postgresql - postgresql mirror

	Commit message (Collapse)	Author	Age
*	SSL TAP test backend library independence refactoring	Daniel Gustafsson	2022-03-26
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The SSL TAP tests were tightly coupled to the OpenSSL implementation, making it hard to add support for additional SSL/TLS backends. This refactoring makes the test avoid depending on specific implementations The SSLServer Perl module is renamed SSL::Server, which in turn use SSL::Backend::X where X is the backend pointed to by with_ssl. Each backend will implement its own module responsible for setting up keys, certs and to resolve sslkey values to their implementation specific value (file paths or vault nicknames etc). Further, switch_server_cert now takes a set of named parameters rather than a fixed set which used defaults. The modules also come with POD documentation. There are a few testcases which still use OpenSSL specifics, but it's not entirely clear how to abstract those until we have another library implemented. Original patch by me, with lots of rework by Andrew Dunstan to turn it into better Perl. Discussion: https://postgr.es/m/AA18A362-CA65-4F9A-AF61-76AE318FE97C@yesql.se
*	Update copyright for 2022	Bruce Momjian	2022-01-07
\| \| \| \|	Backpatch-through: 10
*	Extend configure_test_server_for_ssl to add extensions	Daniel Gustafsson	2021-11-30
\| \| \| \| \| \| \| \| \| \| \|	In order to be able to test extensions with SSL connections, allow configure_test_server_for_ssl to create any extensions passed as an array. Each extension is created in all the test databases. Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us> Reviewed-by: Andrew Dunstan <andrew@dunslane.net> Reviewed-by: Dagfinn Ilmari Mannsåker <ilmari@ilmari.org> Discussion: https://postgr.es/m/E23F9811-0C77-45DA-912F-D809AB140741@yesql.se
*	Move Perl test modules to a better namespace	Andrew Dunstan	2021-10-24
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The five modules in our TAP test framework all had names in the top level namespace. This is unwise because, even though we're not exporting them to CPAN, the names can leak, for example if they are exported by the RPM build process. We therefore move the modules to the PostgreSQL::Test namespace. In the process PostgresNode is renamed to Cluster, and TestLib is renamed to Utils. PostgresVersion becomes simply PostgreSQL::Version, to avoid possible confusion about what it's the version of. Discussion: https://postgr.es/m/aede93a4-7d92-ef26-398f-5094944c2504@dunslane.net Reviewed by Erik Rijkers and Michael Paquier
*	Initial pgindent and pgperltidy run for v14.	Tom Lane	2021-05-12
\| \| \| \| \| \| \| \|	Also "make reformat-dat-files". The only change worthy of note is that pgindent messed up the formatting of launcher.c's struct LogicalRepWorkerId, which led me to notice that that struct wasn't used at all anymore, so I just took it out.
*	Add a copyright notice to perl files lacking one.	Andrew Dunstan	2021-05-07
\|
*	Move some client-specific routines from SSLServer to PostgresNode	Michael Paquier	2021-04-01
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	test_connect_ok() and test_connect_fails() have always been part of the SSL tests, and check if a connection to the backend should work or not, and there are sanity checks done on specific error patterns dropped by libpq if the connection fails. This was fundamentally wrong on two aspects. First, SSLServer.pm works mostly on setting up and changing the SSL configuration of a PostgresNode, and has really nothing to do with the client. Second, the situation became worse in light of b34ca595, where the SSL tests would finish by using a psql command that may not come from the same installation as the node set up. This commit moves those client routines into PostgresNode, making easier the refactoring of SSLServer to become more SSL-implementation aware. This can also be reused by the ldap, kerberos and authentication test suites for connection checks, and a follow-up patch should extend those interfaces to match with backend log patterns. Author: Michael Paquier Reviewed-by: Andrew Dunstan, Daniel Gustafsson, Álvaro Herrera Discussion: https://postgr.es/m/YGLKNBf9zyh6+WSt@paquier.xyz
*	Allow matching the DN of a client certificate for authentication	Andrew Dunstan	2021-03-29
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Currently we only recognize the Common Name (CN) of a certificate's subject to be matched against the user name. Thus certificates with subjects '/OU=eng/CN=fred' and '/OU=sales/CN=fred' will have the same connection rights. This patch provides an option to match the whole Distinguished Name (DN) instead of just the CN. On any hba line using client certificate identity, there is an option 'clientname' which can have values of 'DN' or 'CN'. The default is 'CN', the current procedure. The DN is matched against the RFC2253 formatted DN, which looks like 'CN=fred,OU=eng'. This facility of probably best used in conjunction with an ident map. Discussion: https://postgr.es/m/92e70110-9273-d93c-5913-0bccb6562740@dunslane.net Reviewed-By: Michael Paquier, Daniel Gustafsson, Jacob Champion
*	Allow specifying CRL directory	Peter Eisentraut	2021-02-18
\| \| \| \| \| \| \| \| \| \| \| \|	Add another method to specify CRLs, hashed directory method, for both server and client side. This offers a means for server or libpq to load only CRLs that are required to verify a certificate. The CRL directory is specifed by separate GUC variables or connection options ssl_crl_dir and sslcrldir, alongside the existing ssl_crl_file and sslcrl, so both methods can be used at the same time. Author: Kyotaro Horiguchi <horikyota.ntt@gmail.com> Discussion: https://www.postgresql.org/message-id/flat/20200731.173911.904649928639357911.horikyota.ntt@gmail.com
*	Correct several behavior descriptions in comments.	Noah Misch	2020-08-15
\| \| \| \| \| \| \| \| \|	Reuse cautionary language from src/test/ssl/README in src/test/kerberos/README. SLRUs have had access to six-character segments names since commit 73c986adde5d73a5e2555da9b5c8facedb146dcd, and recovery stopped calling HeapTupleHeaderAdvanceLatestRemovedXid() in commit 558a9165e081d1936573e5a7d576f5febd7fb55a. The other corrections are more self-evident.
*	Clean up management of IP addresses in our SSL tests.	Tom Lane	2020-01-06
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Instead of hard-wiring the netmask as /32, allow it to be specified where we specify the server address. This will ease changing the test to use IPv6, when/if somebody wants to do that. Also remove the hard-wired pg_hba.conf entries for IPv6 (::1/128). These have never had any usefulness, because the client side of the tests has always explicitly connected to $SERVERHOSTADDR which has always been set to IPv4 (127.0.0.1). All they accomplish is to break the test on non-IPv6-supporting hosts, and besides that they violate the express intent of the code to minimize the server's range of allowed connections. This could be back-patched, perhaps, but for now I don't see a need to. Discussion: https://postgr.es/m/1899.1578356089@sss.pgh.pa.us
*	Remove support for OpenSSL 0.9.8 and 1.0.0	Michael Paquier	2020-01-06
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Support is out of scope from all the major vendors for these versions (for example RHEL5 uses a version based on 0.9.8, and RHEL6 uses 1.0.1), and it created some extra maintenance work. Upstream has stopped support of 0.9.8 in December 2015 and of 1.0.0 in February 2016. Since b1abfec, note that the default SSL protocol version set with ssl_min_protocol_version is TLSv1.2, whose support was added in OpenSSL 1.0.1, so there is no point to enforce ssl_min_protocol_version to TLSv1 in the SSL tests. Author: Michael Paquier Reviewed-by: Daniel Gustafsson, Tom Lane Discussion: https://postgr.es/m/20191205083252.GE5064@paquier.xyz
*	Update minimum SSL version	Peter Eisentraut	2019-12-04
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Change default of ssl_min_protocol_version to TLSv1.2 (from TLSv1, which means 1.0). Older versions are still supported, just not by default. TLS 1.0 is widely deprecated, and TLS 1.1 only slightly less so. All OpenSSL versions that support TLS 1.1 also support TLS 1.2, so there would be very little reason to, say, set the default to TLS 1.1 instead on grounds of better compatibility. The test suite overrides this new setting, so it can still run with older OpenSSL versions. Discussion: https://www.postgresql.org/message-id/flat/b327f8df-da98-054d-0cc5-b76a857cfed9%402ndquadrant.com
*	Add libpq parameter 'channel_binding'.	Jeff Davis	2019-09-23
\| \| \| \| \| \| \| \| \|	Allow clients to require channel binding to enhance security against untrusted servers. Author: Jeff Davis Reviewed-by: Michael Paquier Discussion: https://postgr.es/m/227015d8417f2b4fef03f8966dbfa5cbcc4f44da.camel%40j-davis.com
*	Add new clientcert hba option verify-full	Magnus Hagander	2019-03-09
\| \| \| \| \| \| \| \| \| \| \| \| \|	This allows a login to require both that the cn of the certificate matches (like authentication type cert) and that another authentication method (such as password or kerberos) succeeds as well. The old value of clientcert=1 maps to the new clientcert=verify-ca, clientcert=0 maps to the new clientcert=no-verify, and the new option erify-full will add the validation of the CN. Author: Julian Markwort, Marius Timmer Reviewed by: Magnus Hagander, Thomas Munro
*	Fix searchpath and module location for pg_rewind and ssl TAP tests	Andrew Dunstan	2019-02-07
	The modules RewindTest.pm and ServerSetup.pm are really only useful for TAP tests, so they really belong in the TAP test directories. In addition, ServerSetup.pm is renamed to SSLServer.pm. The test scripts have their own directories added to the search path so that the relocated modules will be found, regardless of where the tests are run from, even on modern perl where "." is no longer in the searchpath. Discussion: https://postgr.es/m/e4b0f366-269c-73c3-9c90-d9cb0f4db1f9@2ndQuadrant.com Backpatch as appropriate to 9.5