Hi hackers,
while working on [1], I thought it could also be useful to add regular
expression testing for user name mapping in the peer authentication TAP
test.
This kind of test already exists in kerberos/t/001_auth.pl, but the
proposed one in the peer authentication test would likely be run far
more widely.
Please find attached a patch proposal to do so.
[1]:
https://www.postgresql.org/message-id/4f55303e-62c1-1072-61db-fbfb30bd66c8%40gmail.com
Looking forward to your feedback,
Regards,
--
Bertrand Drouvot
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
diff --git a/src/test/authentication/t/003_peer.pl
b/src/test/authentication/t/003_peer.pl
index fc951dea06..4e2efbe5e3 100644
--- a/src/test/authentication/t/003_peer.pl
+++ b/src/test/authentication/t/003_peer.pl
@@ -23,18 +23,34 @@ sub reset_pg_hba
return;
}
+# Delete pg_ident.conf from the given node, add a new entry to it
+# and then execute a reload to refresh it.
+sub reset_pg_ident
+{
+ my $node = shift;
+ my $map_name = shift;
+ my $system_user = shift;
+ my $pg_user = shift;
+
+ unlink($node->data_dir . '/pg_ident.conf');
+ $node->append_conf('pg_ident.conf', "$map_name $system_user $pg_user");
+ $node->reload;
+ return;
+}
+
# Test access for a single role, useful to wrap all tests into one.
sub test_role
{
local $Test::Builder::Level = $Test::Builder::Level + 1;
- my ($node, $role, $method, $expected_res, %params) = @_;
+ my ($node, $role, $method, $expected_res, $test_details, %params) = @_;
my $status_string = 'failed';
$status_string = 'success' if ($expected_res eq 0);
my $connstr = "user=$role";
my $testname =
- "authentication $status_string for method $method, role $role";
+ "authentication $status_string for method $method, role $role "
+ . $test_details;
if ($expected_res eq 0)
{
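Review bot: The `unlink` in reset_pg_ident ignores its return value, so if the old pg_ident.conf cannot be removed the new map line is silently appended to the stale content, and a later positive test (the regex match) could pass because of the leftover literal `mypeermap $system_user testmapuser` entry rather than the regex under test. Capture the path and check the result: `my $ident = $node->data_dir . '/pg_ident.conf';` followed by `unlink($ident) or die "could not remove $ident: $!";`. Separately, the new `$test_details` argument is positional and sits before `%params`, so any test_role caller not updated by this patch would have its first `log_like` key swallowed as the description and the rest of the hash shifted; the callers visible in this patch are updated, but callers outside these hunks cannot be checked from here. test_role's body continues past the end of the hunk.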
@@ -87,16 +103,43 @@ my $system_user =
# Tests without the user name map.
# Failure as connection is attempted with a database role not mapping
# to an authorized system user.
-test_role($node, qq{testmapuser}, 'peer', 2,
+test_role(
+ $node, qq{testmapuser}, 'peer', 2,
+ 'without user name map',
log_like => [qr/Peer authentication failed for user "testmapuser"/]);
# Tests with a user name map.
-$node->append_conf('pg_ident.conf', qq{mypeermap $system_user testmapuser});
+reset_pg_ident($node, 'mypeermap', $system_user, 'testmapuser');
reset_pg_hba($node, 'peer map=mypeermap');
# Success as the database role matches with the system user in the map.
-test_role($node, qq{testmapuser}, 'peer', 0,
+test_role($node, qq{testmapuser}, 'peer', 0, 'with user name map',
log_like =>
[qr/connection authenticated: identity="$system_user" method=peer/]);
+# Test with regular expression in user name map.
+my $last_system_user_char = substr($system_user, -1);
+
+# The regular expression matches.
+reset_pg_ident($node, 'mypeermap', qq{/^.*$last_system_user_char\$},
+ 'testmapuser');
+test_role(
+ $node,
+ qq{testmapuser},
+ 'peer',
+ 0,
+ 'with regular expression in user name map',
+ log_like =>
+ [qr/connection authenticated: identity="$system_user" method=peer/]);
+
+# The regular expression does not match.
+reset_pg_ident($node, 'mypeermap', '/^$', 'testmapuser');
+test_role(
+ $node,
+ qq{testmapuser},
+ 'peer',
+ 2,
+ 'with regular expression in user name map',
+ log_like => [qr/no match in usermap "mypeermap" for user
"testmapuser"/]);
+
done_testing();
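Review bot: `$last_system_user_char` is interpolated unescaped into the map regex on the `reset_pg_ident($node, 'mypeermap', qq{/^.*$last_system_user_char\$}, ...)` line, so a system user name ending in a regex metacharacter (`.`, `+`, `$` and `)` are all legal in some OS account names) either yields a pattern that matches for the wrong reason (`.` matches any trailing character) or an invalid regex that makes the positive test fail for a reason unrelated to the feature. Escaping it with `my $last_system_user_char = quotemeta(substr($system_user, -1));` keeps the intent, and the backslash escape should be accepted by the server-side regex engine for non-alphanumeric characters. Also, both regex tests pass the identical description 'with regular expression in user name map'; naming the second 'with non-matching regular expression in user name map' makes a failure in the TAP output self-explaining.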