fix: change default gssencmode to disable in built libpq

Fix #1136

diff --git a/docs/news.rst b/docs/news.rst
index 322a8766fcfb2f673bc914eb00e88cfe1318d18a..ebb6919e5f3e59e596be705c39933de6a2866300 100644 (file)
--- a/docs/news.rst
+++ b/docs/news.rst
@@ -30,6 +30,15 @@ Psycopg 3.3.0 (unreleased)
 
 .. rubric:: Other changes
 
+- Disable default GSSAPI preferential connection in the binary package
+  (:ticket:`#1136`).
+
+  .. warning::
+
+    Please explicitly set the gssencmode_ connection parameter or the
+    :envvar:`PGGSSENCMODE` environment variable to interact reliably with the
+    GSSAPI.
+
 - Drop support for Python 3.8 (:ticket:`#976`) and 3.9 (:ticket:`#1056`).
 
 
@@ -72,10 +81,12 @@ Psycopg 3.2.10 (unreleased)
 
     In a future Psycopg version the default in the binary package will be
     changed to ``disable``. If you need to interact with the GSSAPI reliably
-    you should explicitly set the ``gssencmode`` parameter in the connection
+    you should explicitly set the gssencmode_ parameter in the connection
     string or the :envvar:`PGGSSENCMODE` environment variable to ``prefer`` or
     ``require``.
 
+.. _gssencmode: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-GSSENCMODE
+
 
 Current release
 ---------------

diff --git a/tests/pq/test_pq.py b/tests/pq/test_pq.py
index 9a2b47334cbee0f16df465661b19d7083b790653..dfaba9822b7c7f1973edac8166e4a3b89ddce3d6 100644 (file)
--- a/tests/pq/test_pq.py
+++ b/tests/pq/test_pq.py
@@ -1,4 +1,5 @@
 import os
+import sys
 
 import pytest
 
@@ -18,6 +19,13 @@ def test_build_version():
     assert pq.__build_version__ and pq.__build_version__ >= 70400
 
 
+@pytest.mark.skipif('pq.__impl__ != "binary"')
+@pytest.mark.skipif(sys.platform == "win32", reason="libpq currently not built by us")
+def test_gssencmode_default():
+    d = [d for d in pq.Conninfo.get_defaults() if d.keyword == b"gssencmode"][0]
+    assert (d.compiled or b"").decode() == "disable"
+
+
 @pytest.mark.skipif("not os.environ.get('PSYCOPG_TEST_WANT_LIBPQ_BUILD')")
 def test_want_built_version():
     want = os.environ["PSYCOPG_TEST_WANT_LIBPQ_BUILD"]

diff --git a/tools/ci/build_libpq.sh b/tools/ci/build_libpq.sh
index 4d05bd503d2c789116803bbe9d20d8b4712a13fe..b6c60caae8d0f94047d6ff47241efab7992fbf4c 100755 (executable)
--- a/tools/ci/build_libpq.sh
+++ b/tools/ci/build_libpq.sh
@@ -233,6 +233,24 @@ if [ ! -d "${postgres_dir}" ]; then
 
     pushd "${postgres_dir}"
 
+    # Change the gssencmode default to 'disable' to avoid various troubles
+    # related to unwanted GSSAPI interaction. See #1136.
+    patch -f -p1 <<HERE
+diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
+index 454d2ea3fb7..52c64ba3292 100644
+--- a/src/interfaces/libpq/fe-connect.c
++++ b/src/interfaces/libpq/fe-connect.c
+@@ -132,7 +132,7 @@ static int ldapServiceLookup(const char *purl, PQconninfoOption *options,
+ #define DefaultSSLNegotiation "postgres"
+ #ifdef ENABLE_GSS
+ #include "fe-gssapi-common.h"
+-#define DefaultGSSMode "prefer"
++#define DefaultGSSMode "disable"
+ #else
+ #define DefaultGSSMode "disable"
+ #endif
+HERE
+
     if [ "$ID" != "macos" ]; then
         # Match the default unix socket dir default with what defined on Ubuntu and
         # Red Hat, which seems the most common location