From 8fc117f75c0b78ee9f3ad1c7707bd26f7ffe63e2 Mon Sep 17 00:00:00 2001
From: David Wheeler <hippysoyboy@gmail.com>
Date: Fri, 8 Dec 2023 13:38:46 +1100
Subject: [PATCH] Switch out pg_hba.conf for newer versions of postgres that
 use a different clientcert value

---
 driver/src/build/testing.gradle.kts           |  5 +-
 driver/src/test/docker/postgres-services.yml  | 26 ++++++
 .../resources/certdir/server/pg_hba.12+.conf  | 82 +++++++++++++++++++
 3 files changed, 112 insertions(+), 1 deletion(-)
 create mode 100644 driver/src/test/resources/certdir/server/pg_hba.12+.conf

diff --git a/driver/src/build/testing.gradle.kts b/driver/src/build/testing.gradle.kts
index 5445ff176..32e5d989b 100644
--- a/driver/src/build/testing.gradle.kts
+++ b/driver/src/build/testing.gradle.kts
@@ -48,10 +48,13 @@ if ((project.properties["noDocker"] ?: false) == false) {
   }
 
   val allowSSL = checkServerKeyPermissions()
-  val serviceName = if (allowSSL) "postgres" else "postgres-nossl"
 
   for ((index, pgVersion) in pgVersions.withIndex()) {
 
+    val serviceName = when {
+      allowSSL -> if (pgVersion.toFloat() >= 12.0) "postgres12plus" else "postgres"
+      else -> "postgres-nossl"
+    }
     val pgVersionSafe = pgVersion.replace('.', '_')
 
     val curTestTask =
diff --git a/driver/src/test/docker/postgres-services.yml b/driver/src/test/docker/postgres-services.yml
index 1ea417b8b..511b84ff4 100644
--- a/driver/src/test/docker/postgres-services.yml
+++ b/driver/src/test/docker/postgres-services.yml
@@ -26,6 +26,32 @@ services:
       --ssl_cert_file=/var/lib/postgresql/server.crt
       --ssl_key_file=/var/lib/postgresql/server.key
 
+  postgres12plus:
+    image: "postgres:${PG_VERSION}-alpine"
+    ports:
+      - "5432"
+    healthcheck:
+      test: psql -c 'SELECT 1' -U test -d test
+      interval: 1s
+      timeout: 3s
+      retries: 20
+    volumes:
+      - ../resources/certdir/server/pg_hba.12+.conf:/var/lib/postgresql/pg_hba.conf
+      - ../resources/certdir/server/root.crt:/var/lib/postgresql/root.crt
+      - ../resources/certdir/server/server.crt:/var/lib/postgresql/server.crt
+      - ../resources/certdir/server/server.key:/var/lib/postgresql/server.key:ro
+    environment:
+      POSTGRES_USER: test
+      POSTGRES_PASSWORD: test
+      POSTGRES_DB: test
+    command: >-
+      --hba_file=/var/lib/postgresql/pg_hba.conf
+      --max-prepared-transactions=10
+      --ssl=on
+      --ssl_ca_file=/var/lib/postgresql/root.crt
+      --ssl_cert_file=/var/lib/postgresql/server.crt
+      --ssl_key_file=/var/lib/postgresql/server.key
+
   postgres-nossl:
     image: "postgres:${PG_VERSION}-alpine"
     ports:
diff --git a/driver/src/test/resources/certdir/server/pg_hba.12+.conf b/driver/src/test/resources/certdir/server/pg_hba.12+.conf
new file mode 100644
index 000000000..59e32b282
--- /dev/null
+++ b/driver/src/test/resources/certdir/server/pg_hba.12+.conf
@@ -0,0 +1,82 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the
+# PostgreSQL documentation for a complete description
+# of this file.  A short synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access.  Records take one of these forms:
+#
+# local      DATABASE  USER  METHOD  [OPTIONS]
+# host       DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTIONS]
+# hostssl    DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTIONS]
+# hostnossl  DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTIONS]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain socket,
+# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an
+# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket.
+#
+# DATABASE can be "all", "sameuser", "samerole", a database name, or
+# a comma-separated list thereof.
+#
+# USER can be "all", a user name, a group name prefixed with "+", or
+# a comma-separated list thereof.  In both the DATABASE and USER fields
+# you can also write a file name prefixed with "@" to include names from
+# a separate file.
+#
+# CIDR-ADDRESS specifies the set of hosts the record matches.
+# It is made up of an IP address and a CIDR mask that is an integer
+# (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies
+# the number of significant bits in the mask.  Alternatively, you can write
+# an IP address and netmask in separate columns to specify the set of hosts.
+#
+# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi", "krb5",
+# "ident", "pam", "ldap" or "cert".  Note that "password" sends passwords
+# in clear text; "md5" is preferred since it sends encrypted passwords.
+#
+# OPTIONS are a set of options for the authentication in the format
+# NAME=VALUE. The available options depend on the different authentication
+# methods - refer to the "Client Authentication" section in the documentation
+# for a list of which options are available for which authentication methods.
+#
+# Database and user names containing spaces, commas, quotes and other special
+# characters must be quoted. Quoting one of the keywords "all", "sameuser" or
+# "samerole" makes the name lose its special character, and just match a
+# database or username with that name.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal.  If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect.  You can use
+# "pg_ctl reload" to do that.
+
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records. In that case you will also need to make PostgreSQL listen
+# on a non-local interface via the listen_addresses configuration parameter,
+# or via the -i or -h command line switches.
+#
+
+# CAUTION: Configuring the system for local "trust" authentication allows
+# any local user to connect as any PostgreSQL user, including the database
+# superuser. If you do not trust all your local users, use another
+# authentication method.
+
+
+# TYPE    DATABASE      USER        CIDR-ADDRESS          METHOD
+
+# "local" is for Unix domain socket connections only
+local     all           all                               trust
+# IPv4 local connections:
+host      hostdb        all         0.0.0.0/0             md5
+hostnossl hostnossldb   all         0.0.0.0/0             md5
+hostssl   hostssldb     all         0.0.0.0/0             md5
+hostssl   hostsslcertdb all         0.0.0.0/0             md5    clientcert=verify-ca
+hostssl   certdb        all         0.0.0.0/0             cert
+host      test          all         0.0.0.0/0             md5
+host      testnoexts    all         0.0.0.0/0             md5