src/test/kerberos/t/001_auth.pl

   1
   2 # Copyright (c) 2021-2022, PostgreSQL Global Development Group
   3
   4 # Sets up a KDC and then runs a variety of tests to make sure that the
   5 # GSSAPI/Kerberos authentication and encryption are working properly,
   6 # that the options in pg_hba.conf and pg_ident.conf are handled correctly,
   7 # and that the server-side pg_stat_gssapi view reports what we expect to
   8 # see for each test.
   9 #
  10 # Since this requires setting up a full KDC, it doesn't make much sense
  11 # to have multiple test scripts (since they'd have to also create their
  12 # own KDC and that could cause race conditions or other problems)- so
  13 # just add whatever other tests are needed to here.
  14 #
  15 # See the README for additional information.
  16
  17 use strict;
  18 use warnings;
  19 use PostgreSQL::Test::Utils;
  20 use PostgreSQL::Test::Cluster;
  21 use Test::More;
  22 use Time::HiRes qw(usleep);
  23
  24 if ($ENV{with_gssapi} eq 'yes')
  25 {
  26         plan tests => 44;
  27 }
  28 else
  29 {
  30         plan skip_all => 'GSSAPI/Kerberos not supported by this build';
  31 }
  32
  33 my ($krb5_bin_dir, $krb5_sbin_dir);
  34
  35 if ($^O eq 'darwin')
  36 {
  37         $krb5_bin_dir  = '/usr/local/opt/krb5/bin';
  38         $krb5_sbin_dir = '/usr/local/opt/krb5/sbin';
  39 }
  40 elsif ($^O eq 'freebsd')
  41 {
  42         $krb5_bin_dir  = '/usr/local/bin';
  43         $krb5_sbin_dir = '/usr/local/sbin';
  44 }
  45 elsif ($^O eq 'linux')
  46 {
  47         $krb5_sbin_dir = '/usr/sbin';
  48 }
  49
  50 my $krb5_config  = 'krb5-config';
  51 my $kinit        = 'kinit';
  52 my $kdb5_util    = 'kdb5_util';
  53 my $kadmin_local = 'kadmin.local';
  54 my $krb5kdc      = 'krb5kdc';
  55
  56 if ($krb5_bin_dir && -d $krb5_bin_dir)
  57 {
  58         $krb5_config = $krb5_bin_dir . '/' . $krb5_config;
  59         $kinit       = $krb5_bin_dir . '/' . $kinit;
  60 }
  61 if ($krb5_sbin_dir && -d $krb5_sbin_dir)
  62 {
  63         $kdb5_util    = $krb5_sbin_dir . '/' . $kdb5_util;
  64         $kadmin_local = $krb5_sbin_dir . '/' . $kadmin_local;
  65         $krb5kdc      = $krb5_sbin_dir . '/' . $krb5kdc;
  66 }
  67
  68 my $host     = 'auth-test-localhost.postgresql.example.com';
  69 my $hostaddr = '127.0.0.1';
  70 my $realm    = 'EXAMPLE.COM';
  71
  72 my $krb5_conf   = "${PostgreSQL::Test::Utils::tmp_check}/krb5.conf";
  73 my $kdc_conf    = "${PostgreSQL::Test::Utils::tmp_check}/kdc.conf";
  74 my $krb5_cache  = "${PostgreSQL::Test::Utils::tmp_check}/krb5cc";
  75 my $krb5_log    = "${PostgreSQL::Test::Utils::log_path}/krb5libs.log";
  76 my $kdc_log     = "${PostgreSQL::Test::Utils::log_path}/krb5kdc.log";
  77 my $kdc_port    = PostgreSQL::Test::Cluster::get_free_port();
  78 my $kdc_datadir = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc";
  79 my $kdc_pidfile = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc.pid";
  80 my $keytab      = "${PostgreSQL::Test::Utils::tmp_check}/krb5.keytab";
  81
  82 my $dbname      = 'postgres';
  83 my $username    = 'test1';
  84 my $application = '001_auth.pl';
  85
  86 note "setting up Kerberos";
  87
  88 my ($stdout, $krb5_version);
  89 run_log [ $krb5_config, '--version' ], '>', \$stdout
  90   or BAIL_OUT("could not execute krb5-config");
  91 BAIL_OUT("Heimdal is not supported") if $stdout =~ m/heimdal/;
  92 $stdout =~ m/Kerberos 5 release ([0-9]+\.[0-9]+)/
  93   or BAIL_OUT("could not get Kerberos version");
  94 $krb5_version = $1;
  95
  96 append_to_file(
  97         $krb5_conf,
  98         qq![logging]
  99 default = FILE:$krb5_log
 100 kdc = FILE:$kdc_log
 101
 102 [libdefaults]
 103 default_realm = $realm
 104
 105 [realms]
 106 $realm = {
 107     kdc = $hostaddr:$kdc_port
 108 }!);
 109
 110 append_to_file(
 111         $kdc_conf,
 112         qq![kdcdefaults]
 113 !);
 114
 115 # For new-enough versions of krb5, use the _listen settings rather
 116 # than the _ports settings so that we can bind to localhost only.
 117 if ($krb5_version >= 1.15)
 118 {
 119         append_to_file(
 120                 $kdc_conf,
 121                 qq!kdc_listen = $hostaddr:$kdc_port
 122 kdc_tcp_listen = $hostaddr:$kdc_port
 123 !);
 124 }
 125 else
 126 {
 127         append_to_file(
 128                 $kdc_conf,
 129                 qq!kdc_ports = $kdc_port
 130 kdc_tcp_ports = $kdc_port
 131 !);
 132 }
 133 append_to_file(
 134         $kdc_conf,
 135         qq!
 136 [realms]
 137 $realm = {
 138     database_name = $kdc_datadir/principal
 139     admin_keytab = FILE:$kdc_datadir/kadm5.keytab
 140     acl_file = $kdc_datadir/kadm5.acl
 141     key_stash_file = $kdc_datadir/_k5.$realm
 142 }!);
 143
 144 mkdir $kdc_datadir or die;
 145
 146 # Ensure that we use test's config and cache files, not global ones.
 147 $ENV{'KRB5_CONFIG'}      = $krb5_conf;
 148 $ENV{'KRB5_KDC_PROFILE'} = $kdc_conf;
 149 $ENV{'KRB5CCNAME'}       = $krb5_cache;
 150
 151 my $service_principal = "$ENV{with_krb_srvnam}/$host";
 152
 153 system_or_bail $kdb5_util, 'create', '-s', '-P', 'secret0';
 154
 155 my $test1_password = 'secret1';
 156 system_or_bail $kadmin_local, '-q', "addprinc -pw $test1_password test1";
 157
 158 system_or_bail $kadmin_local, '-q', "addprinc -randkey $service_principal";
 159 system_or_bail $kadmin_local, '-q', "ktadd -k $keytab $service_principal";
 160
 161 system_or_bail $krb5kdc, '-P', $kdc_pidfile;
 162
 163 END
 164 {
 165         kill 'INT', `cat $kdc_pidfile` if -f $kdc_pidfile;
 166 }
 167
 168 note "setting up PostgreSQL instance";
 169
 170 my $node = PostgreSQL::Test::Cluster->new('node');
 171 $node->init;
 172 $node->append_conf(
 173         'postgresql.conf', qq{
 174 listen_addresses = '$hostaddr'
 175 krb_server_keyfile = '$keytab'
 176 log_connections = on
 177 lc_messages = 'C'
 178 });
 179 $node->start;
 180
 181 $node->safe_psql('postgres', 'CREATE USER test1;');
 182
 183 note "running tests";
 184
 185 # Test connection success or failure, and if success, that query returns true.
 186 sub test_access
 187 {
 188         local $Test::Builder::Level = $Test::Builder::Level + 1;
 189
 190         my ($node, $role, $query, $expected_res, $gssencmode, $test_name,
 191                 @expect_log_msgs)
 192           = @_;
 193
 194         # need to connect over TCP/IP for Kerberos
 195         my $connstr = $node->connstr('postgres')
 196           . " user=$role host=$host hostaddr=$hostaddr $gssencmode";
 197
 198         my %params = (sql => $query,);
 199
 200         if (@expect_log_msgs)
 201         {
 202                 # Match every message literally.
 203                 my @regexes = map { qr/\Q$_\E/ } @expect_log_msgs;
 204
 205                 $params{log_like} = \@regexes;
 206         }
 207
 208         if ($expected_res eq 0)
 209         {
 210                 # The result is assumed to match "true", or "t", here.
 211                 $params{expected_stdout} = qr/^t$/;
 212
 213                 $node->connect_ok($connstr, $test_name, %params);
 214         }
 215         else
 216         {
 217                 $node->connect_fails($connstr, $test_name, %params);
 218         }
 219 }
 220
 221 # As above, but test for an arbitrary query result.
 222 sub test_query
 223 {
 224         local $Test::Builder::Level = $Test::Builder::Level + 1;
 225
 226         my ($node, $role, $query, $expected, $gssencmode, $test_name) = @_;
 227
 228         # need to connect over TCP/IP for Kerberos
 229         my $connstr = $node->connstr('postgres')
 230           . " user=$role host=$host hostaddr=$hostaddr $gssencmode";
 231
 232         $node->connect_ok(
 233                 $connstr, $test_name,
 234                 sql             => $query,
 235                 expected_stdout => $expected);
 236         return;
 237 }
 238
 239 unlink($node->data_dir . '/pg_hba.conf');
 240 $node->append_conf('pg_hba.conf',
 241         qq{host all all $hostaddr/32 gss map=mymap});
 242 $node->restart;
 243
 244 test_access($node, 'test1', 'SELECT true', 2, '', 'fails without ticket');
 245
 246 run_log [ $kinit, 'test1' ], \$test1_password or BAIL_OUT($?);
 247
 248 test_access(
 249         $node,
 250         'test1',
 251         'SELECT true',
 252         2,
 253         '',
 254         'fails without mapping',
 255         "connection authenticated: identity=\"test1\@$realm\" method=gss",
 256         "no match in usermap \"mymap\" for user \"test1\"");
 257
 258 $node->append_conf('pg_ident.conf', qq{mymap  /^(.*)\@$realm\$  \\1});
 259 $node->restart;
 260
 261 test_access(
 262         $node,
 263         'test1',
 264         'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
 265         0,
 266         '',
 267         'succeeds with mapping with default gssencmode and host hba',
 268         "connection authenticated: identity=\"test1\@$realm\" method=gss",
 269         "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)"
 270 );
 271
 272 test_access(
 273         $node,
 274         'test1',
 275         'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
 276         0,
 277         'gssencmode=prefer',
 278         'succeeds with GSS-encrypted access preferred with host hba',
 279         "connection authenticated: identity=\"test1\@$realm\" method=gss",
 280         "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)"
 281 );
 282 test_access(
 283         $node,
 284         'test1',
 285         'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
 286         0,
 287         'gssencmode=require',
 288         'succeeds with GSS-encrypted access required with host hba',
 289         "connection authenticated: identity=\"test1\@$realm\" method=gss",
 290         "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)"
 291 );
 292
 293 # Test that we can transport a reasonable amount of data.
 294 test_query(
 295         $node,
 296         'test1',
 297         'SELECT * FROM generate_series(1, 100000);',
 298         qr/^1\n.*\n1024\n.*\n9999\n.*\n100000$/s,
 299         'gssencmode=require',
 300         'receiving 100K lines works');
 301
 302 test_query(
 303         $node,
 304         'test1',
 305         "CREATE TEMP TABLE mytab (f1 int primary key);\n"
 306           . "COPY mytab FROM STDIN;\n"
 307           . join("\n", (1 .. 100000))
 308           . "\n\\.\n"
 309           . "SELECT COUNT(*) FROM mytab;",
 310         qr/^100000$/s,
 311         'gssencmode=require',
 312         'sending 100K lines works');
 313
 314 unlink($node->data_dir . '/pg_hba.conf');
 315 $node->append_conf('pg_hba.conf',
 316         qq{hostgssenc all all $hostaddr/32 gss map=mymap});
 317 $node->restart;
 318
 319 test_access(
 320         $node,
 321         'test1',
 322         'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
 323         0,
 324         'gssencmode=prefer',
 325         'succeeds with GSS-encrypted access preferred and hostgssenc hba',
 326         "connection authenticated: identity=\"test1\@$realm\" method=gss",
 327         "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)"
 328 );
 329 test_access(
 330         $node,
 331         'test1',
 332         'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
 333         0,
 334         'gssencmode=require',
 335         'succeeds with GSS-encrypted access required and hostgssenc hba',
 336         "connection authenticated: identity=\"test1\@$realm\" method=gss",
 337         "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)"
 338 );
 339 test_access($node, 'test1', 'SELECT true', 2, 'gssencmode=disable',
 340         'fails with GSS encryption disabled and hostgssenc hba');
 341
 342 unlink($node->data_dir . '/pg_hba.conf');
 343 $node->append_conf('pg_hba.conf',
 344         qq{hostnogssenc all all $hostaddr/32 gss map=mymap});
 345 $node->restart;
 346
 347 test_access(
 348         $node,
 349         'test1',
 350         'SELECT gss_authenticated and not encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
 351         0,
 352         'gssencmode=prefer',
 353         'succeeds with GSS-encrypted access preferred and hostnogssenc hba, but no encryption',
 354         "connection authenticated: identity=\"test1\@$realm\" method=gss",
 355         "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, principal=test1\@$realm)"
 356 );
 357 test_access($node, 'test1', 'SELECT true', 2, 'gssencmode=require',
 358         'fails with GSS-encrypted access required and hostnogssenc hba');
 359 test_access(
 360         $node,
 361         'test1',
 362         'SELECT gss_authenticated and not encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
 363         0,
 364         'gssencmode=disable',
 365         'succeeds with GSS encryption disabled and hostnogssenc hba',
 366         "connection authenticated: identity=\"test1\@$realm\" method=gss",
 367         "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, principal=test1\@$realm)"
 368 );
 369
 370 truncate($node->data_dir . '/pg_ident.conf', 0);
 371 unlink($node->data_dir . '/pg_hba.conf');
 372 $node->append_conf('pg_hba.conf',
 373         qq{host all all $hostaddr/32 gss include_realm=0});
 374 $node->restart;
 375
 376 test_access(
 377         $node,
 378         'test1',
 379         'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
 380         0,
 381         '',
 382         'succeeds with include_realm=0 and defaults',
 383         "connection authenticated: identity=\"test1\@$realm\" method=gss",
 384         "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)"
 385 );
 386
 387 # Reset pg_hba.conf, and cause a usermap failure with an authentication
 388 # that has passed.
 389 unlink($node->data_dir . '/pg_hba.conf');
 390 $node->append_conf('pg_hba.conf',
 391         qq{host all all $hostaddr/32 gss include_realm=0 krb_realm=EXAMPLE.ORG});
 392 $node->restart;
 393
 394 test_access(
 395         $node,
 396         'test1',
 397         'SELECT true',
 398         2,
 399         '',
 400         'fails with wrong krb_realm, but still authenticates',
 401         "connection authenticated: identity=\"test1\@$realm\" method=gss");