From: Michael Paquier
Date: Tue, 22 Mar 2022 04:21:58 +0000 (+0900)
Subject: Fix failures in SSL tests caused by out-of-tree keys and certificates
X-Git-Tag: REL_10_21~43
X-Git-Url: http://git.postgresql.org/gitweb/?a=commitdiff_plain;h=8138bd4a567e05b77b205519c24ef6caa4b716d6;p=postgresql.git
Fix failures in SSL tests caused by out-of-tree keys and certificates
This issue is environment-sensitive, where the SSL tests could fail in various way by feeding on defaults provided by sslcert, sslkey, sslrootkey, sslrootcert, sslcrl and sslcrldir coming from a local setup, as of ~/.postgresql/ by default. Horiguchi-san has reported two failures, but more advanced testing from me (aka inclusion of garbage SSL configuration in ~/.postgresql/ for all the configuration parameters) has showed dozens of failures that can be triggered in the whole test suite. History has showed that we are not good when it comes to address such issues, fixing them locally like in dd87799, and such problems keep appearing. This commit strengthens the entire test suite to put an end to this set of problems by embedding invalid default values in all the connection strings used in the tests. The invalid values are prefixed in each connection string, relying on the follow-up values passed in the connection string to enforce any invalid value previously set. Note that two tests related to CRLs are required to fail with certain pre-set configurations, but we can rely on enforcing an empty value instead after the invalid set of values.
Reported-by: Kyotaro Horiguchi
Reviewed-by: Andrew Dunstan, Daniel Gustafsson, Kyotaro Horiguchi
Discussion: https://postgr.es/m/20220316.163658.1122740600489097632.horikyota.ntt@gmail.com
backpatch-through: 10
---
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 95e38efef30..5c4a2a3d0b7 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -83,8 +83,13 @@ switch_server_cert($node, 'server-cn-only');
 note "running client tests";
+# Set of default settings for SSL parameters in connection string. This
+# makes the tests protected against any defaults the environment may have
+# in ~/.postgresql/.
+my $default_ssl_connstr = "sslkey=invalid sslcert=invalid sslrootcert=invalid sslcrl=invalid";
+
 $common_connstr =
-"user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
+"$default_ssl_connstr user=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
 # The server should not accept non-SSL connections
 note "test that the server doesn't accept non-SSL connections";
@@ -139,7 +144,7 @@ test_connect_ok(
 # match the hostname in the server's certificate.
 note "test mismatch between hostname and server certificate";
 $common_connstr =
-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
+"$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 test_connect_ok("sslmode=require host=wronghost.test");
 test_connect_ok("sslmode=verify-ca host=wronghost.test");
@@ -150,7 +155,7 @@ switch_server_cert($node, 'server-multiple-alt-names');
 note "test hostname matching with X.509 Subject Alternative Names";
 $common_connstr =
-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
+"$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
 test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
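Review bot: The comment added above `$default_ssl_connstr` does not state the two conditions the defaults depend on. Per the commit description, a later keyword in the same connection string replaces an earlier one, so the variable has to stay at the front of every `$common_connstr`. Also, `invalid` looks like a plain relative file name that is expected not to exist where the tests run; that part is inferred, not shown in the hunk. Writing both next to the variable keeps a later edit from appending the defaults after the per-test values, which would silently turn the overrides off. Suggested addition: `# Must come first in each connection string: later settings override these. "invalid" is expected not to name an existing file.`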
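Review bot: The value assigned to `$common_connstr` in the hunk at -139 is repeated character for character in the hunks at -150, -165 and -178, so a future change to the defaults must be made in four places. Defining it once, for example `my $verify_full_connstr = "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`, and writing `$common_connstr = $verify_full_connstr;` in each section would keep the verify-full sections from drifting apart. This is a point of style only; the four assignments behave the same as written.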
@@ -165,7 +170,7 @@ switch_server_cert($node, 'server-single-alt-name');
 note "test hostname matching with a single X.509 Subject Alternative Name";
 $common_connstr =
-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
+"$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 test_connect_ok("host=single.alt-name.pg-ssltest.test");
@@ -178,7 +183,7 @@ switch_server_cert($node, 'server-cn-and-alt-names');
 note "test certificate with both a CN and SANs";
 $common_connstr =
-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
+"$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
 test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
@@ -188,7 +193,7 @@ test_connect_fails("host=common-name.pg-ssltest.test");
 # not a very sensible certificate, but libpq should handle it gracefully.
 switch_server_cert($node, 'server-no-names');
 $common_connstr =
-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
+"$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
 test_connect_ok("sslmode=verify-ca host=common-name.pg-ssltest.test");
 test_connect_fails("sslmode=verify-full host=common-name.pg-ssltest.test");
@@ -198,7 +203,7 @@ note "testing client-side CRL";
 switch_server_cert($node, 'server-revoked');
 $common_connstr =
-"user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
+"$default_ssl_connstr user=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
 # Without the CRL, succeeds. With it, fails.
 test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
@@ -212,7 +217,7 @@ test_connect_fails(
 note "testing certificate authorization";
 $common_connstr =
-"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";
+"$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";
 # no client cert
 test_connect_fails("user=ssltestuser sslcert=invalid");
@@ -233,7 +238,7 @@ test_connect_fails(
 # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file
 switch_server_cert($node, 'server-cn-only', 'root_ca');
 $common_connstr =
-"user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
+"$default_ssl_connstr user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
 test_connect_ok("sslmode=require sslcert=ssl/client+client_ca.crt");
 test_connect_fails("sslmode=require sslcert=ssl/client.crt");
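Review bot: In the hunk at -198, the positive case under `# Without the CRL, succeeds. With it, fails.` no longer runs without a CRL setting. `$common_connstr` now carries `sslcrl=invalid` from `$default_ssl_connstr`, and `test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca")` does not override it. The test therefore passes only if the client skips a CRL file it cannot load, which this hunk does not show. The commit description mentions forcing an empty value for CRL cases, but no such override appears here. The existing comment should record the dependency, for example `# sslcrl=invalid from the defaults names no loadable file, so no CRL is applied and this succeeds.`; the paired failing CRL case starts after the end of the hunk.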