Allow ssl_passphrase_command to prompt the terminal

Previously the command could not access the terminal for a passphrase.

Backpatch-through: master

doc/src/sgml/config.sgml

@@ -1452,18 +1452,18 @@ include_dir 'conf.d'
         mechanism is used.
        </para>
        <para>
-        The command must print the passphrase to the standard output and exit
+        The command must print the passphrase to the standard output
-        with code 0.  In the parameter value, <literal>%p</literal> is
+        and exit with code 0.  It can prompt from the terminal if
-        replaced by a prompt string.  (Write <literal>%%</literal> for a
+        <option>--authprompt</option> is used.  In the parameter value,
-        literal <literal>%</literal>.)  Note that the prompt string will
+        <literal>%R</literal> represents the file descriptor number opened
-        probably contain whitespace, so be sure to quote adequately.  A single
+        to the terminal that started the server.  A file descriptor is only
-        newline is stripped from the end of the output if present.
+        available if enabled at server start.  If <literal>%R</literal>
-       </para>
+        is used and no file descriptor is available, the server will not
-       <para>
+        start.  Value <literal>%p</literal> is replaced by a pre-defined
-        The command does not actually have to prompt the user for a
+        prompt string.  (Write <literal>%%</literal> for a literal
-        passphrase.  It can read it from a file, obtain it from a keychain
+        <literal>%</literal>.)  Note that the prompt string will probably
-        facility, or similar.  It is up to the user to make sure the chosen
+        contain whitespace, so be sure to quote its use adequately.
-        mechanism is adequately secure.
+        Newlines are stripped from the end of the output if present.
        </para>
        <para>
         This parameter can only be set in the <filename>postgresql.conf</filename>
@@ -1486,10 +1486,12 @@ include_dir 'conf.d'
         parameter is off (the default), then
         <varname>ssl_passphrase_command</varname> will be ignored during a
         reload and the SSL configuration will not be reloaded if a passphrase
-        is needed.  That setting is appropriate for a command that requires a
+        is needed.  This setting is appropriate for a command that requires a
-        TTY for prompting, which might not be available when the server is
+        terminal for prompting, which will likely not be available when the server is
-        running.  Setting this parameter to on might be appropriate if the
+        running.  (<option>--authprompt</option> closes the terminal file
-        passphrase is obtained from a file, for example.
+        descriptor soon after server start.)   Setting this parameter on
+        might be appropriate, for example, if the passphrase is obtained
+        from a file.
        </para>
        <para>
         This parameter can only be set in the <filename>postgresql.conf</filename>

doc/src/sgml/ref/pg_ctl-ref.sgml

@@ -380,8 +380,9 @@ PostgreSQL documentation
       <term><option>--authprompt</option></term>
       <listitem>
        <para>
-        Allows the <option>--cluster-key-command</option> command
+        Allows <option>ssl_passphrase_command</option> or
-        to prompt for a passphrase or PIN.
+        <option>cluster_key_command</option> to prompt for a passphrase
+        or PIN.
        </para>
       </listitem>
      </varlistentry>

doc/src/sgml/ref/pgupgrade.sgml

@@ -170,7 +170,9 @@ PostgreSQL documentation
      <varlistentry>
       <term><option>-R</option></term>
       <term><option>--authprompt</option></term>
-      <listitem><para>allows prompting for a passphrase or PIN
+      <listitem><para>allows <option>ssl_passphrase_command</option> or
+      <option>cluster_key_command</option> to prompt for a passphrase
+      or PIN.
       </para></listitem>
      </varlistentry>
 

src/backend/libpq/be-secure-common.c

@@ -22,6 +22,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 
+#include "postmaster/postmaster.h"
 #include "common/string.h"
 #include "libpq/libpq.h"
 #include "storage/fd.h"
@@ -61,6 +62,19 @@ run_ssl_passphrase_command(const char *prompt, bool is_server_start, char *buf,
 					appendStringInfoString(&command, prompt);
 					p++;
 					break;
+				case 'R':
+					{
+						char fd_str[20];
+
+						if (terminal_fd == -1)
+							ereport(ERROR,
+									(errcode(ERRCODE_INTERNAL_ERROR),
+									 errmsg("ssl_passphrase_command referenced %%R, but -R not specified")));
+						p++;
+						snprintf(fd_str, sizeof(fd_str), "%d", terminal_fd);
+						appendStringInfoString(&command, fd_str);
+						break;
+					}
 				case '%':
 					appendStringInfoChar(&command, '%');
 					p++;