Skip to content

fix(tests): stable conninfo query and SCRAM port for wrong-password test#716

Merged
NikolayS merged 1 commit intomainfrom
fix/connection-test-suite
Mar 24, 2026
Merged

fix(tests): stable conninfo query and SCRAM port for wrong-password test#716
NikolayS merged 1 commit intomainfrom
fix/connection-test-suite

Conversation

@NikolayS
Copy link
Copy Markdown
Owner

@NikolayS NikolayS commented Mar 24, 2026

Problem

Fixes two failures in tests/compat/test-connections.sh.

A1-A5: psql 18 \conninfo format change

psql 18 changed the output format of \conninfo. The tests do a literal string compare between psql and rpg output, so they fail on any machine with psql 18+. rpg is correct — the test was wrong.

Fix: Replace \conninfo with a stable SQL query across all A1-A5 tests:

SELECT current_database() AS db, current_user AS usr, inet_server_port() AS port

This returns identical output from both psql and rpg on all versions, and proves the connection succeeded.

A7: wrong-password test against trust-auth port

test_wrong_password connected to the trust-auth port (15433), where Postgres ignores the supplied password. The test expected non-zero exit but got 0 — always failing.

Fix: Add TEST_PG_SCRAM_HOST/TEST_PG_SCRAM_PORT/TEST_PG_SCRAM_USER/TEST_PG_SCRAM_PASSWORD/TEST_PG_SCRAM_DATABASE env vars. When TEST_PG_SCRAM_PORT is set, A7 runs against that SCRAM-auth instance with a wrong password and asserts non-zero exit. When not set, A7 is skipped with a clear message.

In .github/workflows/checks.yml, a second postgres service (postgres-scram) is added to the connection-tests job on port 15433. The default POSTGRES_PASSWORD triggers scram-sha-256 auth. The SCRAM env vars are passed to the test step.

Testing

Verified locally against trust-auth (port 15433) and SCRAM-auth (port 15434):

A1 PASS: TCP flags -h -p -U -d
A2 PASS: bare positional args (dbname user)
A3 PASS: URI connection string
A4 PASS: conninfo keyword=value string
A5 PASS: env vars only
A6 PASS: -d flag overrides PGDATABASE env var
A7 PASS: wrong password exits non-zero
A8 PASS: .pgpass file authentication
A9 SKIP: Unix socket (not found)

Results: 8 passed, 0 failed

Closes #715

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Mar 24, 2026
edited
Loading

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.79%. Comparing base (ad7def0) to head (76adfe1).
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #716   +/-   ##
=======================================
  Coverage   68.79%   68.79%           
=======================================
  Files          46       46           
  Lines       30992    30992           
=======================================
  Hits        21318    21318           
  Misses       9674     9674

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@NikolayS
Copy link
Copy Markdown
Owner Author

NikolayS commented Mar 24, 2026

REV Review — PR #716: fix(tests): stable conninfo query and SCRAM port for wrong-password test

Summary

Fixes two pre-existing test failures: replaces the version-sensitive \conninfo psql metacommand with a stable SQL query that produces identical output across all psql/rpg versions, and routes the wrong-password test to a dedicated SCRAM-auth Postgres container so the test actually validates authentication rejection (trust-auth silently accepts any password).

Blocking findings

None.

Non-blocking findings

  • tests/compat/test-connections.sh line ~30: CONN_QUERY uses uppercase SELECT keyword. Per the SQL style guide, keywords must be lowercase (select current_database() AS db, ...). — INFO, guidelines-checker.

  • tests/compat/test-connections.sh line ~30: The comment # Stable SQL used in place of \conninfo for A1-A5 is slightly inaccurate — CONN_QUERY is also used in A9 (unix socket). Should say "A1–A5, A9" or "all non-SCRAM tests". — LOW, docs-reviewer.

Potential issues

  • SCRAM enforcement not explicit (confidence: 4/10): The postgres-scram CI container sets POSTGRES_PASSWORD but not POSTGRES_HOST_AUTH_METHOD=scram-sha-256. The postgres:16 Docker image defaults to scram-sha-256 when a password is set, so this works today. If the base image ever changes that default, the wrong-password test could silently degrade to md5 auth and still pass. Adding POSTGRES_HOST_AUTH_METHOD: scram-sha-256 to the service env would make the intent explicit and resilient to image changes.

  • inet_server_port() returns NULL on Unix sockets (confidence: 7/10, low impact): test_unix_socket (A9) now uses CONN_QUERY, which includes inet_server_port(). This returns NULL for Unix socket connections. Both psql and rpg return the same NULL, so the comparison still passes — but the output will show a NULL port column, which is slightly misleading if anyone reads test output. Not a correctness issue.

Test coverage

Good. The two changes together make the test suite genuinely meaningful:

  1. CONN_QUERY (select current_database() AS db, current_user AS usr, inet_server_port() AS port) produces deterministic tabular output that is identical between psql and rpg regardless of version. The previous \conninfo was a psql-internal metacommand whose output format changed in psql 18 — the replacement is strictly better.

  2. The wrong-password test (A7) was previously a no-op against a trust-auth instance. Now it runs against a real SCRAM container in CI and gracefully skips in local dev when TEST_PG_SCRAM_PORT is unset. The test is self-validating: if the container accidentally used trust auth, rpg would exit 0 and the expect_failure helper would catch it as FAIL.

CI integration is correct: health checks ensure the container is ready before tests run, the job fails the pipeline on any test failure, and no allow_failure escape hatches are present.

Verdict

APPROVE

@NikolayS NikolayS force-pushed the fix/connection-test-suite branch from 15363ac to 6f189c5 Compare March 24, 2026 01:32
@NikolayS
fix(tests): use stable SQL for conninfo tests; SCRAM port for A7
76adfe1 
A1-A5: replace \conninfo with a SQL query that returns identical output
from both psql and rpg on all versions:

  SELECT current_database() AS db, current_user AS usr, inet_server_port() AS port

psql 18 changed the \conninfo output format, breaking literal string
comparison in the test suite. rpg is correct; the test was wrong.

A7: test_wrong_password previously ran against the trust-auth port
(15433), where Postgres ignores the password — always returning exit 0.
The test expected non-zero exit, so it always failed.

Fix: add TEST_PG_SCRAM_HOST/PORT/USER/PASSWORD/DATABASE env vars. When
TEST_PG_SCRAM_PORT is set, A7 connects to that SCRAM-auth instance with
a wrong password and expects non-zero exit. When not set, A7 is skipped
with a clear message.

In checks.yml, add a postgres-scram service to the connection-tests job
(port 15433, default POSTGRES_PASSWORD=postgres which triggers
scram-sha-256) and pass the SCRAM env vars to the test step.

Closes #715
@NikolayS NikolayS force-pushed the fix/connection-test-suite branch from 6f189c5 to 76adfe1 Compare March 24, 2026 02:34
@NikolayS NikolayS merged commit c704755 into main Mar 24, 2026
16 checks passed
@NikolayS NikolayS deleted the fix/connection-test-suite branch March 24, 2026 03:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

fix(tests): update connection test suite for psql 18 conninfo format change and trust-auth port

2 participants

@NikolayS @codecov-commenter