From e308bcff5a610d6a3bbe33b3769f03f6d4533b16 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 18:02:19 +0200
Subject: Adding upstream version 248.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 t/032_ssl_key_permissions.t | 60 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 t/032_ssl_key_permissions.t

(limited to 't/032_ssl_key_permissions.t')

diff --git a/t/032_ssl_key_permissions.t b/t/032_ssl_key_permissions.t
new file mode 100644
index 0000000..929f08a
--- /dev/null
+++ b/t/032_ssl_key_permissions.t
@@ -0,0 +1,60 @@
+use strict;
+use warnings;
+
+use lib 't';
+use TestLib;
+use PgCommon;
+use Test::More tests => $PgCommon::rpm ? 1 : 3 + 19 * @MAJORS;
+
+if ($PgCommon::rpm) { pass 'No ssl key checks on RedHat'; exit; }
+
+my ($pg_uid, $pg_gid) = (getpwnam 'postgres')[2,3];
+my $ssl_cert_gid = (getgrnam 'ssl-cert')[2]; # reset permissions
+die "Could not determine ssl-cert gid" unless ($ssl_cert_gid);
+
+my $snakekey = '/etc/ssl/private/ssl-cert-snakeoil.key';
+is ((stat $snakekey)[4], 0, "$snakekey is owned by root");
+is ((stat $snakekey)[5], $ssl_cert_gid, "$snakekey group is ssl-cert");
+is ((stat $snakekey)[2], 0100640, "$snakekey mode is 0640");
+
+foreach my $version (@MAJORS) {
+    my $pkgversion = `dpkg-query -f '\${Version}' -W postgresql-$version`;
+    note "$version ($pkgversion)";
+    if ($version <= 9.1) {
+        pass "no SSL support on $version" foreach (1..19);
+        next;
+    }
+SKIP: {
+    skip "No SSL key check on <= 9.0", 19 if ($version <= 9.0);
+    program_ok (0, "pg_createcluster $version main");
+
+    my $nobody_uid = (getpwnam 'nobody')[2];
+    chown $nobody_uid, 0, $snakekey;
+    like_program_out 'postgres', "pg_ctlcluster $version main start", 1,
+        qr/private key file.*must be owned by the database user or root/s,
+        'ssl key owned by nobody refused';
+
+SKIP: {
+    skip "SSL key group check skipped on Debian oldstable packages", 4 if ($version <= 9.4 and $pkgversion !~ /pgdg/);
+    chown 0, 0, $snakekey;
+    chmod 0644, $snakekey;
+    like_program_out 'postgres', "pg_ctlcluster $version main start", 1,
+        qr/private key file.*has group or world access/,
+        'ssl key with permissions root:root 0644 refused';
+
+    chown $pg_uid, $pg_gid, $snakekey;
+    chmod 0640, $snakekey;
+    like_program_out 'postgres', "pg_ctlcluster $version main start", 1,
+        qr/private key file.*has group or world access/,
+        'ssl key with permissions postgres:postgres 0640 refused';
+}
+
+    chown 0, $ssl_cert_gid, $snakekey;
+
+    program_ok (0, "pg_dropcluster $version main --stop");
+    is ((stat $snakekey)[4], 0, "$snakekey is owned by root");
+    is ((stat $snakekey)[5], $ssl_cert_gid, "$snakekey group is ssl-cert");
+    is ((stat $snakekey)[2], 0100640, "$snakekey mode is 0640");
+    check_clean;
+}
+}
-- 
cgit v1.2.3