github.com/cockroachdb/cockroach@v20.2.0-alpha.1+incompatible/pkg/sql/pgwire/testdata/auth/empty_hba (about)

     1  # These tests exercise the code when the HBA configuration is empty.
     2  #
     3  # An empty config is equivalent to:
     4  #
     5  #     host   all root all cert-password
     6  #     host   all all  all cert-password
     7  #     local  all all      password
     8  #
     9  # The server is secure, so the test runner sets sslmode=verify-full
    10  # by default for every test directive below, with all the other SSL settings loaded as well.
    11  #
    12  # In that mode the server verifies client certificates, and password
    13  # auth is not required if the client cert is valid. If the cert is invalid,
    14  # the password becomes required (the tests below omit the cert with sslcert=).
    15  
    16  config secure
    17  ----
    18  
    19  # Set HBA to empty in case it wasn't done before.
    20  set_hba
    21  ----
    22  # Active authentication configuration on this node:
    23  # Original configuration:
    24  # host  all root all cert-password # CockroachDB mandatory rule
    25  # host  all all  all cert-password # built-in CockroachDB default
    26  # local all all      password      # built-in CockroachDB default
    27  #
    28  # Interpreted configuration:
    29  # TYPE DATABASE USER ADDRESS METHOD        OPTIONS
    30  host   all      root all     cert-password
    31  host   all      all  all     cert-password
    32  local  all      all          password
    33  
    34  subtest root
    35  
    36  # Root can always connect over the network with its client cert, regardless of the configured HBA rules: the root rule shown above is mandatory.
    37  connect user=root
    38  ----
    39  ok defaultdb
    40  
    41  # However root cannot connect over the unix socket by default
    42  # because it does not have a password.
    43  connect_unix user=root
    44  ----
    45  ERROR: password authentication failed for user root
    46  
    47  # When no client cert is presented, the server falls back to requiring
    48  # password auth. However, root does not have a password, so the login is denied.
    49  connect user=root password=foo sslmode=verify-ca sslcert=
    50  ----
    51  ERROR: password authentication failed for user root
    52  
    53  subtest end root
    54  
    55  
    56  subtest normaluser_cert
    57  
    58  # User has no password, and we're presenting a client cert. All good.
    59  connect user=testuser
    60  ----
    61  ok defaultdb
    62  
    63  # A user with an empty/no password is denied password auth. A unix socket
    64  # connection does not present a cert, so auth fails.
    65  connect_unix user=testuser
    66  ----
    67  ERROR: password authentication failed for user testuser
    68  
    69  # Make the user need a password.
    70  sql
    71  ALTER USER testuser WITH PASSWORD 'pass';
    72  ----
    73  ok
    74  
    75  # Password now needed, but as long as we're presenting a cert it's good.
    76  connect user=testuser
    77  ----
    78  ok defaultdb
    79  
    80  # If we don't present the client certificate, the password is required.
    81  connect user=testuser password=invalid sslmode=verify-ca sslcert=
    82  ----
    83  ERROR: password authentication failed for user testuser
    84  
    85  connect user=testuser password=pass sslmode=verify-ca sslcert=
    86  ----
    87  ok defaultdb
    88  
    89  connect_unix user=testuser password=pass
    90  ----
    91  ok defaultdb
    92  
    93  # Reset the test user to no password.
    94  sql
    95  DROP USER testuser; CREATE USER testuser
    96  ----
    97  ok
    98  
    99  subtest end normaluser_cert
   100  
   101  subtest normaluser_nocert
   102  
   103  # This other test user has no default cert.
   104  sql
   105  CREATE USER testuser_nocert
   106  ----
   107  ok
   108  
   109  # Since this user has no cert, the client does not present one
   110  # and password auth becomes required.
   111  connect user=testuser_nocert
   112  ----
   113  ERROR: password authentication failed for user testuser_nocert
   114  
   115  # Even though the user has no password, presenting the empty
   116  # password also fails. The user simply cannot log in.
   117  connect user=testuser_nocert password=
   118  ----
   119  ERROR: password authentication failed for user testuser_nocert
   120  
   121  sql
   122  DROP USER testuser_nocert
   123  ----
   124  ok
   125  
   126  subtest end normaluser_nocert
   127  
   128  subtest unicode_user_and_username_normalization
   129  
   130  sql
   131  CREATE USER ὀδυσσεύς WITH PASSWORD '蟑♫螂';
   132  ----
   133  ok
   134  
   135  # Check that the user can log in.
   136  connect user=(ὀδυσσεύς) password=(蟑♫螂)
   137  ----
   138  ok defaultdb
   139  
   140  # Verify auth fails without password.
   141  #
   142  # Also verify that the username gets normalized: the username is created
   143  # with a lowercase 'ὀ' and we provide an uppercase 'Ὀ'; the error names the normalized user.
   144  #
   145  # (The parentheses are required so that the datadriven runner
   146  # accepts the unicode characters.)
   147  #
   148  connect user=(Ὀδυσσεύς) password=
   149  ----
   150  ERROR: password authentication failed for user ὀδυσσεύς
   151  
   152  # The unicode password succeeds, with user normalization.
   153  connect user=(Ὀδυσσεύς) password=(蟑♫螂)
   154  ----
   155  ok defaultdb
   156  
   157  subtest end