Fix pg_hba_file_rules for authentication method cert

mhagander · mhagander · commit 2dbb7b9b2279 · 2022-01-26T09:58:59.000+01:00
For authentication method cert, clientcert=verify-full is implied. But
the pg_hba_file_rules entry would incorrectly show clientcert=verify-ca.

Per bug #17354

Reported-By: Feike Steenbergen
Reviewed-By: Jonathan Katz
Backpatch-through: 12
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
@@ -1684,7 +1684,11 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
 	 */
 	if (parsedline->auth_method == uaCert)
 	{
-		parsedline->clientcert = clientCertCA;
+		/*
+		 * For auth method cert, client certificate validation is mandatory, and it implies
+		 * the level of verify-full.
+		 */
+		parsedline->clientcert = clientCertFull;
 	}
 
 	return parsedline;

Original file line number	Diff line number	Diff line change
`@@ -1684,7 +1684,11 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)`
`1684`	`1684`	`*/`
`1685`	`1685`	`if (parsedline->auth_method == uaCert)`
`1686`	`1686`	`{`
`1687`		`- parsedline->clientcert = clientCertCA;`
	`1687`	`+ /*`
	`1688`	`+ * For auth method cert, client certificate validation is mandatory, and it implies`
	`1689`	`+ * the level of verify-full.`
	`1690`	`+ */`
	`1691`	`+ parsedline->clientcert = clientCertFull;`
`1688`	`1692`	`}`
`1689`	`1693`
`1690`	`1694`	`return parsedline;`