From 697f8d266cfb33409f7ccf3319f4448477066329 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson
Date: Fri, 22 Mar 2024 22:58:41 +0100
Subject: [PATCH] Revert "Add notBefore and notAfter to SSL cert info display"
This reverts commit 6acb0a628eccab8764e0306582c2b7e2a1441b9b since LibreSSL didn't support ASN1_TIME_diff until OpenBSD 7.1, leaving the older OpenBSD animals in the buildfarm complaining. Per plover in the buildfarm.
Discussion: https://postgr.es/m/F0DF7102-192D-4C21-96AE-9A01AE153AD1@yesql.se
---
 contrib/sslinfo/Makefile | 2 +-
 contrib/sslinfo/meson.build | 1 -
 contrib/sslinfo/sslinfo--1.2--1.3.sql | 12 ---
 contrib/sslinfo/sslinfo.c | 95 ---------------------
 contrib/sslinfo/sslinfo.control | 2 +-
 doc/src/sgml/monitoring.sgml | 20 -----
 doc/src/sgml/sslinfo.sgml | 30 -------
 src/backend/catalog/system_views.sql | 4 +-
 src/backend/libpq/be-secure-openssl.c | 78 -----------------
 src/backend/utils/activity/backend_status.c | 2 -
 src/backend/utils/adt/pgstatfuncs.c | 46 ++++------
 src/include/catalog/catversion.h | 2 +-
 src/include/catalog/pg_proc.dat | 6 +-
 src/include/libpq/libpq-be.h | 2 -
 src/include/utils/backend_status.h | 3 -
 src/test/regress/expected/rules.out | 12 ++-
 src/test/ssl/t/001_ssltests.pl | 10 +--
 src/test/ssl/t/003_sslinfo.pl | 14 ---
 src/tools/pgindent/typedefs.list | 1 -
 19 files changed, 34 insertions(+), 308 deletions(-)
 delete mode 100644 contrib/sslinfo/sslinfo--1.2--1.3.sql
diff --git a/contrib/sslinfo/Makefile b/contrib/sslinfo/Makefile
index 78a5a83d5c..dd1ff83b16 100644
--- a/contrib/sslinfo/Makefile
+++ b/contrib/sslinfo/Makefile
@@ -6,7 +6,7 @@ OBJS = \
 sslinfo.o
 EXTENSION = sslinfo
-DATA = sslinfo--1.2--1.3.sql sslinfo--1.2.sql sslinfo--1.1--1.2.sql sslinfo--1.0--1.1.sql
+DATA = sslinfo--1.2.sql sslinfo--1.1--1.2.sql sslinfo--1.0--1.1.sql
 PGFILEDESC = "sslinfo - information about client SSL certificate"
 ifdef USE_PGXS
diff --git a/contrib/sslinfo/meson.build b/contrib/sslinfo/meson.build
index a4bcd21ea6..39d49a1736 100644
--- a/contrib/sslinfo/meson.build
+++ b/contrib/sslinfo/meson.build
@@ -26,7 +26,6 @@ install_data(
 'sslinfo--1.0--1.1.sql',
 'sslinfo--1.1--1.2.sql',
 'sslinfo--1.2.sql',
- 'sslinfo--1.2--1.3.sql',
 'sslinfo.control',
 kwargs: contrib_data_args,
 )
diff --git a/contrib/sslinfo/sslinfo--1.2--1.3.sql b/contrib/sslinfo/sslinfo--1.2--1.3.sql
deleted file mode 100644
index 424a11afe4..0000000000
--- a/contrib/sslinfo/sslinfo--1.2--1.3.sql
+++ /dev/null
@@ -1,12 +0,0 @@
-/* contrib/sslinfo/sslinfo--1.2--1.3.sql */
-
--- complain if script is sourced in psql, rather than via CREATE EXTENSION
-\echo Use "CREATE EXTENSION sslinfo" to load this file. \quit
-
-CREATE FUNCTION ssl_client_get_notbefore() RETURNS timestamptz
-AS 'MODULE_PATHNAME', 'ssl_client_get_notbefore'
-LANGUAGE C STRICT PARALLEL RESTRICTED;
-
-CREATE FUNCTION ssl_client_get_notafter() RETURNS timestamptz
-AS 'MODULE_PATHNAME', 'ssl_client_get_notafter'
-LANGUAGE C STRICT PARALLEL RESTRICTED;
diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c
index 904b203a17..5fd46b9874 100644
--- a/contrib/sslinfo/sslinfo.c
+++ b/contrib/sslinfo/sslinfo.c
@@ -14,12 +14,10 @@
 #include
 #include "access/htup_details.h"
-#include "common/int.h"
 #include "funcapi.h"
 #include "libpq/libpq-be.h"
 #include "miscadmin.h"
 #include "utils/builtins.h"
-#include "utils/timestamp.h"
 /*
 * On Windows, includes a #define for X509_NAME, which breaks our
@@ -36,7 +34,6 @@ PG_MODULE_MAGIC;
 static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName);
 static Datum ASN1_STRING_to_text(ASN1_STRING *str);
-static Datum ASN1_TIME_to_timestamptz(ASN1_TIME *time);
 /*
 * Function context for data persisting over repeated calls.
@@ -228,66 +225,6 @@ X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
 }
-/*
- * Converts OpenSSL ASN1_TIME structure into timestamptz
- *
- * OpenSSL 1.0.2 doesn't expose a function to convert an ASN1_TIME to a tm
- * struct, it's only available in 1.1.1 and onwards. Instead we can ask for the
- * difference between the ASN1_TIME and a known timestamp and get the actual
- * timestamp that way. Until support for OpenSSL 1.0.2 is retired we have to do
- * it this way.
- *
- * Parameter: time - OpenSSL ASN1_TIME structure.
- * Returns Datum, which can be directly returned from a C language SQL
- * function.
- */
-static Datum
-ASN1_TIME_to_timestamptz(ASN1_TIME *ASN1_cert_ts)
-{
- int days;
- int seconds;
- const char postgres_epoch[] = "20000101000000Z";
- ASN1_TIME *ASN1_epoch;
- int64 result_days;
- int64 result_secs;
- int64 result;
-
- /* Create an epoch to compare against */
- ASN1_epoch = ASN1_TIME_new();
- if (!ASN1_epoch)
- ereport(ERROR,
- (errcode(ERRCODE_OUT_OF_MEMORY),
- errmsg("could not allocate memory for ASN1 TIME structure")));
-
- /* Calculate the diff from the epoch to the certificate timestamp */
- if (!ASN1_TIME_set_string(ASN1_epoch, postgres_epoch) ||
- !ASN1_TIME_diff(&days, &seconds, ASN1_epoch, ASN1_cert_ts))
- ereport(ERROR,
- (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
- errmsg("failed to read certificate validity")));
-
- /*
- * Unlike when freeing other OpenSSL memory structures, there is no error
- * return on freeing ASN1 strings.
- */
- ASN1_TIME_free(ASN1_epoch);
-
- /*
- * Convert the reported date into usecs to be used as a TimestampTz. The
- * date should really not overflow an int64 but rather than trusting the
- * certificate we take overflow into consideration.
- */
- if (pg_mul_s64_overflow(days, USECS_PER_DAY, &result_days) ||
- pg_mul_s64_overflow(seconds, USECS_PER_SEC, &result_secs) ||
- pg_add_s64_overflow(result_days, result_secs, &result))
- {
- return TimestampTzGetDatum(0);
- }
-
- return TimestampTzGetDatum(result);
-}
-
-
 /*
 * Returns specified field of client certificate distinguished name
 *
@@ -545,35 +482,3 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 /* All done */
 SRF_RETURN_DONE(funcctx);
 }
-
-/*
- * Returns current client certificate notBefore timestamp in
- * timestamptz data type
- */
-PG_FUNCTION_INFO_V1(ssl_client_get_notbefore);
-Datum
-ssl_client_get_notbefore(PG_FUNCTION_ARGS)
-{
- X509 *cert = MyProcPort->peer;
-
- if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
- PG_RETURN_NULL();
-
- return ASN1_TIME_to_timestamptz(X509_get_notBefore(cert));
-}
-
-/*
- * Returns current client certificate notAfter timestamp in
- * timestamptz data type
- */
-PG_FUNCTION_INFO_V1(ssl_client_get_notafter);
-Datum
-ssl_client_get_notafter(PG_FUNCTION_ARGS)
-{
- X509 *cert = MyProcPort->peer;
-
- if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
- PG_RETURN_NULL();
-
- return ASN1_TIME_to_timestamptz(X509_get_notAfter(cert));
-}
diff --git a/contrib/sslinfo/sslinfo.control b/contrib/sslinfo/sslinfo.control
index b53e95b7da..c7754f924c 100644
--- a/contrib/sslinfo/sslinfo.control
+++ b/contrib/sslinfo/sslinfo.control
@@ -1,5 +1,5 @@
 # sslinfo extension
 comment = 'information about SSL certificates'
-default_version = '1.3'
+default_version = '1.2'
 module_pathname = '$libdir/sslinfo'
 relocatable = true
diff --git a/doc/src/sgml/monitoring.sgml b/doc/src/sgml/monitoring.sgml
index ca6b5631d7..8736eac284 100644
--- a/doc/src/sgml/monitoring.sgml
+++ b/doc/src/sgml/monitoring.sgml
@@ -2292,26 +2292,6 @@ description | Waiting for a newly initialized WAL file to reach durable storage This field is truncated like client_dn. - - - - not_before text - - - Not before timestamp of the client certificate, or NULL if no client - certificate was supplied. - - - - - - not_after text - - - Not after timestamp of the client certificate, or NULL if no client - certificate was supplied. - - - -
diff --git a/doc/src/sgml/sslinfo.sgml b/doc/src/sgml/sslinfo.sgml
index 2a6725cc1c..85d49f6653 100644
--- a/doc/src/sgml/sslinfo.sgml
+++ b/doc/src/sgml/sslinfo.sgml
@@ -240,36 +240,6 @@ emailAddress - - - - ssl_client_get_notbefore() returns timestamptz - - ssl_client_get_notbefore - - - - - Return the not before timestamp of the client - certificate. - - - - - - - ssl_client_get_notafter() returns timestamptz - - ssl_client_get_notafter - - - - - Return the not after timestamp of the client - certificate. - - - -
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql
index 72d5caa535..f69b7f5580 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -992,9 +992,7 @@ CREATE VIEW pg_stat_ssl AS
 S.sslbits AS bits,
 S.ssl_client_dn AS client_dn,
 S.ssl_client_serial AS client_serial,
- S.ssl_issuer_dn AS issuer_dn,
- S.ssl_not_before AS not_before,
- S.ssl_not_after AS not_after
+ S.ssl_issuer_dn AS issuer_dn
 FROM pg_stat_get_activity(NULL) AS S
 WHERE S.client_port IS NOT NULL;
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index c6cc681b2e..72e43af353 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -27,7 +27,6 @@
 #include
 #include
-#include "common/int.h"
 #include "common/string.h"
 #include "libpq/libpq.h"
 #include "miscadmin.h"
@@ -37,7 +36,6 @@
 #include "tcop/tcopprot.h"
 #include "utils/builtins.h"
 #include "utils/memutils.h"
-#include "utils/timestamp.h"
 /*
 * These SSL-related #includes must come after all system-provided headers.
@@ -74,7 +72,6 @@ static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
 static const char *SSLerrmessage(unsigned long ecode);
 static char *X509_NAME_to_cstring(X509_NAME *name);
-static TimestampTz ASN1_TIME_to_timestamptz(ASN1_TIME *time);
 static SSL_CTX *SSL_context = NULL;
 static bool SSL_initialized = false;
@@ -1433,24 +1430,6 @@ be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len)
 ptr[0] = '\0';
 }
-void
-be_tls_get_peer_not_before(Port *port, TimestampTz *ptr)
-{
- if (port->peer)
- *ptr = ASN1_TIME_to_timestamptz(X509_get_notBefore(port->peer));
- else
- *ptr = 0;
-}
-
-void
-be_tls_get_peer_not_after(Port *port, TimestampTz *ptr)
-{
- if (port->peer)
- *ptr = ASN1_TIME_to_timestamptz(X509_get_notAfter(port->peer));
- else
- *ptr = 0;
-}
-
 void
 be_tls_get_peer_serial(Port *port, char *ptr, size_t len)
 {
@@ -1594,63 +1573,6 @@ X509_NAME_to_cstring(X509_NAME *name)
 return result;
 }
-/*
- * Convert an ASN1_TIME to a Timestamptz. OpenSSL 1.0.2 doesn't expose a function
- * to convert an ASN1_TIME to a tm struct, it's only available in 1.1.1 and
- * onwards. Instead we can ask for the difference between the ASN1_TIME and a
- * known timestamp and get the actual timestamp that way. Until support for
- * OpenSSL 1.0.2 is retired we have to do it this way.
- */
-static TimestampTz
-ASN1_TIME_to_timestamptz(ASN1_TIME *ASN1_cert_ts)
-{
- int days;
- int seconds;
- const char postgres_epoch[] = "20000101000000Z";
- ASN1_TIME *ASN1_epoch;
- int64 result_days;
- int64 result_seconds;
- int64 result;
-
- /* Create an epoch to compare against */
- ASN1_epoch = ASN1_TIME_new();
- if (!ASN1_epoch)
- ereport(ERROR,
- (errcode(ERRCODE_OUT_OF_MEMORY),
- errmsg("could not allocate memory for ASN1 TIME structure")));
-
- /*
- * Calculate the diff from the epoch to the certificate timestamp.
- * POSTGRES_EPOCH_JDATE cannot be used here since OpenSSL needs an epoch
- * in the ASN.1 format.
- */
- if (!ASN1_TIME_set_string(ASN1_epoch, postgres_epoch) ||
- !ASN1_TIME_diff(&days, &seconds, ASN1_epoch, ASN1_cert_ts))
- ereport(ERROR,
- (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
- errmsg("failed to read certificate validity")));
-
- /*
- * Unlike when freeing other OpenSSL memory structures, there is no error
- * return on freeing ASN1 strings.
- */
- ASN1_TIME_free(ASN1_epoch);
-
- /*
- * Convert the reported date into usecs to be used as a TimestampTz. The
- * date should really not overflow an int64 but rather than trusting the
- * certificate we take overflow into consideration.
- */
- if (pg_mul_s64_overflow(days, USECS_PER_DAY, &result_days) ||
- pg_mul_s64_overflow(seconds, USECS_PER_SEC, &result_seconds) ||
- pg_add_s64_overflow(result_seconds, result_days, &result))
- {
- return 0;
- }
-
- return result;
-}
-
 /*
 * Convert TLS protocol version GUC enum to OpenSSL values
 *
diff --git a/src/backend/utils/activity/backend_status.c b/src/backend/utils/activity/backend_status.c
index 121ec8956f..1ccf4c6d83 100644
--- a/src/backend/utils/activity/backend_status.c
+++ b/src/backend/utils/activity/backend_status.c
@@ -348,8 +348,6 @@ pgstat_bestart(void)
 be_tls_get_peer_subject_name(MyProcPort, lsslstatus.ssl_client_dn, NAMEDATALEN);
 be_tls_get_peer_serial(MyProcPort, lsslstatus.ssl_client_serial, NAMEDATALEN);
 be_tls_get_peer_issuer_name(MyProcPort, lsslstatus.ssl_issuer_dn, NAMEDATALEN);
- be_tls_get_peer_not_before(MyProcPort, &lsslstatus.ssl_not_before);
- be_tls_get_peer_not_after(MyProcPort, &lsslstatus.ssl_not_after);
 }
 else
 {
diff --git a/src/backend/utils/adt/pgstatfuncs.c b/src/backend/utils/adt/pgstatfuncs.c
index 61522642cb..3876339ee1 100644
--- a/src/backend/utils/adt/pgstatfuncs.c
+++ b/src/backend/utils/adt/pgstatfuncs.c
@@ -302,7 +302,7 @@ pg_stat_get_progress_info(PG_FUNCTION_ARGS)
 Datum
 pg_stat_get_activity(PG_FUNCTION_ARGS)
 {
-#define PG_STAT_GET_ACTIVITY_COLS 33
+#define PG_STAT_GET_ACTIVITY_COLS 31
 int num_backends = pgstat_fetch_stat_numbackends();
 int curr_backend;
 int pid = PG_ARGISNULL(0) ? -1 : PG_GETARG_INT32(0);
@@ -394,7 +394,7 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
 pfree(clipped_activity);
 /* leader_pid */
- nulls[31] = true;
+ nulls[29] = true;
 proc = BackendPidGetProc(beentry->st_procpid);
@@ -431,8 +431,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
 */
 if (leader && leader->pid != beentry->st_procpid)
 {
- values[31] = Int32GetDatum(leader->pid);
- nulls[31] = false;
+ values[29] = Int32GetDatum(leader->pid);
+ nulls[29] = false;
 }
 else if (beentry->st_backendType == B_BG_WORKER)
 {
@@ -440,8 +440,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
 if (leader_pid != InvalidPid)
 {
- values[31] = Int32GetDatum(leader_pid);
- nulls[31] = false;
+ values[29] = Int32GetDatum(leader_pid);
+ nulls[29] = false;
 }
 }
 }
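Review bot: The column positions in pg_stat_get_activity are bare literals, so `#define PG_STAT_GET_ACTIVITY_COLS 31` in the first pgstatfuncs.c hunk and the renumbered `nulls[29]`, `values[25]` to `values[28]` and `nulls[30]` in the five later hunks of that file are correct only while they match the order of the 31 OUT names in `proargnames` in pg_proc.dat, and no comment in the visible lines says so. Checked against the new `proargnames` list in this patch the positions agree (gss_auth at 25, leader_pid at 29, query_id at 30), but every column change needs the same hand renumbering. I would add a comment above the define, `/* must match the OUT arguments of pg_stat_get_activity in pg_proc.dat */`. The function body starts and ends outside these hunks, so the uses of the define are not visible here.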
@@ -586,45 +586,35 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
 values[24] = CStringGetTextDatum(beentry->st_sslstatus->ssl_issuer_dn);
 else
 nulls[24] = true;
-
- if (beentry->st_sslstatus->ssl_not_before != 0)
- values[25] = TimestampTzGetDatum(beentry->st_sslstatus->ssl_not_before);
- else
- nulls[25] = true;
-
- if (beentry->st_sslstatus->ssl_not_after != 0)
- values[26] = TimestampTzGetDatum(beentry->st_sslstatus->ssl_not_after);
- else
- nulls[26] = true;
 }
 else
 {
 values[18] = BoolGetDatum(false); /* ssl */
- nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = nulls[25] = nulls[26] = true;
+ nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = true;
 }
 /* GSSAPI information */
 if (beentry->st_gss)
 {
- values[27] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */
- values[28] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ);
- values[29] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */
- values[30] = BoolGetDatum(beentry->st_gssstatus->gss_delegation); /* GSS credentials
+ values[25] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */
+ values[26] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ);
+ values[27] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */
+ values[28] = BoolGetDatum(beentry->st_gssstatus->gss_delegation); /* GSS credentials
 * delegated */
 }
 else
 {
- values[27] = BoolGetDatum(false); /* gss_auth */
- nulls[28] = true; /* No GSS principal */
- values[29] = BoolGetDatum(false); /* GSS Encryption not in
+ values[25] = BoolGetDatum(false); /* gss_auth */
+ nulls[26] = true; /* No GSS principal */
+ values[27] = BoolGetDatum(false); /* GSS Encryption not in
 * use */
- values[30] = BoolGetDatum(false); /* GSS credentials not
+ values[28] = BoolGetDatum(false); /* GSS credentials not
 * delegated */
 }
 if (beentry->st_query_id == 0)
- nulls[32] = true;
+ nulls[30] = true;
 else
- values[32] =
UInt64GetDatum(beentry->st_query_id);
+ values[30] = UInt64GetDatum(beentry->st_query_id);
 }
 else
 {
@@ -654,8 +644,6 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
 nulls[28] = true;
 nulls[29] = true;
 nulls[30] = true;
- nulls[31] = true;
- nulls[32] = true;
 }
 tuplestore_putvalues(rsinfo->setResult, rsinfo->setDesc, values, nulls);
diff --git a/src/include/catalog/catversion.h b/src/include/catalog/catversion.h
index 0fc0d19468..f042d16832 100644
--- a/src/include/catalog/catversion.h
+++ b/src/include/catalog/catversion.h
@@ -57,6 +57,6 @@
 */
 /* yyyymmddN */
-#define CATALOG_VERSION_NO 202403223
+#define CATALOG_VERSION_NO 202403222
 #endif
diff --git a/src/include/catalog/pg_proc.dat b/src/include/catalog/pg_proc.dat
index ea45b300b8..71c74350a0 100644
--- a/src/include/catalog/pg_proc.dat
+++ b/src/include/catalog/pg_proc.dat
@@ -5440,9 +5440,9 @@
 proname => 'pg_stat_get_activity', prorows => '100', proisstrict => 'f', proretset => 't', provolatile => 's', proparallel => 'r', prorettype => 'record', proargtypes => 'int4',
- proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,text,numeric,text,timestamptz,timestamptz,bool,text,bool,bool,int4,int8}',
- proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}',
- proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,ssl_not_before,ssl_not_after,gss_auth,gss_princ,gss_enc,gss_delegation,leader_pid,query_id}',
+ proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,text,numeric,text,bool,text,bool,bool,int4,int8}',
+ proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}',
+ proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,gss_auth,gss_princ,gss_enc,gss_delegation,leader_pid,query_id}',
 prosrc => 'pg_stat_get_activity' },
 { oid => '8403', descr => 'describe wait events',
 proname => 'pg_get_wait_events', procost => '10', prorows => '250',
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 3414899ebf..4dce767751 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -294,8 +294,6 @@ extern const char *be_tls_get_cipher(Port *port);
 extern void be_tls_get_peer_subject_name(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peer_serial(Port *port, char *ptr, size_t len);
-extern void be_tls_get_peer_not_before(Port *port, TimestampTz *ptr);
-extern void be_tls_get_peer_not_after(Port *port, TimestampTz *ptr);
 /*
 * Get the server certificate hash for SCRAM channel binding type
diff --git a/src/include/utils/backend_status.h b/src/include/utils/backend_status.h
index d5bd4eceb6..7b7f6f59d0 100644
--- a/src/include/utils/backend_status.h
+++ b/src/include/utils/backend_status.h
@@ -61,9 +61,6 @@ typedef struct PgBackendSSLStatus
 char ssl_client_serial[NAMEDATALEN];
 char ssl_issuer_dn[NAMEDATALEN];
- /* Certificate validity in postgres epoch format */
- TimestampTz ssl_not_before;
- TimestampTz ssl_not_after;
 } PgBackendSSLStatus;
 /*
diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out
index 037e83b2ad..18829ea586 100644
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
@@ -1763,7 +1763,7 @@ pg_stat_activity| SELECT s.datid, s.query_id, s.query, s.backend_type - FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) + FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) LEFT JOIN pg_database d ON ((s.datid = d.oid))) LEFT JOIN pg_authid u ON ((s.usesysid = u.oid))); pg_stat_all_indexes| SELECT c.oid AS relid, 
@@ -1883,7 +1883,7 @@ pg_stat_gssapi| SELECT pid, gss_princ AS principal, gss_enc AS encrypted, gss_delegation AS credentials_delegated - FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) + FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) WHERE (client_port IS NOT NULL); pg_stat_io| SELECT backend_type, object, 
@@ -2086,7 +2086,7 @@ pg_stat_replication| SELECT s.pid, w.sync_priority, w.sync_state, w.reply_time - FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) + FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) JOIN pg_stat_get_wal_senders() w(pid, state, sent_lsn, write_lsn, flush_lsn, replay_lsn, write_lag, flush_lag, replay_lag, sync_priority, sync_state, reply_time) ON ((s.pid = w.pid))) LEFT JOIN pg_authid u ON ((s.usesysid = u.oid))); pg_stat_replication_slots| SELECT s.slot_name, 
@@ -2119,10 +2119,8 @@ pg_stat_ssl| SELECT pid, sslbits AS bits, ssl_client_dn AS client_dn, ssl_client_serial AS client_serial, - ssl_issuer_dn AS issuer_dn, - ssl_not_before AS not_before, - ssl_not_after AS not_after - FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) + ssl_issuer_dn AS issuer_dn + FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) WHERE (client_port IS NOT NULL); pg_stat_subscription| SELECT su.oid AS subid, su.subname,
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 90a4230413..94ff043c8e 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -538,8 +538,8 @@ command_like(
 "$common_connstr sslrootcert=invalid", '-c', "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" ],
- qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before,not_after\r?\n
- ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_,_null_,_null_\r?$}mx,
+ qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
+ ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_\r?$}mx,
 'pg_stat_ssl view without client certificate');
 # Test min/max SSL protocol versions.
@@ -740,10 +740,10 @@ command_like(
 "$common_connstr user=ssltestuser sslcert=ssl/client.crt " . sslkey('client.key'), '-c',
- "SELECT ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before AT TIME ZONE 'UTC' AS not_before,not_after AT TIME ZONE 'UTC' AS not_after FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
+ "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
 ],
- qr{^ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before,not_after\r?\n
- ^t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs,2023-06-29 01:01:01,2050-01-01 01:01:01\E\r?$}mx,
+ qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
+ ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
 'pg_stat_ssl with client certificate');
 # client key with wrong permissions
diff --git a/src/test/ssl/t/003_sslinfo.pl b/src/test/ssl/t/003_sslinfo.pl
index 4df3a941b5..2ae5724846 100644
--- a/src/test/ssl/t/003_sslinfo.pl
+++ b/src/test/ssl/t/003_sslinfo.pl
@@ -165,20 +165,6 @@ $result = $node->safe_psql(
 connstr => $common_connstr);
 is($result, 't', "ssl_issuer_field() for commonName");
-$result = $node->safe_psql(
- "certdb",
- "SELECT ssl_client_get_notbefore() = not_before, "
- . "not_before AT TIME ZONE 'UTC' = '2023-06-29 01:01:01' FROM pg_stat_ssl WHERE pid = pg_backend_pid();",
- connstr => $common_connstr);
-is($result, 't|t', "ssl_client_get_notbefore() for not_before timestamp");
-
-$result = $node->safe_psql(
- "certdb",
- "SELECT ssl_client_get_notafter() = not_after, "
- . "not_after AT TIME ZONE 'UTC' = '2050-01-01 01:01:01' FROM pg_stat_ssl WHERE pid = pg_backend_pid();",
- connstr => $common_connstr);
-is($result, 't|t', "ssl_client_get_notafter() for not_after timestamp");
-
 $result = $node->safe_psql(
 "certdb",
 "SELECT value, critical FROM ssl_extension_info() WHERE name = 'basicConstraints';",
diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list
index de54e9d869..e2a0525dd4 100644
--- a/src/tools/pgindent/typedefs.list
+++ b/src/tools/pgindent/typedefs.list
@@ -6,7 +6,6 @@ ASN1_INTEGER
 ASN1_OBJECT
 ASN1_OCTET_STRING
 ASN1_STRING
-ASN1_TIME
 AV
 A_ArrayExpr
 A_Const