fivedev/five
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e83787750aaa01f7e8b9c82f5d1b97a02d4edf61
five/tests/pgserver/run.sh
CharlesKWON e83787750a feat(pgserver): SCRAM-SHA-256 authentication (Phase 5.1) 
PG14+ clients (libpq, pgx, JDBC) prefer SCRAM over MD5 when offered;
this lands the five-message exchange (SASL / SASLInitialResponse /
SASLContinue / SASLResponse / SASLFinal) so they get their preferred
path. MD5 stays as the universal fallback.

Storage stays plaintext in the in-memory role registry — per-auth we
generate a fresh salt + iter, derive SaltedPassword on the fly. Same
net security as the existing MD5 path, while matching wire output to
RFC 5802 byte for byte.

Critical detail: pgproto3's Backend multiplexes PasswordMessage,
SASLInitialResponse, and SASLResponse onto the same 'p' byte tag.
Without SetAuthType() the decoder picks PasswordMessage and the
handshake fails immediately. Switch state to AuthTypeSASL before
the client-first receive and AuthTypeSASLContinue before the
client-final receive.

Verified:
  * SCRAM math (PBKDF2 / HMAC / proof verify / server signature)
    via pinned unit test
  * Live psql round-trip — correct password accepted, wrong password
    rejected with proper SQLSTATE 28P01
  * All 6 mandatory gates green (go test, SQL 43/43, compat 56/56,
    std.ch 17/17, FRB 7/7, pgserver 11/11)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-22 09:24:34 +09:00

240 lines
8.1 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# tests/pgserver/run.sh — integration harness for the pgserver wire
# layer. Builds a bootstrap PRG that starts the server, then drives
# it from a Go-side pgx client (located alongside this script).
#
# Verified scope (Phase 3):
# * CREATE TABLE / INSERT / UPDATE / DELETE over Simple Query
# * BEGIN / COMMIT / ROLLBACK from the wire
# * Two-connection cross-visibility on shared DBF
# * Per-session ROLLBACK doesn't affect other connection
#
# Known limitation (tracked for Phase 7):
# * ≥3 concurrent connections doing in-flight INSERT/SELECT in
# their own transactions can race at the hbrdd workarea layer
# — surfaces as one worker's just-inserted row missing from its
# own SELECT. Two-connection serial use, and N-connection use
# where each goroutine completes its txn before the next starts,
# are both reliable. Multi-way append-time WA arbitration is
# deferred until the audit's "WorkArea collision under multi-
# session" Top-Risk #2 fix lands.
set -e
ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
FIVE="$ROOT/five"
PORT="${PGSERVER_TEST_PORT:-15432}"
if [ ! -x "$FIVE" ]; then
echo "five binary not found at $FIVE — run 'go build -o five ./cmd/five' first" >&2
exit 2
fi
if ! command -v psql >/dev/null 2>&1; then
echo "psql not in PATH — install PostgreSQL client tools to run this suite" >&2
exit 2
fi
work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT
# Bootstrap PRG — opens nothing, just stands up the server.
cat > "$work/boot.prg" <<EOF
PROCEDURE Main()
PG_SERVER_START( ":$PORT" )
RETURN
EOF
"$FIVE" build "$work/boot.prg" "$ROOT/_FiveSql2/src/"*.prg -o "$work/boot" >/dev/null 2>&1
"$work/boot" &
SERVER_PID=$!
sleep 1
trap "kill $SERVER_PID 2>/dev/null; rm -rf '$work'" EXIT
pass=0
total=0
ok() {
pass=$((pass+1))
total=$((total+1))
echo "PASS $1"
}
fail() {
total=$((total+1))
echo "FAIL $1"
echo "$2" | sed 's/^/ /'
}
# 1) Simple Query via psql.
out="$(psql "postgres://alice:any@127.0.0.1:$PORT/alice?sslmode=disable" \
-c "SELECT 1 AS one, 'hello' AS greet" -At 2>&1 || true)"
if echo "$out" | grep -q "1|hello"; then
ok "Simple Query: SELECT 1, 'hello'"
else
fail "Simple Query: SELECT 1, 'hello'" "$out"
fi
# 2) Multi-statement Simple Query — each ';'-separated stmt rolls
# through the engine independently. Verifies wire reuses one
# session across statements without bleed.
out="$(psql "postgres://alice:any@127.0.0.1:$PORT/alice?sslmode=disable" -At <<SQL 2>&1 || true
SELECT 'first';
SELECT 2 AS n;
SQL
)"
if echo "$out" | grep -q "first" && echo "$out" | grep -q "^2$"; then
ok "Multi-statement Simple Query"
else
fail "Multi-statement Simple Query" "$out"
fi
# Note on Extended Protocol coverage:
# psql can't drive raw Parse/Bind/Execute from -c invocations
# (PG's SQL-level PREPARE/EXECUTE is a separate feature that
# FiveSql2 doesn't parse). The Extended Protocol path is instead
# covered by hbrtl/pgserver/wire_test.go (Go unit) plus the
# pgx-driven manual sanity script in /tmp/pgs_test/. Adding a
# self-contained Go integration that bootstraps the server +
# drives pgx in one process is Phase 7 work.
# 3) Transaction control via simple query — BEGIN/COMMIT round-trip
# must leave ReadyForQuery in 'I' state so psql doesn't hang on
# the next command.
out="$(psql "postgres://alice:any@127.0.0.1:$PORT/alice?sslmode=disable" -At <<SQL 2>&1 || true
BEGIN;
SELECT 'in-txn';
COMMIT;
SELECT 'post-commit';
SQL
)"
if echo "$out" | grep -q "in-txn" && echo "$out" | grep -q "post-commit"; then
ok "Transaction control: BEGIN/COMMIT round-trip"
else
fail "Transaction control: BEGIN/COMMIT round-trip" "$out"
fi
# 4) MD5 authentication — kill the trust-mode server, restart with
# md5 + a known role, then verify both the rejection and success
# paths.
kill $SERVER_PID 2>/dev/null
wait 2>/dev/null
cat > "$work/auth.prg" <<EOF
PROCEDURE Main()
PG_ADD_ROLE( "alice", "swordfish" )
PG_SERVER_START( ":$PORT", "md5" )
RETURN
EOF
"$FIVE" build "$work/auth.prg" "$ROOT/_FiveSql2/src/"*.prg -o "$work/auth" >/dev/null 2>&1
"$work/auth" &
SERVER_PID=$!
sleep 1
trap "kill $SERVER_PID 2>/dev/null; rm -rf '$work'" EXIT
bad="$(PGPASSWORD=wrong psql "postgres://alice@127.0.0.1:$PORT/alice?sslmode=disable" \
-c "SELECT 1" 2>&1 | head -1 || true)"
if echo "$bad" | grep -qi "md5 authentication failed"; then
ok "MD5 auth: wrong password rejected"
else
fail "MD5 auth: wrong password rejected" "$bad"
fi
good="$(PGPASSWORD=swordfish psql "postgres://alice@127.0.0.1:$PORT/alice?sslmode=disable" \
-c "SELECT 'ok' AS x" -At 2>&1 || true)"
if echo "$good" | grep -q "^ok$"; then
ok "MD5 auth: correct password accepted"
else
fail "MD5 auth: correct password accepted" "$good"
fi
# 4b) SCRAM-SHA-256 — restart server in scram mode and verify both
# the rejection and success paths. PG 14+ clients prefer SCRAM when
# offered, so this is the most-exercised auth path in production.
kill $SERVER_PID 2>/dev/null
wait 2>/dev/null
cat > "$work/scram.prg" <<EOF
PROCEDURE Main()
PG_ADD_ROLE( "alice", "swordfish" )
PG_SERVER_START( ":$PORT", "scram-sha-256" )
RETURN
EOF
"$FIVE" build "$work/scram.prg" "$ROOT/_FiveSql2/src/"*.prg -o "$work/scram" >/dev/null 2>&1
"$work/scram" &
SERVER_PID=$!
sleep 1
trap "kill $SERVER_PID 2>/dev/null; rm -rf '$work'" EXIT
scram_bad="$(PGPASSWORD=wrong psql "postgres://alice@127.0.0.1:$PORT/alice?sslmode=disable" \
-c "SELECT 1" 2>&1 | head -1 || true)"
if echo "$scram_bad" | grep -qi "SCRAM authentication failed"; then
ok "SCRAM-SHA-256: wrong password rejected"
else
fail "SCRAM-SHA-256: wrong password rejected" "$scram_bad"
fi
scram_good="$(PGPASSWORD=swordfish psql "postgres://alice@127.0.0.1:$PORT/alice?sslmode=disable" \
-c "SELECT 'scram-ok' AS x" -At 2>&1 || true)"
if echo "$scram_good" | grep -q "^scram-ok$"; then
ok "SCRAM-SHA-256: correct password accepted"
else
fail "SCRAM-SHA-256: correct password accepted" "$scram_good"
fi
# 5) TLS — restart server with self-signed cert + allowlist and
# connect via psql sslmode=require.
kill $SERVER_PID 2>/dev/null
wait 2>/dev/null
cat > "$work/tls.prg" <<EOF
PROCEDURE Main()
PG_TLS_SELF_SIGNED( "$work/cert.pem", "$work/key.pem", "localhost" )
PG_ADD_ROLE( "alice", "swordfish" )
PG_ALLOW_IP( "127.0.0.1/32" )
PG_SERVER_START( ":$PORT", "md5" )
RETURN
EOF
"$FIVE" build "$work/tls.prg" "$ROOT/_FiveSql2/src/"*.prg -o "$work/tls" >/dev/null 2>&1
"$work/tls" &
SERVER_PID=$!
sleep 1
trap "kill $SERVER_PID 2>/dev/null; rm -rf '$work'" EXIT
tls_out="$(PGPASSWORD=swordfish psql "postgres://alice@127.0.0.1:$PORT/alice?sslmode=require" \
-c "SELECT 'tls-ok' AS x" -At 2>&1 || true)"
if echo "$tls_out" | grep -q "^tls-ok$"; then
ok "TLS handshake + MD5 auth via sslmode=require"
else
fail "TLS handshake + MD5 auth via sslmode=require" "$tls_out"
fi
# 6) pg_catalog stubs — BI-tool metadata probes must succeed
# (DBeaver / Tableau / pgAdmin send dozens of these on connect;
# we cover the common shapes so the connection doesn't error
# out before the tool gets to a real query).
ver_out="$(PGPASSWORD=swordfish psql "postgres://alice@127.0.0.1:$PORT/alice?sslmode=require" \
-c 'SELECT version()' -At 2>&1 || true)"
if echo "$ver_out" | grep -q 'PostgreSQL'; then
ok "Catalog probe: SELECT version()"
else
fail "Catalog probe: SELECT version()" "$ver_out"
fi
ns_out="$(PGPASSWORD=swordfish psql "postgres://alice@127.0.0.1:$PORT/alice?sslmode=require" \
-c 'SELECT * FROM pg_namespace' -At 2>&1 || true)"
if echo "$ns_out" | grep -q '|public|'; then
ok "Catalog probe: pg_namespace lists public + pg_catalog"
else
fail "Catalog probe: pg_namespace" "$ns_out"
fi
show_out="$(PGPASSWORD=swordfish psql "postgres://alice@127.0.0.1:$PORT/alice?sslmode=require" \
-c 'SHOW server_version_num' -At 2>&1 || true)"
if echo "$show_out" | grep -q '^140000$'; then
ok "Catalog probe: SHOW server_version_num"
else
fail "Catalog probe: SHOW server_version_num" "$show_out"
fi
echo "================================================================"
echo " pgserver integration: $pass / $total passed"
echo "================================================================"
[ $pass -eq $total ]
Reference in New Issue View Git Blame Copy Permalink