On Fri, Apr 02, 2021 at 12:03:21AM +0000, Jacob Champion wrote: > On Thu, 2021-04-01 at 10:21 +0900, Michael Paquier wrote: > > This stuff can take advantage of 0d1a3343, and I > > think that we should make the kerberos, ldap, authentication and SSL > > test suites just use connect_ok() and connect_fails() from > > PostgresNode.pm. They just need to be extended a bit with a new > > argument for the log pattern check. > > v16, attached, migrates all tests in those suites to connect_ok/fails > (in the first two patches), and also adds the log pattern matching (in > the final feature patch).
Thanks. I have been looking at 0001 and 0002, and found the addition of %params to connect_ok() and connect_fails() confusing first, as this is only required for the 12th test of 001_password.pl (failure to grab a password for md5_role not located in a pgpass file with PGPASSWORD not set). Instead of falling into a trap where the tests could remain stuck, I think that we could just pass down -w from connect_ok() and connect_fails() to PostgresNode::psql. This change made also the parameter handling of the kerberos tests more confusing on two points: - PostgresNode::psql uses a query as an argument, so there was a mix between the query passed down within the set of parameters, but then removed from the list. - PostgresNode::psql uses already -XAt so there is no need to define it again. > A since-v15 diff is attached, but it should be viewed with suspicion > since I've rebased on top of the new SSL tests at the same time. That did not seem that suspicious to me ;) Anyway, after looking at 0003, the main patch, it becomes quite clear that the need to match logs depending on like() or unlike() is much more elegant once we have use of parameters in connect_ok() and connect_fails(), but I think that it is a mistake to pass down blindly the parameters to psql and delete some of them on the way while keeping the others. The existing code of HEAD only requires a SQL query or some expected stderr or stdout output, so let's make all that parameterized first. Attached is what I have come up with as the first building piece, which is basically a combination of 0001 and 0002, except that I modified things so as the number of arguments remains minimal for all the routines. This avoids the manipulation of the list of parameters passed down to PostgresNode::psql. The arguments for the optional query, the expected stdout and stderr are part of the parameter set (0001 was not doing that). For the main patch, this will need to be extended with two more parameters in each routine: log_like and log_unlike to match for the log patterns, handled as arrays of regexes. That's what 0003 is basically doing already. As a whole, this is a consolidation of its own, so let's apply this part first. -- Michael
From a184fe1e6488ca9a5f7c98ab02ae428e05a84449 Mon Sep 17 00:00:00 2001
From: Michael Paquier <mich...@paquier.xyz>
Date: Fri, 2 Apr 2021 13:44:39 +0900
Subject: [PATCH v18] Plug more TAP test suites with new PostgresNode's new
routines
This switches the kerberos, ldap and authentication to use connect_ok()
and connect_fails() recently introduced in PostgresNode.pm. The SSL
tests need some extra juggling to accomodate with the changes.
---
src/test/authentication/t/001_password.pl | 17 +++-
src/test/authentication/t/002_saslprep.pl | 18 +++-
src/test/kerberos/t/001_auth.pl | 41 +++-----
src/test/ldap/t/001_auth.pl | 15 ++-
src/test/perl/PostgresNode.pm | 67 +++++++++---
src/test/ssl/t/001_ssltests.pl | 118 +++++++++++-----------
src/test/ssl/t/002_scram.pl | 16 +--
7 files changed, 170 insertions(+), 122 deletions(-)
diff --git a/src/test/authentication/t/001_password.pl b/src/test/authentication/t/001_password.pl
index 36a616d7c7..4d5e304de1 100644
--- a/src/test/authentication/t/001_password.pl
+++ b/src/test/authentication/t/001_password.pl
@@ -46,12 +46,19 @@ sub test_role
$status_string = 'success' if ($expected_res eq 0);
- local $Test::Builder::Level = $Test::Builder::Level + 1;
+ my $connstr = "user=$role";
+ my $testname = "authentication $status_string for method $method, role $role";
- my $res = $node->psql('postgres', undef, extra_params => [ '-U', $role, '-w' ]);
- is($res, $expected_res,
- "authentication $status_string for method $method, role $role");
- return;
+ if ($expected_res eq 0)
+ {
+ $node->connect_ok($connstr, $testname);
+ }
+ else
+ {
+ # No match pattern checks are done here on errors, only the
+ # status code.
+ $node->connect_fails($connstr, $testname);
+ }
}
# Initialize primary node
diff --git a/src/test/authentication/t/002_saslprep.pl b/src/test/authentication/t/002_saslprep.pl
index 0aaab090ec..530344a5d6 100644
--- a/src/test/authentication/t/002_saslprep.pl
+++ b/src/test/authentication/t/002_saslprep.pl
@@ -41,12 +41,20 @@ sub test_login
$status_string = 'success' if ($expected_res eq 0);
+ my $connstr = "user=$role";
+ my $testname = "authentication $status_string for role $role with password $password";
+
$ENV{"PGPASSWORD"} = $password;
- my $res = $node->psql('postgres', undef, extra_params => [ '-U', $role ]);
- is($res, $expected_res,
- "authentication $status_string for role $role with password $password"
- );
- return;
+ if ($expected_res eq 0)
+ {
+ $node->connect_ok($connstr, $testname);
+ }
+ else
+ {
+ # No match pattern checks are done here on errors, only the
+ # status code
+ $node->connect_fails($connstr, $testname);
+ }
}
# Initialize primary node. Force UTF-8 encoding, so that we can use non-ASCII
diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl
index 38e9ef7b1f..31fdc49b86 100644
--- a/src/test/kerberos/t/001_auth.pl
+++ b/src/test/kerberos/t/001_auth.pl
@@ -20,7 +20,7 @@ use Time::HiRes qw(usleep);
if ($ENV{with_gssapi} eq 'yes')
{
- plan tests => 26;
+ plan tests => 30;
}
else
{
@@ -185,25 +185,18 @@ sub test_access
my ($node, $role, $query, $expected_res, $gssencmode, $test_name, $expect_log_msg) = @_;
# need to connect over TCP/IP for Kerberos
- my ($res, $stdoutres, $stderrres) = $node->psql(
- 'postgres',
- "$query",
- extra_params => [
- '-XAtd',
- $node->connstr('postgres')
- . " host=$host hostaddr=$hostaddr $gssencmode",
- '-U',
- $role
- ]);
+ my $connstr = $node->connstr('postgres') .
+ " user=$role host=$host hostaddr=$hostaddr $gssencmode";
- # If we get a query result back, it should be true.
- if ($res == $expected_res and $res eq 0)
+ if ($expected_res eq 0)
{
- is($stdoutres, "t", $test_name);
+ # The result is assumed to match "true", or "t", here.
+ $node->connect_ok($connstr, $test_name, sql => $query,
+ expected_stdout => qr/t/);
}
else
{
- is($res, $expected_res, $test_name);
+ $node->connect_fails($connstr, $test_name);
}
# Verify specified log message is logged in the log file.
@@ -227,20 +220,12 @@ sub test_query
my ($node, $role, $query, $expected, $gssencmode, $test_name) = @_;
# need to connect over TCP/IP for Kerberos
- my ($res, $stdoutres, $stderrres) = $node->psql(
- 'postgres',
- "$query",
- extra_params => [
- '-XAtd',
- $node->connstr('postgres')
- . " host=$host hostaddr=$hostaddr $gssencmode",
- '-U',
- $role
- ]);
+ my $connstr = $node->connstr('postgres') .
+ " user=$role host=$host hostaddr=$hostaddr $gssencmode";
- is($res, 0, $test_name);
- like($stdoutres, $expected, $test_name);
- is($stderrres, "", $test_name);
+ my ($stdoutres, $stderrres);
+
+ $node->connect_ok($connstr, $test_name, $query, $expected);
return;
}
diff --git a/src/test/ldap/t/001_auth.pl b/src/test/ldap/t/001_auth.pl
index 3bc7672451..b08ba6b281 100644
--- a/src/test/ldap/t/001_auth.pl
+++ b/src/test/ldap/t/001_auth.pl
@@ -163,12 +163,17 @@ note "running tests";
sub test_access
{
my ($node, $role, $expected_res, $test_name) = @_;
+ my $connstr = "user=$role";
- my $res =
- $node->psql('postgres', undef,
- extra_params => [ '-U', $role, '-c', 'SELECT 1' ]);
- is($res, $expected_res, $test_name);
- return;
+ if ($expected_res eq 0)
+ {
+ $node->connect_ok($connstr, $test_name);
+ }
+ else
+ {
+ # Currently, we don't check the error message, just the code.
+ $node->connect_fails($connstr, $test_name);
+ }
}
note "simple bind";
diff --git a/src/test/perl/PostgresNode.pm b/src/test/perl/PostgresNode.pm
index d6e10544bb..ba1407e761 100644
--- a/src/test/perl/PostgresNode.pm
+++ b/src/test/perl/PostgresNode.pm
@@ -1860,52 +1860,95 @@ sub interactive_psql
=pod
-=item $node->connect_ok($connstr, $test_name)
+=item $node->connect_ok($connstr, $test_name, %params)
Attempt a connection with a custom connection string. This is expected
to succeed.
+=over
+
+=item sql => B<value>
+
+If this parameter is set, this query is used for the connection attempt
+instead of the default.
+
+=item expected_stdout => B<value>
+
+If this regular expression is set, matches it with the output generated.
+
+=back
+
=cut
sub connect_ok
{
local $Test::Builder::Level = $Test::Builder::Level + 1;
- my ($self, $connstr, $test_name) = @_;
- my ($ret, $stdout, $stderr) = $self->psql(
+ my ($self, $connstr, $test_name, %params) = @_;
+
+ my $sql;
+ if (defined($params{sql}))
+ {
+ $sql = $params{sql};
+ }
+ else
+ {
+ $sql = "SELECT \$\$connected with $connstr\$\$";
+ }
+
+ my ($ret, $stdout, $stderr) = $self->psql(
'postgres',
- "SELECT \$\$connected with $connstr\$\$",
+ $sql,
+ extra_params => [ '-w'],
connstr => "$connstr",
on_error_stop => 0);
- ok($ret == 0, $test_name);
+ is($ret, 0, $test_name);
+
+ if (defined($params{expected_stdout}))
+ {
+ like($stdout, $params{expected_stdout}, "$test_name: matches");
+ }
}
=pod
-=item $node->connect_fails($connstr, $expected_stderr, $test_name)
+=item $node->connect_fails($connstr, $test_name, %params)
Attempt a connection with a custom connection string. This is expected
-to fail with a message that matches the regular expression
-$expected_stderr.
+to fail. The generated error message can be checked by specifying the
+regular expression $expected_stderr for a match.
+
+=over
+
+=item expected_stderr => B<value>
+
+If this regular expression is set, matches it with the output generated.
+
+=back
=cut
sub connect_fails
{
local $Test::Builder::Level = $Test::Builder::Level + 1;
- my ($self, $connstr, $expected_stderr, $test_name) = @_;
+ my ($self, $connstr, $test_name, %params) = @_;
my ($ret, $stdout, $stderr) = $self->psql(
'postgres',
"SELECT \$\$connected with $connstr\$\$",
+ extra_params => [ '-w'],
connstr => "$connstr");
- ok($ret != 0, $test_name);
- like($stderr, $expected_stderr, "$test_name: matches");
+ isnt($ret, 0, $test_name);
+
+ if (defined($params{expected_stderr}))
+ {
+ like($stderr, $params{expected_stderr}, "$test_name: matches");
+ }
}
=pod
-=item $node->poll_query_until($dbname, $query [, $expected ])
+=item $node->poll_query_until($dbname, $query [, $expected )
Run B<$query> repeatedly, until it returns the B<$expected> result
('t', or SQL boolean true, by default).
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index b1a63f279c..21beef01aa 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -137,8 +137,8 @@ $common_connstr =
# The server should not accept non-SSL connections.
$node->connect_fails(
"$common_connstr sslmode=disable",
- qr/\Qno pg_hba.conf entry\E/,
- "server doesn't accept non-SSL connections");
+ "server doesn't accept non-SSL connections",
+ expected_stderr => qr/\Qno pg_hba.conf entry\E/);
# Try without a root cert. In sslmode=require, this should work. In verify-ca
# or verify-full mode it should fail.
@@ -147,34 +147,34 @@ $node->connect_ok(
"connect without server root cert sslmode=require");
$node->connect_fails(
"$common_connstr sslrootcert=invalid sslmode=verify-ca",
- qr/root certificate file "invalid" does not exist/,
- "connect without server root cert sslmode=verify-ca");
+ "connect without server root cert sslmode=verify-ca",
+ expected_stderr => qr/root certificate file "invalid" does not exist/);
$node->connect_fails(
"$common_connstr sslrootcert=invalid sslmode=verify-full",
- qr/root certificate file "invalid" does not exist/,
- "connect without server root cert sslmode=verify-full");
+ "connect without server root cert sslmode=verify-full",
+ expected_stderr => qr/root certificate file "invalid" does not exist/);
# Try with wrong root cert, should fail. (We're using the client CA as the
# root, but the server's key is signed by the server CA.)
$node->connect_fails(
"$common_connstr sslrootcert=ssl/client_ca.crt sslmode=require",
- qr/SSL error/,
- "connect with wrong server root cert sslmode=require");
+ "connect with wrong server root cert sslmode=require",
+ expected_stderr => qr/SSL error/);
$node->connect_fails(
"$common_connstr sslrootcert=ssl/client_ca.crt sslmode=verify-ca",
- qr/SSL error/,
- "connect with wrong server root cert sslmode=verify-ca");
+ "connect with wrong server root cert sslmode=verify-ca",
+ expected_stderr => qr/SSL error/);
$node->connect_fails(
"$common_connstr sslrootcert=ssl/client_ca.crt sslmode=verify-full",
- qr/SSL error/,
- "connect with wrong server root cert sslmode=verify-full");
+ "connect with wrong server root cert sslmode=verify-full",
+ expected_stderr => qr/SSL error/);
# Try with just the server CA's cert. This fails because the root file
# must contain the whole chain up to the root CA.
$node->connect_fails(
"$common_connstr sslrootcert=ssl/server_ca.crt sslmode=verify-ca",
- qr/SSL error/,
- "connect with server CA cert, without root CA");
+ "connect with server CA cert, without root CA",
+ expected_stderr => qr/SSL error/);
# And finally, with the correct root cert.
$node->connect_ok(
@@ -206,14 +206,14 @@ $node->connect_ok(
# A CRL belonging to a different CA is not accepted, fails
$node->connect_fails(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl",
- qr/SSL error/,
- "CRL belonging to a different CA");
+ "CRL belonging to a different CA",
+ expected_stderr => qr/SSL error/);
# The same for CRL directory
$node->connect_fails(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/client-crldir",
- qr/SSL error/,
- "directory CRL belonging to a different CA");
+ "directory CRL belonging to a different CA",
+ expected_stderr => qr/SSL error/);
# With the correct CRL, succeeds (this cert is not revoked)
$node->connect_ok(
@@ -237,8 +237,8 @@ $node->connect_ok(
"mismatch between host name and server certificate sslmode=verify-ca");
$node->connect_fails(
"$common_connstr sslmode=verify-full host=wronghost.test",
- qr/\Qserver certificate for "common-name.pg-ssltest.test" does not match host name "wronghost.test"\E/,
- "mismatch between host name and server certificate sslmode=verify-full");
+ "mismatch between host name and server certificate sslmode=verify-full",
+ expected_stderr => qr/\Qserver certificate for "common-name.pg-ssltest.test" does not match host name "wronghost.test"\E/);
# Test Subject Alternative Names.
switch_server_cert($node, 'server-multiple-alt-names');
@@ -257,12 +257,12 @@ $node->connect_ok("$common_connstr host=foo.wildcard.pg-ssltest.test",
$node->connect_fails(
"$common_connstr host=wronghost.alt-name.pg-ssltest.test",
- qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "wronghost.alt-name.pg-ssltest.test"\E/,
- "host name not matching with X.509 Subject Alternative Names");
+ "host name not matching with X.509 Subject Alternative Names",
+ expected_stderr => qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "wronghost.alt-name.pg-ssltest.test"\E/);
$node->connect_fails(
"$common_connstr host=deep.subdomain.wildcard.pg-ssltest.test",
- qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/,
- "host name not matching with X.509 Subject Alternative Names wildcard");
+ "host name not matching with X.509 Subject Alternative Names wildcard",
+ expected_stderr => qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/);
# Test certificate with a single Subject Alternative Name. (this gives a
# slightly different error message, that's all)
@@ -277,12 +277,12 @@ $node->connect_ok(
$node->connect_fails(
"$common_connstr host=wronghost.alt-name.pg-ssltest.test",
- qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "wronghost.alt-name.pg-ssltest.test"\E/,
- "host name not matching with a single X.509 Subject Alternative Name");
+ "host name not matching with a single X.509 Subject Alternative Name",
+ expected_stderr => qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "wronghost.alt-name.pg-ssltest.test"\E/);
$node->connect_fails(
"$common_connstr host=deep.subdomain.wildcard.pg-ssltest.test",
- qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/,
- "host name not matching with a single X.509 Subject Alternative Name wildcard"
+ "host name not matching with a single X.509 Subject Alternative Name wildcard",
+ expected_stderr => qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/
);
# Test server certificate with a CN and SANs. Per RFCs 2818 and 6125, the CN
@@ -298,8 +298,8 @@ $node->connect_ok("$common_connstr host=dns2.alt-name.pg-ssltest.test",
"certificate with both a CN and SANs 2");
$node->connect_fails(
"$common_connstr host=common-name.pg-ssltest.test",
- qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 1 other name) does not match host name "common-name.pg-ssltest.test"\E/,
- "certificate with both a CN and SANs ignores CN");
+ "certificate with both a CN and SANs ignores CN",
+ expected_stderr => qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 1 other name) does not match host name "common-name.pg-ssltest.test"\E/);
# Finally, test a server certificate that has no CN or SANs. Of course, that's
# not a very sensible certificate, but libpq should handle it gracefully.
@@ -313,8 +313,8 @@ $node->connect_ok(
$node->connect_fails(
$common_connstr . " "
. "sslmode=verify-full host=common-name.pg-ssltest.test",
- qr/could not get server's host name from server certificate/,
- "server certificate without CN or SANs sslmode=verify-full");
+ "server certificate without CN or SANs sslmode=verify-full",
+ expected_stderr => qr/could not get server's host name from server certificate/);
# Test that the CRL works
switch_server_cert($node, 'server-revoked');
@@ -328,12 +328,12 @@ $node->connect_ok(
"connects without client-side CRL");
$node->connect_fails(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
- qr/SSL error/,
- "does not connect with client-side CRL file");
+ "does not connect with client-side CRL file",
+ expected_stderr => qr/SSL error/);
$node->connect_fails(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir",
- qr/SSL error/,
- "does not connect with client-side CRL directory");
+ "does not connect with client-side CRL directory",
+ expected_stderr => qr/SSL error/);
# pg_stat_ssl
command_like(
@@ -355,16 +355,16 @@ $node->connect_ok(
"connection success with correct range of TLS protocol versions");
$node->connect_fails(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.1",
- qr/invalid SSL protocol version range/,
- "connection failure with incorrect range of TLS protocol versions");
+ "connection failure with incorrect range of TLS protocol versions",
+ expected_stderr => qr/invalid SSL protocol version range/);
$node->connect_fails(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=incorrect_tls",
- qr/invalid ssl_min_protocol_version value/,
- "connection failure with an incorrect SSL protocol minimum bound");
+ "connection failure with an incorrect SSL protocol minimum bound",
+ expected_stderr => qr/invalid ssl_min_protocol_version value/);
$node->connect_fails(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_max_protocol_version=incorrect_tls",
- qr/invalid ssl_max_protocol_version value/,
- "connection failure with an incorrect SSL protocol maximum bound");
+ "connection failure with an incorrect SSL protocol maximum bound",
+ expected_stderr => qr/invalid ssl_max_protocol_version value/);
### Server-side tests.
###
@@ -378,8 +378,8 @@ $common_connstr =
# no client cert
$node->connect_fails(
"$common_connstr user=ssltestuser sslcert=invalid",
- qr/connection requires a valid client certificate/,
- "certificate authorization fails without client cert");
+ "certificate authorization fails without client cert",
+ expected_stderr => qr/connection requires a valid client certificate/);
# correct client cert in unencrypted PEM
$node->connect_ok(
@@ -408,8 +408,8 @@ $node->connect_ok(
# correct client cert in encrypted PEM with wrong password
$node->connect_fails(
"$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword='wrong'",
- qr!\Qprivate key file "ssl/client-encrypted-pem_tmp.key": bad decrypt\E!,
- "certificate authorization fails with correct client cert and wrong password in encrypted PEM format"
+ "certificate authorization fails with correct client cert and wrong password in encrypted PEM format",
+ expected_stderr => qr!\Qprivate key file "ssl/client-encrypted-pem_tmp.key": bad decrypt\E!
);
@@ -446,14 +446,14 @@ TODO:
# correct client cert in encrypted PEM with empty password
$node->connect_fails(
"$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword=''",
- qr!\Qprivate key file "ssl/client-encrypted-pem_tmp.key": processing error\E!,
+ expected_stderr => qr!\Qprivate key file "ssl/client-encrypted-pem_tmp.key": processing error\E!,
"certificate authorization fails with correct client cert and empty password in encrypted PEM format"
);
# correct client cert in encrypted PEM with no password
$node->connect_fails(
"$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key",
- qr!\Qprivate key file "ssl/client-encrypted-pem_tmp.key": processing error\E!,
+ expected_stderr => qr!\Qprivate key file "ssl/client-encrypted-pem_tmp.key": processing error\E!,
"certificate authorization fails with correct client cert and no password in encrypted PEM format"
);
@@ -485,22 +485,22 @@ SKIP:
$node->connect_fails(
"$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_wrongperms_tmp.key",
- qr!\Qprivate key file "ssl/client_wrongperms_tmp.key" has group or world access\E!,
- "certificate authorization fails because of file permissions");
+ "certificate authorization fails because of file permissions",
+ expected_stderr => qr!\Qprivate key file "ssl/client_wrongperms_tmp.key" has group or world access\E!);
}
# client cert belonging to another user
$node->connect_fails(
"$common_connstr user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key",
- qr/certificate authentication failed for user "anotheruser"/,
- "certificate authorization fails with client cert belonging to another user"
+ "certificate authorization fails with client cert belonging to another user",
+ expected_stderr => qr/certificate authentication failed for user "anotheruser"/
);
# revoked client cert
$node->connect_fails(
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
- qr/SSL error/,
- "certificate authorization fails with revoked client cert");
+ "certificate authorization fails with revoked client cert",
+ expected_stderr => qr/SSL error/);
# Check that connecting with auth-option verify-full in pg_hba:
# works, iff username matches Common Name
@@ -515,8 +515,8 @@ $node->connect_ok(
$node->connect_fails(
"$common_connstr user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key",
- qr/FATAL/,
- "auth_option clientcert=verify-full fails with mismatching username and Common Name"
+ "auth_option clientcert=verify-full fails with mismatching username and Common Name",
+ expected_stderr => qr/FATAL/,
);
# Check that connecting with auth-optionverify-ca in pg_hba :
@@ -536,7 +536,7 @@ $node->connect_ok(
"intermediate client certificate is provided by client");
$node->connect_fails(
$common_connstr . " " . "sslmode=require sslcert=ssl/client.crt",
- qr/SSL error/, "intermediate client certificate is missing");
+ "intermediate client certificate is missing", expected_stderr => qr/SSL error/);
# test server-side CRL directory
switch_server_cert($node, 'server-cn-only', undef, undef, 'root+client-crldir');
@@ -544,8 +544,8 @@ switch_server_cert($node, 'server-cn-only', undef, undef, 'root+client-crldir');
# revoked client cert
$node->connect_fails(
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
- qr/SSL error/,
- "certificate authorization fails with revoked client cert with server-side CRL directory");
+ "certificate authorization fails with revoked client cert with server-side CRL directory",
+ expected_stderr => qr/SSL error/);
# clean up
foreach my $key (@keys)
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index e31650b931..640b95099a 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -60,8 +60,8 @@ $node->connect_ok(
# Test channel_binding
$node->connect_fails(
"$common_connstr user=ssltestuser channel_binding=invalid_value",
- qr/invalid channel_binding value: "invalid_value"/,
- "SCRAM with SSL and channel_binding=invalid_value");
+ "SCRAM with SSL and channel_binding=invalid_value",
+ expected_stderr => qr/invalid channel_binding value: "invalid_value"/);
$node->connect_ok("$common_connstr user=ssltestuser channel_binding=disable",
"SCRAM with SSL and channel_binding=disable");
if ($supports_tls_server_end_point)
@@ -74,15 +74,15 @@ else
{
$node->connect_fails(
"$common_connstr user=ssltestuser channel_binding=require",
- qr/channel binding is required, but server did not offer an authentication method that supports channel binding/,
- "SCRAM with SSL and channel_binding=require");
+ "SCRAM with SSL and channel_binding=require",
+ expected_stderr => qr/channel binding is required, but server did not offer an authentication method that supports channel binding/);
}
# Now test when the user has an MD5-encrypted password; should fail
$node->connect_fails(
"$common_connstr user=md5testuser channel_binding=require",
- qr/channel binding required but not supported by server's authentication request/,
- "MD5 with SSL and channel_binding=require");
+ "MD5 with SSL and channel_binding=require",
+ expected_stderr => qr/channel binding required but not supported by server's authentication request/);
# Now test with auth method 'cert' by connecting to 'certdb'. Should fail,
# because channel binding is not performed. Note that ssl/client.key may
@@ -93,8 +93,8 @@ copy("ssl/client.key", $client_tmp_key);
chmod 0600, $client_tmp_key;
$node->connect_fails(
"sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR dbname=certdb user=ssltestuser channel_binding=require",
- qr/channel binding required, but server authenticated client without channel binding/,
- "Cert authentication and channel_binding=require");
+ "Cert authentication and channel_binding=require",
+ expected_stderr => qr/channel binding required, but server authenticated client without channel binding/);
# clean up
unlink($client_tmp_key);
--
2.31.0
signature.asc
Description: PGP signature
