1 # Test password normalization in SCRAM.
3 # This test cannot run on Windows as Postgres cannot be set up with Unix
4 # sockets and needs to go through SSPI.
13 plan skip_all => "authentication tests cannot run on Windows";
20 # Delete pg_hba.conf from the given node, add a new entry to it
21 # and then execute a reload to refresh it.
25 my $hba_method = shift;
27 unlink($node->data_dir . '/pg_hba.conf');
28 $node->append_conf('pg_hba.conf', "local all all $hba_method");
32 # Test access for a single role, useful to wrap all tests into one.
38 my $expected_res = shift;
39 my $status_string = 'failed';
41 $status_string = 'success' if ($expected_res eq 0);
43 $ENV{"PGPASSWORD"} = $password;
44 my $res = $node->psql('postgres', undef, extra_params => [ '-U', $role ]);
45 is($res, $expected_res,
46 "authentication $status_string for role $role with password $password"
50 # Initialize master node. Force UTF-8 encoding, so that we can use non-ASCII
51 # characters in the passwords below.
52 my $node = get_new_node('master');
53 $node->init(extra => [ '--locale=C', '--encoding=UTF8' ]);
56 # These tests are based on the example strings from RFC4013.txt,
57 # Section "3. Examples":
59 # # Input Output Comments
60 # - ----- ------ --------
61 # 1 I<U+00AD>X IX SOFT HYPHEN mapped to nothing
62 # 2 user user no transformation
63 # 3 USER USER case preserved, will not match #2
64 # 4 <U+00AA> a output is NFKC, input in ISO 8859-1
65 # 5 <U+2168> IX output is NFKC, will match #1
66 # 6 <U+0007> Error - prohibited character
67 # 7 <U+0627><U+0031> Error - bidirectional check
72 "SET password_encryption='scram-sha-256';
73 SET client_encoding='utf8';
74 CREATE ROLE saslpreptest1_role LOGIN PASSWORD 'IX';
75 CREATE ROLE saslpreptest4a_role LOGIN PASSWORD 'a';
76 CREATE ROLE saslpreptest4b_role LOGIN PASSWORD E'\\xc2\\xaa';
77 CREATE ROLE saslpreptest6_role LOGIN PASSWORD E'foo\\x07bar';
78 CREATE ROLE saslpreptest7_role LOGIN PASSWORD E'foo\\u0627\\u0031bar';
81 # Require password from now on.
82 reset_pg_hba($node, 'scram-sha-256');
84 # Check that #1 and #5 are treated the same as just 'IX'
85 test_login($node, 'saslpreptest1_role', "I\xc2\xadX", 0);
86 test_login($node, 'saslpreptest1_role', "\xe2\x85\xa8", 0);
88 # but different from lower case 'ix'
89 test_login($node, 'saslpreptest1_role', "ix", 2);
92 test_login($node, 'saslpreptest4a_role', "a", 0);
93 test_login($node, 'saslpreptest4a_role', "\xc2\xaa", 0);
94 test_login($node, 'saslpreptest4b_role', "a", 0);
95 test_login($node, 'saslpreptest4b_role', "\xc2\xaa", 0);
97 # Check #6 and #7 - In PostgreSQL, contrary to the spec, if the password
98 # contains prohibited characters, we use it as is, without normalization.
99 test_login($node, 'saslpreptest6_role', "foo\x07bar", 0);
100 test_login($node, 'saslpreptest6_role', "foobar", 2);
102 test_login($node, 'saslpreptest7_role', "foo\xd8\xa71bar", 0);
103 test_login($node, 'saslpreptest7_role', "foo1\xd8\xa7bar", 2);
104 test_login($node, 'saslpreptest7_role', "foobar", 2);