From e48b19c5db3185e1868391176fc040df08a149fb Mon Sep 17 00:00:00 2001
From: Michael Paquier
Date: Sat, 26 Aug 2023 20:11:19 +0900
Subject: [PATCH] Generate new LOG for "trust" connections under log_connections

Adding an extra LOG for connections that have not set an authn ID, like when the "trust" authentication method is used, is useful for audit purposes. A couple of TAP tests for SSL and authentication need to be tweaked to adapt to this new LOG generated, as some scenarios expected no logs but they now get a hit.

Reported-by: Shaun Thomas
Author: Jacob Champion
Reviewed-by: Robert Haas, Michael Paquier
Discussion: https://postgr.es/m/CAFdbL1N7-GF-ZXKaB3XuGA+CkSmnjFvqb8hgjMnDfd+uhL2u-A@mail.gmail.com
---
 src/backend/libpq/auth.c | 16 ++++++++++++++++
 src/test/authentication/t/001_password.pl | 8 ++++----
 src/test/ssl/t/001_ssltests.pl | 8 ++++----
 3 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 0356fe3e45..81dabb9c27 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -645,6 +645,22 @@ ClientAuthentication(Port *port)
 #endif
 }
+ if (Log_connections && status == STATUS_OK &&
+ !MyClientConnectionInfo.authn_id)
+ {
+ /*
+ * Normally, if log_connections is set, the call to set_authn_id()
+ * will log the connection. However, if that function is never
+ * called, perhaps because the trust method is in use, then we handle
+ * the logging here instead.
+ */
+ ereport(LOG,
+ errmsg("connection authenticated: user=\"%s\" method=%s "
+ "(%s:%d)",
+ port->user_name, hba_authname(port->hba->auth_method),
+ port->hba->sourcefile, port->hba->linenumber));
+ }
+
 if (ClientAuthentication_hook)
 (*ClientAuthentication_hook) (port, status);
diff --git a/src/test/authentication/t/001_password.pl b/src/test/authentication/t/001_password.pl
index 12552837a8..891860886a 100644
--- a/src/test/authentication/t/001_password.pl
+++ b/src/test/authentication/t/001_password.pl
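Review bot: The comment above the new `ereport(LOG, ...)` in auth.c should state that this line is emitted only when `MyClientConnectionInfo.authn_id` is unset, so `user=` carries `port->user_name`, the role name the client asked for, and not an identity that any mechanism verified. The message keeps the `connection authenticated:` prefix, which as far as I know set_authn_id() also uses for its `identity=` line, so audit queries and alert rules that match on the prefix alone will count trust logins together with verified ones. I would add to the comment: `* Here user= is the requested role, not a verified identity; log consumers must tell identity= and user= lines apart.` ClientAuthentication() starts and ends outside this hunk, so which other methods can arrive here with `status == STATUS_OK` and no authn ID is not visible from the page.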
@@ -136,13 +136,13 @@ SKIP:
 # Create a database to test regular expression.
 $node->safe_psql('postgres', "CREATE database regex_testdb;");
-# For "trust" method, all users should be able to connect. These users are not
-# considered to be authenticated.
+# For "trust" method, all users should be able to connect.
 reset_pg_hba($node, 'all', 'all', 'trust');
 test_conn($node, 'user=scram_role', 'trust', 0,
- log_unlike => [qr/connection authenticated:/]);
+ log_like =>
+ [qr/connection authenticated: user="scram_role" method=trust/]);
 test_conn($node, 'user=md5_role', 'trust', 0,
- log_unlike => [qr/connection authenticated:/]);
+ log_like => [qr/connection authenticated: user="md5_role" method=trust/]);
 # SYSTEM_USER is null when not authenticated.
 $res = $node->safe_psql('postgres', "SELECT SYSTEM_USER IS NULL;");
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 76442de063..23248d71b0 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -800,8 +800,8 @@ $node->connect_ok(
 "$common_connstr user=ssltestuser sslcert=ssl/client.crt "
 . sslkey('client.key'),
 "auth_option clientcert=verify-full succeeds with matching username and Common Name",
- # verify-full does not provide authentication
- log_unlike => [qr/connection authenticated:/],);
+ log_like =>
+ [qr/connection authenticated: user="ssltestuser" method=trust/],);
 $node->connect_fails(
 "$common_connstr user=anotheruser sslcert=ssl/client.crt "
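Review bot: The new `log_like` assertions in 001_ssltests.pl (the hunk at -800 here and the one at -818) lose the only comment that explained why a connection presenting a client certificate logs no identity. Without it, an expected `method=trust` next to `sslcert=ssl/client.crt` reads like a mistake in the test. I would put a replacement above each `log_like`: `# clientcert is only an option on a trust HBA line here, so no authn ID is set and the trust LOG is expected`. The pg_hba setup for these cases is outside both hunks, so the wording should be checked against it.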
@@ -818,8 +818,8 @@ $node->connect_ok(
 "$common_connstr user=yetanotheruser sslcert=ssl/client.crt "
 . sslkey('client.key'),
 "auth_option clientcert=verify-ca succeeds with mismatching username and Common Name",
- # verify-full does not provide authentication
- log_unlike => [qr/connection authenticated:/],);
+ log_like =>
+ [qr/connection authenticated: user="yetanotheruser" method=trust/],);
 # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file
 switch_server_cert($node, certfile => 'server-cn-only', cafile => 'root_ca');