Document PG_TEST_EXTRA=libpq_encryption and also check 'kerberos'

In the libpq encryption negotiation tests, don't run the GSSAPI tests unless PG_TEST_EXTRA='kerberos' is also set. That makes it possible to still run most of the tests when GSSAPI support is compiled in, but there's no MIT Kerberos installation.
2025-05-24 00:03:23 -04:00 · 2024-04-12 19:52:39 +03:00 · 2024-04-12 19:52:39 +03:00 · 4cc1c76fe9
commit 4cc1c76fe9
parent 65dfe9d167
2 changed files with 23 additions and 5 deletions
--- a/doc/src/sgml/regress.sgml
+++ b/doc/src/sgml/regress.sgml
@ -259,7 +259,7 @@ make check-world -j8 >/dev/null
   variable <varname>PG_TEST_EXTRA</varname> to a whitespace-separated list,
   for example:
 <programlisting>
-make check-world PG_TEST_EXTRA='kerberos ldap ssl load_balance'
+make check-world PG_TEST_EXTRA='kerberos ldap ssl load_balance libpq_encryption'
 </programlisting>
   The following values are currently supported:
   <variablelist>
@ -304,6 +304,18 @@ make check-world PG_TEST_EXTRA='kerberos ldap ssl load_balance'
     </listitem>
    </varlistentry>

+    <varlistentry>
+     <term><literal>libpq_encryption</literal></term>
+     <listitem>
+      <para>
+       Runs the test <filename>src/interfaces/libpq/t/005_negotiate_encryption.pl</filename>.
+       This opens TCP/IP listen sockets. If <varname>PG_TEST_EXTRA</varname>
+       also includes <literal>kerberos</literal>, additional tests that require
+       an MIT Kerberos installation are enabled.
+      </para>
+     </listitem>
+    </varlistentry>
+
    <varlistentry>
     <term><literal>wal_consistency_checking</literal></term>
     <listitem>
--- a/src/interfaces/libpq/t/005_negotiate_encryption.pl
+++ b/src/interfaces/libpq/t/005_negotiate_encryption.pl
@ -83,8 +83,11 @@ if (!$ENV{PG_TEST_EXTRA} || $ENV{PG_TEST_EXTRA} !~ /\blibpq_encryption\b/)
 	  'Potentially unsafe test libpq_encryption not enabled in PG_TEST_EXTRA';
 }

-my $ssl_supported = $ENV{with_ssl} eq 'openssl';
+# Only run the GSSAPI tests when compiled with GSSAPI support and
+# PG_TEST_EXTRA includes 'kerberos'
 my $gss_supported = $ENV{with_gssapi} eq 'yes';
+my $kerberos_enabled = $ENV{PG_TEST_EXTRA} && $ENV{PG_TEST_EXTRA} =~ /\bkerberos\b/;
+my $ssl_supported = $ENV{with_ssl} eq 'openssl';

 ###
 ### Prepare test server for GSSAPI and SSL authentication, with a few
@ -118,7 +121,7 @@ my $gssuser_password = 'secret1';

 my $krb;

-if ($gss_supported != 0)
+if ($gss_supported != 0 && $kerberos_enabled != 0)
 {
 	note "setting up Kerberos";

@ -197,7 +200,7 @@ hostssl       postgres        ssluser         $servercidr             trust

 print $hba qq{
 hostgssenc    postgres        gssuser         $servercidr             trust
-} if ($gss_supported != 0);
+} if ($gss_supported != 0 && $kerberos_enabled != 0);
 close $hba;
 $node->reload;

@ -331,6 +334,7 @@ nossluser   .            disable      *              connect, authok
 SKIP:
 {
 	skip "GSSAPI/Kerberos not supported by this build" if $gss_supported == 0;
+	skip "kerberos not enabled in PG_TEST_EXTRA" if $kerberos_enabled == 0;

 	$krb->create_principal('gssuser', $gssuser_password);
 	$krb->create_ticket('gssuser', $gssuser_password);
@ -413,7 +417,9 @@ nogssuser   disable      disable      *              connect, authok
 ###
 SKIP:
 {
-	skip "GSSAPI/Kerberos or SSL not supported by this build" unless ($ssl_supported && $gss_supported);
+	skip "SSL not supported by this build" if $ssl_supported == 0;
+	skip "GSSAPI/Kerberos not supported by this build" if $gss_supported == 0;
+	skip "kerberos not enabled in PG_TEST_EXTRA" if $kerberos_enabled == 0;

 	# Sanity check that GSSAPI is still enabled from previous test.
 	connect_test($node, 'user=testuser gssencmode=prefer sslmode=prefer', 'connect, gssaccept, authok -> gss');