Fix pg_hba_file_rules for authentication method cert
author Magnus Hagander <magnus@hagander.net>
Wed, 26 Jan 2022 08:52:41 +0000 (09:52 +0100)
committer Magnus Hagander <magnus@hagander.net>
Wed, 26 Jan 2022 08:58:59 +0000 (09:58 +0100)
For authentication method cert, clientcert=verify-full is implied. But
the pg_hba_file_rules entry would incorrectly show clientcert=verify-ca.

Per bug #17354

Reported-By: Feike Steenbergen
Reviewed-By: Jonathan Katz
Backpatch-through: 12

src/backend/libpq/hba.c

index ff57ffa61c11c56fe59d7ff5269b461ffbea9269..a7f3def184e91072f9d86a7b211239bfb57a8c6f 100644 (file)
@@ -1684,7 +1684,11 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
         */
        if (parsedline->auth_method == uaCert)
        {
-               parsedline->clientcert = clientCertCA;
+               /*
+                * For auth method cert, client certificate validation is mandatory, and it implies
+                * the level of verify-full.
+                */
+               parsedline->clientcert = clientCertFull;
        }
 
        return parsedline;
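Review bot: the first line of the new comment inside the `if (parsedline->auth_method == uaCert)` block runs well past 80 columns, which pgindent-style code in this file otherwise keeps to; wrap it, e.g. `* For auth method cert, client certificate validation is mandatory,` / `* and it implies the level of verify-full.` Since the commit message frames this as a reporting fix for pg_hba_file_rules but the hunk changes the stored `parsedline->clientcert` value itself, the comment should also say explicitly that for method cert the enforced verification is already at the verify-full level and this assignment only records that level correctly, so a reader does not take the switch from `clientCertCA` to `clientCertFull` as a behaviour change. Finally, the patch touches only hba.c; a regression check that a `cert` line shows `clientcert=verify-full` in pg_hba_file_rules would keep this from silently regressing again.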