Generate new LOG for "trust" connections under log_connections
authorMichael Paquier <michael@paquier.xyz>
Sat, 26 Aug 2023 11:11:19 +0000 (20:11 +0900)
committerMichael Paquier <michael@paquier.xyz>
Sat, 26 Aug 2023 11:11:19 +0000 (20:11 +0900)
Adding an extra LOG for connections that have not set an authn ID, like
when the "trust" authentication method is used, is useful for audit
purposes.

A couple of TAP tests for SSL and authentication need to be tweaked to
adapt to this new LOG generated, as some scenarios expected no logs but
they now get a hit.

Reported-by: Shaun Thomas
Author: Jacob Champion
Reviewed-by: Robert Haas, Michael Paquier
Discussion: https://postgr.es/m/CAFdbL1N7-GF-ZXKaB3XuGA+CkSmnjFvqb8hgjMnDfd+uhL2u-A@mail.gmail.com

src/backend/libpq/auth.c
src/test/authentication/t/001_password.pl
src/test/ssl/t/001_ssltests.pl

index 0356fe3e454e33f2eace34be04fafaf563400a53..81dabb9c273e5d6acf337f7e235c5a4f6bf8c83f 100644 (file)
@@ -645,6 +645,22 @@ ClientAuthentication(Port *port)
 #endif
        }
 
+       if (Log_connections && status == STATUS_OK &&
+               !MyClientConnectionInfo.authn_id)
+       {
+               /*
+                * Normally, if log_connections is set, the call to set_authn_id()
+                * will log the connection.  However, if that function is never
+                * called, perhaps because the trust method is in use, then we handle
+                * the logging here instead.
+                */
+               ereport(LOG,
+                               errmsg("connection authenticated: user=\"%s\" method=%s "
+                                          "(%s:%d)",
+                                          port->user_name, hba_authname(port->hba->auth_method),
+                                          port->hba->sourcefile, port->hba->linenumber));
+       }
+
        if (ClientAuthentication_hook)
                (*ClientAuthentication_hook) (port, status);
 
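Review bot: The added comment should state that `port->user_name` is the role name the client requested and has not been verified by any authentication step, because the message reuses the `connection authenticated:` prefix. The branch runs only when `MyClientConnectionInfo.authn_id` is unset, so anyone auditing these lines needs to know that `user=` here is not an established identity. I would add to the comment: `No authn ID exists on this path: user= is the role name sent by the client, not a verified identity.` Since that name is client-supplied and printed between double quotes with a plain `%s`, log consumers should not split fields on the quote character alone. ClientAuthentication() begins and ends outside this hunk, and set_authn_id() is not shown, so its behaviour is taken from the comment only.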
index 12552837a8ed61ebaee435b723d5bc4507c7780f..891860886afb894cc9e95070e4229c30549f9e40 100644 (file)
@@ -136,13 +136,13 @@ SKIP:
 # Create a database to test regular expression.
 $node->safe_psql('postgres', "CREATE database regex_testdb;");
 
-# For "trust" method, all users should be able to connect. These users are not
-# considered to be authenticated.
+# For "trust" method, all users should be able to connect.
 reset_pg_hba($node, 'all', 'all', 'trust');
 test_conn($node, 'user=scram_role', 'trust', 0,
-       log_unlike => [qr/connection authenticated:/]);
+       log_like =>
+         [qr/connection authenticated: user="scram_role" method=trust/]);
 test_conn($node, 'user=md5_role', 'trust', 0,
-       log_unlike => [qr/connection authenticated:/]);
+       log_like => [qr/connection authenticated: user="md5_role" method=trust/]);
 
 # SYSTEM_USER is null when not authenticated.
 $res = $node->safe_psql('postgres', "SELECT SYSTEM_USER IS NULL;");
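Review bot: Switching both `test_conn` calls from `log_unlike` to `log_like` drops the only check that a trust connection records no authenticated identity; the new patterns would still pass if an identity line were logged as well. Keeping a negative assertion next to the positive one preserves that guard, for example `log_unlike => [qr/connection authenticated: identity=/]`, assuming the line emitted when an authn ID is set carries `identity=` (that code is not in this diff). The same applies to the two `connect_ok` hunks in src/test/ssl/t/001_ssltests.pl. The patterns also leave the `(%s:%d)` HBA file and line suffix unchecked, which may be intentional.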
index 76442de063f17670217178f15356da6a1223b85f..23248d71b066a27a1f624810c39212b47f1f059a 100644 (file)
@@ -800,8 +800,8 @@ $node->connect_ok(
        "$common_connstr user=ssltestuser sslcert=ssl/client.crt "
          . sslkey('client.key'),
        "auth_option clientcert=verify-full succeeds with matching username and Common Name",
-       # verify-full does not provide authentication
-       log_unlike => [qr/connection authenticated:/],);
+       log_like =>
+         [qr/connection authenticated: user="ssltestuser" method=trust/],);
 
 $node->connect_fails(
        "$common_connstr user=anotheruser sslcert=ssl/client.crt "
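Review bot: The removed comment `# verify-full does not provide authentication` is not replaced, so the reason this `clientcert=verify-full` case now expects `method=trust` is left unexplained. A reader could take the `connection authenticated:` match to mean the certificate established an identity, whereas the auth.c hunk logs this line only when no authn ID was set. I would keep a comment above `log_like`, such as `# clientcert only verifies the certificate; no authn ID is set, so the trust line is logged`. The same comment fits the verify-ca `connect_ok` in the next hunk. Both `connect_ok` calls start outside their hunks.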
@@ -818,8 +818,8 @@ $node->connect_ok(
        "$common_connstr user=yetanotheruser sslcert=ssl/client.crt "
          . sslkey('client.key'),
        "auth_option clientcert=verify-ca succeeds with mismatching username and Common Name",
-       # verify-full does not provide authentication
-       log_unlike => [qr/connection authenticated:/],);
+       log_like =>
+         [qr/connection authenticated: user="yetanotheruser" method=trust/],);
 
 # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file
 switch_server_cert($node, certfile => 'server-cn-only', cafile => 'root_ca');