From 81a61854bdf419d045c4b82896b8889938e41184 Mon Sep 17 00:00:00 2001 From: Jacob Champion Date: Fri, 3 May 2024 15:54:58 -0700 Subject: [PATCH v8 1/3] pgstat: report in earlier with STATE_STARTING Split pgstat_bestart() into three phases for better observability: 1) pgstat_bestart_initial() reports a 'starting' state while waiting for backend initialization and client authentication to complete. Since we hold a transaction open for a good amount of that, and some authentication methods call out to external systems, having an early pg_stat_activity entry helps DBAs debug when things go badly wrong. 2) pgstat_bestart_security() reports the SSL/GSS status of the connection. Some backends don't call this at all; others call it twice, once after transport establishment and once after client authentication. 3) pgstat_bestart_final() reports the user and database IDs, takes the entry out of STATE_STARTING, and reports the application_name. TODO: should the order of those last two be swapped? --- doc/src/sgml/monitoring.sgml | 6 + src/backend/postmaster/auxprocess.c | 3 +- src/backend/utils/activity/backend_status.c | 207 +++++++++++++------- src/backend/utils/adt/pgstatfuncs.c | 3 + src/backend/utils/init/postinit.c | 42 +++- src/include/utils/backend_status.h | 5 +- src/test/authentication/Makefile | 4 + src/test/authentication/meson.build | 4 + src/test/authentication/t/007_pre_auth.pl | 81 ++++++++ src/test/ssl/Makefile | 3 +- src/test/ssl/meson.build | 1 + src/test/ssl/t/001_ssltests.pl | 65 ++++++ 12 files changed, 335 insertions(+), 89 deletions(-) create mode 100644 src/test/authentication/t/007_pre_auth.pl diff --git a/doc/src/sgml/monitoring.sgml b/doc/src/sgml/monitoring.sgml index edc2470bcf9..dcb2d77adec 100644 --- a/doc/src/sgml/monitoring.sgml +++ b/doc/src/sgml/monitoring.sgml @@ -899,6 +899,12 @@ postgres 27093 0.0 0.0 30096 2752 ? Ss 11:34 0:00 postgres: ser Current overall state of this backend. Possible values are: + + + starting: The backend is in initial startup. Client + authentication is performed during this phase. + + active: The backend is executing a query. diff --git a/src/backend/postmaster/auxprocess.c b/src/backend/postmaster/auxprocess.c index ff366ceb0fc..4f6795f7265 100644 --- a/src/backend/postmaster/auxprocess.c +++ b/src/backend/postmaster/auxprocess.c @@ -78,7 +78,8 @@ AuxiliaryProcessMainCommon(void) /* Initialize backend status information */ pgstat_beinit(); - pgstat_bestart(); + pgstat_bestart_initial(); + pgstat_bestart_final(); /* register a before-shutdown callback for LWLock cleanup */ before_shmem_exit(ShutdownAuxiliaryProcess, 0); diff --git a/src/backend/utils/activity/backend_status.c b/src/backend/utils/activity/backend_status.c index 731342799a6..f08b41054bb 100644 --- a/src/backend/utils/activity/backend_status.c +++ b/src/backend/utils/activity/backend_status.c @@ -253,31 +253,18 @@ pgstat_beinit(void) on_shmem_exit(pgstat_beshutdown_hook, 0); } - -/* ---------- - * pgstat_bestart() - - * - * Initialize this backend's entry in the PgBackendStatus array. - * Called from InitPostgres. - * - * Apart from auxiliary processes, MyDatabaseId, session userid, and - * application_name must already be set (hence, this cannot be combined - * with pgstat_beinit). Note also that we must be inside a transaction - * if this isn't an aux process, as we may need to do encoding conversion - * on some strings. - *---------- +/* + * Clears out a new pgstat entry, initializing it to suitable defaults and + * reporting STATE_STARTING. Backends should continue filling in any transport + * security details as needed with pgstat_bestart_security(), and must finally + * exit STATE_STARTING by calling pgstat_bestart_final(), once user and database + * IDs have been determined. */ void -pgstat_bestart(void) +pgstat_bestart_initial(void) { volatile PgBackendStatus *vbeentry = MyBEEntry; PgBackendStatus lbeentry; -#ifdef USE_SSL - PgBackendSSLStatus lsslstatus; -#endif -#ifdef ENABLE_GSS - PgBackendGSSStatus lgssstatus; -#endif /* pgstats state must be initialized from pgstat_beinit() */ Assert(vbeentry != NULL); @@ -297,14 +284,6 @@ pgstat_bestart(void) unvolatize(PgBackendStatus *, vbeentry), sizeof(PgBackendStatus)); - /* These structs can just start from zeroes each time, though */ -#ifdef USE_SSL - memset(&lsslstatus, 0, sizeof(lsslstatus)); -#endif -#ifdef ENABLE_GSS - memset(&lgssstatus, 0, sizeof(lgssstatus)); -#endif - /* * Now fill in all the fields of lbeentry, except for strings that are * out-of-line data. Those have to be handled separately, below. @@ -315,15 +294,8 @@ pgstat_bestart(void) lbeentry.st_activity_start_timestamp = 0; lbeentry.st_state_start_timestamp = 0; lbeentry.st_xact_start_timestamp = 0; - lbeentry.st_databaseid = MyDatabaseId; - - /* We have userid for client-backends, wal-sender and bgworker processes */ - if (lbeentry.st_backendType == B_BACKEND - || lbeentry.st_backendType == B_WAL_SENDER - || lbeentry.st_backendType == B_BG_WORKER) - lbeentry.st_userid = GetSessionUserId(); - else - lbeentry.st_userid = InvalidOid; + lbeentry.st_databaseid = InvalidOid; + lbeentry.st_userid = InvalidOid; /* * We may not have a MyProcPort (eg, if this is the autovacuum process). @@ -336,46 +308,10 @@ pgstat_bestart(void) else MemSet(&lbeentry.st_clientaddr, 0, sizeof(lbeentry.st_clientaddr)); -#ifdef USE_SSL - if (MyProcPort && MyProcPort->ssl_in_use) - { - lbeentry.st_ssl = true; - lsslstatus.ssl_bits = be_tls_get_cipher_bits(MyProcPort); - strlcpy(lsslstatus.ssl_version, be_tls_get_version(MyProcPort), NAMEDATALEN); - strlcpy(lsslstatus.ssl_cipher, be_tls_get_cipher(MyProcPort), NAMEDATALEN); - be_tls_get_peer_subject_name(MyProcPort, lsslstatus.ssl_client_dn, NAMEDATALEN); - be_tls_get_peer_serial(MyProcPort, lsslstatus.ssl_client_serial, NAMEDATALEN); - be_tls_get_peer_issuer_name(MyProcPort, lsslstatus.ssl_issuer_dn, NAMEDATALEN); - } - else - { - lbeentry.st_ssl = false; - } -#else lbeentry.st_ssl = false; -#endif - -#ifdef ENABLE_GSS - if (MyProcPort && MyProcPort->gss != NULL) - { - const char *princ = be_gssapi_get_princ(MyProcPort); - - lbeentry.st_gss = true; - lgssstatus.gss_auth = be_gssapi_get_auth(MyProcPort); - lgssstatus.gss_enc = be_gssapi_get_enc(MyProcPort); - lgssstatus.gss_delegation = be_gssapi_get_delegation(MyProcPort); - if (princ) - strlcpy(lgssstatus.gss_princ, princ, NAMEDATALEN); - } - else - { - lbeentry.st_gss = false; - } -#else lbeentry.st_gss = false; -#endif - lbeentry.st_state = STATE_UNDEFINED; + lbeentry.st_state = STATE_STARTING; lbeentry.st_progress_command = PROGRESS_COMMAND_INVALID; lbeentry.st_progress_command_target = InvalidOid; lbeentry.st_query_id = UINT64CONST(0); @@ -417,20 +353,139 @@ pgstat_bestart(void) lbeentry.st_clienthostname[NAMEDATALEN - 1] = '\0'; lbeentry.st_activity_raw[pgstat_track_activity_query_size - 1] = '\0'; + /* These structs can just start from zeroes each time */ #ifdef USE_SSL - memcpy(lbeentry.st_sslstatus, &lsslstatus, sizeof(PgBackendSSLStatus)); + memset(lbeentry.st_sslstatus, 0, sizeof(PgBackendSSLStatus)); #endif #ifdef ENABLE_GSS - memcpy(lbeentry.st_gssstatus, &lgssstatus, sizeof(PgBackendGSSStatus)); + memset(lbeentry.st_gssstatus, 0, sizeof(PgBackendGSSStatus)); #endif PGSTAT_END_WRITE_ACTIVITY(vbeentry); +} + +/* + * Fill in SSL and GSS information for the pgstat entry. This is separate from + * pgstat_bestart_initial() so that backends may call it multiple times as + * security details are filled in. + * + * This should only be called from backends with a MyProcPort. + */ +void +pgstat_bestart_security(void) +{ + volatile PgBackendStatus *beentry = MyBEEntry; + bool ssl = false; + bool gss = false; +#ifdef USE_SSL + PgBackendSSLStatus lsslstatus; + PgBackendSSLStatus *st_sslstatus; +#endif +#ifdef ENABLE_GSS + PgBackendGSSStatus lgssstatus; + PgBackendGSSStatus *st_gssstatus; +#endif + + /* pgstats state must be initialized from pgstat_beinit() */ + Assert(beentry != NULL); + Assert(MyProcPort); /* otherwise there's no point */ + +#ifdef USE_SSL + st_sslstatus = beentry->st_sslstatus; + memset(&lsslstatus, 0, sizeof(lsslstatus)); + + if (MyProcPort->ssl_in_use) + { + ssl = true; + lsslstatus.ssl_bits = be_tls_get_cipher_bits(MyProcPort); + strlcpy(lsslstatus.ssl_version, be_tls_get_version(MyProcPort), NAMEDATALEN); + strlcpy(lsslstatus.ssl_cipher, be_tls_get_cipher(MyProcPort), NAMEDATALEN); + be_tls_get_peer_subject_name(MyProcPort, lsslstatus.ssl_client_dn, NAMEDATALEN); + be_tls_get_peer_serial(MyProcPort, lsslstatus.ssl_client_serial, NAMEDATALEN); + be_tls_get_peer_issuer_name(MyProcPort, lsslstatus.ssl_issuer_dn, NAMEDATALEN); + } +#endif + +#ifdef ENABLE_GSS + st_gssstatus = beentry->st_gssstatus; + memset(&lgssstatus, 0, sizeof(lgssstatus)); + + if (MyProcPort->gss != NULL) + { + const char *princ = be_gssapi_get_princ(MyProcPort); + + gss = true; + lgssstatus.gss_auth = be_gssapi_get_auth(MyProcPort); + lgssstatus.gss_enc = be_gssapi_get_enc(MyProcPort); + lgssstatus.gss_delegation = be_gssapi_get_delegation(MyProcPort); + if (princ) + strlcpy(lgssstatus.gss_princ, princ, NAMEDATALEN); + } +#endif + + /* + * Update my status entry, following the protocol of bumping + * st_changecount before and after. We use a volatile pointer here to + * ensure the compiler doesn't try to get cute. + */ + PGSTAT_BEGIN_WRITE_ACTIVITY(beentry); + + beentry->st_ssl = ssl; + beentry->st_gss = gss; + +#ifdef USE_SSL + memcpy(st_sslstatus, &lsslstatus, sizeof(PgBackendSSLStatus)); +#endif +#ifdef ENABLE_GSS + memcpy(st_gssstatus, &lgssstatus, sizeof(PgBackendGSSStatus)); +#endif + + PGSTAT_END_WRITE_ACTIVITY(beentry); +} + +/* + * Finalizes the startup pgstat entry by filling in the user/database IDs, + * clearing STATE_STARTING, and reporting the application_name. + * + * We must be inside a transaction if this isn't an aux process, as we may need + * to do encoding conversion. + */ +void +pgstat_bestart_final(void) +{ + volatile PgBackendStatus *beentry = MyBEEntry; + Oid userid; + + /* pgstats state must be initialized from pgstat_beinit() */ + Assert(beentry != NULL); + + /* We have userid for client-backends, wal-sender and bgworker processes */ + if (MyBackendType == B_BACKEND + || MyBackendType == B_WAL_SENDER + || MyBackendType == B_BG_WORKER) + userid = GetSessionUserId(); + else + userid = InvalidOid; + + /* + * Update my status entry, following the protocol of bumping + * st_changecount before and after. We use a volatile pointer here to + * ensure the compiler doesn't try to get cute. + */ + PGSTAT_BEGIN_WRITE_ACTIVITY(beentry); + + beentry->st_databaseid = MyDatabaseId; + beentry->st_userid = userid; + beentry->st_state = STATE_UNDEFINED; + + PGSTAT_END_WRITE_ACTIVITY(beentry); /* Create the backend statistics entry */ if (pgstat_tracks_backend_bktype(MyBackendType)) pgstat_create_backend(MyProcNumber); /* Update app name to current GUC setting */ + /* TODO: ask the list: maybe do this before setting STATE_UNDEFINED? */ if (application_name) pgstat_report_appname(application_name); } diff --git a/src/backend/utils/adt/pgstatfuncs.c b/src/backend/utils/adt/pgstatfuncs.c index e9096a88492..c754a31253d 100644 --- a/src/backend/utils/adt/pgstatfuncs.c +++ b/src/backend/utils/adt/pgstatfuncs.c @@ -393,6 +393,9 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) switch (beentry->st_state) { + case STATE_STARTING: + values[4] = CStringGetTextDatum("starting"); + break; case STATE_IDLE: values[4] = CStringGetTextDatum("idle"); break; diff --git a/src/backend/utils/init/postinit.c b/src/backend/utils/init/postinit.c index 01bb6a410cb..62364f6b767 100644 --- a/src/backend/utils/init/postinit.c +++ b/src/backend/utils/init/postinit.c @@ -58,6 +58,7 @@ #include "utils/builtins.h" #include "utils/fmgroids.h" #include "utils/guc_hooks.h" +#include "utils/injection_point.h" #include "utils/memutils.h" #include "utils/pg_locale.h" #include "utils/portal.h" @@ -717,6 +718,23 @@ InitPostgres(const char *in_dbname, Oid dboid, */ InitProcessPhase2(); + /* Initialize status reporting */ + pgstat_beinit(); + + /* + * This is a convenient time to sketch in a partial pgstat entry. That + * way, if LWLocks or third-party authentication should happen to hang, + * the DBA will still be able to see what's going on. + */ + if (!bootstrap) + { + pgstat_bestart_initial(); + if (MyProcPort) + pgstat_bestart_security(); /* fill in any SSL/GSS info too */ + + INJECTION_POINT("init-pre-auth"); + } + /* * Initialize my entry in the shared-invalidation manager's array of * per-backend data. @@ -785,9 +803,6 @@ InitPostgres(const char *in_dbname, Oid dboid, /* Initialize portal manager */ EnablePortalManager(); - /* Initialize status reporting */ - pgstat_beinit(); - /* * Load relcache entries for the shared system catalogs. This must create * at least entries for pg_database and catalogs used for authentication. @@ -808,8 +823,8 @@ InitPostgres(const char *in_dbname, Oid dboid, /* The autovacuum launcher is done here */ if (AmAutoVacuumLauncherProcess()) { - /* report this backend in the PgBackendStatus array */ - pgstat_bestart(); + /* fill in the remainder of the PgBackendStatus array */ + pgstat_bestart_final(); return; } @@ -874,6 +889,7 @@ InitPostgres(const char *in_dbname, Oid dboid, { /* normal multiuser case */ Assert(MyProcPort != NULL); + PerformAuthentication(MyProcPort); InitializeSessionUserId(username, useroid, false); /* ensure that auth_method is actually valid, aka authn_id is not NULL */ @@ -881,6 +897,12 @@ InitPostgres(const char *in_dbname, Oid dboid, InitializeSystemUser(MyClientConnectionInfo.authn_id, hba_authname(MyClientConnectionInfo.auth_method)); am_superuser = superuser(); + + /* + * Authentication may have changed SSL/GSS details for the session, so + * report it again. + */ + pgstat_bestart_security(); } /* @@ -952,8 +974,8 @@ InitPostgres(const char *in_dbname, Oid dboid, /* initialize client encoding */ InitializeClientEncoding(); - /* report this backend in the PgBackendStatus array */ - pgstat_bestart(); + /* fill in the remainder of the PgBackendStatus array */ + pgstat_bestart_final(); /* close the transaction we started above */ CommitTransactionCommand(); @@ -996,7 +1018,7 @@ InitPostgres(const char *in_dbname, Oid dboid, */ if (!bootstrap) { - pgstat_bestart(); + pgstat_bestart_final(); CommitTransactionCommand(); } return; @@ -1196,9 +1218,9 @@ InitPostgres(const char *in_dbname, Oid dboid, if ((flags & INIT_PG_LOAD_SESSION_LIBS) != 0) process_session_preload_libraries(); - /* report this backend in the PgBackendStatus array */ + /* fill in the remainder of the PgBackendStatus array */ if (!bootstrap) - pgstat_bestart(); + pgstat_bestart_final(); /* close the transaction we started above */ if (!bootstrap) diff --git a/src/include/utils/backend_status.h b/src/include/utils/backend_status.h index d3d4ff6c5c9..1c9b4fe14d0 100644 --- a/src/include/utils/backend_status.h +++ b/src/include/utils/backend_status.h @@ -24,6 +24,7 @@ typedef enum BackendState { STATE_UNDEFINED, + STATE_STARTING, STATE_IDLE, STATE_RUNNING, STATE_IDLEINTRANSACTION, @@ -309,7 +310,9 @@ extern void BackendStatusShmemInit(void); /* Initialization functions */ extern void pgstat_beinit(void); -extern void pgstat_bestart(void); +extern void pgstat_bestart_initial(void); +extern void pgstat_bestart_security(void); +extern void pgstat_bestart_final(void); extern void pgstat_clear_backend_activity_snapshot(void); diff --git a/src/test/authentication/Makefile b/src/test/authentication/Makefile index c4022dc829b..8b5beced080 100644 --- a/src/test/authentication/Makefile +++ b/src/test/authentication/Makefile @@ -13,6 +13,10 @@ subdir = src/test/authentication top_builddir = ../../.. include $(top_builddir)/src/Makefile.global +EXTRA_INSTALL = src/test/modules/injection_points + +export enable_injection_points + check: $(prove_check) diff --git a/src/test/authentication/meson.build b/src/test/authentication/meson.build index f6e48411c11..800b3a5ff40 100644 --- a/src/test/authentication/meson.build +++ b/src/test/authentication/meson.build @@ -5,6 +5,9 @@ tests += { 'sd': meson.current_source_dir(), 'bd': meson.current_build_dir(), 'tap': { + 'env': { + 'enable_injection_points': get_option('injection_points') ? 'yes' : 'no', + }, 'tests': [ 't/001_password.pl', 't/002_saslprep.pl', @@ -12,6 +15,7 @@ tests += { 't/004_file_inclusion.pl', 't/005_sspi.pl', 't/006_login_trigger.pl', + 't/007_pre_auth.pl', ], }, } diff --git a/src/test/authentication/t/007_pre_auth.pl b/src/test/authentication/t/007_pre_auth.pl new file mode 100644 index 00000000000..a638226dbaf --- /dev/null +++ b/src/test/authentication/t/007_pre_auth.pl @@ -0,0 +1,81 @@ + +# Copyright (c) 2021-2025, PostgreSQL Global Development Group + +# Tests for connection behavior prior to authentication. + +use strict; +use warnings FATAL => 'all'; + +use PostgreSQL::Test::Cluster; +use PostgreSQL::Test::Utils; +use Time::HiRes qw(usleep); +use Test::More; + +if ($ENV{enable_injection_points} ne 'yes') +{ + plan skip_all => 'Injection points not supported by this build'; +} + +my $node = PostgreSQL::Test::Cluster->new('primary'); +$node->init; +$node->append_conf( + 'postgresql.conf', q[ +log_connections = on +]); + +$node->start; + +# Check if the extension injection_points is available, as it may be +# possible that this script is run with installcheck, where the module +# would not be installed by default. +if (!$node->check_extension('injection_points')) +{ + plan skip_all => 'Extension injection_points not installed'; +} + +$node->safe_psql('postgres', 'CREATE EXTENSION injection_points'); + +# Connect to the server and inject a waitpoint. +my $psql = $node->background_psql('postgres'); +$psql->query_safe("SELECT injection_points_attach('init-pre-auth', 'wait')"); + +# From this point on, all new connections will hang during startup, just before +# authentication. Use the $psql connection handle for server interaction. +my $conn = $node->background_psql('postgres', wait => 0); + +# Wait for the connection to show up. +my $pid; +while (1) +{ + $pid = $psql->query( + "SELECT pid FROM pg_stat_activity WHERE state = 'starting';"); + last if $pid ne ""; + + usleep(100_000); +} + +note "backend $pid is authenticating"; +ok(1, 'authenticating connections are recorded in pg_stat_activity'); + +# Detach the waitpoint and wait for the connection to complete. +$psql->query_safe("SELECT injection_points_wakeup('init-pre-auth');"); +$conn->wait_connect(); + +# Make sure the pgstat entry is updated eventually. +while (1) +{ + my $state = + $psql->query("SELECT state FROM pg_stat_activity WHERE pid = $pid;"); + last if $state eq "idle"; + + note "state for backend $pid is '$state'; waiting for 'idle'..."; + usleep(100_000); +} + +ok(1, 'authenticated connections reach idle state in pg_stat_activity'); + +$psql->query_safe("SELECT injection_points_detach('init-pre-auth');"); +$psql->quit(); +$conn->quit(); + +done_testing(); diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile index e8a1639db2d..2d800c4a254 100644 --- a/src/test/ssl/Makefile +++ b/src/test/ssl/Makefile @@ -10,12 +10,13 @@ #------------------------------------------------------------------------- EXTRA_INSTALL = contrib/sslinfo +EXTRA_INSTALL += src/test/modules/injection_points subdir = src/test/ssl top_builddir = ../../.. include $(top_builddir)/src/Makefile.global -export OPENSSL with_ssl +export OPENSSL enable_injection_points with_ssl # The sslfiles targets are separated into their own file due to interactions # with settings in Makefile.global. diff --git a/src/test/ssl/meson.build b/src/test/ssl/meson.build index cf8b2b9303a..5ba8bdb373d 100644 --- a/src/test/ssl/meson.build +++ b/src/test/ssl/meson.build @@ -6,6 +6,7 @@ tests += { 'bd': meson.current_build_dir(), 'tap': { 'env': { + 'enable_injection_points': get_option('injection_points') ? 'yes' : 'no', 'with_ssl': ssl_library, 'OPENSSL': openssl.found() ? openssl.path() : '', }, diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index 5422511d4ab..4d1ab3493db 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -7,6 +7,7 @@ use Config qw ( %Config ); use PostgreSQL::Test::Cluster; use PostgreSQL::Test::Utils; use Test::More; +use Time::HiRes qw(usleep); use FindBin; use lib $FindBin::RealBin; @@ -71,6 +72,23 @@ $node->start; my $result = $node->safe_psql('postgres', "SHOW ssl_library"); is($result, $ssl_server->ssl_library(), 'ssl_library parameter'); +my $injection_points_unavailable = ''; +if ($ENV{enable_injection_points} ne 'yes') +{ + $injection_points_unavailable = + 'Injection points not supported by this build'; +} +elsif (!$node->check_extension('injection_points')) +{ + $injection_points_unavailable = + 'Extension injection_points not installed'; +} +else +{ + # For ease of setup, make injection_points available for all new databases. + $node->safe_psql('template1', 'CREATE EXTENSION injection_points'); +} + $ssl_server->configure_test_server_for_ssl($node, $SERVERHOSTADDR, $SERVERHOSTCIDR, 'trust'); @@ -556,6 +574,53 @@ command_like( ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_\r?$}mx, 'pg_stat_ssl view without client certificate'); +# Test that pg_stat_ssl gets filled in early, prior to authentication. Requires +# injection point support. +SKIP: +{ + skip $injection_points_unavailable, 1 if $injection_points_unavailable; + + # Connect to the server and inject a waitpoint. + my $psql = + $node->background_psql('trustdb', connstr => "$common_connstr user="); + $psql->query_safe( + "SELECT injection_points_attach('init-pre-auth', 'wait')"); + + # From this point on, all new connections will hang during startup, just + # before authentication. Use the $psql connection handle for server + # interaction. + my $conn = $node->background_psql( + 'trustdb', + connstr => $common_connstr, + wait => 0); + + # Wait for the connection to show up. + my $pid; + while (1) + { + $pid = $psql->query( + "SELECT pid FROM pg_stat_activity WHERE state = 'starting' AND client_addr IS NOT NULL;"); + last if $pid ne ""; + + usleep(100_000); + } + + like( + $psql->query( + "SELECT ssl, version, cipher, bits FROM pg_stat_ssl WHERE pid = $pid" + ), + qr/^t\|TLSv[\d.]+\|[\w-]+\|\d+$/, + 'pg_stat_ssl view is updated prior to authentication'); + + # Detach the waitpoint and wait for the connection to complete. + $psql->query_safe("SELECT injection_points_wakeup('init-pre-auth');"); + $conn->wait_connect(); + + $psql->query_safe("SELECT injection_points_detach('init-pre-auth');"); + $psql->quit(); + $conn->quit(); +} + # Test min/max SSL protocol versions. $node->connect_ok( "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.2", -- 2.34.1