Add tests for query_auth reload functionality

This change adds tests for query_auth configuration reload and also
does some refactoring.

- Now postgres containers in `docker-compose` are set to use md5 auth.
  Note that this still uses scram if the password is stored using scram.

- Current tests are:
    - Test that activating the functionality can be added without restarting.
    - Test that with a failing `query_auth`, clear text passwords are used.
    - Test that with a correct `query_auth` and without clear text passwords,
      auth works as expected.
    - Test that when we change a password in postgres and reload, the new password is obtained,
      and the pool rotated.
    - Test that we can use and ENV var to set `auth_query_password`.

Author: magec

.circleci/pgcat.toml

@@ -50,10 +50,10 @@ tls_private_key = ".circleci/server.key"
 admin_username = "admin_user"
 admin_password = "admin_pass"
 
-auth_query = "SELECT * FROM public.user_lookup('$1');"
-auth_query_user = "md5_auth_user"
-auth_query_password = "secret"
-auth_query_database = "postgres"
+# auth_query = "SELECT * FROM public.user_lookup('$1');"
+# auth_query_user = "md5_auth_user"
+# auth_query_password = "secret"
+# auth_query_database = "postgres"
 
 # pool
 # configs are structured as pool.<pool_name>

.circleci/query_auth_test.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+# Query auth test
+
+set -e
+set -o xtrace
+
+export LOCAL_IP=$(hostname -i)
+
+# In config file we have this commented:
+#  [general]
+#  ...
+#  auth_query = "SELECT * FROM public.user_lookup('$1');"
+#  auth_query_user = "md5_auth_user"
+#  auth_query_password = "secret"
+#  auth_query_database = "postgres"
+#  ...
+
+# Before (sets up auth_query in postgres and pgcat)
+PGDATABASE=postgres PGPASSWORD=postgres psql -e -h 127.0.0.1 -p 5432 -U postgres -f tests/sharding/query_auth_setup.sql
+sed -i 's/^# auth_query/auth_query/' .circleci/pgcat.toml
+
+# TEST_WRONG_AUTH_QUERY BEGIN
+#    When auth_query fails...
+PGDATABASE=postgres \
+    PGPASSWORD=postgres \
+    psql -e -h 127.0.0.1 -p 5432 -U postgres -c "REVOKE ALL ON FUNCTION public.user_lookup(text) FROM public, md5_auth_user;"
+
+kill -SIGHUP $(pgrep pgcat) # Reload config
+sleep 0.2
+
+#    ... we can still connect.
+echo "When query_auth_config is wrong, we fall back to passwords set in cleartext."
+psql -U sharding_user -h 127.0.0.1 -p 6432 -c 'SELECT 1'
+
+# After
+PGDATABASE=postgres \
+    PGPASSWORD=postgres \
+    psql -e -h 127.0.0.1 -p 5432 -U postgres -c "GRANT EXECUTE ON FUNCTION public.user_lookup(text) TO md5_auth_user;"
+# TEST_WRONG_AUTH_QUERY END
+
+# TEST_AUTH_QUERY BEGIN
+#    When no passwords are specified in config file...
+sed -i 's/^password =/# password =/' .circleci/pgcat.toml
+kill -SIGHUP $(pgrep pgcat) # Reload config
+sleep 0.2
+
+#    ... we can still connect
+echo "When no passwords are specified in config file, and query_auth is set, we can still connect"
+psql -U sharding_user -h 127.0.0.1 -p 6432 -c 'SELECT 1'
+# TEST_AUTH_QUERY END
+
+# TEST_AUTH_QUERY_WITH_ENV_VAR BEGIN
+#    When no passwords are specified in config file...
+sed -i 's/^password =/# password =/' .circleci/pgcat.toml
+#    ... and no auth_query_password is set...
+sed -i 's/^auth_query_password =/# auth_query_password =/' .circleci/pgcat.toml
+kill -SIGTERM $(pgrep pgcat)
+export PGCAT_AUTH_QUERY_PASSWORD=secret
+start_pgcat "info"
+
+#    ... we can still connect
+echo "When no passwords are specified in config file, and query_auth is set using env var for password we can still connect"
+psql -U sharding_user -h 127.0.0.1 -p 6432 -c 'SELECT 1'
+# TEST_AUTH_QUERY_WITH_ENV_VAR END
+
+# TEST_PASSWORD_CHANGE BEGIN
+#    When we change the password of a user in postgres...
+PGDATABASE=postgres \
+    PGPASSWORD=postgres \
+    psql -e -h 127.0.0.1 -p 5432 -U postgres \
+    -c "ALTER USER sharding_user WITH ENCRYPTED PASSWORD 'md5b47a59331e93a520d20e90fc8a3355a4'; --- another_sharding_password"
+
+#    ... and we reload the config...
+kill -SIGHUP $(pgrep pgcat) # Reload config
+sleep 0.2
+
+#    ... we can connect using the new password
+echo "When we change pass in postgres and reload the config, the new hash is fetched."
+PGPASSWORD=another_sharding_password psql -U sharding_user -h "${LOCAL_IP}" -p 6432 -c 'SELECT 1'
+# TEST_PASSWORD_CHANGE END
+
+# After
+PGDATABASE=postgres PGPASSWORD=postgres psql -e -h 127.0.0.1 -p 5432 -U postgres -f tests/sharding/query_auth_teardown.sql
+sed -i 's/^auth_query/# auth_query/' .circleci/pgcat.toml
+sed -i 's/^# password =/password =/' .circleci/pgcat.toml
+
+kill -SIGHUP $(pgrep pgcat)
+sleep 0.2

.circleci/run_tests.sh

@@ -43,20 +43,8 @@ curl --fail localhost:9930/metrics
 export PGPASSWORD=sharding_user
 export PGDATABASE=sharded_db
 
-# Query auth test, we check that without passwords (and query auth) we can connect.
-PGDATABASE=postgres PGPASSWORD=postgres psql -e -h 127.0.0.1 -p 5432 -U postgres -f tests/sharding/query_auth_setup.sql
-sed -i 's/^password =/# password =/' .circleci/pgcat.toml
-kill -SIGTERM $(pgrep pgcat) # restart config
-start_pgcat "info"
-psql -U sharding_user -h 127.0.0.1 -p 6432 -c 'SELECT 1'
-
-# Query auth test, we check that when we have issues executing auth_query, passwords are used.
-# Also, that reload fetches new passwords
-sed -i 's/^# password =/password =/' .circleci/pgcat.toml
-PGDATABASE=postgres PGPASSWORD=postgres psql -e -h 127.0.0.1 -p 5432 -U postgres -f tests/sharding/query_auth_wrong_setup.sql
-kill -SIGTERM $(pgrep pgcat) # restart config
-start_pgcat "info"
-psql -U sharding_user -h 127.0.0.1 -p 6432 -c 'SELECT 1'
+# Query auth test
+source .circleci/query_auth_test.sh
 
 # pgbench test
 pgbench -U sharding_user -i -h 127.0.0.1 -p 6432

tests/docker/docker-compose.yml

@@ -7,7 +7,7 @@ services:
       POSTGRES_USER: postgres
       POSTGRES_DB: postgres
       POSTGRES_PASSWORD: postgres
-      POSTGRES_HOST_AUTH_METHOD: scram-sha-256
+      POSTGRES_HOST_AUTH_METHOD: md5
     command: ["postgres", "-c", "shared_preload_libraries=pg_stat_statements", "-c", "pg_stat_statements.track=all", "-p", "5432"]
   pg2:
     image: postgres:14

tests/sharding/query_auth_setup.sql

@@ -1,3 +1,10 @@
+--- Sets up query_auth test config:
+---   - Change sharding_user password to use md5.
+---   - Adds a new user and a function to perform auth_query.
+
+ALTER ROLE sharding_user ENCRYPTED PASSWORD 'md5fa9d23e5a874c61a91bf37e1e4a9c86e'; --- sharding_user
+CREATE ROLE md5_auth_user ENCRYPTED PASSWORD 'md54ab2c5d00339c4b2a4e921d2dc4edec7' LOGIN; --- secret
+
 CREATE OR REPLACE FUNCTION public.user_lookup(in i_username text, out uname text, out phash text)
 RETURNS record AS $$
 BEGIN

tests/sharding/query_auth_teardown.sql

@@ -0,0 +1,9 @@
+--- Tears down query_auth test config:
+---   - Change password for sharding_user to use scram instead of md5.
+---   - Drops auth query function and user.
+
+ALTER ROLE sharding_user ENCRYPTED PASSWORD 'sharding_user' LOGIN;
+
+REVOKE ALL ON FUNCTION public.user_lookup(text) FROM public, md5_auth_user;
+DROP FUNCTION public.user_lookup(in i_username text, out uname text, out phash text);
+DROP ROLE md5_auth_user;

tests/sharding/query_auth_wrong_setup.sql

@@ -55,11 +55,9 @@ CREATE TABLE data (
 DROP ROLE IF EXISTS sharding_user;
 DROP ROLE IF EXISTS other_user;
 DROP ROLE IF EXISTS simple_user;
-DROP ROLE IF EXISTS md5_auth_user;
-CREATE ROLE sharding_user ENCRYPTED PASSWORD 'md5fa9d23e5a874c61a91bf37e1e4a9c86e' LOGIN; --- sharding_user
-CREATE ROLE other_user ENCRYPTED PASSWORD 'md5cd25b4d66ff35640188a196a4267533d' LOGIN; --- other_user
-CREATE ROLE simple_user ENCRYPTED PASSWORD 'md53c3a1ee0ead8c6c15d61b909b9dca980' LOGIN; -- simple_user
-CREATE ROLE md5_auth_user ENCRYPTED PASSWORD 'md54ab2c5d00339c4b2a4e921d2dc4edec7' LOGIN; --- secret
+CREATE ROLE sharding_user ENCRYPTED PASSWORD 'sharding_user' LOGIN;
+CREATE ROLE other_user ENCRYPTED PASSWORD 'other_user' LOGIN;
+CREATE ROLE simple_user ENCRYPTED PASSWORD 'simple_user' LOGIN;
 
 GRANT CONNECT ON DATABASE shard0  TO sharding_user;
 GRANT CONNECT ON DATABASE shard1  TO sharding_user;