2 # Copyright (c) 2021-2022, PostgreSQL Global Development Group
4 # Sets up a KDC and then runs a variety of tests to make sure that the
5 # GSSAPI/Kerberos authentication and encryption are working properly,
6 # that the options in pg_hba.conf and pg_ident.conf are handled correctly,
7 # and that the server-side pg_stat_gssapi view reports what we expect to
10 # Since this requires setting up a full KDC, it doesn't make much sense
11 # to have multiple test scripts (since they'd have to also create their
12 # own KDC and that could cause race conditions or other problems)- so
13 # just add whatever other tests are needed to here.
15 # See the README for additional information.
19 use PostgreSQL
::Test
::Utils
;
20 use PostgreSQL
::Test
::Cluster
;
22 use Time
::HiRes
qw(usleep);
24 if ($ENV{with_gssapi
} eq 'yes')
30 plan skip_all
=> 'GSSAPI/Kerberos not supported by this build';
33 my ($krb5_bin_dir, $krb5_sbin_dir);
37 $krb5_bin_dir = '/usr/local/opt/krb5/bin';
38 $krb5_sbin_dir = '/usr/local/opt/krb5/sbin';
40 elsif ($^O
eq 'freebsd')
42 $krb5_bin_dir = '/usr/local/bin';
43 $krb5_sbin_dir = '/usr/local/sbin';
45 elsif ($^O
eq 'linux')
47 $krb5_sbin_dir = '/usr/sbin';
50 my $krb5_config = 'krb5-config';
52 my $kdb5_util = 'kdb5_util';
53 my $kadmin_local = 'kadmin.local';
54 my $krb5kdc = 'krb5kdc';
56 if ($krb5_bin_dir && -d
$krb5_bin_dir)
58 $krb5_config = $krb5_bin_dir . '/' . $krb5_config;
59 $kinit = $krb5_bin_dir . '/' . $kinit;
61 if ($krb5_sbin_dir && -d
$krb5_sbin_dir)
63 $kdb5_util = $krb5_sbin_dir . '/' . $kdb5_util;
64 $kadmin_local = $krb5_sbin_dir . '/' . $kadmin_local;
65 $krb5kdc = $krb5_sbin_dir . '/' . $krb5kdc;
68 my $host = 'auth-test-localhost.postgresql.example.com';
69 my $hostaddr = '127.0.0.1';
70 my $realm = 'EXAMPLE.COM';
72 my $krb5_conf = "${PostgreSQL::Test::Utils::tmp_check}/krb5.conf";
73 my $kdc_conf = "${PostgreSQL::Test::Utils::tmp_check}/kdc.conf";
74 my $krb5_cache = "${PostgreSQL::Test::Utils::tmp_check}/krb5cc";
75 my $krb5_log = "${PostgreSQL::Test::Utils::log_path}/krb5libs.log";
76 my $kdc_log = "${PostgreSQL::Test::Utils::log_path}/krb5kdc.log";
77 my $kdc_port = PostgreSQL
::Test
::Cluster
::get_free_port
();
78 my $kdc_datadir = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc";
79 my $kdc_pidfile = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc.pid";
80 my $keytab = "${PostgreSQL::Test::Utils::tmp_check}/krb5.keytab";
82 my $dbname = 'postgres';
83 my $username = 'test1';
84 my $application = '001_auth.pl';
86 note
"setting up Kerberos";
88 my ($stdout, $krb5_version);
89 run_log
[ $krb5_config, '--version' ], '>', \
$stdout
90 or BAIL_OUT
("could not execute krb5-config");
91 BAIL_OUT
("Heimdal is not supported") if $stdout =~ m/heimdal/;
92 $stdout =~ m/Kerberos 5 release ([0-9]+\.[0-9]+)/
93 or BAIL_OUT
("could not get Kerberos version");
99 default = FILE
:$krb5_log
103 default_realm
= $realm
107 kdc
= $hostaddr:$kdc_port
115 # For new-enough versions of krb5, use the _listen settings rather
116 # than the _ports settings so that we can bind to localhost only.
117 if ($krb5_version >= 1.15)
121 qq!kdc_listen
= $hostaddr:$kdc_port
122 kdc_tcp_listen
= $hostaddr:$kdc_port
129 qq!kdc_ports
= $kdc_port
130 kdc_tcp_ports
= $kdc_port
138 database_name
= $kdc_datadir/principal
139 admin_keytab
= FILE
:$kdc_datadir/kadm5
.keytab
140 acl_file
= $kdc_datadir/kadm5
.acl
141 key_stash_file
= $kdc_datadir/_k5
.$realm
144 mkdir $kdc_datadir or die;
146 # Ensure that we use test's config and cache files, not global ones.
147 $ENV{'KRB5_CONFIG'} = $krb5_conf;
148 $ENV{'KRB5_KDC_PROFILE'} = $kdc_conf;
149 $ENV{'KRB5CCNAME'} = $krb5_cache;
151 my $service_principal = "$ENV{with_krb_srvnam}/$host";
153 system_or_bail
$kdb5_util, 'create', '-s', '-P', 'secret0';
155 my $test1_password = 'secret1';
156 system_or_bail
$kadmin_local, '-q', "addprinc -pw $test1_password test1";
158 system_or_bail
$kadmin_local, '-q', "addprinc -randkey $service_principal";
159 system_or_bail
$kadmin_local, '-q', "ktadd -k $keytab $service_principal";
161 system_or_bail
$krb5kdc, '-P', $kdc_pidfile;
165 kill 'INT', `cat $kdc_pidfile` if -f
$kdc_pidfile;
168 note
"setting up PostgreSQL instance";
170 my $node = PostgreSQL
::Test
::Cluster
->new('node');
173 'postgresql.conf', qq{
174 listen_addresses
= '$hostaddr'
175 krb_server_keyfile
= '$keytab'
181 $node->safe_psql('postgres', 'CREATE USER test1;');
183 note
"running tests";
185 # Test connection success or failure, and if success, that query returns true.
188 local $Test::Builder
::Level
= $Test::Builder
::Level
+ 1;
190 my ($node, $role, $query, $expected_res, $gssencmode, $test_name,
194 # need to connect over TCP/IP for Kerberos
195 my $connstr = $node->connstr('postgres')
196 . " user=$role host=$host hostaddr=$hostaddr $gssencmode";
198 my %params = (sql
=> $query,);
200 if (@expect_log_msgs)
202 # Match every message literally.
203 my @regexes = map { qr/\Q$_\E/ } @expect_log_msgs;
205 $params{log_like
} = \
@regexes;
208 if ($expected_res eq 0)
210 # The result is assumed to match "true", or "t", here.
211 $params{expected_stdout
} = qr/^t$/;
213 $node->connect_ok($connstr, $test_name, %params);
217 $node->connect_fails($connstr, $test_name, %params);
221 # As above, but test for an arbitrary query result.
224 local $Test::Builder
::Level
= $Test::Builder
::Level
+ 1;
226 my ($node, $role, $query, $expected, $gssencmode, $test_name) = @_;
228 # need to connect over TCP/IP for Kerberos
229 my $connstr = $node->connstr('postgres')
230 . " user=$role host=$host hostaddr=$hostaddr $gssencmode";
233 $connstr, $test_name,
235 expected_stdout
=> $expected);
239 unlink($node->data_dir . '/pg_hba.conf');
240 $node->append_conf('pg_hba.conf',
241 qq{host all all
$hostaddr/32 gss
map=mymap
});
244 test_access
($node, 'test1', 'SELECT true', 2, '', 'fails without ticket');
246 run_log
[ $kinit, 'test1' ], \
$test1_password or BAIL_OUT
($?
);
254 'fails without mapping',
255 "connection authenticated: identity=\"test1\@$realm\" method=gss",
256 "no match in usermap \"mymap\" for user \"test1\"");
258 $node->append_conf('pg_ident.conf', qq{mymap
/^(.*)\@
$realm\
$ \\1});
264 'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
267 'succeeds with mapping with default gssencmode and host hba',
268 "connection authenticated: identity=\"test1\@$realm\" method=gss",
269 "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)"
275 'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
278 'succeeds with GSS-encrypted access preferred with host hba',
279 "connection authenticated: identity=\"test1\@$realm\" method=gss",
280 "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)"
285 'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
287 'gssencmode=require',
288 'succeeds with GSS-encrypted access required with host hba',
289 "connection authenticated: identity=\"test1\@$realm\" method=gss",
290 "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)"
293 # Test that we can transport a reasonable amount of data.
297 'SELECT * FROM generate_series(1, 100000);',
298 qr/^1\n.*\n1024\n.*\n9999\n.*\n100000$/s,
299 'gssencmode=require',
300 'receiving 100K lines works');
305 "CREATE TEMP TABLE mytab (f1 int primary key);\n"
306 . "COPY mytab FROM STDIN;\n"
307 . join("\n", (1 .. 100000))
309 . "SELECT COUNT(*) FROM mytab;",
311 'gssencmode=require',
312 'sending 100K lines works');
314 unlink($node->data_dir . '/pg_hba.conf');
315 $node->append_conf('pg_hba.conf',
316 qq{hostgssenc all all
$hostaddr/32 gss
map=mymap
});
322 'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
325 'succeeds with GSS-encrypted access preferred and hostgssenc hba',
326 "connection authenticated: identity=\"test1\@$realm\" method=gss",
327 "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)"
332 'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
334 'gssencmode=require',
335 'succeeds with GSS-encrypted access required and hostgssenc hba',
336 "connection authenticated: identity=\"test1\@$realm\" method=gss",
337 "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)"
339 test_access
($node, 'test1', 'SELECT true', 2, 'gssencmode=disable',
340 'fails with GSS encryption disabled and hostgssenc hba');
342 unlink($node->data_dir . '/pg_hba.conf');
343 $node->append_conf('pg_hba.conf',
344 qq{hostnogssenc all all
$hostaddr/32 gss
map=mymap
});
350 'SELECT gss_authenticated and not encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
353 'succeeds with GSS-encrypted access preferred and hostnogssenc hba, but no encryption',
354 "connection authenticated: identity=\"test1\@$realm\" method=gss",
355 "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, principal=test1\@$realm)"
357 test_access
($node, 'test1', 'SELECT true', 2, 'gssencmode=require',
358 'fails with GSS-encrypted access required and hostnogssenc hba');
362 'SELECT gss_authenticated and not encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
364 'gssencmode=disable',
365 'succeeds with GSS encryption disabled and hostnogssenc hba',
366 "connection authenticated: identity=\"test1\@$realm\" method=gss",
367 "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, principal=test1\@$realm)"
370 truncate($node->data_dir . '/pg_ident.conf', 0);
371 unlink($node->data_dir . '/pg_hba.conf');
372 $node->append_conf('pg_hba.conf',
373 qq{host all all
$hostaddr/32 gss include_realm
=0});
379 'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
382 'succeeds with include_realm=0 and defaults',
383 "connection authenticated: identity=\"test1\@$realm\" method=gss",
384 "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)"
387 # Reset pg_hba.conf, and cause a usermap failure with an authentication
389 unlink($node->data_dir . '/pg_hba.conf');
390 $node->append_conf('pg_hba.conf',
391 qq{host all all
$hostaddr/32 gss include_realm
=0 krb_realm
=EXAMPLE
.ORG
});
400 'fails with wrong krb_realm, but still authenticates',
401 "connection authenticated: identity=\"test1\@$realm\" method=gss");