From: Fatih Acar Date: Mon, 26 Sep 2022 15:27:11 +0000 (+0200) Subject: BUG/MINOR: checks: update pgsql regex on auth packet X-Git-Tag: v2.7-dev8~81 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0d6fb7a3eb0a9754348ec15be14a017a1c84df0f;p=thirdparty%2Fhaproxy.git BUG/MINOR: checks: update pgsql regex on auth packet This patch adds support to the following authentication methods: - AUTH_REQ_GSS (7) - AUTH_REQ_SSPI (9) - AUTH_REQ_SASL (10) Note that since AUTH_REQ_SASL allows multiple authentication mechanisms such as SCRAM-SHA-256 or SCRAM-SHA-256-PLUS, the auth payload length may vary since the method is sent in plaintext. In order to allow this, the regex now matches any payload length. This partially fixes Github issue #1508 since user authentication is still broken but should restore pre-2.2 behavior. This should be backported up to 2.2. Signed-off-by: Fatih Acar --- diff --git a/reg-tests/checks/pgsql-check.vtc b/reg-tests/checks/pgsql-check.vtc index 417932ee9b..2c9c65b0e0 100644 --- a/reg-tests/checks/pgsql-check.vtc +++ b/reg-tests/checks/pgsql-check.vtc @@ -23,6 +23,11 @@ server s3 { send "Not a PostgreSQL response" } -start +server s4 { + recv 23 + sendhex "52000000170000000A534352414D2D5348412D3235360000" +} -start + syslog S1 -level notice { recv expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be1/srv succeeded, reason: Layer7 check passed.+info: \"PostgreSQL server is ok\".+check duration: [[:digit:]]+ms, status: 1/1 UP." @@ -38,6 +43,10 @@ syslog S3 -level notice { expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be3/srv failed, reason: Layer7 wrong status.+info: \"PostgreSQL unknown error\".+check duration: [[:digit:]]+ms, status: 0/1 DOWN." } -start +syslog S4 -level notice { + recv + expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be4/srv succeeded, reason: Layer7 check passed.+info: \"PostgreSQL server is ok\".+check duration: [[:digit:]]+ms, status: 1/1 UP." +} -start haproxy h1 -conf { defaults 
@@ -64,6 +73,12 @@ haproxy h1 -conf { option pgsql-check user postgres server srv ${s3_addr}:${s3_port} check inter 1s rise 1 fall 1 + backend be4 + log ${S4_addr}:${S4_port} daemon + option log-health-checks + option pgsql-check user postgres + server srv ${s4_addr}:${s4_port} check inter 1s rise 1 fall 1 + listen pgsql1 bind "fd@${pgsql}" tcp-request inspect-delay 100ms @@ -75,3 +90,4 @@ haproxy h1 -conf { syslog S1 -wait syslog S2 -wait syslog S3 -wait +syslog S4 -wait diff --git a/src/tcpcheck.c b/src/tcpcheck.c index 5ef1c69cbd..366a8d09cd 100644 --- a/src/tcpcheck.c +++ b/src/tcpcheck.c @@ -4517,7 +4517,7 @@ int proxy_parse_pgsql_check_opt(char **args, int cur_arg, struct proxy *curpx, c chk->index = 2; LIST_APPEND(&rs->rules, &chk->list); - chk = parse_tcpcheck_expect((char *[]){"tcp-check", "expect", "rbinary", "^52000000(08|0A|0C)000000(00|02|03|04|05|06)", + chk = parse_tcpcheck_expect((char *[]){"tcp-check", "expect", "rbinary", "^52000000[A-Z0-9]{2}000000(00|02|03|04|05|06|07|09|0A)", "min-recv", "9", "error-status", "L7STS", "on-success", "PostgreSQL server is ok",
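Review bot: In reg-tests/checks/pgsql-check.vtc, the new `server s4` block exercises only one of the three authentication codes the commit message lists. Its `sendhex` payload decodes to 'R', length 0x17 (23), auth code 0x0000000A (AUTH_REQ_SASL), then "SCRAM-SHA-256" followed by two NUL bytes, so codes 07 (AUTH_REQ_GSS) and 09 (AUTH_REQ_SSPI) are added to the regex without a test. Consider adding a server for each of those, plus one SASL reply with a different length byte (for example a mechanism list that also carries SCRAM-SHA-256-PLUS), since the variable length is the stated reason for loosening the pattern. A short comment above the `sendhex` line decoding the bytes would also save the next reader from doing it by hand.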
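Review bot: In src/tcpcheck.c, the length byte in the new `rbinary` pattern is matched with `[A-Z0-9]{2}`, which also accepts G through Z, characters that cannot appear in a hex-encoded byte; `[0-9A-F]{2}` states the intent exactly. The change also relaxes the length for every auth code, not only `0A`: the old pattern tied codes 00 to 06 to the lengths `(08|0A|0C)`, and that check is now gone for them as well. Consider keeping the fixed lengths for the fixed-size codes and allowing a free length byte only together with `0A`. Finally, the commit message says the regex matches any payload length, but the three high length bytes are still pinned to `000000`, so only lengths up to 0xFF match; a one-line comment next to the pattern noting that limit would make it explicit.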