Commit 681cca86 authored by Tom Lane's avatar Tom Lane

Blind attempt to fix SSPI-auth case in 010_dump_connstr.pl.

Up to now, pg_regress --config-auth had a hard-wired assumption
that the target cluster uses the default bootstrap superuser name.
pg_dump's 010_dump_connstr.pl TAP test uses non-default superuser
names, and was klugily getting around the restriction by listing
the desired superuser name as a role to "create".  This is pretty
confusing (or at least, it confused me).  Let's make it clearer by
allowing --config-auth mode to be told the bootstrap superuser name.
Repurpose the existing --user switch for that, since it has no
other function in --config-auth mode.

Per buildfarm.  I don't have an environment at hand in which I can
test this fix, but the buildfarm should soon show if it works.

Discussion: https://postgr.es/m/3142.1561840611@sss.pgh.pa.us
parent c91504b9
......@@ -55,8 +55,9 @@ $node->init(extra =>
# prep pg_hba.conf and pg_ident.conf
$node->run_log(
[
$ENV{PG_REGRESS}, '--config-auth',
$node->data_dir, '--create-role',
$ENV{PG_REGRESS}, '--config-auth',
$node->data_dir, '--user',
$src_bootstrap_super, '--create-role',
"$username1,$username2,$username3,$username4"
]);
$node->start;
......@@ -181,8 +182,9 @@ $envar_node->init(extra =>
$envar_node->run_log(
[
$ENV{PG_REGRESS}, '--config-auth',
$envar_node->data_dir, '--create-role',
"$dst_bootstrap_super,$restore_super"
$envar_node->data_dir, '--user',
$dst_bootstrap_super, '--create-role',
$restore_super
]);
$envar_node->start;
......@@ -213,8 +215,9 @@ $cmdline_node->init(extra =>
$cmdline_node->run_log(
[
$ENV{PG_REGRESS}, '--config-auth',
$cmdline_node->data_dir, '--create-role',
"$dst_bootstrap_super,$restore_super"
$cmdline_node->data_dir, '--user',
$dst_bootstrap_super, '--create-role',
$restore_super
]);
$cmdline_node->start;
$cmdline_node->run_log(
......
......@@ -965,13 +965,15 @@ current_windows_user(const char **acct, const char **dom)
* Rewrite pg_hba.conf and pg_ident.conf to use SSPI authentication. Permit
* the current OS user to authenticate as the bootstrap superuser and as any
* user named in a --create-role option.
*
* In --config-auth mode, the --user switch can be used to specify the
* bootstrap superuser's name, otherwise we assume it is the default.
*/
static void
config_sspi_auth(const char *pgdata)
config_sspi_auth(const char *pgdata, const char *superuser_name)
{
const char *accountname,
*domainname;
const char *username;
char *errstr;
bool have_ipv6;
char fname[MAXPGPATH];
......@@ -980,17 +982,25 @@ config_sspi_auth(const char *pgdata)
*ident;
_stringlist *sl;
/*
* "username", the initdb-chosen bootstrap superuser name, may always
* match "accountname", the value SSPI authentication discovers. The
* underlying system functions do not clearly guarantee that.
*/
/* Find out the name of the current OS user */
current_windows_user(&accountname, &domainname);
username = get_user_name(&errstr);
if (username == NULL)
/* Determine the bootstrap superuser's name */
if (superuser_name == NULL)
{
fprintf(stderr, "%s: %s\n", progname, errstr);
exit(2);
/*
* Compute the default superuser name the same way initdb does.
*
* It's possible that this result always matches "accountname", the
* value SSPI authentication discovers. But the underlying system
* functions do not clearly guarantee that.
*/
superuser_name = get_user_name(&errstr);
if (superuser_name == NULL)
{
fprintf(stderr, "%s: %s\n", progname, errstr);
exit(2);
}
}
/*
......@@ -1067,7 +1077,7 @@ config_sspi_auth(const char *pgdata)
* bother escaping embedded double-quote characters.
*/
CW(fprintf(ident, "regress \"%s@%s\" %s\n",
accountname, domainname, fmtHba(username)) >= 0);
accountname, domainname, fmtHba(superuser_name)) >= 0);
for (sl = extraroles; sl; sl = sl->next)
CW(fprintf(ident, "regress \"%s@%s\" %s\n",
accountname, domainname, fmtHba(sl->str)) >= 0);
......@@ -2227,7 +2237,7 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
if (config_auth_datadir)
{
#ifdef ENABLE_SSPI
config_sspi_auth(config_auth_datadir);
config_sspi_auth(config_auth_datadir, user);
#endif
exit(0);
}
......@@ -2354,7 +2364,7 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
* "initdb" command, this can't truncate.
*/
snprintf(buf, sizeof(buf), "%s/data", temp_instance);
config_sspi_auth(buf);
config_sspi_auth(buf, NULL);
#elif !defined(HAVE_UNIX_SOCKETS)
#error Platform has no means to secure the test installation.
#endif
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment