diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out
index 0912d6cd5e..84fd3ad2e0 100644
--- a/contrib/postgres_fdw/expected/postgres_fdw.out
+++ b/contrib/postgres_fdw/expected/postgres_fdw.out
@@ -8898,6 +8898,15 @@ SELECT * FROM ft1_nopw LIMIT 1;
 1111 | 2 | | | | | ft1 |
 (1 row)
 
+-- unpriv user also cannot set sslcert / sslkey on the user mapping
+-- first set password_required so we see the right error messages
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (SET password_required 'true');
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD sslcert 'foo.crt');
+ERROR: sslcert and sslkey are superuser-only
+HINT: User mappings with the sslcert or sslkey options set may only be created or modified by the superuser
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD sslkey 'foo.key');
+ERROR: sslcert and sslkey are superuser-only
+HINT: User mappings with the sslcert or sslkey options set may only be created or modified by the superuser
 -- We're done with the role named after a specific user and need to check the
 -- changes to the public mapping.
 DROP USER MAPPING FOR CURRENT_USER SERVER loopback_nopw;
diff --git a/contrib/postgres_fdw/option.c b/contrib/postgres_fdw/option.c
index 4a26056db0..c442af5bb9 100644
--- a/contrib/postgres_fdw/option.c
+++ b/contrib/postgres_fdw/option.c
@@ -159,6 +159,16 @@ postgres_fdw_validator(PG_FUNCTION_ARGS)
 errmsg("password_required=false is superuser-only"),
 errhint("User mappings with the password_required option set to false may only be created or modified by the superuser")));
 }
+ else if (strcmp(def->defname, "sslcert") == 0 ||
+ strcmp(def->defname, "sslkey") == 0)
+ {
+ /* similarly for sslcert / sslkey on user mapping */
+ if (catalog == UserMappingRelationId && !superuser())
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("sslcert and sslkey are superuser-only"),
+ errhint("User mappings with the sslcert or sslkey options set may only be created or modified by the superuser")));
+ }
 }
 
 PG_RETURN_VOID();
diff --git a/contrib/postgres_fdw/sql/postgres_fdw.sql b/contrib/postgres_fdw/sql/postgres_fdw.sql
index f2a4089e9d..acd7275c72 100644
--- a/contrib/postgres_fdw/sql/postgres_fdw.sql
+++ b/contrib/postgres_fdw/sql/postgres_fdw.sql
@@ -2567,6 +2567,7 @@ SELECT * FROM ft1_nopw LIMIT 1; -- Unpriv user cannot make the mapping passwordless ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD password_required 'false'); + SELECT * FROM ft1_nopw LIMIT 1; RESET ROLE;
@@ -2579,6 +2580,12 @@ SET ROLE regress_nosuper;
 -- Should finally work now
 SELECT * FROM ft1_nopw LIMIT 1;
 
+-- unpriv user also cannot set sslcert / sslkey on the user mapping
+-- first set password_required so we see the right error messages
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (SET password_required 'true');
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD sslcert 'foo.crt');
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD sslkey 'foo.key');
+
 -- We're done with the role named after a specific user and need to check the
 -- changes to the public mapping.
 DROP USER MAPPING FOR CURRENT_USER SERVER loopback_nopw;
diff --git a/doc/src/sgml/postgres-fdw.sgml b/doc/src/sgml/postgres-fdw.sgml
index 812e62cb36..94992be427 100644
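Review bot: The new `sslcert`/`sslkey` branch in postgres_fdw_validator rejects these options only when a user mapping is created or altered, so a mapping that already carries them (for instance one defined by a non-superuser before this change) is not caught by anything in this hunk. Both options name files that the backend opens on the server, so it is worth confirming that connection setup, which is outside this diff, also refuses such mappings for non-superuser owners, or documenting that existing mappings must be audited. The comment could state the reason instead of `similarly`, e.g. `/* sslcert/sslkey name server-side files opened by the backend, so only a superuser may set them on a user mapping */`. The function starts and ends outside the hunk.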
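Review bot: The cases added in the `@@ -2579,6 +2580,12 @@` hunk exercise only `ALTER USER MAPPING ... OPTIONS (ADD ...)` as the unprivileged role; the same validator branch also guards `CREATE USER MAPPING`, and nothing here shows that a superuser can still set `sslcert` or `sslkey`. A CREATE case run as regress_nosuper and a positive superuser case would pin both sides of the check. The expected output in postgres_fdw.out would need the matching additions.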
--- a/doc/src/sgml/postgres-fdw.sgml
+++ b/doc/src/sgml/postgres-fdw.sgml
@@ -130,7 +130,7 @@ - sslkey and sslpassword - these may + sslkey and sslcert - these may appear in either or both a connection and a user mapping. If both are present, the user mapping setting overrides the connection setting.
@@ -139,6 +139,10 @@ + + Only superusers may create or modify user mappings with the + sslcert or sslkey settings. + Only superusers may connect to foreign servers without password authentication, so always specify the password option