|
|
|
@ -381,7 +381,7 @@ test_access(
|
|
|
|
|
'test1',
|
|
|
|
|
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
|
|
|
|
|
0,
|
|
|
|
|
'gssencmode=prefer gssdelegation=enable',
|
|
|
|
|
'gssencmode=prefer gssdelegation=1',
|
|
|
|
|
'succeeds with GSS-encrypted access preferred with host hba and credentials not delegated even though asked for (ticket not forwardable)',
|
|
|
|
|
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
|
|
|
|
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
|
|
|
@ -391,7 +391,7 @@ test_access(
|
|
|
|
|
'test1',
|
|
|
|
|
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
|
|
|
|
|
0,
|
|
|
|
|
'gssencmode=require gssdelegation=enable',
|
|
|
|
|
'gssencmode=require gssdelegation=1',
|
|
|
|
|
'succeeds with GSS-encrypted access required with host hba and credentials not delegated even though asked for (ticket not forwardable)',
|
|
|
|
|
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
|
|
|
|
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
|
|
|
@ -480,7 +480,7 @@ test_access(
|
|
|
|
|
'test1',
|
|
|
|
|
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
|
|
|
|
|
0,
|
|
|
|
|
'gssencmode=prefer gssdelegation=enable',
|
|
|
|
|
'gssencmode=prefer gssdelegation=1',
|
|
|
|
|
'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
|
|
|
|
|
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
|
|
|
|
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
|
|
|
@ -490,7 +490,7 @@ test_access(
|
|
|
|
|
'test1',
|
|
|
|
|
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
|
|
|
|
|
0,
|
|
|
|
|
'gssencmode=require gssdelegation=enable',
|
|
|
|
|
'gssencmode=require gssdelegation=1',
|
|
|
|
|
'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
|
|
|
|
|
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
|
|
|
|
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
|
|
|
@ -504,7 +504,7 @@ test_access(
|
|
|
|
|
'test1',
|
|
|
|
|
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
|
|
|
|
|
0,
|
|
|
|
|
'gssencmode=prefer gssdelegation=enable',
|
|
|
|
|
'gssencmode=prefer gssdelegation=1',
|
|
|
|
|
'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
|
|
|
|
|
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
|
|
|
|
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
|
|
|
@ -514,7 +514,7 @@ test_access(
|
|
|
|
|
'test1',
|
|
|
|
|
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
|
|
|
|
|
0,
|
|
|
|
|
'gssencmode=require gssdelegation=enable',
|
|
|
|
|
'gssencmode=require gssdelegation=1',
|
|
|
|
|
'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
|
|
|
|
|
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
|
|
|
|
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
|
|
|
@ -528,7 +528,7 @@ test_access(
|
|
|
|
|
'test1',
|
|
|
|
|
'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
|
|
|
|
|
0,
|
|
|
|
|
'gssencmode=prefer gssdelegation=enable',
|
|
|
|
|
'gssencmode=prefer gssdelegation=1',
|
|
|
|
|
'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials forwarded',
|
|
|
|
|
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
|
|
|
|
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
|
|
|
|
@ -538,7 +538,7 @@ test_access(
|
|
|
|
|
'test1',
|
|
|
|
|
'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
|
|
|
|
|
0,
|
|
|
|
|
'gssencmode=require gssdelegation=enable',
|
|
|
|
|
'gssencmode=require gssdelegation=1',
|
|
|
|
|
'succeeds with GSS-encrypted access required and hostgssenc hba and credentials forwarded',
|
|
|
|
|
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
|
|
|
|
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
|
|
|
|
@ -558,7 +558,7 @@ test_access(
|
|
|
|
|
'test1',
|
|
|
|
|
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
|
|
|
|
|
0,
|
|
|
|
|
'gssencmode=require gssdelegation=disable',
|
|
|
|
|
'gssencmode=require gssdelegation=0',
|
|
|
|
|
'succeeds with GSS-encrypted access required and hostgssenc hba and credentials explicitly not forwarded',
|
|
|
|
|
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
|
|
|
|
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
|
|
|
@ -572,7 +572,7 @@ $psql_rc = $node->psql(
|
|
|
|
|
'postgres',
|
|
|
|
|
"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
|
|
|
|
|
connstr =>
|
|
|
|
|
"user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
|
|
|
|
|
"user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
|
|
|
|
|
stdout => \$psql_out,
|
|
|
|
|
stderr => \$psql_stderr);
|
|
|
|
|
is($psql_rc, '3', 'dblink attempt fails without delegated credentials');
|
|
|
|
@ -589,7 +589,7 @@ $psql_rc = $node->psql(
|
|
|
|
|
'postgres',
|
|
|
|
|
"SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
|
|
|
|
|
connstr =>
|
|
|
|
|
"user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
|
|
|
|
|
"user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
|
|
|
|
|
stdout => \$psql_out,
|
|
|
|
|
stderr => \$psql_stderr);
|
|
|
|
|
is($psql_rc, '3',
|
|
|
|
@ -608,7 +608,7 @@ $psql_rc = $node->psql(
|
|
|
|
|
'postgres',
|
|
|
|
|
"TABLE tf1;",
|
|
|
|
|
connstr =>
|
|
|
|
|
"user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
|
|
|
|
|
"user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
|
|
|
|
|
stdout => \$psql_out,
|
|
|
|
|
stderr => \$psql_stderr);
|
|
|
|
|
is($psql_rc, '3', 'postgres_fdw does not work without delegated credentials');
|
|
|
|
@ -626,7 +626,7 @@ $psql_rc = $node->psql(
|
|
|
|
|
'postgres',
|
|
|
|
|
"TABLE tf2;",
|
|
|
|
|
connstr =>
|
|
|
|
|
"user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
|
|
|
|
|
"user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
|
|
|
|
|
stdout => \$psql_out,
|
|
|
|
|
stderr => \$psql_stderr);
|
|
|
|
|
is($psql_rc, '3',
|
|
|
|
@ -668,7 +668,7 @@ test_access(
|
|
|
|
|
'test1',
|
|
|
|
|
'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
|
|
|
|
|
0,
|
|
|
|
|
'gssencmode=prefer gssdelegation=enable',
|
|
|
|
|
'gssencmode=prefer gssdelegation=1',
|
|
|
|
|
'succeeds with GSS-encrypted access preferred and hostnogssenc hba, but no encryption',
|
|
|
|
|
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
|
|
|
|
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)"
|
|
|
|
@ -680,7 +680,7 @@ test_access(
|
|
|
|
|
'test1',
|
|
|
|
|
'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
|
|
|
|
|
0,
|
|
|
|
|
'gssencmode=disable gssdelegation=enable',
|
|
|
|
|
'gssencmode=disable gssdelegation=1',
|
|
|
|
|
'succeeds with GSS encryption disabled and hostnogssenc hba',
|
|
|
|
|
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
|
|
|
|
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)"
|
|
|
|
@ -691,7 +691,7 @@ test_query(
|
|
|
|
|
'test1',
|
|
|
|
|
"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
|
|
|
|
|
qr/^1$/s,
|
|
|
|
|
'gssencmode=prefer gssdelegation=enable',
|
|
|
|
|
'gssencmode=prefer gssdelegation=1',
|
|
|
|
|
'dblink works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
@ -700,7 +700,7 @@ test_query(
|
|
|
|
|
'test1',
|
|
|
|
|
"TABLE tf1;",
|
|
|
|
|
qr/^1$/s,
|
|
|
|
|
'gssencmode=prefer gssdelegation=enable',
|
|
|
|
|
'gssencmode=prefer gssdelegation=1',
|
|
|
|
|
'postgres_fdw works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
@ -711,7 +711,7 @@ $psql_rc = $node->psql(
|
|
|
|
|
'postgres',
|
|
|
|
|
"SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
|
|
|
|
|
connstr =>
|
|
|
|
|
"user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
|
|
|
|
|
"user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=1",
|
|
|
|
|
stdout => \$psql_out,
|
|
|
|
|
stderr => \$psql_stderr);
|
|
|
|
|
is($psql_rc, '3',
|
|
|
|
@ -730,7 +730,7 @@ $psql_rc = $node->psql(
|
|
|
|
|
'postgres',
|
|
|
|
|
"TABLE tf2;",
|
|
|
|
|
connstr =>
|
|
|
|
|
"user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
|
|
|
|
|
"user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=1",
|
|
|
|
|
stdout => \$psql_out,
|
|
|
|
|
stderr => \$psql_stderr);
|
|
|
|
|
is($psql_rc, '3',
|
|
|
|
@ -760,7 +760,7 @@ test_access(
|
|
|
|
|
'test1',
|
|
|
|
|
'SELECT gss_authenticated AND encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
|
|
|
|
|
0,
|
|
|
|
|
'gssdelegation=enable',
|
|
|
|
|
'gssdelegation=1',
|
|
|
|
|
'succeeds with include_realm=0 and defaults',
|
|
|
|
|
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
|
|
|
|
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
|
|
|
|
@ -771,12 +771,12 @@ test_query(
|
|
|
|
|
'test1',
|
|
|
|
|
"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port password=1234','select 1') as t1(c1 int);",
|
|
|
|
|
qr/^1$/s,
|
|
|
|
|
'gssencmode=require gssdelegation=enable',
|
|
|
|
|
'gssencmode=require gssdelegation=1',
|
|
|
|
|
'dblink works encrypted');
|
|
|
|
|
|
|
|
|
|
test_query(
|
|
|
|
|
$node, 'test1', "TABLE tf1;", qr/^1$/s,
|
|
|
|
|
'gssencmode=require gssdelegation=enable',
|
|
|
|
|
'gssencmode=require gssdelegation=1',
|
|
|
|
|
'postgres_fdw works encrypted');
|
|
|
|
|
|
|
|
|
|
# Reset pg_hba.conf, and cause a usermap failure with an authentication
|
|
|
|
|
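Review bot: None of the updated connection strings in this file section uses a value other than `gssdelegation=1` or `gssdelegation=0`, so nothing here pins what libpq does with the spellings the old lines used (`enable`/`disable`) or with any other unrecognised value. This option decides whether the client's Kerberos credentials are forwarded to the server, so a stale `gssdelegation=enable` in an existing connection string should have a tested outcome: either a connection error or a session where `credentials_delegated` is false. The option parser is not visible on this page, so which of the two applies needs confirming. I would add one negative case next to the `gssencmode=require gssdelegation=0` test around line 558, with a comment such as `# old-style value must not turn delegation on`. The `test_access(` calls begin above each hunk, so their first argument is not shown.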