diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/interfaces/libpq/fe-auth.c | 2 | ||||
| -rw-r--r-- | src/interfaces/libpq/fe-connect.c | 4 | ||||
| -rw-r--r-- | src/interfaces/libpq/fe-secure-gssapi.c | 2 | ||||
| -rw-r--r-- | src/interfaces/libpq/libpq-int.h | 2 | ||||
| -rw-r--r-- | src/test/kerberos/t/001_auth.pl | 44 | ||||
| -rw-r--r-- | src/test/perl/PostgreSQL/Test/Utils.pm | 1 | ||||
| -rw-r--r-- | src/test/regress/pg_regress.c | 1 |
7 files changed, 29 insertions, 27 deletions
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c index de0e13e50d1..88fd0f3d802 100644 --- a/src/interfaces/libpq/fe-auth.c +++ b/src/interfaces/libpq/fe-auth.c @@ -97,7 +97,7 @@ pg_GSS_continue(PGconn *conn, int payloadlen) if (!pg_GSS_have_cred_cache(&conn->gcred)) conn->gcred = GSS_C_NO_CREDENTIAL; - if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0) + if (conn->gssdelegation && conn->gssdelegation[0] == '1') gss_flags |= GSS_C_DELEG_FLAG; maj_stat = gss_init_sec_context(&min_stat, diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c index 786d22a7706..a8584d2c684 100644 --- a/src/interfaces/libpq/fe-connect.c +++ b/src/interfaces/libpq/fe-connect.c @@ -343,8 +343,8 @@ static const internalPQconninfoOption PQconninfoOptions[] = { "GSS-library", "", 7, /* sizeof("gssapi") == 7 */ offsetof(struct pg_conn, gsslib)}, - {"gssdelegation", "PGGSSDELEGATION", NULL, NULL, - "GSS-delegation", "", 8, /* sizeof("disable") == 8 */ + {"gssdelegation", "PGGSSDELEGATION", "0", NULL, + "GSS-delegation", "", 1, offsetof(struct pg_conn, gssdelegation)}, {"replication", NULL, NULL, NULL, diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c index c77d5cfe9f5..7e373236e92 100644 --- a/src/interfaces/libpq/fe-secure-gssapi.c +++ b/src/interfaces/libpq/fe-secure-gssapi.c @@ -622,7 +622,7 @@ pqsecure_open_gss(PGconn *conn) if (ret != STATUS_OK) return PGRES_POLLING_FAILED; - if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0) + if (conn->gssdelegation && conn->gssdelegation[0] == '1') { /* Acquire credentials if possible */ if (conn->gcred == GSS_C_NO_CREDENTIAL) diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h index f1854f9919c..0045f83cbfd 100644 --- a/src/interfaces/libpq/libpq-int.h +++ b/src/interfaces/libpq/libpq-int.h @@ -404,7 +404,7 @@ struct pg_conn char *krbsrvname; /* Kerberos service name */ char *gsslib; /* What GSS library to use ("gssapi" or * "sspi") */ - char *gssdelegation; /* Try to delegate GSS credentials? */ + char *gssdelegation; /* Try to delegate GSS credentials? (0 or 1) */ char *ssl_min_protocol_version; /* minimum TLS protocol version */ char *ssl_max_protocol_version; /* maximum TLS protocol version */ char *target_session_attrs; /* desired session properties */ diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl index bff26fda0c9..0deb9bffc8d 100644 --- a/src/test/kerberos/t/001_auth.pl +++ b/src/test/kerberos/t/001_auth.pl @@ -381,7 +381,7 @@ test_access( 'test1', 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, - 'gssencmode=prefer gssdelegation=enable', + 'gssencmode=prefer gssdelegation=1', 'succeeds with GSS-encrypted access preferred with host hba and credentials not delegated even though asked for (ticket not forwardable)', "connection authenticated: identity=\"test1\@$realm\" method=gss", "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" @@ -391,7 +391,7 @@ test_access( 'test1', 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, - 'gssencmode=require gssdelegation=enable', + 'gssencmode=require gssdelegation=1', 'succeeds with GSS-encrypted access required with host hba and credentials not delegated even though asked for (ticket not forwardable)', "connection authenticated: identity=\"test1\@$realm\" method=gss", "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" @@ -480,7 +480,7 @@ test_access( 'test1', 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', 0, - 'gssencmode=prefer gssdelegation=enable', + 'gssencmode=prefer gssdelegation=1', 'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, default)', "connection authenticated: identity=\"test1\@$realm\" method=gss", "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" @@ -490,7 +490,7 @@ test_access( 'test1', 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', 0, - 'gssencmode=require gssdelegation=enable', + 'gssencmode=require gssdelegation=1', 'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, default)', "connection authenticated: identity=\"test1\@$realm\" method=gss", "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" @@ -504,7 +504,7 @@ test_access( 'test1', 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', 0, - 'gssencmode=prefer gssdelegation=enable', + 'gssencmode=prefer gssdelegation=1', 'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)', "connection authenticated: identity=\"test1\@$realm\" method=gss", "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" @@ -514,7 +514,7 @@ test_access( 'test1', 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', 0, - 'gssencmode=require gssdelegation=enable', + 'gssencmode=require gssdelegation=1', 'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)', "connection authenticated: identity=\"test1\@$realm\" method=gss", "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" @@ -528,7 +528,7 @@ test_access( 'test1', 'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', 0, - 'gssencmode=prefer gssdelegation=enable', + 'gssencmode=prefer gssdelegation=1', 'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials forwarded', "connection authenticated: identity=\"test1\@$realm\" method=gss", "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)" @@ -538,7 +538,7 @@ test_access( 'test1', 'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', 0, - 'gssencmode=require gssdelegation=enable', + 'gssencmode=require gssdelegation=1', 'succeeds with GSS-encrypted access required and hostgssenc hba and credentials forwarded', "connection authenticated: identity=\"test1\@$realm\" method=gss", "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)" @@ -558,7 +558,7 @@ test_access( 'test1', 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, - 'gssencmode=require gssdelegation=disable', + 'gssencmode=require gssdelegation=0', 'succeeds with GSS-encrypted access required and hostgssenc hba and credentials explicitly not forwarded', "connection authenticated: identity=\"test1\@$realm\" method=gss", "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" @@ -572,7 +572,7 @@ $psql_rc = $node->psql( 'postgres', "SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);", connstr => - "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable", + "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0", stdout => \$psql_out, stderr => \$psql_stderr); is($psql_rc, '3', 'dblink attempt fails without delegated credentials'); @@ -589,7 +589,7 @@ $psql_rc = $node->psql( 'postgres', "SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);", connstr => - "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable", + "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0", stdout => \$psql_out, stderr => \$psql_stderr); is($psql_rc, '3', @@ -608,7 +608,7 @@ $psql_rc = $node->psql( 'postgres', "TABLE tf1;", connstr => - "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable", + "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0", stdout => \$psql_out, stderr => \$psql_stderr); is($psql_rc, '3', 'postgres_fdw does not work without delegated credentials'); @@ -626,7 +626,7 @@ $psql_rc = $node->psql( 'postgres', "TABLE tf2;", connstr => - "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable", + "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0", stdout => \$psql_out, stderr => \$psql_stderr); is($psql_rc, '3', @@ -668,7 +668,7 @@ test_access( 'test1', 'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, - 'gssencmode=prefer gssdelegation=enable', + 'gssencmode=prefer gssdelegation=1', 'succeeds with GSS-encrypted access preferred and hostnogssenc hba, but no encryption', "connection authenticated: identity=\"test1\@$realm\" method=gss", "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)" @@ -680,7 +680,7 @@ test_access( 'test1', 'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, - 'gssencmode=disable gssdelegation=enable', + 'gssencmode=disable gssdelegation=1', 'succeeds with GSS encryption disabled and hostnogssenc hba', "connection authenticated: identity=\"test1\@$realm\" method=gss", "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)" @@ -691,7 +691,7 @@ test_query( 'test1', "SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);", qr/^1$/s, - 'gssencmode=prefer gssdelegation=enable', + 'gssencmode=prefer gssdelegation=1', 'dblink works not-encrypted (server not configured to accept encrypted GSSAPI connections)' ); @@ -700,7 +700,7 @@ test_query( 'test1', "TABLE tf1;", qr/^1$/s, - 'gssencmode=prefer gssdelegation=enable', + 'gssencmode=prefer gssdelegation=1', 'postgres_fdw works not-encrypted (server not configured to accept encrypted GSSAPI connections)' ); @@ -711,7 +711,7 @@ $psql_rc = $node->psql( 'postgres', "SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);", connstr => - "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable", + "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=1", stdout => \$psql_out, stderr => \$psql_stderr); is($psql_rc, '3', @@ -730,7 +730,7 @@ $psql_rc = $node->psql( 'postgres', "TABLE tf2;", connstr => - "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable", + "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=1", stdout => \$psql_out, stderr => \$psql_stderr); is($psql_rc, '3', @@ -760,7 +760,7 @@ test_access( 'test1', 'SELECT gss_authenticated AND encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, - 'gssdelegation=enable', + 'gssdelegation=1', 'succeeds with include_realm=0 and defaults', "connection authenticated: identity=\"test1\@$realm\" method=gss", "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)" @@ -771,12 +771,12 @@ test_query( 'test1', "SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port password=1234','select 1') as t1(c1 int);", qr/^1$/s, - 'gssencmode=require gssdelegation=enable', + 'gssencmode=require gssdelegation=1', 'dblink works encrypted'); test_query( $node, 'test1', "TABLE tf1;", qr/^1$/s, - 'gssencmode=require gssdelegation=enable', + 'gssencmode=require gssdelegation=1', 'postgres_fdw works encrypted'); # Reset pg_hba.conf, and cause a usermap failure with an authentication diff --git a/src/test/perl/PostgreSQL/Test/Utils.pm b/src/test/perl/PostgreSQL/Test/Utils.pm index 38cd7d830d8..a27fac83d26 100644 --- a/src/test/perl/PostgreSQL/Test/Utils.pm +++ b/src/test/perl/PostgreSQL/Test/Utils.pm @@ -113,6 +113,7 @@ BEGIN PGCONNECT_TIMEOUT PGDATA PGDATABASE + PGGSSDELEGATION PGGSSENCMODE PGGSSLIB PGHOSTADDR diff --git a/src/test/regress/pg_regress.c b/src/test/regress/pg_regress.c index abf633dc085..a546fc3d34d 100644 --- a/src/test/regress/pg_regress.c +++ b/src/test/regress/pg_regress.c @@ -798,6 +798,7 @@ initialize_environment(void) unsetenv("PGCONNECT_TIMEOUT"); unsetenv("PGDATA"); unsetenv("PGDATABASE"); + unsetenv("PGGSSDELEGATION"); unsetenv("PGGSSENCMODE"); unsetenv("PGGSSLIB"); /* PGHOSTADDR, see below */ |