From 253f1025da8c8d6e52f96f764658b76eb59290ad Mon Sep 17 00:00:00 2001
From: Bruce Momjian
Date: Mon, 5 Oct 2020 15:48:40 -0400
Subject: Overhaul pg_hba.conf clientcert's API

Since PG 12, clientcert no longer supported only on/off, so remove 1/0
as possible values, and instead support only the text strings
'verify-ca' and 'verify-full'.

Remove support for 'no-verify' since that is possible by just not
specifying clientcert.

Also, throw an error if 'verify-ca' is used and 'cert' authentication is
used, since cert authentication requires verify-full.

Also improve the docs.

THIS IS A BACKWARD INCOMPATIBLE API CHANGE.

Reported-by: Kyotaro Horiguchi

Discussion: https://postgr.es/m/20200716.093012.1627751694396009053.horikyota.ntt@gmail.com

Author: Kyotaro Horiguchi

Backpatch-through: master
---
 src/backend/libpq/hba.c | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

(limited to 'src')

diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 7b54ffc31ea..4c86fb60874 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1730,29 +1730,25 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 			*err_msg = "clientcert can only be configured for \"hostssl\" rows";
 			return false;
 		}
-		if (strcmp(val, "1") == 0
-			|| strcmp(val, "verify-ca") == 0)
-		{
-			hbaline->clientcert = clientCertCA;
-		}
-		else if (strcmp(val, "verify-full") == 0)
+
+		if (strcmp(val, "verify-full") == 0)
 		{
 			hbaline->clientcert = clientCertFull;
 		}
-		else if (strcmp(val, "0") == 0
-				 || strcmp(val, "no-verify") == 0)
+		else if (strcmp(val, "verify-ca") == 0)
 		{
 			if (hbaline->auth_method == uaCert)
 			{
 				ereport(elevel,
 						(errcode(ERRCODE_CONFIG_FILE_ERROR),
-						 errmsg("clientcert cannot be set to \"no-verify\" when using \"cert\" authentication"),
+						 errmsg("clientcert only accepts \"verify-full\" when using \"cert\" authentication"),
 						 errcontext("line %d of configuration file \"%s\"",
 									line_num, HbaFileName)));
-				*err_msg = "clientcert cannot be set to \"no-verify\" when using \"cert\" authentication";
+				*err_msg = "clientcert can only be set to \"verify-full\" when using \"cert\" authentication";
 				return false;
 			}
-			hbaline->clientcert = clientCertOff;
+
+			hbaline->clientcert = clientCertCA;
 		}
 		else
 		{
-- 
cgit v1.2.3