test(auth): add tests for SHA256 authentication

- Adjust CI to create a user for SHA256 auth testing
- Add new integration tests for the SHA256
- Add new unit tests for SHA256

Author: happy-game

.github/workflows/ci.yml

@@ -56,16 +56,30 @@ jobs:
       PGHOST: localhost
       PGDATABASE: ci_db_test
       PGTESTNOSSL: 'true'
-      # SCRAM_TEST_PGUSER: scram_test
-      # SCRAM_TEST_PGPASSWORD: test4scram
+      SHA256_TEST_PGUSER: sha256_test
+      SHA256_TEST_PGPASSWORD: test4@scram
     steps:
       - name: Show OS
         run: |
           uname -a
-      # - run: |
-      #     psql \
-      #       -c "SET password_encryption = 'scram-sha-256'" \
-      #       -c "CREATE ROLE scram_test LOGIN PASSWORD 'test4scram'"
+      - name: Wait for GaussDB to be ready
+        run: |
+          timeout 60 bash -c 'until pg_isready -h localhost -p 5432; do sleep 2; done'
+      - name: Setup SHA256 authentication
+        run: |
+          # Wait for database to be fully started
+          sleep 15
+          
+          # Get container ID
+          CONTAINER_ID=$(docker ps --filter "ancestor=opengauss/opengauss" --format "{{.ID}}")
+          docker exec $CONTAINER_ID su - omm -c "gs_guc set -D /var/lib/opengauss/data/ -c 'password_encryption_type = 2'"
+          
+          # Add SHA256 authentication rule to pg_hba.conf
+          docker exec $CONTAINER_ID su - omm -c "gs_guc set -D /var/lib/opengauss/data/ -h 'host all sha256_test 0.0.0.0/0 sha256'"
+          docker exec $CONTAINER_ID su - omm -c "gs_ctl reload -D /var/lib/opengauss/data/"
+          sleep 5
+          
+          PGPASSWORD=openGauss@123 psql -h localhost -U ci_user -d ci_db_test -c "CREATE ROLE sha256_test login password 'test4@scram';"
       - uses: actions/checkout@v4
         with:
           persist-credentials: false

packages/pg/test/integration/client/sha256-password-tests.js

@@ -0,0 +1,102 @@
+'use strict'
+const helper = require('./../test-helper')
+const pg = helper.pg
+const suite = new helper.Suite()
+const { native } = helper.args
+const assert = require('assert')
+
+/**
+ * This test only executes if the env variables SHA256_TEST_PGUSER and
+ * SHA256_TEST_PGPASSWORD are defined. You can override additional values
+ * for the host, port and database with other SHA256_TEST_ prefixed vars.
+ * If the variables are not defined the test will be skipped.
+ *
+ * SQL to create test role:
+ *
+ *     SET password_encryption_type = 2;
+ *     CREATE ROLE sha256_test login password 'test4@scram';
+ *
+ * Add the following entries to pg_hba.conf:
+ *
+ *     host   all   sha256_test   ::1/128    sha256
+ *     host   all   sha256_test   0.0.0.0/0   sha256
+ *
+ * Then run this file with after exporting:
+ *
+ *     SHA256_TEST_PGUSER=sha256_test
+ *     SHA256_TEST_PGPASSWORD=test4@scram
+ */
+
+// Base config for SHA256 tests
+const config = {
+  user: process.env.SHA256_TEST_PGUSER,
+  password: process.env.SHA256_TEST_PGPASSWORD,
+  host: process.env.SHA256_TEST_PGHOST || 'localhost',
+  port: process.env.SHA256_TEST_PGPORT || 5432,
+  database: process.env.SHA256_TEST_PGDATABASE || 'ci_db_test',
+}
+
+if (native) {
+  suite.testAsync('skipping SHA256 tests (on native)', () => {})
+  return
+}
+if (!config.user || !config.password) {
+  suite.testAsync('skipping SHA256 tests (missing env)', () => {})
+  return
+}
+
+suite.testAsync('can connect using sha256 password authentication', async () => {
+  const client = new pg.Client(config)
+  let usingSha256 = false
+  client.connection.once('authenticationSHA256Password', () => {
+    usingSha256 = true
+  })
+  await client.connect()
+  assert.ok(usingSha256, 'Should be using SHA256 for authentication')
+
+  // Test basic query execution
+  const { rows } = await client.query('SELECT NOW()')
+  assert.strictEqual(rows.length, 1)
+
+  await client.end()
+})
+
+suite.testAsync('sha256 authentication fails when password is wrong', async () => {
+  const client = new pg.Client({
+    ...config,
+    password: config.password + 'append-something-to-make-it-bad',
+  })
+  let usingSha256 = false
+  client.connection.once('authenticationSHA256Password', () => {
+    usingSha256 = true
+  })
+  await assert.rejects(
+    () => client.connect(),
+    {
+      code: '28P01',
+    },
+    'Error code should be for a password error'
+  )
+  assert.ok(usingSha256, 'Should be using SHA256 for authentication')
+})
+
+suite.testAsync('sha256 authentication fails when password is empty', async () => {
+  const client = new pg.Client({
+    ...config,
+    // use a password function to simulate empty password
+    password: () => '',
+  })
+  let usingSha256 = false
+  client.connection.once('authenticationSHA256Password', () => {
+    usingSha256 = true
+  })
+  await assert.rejects(
+    () => client.connect(),
+    (err) => {
+      // Should fail with authentication error
+      return err.code === '28P01' || err.message.includes('password')
+    },
+    'Should fail with password-related error'
+  )
+  assert.ok(usingSha256, 'Should be using SHA256 for authentication')
+})

packages/pg/test/unit/client/sha256-password-tests.js

@@ -0,0 +1,84 @@
+'use strict'
+const helper = require('./test-helper')
+const BufferList = require('../../buffer-list')
+const crypto = require('../../../lib/crypto/utils')
+const assert = require('assert')
+const suite = new helper.Suite()
+const test = suite.test.bind(suite)
+
+test('sha256 authentication', async function () {
+  const client = helper.createClient()
+  client.password = '!'
+  // Mock SHA256 authentication data following the format expected by postgresSha256PasswordHash, similar to the MD5 test
+  // Structure: [4 bytes method][64 bytes random code][8 bytes token][4 bytes iteration]
+  const data = Buffer.alloc(80)
+  data.writeInt32BE(1, 0) // password method. in fact this data is not used in the hashing
+  data.write('A'.repeat(64), 4, 'ascii') // 64-byte random code
+  data.write('B'.repeat(8), 68, 'ascii') // 8-byte token
+  data.writeInt32BE(1000, 76) // iteration count
+
+  await client.connection.emit('authenticationSHA256Password', { data: data })
+
+  setTimeout(() =>
+    test('responds', function () {
+      assert.lengthIs(client.connection.stream.packets, 1)
+      test('should have correct encrypted data', async function () {
+        const hashedPassword = await crypto.postgresSha256PasswordHash(client.user, client.password, data)
+        assert.equalBuffers(
+          client.connection.stream.packets[0],
+          new BufferList().addCString(hashedPassword).join(true, 'p')
+        )
+      })
+    })
+  )
+})
+
+test('sha256 authentication with empty password', async function () {
+  const client = helper.createClient()
+  client.password = ''
+  const data = Buffer.alloc(80)
+  data.writeInt32BE(1, 0)
+  data.write('A'.repeat(64), 4, 'ascii')
+  data.write('B'.repeat(8), 68, 'ascii')
+  data.writeInt32BE(1000, 76)
+
+  await client.connection.emit('authenticationSHA256Password', { data: data })
+
+  setTimeout(() =>
+    test('responds with empty password', function () {
+      assert.lengthIs(client.connection.stream.packets, 1)
+      test('should have correct encrypted data for empty password', async function () {
+        const hashedPassword = await crypto.postgresSha256PasswordHash(client.user, client.password, data)
+        assert.equalBuffers(
+          client.connection.stream.packets[0],
+          new BufferList().addCString(hashedPassword).join(true, 'p')
+        )
+      })
+    })
+  )
+})
+
+test('sha256 authentication with utf-8 password', async function () {
+  const client = helper.createClient()
+  client.password = 'test_password_123'
+  const data = Buffer.alloc(80)
+  data.writeInt32BE(1, 0)
+  data.write('A'.repeat(64), 4, 'ascii')
+  data.write('B'.repeat(8), 68, 'ascii')
+  data.writeInt32BE(1000, 76)
+
+  await client.connection.emit('authenticationSHA256Password', { data: data })
+
+  setTimeout(() =>
+    test('responds with utf-8 password', function () {
+      assert.lengthIs(client.connection.stream.packets, 1)
+      test('should have correct encrypted data for utf-8 password', async function () {
+        const hashedPassword = await crypto.postgresSha256PasswordHash(client.user, client.password, data)
+        assert.equalBuffers(
+          client.connection.stream.packets[0],
+          new BufferList().addCString(hashedPassword).join(true, 'p')
+        )
+      })
+    })
+  )
+})