author | Tom Lane <tgl@sss.pgh.pa.us> | 2023-05-19 17:24:48 -0400 |
committer | Tom Lane <tgl@sss.pgh.pa.us> | 2023-05-19 17:24:48 -0400 |
commit | 0245f8db36f375326c2bae0c3420d3c77714e72d (patch) | |
tree | 7ce91f23658a05ea24be4703fb06cdc6b56248f7 /src/test/ssl/t | |
parent | df6b19fbbc20d830de91d9bea68715a39635b568 (diff) | |
Pre-beta mechanical code beautification.
Run pgindent, pgperltidy, and reformat-dat-files.
This set of diffs is a bit larger than typical. We've updated to
pg_bsd_indent 2.1.2, which properly indents variable declarations that
have multi-line initialization expressions (the continuation lines are
now indented one tab stop). We've also updated to perltidy version
20230309 and changed some of its settings, which reduces its desire to
add whitespace to lines to make assignments etc. line up. Going
forward, that should make for fewer random-seeming changes to existing
code.
Discussion: https://postgr.es/m/20230428092545.qfb3y5wcu4cm75ur@alvherre.pgsql
Diffstat (limited to 'src/test/ssl/t')
-rw-r--r-- | src/test/ssl/t/001_ssltests.pl | 104 | ||||
-rw-r--r-- | src/test/ssl/t/002_scram.pl | 7 | ||||
-rw-r--r-- | src/test/ssl/t/003_sslinfo.pl | 7 | ||||
-rw-r--r-- | src/test/ssl/t/SSL/Backend/OpenSSL.pm | 16 | ||||
-rw-r--r-- | src/test/ssl/t/SSL/Server.pm | 18 |
5 files changed, 82 insertions, 70 deletions
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index e7956cb1a0f..76442de063f 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -19,7 +19,8 @@ if ($ENV{with_ssl} ne 'openssl') } elsif ($ENV{PG_TEST_EXTRA} !~ /\bssl\b/) { - plan skip_all => 'Potentially unsafe test SSL not enabled in PG_TEST_EXTRA'; + plan skip_all => + 'Potentially unsafe test SSL not enabled in PG_TEST_EXTRA'; } my $ssl_server = SSL::Server->new();
@@ -78,11 +79,11 @@ note "testing password-protected keys"; switch_server_cert( $node, - certfile => 'server-cn-only', - cafile => 'root+client_ca', - keyfile => 'server-password', + certfile => 'server-cn-only', + cafile => 'root+client_ca', + keyfile => 'server-password', passphrase_cmd => 'echo wrongpassword', - restart => 'no'); + restart => 'no'); command_fails( [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ],
@@ -91,11 +92,11 @@ $node->_update_pid(0); switch_server_cert( $node, - certfile => 'server-cn-only', - cafile => 'root+client_ca', - keyfile => 'server-password', + certfile => 'server-cn-only', + cafile => 'root+client_ca', + keyfile => 'server-password', passphrase_cmd => 'echo secret1', - restart => 'no'); + restart => 'no'); command_ok( [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ],
@@ -468,7 +469,8 @@ $node->connect_fails( qr/could not get server's host name from server certificate/); # Test system trusted roots. -switch_server_cert($node, +switch_server_cert( + $node, certfile => 'server-cn-only+server_ca', keyfile => 'server-cn-only', cafile => 'root_ca');
@@ -481,13 +483,15 @@ $common_connstr = $node->connect_fails( "$common_connstr sslmode=verify-full host=common-name.pg-ssltest.test", "sslrootcert=system does not connect with private CA", - expected_stderr => qr/SSL error: (certificate verify failed|unregistered scheme)/); + expected_stderr => + qr/SSL error: (certificate verify failed|unregistered scheme)/); # Modes other than verify-full cannot be mixed with sslrootcert=system. $node->connect_fails( "$common_connstr sslmode=verify-ca host=common-name.pg-ssltest.test", "sslrootcert=system only accepts sslmode=verify-full", - expected_stderr => qr/weak sslmode "verify-ca" may not be used with sslrootcert=system/); + expected_stderr => + qr/weak sslmode "verify-ca" may not be used with sslrootcert=system/); SKIP: {
@@ -503,7 +507,9 @@ SKIP: $node->connect_fails( "$common_connstr host=common-name.pg-ssltest.test.bad", "sslrootcert=system defaults to sslmode=verify-full", - expected_stderr => qr/server certificate for "common-name.pg-ssltest.test" does not match host name "common-name.pg-ssltest.test.bad"/); + expected_stderr => + qr/server certificate for "common-name.pg-ssltest.test" does not match host name "common-name.pg-ssltest.test.bad"/ + ); } # Test that the CRL works
@@ -530,10 +536,10 @@ $node->connect_fails( # pg_stat_ssl command_like( [ - 'psql', '-X', - '-A', '-F', - ',', '-P', - 'null=_null_', '-d', + 'psql', '-X', + '-A', '-F', + ',', '-P', + 'null=_null_', '-d', "$common_connstr sslrootcert=invalid", '-c', "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" ],
@@ -766,8 +772,8 @@ $node->connect_fails( qr/certificate authentication failed for user "anotheruser"/, # certificate authentication should be logged even on failure # temporarily(?) skip this check due to timing issue -# log_like => -# [qr/connection authenticated: identity="CN=ssltestuser" method=cert/], + # log_like => + # [qr/connection authenticated: identity="CN=ssltestuser" method=cert/], ); # revoked client cert
@@ -777,10 +783,10 @@ $node->connect_fails( "certificate authorization fails with revoked client cert", expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, # temporarily(?) skip this check due to timing issue -# log_like => [ -# qr{Client certificate verification failed at depth 0: certificate revoked}, -# qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number 2315134995201656577, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, -# ], + # log_like => [ + # qr{Client certificate verification failed at depth 0: certificate revoked}, + # qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number 2315134995201656577, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, + # ], # revoked certificates should not authenticate the user log_unlike => [qr/connection authenticated:/],);
@@ -818,7 +824,7 @@ $node->connect_ok( # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file switch_server_cert($node, certfile => 'server-cn-only', cafile => 'root_ca'); $common_connstr = - "$default_ssl_connstr user=ssltestuser dbname=certdb " + "$default_ssl_connstr user=ssltestuser dbname=certdb " . sslkey('client.key') . " sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR host=localhost";
@@ -831,26 +837,30 @@ $node->connect_fails( "intermediate client certificate is missing", expected_stderr => qr/SSL error: tlsv1 alert unknown ca/, # temporarily(?) skip this check due to timing issue -# log_like => [ -# qr{Client certificate verification failed at depth 0: unable to get local issuer certificate}, -# qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number 2315134995201656576, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, -# ] + # log_like => [ + # qr{Client certificate verification failed at depth 0: unable to get local issuer certificate}, + # qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number 2315134995201656576, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, + # ] ); $node->connect_fails( - "$common_connstr sslmode=require sslcert=ssl/client-long.crt " . sslkey('client-long.key'), + "$common_connstr sslmode=require sslcert=ssl/client-long.crt " + . sslkey('client-long.key'), "logged client certificate Subjects are truncated if they're too long", expected_stderr => qr/SSL error: tlsv1 alert unknown ca/, # temporarily(?) 
skip this check due to timing issue -# log_like => [ -# qr{Client certificate verification failed at depth 0: unable to get local issuer certificate}, -# qr{Failed certificate data \(unverified\): subject "\.\.\./CN=ssl-123456789012345678901234567890123456789012345678901234567890", serial number 2315418733629425152, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, -# ] + # log_like => [ + # qr{Client certificate verification failed at depth 0: unable to get local issuer certificate}, + # qr{Failed certificate data \(unverified\): subject "\.\.\./CN=ssl-123456789012345678901234567890123456789012345678901234567890", serial number 2315418733629425152, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, + # ] ); # Use an invalid cafile here so that the next test won't be able to verify the # client CA. -switch_server_cert($node, certfile => 'server-cn-only', cafile => 'server-cn-only'); +switch_server_cert( + $node, + certfile => 'server-cn-only', + cafile => 'server-cn-only'); # intermediate CA is provided but doesn't have a trusted root (checks error # logging for cert chain depths > 0) 
@@ -859,17 +869,17 @@ $node->connect_fails( "intermediate client certificate is untrusted", expected_stderr => qr/SSL error: tlsv1 alert unknown ca/, # temporarily(?) skip this check due to timing issue -# log_like => [ -# qr{Client certificate verification failed at depth 1: unable to get local issuer certificate}, -# qr{Failed certificate data \(unverified\): subject "/CN=Test CA for PostgreSQL SSL regression test client certs", serial number 2315134995201656577, issuer "/CN=Test root CA for PostgreSQL SSL regression test suite"}, -# ] + # log_like => [ + # qr{Client certificate verification failed at depth 1: unable to get local issuer certificate}, + # qr{Failed certificate data \(unverified\): subject "/CN=Test CA for PostgreSQL SSL regression test client certs", serial number 2315134995201656577, issuer "/CN=Test root CA for PostgreSQL SSL regression test suite"}, + # ] ); # test server-side CRL directory switch_server_cert( $node, certfile => 'server-cn-only', - crldir => 'root+client-crldir'); + crldir => 'root+client-crldir'); # revoked client cert $node->connect_fails(
@@ -878,10 +888,10 @@ $node->connect_fails( "certificate authorization fails with revoked client cert with server-side CRL directory", expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, # temporarily(?) skip this check due to timing issue -# log_like => [ -# qr{Client certificate verification failed at depth 0: certificate revoked}, -# qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number 2315134995201656577, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, -# ] + # log_like => [ + # qr{Client certificate verification failed at depth 0: certificate revoked}, + # qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number 2315134995201656577, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, + # ] ); # revoked client cert, non-ASCII subject
@@ -891,10 +901,10 @@ $node->connect_fails( "certificate authorization fails with revoked UTF-8 client cert with server-side CRL directory", expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, # temporarily(?) skip this check due to timing issue -# log_like => [ -# qr{Client certificate verification failed at depth 0: certificate revoked}, -# qr{Failed certificate data \(unverified\): subject "/CN=\\xce\\x9f\\xce\\xb4\\xcf\\x85\\xcf\\x83\\xcf\\x83\\xce\\xad\\xce\\xb1\\xcf\\x82", serial number 2315420958437414144, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, -# ] + # log_like => [ + # qr{Client certificate verification failed at depth 0: certificate revoked}, + # qr{Failed certificate data \(unverified\): subject "/CN=\\xce\\x9f\\xce\\xb4\\xcf\\x85\\xcf\\x83\\xcf\\x83\\xce\\xad\\xce\\xb1\\xcf\\x82", serial number 2315420958437414144, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, + # ] ); done_testing();
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index 8038135697f..28c54bdb09f 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -22,7 +22,8 @@ if ($ENV{with_ssl} ne 'openssl') } elsif ($ENV{PG_TEST_EXTRA} !~ /\bssl\b/) { - plan skip_all => 'Potentially unsafe test SSL not enabled in PG_TEST_EXTRA'; + plan skip_all => + 'Potentially unsafe test SSL not enabled in PG_TEST_EXTRA'; } my $ssl_server = SSL::Server->new();
@@ -70,7 +71,7 @@ $node->start; $ssl_server->configure_test_server_for_ssl( $node, $SERVERHOSTADDR, $SERVERHOSTCIDR, "scram-sha-256", - 'password' => "pass", + 'password' => "pass", 'password_enc' => "scram-sha-256"); switch_server_cert($node, certfile => 'server-cn-only'); $ENV{PGPASSWORD} = "pass";
@@ -117,7 +118,7 @@ $node->connect_fails( # because channel binding is not performed. Note that ssl/client.key may # be used in a different test, so the name of this temporary client key # is chosen here to be unique. -my $cert_tempdir = PostgreSQL::Test::Utils::tempdir(); +my $cert_tempdir = PostgreSQL::Test::Utils::tempdir(); my $client_tmp_key = "$cert_tempdir/client_scram.key"; copy("ssl/client.key", "$cert_tempdir/client_scram.key") or die
diff --git a/src/test/ssl/t/003_sslinfo.pl b/src/test/ssl/t/003_sslinfo.pl
index c073625213e..5306aad8023 100644
--- a/src/test/ssl/t/003_sslinfo.pl
+++ b/src/test/ssl/t/003_sslinfo.pl
@@ -20,7 +20,8 @@ if ($ENV{with_ssl} ne 'openssl') } elsif ($ENV{PG_TEST_EXTRA} !~ /\bssl\b/) { - plan skip_all => 'Potentially unsafe test SSL not enabled in PG_TEST_EXTRA'; + plan skip_all => + 'Potentially unsafe test SSL not enabled in PG_TEST_EXTRA'; } #### Some configuration
@@ -172,9 +173,9 @@ is($result, 'CA:FALSE|t', 'extract extension from cert'); # Sanity tests for sslcertmode, using ssl_client_cert_present() my @cases = ( - { opts => "sslcertmode=allow", present => 't' }, + { opts => "sslcertmode=allow", present => 't' }, { opts => "sslcertmode=allow sslcert=invalid", present => 'f' }, - { opts => "sslcertmode=disable", present => 'f' },); + { opts => "sslcertmode=disable", present => 'f' },); if ($supports_sslcertmode_require) { push(@cases, { opts => "sslcertmode=require", present => 't' });
diff --git a/src/test/ssl/t/SSL/Backend/OpenSSL.pm b/src/test/ssl/t/SSL/Backend/OpenSSL.pm
index b52035100a4..a762f43634f 100644
--- a/src/test/ssl/t/SSL/Backend/OpenSSL.pm
+++ b/src/test/ssl/t/SSL/Backend/OpenSSL.pm
@@ -71,8 +71,8 @@ sub init chmod(0600, glob "$pgdata/server-*.key") or die "failed to change permissions on server keys: $!"; _copy_files("ssl/root+client_ca.crt", $pgdata); - _copy_files("ssl/root_ca.crt", $pgdata); - _copy_files("ssl/root+client.crl", $pgdata); + _copy_files("ssl/root_ca.crt", $pgdata); + _copy_files("ssl/root+client.crl", $pgdata); mkdir("$pgdata/root+client-crldir") or die "unable to create server CRL dir $pgdata/root+client-crldir: $!"; _copy_files("ssl/root+client-crldir/*", "$pgdata/root+client-crldir/");
@@ -84,11 +84,11 @@ sub init # the tests. To get the full path for inclusion in connection strings, the # %key hash can be interrogated. my $cert_tempdir = PostgreSQL::Test::Utils::tempdir(); - my @keys = ( - "client.key", "client-revoked.key", - "client-der.key", "client-encrypted-pem.key", + my @keys = ( + "client.key", "client-revoked.key", + "client-der.key", "client-encrypted-pem.key", "client-encrypted-der.key", "client-dn.key", - "client_ext.key", "client-long.key", + "client_ext.key", "client-long.key", "client-revoked-utf8.key"); foreach my $keyfile (@keys) {
@@ -174,13 +174,13 @@ sub set_server_cert { my ($self, $params) = @_; - $params->{cafile} = 'root+client_ca' unless defined $params->{cafile}; + $params->{cafile} = 'root+client_ca' unless defined $params->{cafile}; $params->{crlfile} = 'root+client.crl' unless defined $params->{crlfile}; $params->{keyfile} = $params->{certfile} unless defined $params->{keyfile}; my $sslconf = - "ssl_ca_file='$params->{cafile}.crt'\n" + "ssl_ca_file='$params->{cafile}.crt'\n" . "ssl_cert_file='$params->{certfile}.crt'\n" . "ssl_key_file='$params->{keyfile}.key'\n" . "ssl_crl_file='$params->{crlfile}'\n";
diff --git a/src/test/ssl/t/SSL/Server.pm b/src/test/ssl/t/SSL/Server.pm
index b6344b936a5..2c5c0552227 100644
--- a/src/test/ssl/t/SSL/Server.pm
+++ b/src/test/ssl/t/SSL/Server.pm
@@ -94,7 +94,7 @@ sub new bless $self, $class; if ($flavor =~ /\Aopenssl\z/i) { - $self->{flavor} = 'openssl'; + $self->{flavor} = 'openssl'; $self->{backend} = SSL::Backend::OpenSSL->new(); } else
@@ -115,7 +115,7 @@ string. sub sslkey { - my $self = shift; + my $self = shift; my $keyfile = shift; my $backend = $self->{backend};
@@ -143,10 +143,10 @@ sub configure_test_server_for_ssl my $self = shift; my ($node, $serverhost, $servercidr, $authmethod, %params) = @_; my $backend = $self->{backend}; - my $pgdata = $node->data_dir; + my $pgdata = $node->data_dir; my @databases = ( - 'trustdb', 'certdb', 'certdb_dn', 'certdb_dn_re', + 'trustdb', 'certdb', 'certdb_dn', 'certdb_dn_re', 'certdb_cn', 'verifydb'); # Create test users and databases
@@ -229,7 +229,7 @@ Get the name of the currently used SSL backend. sub ssl_library { - my $self = shift; + my $self = shift; my $backend = $self->{backend}; return $backend->get_library();
@@ -284,11 +284,11 @@ returning. sub switch_server_cert { - my $self = shift; - my $node = shift; + my $self = shift; + my $node = shift; my $backend = $self->{backend}; - my %params = @_; - my $pgdata = $node->data_dir; + my %params = @_; + my $pgdata = $node->data_dir; open my $sslconf, '>', "$pgdata/sslconfig.conf"; print $sslconf "ssl=on\n"; |