# This verifies that the behavior with an empty HBA config
# is equivalent to:
#     host  all root all cert-password
#     host  all all  all cert-password
#     local all all      password
# by using that explicit string and reproducing the tests
# in the test file "empty_hba".

config secure
----

set_hba
host  all root all cert-password
host  all all  all cert-password
local all all      password
----
# Active authentication configuration on this node:
# Original configuration:
# loopback all all all trust       # built-in CockroachDB default
# host  all root all cert-password
# host  all all  all cert-password
# local all all      password
#
# Interpreted configuration:
# TYPE   DATABASE USER ADDRESS METHOD        OPTIONS
loopback all      all  all     trust
host     all      root all     cert-password
host     all      all  all     cert-password
local    all      all          password

subtest root

# Root can always connect regardless.
connect user=root
----
ok defaultdb

# However root cannot connect over the unix socket because
# they do not have a password by default.
connect_unix user=root
----
ERROR: password authentication failed for user root (SQLSTATE 28P01)

# When no client cert is presented, the server would otherwise require
# password auth. However, root does not have a password.
connect user=root password=foo sslmode=verify-ca sslcert= sslkey=
----
ERROR: password authentication failed for user root (SQLSTATE 28P01)

subtest end root

subtest normaluser_cert

# User need no password, and we're presenting a client cert. All good.
connect user=testuser
----
ok defaultdb

# Empty/no password means deny password auth. Unix socket does not
# present a cert so auth fails.
connect_unix user=testuser
----
ERROR: password authentication failed for user testuser (SQLSTATE 28P01)

# Make the user need a password.
sql
ALTER USER testuser WITH PASSWORD 'pass';
----
ok

# Password now needed, but as long as we're presenting a cert it's good.
connect user=testuser
----
ok defaultdb

connect_unix user=testuser password=pass
----
ok defaultdb

# If we don't present the client certificate, the password is required.
connect user=testuser password=invalid sslmode=verify-ca sslcert= sslkey=
----
ERROR: password authentication failed for user testuser (SQLSTATE 28P01)

connect user=testuser password=pass sslmode=verify-ca sslcert= sslkey=
----
ok defaultdb

# Reset the test user to no password.
sql
DROP USER testuser; CREATE USER testuser
----
ok

subtest end normaluser_cert

subtest normaluser_nocert

# This other test user has no default cert.
sql
CREATE USER testuser_nocert;
----
ok

# Since there is no cert, no cert is going to be presented by the client
# and password auth becomes required.
connect user=testuser_nocert
----
ERROR: password authentication failed for user testuser_nocert (SQLSTATE 28P01)

# Even though the user has no password, trying to present the
# empty password fails. The user simply cannot log in.
connect user=testuser_nocert password=
----
ERROR: password authentication failed for user testuser_nocert (SQLSTATE 28P01)

sql
DROP USER testuser_nocert
----
ok

subtest end normaluser_nocert
