pgindent run for 9.5
@ -63,8 +63,8 @@ Datum
|
||||
get_altertable_subcmdtypes(PG_FUNCTION_ARGS)
|
||||
{
|
||||
CollectedCommand *cmd = (CollectedCommand *) PG_GETARG_POINTER(0);
|
||||
ArrayBuildState *astate = NULL;
|
||||
ListCell *cell;
|
||||
ArrayBuildState *astate = NULL;
|
||||
ListCell *cell;
|
||||
|
||||
if (cmd->type != SCT_AlterTable)
|
||||
elog(ERROR, "command is not ALTER TABLE");
|
||||
@ -72,8 +72,8 @@ get_altertable_subcmdtypes(PG_FUNCTION_ARGS)
|
||||
foreach(cell, cmd->d.alterTable.subcmds)
|
||||
{
|
||||
CollectedATSubcmd *sub = lfirst(cell);
|
||||
AlterTableCmd *subcmd = (AlterTableCmd *) sub->parsetree;
|
||||
const char *strtype;
|
||||
AlterTableCmd *subcmd = (AlterTableCmd *) sub->parsetree;
|
||||
const char *strtype;
|
||||
|
||||
Assert(IsA(subcmd, AlterTableCmd));
|
||||
|
||||
|
@ -35,11 +35,12 @@ PG_MODULE_MAGIC;
|
||||
static row_security_policy_hook_type prev_row_security_policy_hook_permissive = NULL;
|
||||
static row_security_policy_hook_type prev_row_security_policy_hook_restrictive = NULL;
|
||||
|
||||
void _PG_init(void);
|
||||
void _PG_fini(void);
|
||||
void _PG_init(void);
|
||||
void _PG_fini(void);
|
||||
|
||||
/* Install hooks */
|
||||
void _PG_init(void)
|
||||
void
|
||||
_PG_init(void)
|
||||
{
|
||||
/* Save values for unload */
|
||||
prev_row_security_policy_hook_permissive = row_security_policy_hook_permissive;
|
||||
@ -51,7 +52,8 @@ void _PG_init(void)
|
||||
}
|
||||
|
||||
/* Uninstall hooks */
|
||||
void _PG_fini(void)
|
||||
void
|
||||
_PG_fini(void)
|
||||
{
|
||||
row_security_policy_hook_permissive = prev_row_security_policy_hook_permissive;
|
||||
row_security_policy_hook_restrictive = prev_row_security_policy_hook_restrictive;
|
||||
@ -60,20 +62,20 @@ void _PG_fini(void)
|
||||
/*
|
||||
* Return permissive policies to be added
|
||||
*/
|
||||
List*
|
||||
List *
|
||||
test_rls_hooks_permissive(CmdType cmdtype, Relation relation)
|
||||
{
|
||||
List *policies = NIL;
|
||||
RowSecurityPolicy *policy = palloc0(sizeof(RowSecurityPolicy));
|
||||
Datum role;
|
||||
FuncCall *n;
|
||||
Node *e;
|
||||
ColumnRef *c;
|
||||
ParseState *qual_pstate;
|
||||
RangeTblEntry *rte;
|
||||
List *policies = NIL;
|
||||
RowSecurityPolicy *policy = palloc0(sizeof(RowSecurityPolicy));
|
||||
Datum role;
|
||||
FuncCall *n;
|
||||
Node *e;
|
||||
ColumnRef *c;
|
||||
ParseState *qual_pstate;
|
||||
RangeTblEntry *rte;
|
||||
|
||||
if (strcmp(RelationGetRelationName(relation),"rls_test_permissive")
|
||||
&& strcmp(RelationGetRelationName(relation),"rls_test_both"))
|
||||
if (strcmp(RelationGetRelationName(relation), "rls_test_permissive")
|
||||
&& strcmp(RelationGetRelationName(relation), "rls_test_both"))
|
||||
return NIL;
|
||||
|
||||
qual_pstate = make_parsestate(NULL);
|
||||
@ -88,11 +90,11 @@ test_rls_hooks_permissive(CmdType cmdtype, Relation relation)
|
||||
policy->policy_id = InvalidOid;
|
||||
policy->polcmd = '*';
|
||||
policy->roles = construct_array(&role, 1, OIDOID, sizeof(Oid), true, 'i');
|
||||
|
||||
/*
|
||||
policy->qual = (Expr *) makeConst(BOOLOID, -1, InvalidOid,
|
||||
sizeof(bool), BoolGetDatum(true),
|
||||
false, true);
|
||||
*/
|
||||
* policy->qual = (Expr *) makeConst(BOOLOID, -1, InvalidOid,
|
||||
* sizeof(bool), BoolGetDatum(true), false, true);
|
||||
*/
|
||||
|
||||
n = makeFuncCall(list_make2(makeString("pg_catalog"),
|
||||
makeString("current_user")), NIL, 0);
|
||||
@ -101,11 +103,11 @@ test_rls_hooks_permissive(CmdType cmdtype, Relation relation)
|
||||
c->fields = list_make1(makeString("username"));
|
||||
c->location = 0;
|
||||
|
||||
e = (Node*) makeSimpleA_Expr(AEXPR_OP, "=", (Node*) n, (Node*) c, 0);
|
||||
e = (Node *) makeSimpleA_Expr(AEXPR_OP, "=", (Node *) n, (Node *) c, 0);
|
||||
|
||||
policy->qual = (Expr*) transformWhereClause(qual_pstate, copyObject(e),
|
||||
EXPR_KIND_WHERE,
|
||||
"POLICY");
|
||||
policy->qual = (Expr *) transformWhereClause(qual_pstate, copyObject(e),
|
||||
EXPR_KIND_WHERE,
|
||||
"POLICY");
|
||||
|
||||
policy->with_check_qual = copyObject(policy->qual);
|
||||
policy->hassublinks = false;
|
||||
@ -118,21 +120,21 @@ test_rls_hooks_permissive(CmdType cmdtype, Relation relation)
|
||||
/*
|
||||
* Return restrictive policies to be added
|
||||
*/
|
||||
List*
|
||||
List *
|
||||
test_rls_hooks_restrictive(CmdType cmdtype, Relation relation)
|
||||
{
|
||||
List *policies = NIL;
|
||||
RowSecurityPolicy *policy = palloc0(sizeof(RowSecurityPolicy));
|
||||
Datum role;
|
||||
FuncCall *n;
|
||||
Node *e;
|
||||
ColumnRef *c;
|
||||
ParseState *qual_pstate;
|
||||
RangeTblEntry *rte;
|
||||
List *policies = NIL;
|
||||
RowSecurityPolicy *policy = palloc0(sizeof(RowSecurityPolicy));
|
||||
Datum role;
|
||||
FuncCall *n;
|
||||
Node *e;
|
||||
ColumnRef *c;
|
||||
ParseState *qual_pstate;
|
||||
RangeTblEntry *rte;
|
||||
|
||||
|
||||
if (strcmp(RelationGetRelationName(relation),"rls_test_restrictive")
|
||||
&& strcmp(RelationGetRelationName(relation),"rls_test_both"))
|
||||
if (strcmp(RelationGetRelationName(relation), "rls_test_restrictive")
|
||||
&& strcmp(RelationGetRelationName(relation), "rls_test_both"))
|
||||
return NIL;
|
||||
|
||||
qual_pstate = make_parsestate(NULL);
|
||||
@ -155,11 +157,11 @@ test_rls_hooks_restrictive(CmdType cmdtype, Relation relation)
|
||||
c->fields = list_make1(makeString("supervisor"));
|
||||
c->location = 0;
|
||||
|
||||
e = (Node*) makeSimpleA_Expr(AEXPR_OP, "=", (Node*) n, (Node*) c, 0);
|
||||
e = (Node *) makeSimpleA_Expr(AEXPR_OP, "=", (Node *) n, (Node *) c, 0);
|
||||
|
||||
policy->qual = (Expr*) transformWhereClause(qual_pstate, copyObject(e),
|
||||
EXPR_KIND_WHERE,
|
||||
"POLICY");
|
||||
policy->qual = (Expr *) transformWhereClause(qual_pstate, copyObject(e),
|
||||
EXPR_KIND_WHERE,
|
||||
"POLICY");
|
||||
|
||||
policy->with_check_qual = copyObject(policy->qual);
|
||||
policy->hassublinks = false;
|
||||
|
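Review bot: The disabled `policy->qual = (Expr *) makeConst(BOOLOID, ...)` assignment in test_rls_hooks_permissive has been reflowed into ordinary ` * `-prefixed comment text, so it now reads as prose rather than as code that was switched off. That assignment would give the permissive policy a constant-true qual, whereas the active code below builds `current_user = username`. A reader should be able to tell at a glance that the constant-true form is not in effect. Either delete the dead assignment or keep it with a one-line reason above it, e.g. `/* Not used: constant-true qual, kept only for reference; the active qual is current_user = username. */`. The function body starts and continues outside this hunk.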
@ -60,11 +60,15 @@ $ENV{PGPORT} = int($ENV{PGPORT}) % 65536;
|
||||
|
||||
sub tempdir
|
||||
{
|
||||
return File::Temp::tempdir('tmp_testXXXX', DIR => $ENV{TESTDIR} || cwd(), CLEANUP => 1);
|
||||
return File::Temp::tempdir(
|
||||
'tmp_testXXXX',
|
||||
DIR => $ENV{TESTDIR} || cwd(),
|
||||
CLEANUP => 1);
|
||||
}
|
||||
|
||||
sub tempdir_short
|
||||
{
|
||||
|
||||
# Use a separate temp dir outside the build tree for the
|
||||
# Unix-domain socket, to avoid file name length issues.
|
||||
return File::Temp::tempdir(CLEANUP => 1);
|
||||
@ -75,7 +79,7 @@ sub standard_initdb
|
||||
my $pgdata = shift;
|
||||
system_or_bail("initdb -D '$pgdata' -A trust -N >/dev/null");
|
||||
system_or_bail("$ENV{top_builddir}/src/test/regress/pg_regress",
|
||||
'--config-auth', $pgdata);
|
||||
'--config-auth', $pgdata);
|
||||
}
|
||||
|
||||
my ($test_server_datadir, $test_server_logfile);
|
||||
@ -90,7 +94,7 @@ sub start_test_server
|
||||
standard_initdb "$tempdir/pgdata";
|
||||
$ret = system 'pg_ctl', '-D', "$tempdir/pgdata", '-s', '-w', '-l',
|
||||
"$tempdir/logfile", '-o',
|
||||
"--fsync=off -k $tempdir_short --listen-addresses='' --log-statement=all",
|
||||
"--fsync=off -k $tempdir_short --listen-addresses='' --log-statement=all",
|
||||
'start';
|
||||
|
||||
if ($ret != 0)
|
||||
@ -185,7 +189,8 @@ sub program_options_handling_ok
|
||||
{
|
||||
my ($cmd) = @_;
|
||||
my ($stdout, $stderr);
|
||||
my $result = run [ $cmd, '--not-a-valid-option' ], '>', \$stdout, '2>', \$stderr;
|
||||
my $result = run [ $cmd, '--not-a-valid-option' ], '>', \$stdout, '2>',
|
||||
\$stderr;
|
||||
ok(!$result, "$cmd with invalid option nonzero exit code");
|
||||
isnt($stderr, '', "$cmd with invalid option prints error message");
|
||||
}
|
||||
|
@ -1139,15 +1139,15 @@ spawn_process(const char *cmdline)
|
||||
/* in parent */
|
||||
return pid;
|
||||
#else
|
||||
PROCESS_INFORMATION pi;
|
||||
char *cmdline2;
|
||||
HANDLE restrictedToken;
|
||||
PROCESS_INFORMATION pi;
|
||||
char *cmdline2;
|
||||
HANDLE restrictedToken;
|
||||
|
||||
memset(&pi, 0, sizeof(pi));
|
||||
cmdline2 = psprintf("cmd /c \"%s\"", cmdline);
|
||||
|
||||
if((restrictedToken =
|
||||
CreateRestrictedProcess(cmdline2, &pi, progname)) == 0)
|
||||
if ((restrictedToken =
|
||||
CreateRestrictedProcess(cmdline2, &pi, progname)) == 0)
|
||||
exit(2);
|
||||
|
||||
CloseHandle(pi.hThread);
|
||||
@ -1973,8 +1973,9 @@ help(void)
|
||||
printf(_(" --schedule=FILE use test ordering schedule from FILE\n"));
|
||||
printf(_(" (can be used multiple times to concatenate)\n"));
|
||||
printf(_(" --temp-instance=DIR create a temporary instance in DIR\n"));
|
||||
printf(_(" --use-existing use an existing installation\n")); // XXX
|
||||
printf(_("\n"));
|
||||
printf(_(" --use-existing use an existing installation\n"));
|
||||
//XXX
|
||||
printf(_("\n"));
|
||||
printf(_("Options for \"temp-instance\" mode:\n"));
|
||||
printf(_(" --no-locale use C locale\n"));
|
||||
printf(_(" --port=PORT start postmaster on PORT\n"));
|
||||
@ -2446,8 +2447,8 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
|
||||
|
||||
/*
|
||||
* If there were no errors, remove the temp instance immediately to
|
||||
* conserve disk space. (If there were errors, we leave the instance
|
||||
* in place for possible manual investigation.)
|
||||
* conserve disk space. (If there were errors, we leave the instance in
|
||||
* place for possible manual investigation.)
|
||||
*/
|
||||
if (temp_instance && fail_count == 0 && fail_ignore_count == 0)
|
||||
{
|
||||
|
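Review bot: In help(), the `// XXX` marker that trailed the `--use-existing` line now appears to sit on a line of its own as `//XXX`, detached from the option it annotated. The other comments visible in this file are `/* ... */`, so it is also in a different comment style. Replace it with a comment above the printf that says what is unresolved, e.g. `/* XXX: <what is outstanding for --use-existing> */`, or drop the marker if nothing is outstanding. help() starts and ends outside the hunk.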
@ -1,8 +1,8 @@
|
||||
/*------------------------------------------------------------------------
|
||||
*
|
||||
* regress.c
|
||||
* Code for various C-language functions defined as part of the
|
||||
* regression tests.
|
||||
* Code for various C-language functions defined as part of the
|
||||
* regression tests.
|
||||
*
|
||||
* This code is released under the terms of the PostgreSQL License.
|
||||
*
|
||||
@ -911,14 +911,14 @@ test_atomic_flag(void)
|
||||
|
||||
pg_atomic_clear_flag(&flag);
|
||||
}
|
||||
#endif /* PG_HAVE_ATOMIC_FLAG_SIMULATION */
|
||||
#endif /* PG_HAVE_ATOMIC_FLAG_SIMULATION */
|
||||
|
||||
static void
|
||||
test_atomic_uint32(void)
|
||||
{
|
||||
pg_atomic_uint32 var;
|
||||
uint32 expected;
|
||||
int i;
|
||||
uint32 expected;
|
||||
int i;
|
||||
|
||||
pg_atomic_init_u32(&var, 0);
|
||||
|
||||
@ -955,7 +955,7 @@ test_atomic_uint32(void)
|
||||
if (pg_atomic_fetch_add_u32(&var, INT_MAX) != INT_MAX)
|
||||
elog(ERROR, "pg_atomic_add_fetch_u32() #3 wrong");
|
||||
|
||||
pg_atomic_fetch_add_u32(&var, 1); /* top up to UINT_MAX */
|
||||
pg_atomic_fetch_add_u32(&var, 1); /* top up to UINT_MAX */
|
||||
|
||||
if (pg_atomic_read_u32(&var) != UINT_MAX)
|
||||
elog(ERROR, "atomic_read_u32() #2 wrong");
|
||||
@ -963,7 +963,7 @@ test_atomic_uint32(void)
|
||||
if (pg_atomic_fetch_sub_u32(&var, INT_MAX) != UINT_MAX)
|
||||
elog(ERROR, "pg_atomic_fetch_sub_u32() #2 wrong");
|
||||
|
||||
if (pg_atomic_read_u32(&var) != (uint32)INT_MAX + 1)
|
||||
if (pg_atomic_read_u32(&var) != (uint32) INT_MAX + 1)
|
||||
elog(ERROR, "atomic_read_u32() #3 wrong: %u", pg_atomic_read_u32(&var));
|
||||
|
||||
expected = pg_atomic_sub_fetch_u32(&var, INT_MAX);
|
||||
@ -1018,8 +1018,8 @@ static void
|
||||
test_atomic_uint64(void)
|
||||
{
|
||||
pg_atomic_uint64 var;
|
||||
uint64 expected;
|
||||
int i;
|
||||
uint64 expected;
|
||||
int i;
|
||||
|
||||
pg_atomic_init_u64(&var, 0);
|
||||
|
||||
@ -1083,13 +1083,13 @@ test_atomic_uint64(void)
|
||||
elog(ERROR, "pg_atomic_fetch_and_u64() #1 wrong");
|
||||
|
||||
if (pg_atomic_fetch_and_u64(&var, ~1) != 1)
|
||||
elog(ERROR, "pg_atomic_fetch_and_u64() #2 wrong: is "UINT64_FORMAT,
|
||||
elog(ERROR, "pg_atomic_fetch_and_u64() #2 wrong: is " UINT64_FORMAT,
|
||||
pg_atomic_read_u64(&var));
|
||||
/* no bits set anymore */
|
||||
if (pg_atomic_fetch_and_u64(&var, ~0) != 0)
|
||||
elog(ERROR, "pg_atomic_fetch_and_u64() #3 wrong");
|
||||
}
|
||||
#endif /* PG_HAVE_ATOMIC_U64_SUPPORT */
|
||||
#endif /* PG_HAVE_ATOMIC_U64_SUPPORT */
|
||||
|
||||
|
||||
PG_FUNCTION_INFO_V1(test_atomic_ops);
|
||||
|
@ -38,74 +38,81 @@ sub copy_files
|
||||
foreach my $orig_file (@orig_files)
|
||||
{
|
||||
my $base_file = basename($orig_file);
|
||||
copy($orig_file, "$dest/$base_file") or die "Could not copy $orig_file to $dest";
|
||||
copy($orig_file, "$dest/$base_file")
|
||||
or die "Could not copy $orig_file to $dest";
|
||||
}
|
||||
}
|
||||
|
||||
sub configure_test_server_for_ssl
|
||||
{
|
||||
my $tempdir = $_[0];
|
||||
my $tempdir = $_[0];
|
||||
|
||||
# Create test users and databases
|
||||
psql 'postgres', "CREATE USER ssltestuser";
|
||||
psql 'postgres', "CREATE USER anotheruser";
|
||||
psql 'postgres', "CREATE DATABASE trustdb";
|
||||
psql 'postgres', "CREATE DATABASE certdb";
|
||||
# Create test users and databases
|
||||
psql 'postgres', "CREATE USER ssltestuser";
|
||||
psql 'postgres', "CREATE USER anotheruser";
|
||||
psql 'postgres', "CREATE DATABASE trustdb";
|
||||
psql 'postgres', "CREATE DATABASE certdb";
|
||||
|
||||
# enable logging etc.
|
||||
open CONF, ">>$tempdir/pgdata/postgresql.conf";
|
||||
print CONF "fsync=off\n";
|
||||
print CONF "log_connections=on\n";
|
||||
print CONF "log_hostname=on\n";
|
||||
print CONF "log_statement=all\n";
|
||||
# enable logging etc.
|
||||
open CONF, ">>$tempdir/pgdata/postgresql.conf";
|
||||
print CONF "fsync=off\n";
|
||||
print CONF "log_connections=on\n";
|
||||
print CONF "log_hostname=on\n";
|
||||
print CONF "log_statement=all\n";
|
||||
|
||||
# enable SSL and set up server key
|
||||
print CONF "include 'sslconfig.conf'";
|
||||
# enable SSL and set up server key
|
||||
print CONF "include 'sslconfig.conf'";
|
||||
|
||||
close CONF;
|
||||
close CONF;
|
||||
|
||||
# Copy all server certificates and keys, and client root cert, to the data dir
|
||||
copy_files("ssl/server-*.crt", "$tempdir/pgdata");
|
||||
copy_files("ssl/server-*.key", "$tempdir/pgdata");
|
||||
system_or_bail "chmod 0600 '$tempdir'/pgdata/server-*.key";
|
||||
copy_files("ssl/root+client_ca.crt", "$tempdir/pgdata");
|
||||
copy_files("ssl/root+client.crl", "$tempdir/pgdata");
|
||||
# Copy all server certificates and keys, and client root cert, to the data dir
|
||||
copy_files("ssl/server-*.crt", "$tempdir/pgdata");
|
||||
copy_files("ssl/server-*.key", "$tempdir/pgdata");
|
||||
system_or_bail "chmod 0600 '$tempdir'/pgdata/server-*.key";
|
||||
copy_files("ssl/root+client_ca.crt", "$tempdir/pgdata");
|
||||
copy_files("ssl/root+client.crl", "$tempdir/pgdata");
|
||||
|
||||
# Only accept SSL connections from localhost. Our tests don't depend on this
|
||||
# but seems best to keep it as narrow as possible for security reasons.
|
||||
#
|
||||
# When connecting to certdb, also check the client certificate.
|
||||
open HBA, ">$tempdir/pgdata/pg_hba.conf";
|
||||
print HBA "# TYPE DATABASE USER ADDRESS METHOD\n";
|
||||
print HBA "hostssl trustdb ssltestuser 127.0.0.1/32 trust\n";
|
||||
print HBA "hostssl trustdb ssltestuser ::1/128 trust\n";
|
||||
print HBA "hostssl certdb ssltestuser 127.0.0.1/32 cert\n";
|
||||
print HBA "hostssl certdb ssltestuser ::1/128 cert\n";
|
||||
close HBA;
|
||||
open HBA, ">$tempdir/pgdata/pg_hba.conf";
|
||||
print HBA
|
||||
"# TYPE DATABASE USER ADDRESS METHOD\n";
|
||||
print HBA
|
||||
"hostssl trustdb ssltestuser 127.0.0.1/32 trust\n";
|
||||
print HBA
|
||||
"hostssl trustdb ssltestuser ::1/128 trust\n";
|
||||
print HBA
|
||||
"hostssl certdb ssltestuser 127.0.0.1/32 cert\n";
|
||||
print HBA
|
||||
"hostssl certdb ssltestuser ::1/128 cert\n";
|
||||
close HBA;
|
||||
}
|
||||
|
||||
# Change the configuration to use given server cert file, and restart
|
||||
# the server so that the configuration takes effect.
|
||||
sub switch_server_cert
|
||||
{
|
||||
my $tempdir = $_[0];
|
||||
my $certfile = $_[1];
|
||||
my $tempdir = $_[0];
|
||||
my $certfile = $_[1];
|
||||
|
||||
diag "Restarting server with certfile \"$certfile\"...";
|
||||
diag "Restarting server with certfile \"$certfile\"...";
|
||||
|
||||
open SSLCONF, ">$tempdir/pgdata/sslconfig.conf";
|
||||
print SSLCONF "ssl=on\n";
|
||||
print SSLCONF "ssl_ca_file='root+client_ca.crt'\n";
|
||||
print SSLCONF "ssl_cert_file='$certfile.crt'\n";
|
||||
print SSLCONF "ssl_key_file='$certfile.key'\n";
|
||||
print SSLCONF "ssl_crl_file='root+client.crl'\n";
|
||||
close SSLCONF;
|
||||
open SSLCONF, ">$tempdir/pgdata/sslconfig.conf";
|
||||
print SSLCONF "ssl=on\n";
|
||||
print SSLCONF "ssl_ca_file='root+client_ca.crt'\n";
|
||||
print SSLCONF "ssl_cert_file='$certfile.crt'\n";
|
||||
print SSLCONF "ssl_key_file='$certfile.key'\n";
|
||||
print SSLCONF "ssl_crl_file='root+client.crl'\n";
|
||||
close SSLCONF;
|
||||
|
||||
# Stop and restart server to reload the new config. We cannot use
|
||||
# restart_test_server() because that overrides listen_addresses to only all
|
||||
# Unix domain socket connections.
|
||||
# Stop and restart server to reload the new config. We cannot use
|
||||
# restart_test_server() because that overrides listen_addresses to only all
|
||||
# Unix domain socket connections.
|
||||
|
||||
system_or_bail 'pg_ctl', 'stop', '-s', '-D', "$tempdir/pgdata", '-w';
|
||||
system_or_bail 'pg_ctl', 'start', '-s', '-D', "$tempdir/pgdata", '-w', '-l',
|
||||
"$tempdir/logfile";
|
||||
system_or_bail 'pg_ctl', 'stop', '-s', '-D', "$tempdir/pgdata", '-w';
|
||||
system_or_bail 'pg_ctl', 'start', '-s', '-D', "$tempdir/pgdata", '-w',
|
||||
'-l',
|
||||
"$tempdir/logfile";
|
||||
}
|
||||
|
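Review bot: The three `open` calls in this section never check their result: `CONF` and `HBA` in configure_test_server_for_ssl, and `SSLCONF` in switch_server_cert. If `open HBA, ">$tempdir/pgdata/pg_hba.conf"` fails, the following `print HBA` lines write nothing and the server presumably keeps whatever pg_hba.conf was already in the data directory. The later "should fail" connection tests would then run against authentication rules other than the ones written here. The SSL test script in this same commit already guards its log file with `or die`; do the same here, e.g. `open HBA, ">$tempdir/pgdata/pg_hba.conf" or die "could not open $tempdir/pgdata/pg_hba.conf: $!";`, and likewise for `CONF` and `SSLCONF`.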
@ -23,9 +23,10 @@ BEGIN
|
||||
# This is the hostname used to connect to the server. This cannot be a
|
||||
# hostname, because the server certificate is always for the domain
|
||||
# postgresql-ssl-regression.test.
|
||||
my $SERVERHOSTADDR='127.0.0.1';
|
||||
my $SERVERHOSTADDR = '127.0.0.1';
|
||||
|
||||
my $tempdir = TestLib::tempdir;
|
||||
|
||||
#my $tempdir = "tmp_check";
|
||||
|
||||
|
||||
@ -33,17 +34,17 @@ my $tempdir = TestLib::tempdir;
|
||||
|
||||
my $common_connstr;
|
||||
|
||||
sub run_test_psql {
|
||||
my $connstr = $_[0];
|
||||
sub run_test_psql
|
||||
{
|
||||
my $connstr = $_[0];
|
||||
my $logstring = $_[1];
|
||||
|
||||
my $cmd = [ 'psql',
|
||||
'-A', '-t',
|
||||
'-c', "SELECT 'connected with $connstr'",
|
||||
'-d', "$connstr"
|
||||
];
|
||||
my $cmd = [
|
||||
'psql', '-A', '-t', '-c', "SELECT 'connected with $connstr'",
|
||||
'-d', "$connstr" ];
|
||||
|
||||
open CLIENTLOG, ">>$tempdir/client-log" or die "Could not open client-log file";
|
||||
open CLIENTLOG, ">>$tempdir/client-log"
|
||||
or die "Could not open client-log file";
|
||||
print CLIENTLOG "\n# Running test: $connstr $logstring\n";
|
||||
close CLIENTLOG;
|
||||
|
||||
@ -57,14 +58,17 @@ sub run_test_psql {
|
||||
# which also contains a libpq connection string.
|
||||
#
|
||||
# The second argument is a hostname to connect to.
|
||||
sub test_connect_ok {
|
||||
sub test_connect_ok
|
||||
{
|
||||
my $connstr = $_[0];
|
||||
|
||||
my $result = run_test_psql("$common_connstr $connstr", "(should succeed)");
|
||||
my $result =
|
||||
run_test_psql("$common_connstr $connstr", "(should succeed)");
|
||||
ok($result, $connstr);
|
||||
}
|
||||
|
||||
sub test_connect_fails {
|
||||
sub test_connect_fails
|
||||
{
|
||||
my $connstr = $_[0];
|
||||
|
||||
my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
|
||||
@ -91,7 +95,8 @@ switch_server_cert($tempdir, 'server-cn-only');
|
||||
|
||||
diag "running client tests...";
|
||||
|
||||
$common_connstr="user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
|
||||
$common_connstr =
|
||||
"user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
|
||||
|
||||
# The server should not accept non-SSL connections
|
||||
diag "test that the server doesn't accept non-SSL connections";
|
||||
@ -100,7 +105,7 @@ test_connect_fails("sslmode=disable");
|
||||
# Try without a root cert. In sslmode=require, this should work. In verify-ca
|
||||
# or verify-full mode it should fail
|
||||
diag "connect without server root cert";
|
||||
test_connect_ok ("sslrootcert=invalid sslmode=require");
|
||||
test_connect_ok("sslrootcert=invalid sslmode=require");
|
||||
test_connect_fails("sslrootcert=invalid sslmode=verify-ca");
|
||||
test_connect_fails("sslrootcert=invalid sslmode=verify-full");
|
||||
|
||||
@ -118,42 +123,50 @@ test_connect_fails("sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
|
||||
|
||||
# And finally, with the correct root cert.
|
||||
diag "connect with correct server CA cert file";
|
||||
test_connect_ok ("sslrootcert=ssl/root+server_ca.crt sslmode=require");
|
||||
test_connect_ok ("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
|
||||
test_connect_ok ("sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
|
||||
test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=require");
|
||||
test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
|
||||
test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
|
||||
|
||||
# Test with cert root file that contains two certificates. The client should
|
||||
# be able to pick the right one, regardless of the order in the file.
|
||||
test_connect_ok ("sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
|
||||
test_connect_ok ("sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
|
||||
test_connect_ok("sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
|
||||
test_connect_ok("sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
|
||||
|
||||
diag "testing sslcrl option with a non-revoked cert";
|
||||
|
||||
# Invalid CRL filename is the same as no CRL, succeeds
|
||||
test_connect_ok ("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid");
|
||||
test_connect_ok(
|
||||
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid");
|
||||
|
||||
# A CRL belonging to a different CA is not accepted, fails
|
||||
test_connect_fails("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl");
|
||||
test_connect_fails(
|
||||
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl");
|
||||
|
||||
# With the correct CRL, succeeds (this cert is not revoked)
|
||||
test_connect_ok ("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl");
|
||||
test_connect_ok(
|
||||
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
|
||||
);
|
||||
|
||||
# Check that connecting with verify-full fails, when the hostname doesn't
|
||||
# match the hostname in the server's certificate.
|
||||
diag "test mismatch between hostname and server certificate";
|
||||
$common_connstr="user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
|
||||
$common_connstr =
|
||||
"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
|
||||
|
||||
test_connect_ok ("sslmode=require host=wronghost.test");
|
||||
test_connect_ok ("sslmode=verify-ca host=wronghost.test");
|
||||
test_connect_ok("sslmode=require host=wronghost.test");
|
||||
test_connect_ok("sslmode=verify-ca host=wronghost.test");
|
||||
test_connect_fails("sslmode=verify-full host=wronghost.test");
|
||||
|
||||
# Test Subject Alternative Names.
|
||||
switch_server_cert($tempdir, 'server-multiple-alt-names');
|
||||
|
||||
diag "test hostname matching with X509 Subject Alternative Names";
|
||||
$common_connstr="user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
|
||||
$common_connstr =
|
||||
"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
|
||||
|
||||
test_connect_ok ("host=dns1.alt-name.pg-ssltest.test");
|
||||
test_connect_ok ("host=dns2.alt-name.pg-ssltest.test");
|
||||
test_connect_ok ("host=foo.wildcard.pg-ssltest.test");
|
||||
test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
|
||||
test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
|
||||
test_connect_ok("host=foo.wildcard.pg-ssltest.test");
|
||||
|
||||
test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
|
||||
test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
|
||||
@ -163,9 +176,10 @@ test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
|
||||
switch_server_cert($tempdir, 'server-single-alt-name');
|
||||
|
||||
diag "test hostname matching with a single X509 Subject Alternative Name";
|
||||
$common_connstr="user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
|
||||
$common_connstr =
|
||||
"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
|
||||
|
||||
test_connect_ok ("host=single.alt-name.pg-ssltest.test");
|
||||
test_connect_ok("host=single.alt-name.pg-ssltest.test");
|
||||
|
||||
test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
|
||||
test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
|
||||
@ -175,48 +189,58 @@ test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
|
||||
switch_server_cert($tempdir, 'server-cn-and-alt-names');
|
||||
|
||||
diag "test certificate with both a CN and SANs";
|
||||
$common_connstr="user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
|
||||
$common_connstr =
|
||||
"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
|
||||
|
||||
test_connect_ok ("host=dns1.alt-name.pg-ssltest.test");
|
||||
test_connect_ok ("host=dns2.alt-name.pg-ssltest.test");
|
||||
test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
|
||||
test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
|
||||
test_connect_fails("host=common-name.pg-ssltest.test");
|
||||
|
||||
# Finally, test a server certificate that has no CN or SANs. Of course, that's
|
||||
# not a very sensible certificate, but libpq should handle it gracefully.
|
||||
switch_server_cert($tempdir, 'server-no-names');
|
||||
$common_connstr="user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
|
||||
$common_connstr =
|
||||
"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
|
||||
|
||||
test_connect_ok ("sslmode=verify-ca host=common-name.pg-ssltest.test");
|
||||
test_connect_ok("sslmode=verify-ca host=common-name.pg-ssltest.test");
|
||||
test_connect_fails("sslmode=verify-full host=common-name.pg-ssltest.test");
|
||||
|
||||
# Test that the CRL works
|
||||
diag "Testing client-side CRL";
|
||||
switch_server_cert($tempdir, 'server-revoked');
|
||||
|
||||
$common_connstr="user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
|
||||
$common_connstr =
|
||||
"user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
|
||||
|
||||
# Without the CRL, succeeds. With it, fails.
|
||||
test_connect_ok ("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
|
||||
test_connect_fails("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl");
|
||||
test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
|
||||
test_connect_fails(
|
||||
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
|
||||
);
|
||||
|
||||
### Part 2. Server-side tests.
|
||||
###
|
||||
### Test certificate authorization.
|
||||
|
||||
diag "Testing certificate authorization...";
|
||||
$common_connstr="sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";
|
||||
$common_connstr =
|
||||
"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";
|
||||
|
||||
# no client cert
|
||||
test_connect_fails("user=ssltestuser sslcert=invalid");
|
||||
|
||||
# correct client cert
|
||||
test_connect_ok ("user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client.key");
|
||||
test_connect_ok(
|
||||
"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client.key");
|
||||
|
||||
# client cert belonging to another user
|
||||
test_connect_fails("user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client.key");
|
||||
test_connect_fails(
|
||||
"user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client.key");
|
||||
|
||||
# revoked client cert
|
||||
test_connect_fails("user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked.key");
|
||||
test_connect_fails(
|
||||
"user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked.key"
|
||||
);
|
||||
|
||||
|
||||
# All done! Save the log, before the temporary installation is deleted
|
||||
|