From 4cc1c76fe9f13aa96bae14f4fcfdf6d508af72a4 Mon Sep 17 00:00:00 2001 From: Heikki Linnakangas Date: Fri, 12 Apr 2024 19:52:39 +0300 Subject: [PATCH] Document PG_TEST_EXTRA=libpq_encryption and also check 'kerberos' In the libpq encryption negotiation tests, don't run the GSSAPI tests unless PG_TEST_EXTRA='kerberos' is also set. That makes it possible to still run most of the tests when GSSAPI support is compiled in, but there's no MIT Kerberos installation. --- doc/src/sgml/regress.sgml | 14 +++++++++++++- src/interfaces/libpq/t/005_negotiate_encryption.pl | 14 ++++++++++---- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/doc/src/sgml/regress.sgml b/doc/src/sgml/regress.sgml index 6a27aae319..d7e78204ad 100644 --- a/doc/src/sgml/regress.sgml +++ b/doc/src/sgml/regress.sgml @@ -259,7 +259,7 @@ make check-world -j8 >/dev/null variable PG_TEST_EXTRA to a whitespace-separated list, for example: -make check-world PG_TEST_EXTRA='kerberos ldap ssl load_balance' +make check-world PG_TEST_EXTRA='kerberos ldap ssl load_balance libpq_encryption' The following values are currently supported: @@ -304,6 +304,18 @@ make check-world PG_TEST_EXTRA='kerberos ldap ssl load_balance' + + libpq_encryption + + + Runs the test src/interfaces/libpq/t/005_negotiate_encryption.pl. + This opens TCP/IP listen sockets. If PG_TEST_EXTRA + also includes kerberos, additional tests that require + an MIT Kerberos installation are enabled. + + + + wal_consistency_checking diff --git a/src/interfaces/libpq/t/005_negotiate_encryption.pl b/src/interfaces/libpq/t/005_negotiate_encryption.pl index b369289ef1..1c37f832e7 100644 --- a/src/interfaces/libpq/t/005_negotiate_encryption.pl +++ b/src/interfaces/libpq/t/005_negotiate_encryption.pl 
@@ -83,8 +83,11 @@ if (!$ENV{PG_TEST_EXTRA} || $ENV{PG_TEST_EXTRA} !~ /\blibpq_encryption\b/) 'Potentially unsafe test libpq_encryption not enabled in PG_TEST_EXTRA'; } -my $ssl_supported = $ENV{with_ssl} eq 'openssl'; +# Only run the GSSAPI tests when compiled with GSSAPI support and +# PG_TEST_EXTRA includes 'kerberos' my $gss_supported = $ENV{with_gssapi} eq 'yes'; +my $kerberos_enabled = $ENV{PG_TEST_EXTRA} && $ENV{PG_TEST_EXTRA} =~ /\bkerberos\b/; +my $ssl_supported = $ENV{with_ssl} eq 'openssl'; ### ### Prepare test server for GSSAPI and SSL authentication, with a few @@ -118,7 +121,7 @@ my $gssuser_password = 'secret1'; my $krb; -if ($gss_supported != 0) +if ($gss_supported != 0 && $kerberos_enabled != 0) { note "setting up Kerberos"; @@ -197,7 +200,7 @@ hostssl postgres ssluser $servercidr trust print $hba qq{ hostgssenc postgres gssuser $servercidr trust -} if ($gss_supported != 0); +} if ($gss_supported != 0 && $kerberos_enabled != 0); close $hba; $node->reload; @@ -331,6 +334,7 @@ nossluser . disable * connect, authok SKIP: { skip "GSSAPI/Kerberos not supported by this build" if $gss_supported == 0; + skip "kerberos not enabled in PG_TEST_EXTRA" if $kerberos_enabled == 0; $krb->create_principal('gssuser', $gssuser_password); $krb->create_ticket('gssuser', $gssuser_password); @@ -413,7 +417,9 @@ nogssuser disable disable * connect, authok ### SKIP: { - skip "GSSAPI/Kerberos or SSL not supported by this build" unless ($ssl_supported && $gss_supported); + skip "SSL not supported by this build" if $ssl_supported == 0; + skip "GSSAPI/Kerberos not supported by this build" if $gss_supported == 0; + skip "kerberos not enabled in PG_TEST_EXTRA" if $kerberos_enabled == 0; # Sanity check that GSSAPI is still enabled from previous test. connect_test($node, 'user=testuser gssencmode=prefer sslmode=prefer', 'connect, gssaccept, authok -> gss');
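Review bot: The new `$kerberos_enabled` test in the first hunk matches with `\b`, so a token such as `no-kerberos` or `kerberos.old` (constructed examples) would also switch the Kerberos setup on. The documentation hunk in this same patch describes PG_TEST_EXTRA as a whitespace-separated list, and this flag is the opt-in for a test the file itself labels potentially unsafe, so matching whole tokens would be safer: `my $kerberos_enabled = grep { $_ eq 'kerberos' } split ' ', $ENV{PG_TEST_EXTRA};`. That form also yields a plain count, which suits the later `!= 0` and `== 0` comparisons better than a raw match result. It assumes the guard above has already bailed out when PG_TEST_EXTRA is unset; that guard is only partly visible here and uses the same `\b` idiom for `libpq_encryption`.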
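Review bot: The condition `$gss_supported != 0 && $kerberos_enabled != 0` that now guards the creation of `$krb` in the second hunk is repeated verbatim on the `hostgssenc` line in the third hunk and re-expressed as two separate `skip` lines in each of the two SKIP blocks. All four sites have to agree, otherwise `$krb->create_principal(...)` in the fourth hunk is reached with `$krb` undefined, or the `hostgssenc ... trust` line is written without a KDC behind it. Deriving the flag once next to the declarations, `my $gss_tests_enabled = $gss_supported && $kerberos_enabled;`, and using it for the setup and the HBA line would make that harder to get wrong. The SKIP blocks can keep their separate messages. The `if` block's body continues outside the hunk.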