From 8432a815feb8897aabe0c6ed59f32bc47a6b2d50 Mon Sep 17 00:00:00 2001 From: Michael Paquier Date: Tue, 11 Oct 2022 13:57:07 +0900 Subject: [PATCH] Add TAP tests for role membership in pg_hba.conf This commit expands the coverage of pg_hba.conf with checks specific to role memberships (one "root" role combined with a member and a non-member). Coverage is added for the database keywords "samegroup" and "samerole", where the specified role has to be be a member of the role with the same name as the requested database, and '+' on the user entry, where members are allowed. These tests are plugged in the authentication test 001_password.pl as of extra connection attempts combined with resets of pg_hba.conf, making them rather cheap. Author: Nathan Bossart Reviewed-by: Tom Lane, Michael Paquier Discussion: https://postgr.es/m/20221009211348.GB900071@nathanxps13
---
 src/test/authentication/t/001_password.pl | 126 ++++++++++++++++++++++
 1 file changed, 126 insertions(+)
diff --git a/src/test/authentication/t/001_password.pl b/src/test/authentication/t/001_password.pl
index 93df77aa4e1..ea664d18f5b 100644
--- a/src/test/authentication/t/001_password.pl
+++ b/src/test/authentication/t/001_password.pl 
@@ -200,4 +200,130 @@ append_to_file(
 test_conn($node, 'user=md5_role', 'password from pgpass', 0);
+unlink($pgpassfile);
+delete $ENV{"PGPASSFILE"};
+
+note "Authentication tests with specific HBA policies on roles";
+
+# Create database and roles for membership tests
+reset_pg_hba($node, 'all', 'all', 'trust');
+# Database and root role names match for "samerole" and "samegroup".
+$node->safe_psql('postgres', "CREATE DATABASE regress_regression_group;");
+$node->safe_psql(
+ 'postgres',
+ qq{CREATE ROLE regress_regression_group LOGIN PASSWORD 'pass';
+CREATE ROLE regress_member LOGIN SUPERUSER IN ROLE regress_regression_group PASSWORD 'pass';
+CREATE ROLE regress_not_member LOGIN SUPERUSER PASSWORD 'pass';});
+
+# Test role with exact matching, no members allowed.
+$ENV{"PGPASSWORD"} = 'pass';
+reset_pg_hba($node, 'all', 'regress_regression_group', 'scram-sha-256');
+test_conn(
+ $node,
+ 'user=regress_regression_group',
+ 'scram-sha-256',
+ 0,
+ log_like => [
+ qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
+ ]);
+test_conn(
+ $node,
+ 'user=regress_member',
+ 'scram-sha-256',
+ 2,
+ log_unlike => [
+ qr/connection authenticated: identity="regress_member" method=scram-sha-256/
+ ]);
+test_conn(
+ $node,
+ 'user=regress_not_member',
+ 'scram-sha-256',
+ 2,
+ log_unlike => [
+ qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
+ ]);
+
+# Test role membership with '+', where all the members are allowed
+# to connect.
+reset_pg_hba($node, 'all', '+regress_regression_group', 'scram-sha-256');
+test_conn(
+ $node,
+ 'user=regress_regression_group',
+ 'scram-sha-256',
+ 0,
+ log_like => [
+ qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
+ ]);
+test_conn(
+ $node,
+ 'user=regress_member',
+ 'scram-sha-256',
+ 0,
+ log_like => [
+ qr/connection authenticated: identity="regress_member" method=scram-sha-256/
+ ]);
+test_conn(
+ $node,
+ 'user=regress_not_member',
+ 'scram-sha-256',
+ 2,
+ log_unlike => [
+ qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
+ ]);
+
+# Test role membership is respected for samerole
+$ENV{"PGDATABASE"} = 'regress_regression_group';
+reset_pg_hba($node, 'samerole', 'all', 'scram-sha-256');
+test_conn(
+ $node,
+ 'user=regress_regression_group',
+ 'scram-sha-256',
+ 0,
+ log_like => [
+ qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
+ ]);
+test_conn(
+ $node,
+ 'user=regress_member',
+ 'scram-sha-256',
+ 0,
+ log_like => [
+ qr/connection authenticated: identity="regress_member" method=scram-sha-256/
+ ]);
+test_conn(
+ $node,
+ 'user=regress_not_member',
+ 'scram-sha-256',
+ 2,
+ log_unlike => [
+ qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
+ ]);
+
+# Test role membership is respected for samegroup
+reset_pg_hba($node, 'samegroup', 'all', 'scram-sha-256');
+test_conn(
+ $node,
+ 'user=regress_regression_group',
+ 'scram-sha-256',
+ 0,
+ log_like => [
+ qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
+ ]);
+test_conn(
+ $node,
+ 'user=regress_member',
+ 'scram-sha-256',
+ 0,
+ log_like => [
+ qr/connection authenticated: identity="regress_member" method=scram-sha-256/
+ ]);
+test_conn(
+ $node,
+ 'user=regress_not_member',
+ 'scram-sha-256',
+ 2,
+ log_unlike => [
+ qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
+ ]);
+
 done_testing();
-- 
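Review bot: The rejected-connection cases (regress_member under the exact-match entry, and regress_not_member under each of the `+regress_regression_group`, `samerole` and `samegroup` entries) assert only via `log_unlike` that the "connection authenticated" line is absent, which would also hold if the connection failed for an unrelated reason such as a wrong password or a missing database, so they do not show that the membership rule is what rejected the client. Assuming test_conn (defined outside this hunk) forwards its trailing %params to connect_fails as the log_unlike usage suggests, adding `expected_stderr => qr/no pg_hba\.conf entry for host/,` to each of those calls pins the failure to the HBA lookup. A short comment on why regress_member and regress_not_member are created SUPERUSER would also help; as written, the setup does at least demonstrate that superuser status does not substitute for membership in an HBA role match, which is worth stating there, e.g. `# SUPERUSER on purpose: the match must depend on membership, not privilege.`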
2.30.2