From 9837ba0deec314988cc0cf2e6a51dd49137b38fe Mon Sep 17 00:00:00 2001
From: Michael Paquier
Date: Mon, 14 Nov 2016 14:45:44 -0800
Subject: [PATCH 7/7] Add TAP tests for authentication methods
Those are useful to test what is expected from users having either plain, MD5-encrypted or SCRAM passwords.
---
src/test/recovery/t/009_authentication.pl | 84 +++++++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
create mode 100644 src/test/recovery/t/009_authentication.pl
diff --git a/src/test/recovery/t/009_authentication.pl b/src/test/recovery/t/009_authentication.pl
new file mode 100644
index 0000000000..4713d0b971
--- /dev/null
+++ b/src/test/recovery/t/009_authentication.pl
@@ -0,0 +1,84 @@
+# Set of tests for authentication and pg_hba.conf. The following password
+# methods are checked through this test:
+# - Plain
+# - MD5-encrypted
+# - SCRAM-encrypted
+# This test cannot run on Windows as Postgres cannot be set up with Unix
+# sockets and needs to go through SSPI.
+
+use strict;
+use warnings;
+use PostgresNode;
+use TestLib;
+use Test::More tests => 12;
+
+# Delete pg_hba.conf from the given node, add a new entry to it
+# and then execute a reload to refresh it.
+sub reset_pg_hba
+{
+ my $node = shift;
+ my $hba_method = shift;
+
+ unlink($node->data_dir . '/pg_hba.conf');
+ $node->append_conf('pg_hba.conf', "local all all $hba_method");
+ $node->reload;
+}
+
+# Test access for a single role, useful to wrap all tests into one.
+sub test_role
+{
+ my $node = shift;
+ my $role = shift;
+ my $method = shift;
+ my $expected_res = shift;
+ my $status_string = 'failed';
+
+ $status_string = 'success' if ($expected_res eq 0);
+
+ my $res = $node->psql('postgres', 'SELECT 1', extra_params => ['-U', $role]);
+ is($res, $expected_res,
+ "authentication $status_string for method $method, role $role");
+}
+
+SKIP:
+{
+ skip "authentication tests cannot run on Windows", 12 if ($windows_os);
+
+ # Initialize master node
+ my $node = get_new_node('master');
+ $node->init;
+ $node->start;
+
+ # Create 3 roles with different password methods for each one. The same
+ # password is used for all of them.
+ $node->safe_psql('postgres', "CREATE ROLE scram_role LOGIN PASSWORD ('pass' USING 'scram');");
+ $node->safe_psql('postgres', "CREATE ROLE md5_role LOGIN PASSWORD ('pass' USING 'md5');");
+ $node->safe_psql('postgres', "CREATE ROLE plain_role LOGIN PASSWORD ('pass' USING 'plain');");
+ $ENV{"PGPASSWORD"} = 'pass';
+
+ # For "trust" method, all users should be able to connect.
+ reset_pg_hba($node, 'trust');
+ test_role($node, 'scram_role', 'trust', 0);
+ test_role($node, 'md5_role', 'trust', 0);
+ test_role($node, 'plain_role', 'trust', 0);
+
+ # For "plain" method, users "plain_role" and "md5_role" should be able to
+ # connect.
+ reset_pg_hba($node, 'password');
+ test_role($node, 'scram_role', 'password', 2);
+ test_role($node, 'md5_role', 'password', 0);
+ test_role($node, 'plain_role', 'password', 0);
+
+ # For "scram" method, only user "scram_role" should be able to connect.
+ reset_pg_hba($node, 'scram');
+ test_role($node, 'scram_role', 'scram', 0);
+ test_role($node, 'md5_role', 'scram', 2);
+ test_role($node, 'plain_role', 'scram', 2);
+
+ # For "md5" method, users "plain_role" and "md5_role" should be able to
+ # connect.
+ reset_pg_hba($node, 'md5');
+ test_role($node, 'scram_role', 'md5', 2);
+ test_role($node, 'md5_role', 'md5', 0);
+ test_role($node, 'plain_role', 'md5', 0);
+}
--
2.11.0
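Review bot: The rejection cases in test_role assert only that psql exits with status 2, which psql returns for any failed connection, so a `test_role(..., 2)` case also passes when the connection fails for a reason unrelated to the pg_hba.conf method under test. Capturing the error output would tie the result to authentication, e.g. `my $res = $node->psql('postgres', 'SELECT 1', extra_params => ['-U', $role], stderr => \my $stderr);` followed by a `like($stderr, ...)` on the expected failure message when `$expected_res` is non-zero (the `tests => 12` plan would need adjusting). PGPASSWORD is always set to the correct 'pass', so no case shows that a wrong password is rejected under 'password', 'md5' or 'scram'; one such case per method would cover the actual password check. In reset_pg_hba the result of `unlink` is ignored; `unlink($node->data_dir . '/pg_hba.conf') or die "could not remove pg_hba.conf: $!";` would stop the run instead of appending the new line after the old entries, where it may never be matched.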