I thought about writing a few [SSPI tests], and I may yet get around
> to that,
Attached is a proposed patch; I cannot send it as a PR because it is dependent on Pavel Raiskup's as yet unmerged #546. The Waffle-free build option is clearly coming, and there is little point in having SSPI tests that then cannot be turned off.
Some explanations:
- Both successful and unsuccessful authentication is tested, the latter to ensure that a configuration mistake (such as a "trust" line left in pg_hba.conf) has not caused *both* tests to succeed when they should have failed.
- Setting up to run these tests is not entirely (or at all) trivial; it requires running the database server as an account that is capable of SSPI authentication (such as a virtual service account, e.g. "NT SERVICE\PostgreSQL") on both domain member and non-member systems, or a domain user account.
- Additionally, both pg_hba.conf and, in most cases, pg_ident.conf must be configured. In particular, the user account that runs the tests must be permitted to authenticate as the database role configured in build.properties.
- The tests are not run when Waffle is disabled. I would have preferred to have a separate option to turn them off even when building with Waffle because the setup is so difficult. I could not think of a way to make Maven do this, mostly because profiles cannot be chained, and profile activation cannot use two variables, for example (!enableWaffle || disableSSPITests).
- There is an intermittent problem where testUnauthorized() fails because it gets the wrong exception: It expects SQLSTATE 28000 from the server, but sometimes it gets 08001 generated internally in the driver. No idea what causes that. I did not want to blindly accept any error as proof of failed authentication.