open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Move Kerberos module

Browse Source 
So that we can reuse it in new tests.

Discussion: https://www.postgresql.org/message-id/a3af4070-3556-461d-aec8-a8d794f94894@iki.fi
Reviewed-by: Jacob Champion, Matthias van de Meent
pull/159/head
Heikki Linnakangas 2 years ago
parent 997db123c0
commit 9f899562d4
2 changed files with 245 additions and 168 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 179
      src/test/kerberos/t/001_auth.pl
  2. 234
      src/test/perl/PostgreSQL/Test/Kerberos.pm

179
src/test/kerberos/t/001_auth.pl
Unescape View File

@ -21,6 +21,7 @@ use strict;
use warnings FATAL => 'all';
use PostgreSQL::Test::Utils;
use PostgreSQL::Test::Cluster;
use PostgreSQL::Test::Kerberos;
use Test::More;
use Time::HiRes qw(usleep);
@ -34,182 +35,27 @@ elsif (!$ENV{PG_TEST_EXTRA} || $ENV{PG_TEST_EXTRA} !~ /\bkerberos\b/)
'Potentially unsafe test GSSAPI/Kerberos not enabled in PG_TEST_EXTRA';
}
my ($krb5_bin_dir, $krb5_sbin_dir);
if ($^O eq 'darwin' && -d "/opt/homebrew")
{
# typical paths for Homebrew on ARM
$krb5_bin_dir = '/opt/homebrew/opt/krb5/bin';
$krb5_sbin_dir = '/opt/homebrew/opt/krb5/sbin';
}
elsif ($^O eq 'darwin')
{
# typical paths for Homebrew on Intel
$krb5_bin_dir = '/usr/local/opt/krb5/bin';
$krb5_sbin_dir = '/usr/local/opt/krb5/sbin';
}
elsif ($^O eq 'freebsd')
{
$krb5_bin_dir = '/usr/local/bin';
$krb5_sbin_dir = '/usr/local/sbin';
}
elsif ($^O eq 'linux')
{
$krb5_sbin_dir = '/usr/sbin';
}
my $krb5_config = 'krb5-config';
my $kinit = 'kinit';
my $klist = 'klist';
my $kdb5_util = 'kdb5_util';
my $kadmin_local = 'kadmin.local';
my $krb5kdc = 'krb5kdc';
if ($krb5_bin_dir && -d $krb5_bin_dir)
{
$krb5_config = $krb5_bin_dir . '/' . $krb5_config;
$kinit = $krb5_bin_dir . '/' . $kinit;
$klist = $krb5_bin_dir . '/' . $klist;
}
if ($krb5_sbin_dir && -d $krb5_sbin_dir)
{
$kdb5_util = $krb5_sbin_dir . '/' . $kdb5_util;
$kadmin_local = $krb5_sbin_dir . '/' . $kadmin_local;
$krb5kdc = $krb5_sbin_dir . '/' . $krb5kdc;
}
my $host = 'auth-test-localhost.postgresql.example.com';
my $hostaddr = '127.0.0.1';
my $realm = 'EXAMPLE.COM';
my $krb5_conf = "${PostgreSQL::Test::Utils::tmp_check}/krb5.conf";
my $kdc_conf = "${PostgreSQL::Test::Utils::tmp_check}/kdc.conf";
my $krb5_cache = "${PostgreSQL::Test::Utils::tmp_check}/krb5cc";
my $krb5_log = "${PostgreSQL::Test::Utils::log_path}/krb5libs.log";
my $kdc_log = "${PostgreSQL::Test::Utils::log_path}/krb5kdc.log";
my $kdc_port = PostgreSQL::Test::Cluster::get_free_port();
my $kdc_datadir = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc";
my $kdc_pidfile = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc.pid";
my $keytab = "${PostgreSQL::Test::Utils::tmp_check}/krb5.keytab";
my $pgpass = "${PostgreSQL::Test::Utils::tmp_check}/.pgpass";
my $dbname = 'postgres';
my $username = 'test1';
my $application = '001_auth.pl';
note "setting up Kerberos";
my ($stdout, $krb5_version);
run_log [ $krb5_config, '--version' ], '>', \$stdout
or BAIL_OUT("could not execute krb5-config");
BAIL_OUT("Heimdal is not supported") if $stdout =~ m/heimdal/;
$stdout =~ m/Kerberos 5 release ([0-9]+\.[0-9]+)/
or BAIL_OUT("could not get Kerberos version");
$krb5_version = $1;
# Construct a pgpass file to make sure we don't use it
append_to_file($pgpass, '*:*:*:*:abc123');
chmod 0600, $pgpass or die $!;
# Build the krb5.conf to use.
#
# Explicitly specify the default (test) realm and the KDC for
# that realm to avoid the Kerberos library trying to look up
# that information in DNS, and also because we're using a
# non-standard KDC port.
#
# Also explicitly disable DNS lookups since this isn't really
# our domain and we shouldn't be causing random DNS requests
# to be sent out (not to mention that broken DNS environments
# can cause the tests to take an extra long time and timeout).
#
# Reverse DNS is explicitly disabled to avoid any issue with a
# captive portal or other cases where the reverse DNS succeeds
# and the Kerberos library uses that as the canonical name of
# the host and then tries to acquire a cross-realm ticket.
append_to_file(
$krb5_conf,
qq![logging]
default = FILE:$krb5_log
kdc = FILE:$kdc_log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
default_realm = $realm
forwardable = false
rdns = false
[realms]
$realm = {
kdc = $hostaddr:$kdc_port
}
!);
append_to_file(
$kdc_conf,
qq![kdcdefaults]
!);
# For new-enough versions of krb5, use the _listen settings rather
# than the _ports settings so that we can bind to localhost only.
if ($krb5_version >= 1.15)
{
append_to_file(
$kdc_conf,
qq!kdc_listen = $hostaddr:$kdc_port
kdc_tcp_listen = $hostaddr:$kdc_port
!);
}
else
{
append_to_file(
$kdc_conf,
qq!kdc_ports = $kdc_port
kdc_tcp_ports = $kdc_port
!);
}
append_to_file(
$kdc_conf,
qq!
[realms]
$realm = {
database_name = $kdc_datadir/principal
admin_keytab = FILE:$kdc_datadir/kadm5.keytab
acl_file = $kdc_datadir/kadm5.acl
key_stash_file = $kdc_datadir/_k5.$realm
}!);
mkdir $kdc_datadir or die;
# Ensure that we use test's config and cache files, not global ones.
$ENV{'KRB5_CONFIG'} = $krb5_conf;
$ENV{'KRB5_KDC_PROFILE'} = $kdc_conf;
$ENV{'KRB5CCNAME'} = $krb5_cache;
note "setting up Kerberos";
my $service_principal = "$ENV{with_krb_srvnam}/$host";
my $host = 'auth-test-localhost.postgresql.example.com';
my $hostaddr = '127.0.0.1';
my $realm = 'EXAMPLE.COM';
system_or_bail $kdb5_util, 'create', '-s', '-P', 'secret0';
my $krb = PostgreSQL::Test::Kerberos->new($host, $hostaddr, $realm);
my $test1_password = 'secret1';
system_or_bail $kadmin_local, '-q', "addprinc -pw $test1_password test1";
system_or_bail $kadmin_local, '-q', "addprinc -randkey $service_principal";
system_or_bail $kadmin_local, '-q', "ktadd -k $keytab $service_principal";
system_or_bail $krb5kdc, '-P', $kdc_pidfile;
END
{
# take care not to change the script's exit value
my $exit_code = $?;
kill 'INT', `cat $kdc_pidfile` if defined($kdc_pidfile) && -f $kdc_pidfile;
$? = $exit_code;
}
$krb->create_principal('test1', $test1_password);
note "setting up PostgreSQL instance";
@ -218,7 +64,7 @@ $node->init;
$node->append_conf(
'postgresql.conf', qq{
listen_addresses = '$hostaddr'
krb_server_keyfile = '$keytab'
krb_server_keyfile = '$krb->{keytab}'
log_connections = on
lc_messages = 'C'
});
@ -332,8 +178,7 @@ $node->restart;
test_access($node, 'test1', 'SELECT true', 2, '', 'fails without ticket');
run_log [ $kinit, 'test1' ], \$test1_password or BAIL_OUT($?);
run_log [ $klist, '-f' ] or BAIL_OUT($?);
$krb->create_ticket('test1', $test1_password);
test_access(
$node,
@ -475,10 +320,8 @@ $node->append_conf(
hostgssenc all all $hostaddr/32 gss map=mymap
});
string_replace_file($krb5_conf, "forwardable = false", "forwardable = true");
run_log [ $kinit, 'test1' ], \$test1_password or BAIL_OUT($?);
run_log [ $klist, '-f' ] or BAIL_OUT($?);
# Re-create the ticket, with the forwardable flag set
$krb->create_ticket('test1', $test1_password, forwardable => 1);
test_access(
$node,

234
src/test/perl/PostgreSQL/Test/Kerberos.pm
Unescape View File

@ -0,0 +1,234 @@
# Copyright (c) 2021-2024, PostgreSQL Global Development Group
# Sets up a stand-alone KDC for testing PostgreSQL GSSAPI / Kerberos
# functionality.
package PostgreSQL::Test::Kerberos;
use strict;
use warnings FATAL => 'all';
use PostgreSQL::Test::Utils;
our ($krb5_bin_dir, $krb5_sbin_dir, $krb5_config, $kinit, $klist,
$kdb5_util, $kadmin_local, $krb5kdc,
$krb5_conf, $kdc_conf, $krb5_cache, $krb5_log, $kdc_log,
$kdc_port, $kdc_datadir, $kdc_pidfile, $keytab);
INIT
{
if ($^O eq 'darwin' && -d "/opt/homebrew")
{
# typical paths for Homebrew on ARM
$krb5_bin_dir = '/opt/homebrew/opt/krb5/bin';
$krb5_sbin_dir = '/opt/homebrew/opt/krb5/sbin';
}
elsif ($^O eq 'darwin')
{
# typical paths for Homebrew on Intel
$krb5_bin_dir = '/usr/local/opt/krb5/bin';
$krb5_sbin_dir = '/usr/local/opt/krb5/sbin';
}
elsif ($^O eq 'freebsd')
{
$krb5_bin_dir = '/usr/local/bin';
$krb5_sbin_dir = '/usr/local/sbin';
}
elsif ($^O eq 'linux')
{
$krb5_sbin_dir = '/usr/sbin';
}
$krb5_config = 'krb5-config';
$kinit = 'kinit';
$klist = 'klist';
$kdb5_util = 'kdb5_util';
$kadmin_local = 'kadmin.local';
$krb5kdc = 'krb5kdc';
if ($krb5_bin_dir && -d $krb5_bin_dir)
{
$krb5_config = $krb5_bin_dir . '/' . $krb5_config;
$kinit = $krb5_bin_dir . '/' . $kinit;
$klist = $krb5_bin_dir . '/' . $klist;
}
if ($krb5_sbin_dir && -d $krb5_sbin_dir)
{
$kdb5_util = $krb5_sbin_dir . '/' . $kdb5_util;
$kadmin_local = $krb5_sbin_dir . '/' . $kadmin_local;
$krb5kdc = $krb5_sbin_dir . '/' . $krb5kdc;
}
$krb5_conf = "${PostgreSQL::Test::Utils::tmp_check}/krb5.conf";
$kdc_conf = "${PostgreSQL::Test::Utils::tmp_check}/kdc.conf";
$krb5_cache = "${PostgreSQL::Test::Utils::tmp_check}/krb5cc";
$krb5_log = "${PostgreSQL::Test::Utils::log_path}/krb5libs.log";
$kdc_log = "${PostgreSQL::Test::Utils::log_path}/krb5kdc.log";
$kdc_port = PostgreSQL::Test::Cluster::get_free_port();
$kdc_datadir = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc";
$kdc_pidfile = "${PostgreSQL::Test::Utils::tmp_check}/krb5kdc.pid";
$keytab = "${PostgreSQL::Test::Utils::tmp_check}/krb5.keytab";
}
=pod
=item PostgreSQL::Test::Kerberos->new(host, hostaddr, realm, %params)
Sets up a new Kerberos realm and KDC. This function assigns a free
port for the KDC. The KDC will be shut down automatically when the
test script exits.
=over
=item host => 'auth-test-localhost.postgresql.example.com'
Hostname to use in the service principal.
=item hostaddr => '127.0.0.1'
Network interface the KDC will listen on.
=item realm => 'EXAMPLE.COM'
Name of the Kerberos realm.
=back
=cut
sub new
{
my $class = shift;
my ($host, $hostaddr, $realm) = @_;
my ($stdout, $krb5_version);
run_log [ $krb5_config, '--version' ], '>', \$stdout
or BAIL_OUT("could not execute krb5-config");
BAIL_OUT("Heimdal is not supported") if $stdout =~ m/heimdal/;
$stdout =~ m/Kerberos 5 release ([0-9]+\.[0-9]+)/
or BAIL_OUT("could not get Kerberos version");
$krb5_version = $1;
# Build the krb5.conf to use.
#
# Explicitly specify the default (test) realm and the KDC for
# that realm to avoid the Kerberos library trying to look up
# that information in DNS, and also because we're using a
# non-standard KDC port.
#
# Also explicitly disable DNS lookups since this isn't really
# our domain and we shouldn't be causing random DNS requests
# to be sent out (not to mention that broken DNS environments
# can cause the tests to take an extra long time and timeout).
#
# Reverse DNS is explicitly disabled to avoid any issue with a
# captive portal or other cases where the reverse DNS succeeds
# and the Kerberos library uses that as the canonical name of
# the host and then tries to acquire a cross-realm ticket.
append_to_file(
$krb5_conf,
qq![logging]
default = FILE:$krb5_log
kdc = FILE:$kdc_log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
default_realm = $realm
forwardable = false
rdns = false
[realms]
$realm = {
kdc = $hostaddr:$kdc_port
}
!);
append_to_file(
$kdc_conf,
qq![kdcdefaults]
!);
# For new-enough versions of krb5, use the _listen settings rather
# than the _ports settings so that we can bind to localhost only.
if ($krb5_version >= 1.15)
{
append_to_file(
$kdc_conf,
qq!kdc_listen = $hostaddr:$kdc_port
kdc_tcp_listen = $hostaddr:$kdc_port
!);
}
else
{
append_to_file(
$kdc_conf,
qq!kdc_ports = $kdc_port
kdc_tcp_ports = $kdc_port
!);
}
append_to_file(
$kdc_conf,
qq!
[realms]
$realm = {
database_name = $kdc_datadir/principal
admin_keytab = FILE:$kdc_datadir/kadm5.keytab
acl_file = $kdc_datadir/kadm5.acl
key_stash_file = $kdc_datadir/_k5.$realm
}!);
mkdir $kdc_datadir or BAIL_OUT("could not create directory \"$kdc_datadir\"");
# Ensure that we use test's config and cache files, not global ones.
$ENV{'KRB5_CONFIG'} = $krb5_conf;
$ENV{'KRB5_KDC_PROFILE'} = $kdc_conf;
$ENV{'KRB5CCNAME'} = $krb5_cache;
my $service_principal = "$ENV{with_krb_srvnam}/$host";
system_or_bail $kdb5_util, 'create', '-s', '-P', 'secret0';
system_or_bail $kadmin_local, '-q', "addprinc -randkey $service_principal";
system_or_bail $kadmin_local, '-q', "ktadd -k $keytab $service_principal";
system_or_bail $krb5kdc, '-P', $kdc_pidfile;
my $self = {};
$self->{keytab} = $keytab;
bless $self, $class;
return $self;
}
sub create_principal
{
my ($self, $principal, $password) = @_;
system_or_bail $kadmin_local, '-q', "addprinc -pw $password $principal";
}
sub create_ticket
{
my ($self, $principal, $password, %params) = @_;
my @cmd = ($kinit, $principal);
push @cmd, '-f' if ($params{forwardable});
run_log [@cmd], \$password or BAIL_OUT($?);
run_log [ $klist, '-f' ] or BAIL_OUT($?);
}
END
{
# take care not to change the script's exit value
my $exit_code = $?;
kill 'INT', `cat $kdc_pidfile` if defined($kdc_pidfile) && -f $kdc_pidfile;
$? = $exit_code;
}
1;
Write Preview
Loading…
Cancel
Save