcert=invalid sslmode=require");
+test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-ca");
+test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-full");
# Try with wrong root cert, should fail. (we're using the client CA as the
# root, but the server's key is signed by the server CA)
note "connect without wrong server root cert";
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=require");
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-ca");
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-full");
+test_connect_fails($common_connstr,
+ "sslrootcert=ssl/client_ca.crt sslmode=require");
+test_connect_fails($common_connstr,
+ "sslrootcert=ssl/client_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
+ "sslrootcert=ssl/client_ca.crt sslmode=verify-full");
# Try with just the server CA's cert. This fails because the root file
# must contain the whole chain up to the root CA.
note "connect with server CA cert, without root CA";
-test_connect_fails("sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
+ "sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
# And finally, with the correct root cert.
note "connect with correct server CA cert file";
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=require");
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
+test_connect_ok($common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=require");
+test_connect_ok($common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
# Test with cert root file that contains two certificates. The client should
# be able to pick the right one, regardless of the order in the file.
-test_connect_ok("sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
-test_connect_ok("sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+ "sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+ "sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
note "testing sslcrl option with a non-revoked cert";
# Invalid CRL filename is the same as no CRL, succeeds
-test_connect_ok(
+test_connect_ok($common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid");
# A CRL belonging to a different CA is not accepted, fails
-test_connect_fails(
+test_connect_fails($common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl");
# With the correct CRL, succeeds (this cert is not revoked)
-test_connect_ok(
+test_connect_ok($common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
);
$common_connstr =
"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
-test_connect_ok("sslmode=require host=wronghost.test");
-test_connect_ok("sslmode=verify-ca host=wronghost.test");
-test_connect_fails("sslmode=verify-full host=wronghost.test");
+test_connect_ok($common_connstr, "sslmode=require host=wronghost.test");
+test_connect_ok($common_connstr, "sslmode=verify-ca host=wronghost.test");
+test_connect_fails($common_connstr, "sslmode=verify-full host=wronghost.test");
# Test Subject Alternative Names.
switch_server_cert($node, 'server-multiple-alt-names');
$common_connstr =
"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
-test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
-test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
-test_connect_ok("host=foo.wildcard.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=foo.wildcard.pg-ssltest.test");
-test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
-test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+ "host=deep.subdomain.wildcard.pg-ssltest.test");
# Test certificate with a single Subject Alternative Name. (this gives a
# slightly different error message, that's all)
$common_connstr =
"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
-test_connect_ok("host=single.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=single.alt-name.pg-ssltest.test");
-test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
-test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+ "host=deep.subdomain.wildcard.pg-ssltest.test");
# Test server certificate with a CN and SANs. Per RFCs 2818 and 6125, the CN
# should be ignored when the certificate has both.
$common_connstr =
"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
-test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
-test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
-test_connect_fails("host=common-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=common-name.pg-ssltest.test");
# Finally, test a server certificate that has no CN or SANs. Of course, that's
# not a very sensible certificate, but libpq should handle it gracefully.
$common_connstr =
"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
-test_connect_ok("sslmode=verify-ca host=common-name.pg-ssltest.test");
-test_connect_fails("sslmode=verify-full host=common-name.pg-ssltest.test");
+test_connect_ok($common_connstr,
+ "sslmode=verify-ca host=common-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+ "sslmode=verify-full host=common-name.pg-ssltest.test");
# Test that the CRL works
note "testing client-side CRL";
"user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
# Without the CRL, succeeds. With it, fails.
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
-test_connect_fails(
+test_connect_ok($common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
);
"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";
# no client cert
-test_connect_fails("user=ssltestuser sslcert=invalid");
+test_connect_fails($common_connstr, "user=ssltestuser sslcert=invalid");
# correct client cert
-test_connect_ok(
+test_connect_ok($common_connstr,
"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
# client cert belonging to another user
-test_connect_fails(
+test_connect_fails($common_connstr,
"user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
# revoked client cert
-test_connect_fails(
+test_connect_fails($common_connstr,
"user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked.key"
);
$common_connstr =
"user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
-test_connect_ok("sslmode=require sslcert=ssl/client+client_ca.crt");
-test_connect_fails("sslmode=require sslcert=ssl/client.crt");
+test_connect_ok($common_connstr,
+ "sslmode=require sslcert=ssl/client+client_ca.crt");
+test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt");
# clean up
unlink "ssl/client_tmp.key";
projects / postgresql.git / commitdiff