From f8ff35fbc5816add4775d1aabae5700b29876439 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson
Date: Mon, 13 May 2024 13:17:26 +0200
Subject: [PATCH 2/2] Use library functions to edit config in SSL tests
The SSL tests were editing the postgres configuration by directly reading and writing the files rather than using append_conf() from the testcode library.
---
 src/test/ssl/t/SSL/Server.pm | 67 ++++++++++++++----------------------
 1 file changed, 26 insertions(+), 41 deletions(-)
diff --git a/src/test/ssl/t/SSL/Server.pm b/src/test/ssl/t/SSL/Server.pm
index ca4c7b567b..e690bce4ca 100644
--- a/src/test/ssl/t/SSL/Server.pm
+++ b/src/test/ssl/t/SSL/Server.pm
@@ -191,17 +191,14 @@ sub configure_test_server_for_ssl
 }
 # enable logging etc.
- open my $conf, '>>', "$pgdata/postgresql.conf" or die $!;
- print $conf "fsync=off\n";
- print $conf "log_connections=on\n";
- print $conf "log_hostname=on\n";
- print $conf "listen_addresses='$serverhost'\n";
- print $conf "log_statement=all\n";
+ $node->append_conf('postgresql.conf', "fsync=off");
+ $node->append_conf('postgresql.conf', "log_connections=on");
+ $node->append_conf('postgresql.conf', "log_hostname=on");
+ $node->append_conf('postgresql.conf', "listen_addresses='$serverhost'");
+ $node->append_conf('postgresql.conf', "log_statement=all");
 # enable SSL and set up server key
- print $conf "include 'sslconfig.conf'\n";
-
- close $conf;
+ $node->append_conf('postgresql.conf', "include 'sslconfig.conf'");
 # SSL configuration will be placed here
 open my $sslconf, '>', "$pgdata/sslconfig.conf" or die $!;
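Review bot: The trailing context still creates sslconfig.conf with a bare `open my $sslconf, '>', "$pgdata/sslconfig.conf" or die $!;`, so after this change configure_test_server_for_ssl writes one config file through `append_conf()` and the next one by hand. If the aim is to route every config edit through the test library, that write should be converted as well, or a comment such as `# written directly: this file must start empty, append_conf() only appends` should say why it is kept. The six consecutive calls could also be a single `append_conf()` with one multi-line string, which keeps the settings readable as a unit. The function continues outside the hunk, so the remaining writes to `$sslconf` are not visible here.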
@@ -290,13 +287,12 @@ sub switch_server_cert
 my %params = @_;
 my $pgdata = $node->data_dir;
- open my $sslconf, '>', "$pgdata/sslconfig.conf" or die $!;
- print $sslconf "ssl=on\n";
- print $sslconf $backend->set_server_cert(\%params);
- print $sslconf "ssl_passphrase_command='"
- . $params{passphrase_cmd} . "'\n"
+ ok(unlink($node->data_dir . '/sslconfig.conf'));
+ $node->append_conf('sslconfig.conf', "ssl=on");
+ $node->append_conf('sslconfig.conf', $backend->set_server_cert(\%params));
+ $node->append_conf('sslconfig.conf', "ssl_passphrase_command='" . $params{passphrase_cmd} . "'")
 if defined $params{passphrase_cmd};
- close $sslconf;
+ #$node->append_conf('sslconfig.conf', "ssl_snimode=off");
 return if (defined($params{restart}) && $params{restart} eq 'no');
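Review bot: `ok(unlink(...))` in switch_server_cert only records a failed test when the old sslconfig.conf cannot be removed; execution continues and the new settings are appended to the stale file, whereas the previous `open ... '>' ... or die` either truncated the file or aborted. Any TLS setting from the earlier certificate set that the new one does not override would then stay in force, and the following tests would run against a server configuration nobody intended. Use `unlink("$pgdata/sslconfig.conf") or die "could not remove $pgdata/sslconfig.conf: $!";`, which also reuses the existing `$pgdata` and keeps assertions out of a helper module. The same pattern appears for pg_hba.conf and pg_ident.conf in _configure_hba_for_ssl, where a surviving pg_hba.conf matters more because its earlier entries are matched first. The commented-out `ssl_snimode` line looks like leftover work in progress and should be dropped.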
@@ -315,34 +311,23 @@ sub _configure_hba_for_ssl
 # but seems best to keep it as narrow as possible for security reasons.
 #
 # When connecting to certdb, also check the client certificate.
- open my $hba, '>', "$pgdata/pg_hba.conf" or die $!;
- print $hba
- "# TYPE DATABASE USER ADDRESS METHOD OPTIONS\n";
- print $hba
- "hostssl trustdb md5testuser $servercidr md5\n";
- print $hba
- "hostssl trustdb all $servercidr $authmethod\n";
- print $hba
- "hostssl verifydb ssltestuser $servercidr $authmethod clientcert=verify-full\n";
- print $hba
- "hostssl verifydb anotheruser $servercidr $authmethod clientcert=verify-full\n";
- print $hba
- "hostssl verifydb yetanotheruser $servercidr $authmethod clientcert=verify-ca\n";
- print $hba
- "hostssl certdb all $servercidr cert\n";
- print $hba
- "hostssl certdb_dn all $servercidr cert clientname=DN map=dn\n",
- "hostssl certdb_dn_re all $servercidr cert clientname=DN map=dnre\n",
- "hostssl certdb_cn all $servercidr cert clientname=CN map=cn\n";
- close $hba;
+ ok(unlink($node->data_dir . '/pg_hba.conf'));
+ $node->append_conf('pg_hba.conf', "# TYPE DATABASE USER ADDRESS METHOD OPTIONS");
+ $node->append_conf('pg_hba.conf', "hostssl trustdb md5testuser $servercidr md5");
+ $node->append_conf('pg_hba.conf', "hostssl trustdb all $servercidr $authmethod");
+ $node->append_conf('pg_hba.conf', "hostssl verifydb ssltestuser $servercidr $authmethod clientcert=verify-full");
+ $node->append_conf('pg_hba.conf', "hostssl verifydb anotheruser $servercidr $authmethod clientcert=verify-full");
+ $node->append_conf('pg_hba.conf', "hostssl verifydb yetanotheruser $servercidr $authmethod clientcert=verify-ca");
+ $node->append_conf('pg_hba.conf', "hostssl certdb all $servercidr cert");
+ $node->append_conf('pg_hba.conf', "hostssl certdb_dn all $servercidr cert clientname=DN map=dn");
+ $node->append_conf('pg_hba.conf', "hostssl certdb_dn_re all $servercidr cert clientname=DN map=dnre");
+ $node->append_conf('pg_hba.conf', "hostssl certdb_cn all $servercidr cert clientname=CN map=cn");
 # Also set the ident maps. Note: fields with commas must be quoted
- open my $map, ">", "$pgdata/pg_ident.conf" or die $!;
- print $map
- "# MAPNAME SYSTEM-USERNAME PG-USERNAME\n",
- "dn \"CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG\" ssltestuser\n",
- "dnre \"/^.*OU=Testing,.*\$\" ssltestuser\n",
- "cn ssltestuser-dn ssltestuser\n";
+ ok(unlink($node->data_dir . '/pg_ident.conf'));
+ $node->append_conf('pg_ident.conf', "dn \"CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG\" ssltestuser");
+ $node->append_conf('pg_ident.conf', "dnre \"/^.*OU=Testing,.*\$\" ssltestuser");
+ $node->append_conf('pg_ident.conf', "cn ssltestuser-dn ssltestuser");
 return;
 }
-- 2.39.3 (Apple Git-146)
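Review bot: The rewritten pg_ident.conf block no longer writes the `# MAPNAME SYSTEM-USERNAME PG-USERNAME` header, while the pg_hba.conf block keeps its column header; if the omission is unintended, add `$node->append_conf('pg_ident.conf', "# MAPNAME SYSTEM-USERNAME PG-USERNAME");` before the `dn` entry. The access rules are now built by ten separate `append_conf()` calls, and a single call with one multi-line string would keep the rule table reviewable as a unit and avoid leaving a partially written pg_hba.conf if one call fails midway. `$pgdata` is no longer referenced in the visible lines, so its declaration may now be unused; _configure_hba_for_ssl starts outside the hunk, so that needs checking there.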