Add groups

README.md

@@ -111,7 +111,6 @@ Set up your CLion to build project in container, [manual](https://github.com/shu
 
 * [include](documentation/configuration.md#include-string)
 * [daemonize](documentation/configuration.md#daemonize-yesno)
-* [sequential\_routing](documentation/configuration.md#sequential_routing-yesno)
 * [priority](documentation/configuration.md#priority-integer)
 * [pid\_file](documentation/configuration.md#pid_file-string)
 * [unix\_socket\_dir](documentation/configuration.md#unix_socket_dir-string)

config-examples/odyssey-dev-with-watchdog.conf

@@ -45,7 +45,6 @@ listen {
 	compression yes
 }
 
-
 storage "postgres_server" {
 	type "remote"
 	host "localhost"

docker/Dockerfile

@@ -79,6 +79,7 @@ COPY ./docker/ldap /ldap
 COPY ./docker/lagpolling /lagpolling
 COPY ./docker/shell-test /shell-test
 COPY ./docker/tsa /tsa
+COPY ./docker/group /group
 COPY ./docker/xproto /xproto
 COPY ./docker/copy /copy
 COPY ./docker/gorm /gorm

docker/bin/setup

@@ -49,7 +49,7 @@ sudo -u postgres /usr/bin/pg_basebackup -D /var/lib/postgresql/14/repl -R -h loc
 sudo -u postgres /usr/lib/postgresql/14/bin/pg_ctl -D /var/lib/postgresql/14/repl/ -o '-p 5433' start
 
 # Create databases
-for database_name in db scram_db ldap_db auth_query_db db1 hba_db tsa_db addr_db xproto_db "spqr-console"; do
+for database_name in db scram_db ldap_db auth_query_db db1 hba_db tsa_db group_db addr_db xproto_db "spqr-console"; do
     sudo -u postgres createdb $database_name >> "$SETUP_LOG" 2>&1 || {
         echo "ERROR: 'createdb $database_name' failed, examine the log"
         cat "$SETUP_LOG"
@@ -63,6 +63,14 @@ mkdir /var/cores
 sudo sysctl -w kernel.core_pattern=/var/cores/core.%p.%e
 pgbench -i -h localhost -p 5432 -U postgres postgres
 
+# Create users
+psql -h localhost -p 5432 -U postgres -c "create role group1; create role group2; create user group_checker; create user group_user1; create user group_user2; create user group_user3; create user group_user4; create user group_user5; create user group_checker1; create user group_checker2;" -d group_db >> $SETUP_LOG 2>&1 || {
+    echo "ERROR: users creation failed, examine the log"
+    cat "$SETUP_LOG"
+    cat "$PG_LOG"
+    exit 1
+}
+
 # Create users
 psql -h localhost -p 5432 -U postgres -c "set password_encryption = 'scram-sha-256'; create user scram_user password 'scram_user_password';" -d scram_db >> $SETUP_LOG 2>&1 || {
     echo "ERROR: users creation failed, examine the log"

docker/entrypoint.sh

@@ -6,6 +6,13 @@ cd /test_dir/test && /usr/bin/odyssey_test
 
 setup
 
+# group
+/group/test_group.sh
+if [ $? -eq 1 ]
+then
+	exit 1
+fi
+
 # gorm
 ody-start
 /gorm/test.sh

docker/group/config.conf

@@ -0,0 +1,122 @@
+listen {
+	host "*"
+	port 6432
+}
+
+storage "postgres_server" {
+	type "remote"
+
+    host "localhost"
+	port 5432
+}
+
+database "group_db" {
+    user "group_user1" {
+        authentication "none"
+        storage "postgres_server"
+        pool "session"
+    }
+
+    group "group1" {
+            authentication "md5"
+            password "password1"
+
+            storage "postgres_server"
+            storage_db "postgres"
+            storage_user "postgres"
+
+            pool_routing "internal"
+            pool "session"
+            group_query "SELECT rolname FROM pg_roles WHERE pg_has_role(rolname, 'group1', 'member');"
+    }
+
+    user "group_user2" {
+        authentication "none"
+        storage "postgres_server"
+        pool "session"
+    }
+
+    user "group_user3" {
+        authentication "none"
+        storage "postgres_server"
+        pool "session"
+    }
+
+    group "group2" {
+            authentication "md5"
+            password "password2"
+
+            storage "postgres_server"
+            storage_db "postgres"
+            storage_user "postgres"
+
+            pool_routing "internal"
+            pool "session"
+            group_query "SELECT rolname FROM pg_roles WHERE pg_has_role(rolname, 'group2', 'member');"
+    }
+
+    user "group_user4" {
+        authentication "none"
+        storage "postgres_server"
+        pool "session"
+    }
+
+    user "group_user5" {
+        authentication "none"
+        storage "postgres_server"
+        pool "session"
+    }
+}
+
+database default {
+	user default {
+		authentication "none"
+
+		storage "postgres_server"
+		pool "session"
+		pool_size 0
+
+		pool_timeout 0
+
+		pool_ttl 1201
+
+		pool_discard no
+
+		pool_cancel yes
+
+		pool_rollback yes
+#		seconds
+		pool_client_idle_timeout 20
+#		seconds
+		pool_idle_in_transaction_timeout 20
+
+		client_fwd_error yes
+		application_name_add_host yes
+		server_lifetime 1901
+		log_debug no
+
+		quantiles "0.99,0.95,0.5"
+		client_max 107
+	}
+}
+
+unix_socket_dir "/tmp"
+unix_socket_mode "0644"
+
+log_file "/var/log/odyssey.log"
+log_format "%p %t %l [%i %s] (%c) %m\n"
+log_debug no
+log_config yes
+log_session no
+log_query no
+log_stats yes
+daemonize yes
+
+locks_dir "/tmp/odyssey"
+graceful_die_on_errors yes
+enable_online_restart yes
+bindwith_reuseport yes
+
+stats_interval 60
+
+pid_file "/var/run/odyssey.pid"

docker/group/test_group.sh

@@ -0,0 +1,81 @@
+#!/bin/bash -x
+
+set -ex
+
+/usr/bin/odyssey /group/config.conf
+
+users=("group_user1" "group_user2" "group_user3" "group_user4" "group_user5")
+for user in "${users[@]}"; do
+	psql -h localhost -p 6432 -U "$user" -c "SELECT 1" group_db >/dev/null 2>&1 || {
+		echo "ERROR: failed backend auth with correct user auth"
+
+		cat /var/log/odyssey.log
+		echo "
+
+		"
+		cat /var/log/postgresql/postgresql-14-main.log
+
+		exit 1
+	}
+done
+
+ody-stop
+
+psql -h localhost -p 5432 -U postgres -c "GRANT group1 TO group_user2;" group_db
+psql -h localhost -p 5432 -U postgres -c "GRANT group1 TO group_user4;" group_db
+psql -h localhost -p 5432 -U postgres -c "GRANT group2 TO group_user4;" group_db
+psql -h localhost -p 5432 -U postgres -c "GRANT group1 TO group_user1;" group_db
+
+/usr/bin/odyssey /group/config.conf
+
+sleep 1
+
+psql -h localhost -p 6432 -U group_user1 -c "SELECT 1" group_db >/dev/null 2>&1 || {
+	echo "ERROR: group auth apply for over user at config"
+
+	cat /var/log/odyssey.log
+	echo "
+
+	"
+	cat /var/log/postgresql/postgresql-14-main.log
+
+	exit 1
+}
+
+psql -h localhost -p 6432 -U group_user2 -c "SELECT 1" group_db >/dev/null 2>&1 && {
+	echo "ERROR: group auth not apply"
+
+	cat /var/log/odyssey.log
+	echo "
+
+	"
+	cat /var/log/postgresql/postgresql-14-main.log
+
+	exit 1
+}
+
+PGPASSWORD=password1 psql -h localhost -p 6432 -U group_user4 -c "SELECT 1" group_db >/dev/null 2>&1 && {
+	echo "ERROR: group auth not accepted down group"
+
+	cat /var/log/odyssey.log
+	echo "
+
+	"
+	cat /var/log/postgresql/postgresql-14-main.log
+
+	exit 1
+}
+
+PGPASSWORD=password2 psql -h localhost -p 6432 -U group_user4 -c "SELECT 1" group_db >/dev/null 2>&1 || {
+	echo "ERROR: group auth not apply"
+
+	cat /var/log/odyssey.log
+	echo "
+
+	"
+	cat /var/log/postgresql/postgresql-14-main.log
+
+	exit 1
+}
+
+ody-stop

docker/hba/test.sh

@@ -53,18 +53,6 @@ PGPASSWORD=correct_password psql -h localhost -p 6432 -U user_unknown -c "SELECT
 	"
 	cat /var/log/postgresql/postgresql-14-main.log
 
-	exit 1
-}  
-
-kill -s HUP $(pgrep odyssey)
-PGPASSWORD=correct_password PGCONNECT_TIMEOUT=5 psql -h localhost -p 6432 -U user_allow -c "SELECT 1" hba_db > /dev/null 2>&1 || {
-  echo "ERROR: unable to connect after SIGHUP"
-
-	cat /var/log/odyssey.log
-	echo "
-	"
-	cat /var/log/postgresql/postgresql-14-main.log
-
 	exit 1
 }
 

documentation/configuration.md

@@ -16,16 +16,6 @@ By default Odyssey does not run as a daemon. Set to 'yes' to enable.
 
 `daemonize no`
 
-#### sequential\_routing_ *yes|no*
-
-Try to match routes exactly in config order.
-
-By default, Odyssey tries to match all specific routes first, and then all default ones.
-It may be confusing because auth-denying default route can be overridden with more specific auth-permitting route below in the config.
-With this option set, Odyssey will match routes exactly in config order, like in HBA files.
-
-`sequential_routing no`
-
 #### priority *integer*
 
 Process priority.

scripts/install_ci.sh

@@ -1,43 +1,10 @@
 #!/usr/bin/env bash
 
-set -e
-
-if ! sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'; then
-    echo "Error adding PostgreSQL repository."
-    exit 1
-fi
-
-if ! wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -; then
-    echo "Error adding PostgreSQL repository key."
-    exit 1
-fi
-
-if ! sudo apt-get update; then
-    echo "Error updating package list."
-    exit 1
-fi
-
-if ! sudo apt-get -y --no-install-recommends install postgresql-14 postgresql-server-dev-14 libpq5 libpq-dev clang-format-11 libpam0g-dev libldap-dev; then
-    echo "Error installing PostgreSQL and its dependencies."
-    exit 1
-fi
-
-if pgrep "postgres" > /dev/null; then
-    if ! sudo pkill -9 postgres; then
-        echo "Error stopping PostgreSQL process."
-        exit 1
-    fi
-fi
-
-if ! sudo sh -c 'echo -n | openssl s_client -connect https://scan.coverity.com:443 | sed -ne "/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p" >> /etc/ssl/certs/ca-certificates.crt'; then
-    echo "Error adding SSL certificate."
-    exit 1
-fi
-
-if ! sudo apt-get clean; then
-    echo "Error cleaning apt-get cache."
-    exit 1
-fi
-
-echo "Script completed successfully."
-exit 0
+set -ex
+
+sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
+wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
+sudo apt-get update
+sudo apt-get -y --no-install-recommends install postgresql-14 postgresql-server-dev-14 libpq5 libpq-dev clang-format-11 libpam0g-dev libldap-dev
+sudo pkill -9 postgres || true
+cho -n | openssl s_client -connect https://scan.coverity.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sudo tee -a /etc/ssl/certs/ca-

sources/CMakeLists.txt

@@ -52,7 +52,8 @@ set(od_src
     hba.c
     hba_reader.c
     hba_rule.c
-    mdb_iamproxy.c)
+    mdb_iamproxy.c
+    group.c)
 
 if (PAM_FOUND)
         list(APPEND od_src pam.c)

sources/config.c

@@ -14,7 +14,6 @@ void od_config_init(od_config_t *config)
 {
 	config->daemonize = 0;
 	config->priority = 0;
-	config->sequential_routing = 0;
 	config->log_debug = 0;
 	config->log_to_stdout = 1;
 	config->log_config = 0;
@@ -246,8 +245,6 @@ void od_config_print(od_config_t *config, od_logger_t *logger)
 	       od_config_yes_no(config->daemonize));
 	od_log(logger, "config", NULL, NULL, "priority                %d",
 	       config->priority);
-	od_log(logger, "config", NULL, NULL, "sequential_routing      %s",
-	       od_config_yes_no(config->sequential_routing));
 	if (config->pid_file)
 		od_log(logger, "config", NULL, NULL,
 		       "pid_file                %s", config->pid_file);

sources/config.h

@@ -27,7 +27,6 @@ struct od_config_listen {
 struct od_config {
 	int daemonize;
 	int priority;
-	int sequential_routing;
 	/* logging */
 	int log_to_stdout;
 	int log_debug;