* Christian Ullrich wrote:
> I thought about writing a few [SSPI tests], and I may yet get around
> to that,
Attached is a proposed patch; I cannot send it as a PR because it is
dependent on Pavel Raiskup's as yet unmerged #546. The Waffle-free build
option is clearly coming, and there is little point in having SSPI tests
that then cannot be turned off.
Some explanations:
- Both successful and unsuccessful authentication is tested, the latter
to ensure that a configuration mistake (such as a "trust" line left
in pg_hba.conf) has not caused *both* tests to succeed when they
should have failed.
- Setting up to run these tests is not entirely (or at all) trivial; it
requires running the database server as an account that is capable of
SSPI authentication (such as a virtual service account, e.g.
"NT SERVICE\PostgreSQL") on both domain member and non-member
systems, or a domain user account.
- Additionally, both pg_hba.conf and, in most cases, pg_ident.conf must
be configured. In particular, the user account that runs the tests
must be permitted to authenticate as the database role configured in
build.properties.
- The tests are not run when Waffle is disabled. I would have preferred
to have a separate option to turn them off even when building with
Waffle because the setup is so difficult. I could not think of a way
to make Maven do this, mostly because profiles cannot be chained, and
profile activation cannot use two variables, for example
(!enableWaffle || disableSSPITests).
- There is an intermittent problem where testUnauthorized() fails
because it gets the wrong exception: It expects SQLSTATE 28000 from
the server, but sometimes it gets 08001 generated internally in the
driver. No idea what causes that. I did not want to blindly accept any
error as proof of failed authentication.
--
Christian
