v8-0001-pgstat-report-in-earlier-with-STATE_STARTING.patch
application/octet-stream
Filename: v8-0001-pgstat-report-in-earlier-with-STATE_STARTING.patch
Type: application/octet-stream
Part: 1
Patch
Format: format-patch
Series: patch v8-0001
Subject: pgstat: report in earlier with STATE_STARTING
| File | + | − |
|---|---|---|
| doc/src/sgml/monitoring.sgml | 6 | 0 |
| src/backend/postmaster/auxprocess.c | 2 | 1 |
| src/backend/utils/activity/backend_status.c | 131 | 76 |
| src/backend/utils/adt/pgstatfuncs.c | 3 | 0 |
| src/backend/utils/init/postinit.c | 32 | 10 |
| src/include/utils/backend_status.h | 4 | 1 |
| src/test/authentication/Makefile | 4 | 0 |
| src/test/authentication/meson.build | 4 | 0 |
| src/test/authentication/t/007_pre_auth.pl | 81 | 0 |
| src/test/ssl/Makefile | 2 | 1 |
| src/test/ssl/meson.build | 1 | 0 |
| src/test/ssl/t/001_ssltests.pl | 65 | 0 |
From 81a61854bdf419d045c4b82896b8889938e41184 Mon Sep 17 00:00:00 2001
From: Jacob Champion <jacob.champion@enterprisedb.com>
Date: Fri, 3 May 2024 15:54:58 -0700
Subject: [PATCH v8 1/3] pgstat: report in earlier with STATE_STARTING
Split pgstat_bestart() into three phases for better observability:
1) pgstat_bestart_initial() reports a 'starting' state while waiting for
backend initialization and client authentication to complete. Since
we hold a transaction open for a good amount of that, and some
authentication methods call out to external systems, having an early
pg_stat_activity entry helps DBAs debug when things go badly wrong.
2) pgstat_bestart_security() reports the SSL/GSS status of the
connection. Some backends don't call this at all; others call it
twice, once after transport establishment and once after client
authentication.
3) pgstat_bestart_final() reports the user and database IDs, takes the
entry out of STATE_STARTING, and reports the application_name.
TODO: should the order of those last two be swapped?
---
doc/src/sgml/monitoring.sgml | 6 +
src/backend/postmaster/auxprocess.c | 3 +-
src/backend/utils/activity/backend_status.c | 207 +++++++++++++-------
src/backend/utils/adt/pgstatfuncs.c | 3 +
src/backend/utils/init/postinit.c | 42 +++-
src/include/utils/backend_status.h | 5 +-
src/test/authentication/Makefile | 4 +
src/test/authentication/meson.build | 4 +
src/test/authentication/t/007_pre_auth.pl | 81 ++++++++
src/test/ssl/Makefile | 3 +-
src/test/ssl/meson.build | 1 +
src/test/ssl/t/001_ssltests.pl | 65 ++++++
12 files changed, 335 insertions(+), 89 deletions(-)
create mode 100644 src/test/authentication/t/007_pre_auth.pl
diff --git a/doc/src/sgml/monitoring.sgml b/doc/src/sgml/monitoring.sgml
index edc2470bcf9..dcb2d77adec 100644
--- a/doc/src/sgml/monitoring.sgml
+++ b/doc/src/sgml/monitoring.sgml
@@ -899,6 +899,12 @@ postgres 27093 0.0 0.0 30096 2752 ? Ss 11:34 0:00 postgres: ser
Current overall state of this backend.
Possible values are:
<itemizedlist>
+ <listitem>
+ <para>
+ <literal>starting</literal>: The backend is in initial startup. Client
+ authentication is performed during this phase.
+ </para>
+ </listitem>
<listitem>
<para>
<literal>active</literal>: The backend is executing a query.
diff --git a/src/backend/postmaster/auxprocess.c b/src/backend/postmaster/auxprocess.c
index ff366ceb0fc..4f6795f7265 100644
--- a/src/backend/postmaster/auxprocess.c
+++ b/src/backend/postmaster/auxprocess.c
@@ -78,7 +78,8 @@ AuxiliaryProcessMainCommon(void)
/* Initialize backend status information */
pgstat_beinit();
- pgstat_bestart();
+ pgstat_bestart_initial();
+ pgstat_bestart_final();
/* register a before-shutdown callback for LWLock cleanup */
before_shmem_exit(ShutdownAuxiliaryProcess, 0);
diff --git a/src/backend/utils/activity/backend_status.c b/src/backend/utils/activity/backend_status.c
index 731342799a6..f08b41054bb 100644
--- a/src/backend/utils/activity/backend_status.c
+++ b/src/backend/utils/activity/backend_status.c
@@ -253,31 +253,18 @@ pgstat_beinit(void)
on_shmem_exit(pgstat_beshutdown_hook, 0);
}
-
-/* ----------
- * pgstat_bestart() -
- *
- * Initialize this backend's entry in the PgBackendStatus array.
- * Called from InitPostgres.
- *
- * Apart from auxiliary processes, MyDatabaseId, session userid, and
- * application_name must already be set (hence, this cannot be combined
- * with pgstat_beinit). Note also that we must be inside a transaction
- * if this isn't an aux process, as we may need to do encoding conversion
- * on some strings.
- *----------
+/*
+ * Clears out a new pgstat entry, initializing it to suitable defaults and
+ * reporting STATE_STARTING. Backends should continue filling in any transport
+ * security details as needed with pgstat_bestart_security(), and must finally
+ * exit STATE_STARTING by calling pgstat_bestart_final(), once user and database
+ * IDs have been determined.
*/
void
-pgstat_bestart(void)
+pgstat_bestart_initial(void)
{
volatile PgBackendStatus *vbeentry = MyBEEntry;
PgBackendStatus lbeentry;
-#ifdef USE_SSL
- PgBackendSSLStatus lsslstatus;
-#endif
-#ifdef ENABLE_GSS
- PgBackendGSSStatus lgssstatus;
-#endif
/* pgstats state must be initialized from pgstat_beinit() */
Assert(vbeentry != NULL);
@@ -297,14 +284,6 @@ pgstat_bestart(void)
unvolatize(PgBackendStatus *, vbeentry),
sizeof(PgBackendStatus));
- /* These structs can just start from zeroes each time, though */
-#ifdef USE_SSL
- memset(&lsslstatus, 0, sizeof(lsslstatus));
-#endif
-#ifdef ENABLE_GSS
- memset(&lgssstatus, 0, sizeof(lgssstatus));
-#endif
-
/*
* Now fill in all the fields of lbeentry, except for strings that are
* out-of-line data. Those have to be handled separately, below.
@@ -315,15 +294,8 @@ pgstat_bestart(void)
lbeentry.st_activity_start_timestamp = 0;
lbeentry.st_state_start_timestamp = 0;
lbeentry.st_xact_start_timestamp = 0;
- lbeentry.st_databaseid = MyDatabaseId;
-
- /* We have userid for client-backends, wal-sender and bgworker processes */
- if (lbeentry.st_backendType == B_BACKEND
- || lbeentry.st_backendType == B_WAL_SENDER
- || lbeentry.st_backendType == B_BG_WORKER)
- lbeentry.st_userid = GetSessionUserId();
- else
- lbeentry.st_userid = InvalidOid;
+ lbeentry.st_databaseid = InvalidOid;
+ lbeentry.st_userid = InvalidOid;
/*
* We may not have a MyProcPort (eg, if this is the autovacuum process).
@@ -336,46 +308,10 @@ pgstat_bestart(void)
else
MemSet(&lbeentry.st_clientaddr, 0, sizeof(lbeentry.st_clientaddr));
-#ifdef USE_SSL
- if (MyProcPort && MyProcPort->ssl_in_use)
- {
- lbeentry.st_ssl = true;
- lsslstatus.ssl_bits = be_tls_get_cipher_bits(MyProcPort);
- strlcpy(lsslstatus.ssl_version, be_tls_get_version(MyProcPort), NAMEDATALEN);
- strlcpy(lsslstatus.ssl_cipher, be_tls_get_cipher(MyProcPort), NAMEDATALEN);
- be_tls_get_peer_subject_name(MyProcPort, lsslstatus.ssl_client_dn, NAMEDATALEN);
- be_tls_get_peer_serial(MyProcPort, lsslstatus.ssl_client_serial, NAMEDATALEN);
- be_tls_get_peer_issuer_name(MyProcPort, lsslstatus.ssl_issuer_dn, NAMEDATALEN);
- }
- else
- {
- lbeentry.st_ssl = false;
- }
-#else
lbeentry.st_ssl = false;
-#endif
-
-#ifdef ENABLE_GSS
- if (MyProcPort && MyProcPort->gss != NULL)
- {
- const char *princ = be_gssapi_get_princ(MyProcPort);
-
- lbeentry.st_gss = true;
- lgssstatus.gss_auth = be_gssapi_get_auth(MyProcPort);
- lgssstatus.gss_enc = be_gssapi_get_enc(MyProcPort);
- lgssstatus.gss_delegation = be_gssapi_get_delegation(MyProcPort);
- if (princ)
- strlcpy(lgssstatus.gss_princ, princ, NAMEDATALEN);
- }
- else
- {
- lbeentry.st_gss = false;
- }
-#else
lbeentry.st_gss = false;
-#endif
- lbeentry.st_state = STATE_UNDEFINED;
+ lbeentry.st_state = STATE_STARTING;
lbeentry.st_progress_command = PROGRESS_COMMAND_INVALID;
lbeentry.st_progress_command_target = InvalidOid;
lbeentry.st_query_id = UINT64CONST(0);
@@ -417,20 +353,139 @@ pgstat_bestart(void)
lbeentry.st_clienthostname[NAMEDATALEN - 1] = '\0';
lbeentry.st_activity_raw[pgstat_track_activity_query_size - 1] = '\0';
+ /* These structs can just start from zeroes each time */
#ifdef USE_SSL
- memcpy(lbeentry.st_sslstatus, &lsslstatus, sizeof(PgBackendSSLStatus));
+ memset(lbeentry.st_sslstatus, 0, sizeof(PgBackendSSLStatus));
#endif
#ifdef ENABLE_GSS
- memcpy(lbeentry.st_gssstatus, &lgssstatus, sizeof(PgBackendGSSStatus));
+ memset(lbeentry.st_gssstatus, 0, sizeof(PgBackendGSSStatus));
#endif
PGSTAT_END_WRITE_ACTIVITY(vbeentry);
+}
+
+/*
+ * Fill in SSL and GSS information for the pgstat entry. This is separate from
+ * pgstat_bestart_initial() so that backends may call it multiple times as
+ * security details are filled in.
+ *
+ * This should only be called from backends with a MyProcPort.
+ */
+void
+pgstat_bestart_security(void)
+{
+ volatile PgBackendStatus *beentry = MyBEEntry;
+ bool ssl = false;
+ bool gss = false;
+#ifdef USE_SSL
+ PgBackendSSLStatus lsslstatus;
+ PgBackendSSLStatus *st_sslstatus;
+#endif
+#ifdef ENABLE_GSS
+ PgBackendGSSStatus lgssstatus;
+ PgBackendGSSStatus *st_gssstatus;
+#endif
+
+ /* pgstats state must be initialized from pgstat_beinit() */
+ Assert(beentry != NULL);
+ Assert(MyProcPort); /* otherwise there's no point */
+
+#ifdef USE_SSL
+ st_sslstatus = beentry->st_sslstatus;
+ memset(&lsslstatus, 0, sizeof(lsslstatus));
+
+ if (MyProcPort->ssl_in_use)
+ {
+ ssl = true;
+ lsslstatus.ssl_bits = be_tls_get_cipher_bits(MyProcPort);
+ strlcpy(lsslstatus.ssl_version, be_tls_get_version(MyProcPort), NAMEDATALEN);
+ strlcpy(lsslstatus.ssl_cipher, be_tls_get_cipher(MyProcPort), NAMEDATALEN);
+ be_tls_get_peer_subject_name(MyProcPort, lsslstatus.ssl_client_dn, NAMEDATALEN);
+ be_tls_get_peer_serial(MyProcPort, lsslstatus.ssl_client_serial, NAMEDATALEN);
+ be_tls_get_peer_issuer_name(MyProcPort, lsslstatus.ssl_issuer_dn, NAMEDATALEN);
+ }
+#endif
+
+#ifdef ENABLE_GSS
+ st_gssstatus = beentry->st_gssstatus;
+ memset(&lgssstatus, 0, sizeof(lgssstatus));
+
+ if (MyProcPort->gss != NULL)
+ {
+ const char *princ = be_gssapi_get_princ(MyProcPort);
+
+ gss = true;
+ lgssstatus.gss_auth = be_gssapi_get_auth(MyProcPort);
+ lgssstatus.gss_enc = be_gssapi_get_enc(MyProcPort);
+ lgssstatus.gss_delegation = be_gssapi_get_delegation(MyProcPort);
+ if (princ)
+ strlcpy(lgssstatus.gss_princ, princ, NAMEDATALEN);
+ }
+#endif
+
+ /*
+ * Update my status entry, following the protocol of bumping
+ * st_changecount before and after. We use a volatile pointer here to
+ * ensure the compiler doesn't try to get cute.
+ */
+ PGSTAT_BEGIN_WRITE_ACTIVITY(beentry);
+
+ beentry->st_ssl = ssl;
+ beentry->st_gss = gss;
+
+#ifdef USE_SSL
+ memcpy(st_sslstatus, &lsslstatus, sizeof(PgBackendSSLStatus));
+#endif
+#ifdef ENABLE_GSS
+ memcpy(st_gssstatus, &lgssstatus, sizeof(PgBackendGSSStatus));
+#endif
+
+ PGSTAT_END_WRITE_ACTIVITY(beentry);
+}
+
+/*
+ * Finalizes the startup pgstat entry by filling in the user/database IDs,
+ * clearing STATE_STARTING, and reporting the application_name.
+ *
+ * We must be inside a transaction if this isn't an aux process, as we may need
+ * to do encoding conversion.
+ */
+void
+pgstat_bestart_final(void)
+{
+ volatile PgBackendStatus *beentry = MyBEEntry;
+ Oid userid;
+
+ /* pgstats state must be initialized from pgstat_beinit() */
+ Assert(beentry != NULL);
+
+ /* We have userid for client-backends, wal-sender and bgworker processes */
+ if (MyBackendType == B_BACKEND
+ || MyBackendType == B_WAL_SENDER
+ || MyBackendType == B_BG_WORKER)
+ userid = GetSessionUserId();
+ else
+ userid = InvalidOid;
+
+ /*
+ * Update my status entry, following the protocol of bumping
+ * st_changecount before and after. We use a volatile pointer here to
+ * ensure the compiler doesn't try to get cute.
+ */
+ PGSTAT_BEGIN_WRITE_ACTIVITY(beentry);
+
+ beentry->st_databaseid = MyDatabaseId;
+ beentry->st_userid = userid;
+ beentry->st_state = STATE_UNDEFINED;
+
+ PGSTAT_END_WRITE_ACTIVITY(beentry);
/* Create the backend statistics entry */
if (pgstat_tracks_backend_bktype(MyBackendType))
pgstat_create_backend(MyProcNumber);
/* Update app name to current GUC setting */
+ /* TODO: ask the list: maybe do this before setting STATE_UNDEFINED? */
if (application_name)
pgstat_report_appname(application_name);
}
diff --git a/src/backend/utils/adt/pgstatfuncs.c b/src/backend/utils/adt/pgstatfuncs.c
index e9096a88492..c754a31253d 100644
--- a/src/backend/utils/adt/pgstatfuncs.c
+++ b/src/backend/utils/adt/pgstatfuncs.c
@@ -393,6 +393,9 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
switch (beentry->st_state)
{
+ case STATE_STARTING:
+ values[4] = CStringGetTextDatum("starting");
+ break;
case STATE_IDLE:
values[4] = CStringGetTextDatum("idle");
break;
diff --git a/src/backend/utils/init/postinit.c b/src/backend/utils/init/postinit.c
index 01bb6a410cb..62364f6b767 100644
--- a/src/backend/utils/init/postinit.c
+++ b/src/backend/utils/init/postinit.c
@@ -58,6 +58,7 @@
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/guc_hooks.h"
+#include "utils/injection_point.h"
#include "utils/memutils.h"
#include "utils/pg_locale.h"
#include "utils/portal.h"
@@ -717,6 +718,23 @@ InitPostgres(const char *in_dbname, Oid dboid,
*/
InitProcessPhase2();
+ /* Initialize status reporting */
+ pgstat_beinit();
+
+ /*
+ * This is a convenient time to sketch in a partial pgstat entry. That
+ * way, if LWLocks or third-party authentication should happen to hang,
+ * the DBA will still be able to see what's going on.
+ */
+ if (!bootstrap)
+ {
+ pgstat_bestart_initial();
+ if (MyProcPort)
+ pgstat_bestart_security(); /* fill in any SSL/GSS info too */
+
+ INJECTION_POINT("init-pre-auth");
+ }
+
/*
* Initialize my entry in the shared-invalidation manager's array of
* per-backend data.
@@ -785,9 +803,6 @@ InitPostgres(const char *in_dbname, Oid dboid,
/* Initialize portal manager */
EnablePortalManager();
- /* Initialize status reporting */
- pgstat_beinit();
-
/*
* Load relcache entries for the shared system catalogs. This must create
* at least entries for pg_database and catalogs used for authentication.
@@ -808,8 +823,8 @@ InitPostgres(const char *in_dbname, Oid dboid,
/* The autovacuum launcher is done here */
if (AmAutoVacuumLauncherProcess())
{
- /* report this backend in the PgBackendStatus array */
- pgstat_bestart();
+ /* fill in the remainder of the PgBackendStatus array */
+ pgstat_bestart_final();
return;
}
@@ -874,6 +889,7 @@ InitPostgres(const char *in_dbname, Oid dboid,
{
/* normal multiuser case */
Assert(MyProcPort != NULL);
+
PerformAuthentication(MyProcPort);
InitializeSessionUserId(username, useroid, false);
/* ensure that auth_method is actually valid, aka authn_id is not NULL */
@@ -881,6 +897,12 @@ InitPostgres(const char *in_dbname, Oid dboid,
InitializeSystemUser(MyClientConnectionInfo.authn_id,
hba_authname(MyClientConnectionInfo.auth_method));
am_superuser = superuser();
+
+ /*
+ * Authentication may have changed SSL/GSS details for the session, so
+ * report it again.
+ */
+ pgstat_bestart_security();
}
/*
@@ -952,8 +974,8 @@ InitPostgres(const char *in_dbname, Oid dboid,
/* initialize client encoding */
InitializeClientEncoding();
- /* report this backend in the PgBackendStatus array */
- pgstat_bestart();
+ /* fill in the remainder of the PgBackendStatus array */
+ pgstat_bestart_final();
/* close the transaction we started above */
CommitTransactionCommand();
@@ -996,7 +1018,7 @@ InitPostgres(const char *in_dbname, Oid dboid,
*/
if (!bootstrap)
{
- pgstat_bestart();
+ pgstat_bestart_final();
CommitTransactionCommand();
}
return;
@@ -1196,9 +1218,9 @@ InitPostgres(const char *in_dbname, Oid dboid,
if ((flags & INIT_PG_LOAD_SESSION_LIBS) != 0)
process_session_preload_libraries();
- /* report this backend in the PgBackendStatus array */
+ /* fill in the remainder of the PgBackendStatus array */
if (!bootstrap)
- pgstat_bestart();
+ pgstat_bestart_final();
/* close the transaction we started above */
if (!bootstrap)
diff --git a/src/include/utils/backend_status.h b/src/include/utils/backend_status.h
index d3d4ff6c5c9..1c9b4fe14d0 100644
--- a/src/include/utils/backend_status.h
+++ b/src/include/utils/backend_status.h
@@ -24,6 +24,7 @@
typedef enum BackendState
{
STATE_UNDEFINED,
+ STATE_STARTING,
STATE_IDLE,
STATE_RUNNING,
STATE_IDLEINTRANSACTION,
@@ -309,7 +310,9 @@ extern void BackendStatusShmemInit(void);
/* Initialization functions */
extern void pgstat_beinit(void);
-extern void pgstat_bestart(void);
+extern void pgstat_bestart_initial(void);
+extern void pgstat_bestart_security(void);
+extern void pgstat_bestart_final(void);
extern void pgstat_clear_backend_activity_snapshot(void);
diff --git a/src/test/authentication/Makefile b/src/test/authentication/Makefile
index c4022dc829b..8b5beced080 100644
--- a/src/test/authentication/Makefile
+++ b/src/test/authentication/Makefile
@@ -13,6 +13,10 @@ subdir = src/test/authentication
top_builddir = ../../..
include $(top_builddir)/src/Makefile.global
+EXTRA_INSTALL = src/test/modules/injection_points
+
+export enable_injection_points
+
check:
$(prove_check)
diff --git a/src/test/authentication/meson.build b/src/test/authentication/meson.build
index f6e48411c11..800b3a5ff40 100644
--- a/src/test/authentication/meson.build
+++ b/src/test/authentication/meson.build
@@ -5,6 +5,9 @@ tests += {
'sd': meson.current_source_dir(),
'bd': meson.current_build_dir(),
'tap': {
+ 'env': {
+ 'enable_injection_points': get_option('injection_points') ? 'yes' : 'no',
+ },
'tests': [
't/001_password.pl',
't/002_saslprep.pl',
@@ -12,6 +15,7 @@ tests += {
't/004_file_inclusion.pl',
't/005_sspi.pl',
't/006_login_trigger.pl',
+ 't/007_pre_auth.pl',
],
},
}
diff --git a/src/test/authentication/t/007_pre_auth.pl b/src/test/authentication/t/007_pre_auth.pl
new file mode 100644
index 00000000000..a638226dbaf
--- /dev/null
+++ b/src/test/authentication/t/007_pre_auth.pl
@@ -0,0 +1,81 @@
+
+# Copyright (c) 2021-2025, PostgreSQL Global Development Group
+
+# Tests for connection behavior prior to authentication.
+
+use strict;
+use warnings FATAL => 'all';
+
+use PostgreSQL::Test::Cluster;
+use PostgreSQL::Test::Utils;
+use Time::HiRes qw(usleep);
+use Test::More;
+
+if ($ENV{enable_injection_points} ne 'yes')
+{
+ plan skip_all => 'Injection points not supported by this build';
+}
+
+my $node = PostgreSQL::Test::Cluster->new('primary');
+$node->init;
+$node->append_conf(
+ 'postgresql.conf', q[
+log_connections = on
+]);
+
+$node->start;
+
+# Check if the extension injection_points is available, as it may be
+# possible that this script is run with installcheck, where the module
+# would not be installed by default.
+if (!$node->check_extension('injection_points'))
+{
+ plan skip_all => 'Extension injection_points not installed';
+}
+
+$node->safe_psql('postgres', 'CREATE EXTENSION injection_points');
+
+# Connect to the server and inject a waitpoint.
+my $psql = $node->background_psql('postgres');
+$psql->query_safe("SELECT injection_points_attach('init-pre-auth', 'wait')");
+
+# From this point on, all new connections will hang during startup, just before
+# authentication. Use the $psql connection handle for server interaction.
+my $conn = $node->background_psql('postgres', wait => 0);
+
+# Wait for the connection to show up.
+my $pid;
+while (1)
+{
+ $pid = $psql->query(
+ "SELECT pid FROM pg_stat_activity WHERE state = 'starting';");
+ last if $pid ne "";
+
+ usleep(100_000);
+}
+
+note "backend $pid is authenticating";
+ok(1, 'authenticating connections are recorded in pg_stat_activity');
+
+# Detach the waitpoint and wait for the connection to complete.
+$psql->query_safe("SELECT injection_points_wakeup('init-pre-auth');");
+$conn->wait_connect();
+
+# Make sure the pgstat entry is updated eventually.
+while (1)
+{
+ my $state =
+ $psql->query("SELECT state FROM pg_stat_activity WHERE pid = $pid;");
+ last if $state eq "idle";
+
+ note "state for backend $pid is '$state'; waiting for 'idle'...";
+ usleep(100_000);
+}
+
+ok(1, 'authenticated connections reach idle state in pg_stat_activity');
+
+$psql->query_safe("SELECT injection_points_detach('init-pre-auth');");
+$psql->quit();
+$conn->quit();
+
+done_testing();
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index e8a1639db2d..2d800c4a254 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -10,12 +10,13 @@
#-------------------------------------------------------------------------
EXTRA_INSTALL = contrib/sslinfo
+EXTRA_INSTALL += src/test/modules/injection_points
subdir = src/test/ssl
top_builddir = ../../..
include $(top_builddir)/src/Makefile.global
-export OPENSSL with_ssl
+export OPENSSL enable_injection_points with_ssl
# The sslfiles targets are separated into their own file due to interactions
# with settings in Makefile.global.
diff --git a/src/test/ssl/meson.build b/src/test/ssl/meson.build
index cf8b2b9303a..5ba8bdb373d 100644
--- a/src/test/ssl/meson.build
+++ b/src/test/ssl/meson.build
@@ -6,6 +6,7 @@ tests += {
'bd': meson.current_build_dir(),
'tap': {
'env': {
+ 'enable_injection_points': get_option('injection_points') ? 'yes' : 'no',
'with_ssl': ssl_library,
'OPENSSL': openssl.found() ? openssl.path() : '',
},
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 5422511d4ab..4d1ab3493db 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -7,6 +7,7 @@ use Config qw ( %Config );
use PostgreSQL::Test::Cluster;
use PostgreSQL::Test::Utils;
use Test::More;
+use Time::HiRes qw(usleep);
use FindBin;
use lib $FindBin::RealBin;
@@ -71,6 +72,23 @@ $node->start;
my $result = $node->safe_psql('postgres', "SHOW ssl_library");
is($result, $ssl_server->ssl_library(), 'ssl_library parameter');
+my $injection_points_unavailable = '';
+if ($ENV{enable_injection_points} ne 'yes')
+{
+ $injection_points_unavailable =
+ 'Injection points not supported by this build';
+}
+elsif (!$node->check_extension('injection_points'))
+{
+ $injection_points_unavailable =
+ 'Extension injection_points not installed';
+}
+else
+{
+ # For ease of setup, make injection_points available for all new databases.
+ $node->safe_psql('template1', 'CREATE EXTENSION injection_points');
+}
+
$ssl_server->configure_test_server_for_ssl($node, $SERVERHOSTADDR,
$SERVERHOSTCIDR, 'trust');
@@ -556,6 +574,53 @@ command_like(
^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_\r?$}mx,
'pg_stat_ssl view without client certificate');
+# Test that pg_stat_ssl gets filled in early, prior to authentication. Requires
+# injection point support.
+SKIP:
+{
+ skip $injection_points_unavailable, 1 if $injection_points_unavailable;
+
+ # Connect to the server and inject a waitpoint.
+ my $psql =
+ $node->background_psql('trustdb', connstr => "$common_connstr user=");
+ $psql->query_safe(
+ "SELECT injection_points_attach('init-pre-auth', 'wait')");
+
+ # From this point on, all new connections will hang during startup, just
+ # before authentication. Use the $psql connection handle for server
+ # interaction.
+ my $conn = $node->background_psql(
+ 'trustdb',
+ connstr => $common_connstr,
+ wait => 0);
+
+ # Wait for the connection to show up.
+ my $pid;
+ while (1)
+ {
+ $pid = $psql->query(
+ "SELECT pid FROM pg_stat_activity WHERE state = 'starting' AND client_addr IS NOT NULL;");
+ last if $pid ne "";
+
+ usleep(100_000);
+ }
+
+ like(
+ $psql->query(
+ "SELECT ssl, version, cipher, bits FROM pg_stat_ssl WHERE pid = $pid"
+ ),
+ qr/^t\|TLSv[\d.]+\|[\w-]+\|\d+$/,
+ 'pg_stat_ssl view is updated prior to authentication');
+
+ # Detach the waitpoint and wait for the connection to complete.
+ $psql->query_safe("SELECT injection_points_wakeup('init-pre-auth');");
+ $conn->wait_connect();
+
+ $psql->query_safe("SELECT injection_points_detach('init-pre-auth');");
+ $psql->quit();
+ $conn->quit();
+}
+
# Test min/max SSL protocol versions.
$node->connect_ok(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.2",
--
2.34.1