Add TAP tests for role membership in pg_hba.conf

This commit expands the coverage of pg_hba.conf with checks specific to
role memberships (one "root" role combined with a member and a
non-member).  Coverage is added for the database keywords "samegroup"
and "samerole", where the specified role has to be be a member of the
role with the same name as the requested database, and '+' on the user
entry, where members are allowed.  These tests are plugged in the
authentication test 001_password.pl as of extra connection attempts
combined with resets of pg_hba.conf, making them rather cheap.

Author: Nathan Bossart
Reviewed-by: Tom Lane, Michael Paquier
Discussion: https://postgr.es/m/20221009211348.GB900071@nathanxps13

diff --git a/src/test/authentication/t/001_password.pl b/src/test/authentication/t/001_password.pl
index 93df77aa4e1e2c9f6015a0cdc7423f95717b9208..ea664d18f5b2f23ca4384def968d428680ce890a 100644 (file)
--- a/src/test/authentication/t/001_password.pl
+++ b/src/test/authentication/t/001_password.pl
@@ -200,4 +200,130 @@ append_to_file(
 
 test_conn($node, 'user=md5_role', 'password from pgpass', 0);
 
+unlink($pgpassfile);
+delete $ENV{"PGPASSFILE"};
+
+note "Authentication tests with specific HBA policies on roles";
+
+# Create database and roles for membership tests
+reset_pg_hba($node, 'all', 'all', 'trust');
+# Database and root role names match for "samerole" and "samegroup".
+$node->safe_psql('postgres', "CREATE DATABASE regress_regression_group;");
+$node->safe_psql(
+   'postgres',
+   qq{CREATE ROLE regress_regression_group LOGIN PASSWORD 'pass';
+CREATE ROLE regress_member LOGIN SUPERUSER IN ROLE regress_regression_group PASSWORD 'pass';
+CREATE ROLE regress_not_member LOGIN SUPERUSER PASSWORD 'pass';});
+
+# Test role with exact matching, no members allowed.
+$ENV{"PGPASSWORD"} = 'pass';
+reset_pg_hba($node, 'all', 'regress_regression_group', 'scram-sha-256');
+test_conn(
+   $node,
+   'user=regress_regression_group',
+   'scram-sha-256',
+   0,
+   log_like => [
+       qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
+   ]);
+test_conn(
+   $node,
+   'user=regress_member',
+   'scram-sha-256',
+   2,
+   log_unlike => [
+       qr/connection authenticated: identity="regress_member" method=scram-sha-256/
+   ]);
+test_conn(
+   $node,
+   'user=regress_not_member',
+   'scram-sha-256',
+   2,
+   log_unlike => [
+       qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
+   ]);
+
+# Test role membership with '+', where all the members are allowed
+# to connect.
+reset_pg_hba($node, 'all', '+regress_regression_group', 'scram-sha-256');
+test_conn(
+   $node,
+   'user=regress_regression_group',
+   'scram-sha-256',
+   0,
+   log_like => [
+       qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
+   ]);
+test_conn(
+   $node,
+   'user=regress_member',
+   'scram-sha-256',
+   0,
+   log_like => [
+       qr/connection authenticated: identity="regress_member" method=scram-sha-256/
+   ]);
+test_conn(
+   $node,
+   'user=regress_not_member',
+   'scram-sha-256',
+   2,
+   log_unlike => [
+       qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
+   ]);
+
+# Test role membership is respected for samerole
+$ENV{"PGDATABASE"} = 'regress_regression_group';
+reset_pg_hba($node, 'samerole', 'all', 'scram-sha-256');
+test_conn(
+   $node,
+   'user=regress_regression_group',
+   'scram-sha-256',
+   0,
+   log_like => [
+       qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
+   ]);
+test_conn(
+   $node,
+   'user=regress_member',
+   'scram-sha-256',
+   0,
+   log_like => [
+       qr/connection authenticated: identity="regress_member" method=scram-sha-256/
+   ]);
+test_conn(
+   $node,
+   'user=regress_not_member',
+   'scram-sha-256',
+   2,
+   log_unlike => [
+       qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
+   ]);
+
+# Test role membership is respected for samegroup
+reset_pg_hba($node, 'samegroup', 'all', 'scram-sha-256');
+test_conn(
+   $node,
+   'user=regress_regression_group',
+   'scram-sha-256',
+   0,
+   log_like => [
+       qr/connection authenticated: identity="regress_regression_group" method=scram-sha-256/
+   ]);
+test_conn(
+   $node,
+   'user=regress_member',
+   'scram-sha-256',
+   0,
+   log_like => [
+       qr/connection authenticated: identity="regress_member" method=scram-sha-256/
+   ]);
+test_conn(
+   $node,
+   'user=regress_not_member',
+   'scram-sha-256',
+   2,
+   log_unlike => [
+       qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
+   ]);
+
 done_testing();