From c9532e72a762abeef0996ad8df5da9bbdedbccad Mon Sep 17 00:00:00 2001 From: Jacob Champion Date: Mon, 25 Jan 2021 09:32:44 -0800 Subject: [PATCH] test/kerberos: use a local credentials cache Previously, the Kerberos test suite pushed credentials into the user's default credentials cache. This modified any credentials the user already had, and could cause other psql invocations to misbehave later, as the GSS implementation attempted to use the globally cached test credentials. Use a local credentials cache at tmp_check/krb5cc instead. Clients can be directed to use this cache via the KRB5CCNAME environment variable. --- src/test/kerberos/t/001_auth.pl | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl index 8625059149..d329cb06e3 100644 --- a/src/test/kerberos/t/001_auth.pl +++ b/src/test/kerberos/t/001_auth.pl @@ -75,6 +75,10 @@ my $kdc_datadir = "${TestLib::tmp_check}/krb5kdc"; my $kdc_pidfile = "${TestLib::tmp_check}/krb5kdc.pid"; my $keytab = "${TestLib::tmp_check}/krb5.keytab"; +# Avoid polluting the global credentials cache by creating our own and pointing +# psql to it later using KRB5CCNAME. +my $krb5_cache = "${TestLib::tmp_check}/krb5cc"; + my $dbname = 'postgres'; my $username = 'test1'; my $application = '001_auth.pl'; @@ -185,6 +189,9 @@ sub test_access { my ($node, $role, $query, $expected_res, $gssencmode, $test_name, $expect_log_msg) = @_; + # Use our local credentials cache. + local $ENV{KRB5CCNAME} = $krb5_cache; + # need to connect over TCP/IP for Kerberos my ($res, $stdoutres, $stderrres) = $node->psql( 'postgres', @@ -241,6 +248,9 @@ sub test_query { my ($node, $role, $query, $expected, $gssencmode, $test_name) = @_; + # Use our local credentials cache. + local $ENV{KRB5CCNAME} = $krb5_cache; + # need to connect over TCP/IP for Kerberos my ($res, $stdoutres, $stderrres) = $node->psql( 'postgres', @@ -270,7 +280,7 @@ test_access($node, 'test1', 'SELECT true', 2, '', 'does not log unauthenticated principal', "(test1:[unknown]) FATAL: GSSAPI authentication failed"); -run_log [ $kinit, 'test1' ], \$test1_password or BAIL_OUT($?); +run_log [ $kinit, '-c', $krb5_cache, 'test1' ], \$test1_password or BAIL_OUT($?); test_access($node, 'test1', 'SELECT true', 2, '', 'fails without mapping', ''); -- 2.25.1