diff options
author | Michael Paquier | 2023-01-17 04:41:09 +0000 |
---|---|---|
committer | Michael Paquier | 2023-01-17 04:41:09 +0000 |
commit | 0b717432ff13683f9d13f007dab1c3380cae2f0d (patch) | |
tree | c69f58cd0525b297d71a467a9c8e46a4d5d128d6 | |
parent | da5800d5fa636c6e10c9c98402d872c76aa1c8d0 (diff) |
Track behavior of \1 in pg_ident.conf when quoted
Entries of pg-user in pg_ident.conf that are quoted and include '\1'
allow a replacement from a subexpression in a system user regexp. This
commit adds a test to track this behavior and a note in the
documentation, as it could be affected by the use of an AuthToken for
the pg-user in the IdentLines parsed.
This subject has come up in the discussion aimed at extending the
support of pg-user in ident entries for more patterns.
Author: Jelte Fennema
Discussion: https://postgr.es/m/CAGECzQRNow4MwkBjgPxywXdJU_K3a9+Pm78JB7De3yQwwkTDew@mail.gmail.com
-rw-r--r-- | doc/src/sgml/client-auth.sgml | 3 | ||||
-rw-r--r-- | src/test/authentication/t/003_peer.pl | 13 |
2 files changed, 16 insertions, 0 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index cc8c59206c..e4959663c4 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -960,6 +960,9 @@ mymap /^(.*)@otherdomain\.com$ guest will remove the domain part for users with system user names that end with <literal>@mydomain.com</literal>, and allow any user whose system name ends with <literal>@otherdomain.com</literal> to log in as <literal>guest</literal>. + Quoting a <replaceable>database-username</replaceable> containing + <literal>\1</literal> <emphasis>does not</emphasis> make + <literal>\1</literal> lose its special meaning. </para> <tip> diff --git a/src/test/authentication/t/003_peer.pl b/src/test/authentication/t/003_peer.pl index 966b2aa47e..e6f5fdba16 100644 --- a/src/test/authentication/t/003_peer.pl +++ b/src/test/authentication/t/003_peer.pl @@ -153,6 +153,19 @@ test_role( log_like => [qr/connection authenticated: identity="$system_user" method=peer/]); +# Success as the regular expression matches and \1 is replaced in the given +# subexpression, even if quoted. +reset_pg_ident($node, 'mypeermap', qq{/^$system_user(.*)\$}, + '"test\1mapuser"'); +test_role( + $node, + qq{testmapuser}, + 'peer', + 0, + 'with regular expression in user name map with quoted \1 replaced', + log_like => + [qr/connection authenticated: identity="$system_user" method=peer/]); + # Failure as the regular expression does not include a subexpression, but # the database user contains \1, requesting a replacement. reset_pg_ident($node, 'mypeermap', qq{/^$system_user\$}, '\1testmapuser'); |