Only superuser can set sslcert/sslkey in postgres_fdw user mappings

Othrwise there is a security risk.

Discussion: https://postgr.es/m/20200109103014.GA4192@msg.df7cb.de

contrib/postgres_fdw/expected/postgres_fdw.out

@@ -8898,6 +8898,15 @@ SELECT * FROM ft1_nopw LIMIT 1;
  1111 |  2 |    |    |    |    | ft1        | 
 (1 row)
 
+-- unpriv user also cannot set sslcert / sslkey on the user mapping
+-- first set password_required so we see the right error messages
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (SET password_required 'true');
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD sslcert 'foo.crt');
+ERROR:  sslcert and sslkey are superuser-only
+HINT:  User mappings with the sslcert or sslkey options set may only be created or modified by the superuser
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD sslkey 'foo.key');
+ERROR:  sslcert and sslkey are superuser-only
+HINT:  User mappings with the sslcert or sslkey options set may only be created or modified by the superuser
 -- We're done with the role named after a specific user and need to check the
 -- changes to the public mapping.
 DROP USER MAPPING FOR CURRENT_USER SERVER loopback_nopw;

contrib/postgres_fdw/option.c

@@ -159,6 +159,16 @@ postgres_fdw_validator(PG_FUNCTION_ARGS)
 						 errmsg("password_required=false is superuser-only"),
 						 errhint("User mappings with the password_required option set to false may only be created or modified by the superuser")));
 		}
+		else if (strcmp(def->defname, "sslcert") == 0 ||
+				 strcmp(def->defname, "sslkey") == 0)
+		{
+			/* similarly for sslcert / sslkey on user mapping */
+			if (catalog == UserMappingRelationId && !superuser())
+				ereport(ERROR,
+						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+						 errmsg("sslcert and sslkey are superuser-only"),
+						 errhint("User mappings with the sslcert or sslkey options set may only be created or modified by the superuser")));
+		}
 	}
 
 	PG_RETURN_VOID();

contrib/postgres_fdw/sql/postgres_fdw.sql

@@ -2567,6 +2567,7 @@ SELECT * FROM ft1_nopw LIMIT 1;
 -- Unpriv user cannot make the mapping passwordless
 ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD password_required 'false');
 
+
 SELECT * FROM ft1_nopw LIMIT 1;
 
 RESET ROLE;
@@ -2579,6 +2580,12 @@ SET ROLE regress_nosuper;
 -- Should finally work now
 SELECT * FROM ft1_nopw LIMIT 1;
 
+-- unpriv user also cannot set sslcert / sslkey on the user mapping
+-- first set password_required so we see the right error messages
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (SET password_required 'true');
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD sslcert 'foo.crt');
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD sslkey 'foo.key');
+
 -- We're done with the role named after a specific user and need to check the
 -- changes to the public mapping.
 DROP USER MAPPING FOR CURRENT_USER SERVER loopback_nopw;

doc/src/sgml/postgres-fdw.sgml

@@ -130,7 +130,7 @@
      </listitem>
      <listitem>
       <para>
-       <literal>sslkey</literal> and <literal>sslpassword</literal> - these may
+       <literal>sslkey</literal> and <literal>sslcert</literal> - these may
        appear in <emphasis>either or both</emphasis> a connection and a user
        mapping. If both are present, the user mapping setting overrides the
        connection setting.
@@ -139,6 +139,10 @@
     </itemizedlist>
    </para>
 
+   <para>
+    Only superusers may create or modify user mappings with the
+    <literal>sslcert</literal> or <literal>sslkey</literal> settings.
+   </para>
    <para>
     Only superusers may connect to foreign servers without password
     authentication, so always specify the <literal>password</literal> option