From b14ff0b43046d079fa81d289e2caab8fc7ff1d2c Mon Sep 17 00:00:00 2001 From: Juliana Fajardini Date: Mon, 15 Apr 2024 20:19:54 -0300 Subject: [PATCH] tests/pgsql: add checks and test for bug 6092 Ensure that pgsql metadata flags (for now, just setting whether passwords should be logged or not) are properly processed by Suri and logging functions. Related to Bug #6092 --- .../pgsql-5000-query-results/suricata.yaml | 3 +- .../pgsql/pgsql-5000-query-results/test.yaml | 1 + .../README.md | 12 ++++++ .../suricata.yaml | 18 +++++++++ .../test.yaml | 39 +++++++++++++++++++ .../README.md | 12 ++++++ .../suricata.yaml | 18 +++++++++ .../test.yaml | 19 +++++++++ tests/pgsql/pgsql-cancel-request/test.yaml | 1 + .../pgsql/pgsql-pwd-output-disabled/test.yaml | 1 + 10 files changed, 123 insertions(+), 1 deletion(-) create mode 100644 tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/README.md create mode 100755 tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/suricata.yaml create mode 100644 tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/test.yaml create mode 100644 tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/README.md create mode 100755 tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/suricata.yaml create mode 100644 tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/test.yaml diff --git a/tests/pgsql/pgsql-5000-query-results/suricata.yaml b/tests/pgsql/pgsql-5000-query-results/suricata.yaml index 8434a4ffa..bade98943 100644 --- a/tests/pgsql/pgsql-5000-query-results/suricata.yaml +++ b/tests/pgsql/pgsql-5000-query-results/suricata.yaml @@ -7,7 +7,8 @@ outputs: filetype: regular filename: eve.json types: - - pgsql + - pgsql: + passwords: false app-layer: protocols: diff --git a/tests/pgsql/pgsql-5000-query-results/test.yaml b/tests/pgsql/pgsql-5000-query-results/test.yaml index eac5cbc3b..4b8ecd7c0 100644 --- a/tests/pgsql/pgsql-5000-query-results/test.yaml +++ b/tests/pgsql/pgsql-5000-query-results/test.yaml 
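Review bot: `passwords: false` here is spelled differently from the `passwords: yes` and the commented-out `passwords: no` in the two new bug-6092 suricata.yaml files of this same commit; those new files carry a `%YAML 1.1` directive under which both spellings parse as booleans, but using one spelling across the pgsql test configs keeps a grep for the option reliable. `true`/`false` is the less ambiguous form, so I would keep this line as is and align the new configs to it, e.g. `passwords: true` in the -02 config. Turning the bare `- pgsql` entry into a mapping is what makes the option settable at all, so the shape of the change itself matches the new files.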
@@ -64,6 +64,7 @@ checks: dest_port: 5432 event_type: pgsql pcap_cnt: 29 + not-has-key: pgsql.request.password pgsql.response.message: authentication_ok pgsql.response.parameter_status[0].application_name: psql pgsql.response.parameter_status[10].time_zone: Etc/UTC diff --git a/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/README.md b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/README.md new file mode 100644 index 000000000..7b5412e4a --- /dev/null +++ b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/README.md @@ -0,0 +1,12 @@ +# Description + +Tests that when PostgreSQL (pgsql) EVE log config is set to not log out password +messages, it doesn't. + +## PCAP + +Pcap file reused from pgsql-ssl-rejected-md5-auth-simple-query + +## Redmine ticket + +https://redmine.openinfosecfoundation.org/issues/6092 diff --git a/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/suricata.yaml b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/suricata.yaml new file mode 100755 index 000000000..7db5f7016 --- /dev/null +++ b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/suricata.yaml @@ -0,0 +1,18 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - pgsql: + enabled: yes + #passwords: no # enable output of passwords Default is false + - flow + +app-layer: + protocols: + pgsql: + enabled: yes diff --git a/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/test.yaml b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/test.yaml new file mode 100644 index 000000000..1e1070068 --- /dev/null +++ b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/test.yaml 
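Review bot: `not-has-key: pgsql.request.password` on the pcap_cnt 29 event only proves that the key is absent; it would equally pass if the password message were not parsed or logged at all, so on its own it does not demonstrate that the `passwords` flag was processed. Pairing it with a positive assertion on the request side of the same event (whichever key the pgsql logger emits for a password message — confirm against the eve.json this pcap produces) would tie the check to the redaction path; a constructed example would be `pgsql.request.<password-message-key>: <expected value>`. The same remark applies to the identical `not-has-key` lines added in pgsql-cancel-request/test.yaml, pgsql-pwd-output-disabled/test.yaml and subtest 2 of the new pgsql-bug-6092-log-flags-and-metadata-01/test.yaml. The enclosing `filter:` entry starts before this hunk.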
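Review bot: With `#passwords: no` commented out, this config exercises the built-in default rather than an explicit "do not log" setting, while the README added alongside it says the EVE config "is set to not log" password messages; either uncomment the option so the test pins the explicit setting, or word the README to say the default is what is under test (the existing pgsql-pwd-output-disabled test presumably covers the explicit case, judging by its name). The comment line also reads oddly as `#passwords: no # enable output of passwords Default is false`; I would write it `# passwords: no  # log password messages; default is false`. Separately, the diffstat shows this file and the -02 suricata.yaml created with mode 100755 — a config file should not carry the executable bit, so 100644 like the neighbouring test.yaml and README.md files is what I would expect for both.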
@@ -0,0 +1,39 @@
+requires:
+# Pgsql was released on version 7.0
+ min-version: 7.0
+
+pcap: ../pgsql-ssl-rejected-md5-auth-simple-query/input.pcap
+
+args:
+- -k none
+
+checks:
+# subtest 1
+- filter:
+ count: 1
+ match:
+ dest_ip: 10.16.1.11
+ dest_port: 5432
+ event_type: pgsql
+ pcap_cnt: 25
+ proto: TCP
+ src_ip: 10.16.1.10
+ src_port: 40816
+ pgsql.tx_id: 2
+ pgsql.request.protocol_version: '3.0'
+ pgsql.request.startup_parameters.optional_parameters[0].database: indexer
+ pgsql.request.startup_parameters.user: indexer
+ pgsql.response.authentication_md5_password: "\\x9fi\x1A\\x8e"
+# subtest 2
+- filter:
+ count: 1
+ match:
+ dest_ip: 10.16.1.11
+ dest_port: 5432
+ event_type: pgsql
+ pcap_cnt: 29
+ pgsql.tx_id: 3
+ not-has-key: pgsql.request.password
+ pgsql.response.message: authentication_ok
+ pgsql.response.process_id: 61
+ pgsql.response.secret_key: 3152142766
diff --git a/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/README.md b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/README.md
new file mode 100644
index 000000000..d9e83f7fb
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/README.md
@@ -0,0 +1,12 @@
+# Description
+
+Tests that when PostgreSQL (pgsql) EVE log config is set to log password
+messages, it does.
+
+## PCAP
+
+Pcap file reused from pgsql-ssl-rejected-md5-auth-simple-query
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/6092
diff --git a/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/suricata.yaml b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/suricata.yaml
new file mode 100755
index 000000000..ea7b027ae
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - pgsql:
+ enabled: yes
+ passwords: yes
+ - flow
+
+app-layer:
+ protocols:
+ pgsql:
+ enabled: yes
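Review bot: The expected value `pgsql.response.authentication_md5_password: "\\x9fi\x1A\\x8e"` mixes escape forms inside one double-quoted YAML scalar: `\\x9f` and `\\x8e` stay as the literal text `\x9f` / `\x8e`, whereas `\x1A` is decoded by the YAML parser into a single 0x1A control byte, and a reader will take that for a typo unless it is intentional. If it is deliberate — for instance because the logger renders bytes below 0x20 as JSON control escapes while the two non-UTF-8 bytes come through as literal `\xNN` text — a one-line comment above it would stop the next person from "fixing" it, e.g. `# salt bytes 9f 69 1a 8e: 0x1a is decoded to a real control char, the other two stay as literal \xNN text`. If it is not deliberate, the three fragments should use the same form; please confirm against the `authentication_md5_password` field in the eve.json this pcap produces.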
diff --git a/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/test.yaml b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/test.yaml new file mode 100644 index 000000000..87865103d --- /dev/null +++ b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/test.yaml @@ -0,0 +1,19 @@ +requires: +# Pgsql was released on version 7.0 + min-version: 7.0 + +pcap: ../pgsql-ssl-rejected-md5-auth-simple-query/input.pcap + +args: +- -k none + +checks: +- filter: + count: 1 + match: + dest_ip: 10.16.1.11 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 29 + has-key: pgsql.request.password + pgsql.response.message: authentication_ok diff --git a/tests/pgsql/pgsql-cancel-request/test.yaml b/tests/pgsql/pgsql-cancel-request/test.yaml index 040178b1d..9485dd365 100644 --- a/tests/pgsql/pgsql-cancel-request/test.yaml +++ b/tests/pgsql/pgsql-cancel-request/test.yaml @@ -36,6 +36,7 @@ checks: dest_ip: 100.96.199.113 dest_port: 5432 event_type: pgsql + not-has-key: pgsql.request.password pgsql.response.message: authentication_ok pgsql.response.parameter_status[0].application_name: psql pgsql.response.process_id: 28954 diff --git a/tests/pgsql/pgsql-pwd-output-disabled/test.yaml b/tests/pgsql/pgsql-pwd-output-disabled/test.yaml index 3a4d57c7f..11f3442c6 100644 --- a/tests/pgsql/pgsql-pwd-output-disabled/test.yaml +++ b/tests/pgsql/pgsql-pwd-output-disabled/test.yaml @@ -44,6 +44,7 @@ checks: event_type: pgsql pcap_cnt: 12 pgsql.response.message: authentication_ok + not-has-key: pgsql.request.password pgsql.response.parameter_status[0].application_name: psql pgsql.response.parameter_status[10].time_zone: Europe/London pgsql.response.parameter_status[1].client_encoding: UTF8
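Review bot: `has-key: pgsql.request.password` only checks that the key exists; it would also pass if the logger emitted an empty or placeholder value under it, so it does not show that the password from the pcap is what gets logged when `passwords: yes` is set. Matching the value as well would pin the behaviour this test is named for, e.g. `pgsql.request.password: <password string from the pcap>` (constructed placeholder — take the value from the eve.json this pcap produces). Asserting `pgsql.tx_id` on this event, as subtest 2 of the -01 test does for the same pcap_cnt, would also keep the two bug-6092 tests symmetric.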
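Review bot: The new `not-has-key: pgsql.request.password` line is inserted after `pgsql.response.message: authentication_ok` here, whereas the three other `not-has-key` additions in this commit (pgsql-5000-query-results, pgsql-cancel-request and subtest 2 of bug-6092-01) place it before `pgsql.response.message`; moving it up one line keeps the four match blocks consistent and easier to diff against each other. The enclosing `filter:` entry starts before this hunk.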