diff options
| author | Stephen Frost <sfrost@snowman.net> | 2023-04-07 21:58:04 -0400 |
|---|---|---|
| committer | Stephen Frost <sfrost@snowman.net> | 2023-04-07 21:58:04 -0400 |
| commit | 3d4fa227bce4294ce1cc214b4a9d3b7caa3f0454 (patch) | |
| tree | f113304aa44d7738041273a8f1ead0a53af0d320 /src/test | |
| parent | edc627ae27632ae2be0e435aca02ed38005cb55f (diff) | |
| download | postgresql-3d4fa227bce4294ce1cc214b4a9d3b7caa3f0454.tar.gz postgresql-3d4fa227bce4294ce1cc214b4a9d3b7caa3f0454.zip | |
Add support for Kerberos credential delegation
Support GSSAPI/Kerberos credentials being delegated to the server by a
client. With this, a user authenticating to PostgreSQL using Kerberos
(GSSAPI) credentials can choose to delegate their credentials to the
PostgreSQL server (which can choose to accept them, or not), allowing
the server to then use those delegated credentials to connect to
another service, such as with postgres_fdw or dblink or theoretically
any other service which is able to be authenticated using Kerberos.
Both postgres_fdw and dblink are changed to allow non-superuser
password-less connections but only when GSSAPI credentials have been
delegated to the server by the client and GSSAPI is used to
authenticate to the remote system.
Authors: Stephen Frost, Peifeng Qiu
Reviewed-By: David Christensen
Discussion: https://postgr.es/m/CO1PR05MB8023CC2CB575E0FAAD7DF4F8A8E29@CO1PR05MB8023.namprd05.prod.outlook.com
Diffstat (limited to 'src/test')
| -rw-r--r-- | src/test/kerberos/Makefile | 3 | ||||
| -rw-r--r-- | src/test/kerberos/t/001_auth.pl | 331 | ||||
| -rw-r--r-- | src/test/perl/PostgreSQL/Test/Utils.pm | 27 | ||||
| -rw-r--r-- | src/test/regress/expected/rules.out | 11 |
4 files changed, 336 insertions, 36 deletions
diff --git a/src/test/kerberos/Makefile b/src/test/kerberos/Makefile index 7765f3f93b1..f460d2c0e70 100644 --- a/src/test/kerberos/Makefile +++ b/src/test/kerberos/Makefile @@ -13,6 +13,9 @@ subdir = src/test/kerberos top_builddir = ../../.. include $(top_builddir)/src/Makefile.global +EXTRA_INSTALL += contrib/postgres_fdw +EXTRA_INSTALL += contrib/dblink + export with_gssapi with_krb_srvnam check: diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl index 458246b4d71..bf12752529a 100644 --- a/src/test/kerberos/t/001_auth.pl +++ b/src/test/kerberos/t/001_auth.pl @@ -7,6 +7,9 @@ # that the server-side pg_stat_gssapi view reports what we expect to # see for each test and that SYSTEM_USER returns what we expect to see. # +# Also test that GSSAPI delegation is working properly and that those +# credentials can be used to make dblink / postgres_fdw connections. +# # Since this requires setting up a full KDC, it doesn't make much sense # to have multiple test scripts (since they'd have to also create their # own KDC and that could cause race conditions or other problems)- so @@ -56,6 +59,7 @@ elsif ($^O eq 'linux') my $krb5_config = 'krb5-config'; my $kinit = 'kinit'; +my $klist = 'klist'; my $kdb5_util = 'kdb5_util'; my $kadmin_local = 'kadmin.local'; my $krb5kdc = 'krb5kdc'; @@ -64,6 +68,7 @@ if ($krb5_bin_dir && -d $krb5_bin_dir) { $krb5_config = $krb5_bin_dir . '/' . $krb5_config; $kinit = $krb5_bin_dir . '/' . $kinit; + $klist = $krb5_bin_dir . '/' . $klist; } if ($krb5_sbin_dir && -d $krb5_sbin_dir) { @@ -86,6 +91,8 @@ my $kdc_datadir = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc"; my $kdc_pidfile = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc.pid"; my $keytab = "${PostgreSQL::Test::Utils::tmp_check}/krb5.keytab"; +my $pgpass = "${PostgreSQL::Test::Utils::tmp_check}/.pgpass"; + my $dbname = 'postgres'; my $username = 'test1'; my $application = '001_auth.pl'; @@ -100,6 +107,14 @@ $stdout =~ m/Kerberos 5 release ([0-9]+\.[0-9]+)/ or BAIL_OUT("could not get Kerberos version"); $krb5_version = $1; +# Construct a pgpass file to make sure we don't use it +append_to_file( + $pgpass, + '*:*:*:*:abc123' +); + +chmod 0600, $pgpass; + # Build the krb5.conf to use. # # Explicitly specify the default (test) realm and the KDC for @@ -126,12 +141,14 @@ kdc = FILE:$kdc_log dns_lookup_realm = false dns_lookup_kdc = false default_realm = $realm +forwardable = false rdns = false [realms] $realm = { kdc = $hostaddr:$kdc_port -}!); +} +!); append_to_file( $kdc_conf, @@ -204,7 +221,28 @@ lc_messages = 'C' }); $node->start; +my $port = $node->port(); + $node->safe_psql('postgres', 'CREATE USER test1;'); +$node->safe_psql('postgres', "CREATE USER test2 WITH ENCRYPTED PASSWORD 'abc123';"); +$node->safe_psql('postgres', 'CREATE EXTENSION postgres_fdw;'); +$node->safe_psql('postgres', 'CREATE EXTENSION dblink;'); +$node->safe_psql('postgres', "CREATE SERVER s1 FOREIGN DATA WRAPPER postgres_fdw OPTIONS (host '$host', hostaddr '$hostaddr', port '$port', dbname 'postgres');"); +$node->safe_psql('postgres', "CREATE SERVER s2 FOREIGN DATA WRAPPER postgres_fdw OPTIONS (port '$port', dbname 'postgres', passfile '$pgpass');"); + +$node->safe_psql('postgres', 'GRANT USAGE ON FOREIGN SERVER s1 TO test1;'); + +$node->safe_psql('postgres', "CREATE USER MAPPING FOR test1 SERVER s1 OPTIONS (user 'test1');"); +$node->safe_psql('postgres', "CREATE USER MAPPING FOR test1 SERVER s2 OPTIONS (user 'test2');"); + +$node->safe_psql('postgres', "CREATE TABLE t1 (c1 int);"); +$node->safe_psql('postgres', "INSERT INTO t1 VALUES (1);"); +$node->safe_psql('postgres', "CREATE FOREIGN TABLE tf1 (c1 int) SERVER s1 OPTIONS (schema_name 'public', table_name 't1');"); +$node->safe_psql('postgres', "GRANT SELECT ON t1 TO test1;"); +$node->safe_psql('postgres', "GRANT SELECT ON tf1 TO test1;"); + +$node->safe_psql('postgres', "CREATE FOREIGN TABLE tf2 (c1 int) SERVER s2 OPTIONS (schema_name 'public', table_name 't1');"); +$node->safe_psql('postgres', "GRANT SELECT ON tf2 TO test1;"); # Set up a table for SYSTEM_USER parallel worker testing. $node->safe_psql('postgres', @@ -271,12 +309,16 @@ sub test_query unlink($node->data_dir . '/pg_hba.conf'); $node->append_conf('pg_hba.conf', - qq{host all all $hostaddr/32 gss map=mymap}); + qq{ +local all test2 scram-sha-256 +host all all $hostaddr/32 gss map=mymap +}); $node->restart; test_access($node, 'test1', 'SELECT true', 2, '', 'fails without ticket'); run_log [ $kinit, 'test1' ], \$test1_password or BAIL_OUT($?); +run_log [ $klist, '-f' ] or BAIL_OUT($?); test_access( $node, @@ -294,35 +336,58 @@ $node->restart; test_access( $node, 'test1', - 'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();', + 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, '', - 'succeeds with mapping with default gssencmode and host hba', + 'succeeds with mapping with default gssencmode and host hba, ticket not forwardable', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" ); test_access( $node, 'test1', - 'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();', + 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, 'gssencmode=prefer', - 'succeeds with GSS-encrypted access preferred with host hba', + 'succeeds with GSS-encrypted access preferred with host hba, ticket not forwardable', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" ); + test_access( $node, 'test1', - 'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();', + 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, 'gssencmode=require', - 'succeeds with GSS-encrypted access required with host hba', + 'succeeds with GSS-encrypted access required with host hba, ticket not forwardable', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" ); +test_access( + $node, + 'test1', + 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', + 0, + 'gssencmode=prefer gssdeleg=enable', + 'succeeds with GSS-encrypted access preferred with host hba and credentials not delegated even though asked for (ticket not forwardable)', + "connection authenticated: identity=\"test1\@$realm\" method=gss", + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" +); +test_access( + $node, + 'test1', + 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', + 0, + 'gssencmode=require gssdeleg=enable', + 'succeeds with GSS-encrypted access required with host hba and credentials not delegated even though asked for (ticket not forwardable)', + "connection authenticated: identity=\"test1\@$realm\" method=gss", + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" +); + + # Test that we can transport a reasonable amount of data. test_query( $node, @@ -389,29 +454,164 @@ test_query( unlink($node->data_dir . '/pg_hba.conf'); $node->append_conf('pg_hba.conf', - qq{hostgssenc all all $hostaddr/32 gss map=mymap}); + qq{ + local all test2 scram-sha-256 + hostgssenc all all $hostaddr/32 gss map=mymap +}); + +string_replace_file($krb5_conf, "forwardable = false", "forwardable = true"); + +run_log [ $kinit, 'test1' ], \$test1_password or BAIL_OUT($?); +run_log [ $klist, '-f' ] or BAIL_OUT($?); + +test_access( + $node, + 'test1', + 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', + 0, + 'gssencmode=prefer gssdeleg=enable', + 'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, default)', + "connection authenticated: identity=\"test1\@$realm\" method=gss", + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" +); +test_access( + $node, + 'test1', + 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', + 0, + 'gssencmode=require gssdeleg=enable', + 'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, default)', + "connection authenticated: identity=\"test1\@$realm\" method=gss", + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" +); + +$node->append_conf('postgresql.conf', + qq{gss_accept_deleg=off}); +$node->restart; + +test_access( + $node, + 'test1', + 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', + 0, + 'gssencmode=prefer gssdeleg=enable', + 'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)', + "connection authenticated: identity=\"test1\@$realm\" method=gss", + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" +); +test_access( + $node, + 'test1', + 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', + 0, + 'gssencmode=require gssdeleg=enable', + 'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)', + "connection authenticated: identity=\"test1\@$realm\" method=gss", + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" +); + +$node->append_conf('postgresql.conf', + qq{gss_accept_deleg=on}); $node->restart; test_access( $node, 'test1', - 'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();', + 'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', + 0, + 'gssencmode=prefer gssdeleg=enable', + 'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials forwarded', + "connection authenticated: identity=\"test1\@$realm\" method=gss", + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=yes, principal=test1\@$realm)" +); +test_access( + $node, + 'test1', + 'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', + 0, + 'gssencmode=require gssdeleg=enable', + 'succeeds with GSS-encrypted access required and hostgssenc hba and credentials forwarded', + "connection authenticated: identity=\"test1\@$realm\" method=gss", + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=yes, principal=test1\@$realm)" +); +test_access( + $node, + 'test1', + 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, 'gssencmode=prefer', - 'succeeds with GSS-encrypted access preferred and hostgssenc hba', + 'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" ); test_access( $node, 'test1', - 'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();', + 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, - 'gssencmode=require', - 'succeeds with GSS-encrypted access required and hostgssenc hba', + 'gssencmode=require gssdeleg=disable', + 'succeeds with GSS-encrypted access required and hostgssenc hba and credentials explicitly not forwarded', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" +); + +my $psql_out = ''; +my $psql_stderr = ''; +my $psql_rc = ''; + +$psql_rc = $node->psql( + 'postgres', + "SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);", + connstr => "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable", + stdout => \$psql_out, + stderr => \$psql_stderr +); +is($psql_rc,'3','dblink attempt fails without delegated credentials'); +like($psql_stderr, qr/password or GSSAPI delegated credentials required/,'dblink does not work without delegated credentials'); +like($psql_out, qr/^$/,'dblink does not work without delegated credentials'); + +$psql_out = ''; +$psql_stderr = ''; + +$psql_rc = $node->psql( + 'postgres', + "SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);", + connstr => "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable", + stdout => \$psql_out, + stderr => \$psql_stderr ); +is($psql_rc,'3','dblink does not work without delegated credentials and with passfile'); +like($psql_stderr, qr/password or GSSAPI delegated credentials required/,'dblink does not work without delegated credentials and with passfile'); +like($psql_out, qr/^$/,'dblink does not work without delegated credentials and with passfile'); + +$psql_out = ''; +$psql_stderr = ''; + +$psql_rc = $node->psql( + 'postgres', + "TABLE tf1;", + connstr => "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable", + stdout => \$psql_out, + stderr => \$psql_stderr +); +is($psql_rc,'3','postgres_fdw does not work without delegated credentials'); +like($psql_stderr, qr/password or GSSAPI delegated credentials required/,'postgres_fdw does not work without delegated credentials'); +like($psql_out, qr/^$/,'postgres_fdw does not work without delegated credentials'); + +$psql_out = ''; +$psql_stderr = ''; + +$psql_rc = $node->psql( + 'postgres', + "TABLE tf2;", + connstr => "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable", + stdout => \$psql_out, + stderr => \$psql_stderr +); +is($psql_rc,'3','postgres_fdw does not work without delegated credentials and with passfile'); +like($psql_stderr, qr/password or GSSAPI delegated credentials required/,'postgres_fdw does not work without delegated credentials and with passfile'); +like($psql_out, qr/^$/,'postgres_fdw does not work without delegated credentials and with passfile'); + test_access($node, 'test1', 'SELECT true', 2, 'gssencmode=disable', 'fails with GSS encryption disabled and hostgssenc hba'); @@ -427,54 +627,123 @@ $node->connect_ok( unlink($node->data_dir . '/pg_hba.conf'); $node->append_conf('pg_hba.conf', - qq{hostnogssenc all all $hostaddr/32 gss map=mymap}); + qq{ + local all test2 scram-sha-256 + hostnogssenc all all $hostaddr/32 gss map=mymap +}); $node->restart; test_access( $node, 'test1', - 'SELECT gss_authenticated and not encrypted from pg_stat_gssapi where pid = pg_backend_pid();', + 'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, - 'gssencmode=prefer', + 'gssencmode=prefer gssdeleg=enable', 'succeeds with GSS-encrypted access preferred and hostnogssenc hba, but no encryption', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, deleg_credentials=yes, principal=test1\@$realm)" ); test_access($node, 'test1', 'SELECT true', 2, 'gssencmode=require', 'fails with GSS-encrypted access required and hostnogssenc hba'); test_access( $node, 'test1', - 'SELECT gss_authenticated and not encrypted from pg_stat_gssapi where pid = pg_backend_pid();', + 'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, - 'gssencmode=disable', + 'gssencmode=disable gssdeleg=enable', 'succeeds with GSS encryption disabled and hostnogssenc hba', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, deleg_credentials=yes, principal=test1\@$realm)" +); + +test_query( + $node, + 'test1', + "SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);", + qr/^1$/s, + 'gssencmode=prefer gssdeleg=enable', + 'dblink works not-encrypted (server not configured to accept encrypted GSSAPI connections)'); + +test_query( + $node, + 'test1', + "TABLE tf1;", + qr/^1$/s, + 'gssencmode=prefer gssdeleg=enable', + 'postgres_fdw works not-encrypted (server not configured to accept encrypted GSSAPI connections)'); + +$psql_out = ''; +$psql_stderr = ''; + +$psql_rc = $node->psql( + 'postgres', + "SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);", + connstr => "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdeleg=enable", + stdout => \$psql_out, + stderr => \$psql_stderr +); +is($psql_rc,'3','dblink does not work with delegated credentials and with passfile'); +like($psql_stderr, qr/password or GSSAPI delegated credentials required/,'dblink does not work with delegated credentials and with passfile'); +like($psql_out, qr/^$/,'dblink does not work with delegated credentials and with passfile'); + +$psql_out = ''; +$psql_stderr = ''; + +$psql_rc = $node->psql( + 'postgres', + "TABLE tf2;", + connstr => "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdeleg=enable", + stdout => \$psql_out, + stderr => \$psql_stderr ); +is($psql_rc,'3','postgres_fdw does not work with delegated credentials and with passfile'); +like($psql_stderr, qr/password or GSSAPI delegated credentials required/,'postgres_fdw does not work with delegated credentials and with passfile'); +like($psql_out, qr/^$/,'postgres_fdw does not work with delegated credentials and with passfile'); truncate($node->data_dir . '/pg_ident.conf', 0); unlink($node->data_dir . '/pg_hba.conf'); $node->append_conf('pg_hba.conf', - qq{host all all $hostaddr/32 gss include_realm=0}); + qq{ + local all test2 scram-sha-256 + host all all $hostaddr/32 gss include_realm=0 +}); $node->restart; test_access( $node, 'test1', - 'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();', + 'SELECT gss_authenticated AND encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, - '', + 'gssdeleg=enable', 'succeeds with include_realm=0 and defaults', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=yes, principal=test1\@$realm)" ); +test_query( + $node, + 'test1', + "SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port password=1234','select 1') as t1(c1 int);", + qr/^1$/s, + 'gssencmode=require gssdeleg=enable', + 'dblink works encrypted'); + +test_query( + $node, + 'test1', + "TABLE tf1;", + qr/^1$/s, + 'gssencmode=require gssdeleg=enable', + 'postgres_fdw works encrypted'); + # Reset pg_hba.conf, and cause a usermap failure with an authentication # that has passed. unlink($node->data_dir . '/pg_hba.conf'); $node->append_conf('pg_hba.conf', - qq{host all all $hostaddr/32 gss include_realm=0 krb_realm=EXAMPLE.ORG}); + qq{ + local all test2 scram-sha-256 + host all all $hostaddr/32 gss include_realm=0 krb_realm=EXAMPLE.ORG +}); $node->restart; test_access( diff --git a/src/test/perl/PostgreSQL/Test/Utils.pm b/src/test/perl/PostgreSQL/Test/Utils.pm index 878e12b15ed..9249954b499 100644 --- a/src/test/perl/PostgreSQL/Test/Utils.pm +++ b/src/test/perl/PostgreSQL/Test/Utils.pm @@ -65,6 +65,7 @@ our @EXPORT = qw( slurp_dir slurp_file append_to_file + string_replace_file check_mode_recursive chmod_recursive check_pg_config @@ -549,6 +550,32 @@ sub append_to_file =pod +=item string_replace_file(filename, find, replace) + +Find and replace string of a given file. + +=cut + +sub string_replace_file +{ + my ($filename, $find, $replace) = @_; + open(my $in, '<', $filename); + my $content; + while(<$in>) + { + $_ =~ s/$find/$replace/; + $content = $content.$_; + } + close $in; + open(my $out, '>', $filename); + print $out $content; + close($out); + + return; +} + +=pod + =item check_mode_recursive(dir, expected_dir_mode, expected_file_mode, ignore_list) Check that all file/dir modes in a directory match the expected values, diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out index d939d8067e0..8337bac5dbe 100644 --- a/src/test/regress/expected/rules.out +++ b/src/test/regress/expected/rules.out @@ -1759,7 +1759,7 @@ pg_stat_activity| SELECT s.datid, s.query_id, s.query, s.backend_type - FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid, query_id) + FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_deleg, leader_pid, query_id) LEFT JOIN pg_database d ON ((s.datid = d.oid))) LEFT JOIN pg_authid u ON ((s.usesysid = u.oid))); pg_stat_all_indexes| SELECT c.oid AS relid, @@ -1874,8 +1874,9 @@ pg_stat_database_conflicts| SELECT oid AS datid, pg_stat_gssapi| SELECT pid, gss_auth AS gss_authenticated, gss_princ AS principal, - gss_enc AS encrypted - FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid, query_id) + gss_enc AS encrypted, + gss_deleg AS credentials_delegated + FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_deleg, leader_pid, query_id) WHERE (client_port IS NOT NULL); pg_stat_io| SELECT backend_type, io_object, @@ -2073,7 +2074,7 @@ pg_stat_replication| SELECT s.pid, w.sync_priority, w.sync_state, w.reply_time - FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid, query_id) + FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_deleg, leader_pid, query_id) JOIN pg_stat_get_wal_senders() w(pid, state, sent_lsn, write_lsn, flush_lsn, replay_lsn, write_lag, flush_lag, replay_lag, sync_priority, sync_state, reply_time) ON ((s.pid = w.pid))) LEFT JOIN pg_authid u ON ((s.usesysid = u.oid))); pg_stat_replication_slots| SELECT s.slot_name, @@ -2107,7 +2108,7 @@ pg_stat_ssl| SELECT pid, ssl_client_dn AS client_dn, ssl_client_serial AS client_serial, ssl_issuer_dn AS issuer_dn - FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid, query_id) + FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_deleg, leader_pid, query_id) WHERE (client_port IS NOT NULL); pg_stat_subscription| SELECT su.oid AS subid, su.subname, |