Add tests for LDAP

Author: CommanderKeynes

.circleci/glauth.cfg

@@ -0,0 +1,111 @@
+#################
+# glauth.conf
+
+#################
+# General configuration.
+debug = true
+
+[ldap]
+  enabled = true
+  # run on a non privileged port
+  listen = "0.0.0.0:3893"
+  tls = false
+
+[ldaps]
+  enabled = false
+#################
+# Tracing section controls the tracer configuration
+[tracing]
+  # if enabled is set to false, a no-op tracer will be used
+  enabled = true
+  # if both grpcEndpoint and httpEndpoint are unset, the default stdout provider will be used
+  # TODO add allowGRPCInsecure: right now grpc otlp is using the WithInsecure flag so traffic
+  # will always go without verifying server certificates
+  # grpcEndpoint = "otlp.monitoring.io:4317"
+  # httpEndpoint = "http://otlp.monitoring.io:4318"
+#################
+# The backend section controls the data store.
+[backend]
+  datastore = "config"
+  baseDN = "dc=example,dc=com"
+  nameformat = "cn"
+  groupformat = "ou"
+
+  # If you are using a client that requires reading the root DSE first
+  # such as SSSD
+  # anonymousdse = true
+
+  ## Configure dn format to use structures like
+  ## "uid=serviceuser,cn=svcaccts,$BASEDN" instead of "cn=serviceuser,ou=svcaccts,$BASEDN"
+  ## to help ease migrations from other LDAP systems
+  # nameformat = "uid"
+  # groupformat = "cn"
+
+  ## Configure ssh-key attribute name, default is 'sshPublicKey'
+  # sshkeyattr = "ipaSshPubKey"
+
+[behaviors]
+  # Ignore all capabilities restrictions, for instance allowing every user to perform a search
+  IgnoreCapabilities = false
+  # Enable a "fail2ban" type backoff mechanism temporarily banning repeated failed login attempts
+  LimitFailedBinds = true
+  # How many failed login attempts are allowed before a ban is imposed
+  NumberOfFailedBinds = 3
+  # How long (in seconds) is the window for failed login attempts
+  PeriodOfFailedBinds = 10
+  # How long (in seconds) is the ban duration
+  BlockFailedBindsFor = 60
+  # Clean learnt IP addresses every N seconds
+  PruneSourceTableEvery = 600
+  # Clean learnt IP addresses not seen in N seconds
+  PruneSourcesOlderThan = 600
+
+#################
+# The users section contains a hardcoded list of valid users.
+#   to create a passSHA256:   echo -n "mysecret" | openssl dgst -sha256
+[[users]]
+  name = "admin_user"
+  uidnumber = 5001
+  primarygroup = 5501
+  mail = "admin_user@example.com"
+  passsha256 = "6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a" # dogood
+    [[users.customattributes]]
+    employeetype = ["Intern", "Temp"]
+    employeenumber = [12345, 54321]
+    [[users.capabilities]]
+    action = "search"
+    object = "dc=example,dc=com"
+
+# This user record shows all of the possible fields available
+[[users]]
+  name = "sharding_user"
+  givenname="John"
+  sn="Doe"
+  mail = "sharding_user@example.com"
+  uidnumber = 5002
+  primarygroup = 5501
+  loginShell = "/bin/sh"
+  homeDir = "/root"
+  passsha256 = "6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a" # dogood
+  sshkeys = ["ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA3UKCEllO2IZXgqNygiVb+dDLJJwVw3AJwV34t2jzR+/tUNVeJ9XddKpYQektNHsFmY93lJw5QDSbeH/mAC4KPoUM47EriINKEelRbyG4hC/ko/e2JWqEclPS9LP7GtqGmscXXo4JFkqnKw4TIRD52XI9n1syYM9Y8rJ88fjC/Lpn+01AB0paLVIfppJU35t0Ho9doHAEfEvcQA6tcm7FLJUvklAxc8WUbdziczbRV40KzDroIkXAZRjX7vXXhh/p7XBYnA0GO8oTa2VY4dTQSeDAUJSUxbzevbL0ll9Gi1uYaTDQyE5gbn2NfJSqq0OYA+3eyGtIVjFYZgi+txSuhw== rsa-key-20160209"]
+  passappsha256 = [
+    "c32255dbf6fd6b64883ec8801f793bccfa2a860f2b1ae1315cd95cdac1338efa", # TestAppPw1
+    "c9853d5f2599e90497e9f8cc671bd2022b0fb5d1bd7cfff92f079e8f8f02b8d3", # TestAppPw2
+    "4939efa7c87095dacb5e7e8b8cfb3a660fa1f5edcc9108f6d7ec20ea4d6b3a88", # TestAppPw3
+  ]
+
+#################
+# The groups section contains a hardcoded list of valid users.
+[[groups]]
+  name = "superheros"
+  gidnumber = 5501
+
+[[groups]]
+  name = "svcaccts"
+  gidnumber = 5502
+
+[[groups]]
+  name = "vpn"
+  gidnumber = 5503
+  includegroups = [ 5501 ]
+

.circleci/pgcat.toml

@@ -49,7 +49,6 @@ tls_private_key = ".circleci/server.key"
 # Connecting to that database allows running commands like `SHOW POOLS`, `SHOW DATABASES`, etc..
 admin_username = "admin_user"
 admin_password = "admin_pass"
-admin_auth_type = "md5"
 
 # pool
 # configs are structured as pool.<pool_name>
@@ -99,7 +98,6 @@ sharding_function = "pg_bigint_hash"
 [pools.sharded_db.users.0]
 username = "sharding_user"
 password = "sharding_user"
-auth_type = "md5"
 # Maximum number of server connections that can be established for this user
 # The maximum number of connection from a single Pgcat process to any database in the cluster
 # is the sum of pool_size across all users.
@@ -109,7 +107,6 @@ statement_timeout = 0
 [pools.sharded_db.users.1]
 username = "other_user"
 password = "other_user"
-auth_type = "md5"
 pool_size = 21
 statement_timeout = 30000
 
@@ -150,7 +147,6 @@ prepared_statements_cache_size = 500
 [pools.simple_db.users.0]
 username = "simple_user"
 password = "simple_user"
-auth_type = "md5"
 pool_size = 5
 statement_timeout = 30000
 

.circleci/pgcat_ldap.toml

@@ -0,0 +1,25 @@
+
+[general]
+host = "0.0.0.0"
+port = 6432
+admin_username = "admin_user"
+admin_password = ""
+admin_auth_type = "ldap"
+admin_auth_ldapurl = "ldap://127.0.0.1:3893"
+admin_auth_ldapsuffix  = "@example.com"
+
+[pools.sharded_db.users.0]
+username = "sharding_user"
+password = "sharding_user"
+auth_type = "ldap"
+auth_ldapurl = "ldap://127.0.0.1:3893"
+auth_ldapsuffix  = "@example.com"
+pool_size = 10
+min_pool_size = 1
+pool_mode = "transaction"
+
+[pools.sharded_db.shards.0]
+servers = [
+  [ "127.0.0.1", 5432, "primary" ],
+]
+database = "shard0"

.circleci/pgcat_trust.toml

@@ -1,6 +1,5 @@
 
 [general]
-
 host = "0.0.0.0"
 port = 6432
 admin_username = "admin_user"

pgcat.minimal.toml

@@ -5,18 +5,12 @@
 
 host = "0.0.0.0"
 port = 6433
-admin_username = "jdoe"
+admin_username = "pgcat"
 admin_password = "pgcat"
-admin_auth_type = "ldap"
-admin_auth_ldapurl = "ldap://127.0.0.1:3893"
-admin_auth_ldapsuffix  = "@example.com"
 
 [pools.pgml.users.0]
-username = "jdoe"
+username = "postgres"
 password = "postgres"
-auth_type = "ldap"
-auth_ldapurl = "ldap://127.0.0.1:3893"
-auth_ldapsuffix  = "@example.com"
 pool_size = 10
 min_pool_size = 1
 pool_mode = "transaction"

pgcat.toml

@@ -76,7 +76,6 @@ verify_server_certificate = false
 admin_username = "admin_user"
 # Password to access the virtual administrative database
 admin_password = "admin_pass"
-admin_auth_type = "md5"
 
 # Default plugins that are configured on all pools.
 [plugins]
@@ -275,8 +274,6 @@ result = [
 # if `server_username` is not set.
 username = "sharding_user"
 
-auth_type = "md5"
-
 # PostgreSQL password used to authenticate the user and connect to the server
 # if `server_password` is not set.
 password = "sharding_user"
@@ -302,7 +299,6 @@ statement_timeout = 0
 [pools.sharded_db.users.1]
 username = "other_user"
 password = "other_user"
-auth_type = "md5"
 pool_size = 21
 statement_timeout = 15000
 connect_timeout = 1000
@@ -341,7 +337,6 @@ sharding_function = "pg_bigint_hash"
 [pools.simple_db.users.0]
 username = "simple_user"
 password = "simple_user"
-auth_type = "md5"
 pool_size = 5
 min_pool_size = 3
 server_lifetime = 60000

src/config.rs

@@ -208,6 +208,8 @@ impl Address {
 pub struct User {
     pub username: String,
     pub password: Option<String>,
+
+    #[serde(default = "User::default_auth_type")]
     pub auth_type: String,
     pub auth_ldapsuffix: Option<String>,
     pub auth_ldapurl: Option<String>,
@@ -245,6 +247,10 @@ impl Default for User {
 }
 
 impl User {
+    pub fn default_auth_type() -> String {
+        "md5".into()
+    }
+
     fn validate(&self) -> Result<(), Error> {
         if let Some(min_pool_size) = self.min_pool_size {
             if min_pool_size > self.pool_size {
@@ -339,7 +345,10 @@ pub struct General {
 
     pub admin_username: String,
     pub admin_password: String,
+
+    #[serde(default = "General::default_admin_auth_type")]
     pub admin_auth_type: String,
+
     pub admin_auth_ldapurl: Option<String>,
     pub admin_auth_ldapsuffix: Option<String>,
 
@@ -357,6 +366,10 @@ impl General {
         "0.0.0.0".into()
     }
 
+    pub fn default_admin_auth_type() -> String {
+        "md5".into()
+    }
+
     pub fn default_port() -> u16 {
         5432
     }

tests/docker/Dockerfile

@@ -6,6 +6,8 @@ RUN apt-get update && apt-get install llvm-11 psmisc postgresql-contrib postgres
 RUN cargo install cargo-binutils rustfilt
 RUN rustup component add llvm-tools-preview
 RUN sudo gem install bundler
+RUN wget -O /usr/bin/glauth https://github.com/glauth/glauth/releases/download/v2.3.2/glauth-linux-amd64
+RUN chmod +x /usr/bin/glauth
 RUN wget -O toxiproxy-2.4.0.deb https://github.com/Shopify/toxiproxy/releases/download/v2.4.0/toxiproxy_2.4.0_linux_$(dpkg --print-architecture).deb && \
 	sudo dpkg -i toxiproxy-2.4.0.deb
 RUN wget -O go1.21.3.linux-$(dpkg --print-architecture).tar.gz https://go.dev/dl/go1.21.3.linux-$(dpkg --print-architecture).tar.gz && \