@@ -631,134 +631,171 @@ def test_libpq5_version(host):
631631def test_jit_pam_module_installed (host ):
632632 """Test that the JIT PAM module (pam_jit_pg.so) is properly installed."""
633633 # Check if gatekeeper is installed via Nix
634- result = run_ssh_command (host ['ssh' ], "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null" )
635- if result ['succeeded' ]:
634+ result = run_ssh_command (
635+ host ["ssh" ],
636+ "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null" ,
637+ )
638+ if result ["succeeded" ]:
636639 print (f"\n JIT PAM module found in Nix profile:\n { result ['stdout' ]} " )
637640 else :
638641 print ("\n JIT PAM module not found in postgres user's Nix profile" )
639642 assert False , "JIT PAM module (pam_jit_pg.so) not found in expected location"
640-
643+
641644 # Check if the symlink exists in the Linux PAM security directory
642- result = run_ssh_command (host ['ssh' ], "find /nix/store -type f -path '*/lib/security/pam_jit_pg.so' 2>/dev/null | head -5" )
643- if result ['succeeded' ] and result ['stdout' ].strip ():
645+ result = run_ssh_command (
646+ host ["ssh" ],
647+ "find /nix/store -type f -path '*/lib/security/pam_jit_pg.so' 2>/dev/null | head -5" ,
648+ )
649+ if result ["succeeded" ] and result ["stdout" ].strip ():
644650 print (f"\n JIT PAM module symlinks found:\n { result ['stdout' ]} " )
645651 else :
646652 print ("\n No JIT PAM module symlinks found in /nix/store" )
647-
653+
648654 # Verify the module is a valid shared library
649- result = run_ssh_command (host ['ssh' ], "file /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so" )
650- if result ['succeeded' ]:
655+ result = run_ssh_command (
656+ host ["ssh" ], "file /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so"
657+ )
658+ if result ["succeeded" ]:
651659 print (f"\n JIT PAM module file type:\n { result ['stdout' ]} " )
652- assert "shared object" in result ['stdout' ].lower () or "dynamically linked" in result ['stdout' ].lower (), \
653- "JIT PAM module is not a valid shared library"
654-
660+ assert (
661+ "shared object" in result ["stdout" ].lower ()
662+ or "dynamically linked" in result ["stdout" ].lower ()
663+ ), "JIT PAM module is not a valid shared library"
664+
655665 print ("✓ JIT PAM module is properly installed" )
656666
657667
658668def test_pam_postgresql_config (host ):
659669 """Test that the PAM configuration for PostgreSQL exists and is properly configured."""
660670 # Check PostgreSQL version to determine if PAM config should exist
661- result = run_ssh_command (host ['ssh' ], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1" )
671+ result = run_ssh_command (
672+ host ["ssh" ], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1"
673+ )
662674 pg_major_version = 15 # Default
663- if result [' succeeded' ] and result [' stdout' ].strip ():
675+ if result [" succeeded" ] and result [" stdout" ].strip ():
664676 try :
665- pg_major_version = int (result [' stdout' ].strip ())
677+ pg_major_version = int (result [" stdout" ].strip ())
666678 except ValueError :
667679 pass
668-
680+
669681 print (f"\n PostgreSQL major version: { pg_major_version } " )
670-
682+
671683 # PAM config should exist for non-PostgreSQL 15 versions
672684 if pg_major_version != 15 :
673685 # Check if PAM config file exists
674- result = run_ssh_command (host [' ssh' ], "ls -la /etc/pam.d/postgresql" )
675- if result [' succeeded' ]:
686+ result = run_ssh_command (host [" ssh" ], "ls -la /etc/pam.d/postgresql" )
687+ if result [" succeeded" ]:
676688 print (f"\n PAM config file found:\n { result ['stdout' ]} " )
677-
689+
678690 # Check file permissions
679- result = run_ssh_command (host ['ssh' ], "stat -c '%a %U %G' /etc/pam.d/postgresql" )
680- if result ['succeeded' ]:
681- perms = result ['stdout' ].strip ()
691+ result = run_ssh_command (
692+ host ["ssh" ], "stat -c '%a %U %G' /etc/pam.d/postgresql"
693+ )
694+ if result ["succeeded" ]:
695+ perms = result ["stdout" ].strip ()
682696 print (f"PAM config permissions: { perms } " )
683697 # Should be owned by postgres:postgres with 664 permissions
684- assert "postgres postgres" in perms , "PAM config not owned by postgres:postgres"
698+ assert (
699+ "postgres postgres" in perms
700+ ), "PAM config not owned by postgres:postgres"
685701 else :
686702 print ("\n PAM config file not found" )
687703 assert False , "PAM configuration file /etc/pam.d/postgresql not found"
688704 else :
689705 print ("\n Skipping PAM config check for PostgreSQL 15" )
690706 # For PostgreSQL 15, the PAM config should NOT exist
691- result = run_ssh_command (host [' ssh' ], "test -f /etc/pam.d/postgresql" )
692- if result [' succeeded' ]:
707+ result = run_ssh_command (host [" ssh" ], "test -f /etc/pam.d/postgresql" )
708+ if result [" succeeded" ]:
693709 print ("\n WARNING: PAM config exists for PostgreSQL 15 (not expected)" )
694-
710+
695711 print ("✓ PAM configuration is properly set up" )
696712
697713
698714def test_jit_pam_gatekeeper_profile (host ):
699715 """Test that the gatekeeper package is properly installed in the postgres user's Nix profile."""
700716 # Check if gatekeeper is in the postgres user's Nix profile
701- result = run_ssh_command (host ['ssh' ], "sudo -u postgres nix profile list 2>/dev/null | grep -i gatekeeper" )
702- if result ['succeeded' ] and result ['stdout' ].strip ():
717+ result = run_ssh_command (
718+ host ["ssh" ],
719+ "sudo -u postgres nix profile list 2>/dev/null | grep -i gatekeeper" ,
720+ )
721+ if result ["succeeded" ] and result ["stdout" ].strip ():
703722 print (f"\n Gatekeeper found in Nix profile:\n { result ['stdout' ]} " )
704723 else :
705724 # Try alternative check
706- result = run_ssh_command (host ['ssh' ], "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/ | grep -i gate" )
707- if result ['succeeded' ] and result ['stdout' ].strip ():
725+ result = run_ssh_command (
726+ host ["ssh" ],
727+ "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/ | grep -i gate" ,
728+ )
729+ if result ["succeeded" ] and result ["stdout" ].strip ():
708730 print (f"\n Gatekeeper-related files in profile:\n { result ['stdout' ]} " )
709731 else :
710732 print ("\n Gatekeeper not found in postgres user's Nix profile" )
711733 # This might be expected if it's installed system-wide instead
712-
734+
713735 # Check if we can find the gatekeeper derivation
714- result = run_ssh_command (host ['ssh' ], "find /nix/store -maxdepth 1 -type d -name '*gatekeeper*' 2>/dev/null | head -5" )
715- if result ['succeeded' ] and result ['stdout' ].strip ():
736+ result = run_ssh_command (
737+ host ["ssh" ],
738+ "find /nix/store -maxdepth 1 -type d -name '*gatekeeper*' 2>/dev/null | head -5" ,
739+ )
740+ if result ["succeeded" ] and result ["stdout" ].strip ():
716741 print (f"\n Gatekeeper derivations found:\n { result ['stdout' ]} " )
717742 else :
718743 print ("\n No gatekeeper derivations found in /nix/store" )
719-
744+
720745 print ("✓ Gatekeeper package installation check completed" )
721746
722747
723748def test_jit_pam_module_dependencies (host ):
724749 """Test that the JIT PAM module has all required dependencies."""
725750 # Check dependencies of the PAM module
726- result = run_ssh_command (host ['ssh' ], "ldd /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null" )
727- if result ['succeeded' ]:
751+ result = run_ssh_command (
752+ host ["ssh" ],
753+ "ldd /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null" ,
754+ )
755+ if result ["succeeded" ]:
728756 print (f"\n JIT PAM module dependencies:\n { result ['stdout' ]} " )
729-
757+
730758 # Check for required libraries
731759 required_libs = ["libpam" , "libc" ]
732760 for lib in required_libs :
733- if lib not in result [' stdout' ].lower ():
761+ if lib not in result [" stdout" ].lower ():
734762 print (f"WARNING: Required library { lib } not found in dependencies" )
735-
763+
736764 # Check for any missing dependencies
737- if "not found" in result [' stdout' ].lower ():
765+ if "not found" in result [" stdout" ].lower ():
738766 assert False , "JIT PAM module has missing dependencies"
739767 else :
740768 print ("\n Could not check JIT PAM module dependencies" )
741-
769+
742770 print ("✓ JIT PAM module dependencies are satisfied" )
743771
744772
745773def test_jit_pam_postgresql_integration (host ):
746774 """Test that PostgreSQL can be configured to use PAM authentication."""
747775 # Check if PAM is available as an authentication method in PostgreSQL
748- result = run_ssh_command (host ['ssh' ], "sudo -u postgres psql -c \" SELECT name, setting FROM pg_settings WHERE name LIKE '%pam%';\" 2>/dev/null" )
749- if result ['succeeded' ]:
776+ result = run_ssh_command (
777+ host ["ssh" ],
778+ "sudo -u postgres psql -c \" SELECT name, setting FROM pg_settings WHERE name LIKE '%pam%';\" 2>/dev/null" ,
779+ )
780+ if result ["succeeded" ]:
750781 print (f"\n PostgreSQL PAM-related settings:\n { result ['stdout' ]} " )
751-
782+
752783 # Check pg_hba.conf for potential PAM entries (even if not currently active)
753- result = run_ssh_command (host ['ssh' ], "grep -i pam /etc/postgresql/pg_hba.conf 2>/dev/null || echo 'No PAM entries in pg_hba.conf'" )
754- if result ['succeeded' ]:
784+ result = run_ssh_command (
785+ host ["ssh" ],
786+ "grep -i pam /etc/postgresql/pg_hba.conf 2>/dev/null || echo 'No PAM entries in pg_hba.conf'" ,
787+ )
788+ if result ["succeeded" ]:
755789 print (f"\n PAM entries in pg_hba.conf:\n { result ['stdout' ]} " )
756-
790+
757791 # Verify PostgreSQL was compiled with PAM support
758- result = run_ssh_command (host ['ssh' ], "sudo -u postgres pg_config --configure 2>/dev/null | grep -i pam || echo 'PAM compile flag not found'" )
759- if result ['succeeded' ]:
792+ result = run_ssh_command (
793+ host ["ssh" ],
794+ "sudo -u postgres pg_config --configure 2>/dev/null | grep -i pam || echo 'PAM compile flag not found'" ,
795+ )
796+ if result ["succeeded" ]:
760797 print (f"\n PostgreSQL PAM compile flags:\n { result ['stdout' ]} " )
761-
798+
762799 print ("✓ PostgreSQL PAM integration check completed" )
763800
764801
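Review bot: In test_pam_postgresql_config the version lookup fails open: when the psql call does not succeed or its output is not an integer, `pg_major_version` silently stays at the default 15, which selects the branch that skips every assertion on /etc/pam.d/postgresql, so a host where version detection is broken still passes. Replace the silent fallback with a hard failure, e.g. `assert result["succeeded"] and result["stdout"].strip(), "could not determine PostgreSQL major version"`, and let a ValueError from `int(...)` propagate instead of `pass`. The same block's comment promises 664 permissions but only owner/group is asserted; `perms` already holds the mode from `stat -c '%a %U %G'`, so `assert perms.split()[0] == "664", f"unexpected PAM config mode: {perms}"` pins it (and it is worth confirming that a group-writable authentication config is really intended). Likewise test_jit_pam_module_dependencies prints "✓ JIT PAM module dependencies are satisfied" even when ldd failed or a required library was only warned about, and test_jit_pam_postgresql_integration asserts nothing at all, so those warnings should become assertions if these tests are meant to gate anything.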