[wip] Test client certificate authentication

Author: charmander

.travis.yml

@@ -1,68 +1,32 @@
 language: node_js
 dist: bionic
 
-before_script: |
-  yarn build
-  node packages/pg/script/create-test-tables.js postgresql:///
-
-env:
-  - CC=clang CXX=clang++ npm_config_clang=1 PGUSER=postgres PGDATABASE=postgres
-
-node_js:
-  - lts/dubnium
-  - lts/erbium
-  # node 13.7 seems to have changed behavior of async iterators exiting early on streams
-  # if 13.8 still has this problem when it comes down I'll talk to the node team about the change
-  # in the mean time...peg to 13.6
-  - 13.6
-  - 14
-
 addons:
   postgresql: '10'
 
 matrix:
   include:
-    # Run tests/paths that require password authentication
-    - node_js: lts/erbium
-      env:
-        - CC=clang CXX=clang++ npm_config_clang=1 PGUSER=postgres PGDATABASE=postgres PGPASSWORD=test-password SCRAM_TEST_PGUSER=scram_test SCRAM_TEST_PGPASSWORD=test4scram
-      before_script: |
-        sudo -u postgres sed -i \
-          -e '/^local/ s/trust$/peer/' \
-          -e '/^host/ s/trust$/md5/' \
-          /etc/postgresql/10/main/pg_hba.conf
-        sudo -u postgres psql -c "ALTER ROLE postgres PASSWORD 'test-password'; SELECT pg_reload_conf()"
-        yarn build
-        node packages/pg/script/create-test-tables.js postgresql:///
-        sudo -u postgres -- psql \
-          -c "SET password_encryption = 'scram-sha-256'" \
-          -c "CREATE ROLE scram_test login password 'test4scram'"
-
-    - node_js: lts/carbon
-      addons:
-        postgresql: '9.5'
-      dist: precise
-
-    # different PostgreSQL versions on Node LTS
-    - node_js: lts/erbium
-      addons:
-        postgresql: '9.3'
-    - node_js: lts/erbium
-      addons:
-        postgresql: '9.4'
-    - node_js: lts/erbium
-      addons:
-        postgresql: '9.5'
-    - node_js: lts/erbium
-      addons:
-        postgresql: '9.6'
-
-    # only run lint on latest Node LTS
+    # Run tests/paths with client certificate authentication
     - node_js: lts/*
-      script: yarn lint
-
-    # PostgreSQL 9.2 only works on precise
-    - node_js: lts/carbon
-      addons:
-        postgresql: '9.2'
-      dist: precise
+      env:
+        - CC=clang CXX=clang++ npm_config_clang=1 PGUSER=postgres PGDATABASE=postgres
+          PGSSLMODE=verify-full
+          PGSSLROOTCERT=$TRAVIS_BUILD_DIR/packages/pg/test/tls/test-server-ca.crt
+          PGSSLCERT=$TRAVIS_BUILD_DIR/packages/pg/test/tls/test-client.crt
+          PGSSLKEY=$TRAVIS_BUILD_DIR/packages/pg/test/tls/test-client.key
+          PG_CLIENT_CERT_TEST=1
+      before_script:
+        - |
+          cat <<'travis ci breaks heredoc' | sudo tee -a /etc/postgresql/10/main/postgresql.conf
+            ssl = on
+            ssl_cert_file = 'test-server.crt'
+            ssl_key_file = 'test-server.key'
+            ssl_ca_file = 'test-client-ca.crt'
+
+        - printf 'hostssl all all %s cert\n' 127.0.0.1/32 ::1/128 | sudo tee /etc/postgresql/10/main/pg_hba.conf
+        - sudo make -C packages/pg/test/tls install DESTDIR=/etc/postgresql/10/main
+        - sudo systemctl restart postgresql
+        - yarn build
+      script: |
+        node packages/pg/test/integration/connection-pool/test-tls.js
+        node packages/pg/test/integration/connection-pool/test-tls.js native

packages/pg/script/create-test-tables.js

@@ -1,4 +1,5 @@
 'use strict'
+var fs = require('fs')
 var args = require('../test/cli')
 var pg = require('../lib')
 
@@ -31,13 +32,31 @@ var people = [
   { name: 'Zanzabar', age: 260 },
 ]
 
-var con = new pg.Client({
+var config = {
   host: args.host,
   port: args.port,
   user: args.user,
   password: args.password,
   database: args.database,
-})
+}
+
+if (process.env.PGSSLMODE) {
+  config.ssl = {}
+
+  if (process.env.PGSSLROOTCERT) {
+    config.ssl.ca = fs.readFileSync(process.env.PGSSLROOTCERT)
+  }
+
+  if (process.env.PGSSLCERT) {
+    config.ssl.cert = fs.readFileSync(process.env.PGSSLCERT)
+  }
+
+  if (process.env.PGSSLKEY) {
+    config.ssl.key = fs.readFileSync(process.env.PGSSLKEY)
+  }
+}
+
+var con = new pg.Client(config)
 
 con.connect((err) => {
   if (err) {

packages/pg/test/integration/connection-pool/tls-tests.js

@@ -0,0 +1,23 @@
+'use strict'
+
+const fs = require('fs')
+
+const helper = require('./test-helper')
+const pg = helper.pg
+
+const suite = new helper.Suite()
+
+if (process.env.PG_CLIENT_CERT_TEST) {
+  suite.testAsync('client certificate', async () => {
+    const pool = new pg.Pool({
+      ssl: {
+        ca: fs.readFileSync(process.env.PGSSLROOTCERT),
+        cert: fs.readFileSync(process.env.PGSSLCERT),
+        key: fs.readFileSync(process.env.PGSSLKEY),
+      },
+    })
+
+    await pool.query('SELECT 1')
+    await pool.end()
+  })
+}

packages/pg/test/tls/GNUmakefile

@@ -0,0 +1,71 @@
+DESTDIR ::= /var/lib/postgres/data
+POSTGRES_USER ::= postgres
+POSTGRES_GROUP ::= postgres
+DATABASE_HOST ::= localhost
+DATABASE_USER ::= postgres
+
+all: \
+	test-server-ca.crt \
+	test-client-ca.crt \
+	test-server.key \
+	test-server.crt \
+	test-client.key \
+	test-client.crt
+
+clean:
+	rm -f \
+		test-server-ca.key \
+		test-client-ca.key \
+		test-server-ca.crt \
+		test-client-ca.crt \
+		test-server.key \
+		test-server.crt \
+		test-client.key \
+		test-client.crt
+
+install: test-server.crt test-server.key test-client-ca.crt
+	install \
+		--owner=$(POSTGRES_USER) \
+		--group=$(POSTGRES_GROUP) \
+		--mode=0600 \
+		-t $(DESTDIR) \
+		$^
+
+test-%-ca.crt: test-%-ca.key
+	openssl req -new -x509 \
+		-subj '/CN=node-postgres test $* CA' \
+		-days 3650 \
+		-key $< \
+		-out $@
+
+test-server.csr: test-server.key
+	openssl req -new \
+		-subj '/CN=$(DATABASE_HOST)' \
+		-key $< \
+		-out $@
+
+test-client.csr: test-client.key
+	openssl req -new \
+		-subj '/CN=$(DATABASE_USER)' \
+		-key $< \
+		-out $@
+
+test-%.crt: test-%.csr test-%-ca.crt test-%-ca.key
+	openssl x509 -req \
+		-CA test-$*-ca.crt \
+		-CAkey test-$*-ca.key \
+		-set_serial 1 \
+		-days 3650 \
+		-in $< \
+		-out $@
+
+%.key:
+	openssl genpkey \
+		-algorithm EC \
+		-pkeyopt ec_paramgen_curve:prime256v1 \
+		-out $@
+
+.PHONY: all clean install
+.SECONDARY: test-server-ca.key test-client-ca.key
+.INTERMEDIATE: test-server.csr test-client.csr
+.POSIX:

packages/pg/test/tls/test-client-ca.crt

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAUmgAwIBAgIUNYMF06PrmjsMR6x+C8k5YZn9heAwCgYIKoZIzj0EAwIw
+JzElMCMGA1UEAwwcbm9kZS1wb3N0Z3JlcyB0ZXN0IGNsaWVudCBDQTAeFw0yMDEw
+MzExOTI1NDdaFw0zMDEwMjkxOTI1NDdaMCcxJTAjBgNVBAMMHG5vZGUtcG9zdGdy
+ZXMgdGVzdCBjbGllbnQgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASI/Efx
+Pq0P54VKPkTUOTwBH1iuYbnLpd4kAGjb1E334/p9CEBbDREVSqDjYjWswFybxKIF
+ooKXtMpEMJfymJAUo1MwUTAdBgNVHQ4EFgQU/b/FRwYZ5/VMjdesIolksiqNYK4w
+HwYDVR0jBBgwFoAU/b/FRwYZ5/VMjdesIolksiqNYK4wDwYDVR0TAQH/BAUwAwEB
+/zAKBggqhkjOPQQDAgNIADBFAiEApHFCAWGbRGqYkyiBO+gMyX6gF5oFJywUupZP
+LfgIRDACIDBZotzPe6+BIl2fU9Xgm7CxV6cCoX8bPEJKveKMnOaN
+-----END CERTIFICATE-----

packages/pg/test/tls/test-client-ca.key

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgKsipfQWM+41FriF7
+kRxVaiNi8qY1fzLx6Dp/gUQQPG6hRANCAASI/EfxPq0P54VKPkTUOTwBH1iuYbnL
+pd4kAGjb1E334/p9CEBbDREVSqDjYjWswFybxKIFooKXtMpEMJfymJAU
+-----END PRIVATE KEY-----

packages/pg/test/tls/test-client.crt

@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE-----
+MIIBITCByAIBATAKBggqhkjOPQQDAjAnMSUwIwYDVQQDDBxub2RlLXBvc3RncmVz
+IHRlc3QgY2xpZW50IENBMB4XDTIwMTAzMTE5MjU0N1oXDTMwMTAyOTE5MjU0N1ow
+EzERMA8GA1UEAwwIcG9zdGdyZXMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARY
+4j5AgTLi/O/UTB8l1mX+nD9u3SW9RwN1mekcqEZqCpOPMsQEQ/HLxaKnoSTD6w/G
+NqrBnHlbMGPwEdKvV96bMAoGCCqGSM49BAMCA0gAMEUCIQDzfjm+BzmjrsIO4QRu
+Et0ShHBK3Kley3oqnzoJHCUSmAIgdF5gELQ5mlJVX3bAI8h1cKiC/L6awwg7eBDU
+S1gBTaI=
+-----END CERTIFICATE-----

packages/pg/test/tls/test-client.key

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgL9jW07+fXy/74Ub3
+579RXm0Xpo7lnNnQleSzkTEXCrmhRANCAARY4j5AgTLi/O/UTB8l1mX+nD9u3SW9
+RwN1mekcqEZqCpOPMsQEQ/HLxaKnoSTD6w/GNqrBnHlbMGPwEdKvV96b
+-----END PRIVATE KEY-----

packages/pg/test/tls/test-server-ca.crt

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAUmgAwIBAgIUD582G2ou0Lg9q7AJeAMpiQVaiPQwCgYIKoZIzj0EAwIw
+JzElMCMGA1UEAwwcbm9kZS1wb3N0Z3JlcyB0ZXN0IHNlcnZlciBDQTAeFw0yMDEw
+MzExOTI1NDdaFw0zMDEwMjkxOTI1NDdaMCcxJTAjBgNVBAMMHG5vZGUtcG9zdGdy
+ZXMgdGVzdCBzZXJ2ZXIgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT/jGRh
+FiZu96o0hfgIkep4PusTwI6P1ASFh8LgnUu2bMcIlYakQK0ap2XvCaSl9675+Lu9
+yNZaSZVA5LpFICXto1MwUTAdBgNVHQ4EFgQUHI1BK+6u7r9r1XhighuP2/eGcQUw
+HwYDVR0jBBgwFoAUHI1BK+6u7r9r1XhighuP2/eGcQUwDwYDVR0TAQH/BAUwAwEB
+/zAKBggqhkjOPQQDAgNIADBFAiALwBWN9pRpaGQ12G9ERACn8/6RtAoO4lI5RmaR
+rsTHtAIhAJxMfzNIgBAgX7vBSjHaqA08CozIctDSVag/rDlAzgy0
+-----END CERTIFICATE-----

packages/pg/test/tls/test-server-ca.key

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgyUd4vHDNrEFzfttP
+z+AFp3Tbyui+b3i9YDW7VqpMOIKhRANCAAT/jGRhFiZu96o0hfgIkep4PusTwI6P
+1ASFh8LgnUu2bMcIlYakQK0ap2XvCaSl9675+Lu9yNZaSZVA5LpFICXt
+-----END PRIVATE KEY-----

packages/pg/test/tls/test-server.crt

@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE-----
+MIIBITCByQIBATAKBggqhkjOPQQDAjAnMSUwIwYDVQQDDBxub2RlLXBvc3RncmVz
+IHRlc3Qgc2VydmVyIENBMB4XDTIwMTAzMTE5MjU0N1oXDTMwMTAyOTE5MjU0N1ow
+FDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+4Mwi6dHeWRZ2QU19a5ykq6gJfIVJDEaJqNlWXk/5/laiGy8ScBV0YAlvk9xsfAyU
+YDxcQTjQkeC0bbzhdEPjNjAKBggqhkjOPQQDAgNHADBEAiB+DW/8Kg3tuoovAE+8
+1Pv/8OkF3MD4A1ztULkW3KJ4PwIgMn7ea3HrEQJoeSKFe1kKIgNrHftdC5kZQYj5
+uNXYpLo=
+-----END CERTIFICATE-----

packages/pg/test/tls/test-server.key

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBoW9xxWBH2tHiPFk
+9ajPALHyw0lHAY1DF8WvHQNodx2hRANCAATgzCLp0d5ZFnZBTX1rnKSrqAl8hUkM
+Romo2VZeT/n+VqIbLxJwFXRgCW+T3Gx8DJRgPFxBONCR4LRtvOF0Q+M2
+-----END PRIVATE KEY-----