summaryrefslogtreecommitdiff
path: root/src/test/ssl
Commit message (Collapse)AuthorAgeFilesLines
* Fix errormessage for missing system CA in OpenSSL 3.1Daniel Gustafsson2023-04-191-1/+3
| | | | | | | | | | | | | | | | | | | | The error message for a missing or invalid system CA when using sslrootcert=system differs based on the OpenSSL version used. In OpenSSL 1.0.1-3.0 it is reported as SSL Error, with varying degrees of helpfulness in the error message. With OpenSSL 3.1 it is reported as an SSL SYSCALL error with "Undefined error" as the error message. This fix pulls out the particular error in OpenSSL 3.1 as a certificate verify error in order to help the user better figure out what happened, and to keep the ssl test working. While there is no evidence that extracing the errors will clobber errno, this adds a guard against that regardless to also make the consistent with how we handle OpenSSL errors elsewhere. It also memorizes the output from OpenSSL 3.0 in the test in cases where the system CA isn't responding. Reported-by: Peter Eisentraut <peter.eisentraut@enterprisedb.com> Discussion: https://postgr.es/m/c39be3c5-c1a5-1e33-1024-16f527e251a4@enterprisedb.com
* Allow to use system CA pool for certificate verificationDaniel Gustafsson2023-04-053-1/+86
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds a new option to libpq's sslrootcert, "system", which will load the system trusted CA roots for certificate verification. This is a more convenient way to achieve this than pointing to the system CA roots manually since the location can differ by installation and be locally adjusted by env vars in OpenSSL. When sslrootcert is set to system, sslmode is forced to be verify-full as weaker modes aren't providing much security for public CAs. Changing the location of the system roots by setting environment vars is not supported by LibreSSL so the tests will use a heuristic to determine if the system being tested is LibreSSL or OpenSSL. The workaround in .cirrus.yml is required to handle a strange interaction between homebrew and the openssl@3 formula; hopefully this can be removed in the near future. The original patch was written by Thomas Habets, which was later revived by Jacob Champion. Author: Jacob Champion <jchampion@timescale.com> Author: Thomas Habets <thomas@habets.se> Reviewed-by: Jelte Fennema <postgres@jeltef.nl> Reviewed-by: Andrew Dunstan <andrew@dunslane.net> Reviewed-by: Magnus Hagander <magnus@hagander.net> Discussion: https://www.postgresql.org/message-id/flat/CA%2BkHd%2BcJwCUxVb-Gj_0ptr3_KZPwi3%2B67vK6HnLFBK9MzuYrLA%40mail.gmail.com
* libpq: Add sslcertmode option to control client certificatesMichael Paquier2023-03-242-0/+66
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The sslcertmode option controls whether the server is allowed and/or required to request a certificate from the client. There are three modes: - "allow" is the default and follows the current behavior, where a configured client certificate is sent if the server requests one (via one of its default locations or sslcert). With the current implementation, will happen whenever TLS is negotiated. - "disable" causes the client to refuse to send a client certificate even if sslcert is configured or if a client certificate is available in one of its default locations. - "require" causes the client to fail if a client certificate is never sent and the server opens a connection anyway. This doesn't add any additional security, since there is no guarantee that the server is validating the certificate correctly, but it may helpful to troubleshoot more complicated TLS setups. sslcertmode=require requires SSL_CTX_set_cert_cb(), available since OpenSSL 1.0.2. Note that LibreSSL does not include it. Using a connection parameter different than require_auth has come up as the simplest design because certificate authentication does not rely directly on any of the AUTH_REQ_* codes, and one may want to require a certificate to be sent in combination of a given authentication method, like SCRAM-SHA-256. TAP tests are added in src/test/ssl/, some of them relying on sslinfo to check if a certificate has been set. These are compatible across all the versions of OpenSSL supported on HEAD (currently down to 1.0.1). Author: Jacob Champion Reviewed-by: Aleksander Alekseev, Peter Eisentraut, David G. Johnston, Michael Paquier Discussion: https://postgr.es/m/9e5a8ccddb8355ea9fa4b75a1e3a9edc88a70cd3.camel@vmware.com
* libpq: Add support for require_auth to control authorized auth methodsMichael Paquier2023-03-141-0/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The new connection parameter require_auth allows a libpq client to define a list of comma-separated acceptable authentication types for use with the server. There is no negotiation: if the server does not present one of the allowed authentication requests, the connection attempt done by the client fails. The following keywords can be defined in the list: - password, for AUTH_REQ_PASSWORD. - md5, for AUTH_REQ_MD5. - gss, for AUTH_REQ_GSS[_CONT]. - sspi, for AUTH_REQ_SSPI and AUTH_REQ_GSS_CONT. - scram-sha-256, for AUTH_REQ_SASL[_CONT|_FIN]. - creds, for AUTH_REQ_SCM_CREDS (perhaps this should be removed entirely now). - none, to control unauthenticated connections. All the methods that can be defined in the list can be negated, like "!password", in which case the server must NOT use the listed authentication type. The special method "none" allows/disallows the use of unauthenticated connections (but it does not govern transport-level authentication via TLS or GSSAPI). Internally, the patch logic is tied to check_expected_areq(), that was used for channel_binding, ensuring that an incoming request is compatible with conn->require_auth. It also introduces a new flag, conn->client_finished_auth, which is set by various authentication routines when the client side of the handshake is finished. This signals to check_expected_areq() that an AUTH_REQ_OK from the server is expected, and allows the client to complain if the server bypasses authentication entirely, with for example the reception of a too-early AUTH_REQ_OK message. Regression tests are added in authentication TAP tests for all the keywords supported (except "creds", because it is around only for compatibility reasons). A new TAP script has been added for SSPI, as there was no script dedicated to it yet. It relies on SSPI being the default authentication method on Windows, as set by pg_regress. Author: Jacob Champion Reviewed-by: Peter Eisentraut, David G. Johnston, Michael Paquier Discussion: https://postgr.es/m/9e5a8ccddb8355ea9fa4b75a1e3a9edc88a70cd3.camel@vmware.com
* meson: Make auto the default of the ssl optionPeter Eisentraut2023-03-131-1/+1
| | | | | | | | | | The 'ssl' option is of type 'combo', but we add a choice 'auto' that simulates the behavior of a feature option. This way, openssl is used automatically by default if present, but we retain the ability to potentially select another ssl library. Author: Nazir Bilal Yavuz <byavuz81@gmail.com> Discussion: https://www.postgresql.org/message-id/flat/ad65ffd1-a9a7-fda1-59c6-f7dc763c3051%40enterprisedb.com
* Fix handling of SCRAM-SHA-256's channel binding with RSA-PSS certificatesMichael Paquier2023-02-156-4/+103
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | OpenSSL 1.1.1 and newer versions have added support for RSA-PSS certificates, which requires the use of a specific routine in OpenSSL to determine which hash function to use when compiling it when using channel binding in SCRAM-SHA-256. X509_get_signature_nid(), that is the original routine the channel binding code has relied on, is not able to determine which hash algorithm to use for such certificates. However, X509_get_signature_info(), new to OpenSSL 1.1.1, is able to do it. This commit switches the channel binding logic to rely on X509_get_signature_info() over X509_get_signature_nid(), which would be the choice when building with 1.1.1 or newer. The error could have been triggered on the client or the server, hence libpq and the backend need to have their related code paths patched. Note that attempting to load an RSA-PSS certificate with OpenSSL 1.1.0 or older leads to a failure due to an unsupported algorithm. The discovery of relying on X509_get_signature_info() comes from Jacob, the tests have been written by Heikki (with few tweaks from me), while I have bundled the whole together while adding the bits needed for MSVC and meson. This issue exists since channel binding exists, so backpatch all the way down. Some tests are added in 15~, triggered if compiling with OpenSSL 1.1.1 or newer, where the certificate and key files can easily be generated for RSA-PSS. Reported-by: Gunnar "Nick" Bluth Author: Jacob Champion, Heikki Linnakangas Discussion: https://postgr.es/m/17760-b6c61e752ec07060@postgresql.org Backpatch-through: 11
* Doc: make src/test/*/README match current reality.Tom Lane2023-02-071-2/+2
| | | | | | | | | Commit c3382a3c3, which moved the implementation of PG_TEST_EXTRA from src/test/Makefile into individual test scripts, broke the directions given in the subdirectory README files about how to run these tests by hand. Update. Also mention wal_consistency_checking in recovery/README --- that omission isn't the fault of c3382a3c3, but it's still an omission.
* Fix typos in comments, code and documentationMichael Paquier2023-01-031-1/+1
| | | | | | | | | | While on it, newlines are removed from the end of two elog() strings. The others are simple grammar mistakes. One comment in pg_upgrade referred incorrectly to sequences since a7e5457. Author: Justin Pryzby Discussion: https://postgr.es/m/20221230231257.GI1153@telsasoft.com Backpatch-through: 11
* Update copyright for 2023Bruce Momjian2023-01-028-8/+8
| | | | Backpatch-through: 11
* Use existing SSL certs in LDAP tests instead of generating themAndrew Dunstan2022-12-201-0/+5
| | | | | | | | The SSL test suite has a bunch of pre-existing certificates, so it's better simply to use what we already have than generate new certificates each time the LDAP tests are run. Discussion: https://postgr.es/m/bc305c7a-f390-44f2-2e82-9bcaec6108da@dunslane.net
* Add copyright notices to meson filesAndrew Dunstan2022-12-201-0/+2
| | | | Discussion: https://postgr.es/m/222b43a5-2fb3-2c1b-9cd0-375d376c8246@dunslane.net
* Make finding openssl program a configure or meson optionPeter Eisentraut2022-10-204-21/+24
| | | | | | | | | | | | | | | | | Various test suites use the "openssl" program as part of their setup. There isn't a way to override which openssl program is to be used, other than by fiddling with the path, perhaps. This has gotten increasingly problematic because different versions of openssl have different capabilities and do different things by default. This patch checks for an openssl binary in configure and meson setup, with appropriate ways to override it. This is similar to how "lz4" and "zstd" are handled, for example. The meson build system actually already did this, but the result was only used in some places. This is now applied more uniformly. Reviewed-by: Michael Paquier <michael@paquier.xyz> Discussion: https://www.postgresql.org/message-id/flat/dc638b75-a16a-007d-9e1c-d16ed6cf0ad2%40enterprisedb.com
* meson: Add initial version of meson based build systemAndres Freund2022-09-211-0/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Autoconf is showing its age, fewer and fewer contributors know how to wrangle it. Recursive make has a lot of hard to resolve dependency issues and slow incremental rebuilds. Our home-grown MSVC build system is hard to maintain for developers not using Windows and runs tests serially. While these and other issues could individually be addressed with incremental improvements, together they seem best addressed by moving to a more modern build system. After evaluating different build system choices, we chose to use meson, to a good degree based on the adoption by other open source projects. We decided that it's more realistic to commit a relatively early version of the new build system and mature it in tree. This commit adds an initial version of a meson based build system. It supports building postgres on at least AIX, FreeBSD, Linux, macOS, NetBSD, OpenBSD, Solaris and Windows (however only gcc is supported on aix, solaris). For Windows/MSVC postgres can now be built with ninja (faster, particularly for incremental builds) and msbuild (supporting the visual studio GUI, but building slower). Several aspects (e.g. Windows rc file generation, PGXS compatibility, LLVM bitcode generation, documentation adjustments) are done in subsequent commits requiring further review. Other aspects (e.g. not installing test-only extensions) are not yet addressed. When building on Windows with msbuild, builds are slower when using a visual studio version older than 2019, because those versions do not support MultiToolTask, required by meson for intra-target parallelism. The plan is to remove the MSVC specific build system in src/tools/msvc soon after reaching feature parity. However, we're not planning to remove the autoconf/make build system in the near future. Likely we're going to keep at least the parts required for PGXS to keep working around until all supported versions build with meson. Some initial help for postgres developers is at https://wiki.postgresql.org/wiki/Meson With contributions from Thomas Munro, John Naylor, Stone Tickle and others. Author: Andres Freund <andres@anarazel.de> Author: Nazir Bilal Yavuz <byavuz81@gmail.com> Author: Peter Eisentraut <peter@eisentraut.org> Reviewed-By: Peter Eisentraut <peter.eisentraut@enterprisedb.com> Discussion: https://postgr.es/m/20211012083721.hvixq4pnh2pixr3j@alap3.anarazel.de
* Use \b in one more PG_TEST_EXTRA check, oversight in c3382a3c3ccAndres Freund2022-09-201-1/+1
| | | | Per off-list report from Thomas Munro.
* Refactor PG_TEST_EXTRA logic in autoconf buildAndres Freund2022-09-203-0/+12
| | | | | | | | | | | To avoid duplicating the PG_TEST_EXTRA logic in Makefiles into the upcoming meson based build definition, move the checks into the the tests themselves. That also has the advantage of making skipped tests visible. Reviewed-by: Peter Eisentraut <peter.eisentraut@enterprisedb.com> Author: Nazir Bilal Yavuz <byavuz81@gmail.com> Author: Andres Freund <andres@anarazel.de> Discussion: https://postgr.es/m/7dae5979-c6c0-cec5-7a36-76a85aa8053d@enterprisedb.com
* Remove various duplicated wordsDavid Rowley2022-09-201-1/+1
| | | | | Author: Justin Pryzby Discussion: https://postgr.es/m/20220919111000.GW31833@telsasoft.com
* Don't reflect unescaped cert data to the logsPeter Eisentraut2022-09-1310-41/+119
| | | | | | | | | | | | | | | | | | | | | | Commit 3a0e385048 introduced a new path for unauthenticated bytes from the client certificate to be printed unescaped to the logs. There are a handful of these already, but it doesn't make sense to keep making the problem worse. \x-escape any unprintable bytes. The test case introduces a revoked UTF-8 certificate. This requires the addition of the `-utf8` flag to `openssl req`. Since the existing certificates all use an ASCII subset, this won't modify the existing certificates' subjects if/when they get regenerated; this was verified experimentally with $ make sslfiles-clean $ make sslfiles Unfortunately the test can't be run in the CI yet due to a test timing issue; see 55828a6b60. Author: Jacob Champion <jchampion@timescale.com> Discussion: https://www.postgresql.org/message-id/CAAWbhmgsvHrH9wLU2kYc3pOi1KSenHSLAHBbCVmmddW6-mc_=w@mail.gmail.com
* Disable unstable test cases in src/test/ssl/t/001_ssltests.pl.Tom Lane2022-07-161-4/+7
| | | | | | Missed one in 55828a6b6084724b08675615a4e911ad4d421cd1 :-( Discussion: https://postgr.es/m/E1oCNLk-000LCH-Af@gemulon.postgresql.org
* Disable unstable test cases in src/test/ssl/t/001_ssltests.pl.Tom Lane2022-07-161-18/+27
| | | | | | | | | | | | | | | | Some of the test cases added by commit 3a0e38504 are failing intermittently in CI testing. It looks like, when a connection attempt fails, it's possible for psql to exit and the test script to slurp up the postmaster's log file before the connected backend has managed to write the log entry we're expecting to see. It's not clear whether that's fixable in any robust way. Pending more thought, just comment out the log_like checks. The ones in connect_ok tests should be fine, since surely the log entry should be emitted before we complete the client auth sequence. I took out all the ones in connect_fails tests though. Discussion: https://postgr.es/m/E1oCNLk-000LCH-Af@gemulon.postgresql.org
* Log details for client certificate failuresPeter Eisentraut2022-07-156-4/+101
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, debugging client certificate verification failures is mostly limited to looking at the TLS alert code on the client side. For simple deployments, sometimes it's enough to see "sslv3 alert certificate revoked" and know exactly what needs to be fixed, but if you add any more complexity (multiple CA layers, misconfigured CA certificates, etc.), trying to debug what happened based on the TLS alert alone can be an exercise in frustration. Luckily, the server has more information about exactly what failed in the chain, and we already have the requisite callback implemented as a stub. We fill that in, collect the data, and pass the constructed error message back to the main code via a static variable. This lets us add our error details directly to the final "could not accept SSL connection" log message, as opposed to issuing intermediate LOGs. It ends up looking like LOG: connection received: host=localhost port=43112 LOG: could not accept SSL connection: certificate verify failed DETAIL: Client certificate verification failed at depth 1: unable to get local issuer certificate. Failed certificate data (unverified): subject "/CN=Test CA for PostgreSQL SSL regression test client certs", serial number 2315134995201656577, issuer "/CN=Test root CA for PostgreSQL SSL regression test suite". The length of the Subject and Issuer strings is limited to prevent malicious client certs from spamming the logs. In case the truncation makes things ambiguous, the certificate's serial number is also logged. Author: Jacob Champion <pchampion@vmware.com> Discussion: https://www.postgresql.org/message-id/flat/d13c4a5787c2a3f83705124f0391e0738c796751.camel@vmware.com
* Remove unportable testPeter Eisentraut2022-06-241-7/+0
| | | | | | | | | | | | | | | | The ssl test "IPv4 host with CIDR mask does not match" apparently has a portability problem. Some operating systems don't reject the host name specification "192.0.2.1/32" as an IP address, and that is then later rejected when the SNI is set, which results in a different error message that the test is supposed to verify. The value of the test has been questioned in the discussion, and it was suggested that removing it would be an acceptable fix, so that's what this is doing. Reported-by: Nazir Bilal Yavuz <byavuz81@gmail.com> Bug: #17522 Discussion: https://www.postgresql.org/message-id/flat/17522-bfcd5c603b5f4daa%40postgresql.org
* Pre-beta mechanical code beautification.Tom Lane2022-05-125-95/+166
| | | | | Run pgindent, pgperltidy, and reformat-dat-files. I manually fixed a couple of comments that pgindent uglified.
* Fix typos and grammar in code and test commentsMichael Paquier2022-05-111-1/+1
| | | | | | | | This fixes the grammar of some comments in a couple of tests (SQL and TAP), and in some C files. Author: Justin Pryzby Discussion: https://postgr.es/m/20220511020334.GH19626@telsasoft.com
* libpq: Allow IP address SANs in server certificatesPeter Eisentraut2022-04-0114-0/+373
| | | | | | | | | | | | | | | | | | | | | | | | | The current implementation supports exactly one IP address in a server certificate's Common Name, which is brittle (the strings must match exactly). This patch adds support for IPv4 and IPv6 addresses in a server's Subject Alternative Names. Per discussion on-list: - If the client's expected host is an IP address, we allow fallback to the Subject Common Name if an iPAddress SAN is not present, even if a dNSName is present. This matches the behavior of NSS, in violation of the relevant RFCs. - We also, counter-intuitively, match IP addresses embedded in dNSName SANs. From inspection this appears to have been the behavior since the SAN matching feature was introduced in acd08d76. - Unlike NSS, we don't map IPv4 to IPv6 addresses, or vice-versa. Author: Jacob Champion <pchampion@vmware.com> Co-authored-by: Kyotaro Horiguchi <horikyota.ntt@gmail.com> Co-authored-by: Daniel Gustafsson <daniel@yesql.se> Discussion: https://www.postgresql.org/message-id/flat/9f5f20974cd3a4091a788cf7f00ab663d5fcdffe.camel@vmware.com
* Add SSL tests for IP addresses in certificatesPeter Eisentraut2022-04-018-1/+147
| | | | | | | | | | This tests some scenarios that already work. A subsequent patch will introduce more functionality. Author: Jacob Champion <pchampion@vmware.com> Co-authored-by: Kyotaro Horiguchi <horikyota.ntt@gmail.com> Co-authored-by: Daniel Gustafsson <daniel@yesql.se> Discussion: https://www.postgresql.org/message-id/flat/9f5f20974cd3a4091a788cf7f00ab663d5fcdffe.camel@vmware.com
* SSL TAP test backend library independence refactoringDaniel Gustafsson2022-03-266-322/+664
| | | | | | | | | | | | | | | | | | | | | | | The SSL TAP tests were tightly coupled to the OpenSSL implementation, making it hard to add support for additional SSL/TLS backends. This refactoring makes the test avoid depending on specific implementations The SSLServer Perl module is renamed SSL::Server, which in turn use SSL::Backend::X where X is the backend pointed to by with_ssl. Each backend will implement its own module responsible for setting up keys, certs and to resolve sslkey values to their implementation specific value (file paths or vault nicknames etc). Further, switch_server_cert now takes a set of named parameters rather than a fixed set which used defaults. The modules also come with POD documentation. There are a few testcases which still use OpenSSL specifics, but it's not entirely clear how to abstract those until we have another library implemented. Original patch by me, with lots of rework by Andrew Dunstan to turn it into better Perl. Discussion: https://postgr.es/m/AA18A362-CA65-4F9A-AF61-76AE318FE97C@yesql.se
* Fix failures in SSL tests caused by out-of-tree keys and certificatesMichael Paquier2022-03-222-16/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | This issue is environment-sensitive, where the SSL tests could fail in various way by feeding on defaults provided by sslcert, sslkey, sslrootkey, sslrootcert, sslcrl and sslcrldir coming from a local setup, as of ~/.postgresql/ by default. Horiguchi-san has reported two failures, but more advanced testing from me (aka inclusion of garbage SSL configuration in ~/.postgresql/ for all the configuration parameters) has showed dozens of failures that can be triggered in the whole test suite. History has showed that we are not good when it comes to address such issues, fixing them locally like in dd87799, and such problems keep appearing. This commit strengthens the entire test suite to put an end to this set of problems by embedding invalid default values in all the connection strings used in the tests. The invalid values are prefixed in each connection string, relying on the follow-up values passed in the connection string to enforce any invalid value previously set. Note that two tests related to CRLs are required to fail with certain pre-set configurations, but we can rely on enforcing an empty value instead after the invalid set of values. Reported-by: Kyotaro Horiguchi Reviewed-by: Andrew Dunstan, Daniel Gustafsson, Kyotaro Horiguchi Discussion: https://postgr.es/m/20220316.163658.1122740600489097632.horikyota.ntt@gmail.com backpatch-through: 10
* Remove PostgreSQL::Test::Utils::perl2host completelyAndrew Dunstan2022-02-203-4/+4
| | | | | | | | | | | Commit f1ac4a74de disabled this processing, and as nothing has broken (as expected) here we proceed to remove the routine and adjust all the call sites. Backpatch to release 10 Discussion: https://postgr.es/m/0ba775a2-8aa0-0d56-d780-69427cf6f33d@dunslane.net Discussion: https://postgr.es/m/20220125023609.5ohu3nslxgoygihl@alap3.anarazel.de
* Replace Test::More plans with done_testingDaniel Gustafsson2022-02-113-11/+5
| | | | | | | | | | | | | | | | | | | Rather than doing manual book keeping to plan the number of tests to run in each TAP suite, conclude each run with done_testing() summing up the the number of tests that ran. This removes the need for maintaning and updating the plan count at the expense of an accurate count of remaining during the test suite runtime. This patch has been discussed a number of times, often in the context of other patches which updates tests, so a larger number of discussions can be found in the archives. Reviewed-by: Julien Rouhaud <rjuju123@gmail.com> Reviewed-by: Dagfinn Ilmari Mannsåker <ilmari@ilmari.org> Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us> Reviewed-by: Michael Paquier <michael@paquier.xyz> Reviewed-by: Kyotaro Horiguchi <horikyota.ntt@gmail.com> Discussion: https://postgr.es/m/DD399313-3D56-4666-8079-88949DAC870F@yesql.se
* Set SNI ClientHello extension to localhost in testsDaniel Gustafsson2022-02-103-9/+9
| | | | | | | | | | | | | | | | | | | | | | The connection strings in the SSL client tests were using the host set up from Cluster.pm which is a temporary pathname. When SNI is enabled we pass the host to OpenSSL in order to set the server name indication ClientHello extension via SSL_set_tlsext_host_name. OpenSSL doesn't validate the hostname apart from checking the max length, but LibreSSL checks for RFC 5890 conformance which results in errors during testing as the pathname from Cluster.pm is not a valid hostname. Fix by setting the host explicitly to localhost, as that's closer to the intent of the test. Backpatch through 14 where SNI support came in. Reported-by: Nazir Bilal Yavuz <byavuz81@gmail.com> Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us> Discussion: https://postgr.es/m/17391-304f81bcf724b58b@postgresql.org Backpatch-through: 14
* Update copyright for 2022Bruce Momjian2022-01-076-6/+6
| | | | Backpatch-through: 10
* Silence perl complaint in ssl testAndrew Dunstan2021-12-051-0/+1
| | | | | | Perl's hex() function complains if its argument contains trailing white space (or in fact anything other than hex digits), so remove the offending text.
* Fix path delimiters in connection string on WindowsDaniel Gustafsson2021-12-033-1/+4
| | | | | | | | | | The temporary path generated in commit c113d8ad5 cannot be passed as-is in the connection string on Windows since the path delimiting backslashes will be treated as escape characters. Fix by converting backslash to slash as in similar path usecases in other tests. Reported-by: Andres Freund <andres@anarazel.de> Discussion: https://postgr.es/m/20211202195130.e7pprpsx4ell22sp@alap3.anarazel.de
* Fix certificate paths to use perl2hostDaniel Gustafsson2021-12-013-17/+26
| | | | | | | | | | | | | Commit c113d8ad50 moved the copying of certificates into a temporary path for the duration of the tests, instead of using the source tree. This broke the tests on msys as the absolute path wasn't adapted for the msys platform. Ensure to convert the path with perl2host before copying and passing in the connection string. While there also make certificate copying error handling uniform across all the test suites. Discussion: https://postgr.es/m/YacT3tm97xziSUFw@paquier.xyz
* Use test-specific temp path for keys during SSL testDaniel Gustafsson2021-11-303-49/+42
| | | | | | | | | | | | The SSL and SCRAM TAP test suites both use temporary copies of the supplied test keys in order to ensure correct permissions. These were however copied inside the tree using temporary filenames rather than a true temporary folder. Fix by using tmp_check supplied by PostgreSQL::Test::Utils. Spotted by Tom Lane during review of the nearby sslinfo TAP test patch. Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us> Discussion: https://postgr.es/m/599244.1638041239@sss.pgh.pa.us
* Add TAP tests for contrib/sslinfoDaniel Gustafsson2021-11-307-1/+204
| | | | | | | | | | | | | This adds rudimentary coverage of the sslinfo extension into the SSL test harness. The output is validated by comparing with pg_stat_ssl to provide some level of test stability should the underlying certs be slightly altered. A new cert is added to provide an extension to test against. Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us> Reviewed-by: Andrew Dunstan <andrew@dunslane.net> Reviewed-by: Dagfinn Ilmari Mannsåker <ilmari@ilmari.org> Discussion: https://postgr.es/m/E23F9811-0C77-45DA-912F-D809AB140741@yesql.se
* Extend configure_test_server_for_ssl to add extensionsDaniel Gustafsson2021-11-302-14/+28
| | | | | | | | | | | In order to be able to test extensions with SSL connections, allow configure_test_server_for_ssl to create any extensions passed as an array. Each extension is created in all the test databases. Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us> Reviewed-by: Andrew Dunstan <andrew@dunslane.net> Reviewed-by: Dagfinn Ilmari Mannsåker <ilmari@ilmari.org> Discussion: https://postgr.es/m/E23F9811-0C77-45DA-912F-D809AB140741@yesql.se
* Doc: improve README files associated with TAP tests.Tom Lane2021-10-311-0/+2
| | | | | | | | | | | | | Rearrange src/test/perl/README so that the first section is more clearly "how to run these tests", and the rest "how to write new tests". Add some basic info there about debugging test failures. Then, add cross-refs to that READNE from other READMEs that describe how to run TAP tests. Per suggestion from Kevin Burke, though this is not his original patch. Discussion: https://postgr.es/m/CAKcy5eiSbwiQnmCfnOnDCVC7B8fYyev3E=6pvvECP9pLE-Fcuw@mail.gmail.com
* Fix VPATH builds for src/test/ssl targetsDaniel Gustafsson2021-10-271-2/+2
| | | | | | | | | | | Commit b4c4a00ea refactored the gist of the sslfiles target into a separate makefile in order to override settings in Makefile.global. The invocation of this this file didn't however include the absolute path for VPATH builds, resulting in "make clean" failing. Fix by providing the path to the new makefile. Reported-by: Andres Freund <andres@anarazel.de> Discussion: https://postgr.es/m/20211026174152.jjcagswnbhxu7uqz@alap3.anarazel.de
* Move Perl test modules to a better namespaceAndrew Dunstan2021-10-243-8/+8
| | | | | | | | | | | | | | | The five modules in our TAP test framework all had names in the top level namespace. This is unwise because, even though we're not exporting them to CPAN, the names can leak, for example if they are exported by the RPM build process. We therefore move the modules to the PostgreSQL::Test namespace. In the process PostgresNode is renamed to Cluster, and TestLib is renamed to Utils. PostgresVersion becomes simply PostgreSQL::Version, to avoid possible confusion about what it's the version of. Discussion: https://postgr.es/m/aede93a4-7d92-ef26-398f-5094944c2504@dunslane.net Reviewed by Erik Rijkers and Michael Paquier
* Fix SSL tests on 32-bit PerlDaniel Gustafsson2021-10-211-2/+14
| | | | | | | | | | | | | The certificate serial number generation was changed in b4c4a00ea to use the current timestamp. The testharness must thus interrogate the cert for the serialnumber using "openssl x509" which emits the serial in hex format. Converting the serial to integer format to match whats in pg_stat_ssl requires a 64-bit capable Perl. This adds a fallback to checking for an integer when the tests with a 32-bit Perl. Per failure on buildfarm member prairiedog. Discussion: https://postgr.es/m/0D295F43-806D-4B3F-AB98-F941A19E0271@yesql.se
* Refactor the sslfiles Makefile target for ease of useDaniel Gustafsson2021-10-1945-652/+778
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | The Makefile handling of certificate and keypairs used for TLS testing had become quite difficult to work with. Adding a new cert without the need to regenerate everything was too complicated. This patch refactors the sslfiles make target such that adding a new certificate requires only adding a .config file, adding it to the top of the Makefile, and running make sslfiles. Improvements: - Interfile dependencies should be fixed, with the exception of the CRL dirs. - New certificates have serial numbers based on the current time, reducing the chance of collision. - The CA index state is created on demand and cleaned up automatically at the end of the Make run. - *.config files are now self-contained; one certificate needs one config file instead of two. - Duplication is reduced, and along with it some unneeded code (and possible copy-paste errors). - all configuration files underneath the conf/ directory. The target is moved to its own makefile in order to avoid colliding with global make settings. Author: Jacob Champion <pchampion@vmware.com> Reviewed-by: Michael Paquier <michael@paquier.xyz> Discussion: https://postgr.es/m/d15a9838344ba090e09fd866abf913584ea19fb7.camel@vmware.com
* Remove unused regression test certificate server-ssDaniel Gustafsson2021-08-104-56/+1
| | | | | | | | The server-ss certificate was included in e39250c64 but was never used in the TLS regression tests so remove. Author: Jacob Champion Discussion: https://postgr.es/m/d15a9838344ba090e09fd866abf913584ea19fb7.camel@vmware.com
* Remove unused directory from test/ssl .gitignoreDaniel Gustafsson2021-07-291-1/+0
| | | | | | | | | | The clientside log saved from the testrun was removed in 1caef31d9 but the entry in the .gitignore file remained. While this exists in older branches as well, it's mostly a cosmetical fix so no back- patching is done. Reviewed-by: Michael Paquier Discussion: https://postgr.es/m/F8E73040-BB6F-43BF-95B4-3CEC037BE856@yesql.se
* Unify PostgresNode's new() and get_new_node() methodsAndrew Dunstan2021-07-292-2/+2
| | | | | | | | | There is only one constructor now for PostgresNode, with the idiomatic name 'new'. The method is not exported by the class, and must be called as "PostgresNode->new('name',[args])". All the TAP tests that use PostgresNode are modified accordingly. Third party scripts will need adjusting, which is a fairly mechanical process (I just used a sed script).
* Initial pgindent and pgperltidy run for v14.Tom Lane2021-05-122-5/+5
| | | | | | | | Also "make reformat-dat-files". The only change worthy of note is that pgindent messed up the formatting of launcher.c's struct LogicalRepWorkerId, which led me to notice that that struct wasn't used at all anymore, so I just took it out.
* Add a copyright notice to perl files lacking one.Andrew Dunstan2021-05-073-0/+9
|
* Remove channel binding requirement from clientcert=verify-full test.Tom Lane2021-04-071-2/+2
| | | | | | | | | | This fails on older OpenSSL versions that lack channel binding support. Since that feature is not essential to this test case, just remove it, instead of complicating matters. Per buildfarm. Jacob Champion Discussion: https://postgr.es/m/fa8dbbb58c20b1d1adf0082769f80d5466eaf485.camel@vmware.com
* Add some information about authenticated identity via log_connectionsMichael Paquier2021-04-072-11/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The "authenticated identity" is the string used by an authentication method to identify a particular user. In many common cases, this is the same as the PostgreSQL username, but for some third-party authentication methods, the identifier in use may be shortened or otherwise translated (e.g. through pg_ident user mappings) before the server stores it. To help administrators see who has actually interacted with the system, this commit adds the capability to store the original identity when authentication succeeds within the backend's Port, and generates a log entry when log_connections is enabled. The log entries generated look something like this (where a local user named "foouser" is connecting to the database as the database user called "admin"): LOG: connection received: host=[local] LOG: connection authenticated: identity="foouser" method=peer (/data/pg_hba.conf:88) LOG: connection authorized: user=admin database=postgres application_name=psql Port->authn_id is set according to the authentication method: bsd: the PostgreSQL username (aka the local username) cert: the client's Subject DN gss: the user principal ident: the remote username ldap: the final bind DN pam: the PostgreSQL username (aka PAM username) password (and all pw-challenge methods): the PostgreSQL username peer: the peer's pw_name radius: the PostgreSQL username (aka the RADIUS username) sspi: either the down-level (SAM-compatible) logon name, if compat_realm=1, or the User Principal Name if compat_realm=0 The trust auth method does not set an authenticated identity. Neither does clientcert=verify-full. Port->authn_id could be used for other purposes, like a superuser-only extra column in pg_stat_activity, but this is left as future work. PostgresNode::connect_{ok,fails}() have been modified to let tests check the backend log files for required or prohibited patterns, using the new log_like and log_unlike parameters. This uses a method based on a truncation of the existing server log file, like issues_sql_like(). Tests are added to the ldap, kerberos, authentication and SSL test suites. Author: Jacob Champion Reviewed-by: Stephen Frost, Magnus Hagander, Tom Lane, Michael Paquier Discussion: https://postgr.es/m/c55788dd1773c521c862e8e0dddb367df51222be.camel@vmware.com
* Fix some issues with SSL and Kerberos testsMichael Paquier2021-04-061-4/+4
| | | | | | | | | | The recent refactoring done in c50624c accidentally broke a portion of the kerberos tests checking after a query, so add its functionality back. Some inactive SSL tests had their arguments in an incorrect order, which would cause them to fail if they were to run. Author: Jacob Champion Discussion: https://postgr.es/m/4f5b0b3dc0b6fe9ae6a34886b4d4000f61eb567e.camel@vmware.com