From b49398cf84fe4f4c6e013aa4bd8786acb285f41e Mon Sep 17 00:00:00 2001
From: Matheus Alcantara
Date: Fri, 15 May 2026 12:38:48 -0300
Subject: [PATCH v2 3/3] dblink: Reject use_scram_passthrough option on foreign data wrapper
The use_scram_passthrough option only makes sense for foreign server and user mapping contexts, as it controls authentication behavior for specific connections. Previously, this option was incorrectly accepted when set via ALTER FOREIGN DATA WRAPPER OPTIONS, even though it had no effect at that level. Restrict the option validation to only accept use_scram_passthrough when the context is ForeignServerRelationId or UserMappingRelationId.
Discussion: https://www.postgresql.org/message-id/CAHGQGwEJ8rZjmbOvCicyr4vbuLio082bNTde0WNoSWaWr9wVcg%40mail.gmail.com
---
 contrib/dblink/dblink.c | 8 ++++++--
 contrib/dblink/t/001_auth_scram.pl | 16 ++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/contrib/dblink/dblink.c b/contrib/dblink/dblink.c
index bb6fcae4974..451c3208afe 100644
--- a/contrib/dblink/dblink.c
+++ b/contrib/dblink/dblink.c
@@ -3115,8 +3115,12 @@ static bool
 is_valid_dblink_fdw_option(const PQconninfoOption *options, const char *option, Oid context)
 {
- if (strcmp(option, "use_scram_passthrough") == 0)
- return true;
+ /* These options are only valid for foreign server or user mapping contexts */
+ if (context == ForeignServerRelationId || context == UserMappingRelationId)
+ {
+ if (strcmp(option, "use_scram_passthrough") == 0)
+ return true;
+ }
 return is_valid_dblink_option(options, option, context);
 }
diff --git a/contrib/dblink/t/001_auth_scram.pl b/contrib/dblink/t/001_auth_scram.pl
index b087b38e5a5..c4ecdac19f2 100644
--- a/contrib/dblink/t/001_auth_scram.pl
+++ b/contrib/dblink/t/001_auth_scram.pl
@@ -18,6 +18,7 @@ if (!$use_unix_sockets)
 }
 my $user = "user01";
+my $admin = "admin";
 my $db0 = "db0"; # For node1
 my $db1 = "db1"; # For node1
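Review bot: In is_valid_dblink_fdw_option (contrib/dblink/dblink.c) the added comment says "These options" although a single name is tested, and it does not say why the wrapper level is refused. Going by the commit message, the option is inert there, and because it decides how the outbound connection authenticates, an accepted-but-ignored setting can be mistaken for an active one; I would word the comment as `/* use_scram_passthrough has no effect on the wrapper itself, so accept it only for servers and user mappings */`. The guard only runs when the validator is called, so a wrapper that already carries the option is left as it is; whether such a definition can still be restored from a dump is not visible in this hunk and is worth confirming. The function's header comment lies outside the hunk.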
@@ -41,6 +42,7 @@ $node2->start;
 # Test setup
 $node1->safe_psql('postgres', qq'CREATE USER $user WITH password \'pass\'');
+$node1->safe_psql('postgres', qq'CREATE USER $admin WITH password \'pass\' SUPERUSER');
 $node2->safe_psql('postgres', qq'CREATE USER $user WITH password \'pass\'');
 $ENV{PGPASSWORD} = "pass";
@@ -89,6 +91,20 @@ $node2->restart;
 # End of test setup
+# Test that adding use_scram_passthrough option on an foreign data wrapper is invalid
+{
+ my $connstr = $node1->connstr($db0) . qq' user=$admin';
+
+ my ($ret, $stdout, $stderr ) = $node1->psql($db0,
+ 'ALTER FOREIGN DATA WRAPPER dblink_fdw OPTIONS (add use_scram_passthrough \'true\')',
+ connstr => $connstr);
+ is($ret, 3, 'ALTER FOREIGN DATA WRAPPER should not be allowed');
+ like(
+ $stderr,
+ qr\invalid option "use_scram_passthrough"\i,
+ 'expected ALTER FOREIGN DATA WRAPPER to fail');
+}
+
 test_scram_keys_is_not_overwritten($node1, $db0, $fdw_invalid_server2);
 test_fdw_auth($node1, $db0, "t", $fdw_server,
--
2.53.0
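Review bot: The pattern in the added test block is written as `qr\invalid option "use_scram_passthrough"\i`, with a backslash as the regex delimiter (at least as rendered here), which is hard to read next to the backslash-escaped quotes used in the same file; `qr/invalid option "use_scram_passthrough"/` matches the same message, and the case-insensitive flag is not needed for a fixed server error string. `$stdout` is captured but never used, and the comment reads "an foreign data wrapper". The block exercises only the rejected case; a one-line comment such as `# the option stays valid on servers and user mappings, which the tests below rely on` would tell the reader where the accepted cases are covered, assuming the later tests do set it there (not visible in this hunk).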