Spell the values of libpq's gssdelegation parameter as "0" and "1".

That's how other boolean options are handled, so do likewise. The previous coding with "enable" and "disable" was seemingly modeled on gssencmode, but that's a three-way flag. While at it, add PGGSSDELEGATION to the set of environment variables cleared by pg_regress and Utils.pm. Abhijit Menon-Sen, per gripe from Alvaro Herrera Discussion: https://postgr.es/m/20230522091609.nlyuu4nolhycqs2p@alvherre.pgsql
2023-05-22 11:50:20 -04:00 · 2023-05-22 11:50:20 -04:00 · 1f9f6aa491
parent 4123455a9e
commit 1f9f6aa491
9 changed files with 34 additions and 31 deletions
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@ -2059,9 +2059,9 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
      <listitem>
       <para>
        Forward (delegate) GSS credentials to the server.  The default is
-        <literal>disable</literal> which means credentials will not be forwarded
-        to the server.  Set this to <literal>enable</literal> to have
-        credentials forwarded when possible.
+        <literal>0</literal> which means credentials will not be forwarded
+        to the server.  Set this to <literal>1</literal> to have credentials
+        forwarded when possible.
       </para>
      </listitem>
     </varlistentry>
--- a/doc/src/sgml/release-16.sgml
+++ b/doc/src/sgml/release-16.sgml
@ -953,7 +953,8 @@ Add support for Kerberos credential delegation (Stephen Frost)
 </para>

 <para>
-This is enabled with server variable gss_accept_delegation.
+This is enabled with server variable gss_accept_delegation
+and libpq connection parameter gssdelegation.
 </para>
 </listitem>

--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@ -97,7 +97,7 @@ pg_GSS_continue(PGconn *conn, int payloadlen)
 	if (!pg_GSS_have_cred_cache(&conn->gcred))
 		conn->gcred = GSS_C_NO_CREDENTIAL;

-	if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
+	if (conn->gssdelegation && conn->gssdelegation[0] == '1')
 		gss_flags |= GSS_C_DELEG_FLAG;

 	maj_stat = gss_init_sec_context(&min_stat,
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@ -343,8 +343,8 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"GSS-library", "", 7,	/* sizeof("gssapi") == 7 */
 	offsetof(struct pg_conn, gsslib)},

-	{"gssdelegation", "PGGSSDELEGATION", NULL, NULL,
-		"GSS-delegation", "", 8,	/* sizeof("disable") == 8 */
+	{"gssdelegation", "PGGSSDELEGATION", "0", NULL,
+		"GSS-delegation", "", 1,
 	offsetof(struct pg_conn, gssdelegation)},

 	{"replication", NULL, NULL, NULL,
--- a/src/interfaces/libpq/fe-secure-gssapi.c
+++ b/src/interfaces/libpq/fe-secure-gssapi.c
@ -622,7 +622,7 @@ pqsecure_open_gss(PGconn *conn)
 	if (ret != STATUS_OK)
 		return PGRES_POLLING_FAILED;

-	if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
+	if (conn->gssdelegation && conn->gssdelegation[0] == '1')
 	{
 		/* Acquire credentials if possible */
 		if (conn->gcred == GSS_C_NO_CREDENTIAL)
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@ -404,7 +404,7 @@ struct pg_conn
 	char	   *krbsrvname;		/* Kerberos service name */
 	char	   *gsslib;			/* What GSS library to use ("gssapi" or
 								 * "sspi") */
-	char	   *gssdelegation;	/* Try to delegate GSS credentials? */
+	char	   *gssdelegation;	/* Try to delegate GSS credentials? (0 or 1) */
 	char	   *ssl_min_protocol_version;	/* minimum TLS protocol version */
 	char	   *ssl_max_protocol_version;	/* maximum TLS protocol version */
 	char	   *target_session_attrs;	/* desired session properties */
--- a/src/test/kerberos/t/001_auth.pl
+++ b/src/test/kerberos/t/001_auth.pl
@ -381,7 +381,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'succeeds with GSS-encrypted access preferred with host hba and credentials not delegated even though asked for (ticket not forwardable)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@ -391,7 +391,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'succeeds with GSS-encrypted access required with host hba and credentials not delegated even though asked for (ticket not forwardable)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@ -480,7 +480,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@ -490,7 +490,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@ -504,7 +504,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@ -514,7 +514,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@ -528,7 +528,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials forwarded',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
@ -538,7 +538,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'succeeds with GSS-encrypted access required and hostgssenc hba and credentials forwarded',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
@ -558,7 +558,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdelegation=disable',
+	'gssencmode=require gssdelegation=0',
 	'succeeds with GSS-encrypted access required and hostgssenc hba and credentials explicitly not forwarded',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@ -572,7 +572,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3', 'dblink attempt fails without delegated credentials');
@ -589,7 +589,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3',
@ -608,7 +608,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"TABLE tf1;",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3', 'postgres_fdw does not work without delegated credentials');
@ -626,7 +626,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"TABLE tf2;",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3',
@ -668,7 +668,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'succeeds with GSS-encrypted access preferred and hostnogssenc hba, but no encryption',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)"
@ -680,7 +680,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=disable gssdelegation=enable',
+	'gssencmode=disable gssdelegation=1',
 	'succeeds with GSS encryption disabled and hostnogssenc hba',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)"
@ -691,7 +691,7 @@ test_query(
 	'test1',
 	"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
 	qr/^1$/s,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'dblink works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
 );

@ -700,7 +700,7 @@ test_query(
 	'test1',
 	"TABLE tf1;",
 	qr/^1$/s,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'postgres_fdw works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
 );

@ -711,7 +711,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=1",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3',
@ -730,7 +730,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"TABLE tf2;",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=1",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3',
@ -760,7 +760,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssdelegation=enable',
+	'gssdelegation=1',
 	'succeeds with include_realm=0 and defaults',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
@ -771,12 +771,12 @@ test_query(
 	'test1',
 	"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port password=1234','select 1') as t1(c1 int);",
 	qr/^1$/s,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'dblink works encrypted');

 test_query(
 	$node, 'test1', "TABLE tf1;", qr/^1$/s,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'postgres_fdw works encrypted');

 # Reset pg_hba.conf, and cause a usermap failure with an authentication
--- a/src/test/perl/PostgreSQL/Test/Utils.pm
+++ b/src/test/perl/PostgreSQL/Test/Utils.pm
@ -113,6 +113,7 @@ BEGIN
 	  PGCONNECT_TIMEOUT
 	  PGDATA
 	  PGDATABASE
+	  PGGSSDELEGATION
 	  PGGSSENCMODE
 	  PGGSSLIB
 	  PGHOSTADDR
--- a/src/test/regress/pg_regress.c
+++ b/src/test/regress/pg_regress.c
@ -798,6 +798,7 @@ initialize_environment(void)
 		unsetenv("PGCONNECT_TIMEOUT");
 		unsetenv("PGDATA");
 		unsetenv("PGDATABASE");
+		unsetenv("PGGSSDELEGATION");
 		unsetenv("PGGSSENCMODE");
 		unsetenv("PGGSSLIB");
 		/* PGHOSTADDR, see below */