Add checks for regexes with user name map in test for peer authentication

There is already some coverage for that in the kerberos test suite,
though it requires PG_TEST_EXTRA to be set as per its insecure nature.
This provides coverage in a default setup, as long as peer is supported
on the platform where its test is run.

Author: Bertrand Drouvot
Discussion: https://postgr.es/m/7f87ca27-e184-29da-15d6-8be4325ad02e@gmail.com

diff --git a/src/test/authentication/t/003_peer.pl b/src/test/authentication/t/003_peer.pl
index fc951dea0648cb5643209d137b7e055f1b2778ff..ce8408a4f8c97ac7d4df48765d2ffdb7178f3725 100644 (file)
--- a/src/test/authentication/t/003_peer.pl
+++ b/src/test/authentication/t/003_peer.pl
@@ -23,18 +23,34 @@ sub reset_pg_hba
        return;
 }
 
+# Delete pg_ident.conf from the given node, add a new entry to it
+# and then execute a reload to refresh it.
+sub reset_pg_ident
+{
+       my $node        = shift;
+       my $map_name    = shift;
+       my $system_user = shift;
+       my $pg_user     = shift;
+
+       unlink($node->data_dir . '/pg_ident.conf');
+       $node->append_conf('pg_ident.conf', "$map_name $system_user $pg_user");
+       $node->reload;
+       return;
+}
+
 # Test access for a single role, useful to wrap all tests into one.
 sub test_role
 {
        local $Test::Builder::Level = $Test::Builder::Level + 1;
 
-       my ($node, $role, $method, $expected_res, %params) = @_;
+       my ($node, $role, $method, $expected_res, $test_details, %params) = @_;
        my $status_string = 'failed';
        $status_string = 'success' if ($expected_res eq 0);
 
        my $connstr = "user=$role";
        my $testname =
-         "authentication $status_string for method $method, role $role";
+         "authentication $status_string for method $method, role $role "
+         . $test_details;
 
        if ($expected_res eq 0)
        {
@@ -87,16 +103,50 @@ my $system_user =
 # Tests without the user name map.
 # Failure as connection is attempted with a database role not mapping
 # to an authorized system user.
-test_role($node, qq{testmapuser}, 'peer', 2,
+test_role(
+       $node, qq{testmapuser}, 'peer', 2,
+       'without user name map',
        log_like => [qr/Peer authentication failed for user "testmapuser"/]);
 
 # Tests with a user name map.
-$node->append_conf('pg_ident.conf', qq{mypeermap $system_user testmapuser});
+reset_pg_ident($node, 'mypeermap', $system_user, 'testmapuser');
 reset_pg_hba($node, 'peer map=mypeermap');
 
 # Success as the database role matches with the system user in the map.
-test_role($node, qq{testmapuser}, 'peer', 0,
+test_role($node, qq{testmapuser}, 'peer', 0, 'with user name map',
        log_like =>
          [qr/connection authenticated: identity="$system_user" method=peer/]);
 
+# Test with regular expression in user name map.
+# Extract the last 3 characters from the system_user
+# or the entire system_user (if its length is <= -3).
+my $regex_test_string = substr($system_user, -3);
+
+# Success as the regular expression matches.
+reset_pg_ident($node, 'mypeermap', qq{/^.*$regex_test_string\$},
+       'testmapuser');
+test_role(
+       $node,
+       qq{testmapuser},
+       'peer',
+       0,
+       'with regular expression in user name map',
+       log_like =>
+         [qr/connection authenticated: identity="$system_user" method=peer/]);
+
+
+# Concatenate system_user to system_user.
+$regex_test_string = $system_user . $system_user;
+
+# Failure as the regular expression does not match.
+reset_pg_ident($node, 'mypeermap', qq{/^.*$regex_test_string\$},
+       'testmapuser');
+test_role(
+       $node,
+       qq{testmapuser},
+       'peer',
+       2,
+       'with regular expression in user name map',
+       log_like => [qr/no match in usermap "mypeermap" for user "testmapuser"/]);
+
 done_testing();