diff --git a/integration/complex/passthrough_auth/test_pool_pausing.sh b/integration/complex/passthrough_auth/test_pool_pausing.sh new file mode 100755 index 000000000..9180ba786 --- /dev/null +++ b/integration/complex/passthrough_auth/test_pool_pausing.sh @@ -0,0 +1,79 @@ +#!/bin/bash +set -e + +# Test that passwordless users get their pools paused when passthrough auth is enabled +# This validates the specific feature added in the PR + +SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +export PGPASSWORD=pgdog +export PGPORT=6432 +export PGHOST=127.0.0.1 + +echo "๐Ÿงช Testing pool pausing for passwordless users with passthrough auth..." + +# Kill any existing pgdog processes +killall -TERM pgdog 2> /dev/null || true +sleep 1 + +# Start pgdog with passthrough auth enabled +echo "๐Ÿ“ฆ Starting PgDog with passthrough auth enabled..." +${SCRIPT_DIR}/../../../target/release/pgdog \ + --config ${SCRIPT_DIR}/pgdog-enabled.toml \ + --users ${SCRIPT_DIR}/users.toml & + +PGDOG_PID=$! +sleep 2 + +# Check if pgdog started successfully (this validates pools didn't get banned) +if ! kill -0 $PGDOG_PID 2>/dev/null; then + echo "โŒ FAIL: PgDog process died (probably due to pool banning)" + exit 1 +fi + +echo "โœ… PASS: PgDog started successfully without pool banning" + +# Try to connect with the passwordless user (pgdog1) +# This should work because passthrough auth is enabled +echo "๐Ÿ”‘ Testing connection with passwordless user..." +if psql -U pgdog1 pgdog -c 'SELECT 1 AS test_connection' > /dev/null 2>&1; then + echo "โœ… PASS: Passwordless user can connect with passthrough auth" +else + echo "โŒ FAIL: Passwordless user cannot connect" + kill $PGDOG_PID 2>/dev/null || true + exit 1 +fi + +# Clean up +kill $PGDOG_PID 2>/dev/null || true +sleep 1 + +# Test that without passthrough auth, passwordless users are properly rejected +echo "๐Ÿ”’ Testing without passthrough auth (should reject passwordless user)..." +${SCRIPT_DIR}/../../../target/release/pgdog \ + --config ${SCRIPT_DIR}/pgdog-disabled.toml \ + --users ${SCRIPT_DIR}/users.toml & + +PGDOG_PID=$! +sleep 2 + +# Check if pgdog started successfully +if ! kill -0 $PGDOG_PID 2>/dev/null; then + echo "โŒ FAIL: PgDog process died when passthrough auth disabled" + exit 1 +fi + +# Try to connect with passwordless user - this should fail +echo "๐Ÿšซ Testing that passwordless user is rejected..." +if psql -U pgdog1 pgdog -c 'SELECT 1' > /dev/null 2>&1; then + echo "โŒ FAIL: Passwordless user should not be able to connect when passthrough auth disabled" + kill $PGDOG_PID 2>/dev/null || true + exit 1 +else + echo "โœ… PASS: Passwordless user properly rejected when passthrough auth disabled" +fi + +# Clean up +kill $PGDOG_PID 2>/dev/null || true +sleep 1 + +echo "๐ŸŽ‰ All tests passed! Pool pausing feature is working correctly." \ No newline at end of file diff --git a/pgdog/src/backend/databases.rs b/pgdog/src/backend/databases.rs index d35d1a35c..8c2c684bc 100644 --- a/pgdog/src/backend/databases.rs +++ b/pgdog/src/backend/databases.rs @@ -425,12 +425,27 @@ pub(crate) fn new_pool( config.multi_tenant(), ); + // Create cluster from the configuration + let cluster = Cluster::new(cluster_config); + + // If passthrough auth is enabled and user has no password, pause the pools + // to prevent connection attempts with empty credentials + let is_admin = user.database == config.admin.name && user.name == config.admin.user; + if general.passthrough_auth() && user.password().is_empty() && !is_admin { + // Pause all pools in the cluster before they attempt connections + for shard in cluster.shards() { + for pool in shard.pools() { + pool.pause(); + } + } + } + Some(( User { user: user.name.clone(), database: user.database.clone(), }, - Cluster::new(cluster_config), + cluster, )) } else { None