From a9dc7f9419e4f6cac419e195618dceac74846c83 Mon Sep 17 00:00:00 2001
From: Andrew Dunstan
Date: Mon, 23 Jan 2023 08:40:18 -0500
Subject: [PATCH] Add a test using ldapbindpasswd in pg_hba.conf

This feature has not been covered in tests up to now.

John Naylor and Andrew Dunstan

Discussion: https://postgr.es/m/06005bfb-0fd7-9d08-e0e5-440f277b73b4@dunslane.net
---
 src/test/ldap/meson.build | 1 +
 src/test/ldap/t/002_bindpasswd.pl | 95 +++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)
 create mode 100644 src/test/ldap/t/002_bindpasswd.pl

diff --git a/src/test/ldap/meson.build b/src/test/ldap/meson.build
index 1fa272c2ab1..7bf397a5457 100644
--- a/src/test/ldap/meson.build
+++ b/src/test/ldap/meson.build
@@ -7,6 +7,7 @@ tests += {
 'tap': {
 'tests': [
 't/001_auth.pl',
+ 't/002_bindpasswd.pl',
 ],
 'env': {
 'with_ldap': ldap.found() ? 'yes' : 'no',
diff --git a/src/test/ldap/t/002_bindpasswd.pl b/src/test/ldap/t/002_bindpasswd.pl
new file mode 100644
index 00000000000..bcd4aa2b742
--- /dev/null
+++ b/src/test/ldap/t/002_bindpasswd.pl
@@ -0,0 +1,95 @@
+
+# Copyright (c) 2023, PostgreSQL Global Development Group
+
+use strict;
+use warnings;
+
+use FindBin;
+use lib "$FindBin::RealBin/..";
+
+use File::Copy;
+use File::Basename;
+use LdapServer;
+use PostgreSQL::Test::Utils;
+use PostgreSQL::Test::Cluster;
+use Test::More;
+
+if ($ENV{with_ldap} ne 'yes')
+{
+ plan skip_all => 'LDAP not supported by this build';
+}
+elsif ($ENV{PG_TEST_EXTRA} !~ /\bldap\b/)
+{
+ plan skip_all =>
+ 'Potentially unsafe test LDAP not enabled in PG_TEST_EXTRA';
+}
+elsif (!$LdapServer::setup)
+{
+ plan skip_all =>
+ "ldap tests not supported on $^O or dependencies not installed";
+}
+
+note "setting up LDAP server";
+
+my $ldap_rootpw = 'secret';
+my $ldap = LdapServer->new($ldap_rootpw, 'users'); # no anonymous auth
+$ldap->ldapadd_file('authdata.ldif');
+$ldap->ldapsetpw('uid=test1,dc=example,dc=net', 'secret1');
+$ldap->ldapsetpw('uid=test2,dc=example,dc=net', 'secret2');
+
+my ($ldap_server, $ldap_port, $ldap_basedn, $ldap_rootdn) =
+ $ldap->prop(qw(server port basedn rootdn));
+
+note "setting up PostgreSQL instance";
+
+my $node = PostgreSQL::Test::Cluster->new('node');
+$node->init;
+$node->append_conf('postgresql.conf', "log_connections = on\n");
+$node->start;
+
+$node->safe_psql('postgres', 'CREATE USER test0;');
+$node->safe_psql('postgres', 'CREATE USER test1;');
+$node->safe_psql('postgres', 'CREATE USER "test2@example.net";');
+
+note "running tests";
+
+sub test_access
+{
+ local $Test::Builder::Level = $Test::Builder::Level + 1;
+
+ my ($node, $role, $expected_res, $test_name, %params) = @_;
+ my $connstr = "user=$role";
+
+ if ($expected_res eq 0)
+ {
+ $node->connect_ok($connstr, $test_name, %params);
+ }
+ else
+ {
+ # No checks of the error message, only the status code.
+ $node->connect_fails($connstr, $test_name, %params);
+ }
+}
+
+note "use ldapbindpasswd";
+
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf('pg_hba.conf',
+ qq{local all all ldap ldapserver=$ldap_server ldapport=$ldap_port ldapbasedn="$ldap_basedn" ldapbinddn="$ldap_rootdn ldapbindpasswd=wrong}
+);
+$node->restart;
+
+$ENV{"PGPASSWORD"} = 'secret1';
+test_access($node, 'test1', 2,
+ 'search+bind authentication fails with wrong ldapbindpasswd');
+
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf('pg_hba.conf',
+ qq{local all all ldap ldapserver=$ldap_server ldapport=$ldap_port ldapbasedn="$ldap_basedn" ldapbinddn="$ldap_rootdn" ldapbindpasswd="$ldap_rootpw"}
+);
+$node->restart;
+
+test_access($node, 'test1', 0,
+ 'search+bind authentication succeeds with ldapbindpasswd');
+
+done_testing();
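Review bot: The first pg_hba.conf line written after `note "use ldapbindpasswd"` is missing the closing quote after `$ldap_rootdn` (`ldapbinddn="$ldap_rootdn ldapbindpasswd=wrong}`), so `ldapbindpasswd=wrong` is presumably consumed as part of the unterminated quoted ldapbinddn value rather than parsed as a separate option; the connection still fails, but then not necessarily because of the wrong bind password that the test name claims to exercise, and the "fails" case no longer proves anything about ldapbindpasswd handling. The line should read `qq{local all all ldap ldapserver=$ldap_server ldapport=$ldap_port ldapbasedn="$ldap_basedn" ldapbinddn="$ldap_rootdn" ldapbindpasswd=wrong}`, matching the quoting of the second pg_hba.conf line below it. Two smaller points: in test_access, `$expected_res eq 0` compares a numeric status as a string and would read more honestly as `$expected_res == 0`, and `File::Copy` and `File::Basename` are imported but never used in this file.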