Fix ssl test by copying root client-side certificates. (#893)

It seems that Postgres 14 implement more security checks around ownership of the client-side root certificate, and our symlink doesn't comply with those rules anymore in the GitHub Action environment.
hapostgres · May 12, 2022 · 753d334 · 753d334
1 parent bf07407
commit 753d334
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 5 deletions.
diff --git a/tests/test_enable_ssl.py b/tests/test_enable_ssl.py
@@ -188,7 +188,22 @@ def test_010_enable_ssl_verify_ca_monitor():
     print("%s" % p.stdout)
 
     # the root user also needs the certificates, tests are connecting with it
-    subprocess.run(["ln", "-s", client_top_directory, "/root/.postgresql"])
+    root_top_directory = "/root/.postgresql"
+    p = subprocess.run(
+        ["sudo", "install", "-d", "-m", "740", root_top_directory]
+    )
+    assert p.returncode == 0
+
+    p = subprocess.run(
+        [
+            "sudo",
+            "cp",
+            clientCert.crt,
+            clientCert.csr,
+            clientCert.key,
+            root_top_directory,
+        ]
+    )
     assert p.returncode == 0
 
     p = subprocess.run(

diff --git a/tests/test_ssl_cert.py b/tests/test_ssl_cert.py
@@ -92,11 +92,34 @@ def test_000_create_monitor():
     )
     serverCert.create_signed_certificate(cluster.cert)
 
+    # the root user also needs the certificates, tests are connecting with it
+    root_top_directory = "/root/.postgresql"
+    p = subprocess.run(
+        ["sudo", "install", "-d", "-m", "740", root_top_directory]
+    )
+    assert p.returncode == 0
+
+    p = subprocess.run(
+        [
+            "sudo",
+            "cp",
+            clientCert.crt,
+            clientCert.csr,
+            clientCert.key,
+            root_top_directory,
+        ]
+    )
+    assert p.returncode == 0
+
     p = subprocess.run(
         [
             "ls",
             "-ld",
             client_top_directory,
+            root_top_directory,
+            os.path.join(root_top_directory, "postgresql.crt"),
+            os.path.join(root_top_directory, "postgresql.csr"),
+            os.path.join(root_top_directory, "postgresql.key"),
             cluster.cert.crt,
             cluster.cert.csr,
             cluster.cert.key,
@@ -112,10 +135,6 @@ def test_000_create_monitor():
     )
     print("%s" % p.stdout)
 
-    # the root user also needs the certificates, tests are connecting with it
-    subprocess.run(["ln", "-s", client_top_directory, "/root/.postgresql"])
-    assert p.returncode == 0
-
     #
     # Now create the monitor Postgres instance with the certificates
     #