[pgpool-hackers: 4572] Re: Proposal: new client authentication test
Tatsuo Ishii
ishii at postgresql.org
Sat Mar 15 14:07:37 JST 2025
> Currently we have 3 client authentication tests (besides SSL related
> tests). Namely:
>
> 020.allow_clear_text_frontend_auth
> 021.pool_passwd_auth
> 022.pool_passwd_alternative_auth
>
> Client authentication in pgpool is complicated because multiple
> configuration files such as pgpool.conf, pg_hba.conf, pool_hba.conf
> and pool_passwd are involved. The 3 tests were added at the time
> when the feature was developed. I have been worried that those tests
> may not cover some cases.
>
> Instead of enhancing the tests, I propose a new regression test
> 040.clent_auth (see attached patch).
>
> The idea is a "table driven" test. The test script reads the csv file
> and performs the test. The csv file has 6 fields:
> ---
> username: the username used for the test case
>
> pool_hba.conf: takes "scram", "md5" or "off". If "scram" or "md5", the
> user will have an entry in pool_hba.conf accordingly. If "off",
> enable_pool_hba.conf will be off.
>
> allow_clear_text_frontend_auth: takes "on" or "off".
>
> pool_passwd:
> takes "AES", "md5" or "off". If "AES" or "md5" the user's password
> will be stored in pool_passwd using AES256 or md5 encryption method
> accordingly. If "off" is specified, no entry will be created.
>
> pg_hba.conf: almost same as pool_hba.conf except this is for
> pg_hba.conf.
>
> expected: takes "ok" or "ng". If "ok", the authentication is expected to
> succeed. If it fails, the test is regarded as failed. "ng" is the
> opposite: the authentication is expected to fail. If it succeeds,
> the test is regarded as failed.
> ---
>
> By changing these fields, we can easily create test cases. Currently
> 14 test cases are proposed in the table. The merit of this method is
> possibly higher test coverage. For humans, it is easier to find
> uncovered test cases in a table than in program code.

Attached is the v2 patch. Differences from v1 include:

- Now 2 csv files are used. One is for 1 PostgreSQL node, and the
  other is for 2 PostgreSQL nodes. The reason we have 2 is that the test
  results are slightly different between them.
- Refactor test.sh. The main script becomes a function so that it can
  be called for both the 1 and 2 node cases.
- Add more test cases: missing entries in pool_passwd.

Best regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: v2-0001-Test-add-new-regression-test-for-client-authentic.patch
Type: application/octet-stream
Size: 11984 bytes
Desc: not available
URL: <http://www.pgpool.net/pipermail/pgpool-hackers/attachments/20250315/c1ba8dd4/attachment.obj>
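
The six-field table described in the message lends itself to a mechanical coverage check. The following is an added example, not part of the original message or of the attached patch: it validates rows against the value sets listed above and reports configurations that no row exercises or that appear with contradictory expectations. The function names, the headerless CSV layout, the sample rows and the value set for pg_hba.conf are assumptions.

```python
import csv
import io
from itertools import product

# Allowed values per column, as listed in the mail. The pg_hba.conf set is an
# assumption: the mail only says it is "almost same as pool_hba.conf".
ALLOWED = {
    "pool_hba.conf": ("scram", "md5", "off"),
    "allow_clear_text_frontend_auth": ("on", "off"),
    "pool_passwd": ("AES", "md5", "off"),
    "pg_hba.conf": ("scram", "md5"),
    "expected": ("ok", "ng"),
}
FIELDS = ["username", *ALLOWED]      # the 6 columns, in the order described
CONFIG_FIELDS = FIELDS[1:5]          # the 4 columns that define a configuration

def load_cases(text):
    """Parse CSV rows (assumed to have no header line); ValueError on a bad row."""
    cases = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text), skipinitialspace=True), start=1):
        if not any(row):
            continue
        if len(row) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
        case = dict(zip(FIELDS, row))
        for name, allowed in ALLOWED.items():
            if case[name] not in allowed:
                raise ValueError(f"line {lineno}: {name}={case[name]!r} not in {allowed}")
        cases.append(case)
    return cases

def conflicts(cases):
    """Configurations that appear more than once with contradictory 'expected'."""
    seen, bad = {}, []
    for case in cases:
        key = tuple(case[f] for f in CONFIG_FIELDS)
        if seen.setdefault(key, case["expected"]) != case["expected"]:
            bad.append(key)
    return bad

def uncovered(cases):
    """Configurations (out of all allowed combinations) that no row exercises."""
    covered = {tuple(case[f] for f in CONFIG_FIELDS) for case in cases}
    return [k for k in product(*(ALLOWED[f] for f in CONFIG_FIELDS)) if k not in covered]

# Constructed sample rows; the "expected" values are placeholders, not pgpool results.
SAMPLE = """\
user1,scram,off,AES,scram,ok
user2,off,on,off,md5,ng
"""
```

Each tuple returned by `uncovered()` is ordered as (pool_hba.conf, allow_clear_text_frontend_auth, pool_passwd, pg_hba.conf).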