pkg/sql/pgwire/testdata/auth/scram

config secure
----

sql
CREATE USER foo WITH PASSWORD 'abc';
SET CLUSTER SETTING server.user_login.password_encryption = 'scram-sha-256';
CREATE USER abc WITH PASSWORD 'abc'
----
ok

subtest conn_plaintext

# This subtest checks that a plaintext password provided by a SQL client
# can still be used when the stored credentials for the target user
# use the SCRAM encoding.

set_hba
host all abc all password
----
# Active authentication configuration on this node:
# Original configuration:
# host  all root all cert-password # CockroachDB mandatory rule
# host all abc all password
#
# Interpreted configuration:
# TYPE DATABASE USER ADDRESS METHOD        OPTIONS
host   all      root all     cert-password
host   all      abc  all     password

# User abc has SCRAM credentials, but 'mistake' is not its password.
# Expect authn error.
connect user=abc password=mistake
----
ERROR: password authentication failed for user abc (SQLSTATE 28000)

authlog 5
.*client_connection_end
----
5 {"EventType":"client_connection_start","InstanceID":1,"Network":"tcp","RemoteAddress":"XXX","Timestamp":"XXX"}
6 {"EventType":"client_authentication_info","Info":"HBA rule: host all abc all password","InstanceID":1,"Method":"password","Network":"tcp","RemoteAddress":"XXX","SystemIdentity":"abc","Timestamp":"XXX","Transport":"hostssl"}
7 {"Detail":"password authentication failed for user abc","EventType":"client_authentication_failed","InstanceID":1,"Method":"password","Network":"tcp","Reason":6,"RemoteAddress":"XXX","SystemIdentity":"abc","Timestamp":"XXX","Transport":"hostssl","User":"abc"}
8 {"Duration":"NNN","EventType":"client_session_end","InstanceID":1,"Network":"tcp","RemoteAddress":"XXX","Timestamp":"XXX"}
9 {"Duration":"NNN","EventType":"client_connection_end","InstanceID":1,"Network":"tcp","RemoteAddress":"XXX","Timestamp":"XXX"}

connect user=abc password=abc
----
ok defaultdb

authlog 5
.*client_connection_end
----
10 {"EventType":"client_connection_start","InstanceID":1,"Network":"tcp","RemoteAddress":"XXX","Timestamp":"XXX"}
11 {"EventType":"client_authentication_info","Info":"HBA rule: host all abc all password","InstanceID":1,"Method":"password","Network":"tcp","RemoteAddress":"XXX","SystemIdentity":"abc","Timestamp":"XXX","Transport":"hostssl"}
12 {"EventType":"client_authentication_ok","InstanceID":1,"Method":"password","Network":"tcp","RemoteAddress":"XXX","SystemIdentity":"abc","Timestamp":"XXX","Transport":"hostssl","User":"abc"}
13 {"Duration":"NNN","EventType":"client_session_end","InstanceID":1,"Network":"tcp","RemoteAddress":"XXX","Timestamp":"XXX"}
14 {"Duration":"NNN","EventType":"client_connection_end","InstanceID":1,"Network":"tcp","RemoteAddress":"XXX","Timestamp":"XXX"}


subtest end

subtest only_scram

set_hba
host all foo all scram-sha-256
host all abc all scram-sha-256
----
# Active authentication configuration on this node:
# Original configuration:
# host  all root all cert-password # CockroachDB mandatory rule
# host all foo all scram-sha-256
# host all abc all scram-sha-256
#
# Interpreted configuration:
# TYPE DATABASE USER ADDRESS METHOD        OPTIONS
host   all      root all     cert-password
host   all      foo  all     scram-sha-256
host   all      abc  all     scram-sha-256

subtest only_scram/conn_scram

# For now (testing), foo does not have SCRAM credentials.
connect user=foo password=abc
----
ERROR: password authentication failed for user foo (SQLSTATE 28000)

authlog 7
.*client_connection_end
----
15 {"EventType":"client_connection_start","InstanceID":1,"Network":"tcp","RemoteAddress":"XXX","Timestamp":"XXX"}
16 {"EventType":"client_authentication_info","Info":"HBA rule: host all foo all scram-sha-256","InstanceID":1,"Method":"scram-sha-256","Network":"tcp","RemoteAddress":"XXX","SystemIdentity":"foo","Timestamp":"XXX","Transport":"hostssl"}
17 {"EventType":"client_authentication_info","Info":"user password hash not in SCRAM format","InstanceID":1,"Method":"scram-sha-256","Network":"tcp","RemoteAddress":"XXX","SystemIdentity":"foo","Timestamp":"XXX","Transport":"hostssl","User":"foo"}
18 {"EventType":"client_authentication_info","Info":"scram handshake error: user password hash not in SCRAM format","InstanceID":1,"Method":"scram-sha-256","Network":"tcp","RemoteAddress":"XXX","SystemIdentity":"foo","Timestamp":"XXX","Transport":"hostssl","User":"foo"}
19 {"Detail":"password authentication failed for user foo","EventType":"client_authentication_failed","InstanceID":1,"Method":"scram-sha-256","Network":"tcp","Reason":6,"RemoteAddress":"XXX","SystemIdentity":"foo","Timestamp":"XXX","Transport":"hostssl","User":"foo"}
20 {"Duration":"NNN","EventType":"client_session_end","InstanceID":1,"Network":"tcp","RemoteAddress":"XXX","Timestamp":"XXX"}
21 {"Duration":"NNN","EventType":"client_connection_end","InstanceID":1,"Network":"tcp","RemoteAddress":"XXX","Timestamp":"XXX"}

# User abc has SCRAM credentials, but 'mistake' is not its password.
# Expect authn error.
connect user=abc password=mistake
----
ERROR: password authentication failed for user abc (SQLSTATE 28000)

authlog 6
.*client_connection_end
----
22 {"EventType":"client_connection_start","InstanceID":1,"Network":"tcp","RemoteAddress":"XXX","Timestamp":"XXX"}
23 {"EventType":"client_authentication_info","Info":"HBA rule: host all abc all scram-sha-256","InstanceID":1,"Method":"scram-sha-256","Network":"tcp","RemoteAddress":"XXX","SystemIdentity":"abc","Timestamp":"XXX","Transport":"hostssl"}
24 {"EventType":"client_authentication_info","Info":"scram handshake error: challenge proof invalid","InstanceID":1,"Method":"scram-sha-256","Network":"tcp","RemoteAddress":"XXX","SystemIdentity":"abc","Timestamp":"XXX","Transport":"hostssl","User":"abc"}
25 {"Detail":"password authentication failed for user abc","EventType":"client_authentication_failed","InstanceID":1,"Method":"scram-sha-256","Network":"tcp","Reason":6,"RemoteAddress":"XXX","SystemIdentity":"abc","Timestamp":"XXX","Transport":"hostssl","User":"abc"}
26 {"Duration":"NNN","EventType":"client_session_end","InstanceID":1,"Network":"tcp","RemoteAddress":"XXX","Timestamp":"XXX"}
27 {"Duration":"NNN","EventType":"client_connection_end","InstanceID":1,"Network":"tcp","RemoteAddress":"XXX","Timestamp":"XXX"}


connect user=abc password=abc
----
ok defaultdb

authlog 5
.*client_connection_end
----
28 {"EventType":"client_connection_start","InstanceID":1,"Network":"tcp","RemoteAddress":"XXX","Timestamp":"XXX"}
29 {"EventType":"client_authentication_info","Info":"HBA rule: host all abc all scram-sha-256","InstanceID":1,"Method":"scram-sha-256","Network":"tcp","RemoteAddress":"XXX","SystemIdentity":"abc","Timestamp":"XXX","Transport":"hostssl"}
30 {"EventType":"client_authentication_ok","InstanceID":1,"Method":"scram-sha-256","Network":"tcp","RemoteAddress":"XXX","SystemIdentity":"abc","Timestamp":"XXX","Transport":"hostssl","User":"abc"}
31 {"Duration":"NNN","EventType":"client_session_end","InstanceID":1,"Network":"tcp","RemoteAddress":"XXX","Timestamp":"XXX"}
32 {"Duration":"NNN","EventType":"client_connection_end","InstanceID":1,"Network":"tcp","RemoteAddress":"XXX","Timestamp":"XXX"}

subtest end

subtest end


subtest scram_cert

set_hba
host all all all cert-scram-sha-256
----
# Active authentication configuration on this node:
# Original configuration:
# host  all root all cert-password # CockroachDB mandatory rule
# host all all all cert-scram-sha-256
#
# Interpreted configuration:
# TYPE DATABASE USER ADDRESS METHOD             OPTIONS
host   all      root all     cert-password
host   all      all  all     cert-scram-sha-256

subtest scram_cert/cert

# testuser is presenting a valid TLS client cert.

connect user=testuser
----
ok defaultdb

subtest end

subtest scram_cert/scram

connect user=foo password=abc
----
ERROR: password authentication failed for user foo (SQLSTATE 28000)


connect user=abc password=abc
----
ok defaultdb

subtest end

subtest end