I didn't include the authentication TAP tests that Michael wrote in the main SCRAM commit last week. The main issue was that the new test was tacked on the src/test/recovery test suite, for lack of a better place. I propose that we add a whole new src/test/authentication directory for it. It would also be logical to merge src/test/ssl into it, but the SSL test suite has some complicated setup steps, to create the certificates, and it cannot be safely run on a multi-user system. So probably best to keep it separate, after all.

While looking at the test, I noticed that the SCRAM patch didn't include support for logging in with plain 'password' authentication, when the user has a SCRAM verifier stored in pg_authid. That was an oversight. If the client gives the server the plain password, it's easy for the server to verify that it matches the SCRAM verifier.

Attached patches add the TAP test suite, and implement plain 'password' authentication for users with SCRAM verifier. Any comments?

- Heikki

Attachment: 0001-Allow-plaintext-password-authentication-when-user-ha.patch
Description: application/download

Attachment: 0002-Add-TAP-tests-for-password-based-authentication-meth.patch
Description: application/download

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to