summaryrefslogtreecommitdiffstats
path: root/src/test/authentication/t/002_saslprep.pl
blob: 5e87e21ee9bb1dc383b821a9050c92fdffb72020 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
# Copyright (c) 2021-2022, PostgreSQL Global Development Group

# Test password normalization in SCRAM.
#
# This test can only run with Unix-domain sockets.

use strict;
use warnings;
use PostgreSQL::Test::Cluster;
use PostgreSQL::Test::Utils;
use Test::More;
if (!$use_unix_sockets)
{
	plan skip_all =>
	  "authentication tests cannot run without Unix-domain sockets";
}

# Delete pg_hba.conf from the given node, add a new entry to it
# and then execute a reload to refresh it.
sub reset_pg_hba
{
	my $node       = shift;
	my $hba_method = shift;

	unlink($node->data_dir . '/pg_hba.conf');
	$node->append_conf('pg_hba.conf', "local all all $hba_method");
	$node->reload;
	return;
}

# Test access for a single role, useful to wrap all tests into one.
sub test_login
{
	local $Test::Builder::Level = $Test::Builder::Level + 1;

	my $node          = shift;
	my $role          = shift;
	my $password      = shift;
	my $expected_res  = shift;
	my $status_string = 'failed';

	$status_string = 'success' if ($expected_res eq 0);

	my $connstr = "user=$role";
	my $testname =
	  "authentication $status_string for role $role with password $password";

	$ENV{"PGPASSWORD"} = $password;
	if ($expected_res eq 0)
	{
		$node->connect_ok($connstr, $testname);
	}
	else
	{
		# No checks of the error message, only the status code.
		$node->connect_fails($connstr, $testname);
	}
}

# Initialize primary node. Force UTF-8 encoding, so that we can use non-ASCII
# characters in the passwords below.
my $node = PostgreSQL::Test::Cluster->new('primary');
$node->init(extra => [ '--locale=C', '--encoding=UTF8' ]);
$node->start;

# These tests are based on the example strings from RFC4013.txt,
# Section "3. Examples":
#
# #  Input            Output     Comments
# -  -----            ------     --------
# 1  I<U+00AD>X       IX         SOFT HYPHEN mapped to nothing
# 2  user             user       no transformation
# 3  USER             USER       case preserved, will not match #2
# 4  <U+00AA>         a          output is NFKC, input in ISO 8859-1
# 5  <U+2168>         IX         output is NFKC, will match #1
# 6  <U+0007>                    Error - prohibited character
# 7  <U+0627><U+0031>            Error - bidirectional check

# Create test roles.
$node->safe_psql(
	'postgres',
	"SET password_encryption='scram-sha-256';
SET client_encoding='utf8';
CREATE ROLE saslpreptest1_role LOGIN PASSWORD 'IX';
CREATE ROLE saslpreptest4a_role LOGIN PASSWORD 'a';
CREATE ROLE saslpreptest4b_role LOGIN PASSWORD E'\\xc2\\xaa';
CREATE ROLE saslpreptest6_role LOGIN PASSWORD E'foo\\x07bar';
CREATE ROLE saslpreptest7_role LOGIN PASSWORD E'foo\\u0627\\u0031bar';
");

# Require password from now on.
reset_pg_hba($node, 'scram-sha-256');

# Check that #1 and #5 are treated the same as just 'IX'
test_login($node, 'saslpreptest1_role', "I\xc2\xadX",   0);
test_login($node, 'saslpreptest1_role', "\xe2\x85\xa8", 0);

# but different from lower case 'ix'
test_login($node, 'saslpreptest1_role', "ix", 2);

# Check #4
test_login($node, 'saslpreptest4a_role', "a",        0);
test_login($node, 'saslpreptest4a_role', "\xc2\xaa", 0);
test_login($node, 'saslpreptest4b_role', "a",        0);
test_login($node, 'saslpreptest4b_role', "\xc2\xaa", 0);

# Check #6 and #7 - In PostgreSQL, contrary to the spec, if the password
# contains prohibited characters, we use it as is, without normalization.
test_login($node, 'saslpreptest6_role', "foo\x07bar", 0);
test_login($node, 'saslpreptest6_role', "foobar",     2);

test_login($node, 'saslpreptest7_role', "foo\xd8\xa71bar", 0);
test_login($node, 'saslpreptest7_role', "foo1\xd8\xa7bar", 2);
test_login($node, 'saslpreptest7_role', "foobar",          2);

done_testing();