diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index bfcffbdb3b..0647d7cc32 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -348,6 +348,10 @@ auth_failed(Port *port, int status, char *logdetail)
 * Auth methods should call this exactly once, as soon as the user is
 * successfully authenticated, even if they have reason to know that
 * authorization will fail later.
+ *
+ * The provided string will be copied into the TopMemoryContext, to match the
+ * lifetime of the Port, so it is safe to pass a string that is managed by an
+ * external library.
 */
 static void
 set_authn_id(Port *port, const char *id)
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index aa15877ef7..309bbc06d0 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -3128,8 +3128,8 @@ hba_authname(hbaPort *port)
 if (auth_method < 0 || USER_AUTH_LAST < auth_method)
 {
- Assert((0 <= auth_method) && (auth_method <= USER_AUTH_LAST));
- return NULL;
+ /* Should never happen. */
+ elog(FATAL, "port has out-of-bounds UserAuth: %d", auth_method);
 }
 return UserAuthName[auth_method];
diff --git a/src/test/authentication/t/001_password.pl b/src/test/authentication/t/001_password.pl
index 3ac137aebd..adeb3bce33 100644
--- a/src/test/authentication/t/001_password.pl
+++ b/src/test/authentication/t/001_password.pl
@@ -17,7 +17,7 @@ if (!$use_unix_sockets)
 }
 else
 {
- plan tests => 19;
+ plan tests => 21;
 }
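Review bot: In src/backend/libpq/hba.c, the new `elog(FATAL, ...)` branch means hba_authname() no longer returns NULL for an out-of-range method, but nothing visible in the hunk records that contract change. A line in the function's header comment such as `/* Never returns NULL; an out-of-range auth method is reported with elog(FATAL). */` would stop callers from keeping dead NULL checks. Failing closed is the safer choice for a value that presumably feeds the authentication log line, but FATAL also ends the session, so it is worth confirming that every caller can tolerate that. The function's start and its callers are outside the hunk; if `auth_method` is declared with the enum type, the format argument is more conventionally written `(int) auth_method`.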
@@ -126,6 +126,23 @@ unlike( $log = $node->rotate_logfile(); $node->start; +# Test that bad passwords are rejected. +$ENV{"PGPASSWORD"} = 'badpass'; +test_role($node, 'scram_role', 'scram-sha-256', 2); +$ENV{"PGPASSWORD"} = 'pass'; + +$node->stop('fast'); +$log_contents = slurp_file($log); + +# Make sure authenticated identity isn't set if the password is wrong. +unlike( + $log_contents, + qr/connection authenticated:/, + "SCRAM does not set authenticated identity with bad password"); + +$log = $node->rotate_logfile(); +$node->start; + # For "md5" method, all users should be able to connect (SCRAM # authentication will be performed for the user with a SCRAM secret.) reset_pg_hba($node, 'md5'); diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl index d222e086ec..c15b9c405b 100644 --- a/src/test/ssl/t/002_scram.pl +++ b/src/test/ssl/t/002_scram.pl @@ -27,7 +27,7 @@ my $SERVERHOSTCIDR = '127.0.0.1/32'; my $supports_tls_server_end_point = check_pg_config("#define HAVE_X509_GET_SIGNATURE_NID 1"); -my $number_of_tests = $supports_tls_server_end_point ? 15 : 16; +my $number_of_tests = $supports_tls_server_end_point ? 11 : 12; # Allocation of base connection string shared among multiple tests. my $common_connstr; 
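Review bot: The added `unlike($log_contents, qr/connection authenticated:/, ...)` check in src/test/authentication/t/001_password.pl only asserts absence, so it also passes when the rotated log segment is empty or connection logging is not enabled for this node. Pairing it with a positive assertion on the same `$log_contents`, for example `like($log_contents, qr/password authentication failed/, "bad password attempt is logged");`, would show that the rejected attempt really reached this segment before concluding that no identity was recorded. That adds one test, so the `plan tests => 21;` line in the earlier hunk would become 22. The logging configuration is set outside the hunk, so whether the vacuous case can occur in practice needs checking there.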
@@ -48,44 +48,14 @@ $node->start; configure_test_server_for_ssl($node, $SERVERHOSTADDR, $SERVERHOSTCIDR, "scram-sha-256", "pass", "scram-sha-256"); switch_server_cert($node, 'server-cn-only'); +$ENV{PGPASSWORD} = "pass"; $common_connstr = "dbname=trustdb sslmode=require sslcert=invalid sslrootcert=invalid hostaddr=$SERVERHOSTADDR"; -my $log = $node->rotate_logfile(); -$node->restart; - -# Bad password -$ENV{PGPASSWORD} = "badpass"; -test_connect_fails($common_connstr, "user=ssltestuser", - qr/password authentication failed/, - "Basic SCRAM authentication with bad password"); - -$node->stop('fast'); -my $log_contents = slurp_file($log); - -unlike( - $log_contents, - qr/connection authenticated:/, - "SCRAM does not set authenticated identity with bad password"); - -$log = $node->rotate_logfile(); -$node->start; - # Default settings -$ENV{PGPASSWORD} = "pass"; test_connect_ok($common_connstr, "user=ssltestuser", "Basic SCRAM authentication with SSL"); -$node->stop('fast'); -$log_contents = slurp_file($log); - -like( - $log_contents, - qr/connection authenticated: identity="ssltestuser" method=scram-sha-256/, - "Basic SCRAM sets the username as the authenticated identity"); - -$node->start; - # Test channel_binding test_connect_fails( $common_connstr, @@ -132,7 +102,7 @@ test_connect_fails( qr/channel binding required, but server authenticated client without channel binding/, "Cert authentication and channel_binding=require"); -$log = $node->rotate_logfile(); +my $log = $node->rotate_logfile(); $node->restart; # Certificate verification at the connection level should still work fine. @@ -142,7 +112,7 @@ test_connect_ok( "SCRAM with clientcert=verify-full and channel_binding=require"); $node->stop('fast'); -$log_contents = slurp_file($log); +my $log_contents = slurp_file($log); like( $log_contents,