Spell the values of libpq's gssdelegation parameter as "0" and "1".

tglsfdc · tglsfdc · commit 1f9f6aa49198 · 2023-05-22T11:50:27.000-04:00
That's how other boolean options are handled, so do likewise. The previous coding with "enable" and "disable" was seemingly modeled on gssencmode, but that's a three-way flag. While at it, add PGGSSDELEGATION to the set of environment variables cleared by pg_regress and Utils.pm. Abhijit Menon-Sen, per gripe from Alvaro Herrera Discussion: https://postgr.es/m/20230522091609.nlyuu4nolhycqs2p@alvherre.pgsql
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
@@ -2059,9 +2059,9 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       <listitem>
        <para>
         Forward (delegate) GSS credentials to the server.  The default is
-        <literal>disable</literal> which means credentials will not be forwarded
-        to the server.  Set this to <literal>enable</literal> to have
-        credentials forwarded when possible.
+        <literal>0</literal> which means credentials will not be forwarded
+        to the server.  Set this to <literal>1</literal> to have credentials
+        forwarded when possible.
        </para>
       </listitem>
      </varlistentry>
diff --git a/doc/src/sgml/release-16.sgml b/doc/src/sgml/release-16.sgml
@@ -953,7 +953,8 @@ Add support for Kerberos credential delegation (Stephen Frost)
 </para>
 
 <para>
-This is enabled with server variable gss_accept_delegation.
+This is enabled with server variable gss_accept_delegation
+and libpq connection parameter gssdelegation.
 </para>
 </listitem>
 
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
@@ -97,7 +97,7 @@ pg_GSS_continue(PGconn *conn, int payloadlen)
 	if (!pg_GSS_have_cred_cache(&conn->gcred))
 		conn->gcred = GSS_C_NO_CREDENTIAL;
 
-	if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
+	if (conn->gssdelegation && conn->gssdelegation[0] == '1')
 		gss_flags |= GSS_C_DELEG_FLAG;
 
 	maj_stat = gss_init_sec_context(&min_stat,
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
@@ -343,8 +343,8 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"GSS-library", "", 7,	/* sizeof("gssapi") == 7 */
 	offsetof(struct pg_conn, gsslib)},
 
-	{"gssdelegation", "PGGSSDELEGATION", NULL, NULL,
-		"GSS-delegation", "", 8,	/* sizeof("disable") == 8 */
+	{"gssdelegation", "PGGSSDELEGATION", "0", NULL,
+		"GSS-delegation", "", 1,
 	offsetof(struct pg_conn, gssdelegation)},
 
 	{"replication", NULL, NULL, NULL,
diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c
@@ -622,7 +622,7 @@ pqsecure_open_gss(PGconn *conn)
 	if (ret != STATUS_OK)
 		return PGRES_POLLING_FAILED;
 
-	if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
+	if (conn->gssdelegation && conn->gssdelegation[0] == '1')
 	{
 		/* Acquire credentials if possible */
 		if (conn->gcred == GSS_C_NO_CREDENTIAL)
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
@@ -404,7 +404,7 @@ struct pg_conn
 	char	   *krbsrvname;		/* Kerberos service name */
 	char	   *gsslib;			/* What GSS library to use ("gssapi" or
 								 * "sspi") */
-	char	   *gssdelegation;	/* Try to delegate GSS credentials? */
+	char	   *gssdelegation;	/* Try to delegate GSS credentials? (0 or 1) */
 	char	   *ssl_min_protocol_version;	/* minimum TLS protocol version */
 	char	   *ssl_max_protocol_version;	/* maximum TLS protocol version */
 	char	   *target_session_attrs;	/* desired session properties */
diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl
@@ -381,7 +381,7 @@ sub test_query
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'succeeds with GSS-encrypted access preferred with host hba and credentials not delegated even though asked for (ticket not forwardable)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -391,7 +391,7 @@ sub test_query
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'succeeds with GSS-encrypted access required with host hba and credentials not delegated even though asked for (ticket not forwardable)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -480,7 +480,7 @@ sub test_query
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -490,7 +490,7 @@ sub test_query
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -504,7 +504,7 @@ sub test_query
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -514,7 +514,7 @@ sub test_query
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -528,7 +528,7 @@ sub test_query
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials forwarded',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
@@ -538,7 +538,7 @@ sub test_query
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'succeeds with GSS-encrypted access required and hostgssenc hba and credentials forwarded',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
@@ -558,7 +558,7 @@ sub test_query
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdelegation=disable',
+	'gssencmode=require gssdelegation=0',
 	'succeeds with GSS-encrypted access required and hostgssenc hba and credentials explicitly not forwarded',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -572,7 +572,7 @@ sub test_query
 	'postgres',
 	"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3', 'dblink attempt fails without delegated credentials');
@@ -589,7 +589,7 @@ sub test_query
 	'postgres',
 	"SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3',
@@ -608,7 +608,7 @@ sub test_query
 	'postgres',
 	"TABLE tf1;",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3', 'postgres_fdw does not work without delegated credentials');
@@ -626,7 +626,7 @@ sub test_query
 	'postgres',
 	"TABLE tf2;",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3',
@@ -668,7 +668,7 @@ sub test_query
 	'test1',
 	'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'succeeds with GSS-encrypted access preferred and hostnogssenc hba, but no encryption',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)"
@@ -680,7 +680,7 @@ sub test_query
 	'test1',
 	'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=disable gssdelegation=enable',
+	'gssencmode=disable gssdelegation=1',
 	'succeeds with GSS encryption disabled and hostnogssenc hba',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)"
@@ -691,7 +691,7 @@ sub test_query
 	'test1',
 	"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
 	qr/^1$/s,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'dblink works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
 );
 
@@ -700,7 +700,7 @@ sub test_query
 	'test1',
 	"TABLE tf1;",
 	qr/^1$/s,
-	'gssencmode=prefer gssdelegation=enable',
+	'gssencmode=prefer gssdelegation=1',
 	'postgres_fdw works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
 );
 
@@ -711,7 +711,7 @@ sub test_query
 	'postgres',
 	"SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=1",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3',
@@ -730,7 +730,7 @@ sub test_query
 	'postgres',
 	"TABLE tf2;",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=1",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3',
@@ -760,7 +760,7 @@ sub test_query
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssdelegation=enable',
+	'gssdelegation=1',
 	'succeeds with include_realm=0 and defaults',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
@@ -771,12 +771,12 @@ sub test_query
 	'test1',
 	"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port password=1234','select 1') as t1(c1 int);",
 	qr/^1$/s,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'dblink works encrypted');
 
 test_query(
 	$node, 'test1', "TABLE tf1;", qr/^1$/s,
-	'gssencmode=require gssdelegation=enable',
+	'gssencmode=require gssdelegation=1',
 	'postgres_fdw works encrypted');
 
 # Reset pg_hba.conf, and cause a usermap failure with an authentication
diff --git a/src/test/perl/PostgreSQL/Test/Utils.pm b/src/test/perl/PostgreSQL/Test/Utils.pm
@@ -113,6 +113,7 @@ BEGIN
 	  PGCONNECT_TIMEOUT
 	  PGDATA
 	  PGDATABASE
+	  PGGSSDELEGATION
 	  PGGSSENCMODE
 	  PGGSSLIB
 	  PGHOSTADDR
diff --git a/src/test/regress/pg_regress.c b/src/test/regress/pg_regress.c
@@ -798,6 +798,7 @@ initialize_environment(void)
 		unsetenv("PGCONNECT_TIMEOUT");
 		unsetenv("PGDATA");
 		unsetenv("PGDATABASE");
+		unsetenv("PGGSSDELEGATION");
 		unsetenv("PGGSSENCMODE");
 		unsetenv("PGGSSLIB");
 		/* PGHOSTADDR, see below */

Original file line number	Diff line number	Diff line change
`@@ -622,7 +622,7 @@ pqsecure_open_gss(PGconn *conn)`
`622`	`622`	`if (ret != STATUS_OK)`
`623`	`623`	`return PGRES_POLLING_FAILED;`
`624`	`624`
`625`		`- if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)`
	`625`	`+ if (conn->gssdelegation && conn->gssdelegation[0] == '1')`
`626`	`626`	`{`
`627`	`627`	`/* Acquire credentials if possible */`
`628`	`628`	`if (conn->gcred == GSS_C_NO_CREDENTIAL)`