Re: use has_privs_of_role() for pg_hba.conf

Sun, 09 Oct 2022 14:14:30 -0700 

On Sun, Oct 09, 2022 at 10:19:51AM +0900, Michael Paquier wrote:
> Even if the patch is at the end rejected, I think that the test is
> still useful once you switch its logic to use membership and not
> inherited privileges for the roles created, and there is zero coverage
> for "samplegroup" and its kind currently.

Here you go.

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com

diff --git a/src/test/authentication/t/001_password.pl b/src/test/authentication/t/001_password.pl
index 93df77aa4e..5d4b30e5da 100644
--- a/src/test/authentication/t/001_password.pl
+++ b/src/test/authentication/t/001_password.pl
@@ -200,4 +200,52 @@ append_to_file(
 
 test_conn($node, 'user=md5_role', 'password from pgpass', 0);
 
+unlink($pgpassfile);
+delete $ENV{"PGPASSFILE"};
+
+# Create database and roles for inheritance tests
+reset_pg_hba($node, 'all', 'all', 'trust');
+$node->safe_psql('postgres', "CREATE DATABASE regress_regression_group;");
+$node->safe_psql('postgres', "CREATE ROLE regress_regression_group LOGIN PASSWORD 'pass';");
+$node->safe_psql('postgres', "CREATE ROLE regress_member LOGIN SUPERUSER IN ROLE regress_regression_group PASSWORD 'pass';");
+$node->safe_psql('postgres', "CREATE ROLE regress_not_member LOGIN SUPERUSER PASSWORD 'pass';");
+
+# Test role membership is respected for +
+$ENV{"PGPASSWORD"} = 'pass';
+reset_pg_hba($node, 'all', '+regress_regression_group', 'scram-sha-256');
+test_conn($node, 'user=regress_regression_group', 'scram-sha-256', 0,
+	log_like =>
+	  [qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/]);
+test_conn($node, 'user=regress_member', 'scram-sha-256', 0,
+	log_like =>
+	  [qr/connection authenticated: identity="regress_member" method=scram-sha-256/]);
+test_conn($node, 'user=regress_not_member', 'scram-sha-256', 2,
+	log_unlike =>
+	  [qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/]);
+
+# Test role membership is respected for samerole
+$ENV{"PGDATABASE"} = 'regress_regression_group';
+reset_pg_hba($node, 'samerole', 'all', 'scram-sha-256');
+test_conn($node, 'user=regress_regression_group', 'scram-sha-256', 0,
+	log_like =>
+	  [qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/]);
+test_conn($node, 'user=regress_member', 'scram-sha-256', 0,
+	log_like =>
+	  [qr/connection authenticated: identity="regress_member" method=scram-sha-256/]);
+test_conn($node, 'user=regress_not_member', 'scram-sha-256', 2,
+	log_unlike =>
+	  [qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/]);
+
+# Test role membership is respected for samegroup
+reset_pg_hba($node, 'samegroup', 'all', 'scram-sha-256');
+test_conn($node, 'user=regress_regression_group', 'scram-sha-256', 0,
+	log_like =>
+	  [qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/]);
+test_conn($node, 'user=regress_member', 'scram-sha-256', 0,
+	log_like =>
+	  [qr/connection authenticated: identity="regress_member" method=scram-sha-256/]);
+test_conn($node, 'user=regress_not_member', 'scram-sha-256', 2,
+	log_unlike =>
+	  [qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/]);
+
 done_testing();

Reply via email to