database/postgres
database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-05-17 06:41:24 +03:00
Code

Move Kerberos module

Browse Source 
So that we can reuse it in new tests.

Discussion: https://www.postgresql.org/message-id/a3af4070-3556-461d-aec8-a8d794f94894@iki.fi
Reviewed-by: Jacob Champion, Matthias van de Meent
This commit is contained in:
Heikki Linnakangas 2024-04-08 02:49:30 +03:00
parent 997db123c0
commit 9f899562d4
2 changed files with 245 additions and 168 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

179
src/test/kerberos/t/001_auth.pl
View File

@ -21,6 +21,7 @@ use strict;
use warnings FATAL => 'all'; use warnings FATAL => 'all';
use PostgreSQL::Test::Utils; use PostgreSQL::Test::Utils;
use PostgreSQL::Test::Cluster; use PostgreSQL::Test::Cluster;
use PostgreSQL::Test::Kerberos;
use Test::More; use Test::More;
use Time::HiRes qw(usleep); use Time::HiRes qw(usleep);
@ -34,182 +35,27 @@ elsif (!$ENV{PG_TEST_EXTRA} || $ENV{PG_TEST_EXTRA} !~ /\bkerberos\b/)
'Potentially unsafe test GSSAPI/Kerberos not enabled in PG_TEST_EXTRA'; 'Potentially unsafe test GSSAPI/Kerberos not enabled in PG_TEST_EXTRA';
} }
my ($krb5_bin_dir, $krb5_sbin_dir);
if ($^O eq 'darwin' && -d "/opt/homebrew")
{
# typical paths for Homebrew on ARM
$krb5_bin_dir = '/opt/homebrew/opt/krb5/bin';
$krb5_sbin_dir = '/opt/homebrew/opt/krb5/sbin';
}
elsif ($^O eq 'darwin')
{
# typical paths for Homebrew on Intel
$krb5_bin_dir = '/usr/local/opt/krb5/bin';
$krb5_sbin_dir = '/usr/local/opt/krb5/sbin';
}
elsif ($^O eq 'freebsd')
{
$krb5_bin_dir = '/usr/local/bin';
$krb5_sbin_dir = '/usr/local/sbin';
}
elsif ($^O eq 'linux')
{
$krb5_sbin_dir = '/usr/sbin';
}
my $krb5_config = 'krb5-config';
my $kinit = 'kinit';
my $klist = 'klist';
my $kdb5_util = 'kdb5_util';
my $kadmin_local = 'kadmin.local';
my $krb5kdc = 'krb5kdc';
if ($krb5_bin_dir && -d $krb5_bin_dir)
{
$krb5_config = $krb5_bin_dir . '/' . $krb5_config;
$kinit = $krb5_bin_dir . '/' . $kinit;
$klist = $krb5_bin_dir . '/' . $klist;
}
if ($krb5_sbin_dir && -d $krb5_sbin_dir)
{
$kdb5_util = $krb5_sbin_dir . '/' . $kdb5_util;
$kadmin_local = $krb5_sbin_dir . '/' . $kadmin_local;
$krb5kdc = $krb5_sbin_dir . '/' . $krb5kdc;
}
my $host = 'auth-test-localhost.postgresql.example.com';
my $hostaddr = '127.0.0.1';
my $realm = 'EXAMPLE.COM';
my $krb5_conf = "${PostgreSQL::Test::Utils::tmp_check}/krb5.conf";
my $kdc_conf = "${PostgreSQL::Test::Utils::tmp_check}/kdc.conf";
my $krb5_cache = "${PostgreSQL::Test::Utils::tmp_check}/krb5cc";
my $krb5_log = "${PostgreSQL::Test::Utils::log_path}/krb5libs.log";
my $kdc_log = "${PostgreSQL::Test::Utils::log_path}/krb5kdc.log";
my $kdc_port = PostgreSQL::Test::Cluster::get_free_port();
my $kdc_datadir = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc";
my $kdc_pidfile = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc.pid";
my $keytab = "${PostgreSQL::Test::Utils::tmp_check}/krb5.keytab";
my $pgpass = "${PostgreSQL::Test::Utils::tmp_check}/.pgpass"; my $pgpass = "${PostgreSQL::Test::Utils::tmp_check}/.pgpass";
my $dbname = 'postgres'; my $dbname = 'postgres';
my $username = 'test1'; my $username = 'test1';
my $application = '001_auth.pl'; my $application = '001_auth.pl';
note "setting up Kerberos";
my ($stdout, $krb5_version);
run_log [ $krb5_config, '--version' ], '>', \$stdout
or BAIL_OUT("could not execute krb5-config");
BAIL_OUT("Heimdal is not supported") if $stdout =~ m/heimdal/;
$stdout =~ m/Kerberos 5 release ([0-9]+\.[0-9]+)/
or BAIL_OUT("could not get Kerberos version");
$krb5_version = $1;
# Construct a pgpass file to make sure we don't use it # Construct a pgpass file to make sure we don't use it
append_to_file($pgpass, '*:*:*:*:abc123'); append_to_file($pgpass, '*:*:*:*:abc123');
chmod 0600, $pgpass or die $!; chmod 0600, $pgpass or die $!;
# Build the krb5.conf to use. note "setting up Kerberos";
#
# Explicitly specify the default (test) realm and the KDC for
# that realm to avoid the Kerberos library trying to look up
# that information in DNS, and also because we're using a
# non-standard KDC port.
#
# Also explicitly disable DNS lookups since this isn't really
# our domain and we shouldn't be causing random DNS requests
# to be sent out (not to mention that broken DNS environments
# can cause the tests to take an extra long time and timeout).
#
# Reverse DNS is explicitly disabled to avoid any issue with a
# captive portal or other cases where the reverse DNS succeeds
# and the Kerberos library uses that as the canonical name of
# the host and then tries to acquire a cross-realm ticket.
append_to_file(
$krb5_conf,
qq![logging]
default = FILE:$krb5_log
kdc = FILE:$kdc_log
[libdefaults] my $host = 'auth-test-localhost.postgresql.example.com';
dns_lookup_realm = false my $hostaddr = '127.0.0.1';
dns_lookup_kdc = false my $realm = 'EXAMPLE.COM';
default_realm = $realm
forwardable = false
rdns = false
[realms] my $krb = PostgreSQL::Test::Kerberos->new($host, $hostaddr, $realm);
$realm = {
kdc = $hostaddr:$kdc_port
}
!);
append_to_file(
$kdc_conf,
qq![kdcdefaults]
!);
# For new-enough versions of krb5, use the _listen settings rather
# than the _ports settings so that we can bind to localhost only.
if ($krb5_version >= 1.15)
{
append_to_file(
$kdc_conf,
qq!kdc_listen = $hostaddr:$kdc_port
kdc_tcp_listen = $hostaddr:$kdc_port
!);
}
else
{
append_to_file(
$kdc_conf,
qq!kdc_ports = $kdc_port
kdc_tcp_ports = $kdc_port
!);
}
append_to_file(
$kdc_conf,
qq!
[realms]
$realm = {
database_name = $kdc_datadir/principal
admin_keytab = FILE:$kdc_datadir/kadm5.keytab
acl_file = $kdc_datadir/kadm5.acl
key_stash_file = $kdc_datadir/_k5.$realm
}!);
mkdir $kdc_datadir or die;
# Ensure that we use test's config and cache files, not global ones.
$ENV{'KRB5_CONFIG'} = $krb5_conf;
$ENV{'KRB5_KDC_PROFILE'} = $kdc_conf;
$ENV{'KRB5CCNAME'} = $krb5_cache;
my $service_principal = "$ENV{with_krb_srvnam}/$host";
system_or_bail $kdb5_util, 'create', '-s', '-P', 'secret0';
my $test1_password = 'secret1'; my $test1_password = 'secret1';
system_or_bail $kadmin_local, '-q', "addprinc -pw $test1_password test1"; $krb->create_principal('test1', $test1_password);
system_or_bail $kadmin_local, '-q', "addprinc -randkey $service_principal";
system_or_bail $kadmin_local, '-q', "ktadd -k $keytab $service_principal";
system_or_bail $krb5kdc, '-P', $kdc_pidfile;
END
{
# take care not to change the script's exit value
my $exit_code = $?;
kill 'INT', `cat $kdc_pidfile` if defined($kdc_pidfile) && -f $kdc_pidfile;
$? = $exit_code;
}
note "setting up PostgreSQL instance"; note "setting up PostgreSQL instance";
@ -218,7 +64,7 @@ $node->init;
$node->append_conf( $node->append_conf(
'postgresql.conf', qq{ 'postgresql.conf', qq{
listen_addresses = '$hostaddr' listen_addresses = '$hostaddr'
krb_server_keyfile = '$keytab' krb_server_keyfile = '$krb->{keytab}'
log_connections = on log_connections = on
lc_messages = 'C' lc_messages = 'C'
}); });
@ -332,8 +178,7 @@ $node->restart;
test_access($node, 'test1', 'SELECT true', 2, '', 'fails without ticket'); test_access($node, 'test1', 'SELECT true', 2, '', 'fails without ticket');
run_log [ $kinit, 'test1' ], \$test1_password or BAIL_OUT($?); $krb->create_ticket('test1', $test1_password);
run_log [ $klist, '-f' ] or BAIL_OUT($?);
test_access( test_access(
$node, $node,
@ -475,10 +320,8 @@ $node->append_conf(
hostgssenc all all $hostaddr/32 gss map=mymap hostgssenc all all $hostaddr/32 gss map=mymap
}); });
string_replace_file($krb5_conf, "forwardable = false", "forwardable = true"); # Re-create the ticket, with the forwardable flag set
$krb->create_ticket('test1', $test1_password, forwardable => 1);
run_log [ $kinit, 'test1' ], \$test1_password or BAIL_OUT($?);
run_log [ $klist, '-f' ] or BAIL_OUT($?);
test_access( test_access(
$node, $node,

234
src/test/perl/PostgreSQL/Test/Kerberos.pm Normal file
View File

@ -0,0 +1,234 @@
# Copyright (c) 2021-2024, PostgreSQL Global Development Group
# Sets up a stand-alone KDC for testing PostgreSQL GSSAPI / Kerberos
# functionality.
package PostgreSQL::Test::Kerberos;
use strict;
use warnings FATAL => 'all';
use PostgreSQL::Test::Utils;
our ($krb5_bin_dir, $krb5_sbin_dir, $krb5_config, $kinit, $klist,
$kdb5_util, $kadmin_local, $krb5kdc,
$krb5_conf, $kdc_conf, $krb5_cache, $krb5_log, $kdc_log,
$kdc_port, $kdc_datadir, $kdc_pidfile, $keytab);
INIT
{
if ($^O eq 'darwin' && -d "/opt/homebrew")
{
# typical paths for Homebrew on ARM
$krb5_bin_dir = '/opt/homebrew/opt/krb5/bin';
$krb5_sbin_dir = '/opt/homebrew/opt/krb5/sbin';
}
elsif ($^O eq 'darwin')
{
# typical paths for Homebrew on Intel
$krb5_bin_dir = '/usr/local/opt/krb5/bin';
$krb5_sbin_dir = '/usr/local/opt/krb5/sbin';
}
elsif ($^O eq 'freebsd')
{
$krb5_bin_dir = '/usr/local/bin';
$krb5_sbin_dir = '/usr/local/sbin';
}
elsif ($^O eq 'linux')
{
$krb5_sbin_dir = '/usr/sbin';
}
$krb5_config = 'krb5-config';
$kinit = 'kinit';
$klist = 'klist';
$kdb5_util = 'kdb5_util';
$kadmin_local = 'kadmin.local';
$krb5kdc = 'krb5kdc';
if ($krb5_bin_dir && -d $krb5_bin_dir)
{
$krb5_config = $krb5_bin_dir . '/' . $krb5_config;
$kinit = $krb5_bin_dir . '/' . $kinit;
$klist = $krb5_bin_dir . '/' . $klist;
}
if ($krb5_sbin_dir && -d $krb5_sbin_dir)
{
$kdb5_util = $krb5_sbin_dir . '/' . $kdb5_util;
$kadmin_local = $krb5_sbin_dir . '/' . $kadmin_local;
$krb5kdc = $krb5_sbin_dir . '/' . $krb5kdc;
}
$krb5_conf = "${PostgreSQL::Test::Utils::tmp_check}/krb5.conf";
$kdc_conf = "${PostgreSQL::Test::Utils::tmp_check}/kdc.conf";
$krb5_cache = "${PostgreSQL::Test::Utils::tmp_check}/krb5cc";
$krb5_log = "${PostgreSQL::Test::Utils::log_path}/krb5libs.log";
$kdc_log = "${PostgreSQL::Test::Utils::log_path}/krb5kdc.log";
$kdc_port = PostgreSQL::Test::Cluster::get_free_port();
$kdc_datadir = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc";
$kdc_pidfile = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc.pid";
$keytab = "${PostgreSQL::Test::Utils::tmp_check}/krb5.keytab";
}
=pod
=item PostgreSQL::Test::Kerberos->new(host, hostaddr, realm, %params)
Sets up a new Kerberos realm and KDC. This function assigns a free
port for the KDC. The KDC will be shut down automatically when the
test script exits.
=over
=item host => 'auth-test-localhost.postgresql.example.com'
Hostname to use in the service principal.
=item hostaddr => '127.0.0.1'
Network interface the KDC will listen on.
=item realm => 'EXAMPLE.COM'
Name of the Kerberos realm.
=back
=cut
sub new
{
my $class = shift;
my ($host, $hostaddr, $realm) = @_;
my ($stdout, $krb5_version);
run_log [ $krb5_config, '--version' ], '>', \$stdout
or BAIL_OUT("could not execute krb5-config");
BAIL_OUT("Heimdal is not supported") if $stdout =~ m/heimdal/;
$stdout =~ m/Kerberos 5 release ([0-9]+\.[0-9]+)/
or BAIL_OUT("could not get Kerberos version");
$krb5_version = $1;
# Build the krb5.conf to use.
#
# Explicitly specify the default (test) realm and the KDC for
# that realm to avoid the Kerberos library trying to look up
# that information in DNS, and also because we're using a
# non-standard KDC port.
#
# Also explicitly disable DNS lookups since this isn't really
# our domain and we shouldn't be causing random DNS requests
# to be sent out (not to mention that broken DNS environments
# can cause the tests to take an extra long time and timeout).
#
# Reverse DNS is explicitly disabled to avoid any issue with a
# captive portal or other cases where the reverse DNS succeeds
# and the Kerberos library uses that as the canonical name of
# the host and then tries to acquire a cross-realm ticket.
append_to_file(
$krb5_conf,
qq![logging]
default = FILE:$krb5_log
kdc = FILE:$kdc_log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
default_realm = $realm
forwardable = false
rdns = false
[realms]
$realm = {
kdc = $hostaddr:$kdc_port
}
!);
append_to_file(
$kdc_conf,
qq![kdcdefaults]
!);
# For new-enough versions of krb5, use the _listen settings rather
# than the _ports settings so that we can bind to localhost only.
if ($krb5_version >= 1.15)
{
append_to_file(
$kdc_conf,
qq!kdc_listen = $hostaddr:$kdc_port
kdc_tcp_listen = $hostaddr:$kdc_port
!);
}
else
{
append_to_file(
$kdc_conf,
qq!kdc_ports = $kdc_port
kdc_tcp_ports = $kdc_port
!);
}
append_to_file(
$kdc_conf,
qq!
[realms]
$realm = {
database_name = $kdc_datadir/principal
admin_keytab = FILE:$kdc_datadir/kadm5.keytab
acl_file = $kdc_datadir/kadm5.acl
key_stash_file = $kdc_datadir/_k5.$realm
}!);
mkdir $kdc_datadir or BAIL_OUT("could not create directory \"$kdc_datadir\"");
# Ensure that we use test's config and cache files, not global ones.
$ENV{'KRB5_CONFIG'} = $krb5_conf;
$ENV{'KRB5_KDC_PROFILE'} = $kdc_conf;
$ENV{'KRB5CCNAME'} = $krb5_cache;
my $service_principal = "$ENV{with_krb_srvnam}/$host";
system_or_bail $kdb5_util, 'create', '-s', '-P', 'secret0';
system_or_bail $kadmin_local, '-q', "addprinc -randkey $service_principal";
system_or_bail $kadmin_local, '-q', "ktadd -k $keytab $service_principal";
system_or_bail $krb5kdc, '-P', $kdc_pidfile;
my $self = {};
$self->{keytab} = $keytab;
bless $self, $class;
return $self;
}
sub create_principal
{
my ($self, $principal, $password) = @_;
system_or_bail $kadmin_local, '-q', "addprinc -pw $password $principal";
}
sub create_ticket
{
my ($self, $principal, $password, %params) = @_;
my @cmd = ($kinit, $principal);
push @cmd, '-f' if ($params{forwardable});
run_log [@cmd], \$password or BAIL_OUT($?);
run_log [ $klist, '-f' ] or BAIL_OUT($?);
}
END
{
# take care not to change the script's exit value
my $exit_code = $?;
kill 'INT', `cat $kdc_pidfile` if defined($kdc_pidfile) && -f $kdc_pidfile;
$? = $exit_code;
}
1;