config secure
----

subtest auth_reject

# Smoke test: the test user can log in.
connect user=testuser show_authentication_method
----
ok defaultdb cert-password

# With a 'reject' rule, they can't log in anymore even though a later
# rule lets them.
set_hba
host all testuser all reject
host all all all cert-password
----
# Active authentication configuration on this node:
# Original configuration:
# loopback all all all trust       # built-in CockroachDB default
# host  all root all cert-password # CockroachDB mandatory rule
# host all testuser all reject
# host all all all cert-password
#
# Interpreted configuration:
# TYPE   DATABASE USER     ADDRESS METHOD        OPTIONS
loopback all      all      all     trust
host     all      root     all     cert-password
host     all      testuser all     reject
host     all      all      all     cert-password

connect user=testuser
----
ERROR: authentication rejected by configuration (SQLSTATE 28000)

subtest end


subtest auth_trust

# Create a user with a seemingly required password.
sql
CREATE USER nocert WITH PASSWORD 'required'
----
ok

# Use the "trust" auth type to auth the user even without
# a valid cert or password.
set_hba
host all nocert all trust
host all all all cert
----
# Active authentication configuration on this node:
# Original configuration:
# loopback all all all trust       # built-in CockroachDB default
# host  all root all cert-password # CockroachDB mandatory rule
# host all nocert all trust
# host all all all cert
#
# Interpreted configuration:
# TYPE   DATABASE USER   ADDRESS METHOD        OPTIONS
loopback all      all    all     trust
host     all      root   all     cert-password
host     all      nocert all     trust
host     all      all    all     cert


connect user=nocert sslcert= sslmode=require show_authentication_method
----
ok defaultdb trust

subtest auth_trust/inexistent_user

# If the user does not exist, a "trust" rule is not sufficient to
# authorize a login.

sql
DROP USER nocert
----
ok

connect user=nocert sslcert= sslmode=require
----
ERROR: password authentication failed for user nocert (SQLSTATE 28P01)


subtest end

subtest end
