Overhaul pg_hba.conf clientcert's API

bmomjian · bmomjian · commit 253f1025da8c · 2020-10-05T15:48:50.000-04:00
Since PG 12, clientcert no longer supported only on/off, so remove 1/0 as possible values, and instead support only the text strings 'verify-ca' and 'verify-full'. Remove support for 'no-verify' since that is possible by just not specifying clientcert. Also, throw an error if 'verify-ca' is used and 'cert' authentication is used, since cert authentication requires verify-full. Also improve the docs. THIS IS A BACKWARD INCOMPATIBLE API CHANGE. Reported-by: Kyotaro Horiguchi Discussion: https://postgr.es/m/20200716.093012.1627751694396009053.horikyota.ntt@gmail.com Author: Kyotaro Horiguchi Backpatch-through: master
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
@@ -2044,13 +2044,10 @@ host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""
    </para>
 
    <para>
-    In a <filename>pg_hba.conf</filename> record specifying certificate
-    authentication, the authentication option <literal>clientcert</literal> is
-    assumed to be <literal>verify-ca</literal> or <literal>verify-full</literal>,
-    and it cannot be turned off since a client certificate is necessary for this
-    method. What the <literal>cert</literal> method adds to the basic
-    <literal>clientcert</literal> certificate validity test is a check that the
-    <literal>cn</literal> attribute matches the database user name.
+    It is redundant to use the <literal>clientcert</literal> option with
+    <literal>cert</literal> authentication because <literal>cert</literal>
+    authentication is effectively <literal>trust</literal> authentication
+    with <literal>clientcert=verify-full</literal>.
    </para>
   </sect1>
 
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
@@ -2345,9 +2345,8 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
    The <literal>clientcert</literal> authentication option is available for
    all authentication methods, but only in <filename>pg_hba.conf</filename> lines
    specified as <literal>hostssl</literal>.  When <literal>clientcert</literal> is
-   not specified or is set to <literal>no-verify</literal>, the server will still
-   verify any presented client certificates against its CA file, if one is
-   configured &mdash; but it will not insist that a client certificate be presented.
+   not specified, the server verifies the client certificate against its CA
+   file only if a client certificate is presented and the CA is configured.
   </para>
 
   <para>
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
@@ -1730,29 +1730,25 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 			*err_msg = "clientcert can only be configured for \"hostssl\" rows";
 			return false;
 		}
-		if (strcmp(val, "1") == 0
-			|| strcmp(val, "verify-ca") == 0)
-		{
-			hbaline->clientcert = clientCertCA;
-		}
-		else if (strcmp(val, "verify-full") == 0)
+
+		if (strcmp(val, "verify-full") == 0)
 		{
 			hbaline->clientcert = clientCertFull;
 		}
-		else if (strcmp(val, "0") == 0
-				 || strcmp(val, "no-verify") == 0)
+		else if (strcmp(val, "verify-ca") == 0)
 		{
 			if (hbaline->auth_method == uaCert)
 			{
 				ereport(elevel,
 						(errcode(ERRCODE_CONFIG_FILE_ERROR),
-						 errmsg("clientcert cannot be set to \"no-verify\" when using \"cert\" authentication"),
+						 errmsg("clientcert only accepts \"verify-full\" when using \"cert\" authentication"),
 						 errcontext("line %d of configuration file \"%s\"",
 									line_num, HbaFileName)));
-				*err_msg = "clientcert cannot be set to \"no-verify\" when using \"cert\" authentication";
+				*err_msg = "clientcert can only be set to \"verify-full\" when using \"cert\" authentication";
 				return false;
 			}
-			hbaline->clientcert = clientCertOff;
+
+			hbaline->clientcert = clientCertCA;
 		}
 		else
 		{

Original file line number	Diff line number	Diff line change
`@@ -1730,29 +1730,25 @@ parse_hba_auth_opt(char name, char val, HbaLine *hbaline,`
`1730`	`1730`	`*err_msg = "clientcert can only be configured for \"hostssl\" rows";`
`1731`	`1731`	`return false;`
`1732`	`1732`	`}`
`1733`		`- if (strcmp(val, "1") == 0`
`1734`		`- \|\| strcmp(val, "verify-ca") == 0)`
`1735`		`- {`
`1736`		`- hbaline->clientcert = clientCertCA;`
`1737`		`- }`
`1738`		`- else if (strcmp(val, "verify-full") == 0)`
	`1733`	`+`
	`1734`	`+ if (strcmp(val, "verify-full") == 0)`
`1739`	`1735`	`{`
`1740`	`1736`	`hbaline->clientcert = clientCertFull;`
`1741`	`1737`	`}`
`1742`		`- else if (strcmp(val, "0") == 0`
`1743`		`- \|\| strcmp(val, "no-verify") == 0)`
	`1738`	`+ else if (strcmp(val, "verify-ca") == 0)`
`1744`	`1739`	`{`
`1745`	`1740`	`if (hbaline->auth_method == uaCert)`
`1746`	`1741`	`{`
`1747`	`1742`	`ereport(elevel,`
`1748`	`1743`	`(errcode(ERRCODE_CONFIG_FILE_ERROR),`
`1749`		`- errmsg("clientcert cannot be set to \"no-verify\" when using \"cert\" authentication"),`
	`1744`	`+ errmsg("clientcert only accepts \"verify-full\" when using \"cert\" authentication"),`
`1750`	`1745`	`errcontext("line %d of configuration file \"%s\"",`
`1751`	`1746`	`line_num, HbaFileName)));`
`1752`		`- *err_msg = "clientcert cannot be set to \"no-verify\" when using \"cert\" authentication";`
	`1747`	`+ *err_msg = "clientcert can only be set to \"verify-full\" when using \"cert\" authentication";`
`1753`	`1748`	`return false;`
`1754`	`1749`	`}`
`1755`		`- hbaline->clientcert = clientCertOff;`
	`1750`	`+`
	`1751`	`+ hbaline->clientcert = clientCertCA;`
`1756`	`1752`	`}`
`1757`	`1753`	`else`
`1758`	`1754`	`{`