# Source: github.com/cockroachdb/cockroach@v20.2.0-alpha.1+incompatible/pkg/sql/pgwire/testdata/auth/empty_hba
#
# These tests exercise the authentication code when the HBA configuration is empty.
#
# An empty config is equivalent to:
#
# host all root all cert-password
# host all all all cert-password
# local all all password
#
# That is: network ("host") connections use the cert-password method,
# and unix socket ("local") connections use the password method.
#
# The server is secure, so the test runner sets sslmode=verify-full
# by default for all test directives below, with all other SSL settings loaded.
# Directives that pass an empty "sslcert=" are the cases where no client
# certificate is presented.
#
# When this is the case, client certificates are verified by the
# server, and password auth is not required if the client cert
# is valid. If the cert is invalid, the password becomes required.

config secure
----

# Set HBA to empty in case it wasn't done before.
#
# Format note: everything between "----" and the next blank line is the
# expected output of the directive. For set_hba this includes the lines
# that start with "#": they are part of the expected output, not comments,
# and must be kept exactly as they are.
set_hba
----
# Active authentication configuration on this node:
# Original configuration:
# host all root all cert-password # CockroachDB mandatory rule
# host all all all cert-password # built-in CockroachDB default
# local all all password # built-in CockroachDB default
#
# Interpreted configuration:
# TYPE DATABASE USER ADDRESS METHOD OPTIONS
host all root all cert-password
host all all all cert-password
local all all password

subtest root

# Root can always connect over the network regardless: the "host all root"
# rule is reported as the mandatory rule in the output above. This
# directive uses the runner's default SSL settings (contrast with the
# "sslcert=" case further down, where no client cert is presented).
connect user=root
----
ok defaultdb

# However root cannot connect over the unix socket by default
# because it does not have a password: the "local" rule uses the
# password method only.
connect_unix user=root
----
ERROR: password authentication failed for user root

# When no client cert is presented (sslcert= is empty), the server
# requires password auth instead. However, root does not have a
# password, so the supplied password is rejected.
connect user=root password=foo sslmode=verify-ca sslcert=
----
ERROR: password authentication failed for user root

subtest end root


subtest normaluser_cert

# User has no password, and we're presenting a client cert. All good.
connect user=testuser
----
ok defaultdb

# Empty/no password means deny password auth. Unix socket does not
# present a cert so auth fails.
connect_unix user=testuser
----
ERROR: password authentication failed for user testuser

# Make the user need a password.
sql
ALTER USER testuser WITH PASSWORD 'pass';
----
ok

# Password now needed, but as long as we're presenting a cert it's good.
connect user=testuser
----
ok defaultdb

# If we don't present the client certificate, the password is required.
# A wrong password is rejected.
connect user=testuser password=invalid sslmode=verify-ca sslcert=
----
ERROR: password authentication failed for user testuser

# Still without a client certificate: the correct password is accepted.
connect user=testuser password=pass sslmode=verify-ca sslcert=
----
ok defaultdb

# The unix socket (the "local ... password" rule) also accepts the
# correct password, now that the user has one.
connect_unix user=testuser password=pass
----
ok defaultdb

# Reset the test user to no password, by dropping and re-creating it.
sql
DROP USER testuser; CREATE USER testuser
----
ok

subtest end normaluser_cert

subtest normaluser_nocert

# This other test user has no default cert.
sql
CREATE USER testuser_nocert
----
ok

# Since there is no cert, no cert is going to be presented by the client
# and password auth becomes required.
connect user=testuser_nocert
----
ERROR: password authentication failed for user testuser_nocert

# Even though the user has no password, trying to present the
# empty password fails: an empty password is not accepted for an
# account that has no password set. The user simply cannot log in.
connect user=testuser_nocert password=
----
ERROR: password authentication failed for user testuser_nocert

# Remove the cert-less test user again.
sql
DROP USER testuser_nocert
----
ok

subtest end normaluser_nocert

subtest unicode_user_and_username_normalization

# Create a user whose name and password both contain non-ASCII characters.
sql
CREATE USER ὀδυσσεύς WITH PASSWORD '蟑♫螂';
----
ok

# Check that the user can log in.
connect user=(ὀδυσσεύς) password=(蟑♫螂)
----
ok defaultdb

# Verify auth fails without password.
#
# Also verify that the username gets normalized: the username
# is created with a leading 'ὀ' and we provide a leading 'Ὀ'.
# The expected error below names the user with 'ὀ', i.e. in the
# form it was created with, not the form the client sent.
#
# (The parentheses are required so that the datadriven runner
# accepts the unicode characters.)
#
connect user=(Ὀδυσσεύς) password=
----
ERROR: password authentication failed for user ὀδυσσεύς

# The unicode password succeeds, with user normalization: the client
# again sends the 'Ὀ' spelling of the username.
connect user=(Ὀδυσσεύς) password=(蟑♫螂)
----
ok defaultdb

subtest end