Spell the values of libpq's gssdelegation parameter as "0" and "1".

That's how other boolean options are handled, so do likewise.
The previous coding with "enable" and "disable" was seemingly
modeled on gssencmode, but that's a three-way flag.

While at it, add PGGSSDELEGATION to the set of environment
variables cleared by pg_regress and Utils.pm.

Abhijit Menon-Sen, per gripe from Alvaro Herrera

Discussion: https://postgr.es/m/20230522091609[email protected]

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index e38a7debc3561755d9732bb630cae3dcb31f5a86..2225e4e0ef3f674db379f46227685f712b96a3e1 100644 (file)
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -2059,9 +2059,9 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       <listitem>
        <para>
         Forward (delegate) GSS credentials to the server.  The default is
-        <literal>disable</literal> which means credentials will not be forwarded
-        to the server.  Set this to <literal>enable</literal> to have
-        credentials forwarded when possible.
+        <literal>0</literal> which means credentials will not be forwarded
+        to the server.  Set this to <literal>1</literal> to have credentials
+        forwarded when possible.
        </para>
       </listitem>
      </varlistentry>

diff --git a/doc/src/sgml/release-16.sgml b/doc/src/sgml/release-16.sgml
index 30f2a7d804025ce520ce39e720517c41caf6dea0..893cd8ddb0176387b81ecf4fd89c9c3fd750a388 100644 (file)
--- a/doc/src/sgml/release-16.sgml
+++ b/doc/src/sgml/release-16.sgml
@@ -953,7 +953,8 @@ Add support for Kerberos credential delegation (Stephen Frost)
 </para>
 
 <para>
-This is enabled with server variable gss_accept_delegation.
+This is enabled with server variable gss_accept_delegation
+and libpq connection parameter gssdelegation.
 </para>
 </listitem>
 

diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index de0e13e50d12ccc023130171b664c6a6b0fdc384..88fd0f3d80220c974fbb1b499c90e5b71ce27d83 100644 (file)
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -97,7 +97,7 @@ pg_GSS_continue(PGconn *conn, int payloadlen)
        if (!pg_GSS_have_cred_cache(&conn->gcred))
                conn->gcred = GSS_C_NO_CREDENTIAL;
 
-       if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
+       if (conn->gssdelegation && conn->gssdelegation[0] == '1')
                gss_flags |= GSS_C_DELEG_FLAG;
 
        maj_stat = gss_init_sec_context(&min_stat,

diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 786d22a7706e5f5af95faace92c3ca94e2c0fc36..a8584d2c684929b3ff4853cef06a4b42a8df7c89 100644 (file)
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -343,8 +343,8 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
                "GSS-library", "", 7,   /* sizeof("gssapi") == 7 */
        offsetof(struct pg_conn, gsslib)},
 
-       {"gssdelegation", "PGGSSDELEGATION", NULL, NULL,
-               "GSS-delegation", "", 8,        /* sizeof("disable") == 8 */
+       {"gssdelegation", "PGGSSDELEGATION", "0", NULL,
+               "GSS-delegation", "", 1,
        offsetof(struct pg_conn, gssdelegation)},
 
        {"replication", NULL, NULL, NULL,

diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c
index c77d5cfe9f5905e301e5f5ace48dcd67e60dd733..7e373236e92008013e64157ae2d087ae184ce68a 100644 (file)
--- a/src/interfaces/libpq/fe-secure-gssapi.c
+++ b/src/interfaces/libpq/fe-secure-gssapi.c
@@ -622,7 +622,7 @@ pqsecure_open_gss(PGconn *conn)
        if (ret != STATUS_OK)
                return PGRES_POLLING_FAILED;
 
-       if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
+       if (conn->gssdelegation && conn->gssdelegation[0] == '1')
        {
                /* Acquire credentials if possible */
                if (conn->gcred == GSS_C_NO_CREDENTIAL)

diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index f1854f9919c241941de39b9fc9fa12891088cb88..0045f83cbfde8cc98a0f08ad84426ec56e43dc90 100644 (file)
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -404,7 +404,7 @@ struct pg_conn
        char       *krbsrvname;         /* Kerberos service name */
        char       *gsslib;                     /* What GSS library to use ("gssapi" or
                                                                 * "sspi") */
-       char       *gssdelegation;      /* Try to delegate GSS credentials? */
+       char       *gssdelegation;      /* Try to delegate GSS credentials? (0 or 1) */
        char       *ssl_min_protocol_version;   /* minimum TLS protocol version */
        char       *ssl_max_protocol_version;   /* maximum TLS protocol version */
        char       *target_session_attrs;       /* desired session properties */

diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl
index bff26fda0c913ee5548b532c0e843aef5fb30c6a..0deb9bffc8de9e8cc435a8d577de7c6b43042b2b 100644 (file)
--- a/src/test/kerberos/t/001_auth.pl
+++ b/src/test/kerberos/t/001_auth.pl
@@ -381,7 +381,7 @@ test_access(
        'test1',
        'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
        0,
-       'gssencmode=prefer gssdelegation=enable',
+       'gssencmode=prefer gssdelegation=1',
        'succeeds with GSS-encrypted access preferred with host hba and credentials not delegated even though asked for (ticket not forwardable)',
        "connection authenticated: identity=\"test1\@$realm\" method=gss",
        "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -391,7 +391,7 @@ test_access(
        'test1',
        'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
        0,
-       'gssencmode=require gssdelegation=enable',
+       'gssencmode=require gssdelegation=1',
        'succeeds with GSS-encrypted access required with host hba and credentials not delegated even though asked for (ticket not forwardable)',
        "connection authenticated: identity=\"test1\@$realm\" method=gss",
        "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -480,7 +480,7 @@ test_access(
        'test1',
        'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
        0,
-       'gssencmode=prefer gssdelegation=enable',
+       'gssencmode=prefer gssdelegation=1',
        'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
        "connection authenticated: identity=\"test1\@$realm\" method=gss",
        "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -490,7 +490,7 @@ test_access(
        'test1',
        'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
        0,
-       'gssencmode=require gssdelegation=enable',
+       'gssencmode=require gssdelegation=1',
        'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
        "connection authenticated: identity=\"test1\@$realm\" method=gss",
        "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -504,7 +504,7 @@ test_access(
        'test1',
        'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
        0,
-       'gssencmode=prefer gssdelegation=enable',
+       'gssencmode=prefer gssdelegation=1',
        'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
        "connection authenticated: identity=\"test1\@$realm\" method=gss",
        "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -514,7 +514,7 @@ test_access(
        'test1',
        'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
        0,
-       'gssencmode=require gssdelegation=enable',
+       'gssencmode=require gssdelegation=1',
        'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
        "connection authenticated: identity=\"test1\@$realm\" method=gss",
        "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -528,7 +528,7 @@ test_access(
        'test1',
        'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
        0,
-       'gssencmode=prefer gssdelegation=enable',
+       'gssencmode=prefer gssdelegation=1',
        'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials forwarded',
        "connection authenticated: identity=\"test1\@$realm\" method=gss",
        "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
@@ -538,7 +538,7 @@ test_access(
        'test1',
        'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
        0,
-       'gssencmode=require gssdelegation=enable',
+       'gssencmode=require gssdelegation=1',
        'succeeds with GSS-encrypted access required and hostgssenc hba and credentials forwarded',
        "connection authenticated: identity=\"test1\@$realm\" method=gss",
        "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
@@ -558,7 +558,7 @@ test_access(
        'test1',
        'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
        0,
-       'gssencmode=require gssdelegation=disable',
+       'gssencmode=require gssdelegation=0',
        'succeeds with GSS-encrypted access required and hostgssenc hba and credentials explicitly not forwarded',
        "connection authenticated: identity=\"test1\@$realm\" method=gss",
        "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -572,7 +572,7 @@ $psql_rc = $node->psql(
        'postgres',
        "SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
        connstr =>
-         "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+         "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
        stdout => \$psql_out,
        stderr => \$psql_stderr);
 is($psql_rc, '3', 'dblink attempt fails without delegated credentials');
@@ -589,7 +589,7 @@ $psql_rc = $node->psql(
        'postgres',
        "SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
        connstr =>
-         "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+         "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
        stdout => \$psql_out,
        stderr => \$psql_stderr);
 is($psql_rc, '3',
@@ -608,7 +608,7 @@ $psql_rc = $node->psql(
        'postgres',
        "TABLE tf1;",
        connstr =>
-         "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+         "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
        stdout => \$psql_out,
        stderr => \$psql_stderr);
 is($psql_rc, '3', 'postgres_fdw does not work without delegated credentials');
@@ -626,7 +626,7 @@ $psql_rc = $node->psql(
        'postgres',
        "TABLE tf2;",
        connstr =>
-         "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+         "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
        stdout => \$psql_out,
        stderr => \$psql_stderr);
 is($psql_rc, '3',
@@ -668,7 +668,7 @@ test_access(
        'test1',
        'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
        0,
-       'gssencmode=prefer gssdelegation=enable',
+       'gssencmode=prefer gssdelegation=1',
        'succeeds with GSS-encrypted access preferred and hostnogssenc hba, but no encryption',
        "connection authenticated: identity=\"test1\@$realm\" method=gss",
        "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)"
@@ -680,7 +680,7 @@ test_access(
        'test1',
        'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
        0,
-       'gssencmode=disable gssdelegation=enable',
+       'gssencmode=disable gssdelegation=1',
        'succeeds with GSS encryption disabled and hostnogssenc hba',
        "connection authenticated: identity=\"test1\@$realm\" method=gss",
        "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)"
@@ -691,7 +691,7 @@ test_query(
        'test1',
        "SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
        qr/^1$/s,
-       'gssencmode=prefer gssdelegation=enable',
+       'gssencmode=prefer gssdelegation=1',
        'dblink works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
 );
 
@@ -700,7 +700,7 @@ test_query(
        'test1',
        "TABLE tf1;",
        qr/^1$/s,
-       'gssencmode=prefer gssdelegation=enable',
+       'gssencmode=prefer gssdelegation=1',
        'postgres_fdw works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
 );
 
@@ -711,7 +711,7 @@ $psql_rc = $node->psql(
        'postgres',
        "SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
        connstr =>
-         "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
+         "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=1",
        stdout => \$psql_out,
        stderr => \$psql_stderr);
 is($psql_rc, '3',
@@ -730,7 +730,7 @@ $psql_rc = $node->psql(
        'postgres',
        "TABLE tf2;",
        connstr =>
-         "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
+         "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=1",
        stdout => \$psql_out,
        stderr => \$psql_stderr);
 is($psql_rc, '3',
@@ -760,7 +760,7 @@ test_access(
        'test1',
        'SELECT gss_authenticated AND encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
        0,
-       'gssdelegation=enable',
+       'gssdelegation=1',
        'succeeds with include_realm=0 and defaults',
        "connection authenticated: identity=\"test1\@$realm\" method=gss",
        "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
@@ -771,12 +771,12 @@ test_query(
        'test1',
        "SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port password=1234','select 1') as t1(c1 int);",
        qr/^1$/s,
-       'gssencmode=require gssdelegation=enable',
+       'gssencmode=require gssdelegation=1',
        'dblink works encrypted');
 
 test_query(
        $node, 'test1', "TABLE tf1;", qr/^1$/s,
-       'gssencmode=require gssdelegation=enable',
+       'gssencmode=require gssdelegation=1',
        'postgres_fdw works encrypted');
 
 # Reset pg_hba.conf, and cause a usermap failure with an authentication

diff --git a/src/test/perl/PostgreSQL/Test/Utils.pm b/src/test/perl/PostgreSQL/Test/Utils.pm
index 38cd7d830d853c3bea87757bae365fbbc9797fdc..a27fac83d2616144eadd93008681a494b40255af 100644 (file)
--- a/src/test/perl/PostgreSQL/Test/Utils.pm
+++ b/src/test/perl/PostgreSQL/Test/Utils.pm
@@ -113,6 +113,7 @@ BEGIN
          PGCONNECT_TIMEOUT
          PGDATA
          PGDATABASE
+         PGGSSDELEGATION
          PGGSSENCMODE
          PGGSSLIB
          PGHOSTADDR

diff --git a/src/test/regress/pg_regress.c b/src/test/regress/pg_regress.c
index abf633dc08557ddb59c75f8cd6accdce3c6838ee..a546fc3d34d558f9d8f3c4638499973c265957cd 100644 (file)
--- a/src/test/regress/pg_regress.c
+++ b/src/test/regress/pg_regress.c
@@ -798,6 +798,7 @@ initialize_environment(void)
                unsetenv("PGCONNECT_TIMEOUT");
                unsetenv("PGDATA");
                unsetenv("PGDATABASE");
+               unsetenv("PGGSSDELEGATION");
                unsetenv("PGGSSENCMODE");
                unsetenv("PGGSSLIB");
                /* PGHOSTADDR, see below */