At 2023-05-22 09:42:44 -0400, t...@sss.pgh.pa.us wrote:
>
> Alvaro Herrera <alvhe...@alvh.no-ip.org> writes:
> > I noticed that the value that enables this feature at libpq client side
> > is 'enable'.  However, for other Boolean settings like sslsni,
> > keepalives, requiressl, sslcompression, the value that enables feature
> > is '1' -- we use strings only for "enum" type of settings.
> 
> > Also, it looks like connectOptions2() doesn't validate the string value.
> 
> Hmm, it certainly seems like this ought to accept exactly the
> same inputs as other libpq boolean settings.  I can take a look
> unless somebody else is already on it.

Here's the diff.  The 0/1 values of settings like sslsni and
sslcompression don't seem to be validated anywhere, unlike the string
options in connectOptions2, so I didn't add any validation for
gssdelegation either.

(I've never run the Kerberos tests before, but I changed one
"gssdelegation=disable" to "gssdelegation=1" and got a test failure, so
they're probably working as expected.)

-- Abhijit
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index e38a7debc3..2225e4e0ef 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -2059,9 +2059,9 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       <listitem>
        <para>
         Forward (delegate) GSS credentials to the server.  The default is
-        <literal>disable</literal> which means credentials will not be forwarded
-        to the server.  Set this to <literal>enable</literal> to have
-        credentials forwarded when possible.
+        <literal>0</literal> which means credentials will not be forwarded
+        to the server.  Set this to <literal>1</literal> to have credentials
+        forwarded when possible.
        </para>
       </listitem>
      </varlistentry>
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index de0e13e50d..88fd0f3d80 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -97,7 +97,7 @@ pg_GSS_continue(PGconn *conn, int payloadlen)
 	if (!pg_GSS_have_cred_cache(&conn->gcred))
 		conn->gcred = GSS_C_NO_CREDENTIAL;
 
-	if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
+	if (conn->gssdelegation && conn->gssdelegation[0] == '1')
 		gss_flags |= GSS_C_DELEG_FLAG;
 
 	maj_stat = gss_init_sec_context(&min_stat,
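Review bot: The new test `conn->gssdelegation[0] == '1'` looks only at the first byte, so `gssdelegation=10` or `gssdelegation=1foo` switches credential delegation on, while `true`, `on` or the previously documented `enable` silently leave it off. Delegation forwards the client's GSS credentials to the server, which can then act as that user, so the value deserves an exact match: `if (conn->gssdelegation && strcmp(conn->gssdelegation, "1") == 0)`. Anything other than `0` or `1` would be better rejected as an invalid option value when the connection options are checked, instead of being ignored. The same first-byte test is added in pqsecure_open_gss() in fe-secure-gssapi.c. The body of pg_GSS_continue() starts and ends outside this hunk.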
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 786d22a770..a8584d2c68 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -343,8 +343,8 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"GSS-library", "", 7,	/* sizeof("gssapi") == 7 */
 	offsetof(struct pg_conn, gsslib)},
 
-	{"gssdelegation", "PGGSSDELEGATION", NULL, NULL,
-		"GSS-delegation", "", 8,	/* sizeof("disable") == 8 */
+	{"gssdelegation", "PGGSSDELEGATION", "0", NULL,
+		"GSS-delegation", "", 1,
 	offsetof(struct pg_conn, gssdelegation)},
 
 	{"replication", NULL, NULL, NULL,
diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c
index c77d5cfe9f..7e373236e9 100644
--- a/src/interfaces/libpq/fe-secure-gssapi.c
+++ b/src/interfaces/libpq/fe-secure-gssapi.c
@@ -622,7 +622,7 @@ pqsecure_open_gss(PGconn *conn)
 	if (ret != STATUS_OK)
 		return PGRES_POLLING_FAILED;
 
-	if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
+	if (conn->gssdelegation && conn->gssdelegation[0] == '1')
 	{
 		/* Acquire credentials if possible */
 		if (conn->gcred == GSS_C_NO_CREDENTIAL)
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index f1854f9919..0045f83cbf 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -404,7 +404,7 @@ struct pg_conn
 	char	   *krbsrvname;		/* Kerberos service name */
 	char	   *gsslib;			/* What GSS library to use ("gssapi" or
 								 * "sspi") */
-	char	   *gssdelegation;	/* Try to delegate GSS credentials? */
+	char	   *gssdelegation;	/* Try to delegate GSS credentials? (0 or 1) */
 	char	   *ssl_min_protocol_version;	/* minimum TLS protocol version */
 	char	   *ssl_max_protocol_version;	/* maximum TLS protocol version */
 	char	   *target_session_attrs;	/* desired session properties */
diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl
index bff26fda0c..0deb9bffc8 100644
--- a/src/test/kerberos/t/001_auth.pl
+++ b/src/test/kerberos/t/001_auth.pl
@@ -381,7 +381,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'succeeds with GSS-encrypted access preferred with host hba and credentials not delegated even though asked for (ticket not forwardable)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -391,7 +391,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'succeeds with GSS-encrypted access required with host hba and credentials not delegated even though asked for (ticket not forwardable)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -480,7 +480,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -490,7 +490,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -504,7 +504,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -514,7 +514,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -528,7 +528,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials forwarded',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
@@ -538,7 +538,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'succeeds with GSS-encrypted access required and hostgssenc hba and credentials forwarded',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
@@ -558,7 +558,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdelegation=disable',
+	'gssencmode=require gssdelegation=0',
 	'succeeds with GSS-encrypted access required and hostgssenc hba and credentials explicitly not forwarded',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
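Review bot: None of the rewritten cases visible in this file passes a value other than `0` or `1`, so the parsing of `gssdelegation` is only exercised on the two spellings the code expects. A companion case next to this one could pass a malformed or legacy value such as `gssdelegation=enable` and pin the intended outcome, either a rejected connection string or at least `NOT credentials_delegated`. That would catch a regression in which an unexpected string ends up enabling delegation. The test_access() call this hunk edits starts and ends outside the hunk.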
@@ -572,7 +572,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3', 'dblink attempt fails without delegated credentials');
@@ -589,7 +589,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3',
@@ -608,7 +608,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"TABLE tf1;",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3', 'postgres_fdw does not work without delegated credentials');
@@ -626,7 +626,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"TABLE tf2;",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3',
@@ -668,7 +668,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'succeeds with GSS-encrypted access preferred and hostnogssenc hba, but no encryption',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)"
@@ -680,7 +680,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=disable gssdelegation=enable',
+	'gssencmode=disable gssdelegation=1',
 	'succeeds with GSS encryption disabled and hostnogssenc hba',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)"
@@ -691,7 +691,7 @@ test_query(
 	'test1',
 	"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
 	qr/^1$/s,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'dblink works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
 );
 
@@ -700,7 +700,7 @@ test_query(
 	'test1',
 	"TABLE tf1;",
 	qr/^1$/s,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'postgres_fdw works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
 );
 
@@ -711,7 +711,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=1",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3',
@@ -730,7 +730,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"TABLE tf2;",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=1",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3',
@@ -760,7 +760,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssdelegation=enable',
+	'gssdelegation=1',
 	'succeeds with include_realm=0 and defaults',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
@@ -771,12 +771,12 @@ test_query(
 	'test1',
 	"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port password=1234','select 1') as t1(c1 int);",
 	qr/^1$/s,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'dblink works encrypted');
 
 test_query(
 	$node, 'test1', "TABLE tf1;", qr/^1$/s,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'postgres_fdw works encrypted');
 
 # Reset pg_hba.conf, and cause a usermap failure with an authentication
