@@ -620,134 +620,171 @@ def test_libpq5_version(host):
620620def test_jit_pam_module_installed (host ):
621621 """Test that the JIT PAM module (pam_jit_pg.so) is properly installed."""
622622 # Check if gatekeeper is installed via Nix
623- result = run_ssh_command (host ['ssh' ], "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null" )
624- if result ['succeeded' ]:
623+ result = run_ssh_command (
624+ host ["ssh" ],
625+ "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null" ,
626+ )
627+ if result ["succeeded" ]:
625628 print (f"\n JIT PAM module found in Nix profile:\n { result ['stdout' ]} " )
626629 else :
627630 print ("\n JIT PAM module not found in postgres user's Nix profile" )
628631 assert False , "JIT PAM module (pam_jit_pg.so) not found in expected location"
629-
632+
630633 # Check if the symlink exists in the Linux PAM security directory
631- result = run_ssh_command (host ['ssh' ], "find /nix/store -type f -path '*/lib/security/pam_jit_pg.so' 2>/dev/null | head -5" )
632- if result ['succeeded' ] and result ['stdout' ].strip ():
634+ result = run_ssh_command (
635+ host ["ssh" ],
636+ "find /nix/store -type f -path '*/lib/security/pam_jit_pg.so' 2>/dev/null | head -5" ,
637+ )
638+ if result ["succeeded" ] and result ["stdout" ].strip ():
633639 print (f"\n JIT PAM module symlinks found:\n { result ['stdout' ]} " )
634640 else :
635641 print ("\n No JIT PAM module symlinks found in /nix/store" )
636-
642+
637643 # Verify the module is a valid shared library
638- result = run_ssh_command (host ['ssh' ], "file /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so" )
639- if result ['succeeded' ]:
644+ result = run_ssh_command (
645+ host ["ssh" ], "file /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so"
646+ )
647+ if result ["succeeded" ]:
640648 print (f"\n JIT PAM module file type:\n { result ['stdout' ]} " )
641- assert "shared object" in result ['stdout' ].lower () or "dynamically linked" in result ['stdout' ].lower (), \
642- "JIT PAM module is not a valid shared library"
643-
649+ assert (
650+ "shared object" in result ["stdout" ].lower ()
651+ or "dynamically linked" in result ["stdout" ].lower ()
652+ ), "JIT PAM module is not a valid shared library"
653+
644654 print ("✓ JIT PAM module is properly installed" )
645655
646656
647657def test_pam_postgresql_config (host ):
648658 """Test that the PAM configuration for PostgreSQL exists and is properly configured."""
649659 # Check PostgreSQL version to determine if PAM config should exist
650- result = run_ssh_command (host ['ssh' ], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1" )
660+ result = run_ssh_command (
661+ host ["ssh" ], "sudo -u postgres psql --version | grep -oE '[0-9]+' | head -1"
662+ )
651663 pg_major_version = 15 # Default
652- if result [' succeeded' ] and result [' stdout' ].strip ():
664+ if result [" succeeded" ] and result [" stdout" ].strip ():
653665 try :
654- pg_major_version = int (result [' stdout' ].strip ())
666+ pg_major_version = int (result [" stdout" ].strip ())
655667 except ValueError :
656668 pass
657-
669+
658670 print (f"\n PostgreSQL major version: { pg_major_version } " )
659-
671+
660672 # PAM config should exist for non-PostgreSQL 15 versions
661673 if pg_major_version != 15 :
662674 # Check if PAM config file exists
663- result = run_ssh_command (host [' ssh' ], "ls -la /etc/pam.d/postgresql" )
664- if result [' succeeded' ]:
675+ result = run_ssh_command (host [" ssh" ], "ls -la /etc/pam.d/postgresql" )
676+ if result [" succeeded" ]:
665677 print (f"\n PAM config file found:\n { result ['stdout' ]} " )
666-
678+
667679 # Check file permissions
668- result = run_ssh_command (host ['ssh' ], "stat -c '%a %U %G' /etc/pam.d/postgresql" )
669- if result ['succeeded' ]:
670- perms = result ['stdout' ].strip ()
680+ result = run_ssh_command (
681+ host ["ssh" ], "stat -c '%a %U %G' /etc/pam.d/postgresql"
682+ )
683+ if result ["succeeded" ]:
684+ perms = result ["stdout" ].strip ()
671685 print (f"PAM config permissions: { perms } " )
672686 # Should be owned by postgres:postgres with 664 permissions
673- assert "postgres postgres" in perms , "PAM config not owned by postgres:postgres"
687+ assert (
688+ "postgres postgres" in perms
689+ ), "PAM config not owned by postgres:postgres"
674690 else :
675691 print ("\n PAM config file not found" )
676692 assert False , "PAM configuration file /etc/pam.d/postgresql not found"
677693 else :
678694 print ("\n Skipping PAM config check for PostgreSQL 15" )
679695 # For PostgreSQL 15, the PAM config should NOT exist
680- result = run_ssh_command (host [' ssh' ], "test -f /etc/pam.d/postgresql" )
681- if result [' succeeded' ]:
696+ result = run_ssh_command (host [" ssh" ], "test -f /etc/pam.d/postgresql" )
697+ if result [" succeeded" ]:
682698 print ("\n WARNING: PAM config exists for PostgreSQL 15 (not expected)" )
683-
699+
684700 print ("✓ PAM configuration is properly set up" )
685701
686702
687703def test_jit_pam_gatekeeper_profile (host ):
688704 """Test that the gatekeeper package is properly installed in the postgres user's Nix profile."""
689705 # Check if gatekeeper is in the postgres user's Nix profile
690- result = run_ssh_command (host ['ssh' ], "sudo -u postgres nix profile list 2>/dev/null | grep -i gatekeeper" )
691- if result ['succeeded' ] and result ['stdout' ].strip ():
706+ result = run_ssh_command (
707+ host ["ssh" ],
708+ "sudo -u postgres nix profile list 2>/dev/null | grep -i gatekeeper" ,
709+ )
710+ if result ["succeeded" ] and result ["stdout" ].strip ():
692711 print (f"\n Gatekeeper found in Nix profile:\n { result ['stdout' ]} " )
693712 else :
694713 # Try alternative check
695- result = run_ssh_command (host ['ssh' ], "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/ | grep -i gate" )
696- if result ['succeeded' ] and result ['stdout' ].strip ():
714+ result = run_ssh_command (
715+ host ["ssh" ],
716+ "sudo -u postgres ls -la /var/lib/postgresql/.nix-profile/ | grep -i gate" ,
717+ )
718+ if result ["succeeded" ] and result ["stdout" ].strip ():
697719 print (f"\n Gatekeeper-related files in profile:\n { result ['stdout' ]} " )
698720 else :
699721 print ("\n Gatekeeper not found in postgres user's Nix profile" )
700722 # This might be expected if it's installed system-wide instead
701-
723+
702724 # Check if we can find the gatekeeper derivation
703- result = run_ssh_command (host ['ssh' ], "find /nix/store -maxdepth 1 -type d -name '*gatekeeper*' 2>/dev/null | head -5" )
704- if result ['succeeded' ] and result ['stdout' ].strip ():
725+ result = run_ssh_command (
726+ host ["ssh" ],
727+ "find /nix/store -maxdepth 1 -type d -name '*gatekeeper*' 2>/dev/null | head -5" ,
728+ )
729+ if result ["succeeded" ] and result ["stdout" ].strip ():
705730 print (f"\n Gatekeeper derivations found:\n { result ['stdout' ]} " )
706731 else :
707732 print ("\n No gatekeeper derivations found in /nix/store" )
708-
733+
709734 print ("✓ Gatekeeper package installation check completed" )
710735
711736
712737def test_jit_pam_module_dependencies (host ):
713738 """Test that the JIT PAM module has all required dependencies."""
714739 # Check dependencies of the PAM module
715- result = run_ssh_command (host ['ssh' ], "ldd /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null" )
716- if result ['succeeded' ]:
740+ result = run_ssh_command (
741+ host ["ssh" ],
742+ "ldd /var/lib/postgresql/.nix-profile/lib/security/pam_jit_pg.so 2>/dev/null" ,
743+ )
744+ if result ["succeeded" ]:
717745 print (f"\n JIT PAM module dependencies:\n { result ['stdout' ]} " )
718-
746+
719747 # Check for required libraries
720748 required_libs = ["libpam" , "libc" ]
721749 for lib in required_libs :
722- if lib not in result [' stdout' ].lower ():
750+ if lib not in result [" stdout" ].lower ():
723751 print (f"WARNING: Required library { lib } not found in dependencies" )
724-
752+
725753 # Check for any missing dependencies
726- if "not found" in result [' stdout' ].lower ():
754+ if "not found" in result [" stdout" ].lower ():
727755 assert False , "JIT PAM module has missing dependencies"
728756 else :
729757 print ("\n Could not check JIT PAM module dependencies" )
730-
758+
731759 print ("✓ JIT PAM module dependencies are satisfied" )
732760
733761
734762def test_jit_pam_postgresql_integration (host ):
735763 """Test that PostgreSQL can be configured to use PAM authentication."""
736764 # Check if PAM is available as an authentication method in PostgreSQL
737- result = run_ssh_command (host ['ssh' ], "sudo -u postgres psql -c \" SELECT name, setting FROM pg_settings WHERE name LIKE '%pam%';\" 2>/dev/null" )
738- if result ['succeeded' ]:
765+ result = run_ssh_command (
766+ host ["ssh" ],
767+ "sudo -u postgres psql -c \" SELECT name, setting FROM pg_settings WHERE name LIKE '%pam%';\" 2>/dev/null" ,
768+ )
769+ if result ["succeeded" ]:
739770 print (f"\n PostgreSQL PAM-related settings:\n { result ['stdout' ]} " )
740-
771+
741772 # Check pg_hba.conf for potential PAM entries (even if not currently active)
742- result = run_ssh_command (host ['ssh' ], "grep -i pam /etc/postgresql/pg_hba.conf 2>/dev/null || echo 'No PAM entries in pg_hba.conf'" )
743- if result ['succeeded' ]:
773+ result = run_ssh_command (
774+ host ["ssh" ],
775+ "grep -i pam /etc/postgresql/pg_hba.conf 2>/dev/null || echo 'No PAM entries in pg_hba.conf'" ,
776+ )
777+ if result ["succeeded" ]:
744778 print (f"\n PAM entries in pg_hba.conf:\n { result ['stdout' ]} " )
745-
779+
746780 # Verify PostgreSQL was compiled with PAM support
747- result = run_ssh_command (host ['ssh' ], "sudo -u postgres pg_config --configure 2>/dev/null | grep -i pam || echo 'PAM compile flag not found'" )
748- if result ['succeeded' ]:
781+ result = run_ssh_command (
782+ host ["ssh" ],
783+ "sudo -u postgres pg_config --configure 2>/dev/null | grep -i pam || echo 'PAM compile flag not found'" ,
784+ )
785+ if result ["succeeded" ]:
749786 print (f"\n PostgreSQL PAM compile flags:\n { result ['stdout' ]} " )
750-
787+
751788 print ("✓ PostgreSQL PAM integration check completed" )
752789
753790
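Review bot: The permissions check at new lines 680–689 of test_pam_postgresql_config reads the mode from `stat -c '%a %U %G'` but only asserts ownership, while the comment directly above promises 664, so a world-writable /etc/pam.d/postgresql would still pass; split the fields and pin both: `mode, owner, group = perms.split()`, `assert (owner, group) == ("postgres", "postgres"), "PAM config not owned by postgres:postgres"`, `assert mode == "664", f"PAM config mode {mode}, expected 664"`. The substring test `"postgres postgres" in perms` is also looser than it reads, since it matches any group name that begins with "postgres". Separately, when the `stat` call does not succeed the whole check is skipped yet "✓ PAM configuration is properly set up" still prints; the same pattern appears at the `file` call in test_jit_pam_module_installed (new lines 644–652), where a failed probe means the shared-library assertion never runs. Consider failing explicitly in those else-branches so a probe failure is not reported as a pass.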