vibesql-server 0.1.3

Network server with PostgreSQL wire protocol for VibeSQL
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315

//! Integration tests for authentication flows
//!
//! Tests password authentication, trust authentication,
//! and authentication error handling.

mod common;

use common::{
    parse_backend_messages, start_test_server, start_test_server_with_config,
    test_config_with_password, TestClient,
};
use std::io::Write;
use tempfile::NamedTempFile;
use vibesql_server::auth::password::hash_password_argon2;

/// Test trust authentication (no password required)
#[tokio::test]
async fn test_trust_authentication() {
    let server = start_test_server().await;
    let mut client = TestClient::connect(server.addr()).await.expect("Failed to connect");

    // With trust auth, startup should succeed without password
    client.send_startup("testuser", "testdb").await.expect("Failed to send startup");

    let data = client.read_until_message_type(b'Z').await.expect("Failed to read response");
    let messages = parse_backend_messages(&data);

    // Should have AuthenticationOk immediately
    assert!(
        messages.iter().any(|m| m.is_auth_ok()),
        "Trust auth should send AuthenticationOk without password"
    );
    assert!(
        messages.iter().any(|m| m.is_ready_for_query()),
        "Should be ready for queries after trust auth"
    );

    client.send_terminate().await.expect("Failed to terminate");
    server.shutdown();
}

/// Test cleartext password authentication success
#[tokio::test]
async fn test_password_auth_success() {
    // Create password file with Argon2 hash
    let mut password_file = NamedTempFile::new().expect("Failed to create temp file");
    let hash = hash_password_argon2("secret123").expect("Failed to hash password");
    writeln!(password_file, "testuser:{}", hash).expect("Failed to write password file");
    password_file.flush().expect("Failed to flush");

    let config = test_config_with_password(password_file.path().to_path_buf());
    let server = start_test_server_with_config(config).await;

    let mut client = TestClient::connect(server.addr()).await.expect("Failed to connect");

    // Send startup
    client.send_startup("testuser", "testdb").await.expect("Failed to send startup");

    // Should receive password request
    let data = client.read_response().await.expect("Failed to read response");
    let messages = parse_backend_messages(&data);

    assert!(
        messages.iter().any(|m| m.is_cleartext_password_request()),
        "Should request cleartext password"
    );

    // Send correct password
    client.send_password("secret123").await.expect("Failed to send password");

    // Should receive auth ok and ready for query
    let data = client.read_until_message_type(b'Z').await.expect("Failed to read response");
    let messages = parse_backend_messages(&data);

    assert!(
        messages.iter().any(|m| m.is_auth_ok()),
        "Should receive AuthenticationOk after correct password"
    );
    assert!(
        messages.iter().any(|m| m.is_ready_for_query()),
        "Should be ready for queries after auth"
    );

    // Verify connection works
    client.send_query("SELECT 1").await.expect("Failed to send query");
    let data = client.read_until_message_type(b'Z').await.expect("Failed to read response");
    let messages = parse_backend_messages(&data);
    assert!(messages.iter().any(|m| m.is_command_complete()));

    client.send_terminate().await.expect("Failed to terminate");
    server.shutdown();
}

/// Test cleartext password authentication failure
#[tokio::test]
async fn test_password_auth_failure() {
    // Create password file
    let mut password_file = NamedTempFile::new().expect("Failed to create temp file");
    let hash = hash_password_argon2("correctpassword").expect("Failed to hash password");
    writeln!(password_file, "testuser:{}", hash).expect("Failed to write password file");
    password_file.flush().expect("Failed to flush");

    let config = test_config_with_password(password_file.path().to_path_buf());
    let server = start_test_server_with_config(config).await;

    let mut client = TestClient::connect(server.addr()).await.expect("Failed to connect");

    // Send startup
    client.send_startup("testuser", "testdb").await.expect("Failed to send startup");

    // Read password request
    let _ = client.read_response().await.expect("Failed to read response");

    // Send wrong password
    client.send_password("wrongpassword").await.expect("Failed to send password");

    // Connection should be closed or error returned
    // Read whatever comes back
    let result = client.read_response().await;

    // Either the read fails (connection closed) or we get an error message
    match result {
        Ok(data) if data.is_empty() => {
            // Connection closed - expected for auth failure
        }
        Ok(_) => {
            // Got some data - could be an error message
        }
        Err(_) => {
            // Read error - connection closed
        }
    }

    server.shutdown();
}

/// Test authentication with non-existent user
#[tokio::test]
async fn test_auth_nonexistent_user() {
    // Create password file with only one user
    let mut password_file = NamedTempFile::new().expect("Failed to create temp file");
    let hash = hash_password_argon2("secret").expect("Failed to hash password");
    writeln!(password_file, "existinguser:{}", hash).expect("Failed to write password file");
    password_file.flush().expect("Failed to flush");

    let config = test_config_with_password(password_file.path().to_path_buf());
    let server = start_test_server_with_config(config).await;

    let mut client = TestClient::connect(server.addr()).await.expect("Failed to connect");

    // Try to connect as non-existent user
    client.send_startup("nonexistent", "testdb").await.expect("Failed to send startup");

    // Read password request
    let _ = client.read_response().await.expect("Failed to read response");

    // Send any password
    client.send_password("anypassword").await.expect("Failed to send password");

    // Should fail since user doesn't exist
    let result = client.read_response().await;
    match result {
        Ok(data) if data.is_empty() => {
            // Connection closed - expected
        }
        Ok(_) | Err(_) => {
            // Either got error response or connection error
        }
    }

    server.shutdown();
}

/// Test MD5 password authentication
#[tokio::test]
async fn test_md5_auth() {
    // Create password file with MD5 format
    let mut password_file = NamedTempFile::new().expect("Failed to create temp file");
    writeln!(password_file, "testuser:{{MD5}}secret").expect("Failed to write password file");
    password_file.flush().expect("Failed to flush");

    let mut config = test_config_with_password(password_file.path().to_path_buf());
    config.auth.method = "md5".to_string();
    let server = start_test_server_with_config(config).await;

    let mut client = TestClient::connect(server.addr()).await.expect("Failed to connect");

    // Send startup
    client.send_startup("testuser", "testdb").await.expect("Failed to send startup");

    // Should receive MD5 password request with salt
    let data = client.read_response().await.expect("Failed to read response");
    let messages = parse_backend_messages(&data);

    let md5_request = messages.iter().find(|m| m.is_md5_password_request());
    assert!(md5_request.is_some(), "Should request MD5 password");

    // Get the salt
    let salt = md5_request.unwrap().get_md5_salt().expect("Should have salt");

    // Compute MD5 response using the salt
    let md5_response =
        vibesql_server::auth::password::compute_md5_password("secret", "testuser", &salt);

    // Send MD5 password (with md5 prefix as per protocol)
    client.send_password(&format!("md5{}", md5_response)).await.expect("Failed to send password");

    // Should get auth ok
    let data = client.read_until_message_type(b'Z').await.expect("Failed to read response");
    let messages = parse_backend_messages(&data);

    assert!(messages.iter().any(|m| m.is_auth_ok()), "MD5 auth should succeed");

    client.send_terminate().await.expect("Failed to terminate");
    server.shutdown();
}

/// Test multiple users in password file
#[tokio::test]
async fn test_multiple_users() {
    // Create password file with multiple users
    let mut password_file = NamedTempFile::new().expect("Failed to create temp file");
    let hash1 = hash_password_argon2("password1").expect("Failed to hash password");
    let hash2 = hash_password_argon2("password2").expect("Failed to hash password");
    writeln!(password_file, "user1:{}", hash1).expect("Failed to write");
    writeln!(password_file, "user2:{}", hash2).expect("Failed to write");
    password_file.flush().expect("Failed to flush");

    let config = test_config_with_password(password_file.path().to_path_buf());
    let server = start_test_server_with_config(config).await;

    // Test user1
    {
        let mut client = TestClient::connect(server.addr()).await.expect("Failed to connect");
        client.send_startup("user1", "testdb").await.expect("Failed to send startup");
        let _ = client.read_response().await.expect("Failed to read response");
        client.send_password("password1").await.expect("Failed to send password");
        let data = client.read_until_message_type(b'Z').await.expect("Failed to read response");
        let messages = parse_backend_messages(&data);
        assert!(messages.iter().any(|m| m.is_auth_ok()), "user1 should auth successfully");
        client.send_terminate().await.expect("Failed to terminate");
    }

    // Test user2
    {
        let mut client = TestClient::connect(server.addr()).await.expect("Failed to connect");
        client.send_startup("user2", "testdb").await.expect("Failed to send startup");
        let _ = client.read_response().await.expect("Failed to read response");
        client.send_password("password2").await.expect("Failed to send password");
        let data = client.read_until_message_type(b'Z').await.expect("Failed to read response");
        let messages = parse_backend_messages(&data);
        assert!(messages.iter().any(|m| m.is_auth_ok()), "user2 should auth successfully");
        client.send_terminate().await.expect("Failed to terminate");
    }

    server.shutdown();
}

/// Test password file with comments and empty lines
#[tokio::test]
async fn test_password_file_with_comments() {
    let mut password_file = NamedTempFile::new().expect("Failed to create temp file");
    let hash = hash_password_argon2("mypassword").expect("Failed to hash password");
    writeln!(password_file, "# This is a comment").expect("Failed to write");
    writeln!(password_file).expect("Failed to write empty line");
    writeln!(password_file, "testuser:{}", hash).expect("Failed to write");
    writeln!(password_file, "# Another comment").expect("Failed to write");
    password_file.flush().expect("Failed to flush");

    let config = test_config_with_password(password_file.path().to_path_buf());
    let server = start_test_server_with_config(config).await;

    let mut client = TestClient::connect(server.addr()).await.expect("Failed to connect");
    client.send_startup("testuser", "testdb").await.expect("Failed to send startup");
    let _ = client.read_response().await.expect("Failed to read response");
    client.send_password("mypassword").await.expect("Failed to send password");
    let data = client.read_until_message_type(b'Z').await.expect("Failed to read response");
    let messages = parse_backend_messages(&data);
    assert!(
        messages.iter().any(|m| m.is_auth_ok()),
        "Should authenticate despite comments in file"
    );

    client.send_terminate().await.expect("Failed to terminate");
    server.shutdown();
}

/// Test that authenticated session maintains its identity
#[tokio::test]
async fn test_authenticated_session_identity() {
    let mut password_file = NamedTempFile::new().expect("Failed to create temp file");
    let hash = hash_password_argon2("secret").expect("Failed to hash password");
    writeln!(password_file, "myuser:{}", hash).expect("Failed to write");
    password_file.flush().expect("Failed to flush");

    let config = test_config_with_password(password_file.path().to_path_buf());
    let server = start_test_server_with_config(config).await;

    let mut client = TestClient::connect(server.addr()).await.expect("Failed to connect");
    client.send_startup("myuser", "mydb").await.expect("Failed to send startup");
    let _ = client.read_response().await.expect("Failed to read response");
    client.send_password("secret").await.expect("Failed to send password");
    let _ = client.read_until_message_type(b'Z').await.expect("Failed to read response");

    // Session should work for multiple queries
    for _ in 0..5 {
        client.send_query("SELECT 1").await.expect("Failed to send query");
        let data = client.read_until_message_type(b'Z').await.expect("Failed to read response");
        let messages = parse_backend_messages(&data);
        assert!(messages.iter().any(|m| m.is_command_complete()));
    }

    client.send_terminate().await.expect("Failed to terminate");
    server.shutdown();
}