Test "options=-crole=" and "ALTER DATABASE SET role".

Commit 7b88529 fixed a regression
spanning these features, but it didn't test them.  It did test code
paths sufficient for their present implementations, so no back-patch.

Reported by Matthew Woodcraft.

Discussion: https://postgr.es/m/87iksnsbhx.fsf@golux.woodcraft.me.uk

Author: nmisch

src/test/modules/unsafe_tests/Makefile

@@ -2,6 +2,8 @@
 
 REGRESS = rolenames setconfig alter_system_table guc_privs
 REGRESS_OPTS = \
+	--create-role=regress_authenticated_user_db_sr \
+	--create-role=regress_authenticated_user_db_ssa \
 	--create-role=regress_authenticated_user_sr \
 	--create-role=regress_authenticated_user_ssa
 

src/test/modules/unsafe_tests/expected/setconfig.out

@@ -1,24 +1,92 @@
 -- This is borderline unsafe in that an additional login-capable user exists
 -- during the test run.  Under installcheck, a too-permissive pg_hba.conf
 -- might allow unwanted logins as regress_authenticated_user_ssa.
+-- Setup catalog state.
+ALTER USER regress_authenticated_user_db_ssa superuser;
 ALTER USER regress_authenticated_user_ssa superuser;
 CREATE ROLE regress_session_user;
 CREATE ROLE regress_current_user;
+GRANT regress_current_user TO regress_authenticated_user_db_sr;
 GRANT regress_current_user TO regress_authenticated_user_sr;
+GRANT regress_session_user TO regress_authenticated_user_db_ssa;
 GRANT regress_session_user TO regress_authenticated_user_ssa;
+DO $$BEGIN EXECUTE format(
+	'ALTER DATABASE %I SET session_authorization = regress_session_user',
+	current_catalog); END$$;
 ALTER ROLE regress_authenticated_user_ssa
 	SET session_authorization = regress_session_user;
 ALTER ROLE regress_authenticated_user_sr SET ROLE = regress_current_user;
-\c - regress_authenticated_user_sr
+-- Test ALTER DATABASE consequences
+-- The longstanding historical behavior is that session_authorization in
+-- setconfig has no effect.  Hence, session_user remains
+-- regress_authenticated_user_ssa.  See comment in InitializeSessionUserId().
+\c - regress_authenticated_user_db_ssa
+SELECT current_user, session_user;
+           current_user            |           session_user            
+-----------------------------------+-----------------------------------
+ regress_authenticated_user_db_ssa | regress_authenticated_user_db_ssa
+(1 row)
+
+-- We document "The DEFAULT and RESET forms reset the session and current user
+-- identifiers to be the originally authenticated user name."  If we let
+-- session_authorization in setconfig have an effect, we'll need to decide
+-- whether to make RESET differ from DEFAULT.
+RESET SESSION AUTHORIZATION;
+SELECT current_user, session_user;
+           current_user            |           session_user            
+-----------------------------------+-----------------------------------
+ regress_authenticated_user_db_ssa | regress_authenticated_user_db_ssa
+(1 row)
+
+DO $$BEGIN
+	EXECUTE format(
+		'ALTER DATABASE %I RESET session_authorization', current_catalog);
+	EXECUTE format(
+		'ALTER DATABASE %I SET role = regress_current_user', current_catalog);
+END$$;
+\c - regress_authenticated_user_db_sr
+SELECT current_user, session_user;
+     current_user     |           session_user           
+----------------------+----------------------------------
+ regress_current_user | regress_authenticated_user_db_sr
+(1 row)
+
+-- Back to superuser, to reverse ALTER DATABASE
+\c - regress_authenticated_user_db_ssa
+SELECT current_user, session_user;
+     current_user     |           session_user            
+----------------------+-----------------------------------
+ regress_current_user | regress_authenticated_user_db_ssa
+(1 row)
+
+SET ROLE NONE;
+DO $$BEGIN EXECUTE format(
+	'ALTER DATABASE %I RESET role', current_catalog); END$$;
+-- Test connection string options
+\c -reuse-previous=on "user=regress_authenticated_user_db_sr options=-crole=regress_current_user"
+SELECT current_user, session_user;
+     current_user     |           session_user           
+----------------------+----------------------------------
+ regress_current_user | regress_authenticated_user_db_sr
+(1 row)
+
+-- As above, session_authorization has no effect.
+\c -reuse-previous=on "user=regress_authenticated_user_db_ssa options=-csession_authorization=regress_session_user"
+SELECT current_user, session_user;
+           current_user            |           session_user            
+-----------------------------------+-----------------------------------
+ regress_authenticated_user_db_ssa | regress_authenticated_user_db_ssa
+(1 row)
+
+-- Test ALTER ROLE consequences
+\c  -reuse-previous=on "user=regress_authenticated_user_sr options="
 SELECT current_user, session_user;
      current_user     |         session_user          
 ----------------------+-------------------------------
  regress_current_user | regress_authenticated_user_sr
 (1 row)
 
--- The longstanding historical behavior is that session_authorization in
--- setconfig has no effect.  Hence, session_user remains
--- regress_authenticated_user_ssa.  See comment in InitializeSessionUserId().
+-- As above, session_authorization has no effect.
 \c - regress_authenticated_user_ssa
 SELECT current_user, session_user;
           current_user          |          session_user          

src/test/modules/unsafe_tests/meson.build

@@ -11,7 +11,9 @@ tests += {
       'alter_system_table',
       'guc_privs',
     ],
-    'regress_args': ['--create-role=regress_authenticated_user_sr',
+    'regress_args': ['--create-role=regress_authenticated_user_db_sr',
+                     '--create-role=regress_authenticated_user_db_ssa',
+                     '--create-role=regress_authenticated_user_sr',
                      '--create-role=regress_authenticated_user_ssa'],
     'runningcheck': false,
   },

src/test/modules/unsafe_tests/sql/setconfig.sql

@@ -2,21 +2,70 @@
 -- during the test run.  Under installcheck, a too-permissive pg_hba.conf
 -- might allow unwanted logins as regress_authenticated_user_ssa.
 
+-- Setup catalog state.
+ALTER USER regress_authenticated_user_db_ssa superuser;
 ALTER USER regress_authenticated_user_ssa superuser;
 CREATE ROLE regress_session_user;
 CREATE ROLE regress_current_user;
+GRANT regress_current_user TO regress_authenticated_user_db_sr;
 GRANT regress_current_user TO regress_authenticated_user_sr;
+GRANT regress_session_user TO regress_authenticated_user_db_ssa;
 GRANT regress_session_user TO regress_authenticated_user_ssa;
+DO $$BEGIN EXECUTE format(
+	'ALTER DATABASE %I SET session_authorization = regress_session_user',
+	current_catalog); END$$;
 ALTER ROLE regress_authenticated_user_ssa
 	SET session_authorization = regress_session_user;
 ALTER ROLE regress_authenticated_user_sr SET ROLE = regress_current_user;
 
-\c - regress_authenticated_user_sr
-SELECT current_user, session_user;
+
+-- Test ALTER DATABASE consequences
 
 -- The longstanding historical behavior is that session_authorization in
 -- setconfig has no effect.  Hence, session_user remains
 -- regress_authenticated_user_ssa.  See comment in InitializeSessionUserId().
+\c - regress_authenticated_user_db_ssa
+SELECT current_user, session_user;
+-- We document "The DEFAULT and RESET forms reset the session and current user
+-- identifiers to be the originally authenticated user name."  If we let
+-- session_authorization in setconfig have an effect, we'll need to decide
+-- whether to make RESET differ from DEFAULT.
+RESET SESSION AUTHORIZATION;
+SELECT current_user, session_user;
+DO $$BEGIN
+	EXECUTE format(
+		'ALTER DATABASE %I RESET session_authorization', current_catalog);
+	EXECUTE format(
+		'ALTER DATABASE %I SET role = regress_current_user', current_catalog);
+END$$;
+
+\c - regress_authenticated_user_db_sr
+SELECT current_user, session_user;
+
+-- Back to superuser, to reverse ALTER DATABASE
+\c - regress_authenticated_user_db_ssa
+SELECT current_user, session_user;
+SET ROLE NONE;
+DO $$BEGIN EXECUTE format(
+	'ALTER DATABASE %I RESET role', current_catalog); END$$;
+
+
+-- Test connection string options
+
+\c -reuse-previous=on "user=regress_authenticated_user_db_sr options=-crole=regress_current_user"
+SELECT current_user, session_user;
+
+-- As above, session_authorization has no effect.
+\c -reuse-previous=on "user=regress_authenticated_user_db_ssa options=-csession_authorization=regress_session_user"
+SELECT current_user, session_user;
+
+
+-- Test ALTER ROLE consequences
+
+\c  -reuse-previous=on "user=regress_authenticated_user_sr options="
+SELECT current_user, session_user;
+
+-- As above, session_authorization has no effect.
 \c - regress_authenticated_user_ssa
 SELECT current_user, session_user;
 RESET SESSION AUTHORIZATION;