@@ -626,134 +626,171 @@ def test_libpq5_version(host):
626626def test_jit_pam_module_installed (host ):
627627 """Test that the JIT PAM module (pam_jit_pg.so) is properly installed."""
628628 # Check if gatekeeper is installed via Nix
629- result = run_ssh_command (host ['ssh' ], "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null" )
630- if result ['succeeded' ]:
629+ result = run_ssh_command (
630+ host ["ssh" ],
631+ "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null" ,
632+ )
633+ if result ["succeeded" ]:
631634 print (f"\n JIT PAM module found in Nix profile:\n { result ['stdout' ]} " )
632635 else :
633636 print ("\n JIT PAM module not found in postgres user's Nix profile" )
634637 assert False , "JIT PAM module (pam_jit_pg.so) not found in expected location"
635-
638+
636639 # Check if the symlink exists in the Linux PAM security directory
637- result = run_ssh_command (host ['ssh' ], "find /nix/store -type f -path '*/lib/security/pam_jit_pg.so' 2>/dev/null | head -5" )
638- if result ['succeeded' ] and result ['stdout' ].strip ():
640+ result = run_ssh_command (
641+ host ["ssh" ],
642+ "find /nix/store -type f -path '*/lib/security/pam_jit_pg.so' 2>/dev/null | head -5" ,
643+ )
644+ if result ["succeeded" ] and result ["stdout" ].strip ():
639645 print (f"\n JIT PAM module symlinks found:\n { result ['stdout' ]} " )
640646 else :
641647 print ("\n No JIT PAM module symlinks found in /nix/store" )
642-
648+
643649 # Verify the module is a valid shared library
644- result = run_ssh_command (host ['ssh' ], "file /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so" )
645- if result ['succeeded' ]:
650+ result = run_ssh_command (
651+ host ["ssh" ], "file /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so"
652+ )
653+ if result ["succeeded" ]:
646654 print (f"\n JIT PAM module file type:\n { result ['stdout' ]} " )
647- assert "shared object" in result ['stdout' ].lower () or "dynamically linked" in result ['stdout' ].lower (), \
648- "JIT PAM module is not a valid shared library"
649-
655+ assert (
656+ "shared object" in result ["stdout" ].lower ()
657+ or "dynamically linked" in result ["stdout" ].lower ()
658+ ), "JIT PAM module is not a valid shared library"
659+
650660 print ("✓ JIT PAM module is properly installed" )
651661
652662
653663def test_pam_postgresql_config (host ):
654664 """Test that the PAM configuration for PostgreSQL exists and is properly configured."""
655665 # Check PostgreSQL version to determine if PAM config should exist
656- result = run_ssh_command (host ['ssh' ], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1" )
666+ result = run_ssh_command (
667+ host ["ssh" ], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1"
668+ )
657669 pg_major_version = 15 # Default
658- if result [' succeeded' ] and result [' stdout' ].strip ():
670+ if result [" succeeded" ] and result [" stdout" ].strip ():
659671 try :
660- pg_major_version = int (result [' stdout' ].strip ())
672+ pg_major_version = int (result [" stdout" ].strip ())
661673 except ValueError :
662674 pass
663-
675+
664676 print (f"\n PostgreSQL major version: { pg_major_version } " )
665-
677+
666678 # PAM config should exist for non-PostgreSQL 15 versions
667679 if pg_major_version != 15 :
668680 # Check if PAM config file exists
669- result = run_ssh_command (host [' ssh' ], "ls -la /etc/pam.d/postgresql" )
670- if result [' succeeded' ]:
681+ result = run_ssh_command (host [" ssh" ], "ls -la /etc/pam.d/postgresql" )
682+ if result [" succeeded" ]:
671683 print (f"\n PAM config file found:\n { result ['stdout' ]} " )
672-
684+
673685 # Check file permissions
674- result = run_ssh_command (host ['ssh' ], "stat -c '%a %U %G' /etc/pam.d/postgresql" )
675- if result ['succeeded' ]:
676- perms = result ['stdout' ].strip ()
686+ result = run_ssh_command (
687+ host ["ssh" ], "stat -c '%a %U %G' /etc/pam.d/postgresql"
688+ )
689+ if result ["succeeded" ]:
690+ perms = result ["stdout" ].strip ()
677691 print (f"PAM config permissions: { perms } " )
678692 # Should be owned by postgres:postgres with 664 permissions
679- assert "postgres postgres" in perms , "PAM config not owned by postgres:postgres"
693+ assert (
694+ "postgres postgres" in perms
695+ ), "PAM config not owned by postgres:postgres"
680696 else :
681697 print ("\n PAM config file not found" )
682698 assert False , "PAM configuration file /etc/pam.d/postgresql not found"
683699 else :
684700 print ("\n Skipping PAM config check for PostgreSQL 15" )
685701 # For PostgreSQL 15, the PAM config should NOT exist
686- result = run_ssh_command (host [' ssh' ], "test -f /etc/pam.d/postgresql" )
687- if result [' succeeded' ]:
702+ result = run_ssh_command (host [" ssh" ], "test -f /etc/pam.d/postgresql" )
703+ if result [" succeeded" ]:
688704 print ("\n WARNING: PAM config exists for PostgreSQL 15 (not expected)" )
689-
705+
690706 print ("✓ PAM configuration is properly set up" )
691707
692708
693709def test_jit_pam_gatekeeper_profile (host ):
694710 """Test that the gatekeeper package is properly installed in the postgres user's Nix profile."""
695711 # Check if gatekeeper is in the postgres user's Nix profile
696- result = run_ssh_command (host ['ssh' ], "sudo -u postgres nix profile list 2>/dev/null | grep -i gatekeeper" )
697- if result ['succeeded' ] and result ['stdout' ].strip ():
712+ result = run_ssh_command (
713+ host ["ssh" ],
714+ "sudo -u postgres nix profile list 2>/dev/null | grep -i gatekeeper" ,
715+ )
716+ if result ["succeeded" ] and result ["stdout" ].strip ():
698717 print (f"\n Gatekeeper found in Nix profile:\n { result ['stdout' ]} " )
699718 else :
700719 # Try alternative check
701- result = run_ssh_command (host ['ssh' ], "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/ | grep -i gate" )
702- if result ['succeeded' ] and result ['stdout' ].strip ():
720+ result = run_ssh_command (
721+ host ["ssh" ],
722+ "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/ | grep -i gate" ,
723+ )
724+ if result ["succeeded" ] and result ["stdout" ].strip ():
703725 print (f"\n Gatekeeper-related files in profile:\n { result ['stdout' ]} " )
704726 else :
705727 print ("\n Gatekeeper not found in postgres user's Nix profile" )
706728 # This might be expected if it's installed system-wide instead
707-
729+
708730 # Check if we can find the gatekeeper derivation
709- result = run_ssh_command (host ['ssh' ], "find /nix/store -maxdepth 1 -type d -name '*gatekeeper*' 2>/dev/null | head -5" )
710- if result ['succeeded' ] and result ['stdout' ].strip ():
731+ result = run_ssh_command (
732+ host ["ssh" ],
733+ "find /nix/store -maxdepth 1 -type d -name '*gatekeeper*' 2>/dev/null | head -5" ,
734+ )
735+ if result ["succeeded" ] and result ["stdout" ].strip ():
711736 print (f"\n Gatekeeper derivations found:\n { result ['stdout' ]} " )
712737 else :
713738 print ("\n No gatekeeper derivations found in /nix/store" )
714-
739+
715740 print ("✓ Gatekeeper package installation check completed" )
716741
717742
718743def test_jit_pam_module_dependencies (host ):
719744 """Test that the JIT PAM module has all required dependencies."""
720745 # Check dependencies of the PAM module
721- result = run_ssh_command (host ['ssh' ], "ldd /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null" )
722- if result ['succeeded' ]:
746+ result = run_ssh_command (
747+ host ["ssh" ],
748+ "ldd /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null" ,
749+ )
750+ if result ["succeeded" ]:
723751 print (f"\n JIT PAM module dependencies:\n { result ['stdout' ]} " )
724-
752+
725753 # Check for required libraries
726754 required_libs = ["libpam" , "libc" ]
727755 for lib in required_libs :
728- if lib not in result [' stdout' ].lower ():
756+ if lib not in result [" stdout" ].lower ():
729757 print (f"WARNING: Required library { lib } not found in dependencies" )
730-
758+
731759 # Check for any missing dependencies
732- if "not found" in result [' stdout' ].lower ():
760+ if "not found" in result [" stdout" ].lower ():
733761 assert False , "JIT PAM module has missing dependencies"
734762 else :
735763 print ("\n Could not check JIT PAM module dependencies" )
736-
764+
737765 print ("✓ JIT PAM module dependencies are satisfied" )
738766
739767
740768def test_jit_pam_postgresql_integration (host ):
741769 """Test that PostgreSQL can be configured to use PAM authentication."""
742770 # Check if PAM is available as an authentication method in PostgreSQL
743- result = run_ssh_command (host ['ssh' ], "sudo -u postgres psql -c \" SELECT name, setting FROM pg_settings WHERE name LIKE '%pam%';\" 2>/dev/null" )
744- if result ['succeeded' ]:
771+ result = run_ssh_command (
772+ host ["ssh" ],
773+ "sudo -u postgres psql -c \" SELECT name, setting FROM pg_settings WHERE name LIKE '%pam%';\" 2>/dev/null" ,
774+ )
775+ if result ["succeeded" ]:
745776 print (f"\n PostgreSQL PAM-related settings:\n { result ['stdout' ]} " )
746-
777+
747778 # Check pg_hba.conf for potential PAM entries (even if not currently active)
748- result = run_ssh_command (host ['ssh' ], "grep -i pam /etc/postgresql/pg_hba.conf 2>/dev/null || echo 'No PAM entries in pg_hba.conf'" )
749- if result ['succeeded' ]:
779+ result = run_ssh_command (
780+ host ["ssh" ],
781+ "grep -i pam /etc/postgresql/pg_hba.conf 2>/dev/null || echo 'No PAM entries in pg_hba.conf'" ,
782+ )
783+ if result ["succeeded" ]:
750784 print (f"\n PAM entries in pg_hba.conf:\n { result ['stdout' ]} " )
751-
785+
752786 # Verify PostgreSQL was compiled with PAM support
753- result = run_ssh_command (host ['ssh' ], "sudo -u postgres pg_config --configure 2>/dev/null | grep -i pam || echo 'PAM compile flag not found'" )
754- if result ['succeeded' ]:
787+ result = run_ssh_command (
788+ host ["ssh" ],
789+ "sudo -u postgres pg_config --configure 2>/dev/null | grep -i pam || echo 'PAM compile flag not found'" ,
790+ )
791+ if result ["succeeded" ]:
755792 print (f"\n PostgreSQL PAM compile flags:\n { result ['stdout' ]} " )
756-
793+
757794 print ("✓ PostgreSQL PAM integration check completed" )
758795
759796
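Review bot: test_jit_pam_module_dependencies (new lines 746-765) still passes, and prints "✓ JIT PAM module dependencies are satisfied", when `ldd` fails or when a library in required_libs is absent, because the else branch only prints and the per-library loop only warns, so the dependency check on an authentication module fails open. I would replace the warning loop with `missing = [lib for lib in required_libs if lib not in result["stdout"].lower()]` and `assert not missing, f"JIT PAM module missing required libraries: {missing}"`, and make the "Could not check" branch a failure (or an explicit skip) instead of falling through to the success message. The `file` check in test_jit_pam_module_installed (new lines 650-658) has the same shape: its assertion is skipped entirely whenever `file` does not succeed. Separately, several lookups are rendered as `" succeeded"`, `" stdout"` and `" ssh"` with a leading space inside the quotes (e.g. new lines 670, 672, 681, 702, 756, 760) while the rest of the hunk uses `"succeeded"`; if that is not a rendering artifact those keys would raise KeyError, so it is worth confirming against the source.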