database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-30 11:03:19 +03:00
Code Activity

Blind attempt to fix SSPI-auth case in 010_dump_connstr.pl.

Browse Source 
Up to now, pg_regress --config-auth had a hard-wired assumption
that the target cluster uses the default bootstrap superuser name.
pg_dump's 010_dump_connstr.pl TAP test uses non-default superuser
names, and was klugily getting around the restriction by listing
the desired superuser name as a role to "create".  This is pretty
confusing (or at least, it confused me).  Let's make it clearer by
allowing --config-auth mode to be told the bootstrap superuser name.
Repurpose the existing --user switch for that, since it has no
other function in --config-auth mode.

Per buildfarm.  I don't have an environment at hand in which I can
test this fix, but the buildfarm should soon show if it works.

Discussion: https://postgr.es/m/3142.1561840611@sss.pgh.pa.us
This commit is contained in:
Tom Lane
2019-06-30 13:34:45 -04:00
parent c91504b958
commit 681cca86f5
2 changed files with 33 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/bin/pg_dump/t/010_dump_connstr.pl
View File

@ -55,8 +55,9 @@ $node->init(extra =>
# prep pg_hba.conf and pg_ident.conf # prep pg_hba.conf and pg_ident.conf
$node->run_log( $node->run_log(
[ [
$ENV{PG_REGRESS}, '--config-auth', $ENV{PG_REGRESS}, '--config-auth',
$node->data_dir, '--create-role', $node->data_dir, '--user',
$src_bootstrap_super, '--create-role',
"$username1,$username2,$username3,$username4" "$username1,$username2,$username3,$username4"
]); ]);
$node->start; $node->start;
@ -181,8 +182,9 @@ $envar_node->init(extra =>
$envar_node->run_log( $envar_node->run_log(
[ [
$ENV{PG_REGRESS}, '--config-auth', $ENV{PG_REGRESS}, '--config-auth',
$envar_node->data_dir, '--create-role', $envar_node->data_dir, '--user',
"$dst_bootstrap_super,$restore_super" $dst_bootstrap_super, '--create-role',
$restore_super
]); ]);
$envar_node->start; $envar_node->start;
@ -213,8 +215,9 @@ $cmdline_node->init(extra =>
$cmdline_node->run_log( $cmdline_node->run_log(
[ [
$ENV{PG_REGRESS}, '--config-auth', $ENV{PG_REGRESS}, '--config-auth',
$cmdline_node->data_dir, '--create-role', $cmdline_node->data_dir, '--user',
"$dst_bootstrap_super,$restore_super" $dst_bootstrap_super, '--create-role',
$restore_super
]); ]);
$cmdline_node->start; $cmdline_node->start;
$cmdline_node->run_log( $cmdline_node->run_log(

38
src/test/regress/pg_regress.c
View File

@ -965,13 +965,15 @@ current_windows_user(const char **acct, const char **dom)
* Rewrite pg_hba.conf and pg_ident.conf to use SSPI authentication. Permit * Rewrite pg_hba.conf and pg_ident.conf to use SSPI authentication. Permit
* the current OS user to authenticate as the bootstrap superuser and as any * the current OS user to authenticate as the bootstrap superuser and as any
* user named in a --create-role option. * user named in a --create-role option.
*
* In --config-auth mode, the --user switch can be used to specify the
* bootstrap superuser's name, otherwise we assume it is the default.
*/ */
static void static void
config_sspi_auth(const char *pgdata) config_sspi_auth(const char *pgdata, const char *superuser_name)
{ {
const char *accountname, const char *accountname,
*domainname; *domainname;
const char *username;
char *errstr; char *errstr;
bool have_ipv6; bool have_ipv6;
char fname[MAXPGPATH]; char fname[MAXPGPATH];
@ -980,17 +982,25 @@ config_sspi_auth(const char *pgdata)
*ident; *ident;
_stringlist *sl; _stringlist *sl;
/* /* Find out the name of the current OS user */
* "username", the initdb-chosen bootstrap superuser name, may always
* match "accountname", the value SSPI authentication discovers. The
* underlying system functions do not clearly guarantee that.
*/
current_windows_user(&accountname, &domainname); current_windows_user(&accountname, &domainname);
username = get_user_name(&errstr);
if (username == NULL) /* Determine the bootstrap superuser's name */
if (superuser_name == NULL)
{ {
fprintf(stderr, "%s: %s\n", progname, errstr); /*
exit(2); * Compute the default superuser name the same way initdb does.
*
* It's possible that this result always matches "accountname", the
* value SSPI authentication discovers. But the underlying system
* functions do not clearly guarantee that.
*/
superuser_name = get_user_name(&errstr);
if (superuser_name == NULL)
{
fprintf(stderr, "%s: %s\n", progname, errstr);
exit(2);
}
} }
/* /*
@ -1067,7 +1077,7 @@ config_sspi_auth(const char *pgdata)
* bother escaping embedded double-quote characters. * bother escaping embedded double-quote characters.
*/ */
CW(fprintf(ident, "regress \"%s@%s\" %s\n", CW(fprintf(ident, "regress \"%s@%s\" %s\n",
accountname, domainname, fmtHba(username)) >= 0); accountname, domainname, fmtHba(superuser_name)) >= 0);
for (sl = extraroles; sl; sl = sl->next) for (sl = extraroles; sl; sl = sl->next)
CW(fprintf(ident, "regress \"%s@%s\" %s\n", CW(fprintf(ident, "regress \"%s@%s\" %s\n",
accountname, domainname, fmtHba(sl->str)) >= 0); accountname, domainname, fmtHba(sl->str)) >= 0);
@ -2227,7 +2237,7 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
if (config_auth_datadir) if (config_auth_datadir)
{ {
#ifdef ENABLE_SSPI #ifdef ENABLE_SSPI
config_sspi_auth(config_auth_datadir); config_sspi_auth(config_auth_datadir, user);
#endif #endif
exit(0); exit(0);
} }
@ -2354,7 +2364,7 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
* "initdb" command, this can't truncate. * "initdb" command, this can't truncate.
*/ */
snprintf(buf, sizeof(buf), "%s/data", temp_instance); snprintf(buf, sizeof(buf), "%s/data", temp_instance);
config_sspi_auth(buf); config_sspi_auth(buf, NULL);
#elif !defined(HAVE_UNIX_SOCKETS) #elif !defined(HAVE_UNIX_SOCKETS)
#error Platform has no means to secure the test installation. #error Platform has no means to secure the test installation.
#endif #endif