Revert "Add support for Kerberos credential delegation"

This reverts commit 3d4fa227bce4294ce1cc214b4a9d3b7caa3f0454.

Per discussion and buildfarm, this depends on APIs that seem to not
be available on at least one platform (NetBSD).  Should be certainly
possible to rework to be optional on that platform if necessary but bit
late for that at this point.

Discussion: https://postgr.es/m/[email protected]

3 files changed, 2 insertions, 90 deletions

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 00ec9da284b..bc0cf26b122 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -165,7 +165,6 @@ static int	CheckCertAuth(Port *port);
  */
 char	   *pg_krb_server_keyfile;
 bool		pg_krb_caseins_users;
-bool		pg_gss_accept_deleg;
 
 
 /*----------------------------------------------------------------
@@ -919,7 +918,6 @@ pg_GSS_recvauth(Port *port)
 	int			mtype;
 	StringInfoData buf;
 	gss_buffer_desc gbuf;
-	gss_cred_id_t delegated_creds;
 
 	/*
 	 * Use the configured keytab, if there is one.  Unfortunately, Heimdal
@@ -949,9 +947,6 @@ pg_GSS_recvauth(Port *port)
 	 */
 	port->gss->ctx = GSS_C_NO_CONTEXT;
 
-	delegated_creds = GSS_C_NO_CREDENTIAL;
-	port->gss->delegated_creds = false;
-
 	/*
 	 * Loop through GSSAPI message exchange. This exchange can consist of
 	 * multiple messages sent in both directions. First message is always from
@@ -1002,7 +997,7 @@ pg_GSS_recvauth(Port *port)
 										  &port->gss->outbuf,
 										  &gflags,
 										  NULL,
-										  pg_gss_accept_deleg ? &delegated_creds : NULL);
+										  NULL);
 
 		/* gbuf no longer used */
 		pfree(buf.data);
@@ -1014,12 +1009,6 @@ pg_GSS_recvauth(Port *port)
 
 		CHECK_FOR_INTERRUPTS();
 
-		if (delegated_creds != GSS_C_NO_CREDENTIAL && gflags & GSS_C_DELEG_FLAG)
-		{
-			pg_store_delegated_credential(delegated_creds);
-			port->gss->delegated_creds = true;
-		}
-
 		if (port->gss->outbuf.length != 0)
 		{
 			/*
diff --git a/src/backend/libpq/be-gssapi-common.c b/src/backend/libpq/be-gssapi-common.c
index 64d41e52915..fb39c760d8c 100644
--- a/src/backend/libpq/be-gssapi-common.c
+++ b/src/backend/libpq/be-gssapi-common.c
@@ -92,56 +92,3 @@ pg_GSS_error(const char *errmsg,
 			(errmsg_internal("%s", errmsg),
 			 errdetail_internal("%s: %s", msg_major, msg_minor)));
 }
-
-/*
- * Store the credentials passed in into the memory cache for later usage.
- *
- * This allows credentials to be delegated to us for us to use to connect
- * to other systems with, using, e.g. postgres_fdw or dblink.
- */
-#define GSS_MEMORY_CACHE "MEMORY:"
-void
-pg_store_delegated_credential(gss_cred_id_t cred)
-{
-	OM_uint32	major,
-				minor;
-	gss_OID_set mech;
-	gss_cred_usage_t usage;
-	gss_key_value_element_desc cc;
-	gss_key_value_set_desc ccset;
-
-	cc.key = "ccache";
-	cc.value = GSS_MEMORY_CACHE;
-	ccset.count = 1;
-	ccset.elements = &cc;
-
-	/* Make the delegated credential only available to current process */
-	major = gss_store_cred_into(&minor,
-								cred,
-								GSS_C_INITIATE, /* credential only used for
-												 * starting libpq connection */
-								GSS_C_NULL_OID, /* store all */
-								true,	/* overwrite */
-								true,	/* make default */
-								&ccset,
-								&mech,
-								&usage);
-
-	if (major != GSS_S_COMPLETE)
-	{
-		pg_GSS_error("gss_store_cred", major, minor);
-	}
-
-	/* Credential stored, so we can release our credential handle. */
-	major = gss_release_cred(&minor, &cred);
-	if (major != GSS_S_COMPLETE)
-	{
-		pg_GSS_error("gss_release_cred", major, minor);
-	}
-
-	/*
-	 * Set KRB5CCNAME for this backend, so that later calls to
-	 * gss_acquire_cred will find the delegated credentials we stored.
-	 */
-	setenv("KRB5CCNAME", GSS_MEMORY_CACHE, 1);
-}
diff --git a/src/backend/libpq/be-secure-gssapi.c b/src/backend/libpq/be-secure-gssapi.c
index 73f8ce85549..3b55f431999 100644
--- a/src/backend/libpq/be-secure-gssapi.c
+++ b/src/backend/libpq/be-secure-gssapi.c
@@ -497,7 +497,6 @@ secure_open_gssapi(Port *port)
 	bool		complete_next = false;
 	OM_uint32	major,
 				minor;
-	gss_cred_id_t delegated_creds;
 
 	/*
 	 * Allocate subsidiary Port data for GSSAPI operations.
@@ -505,9 +504,6 @@ secure_open_gssapi(Port *port)
 	port->gss = (pg_gssinfo *)
 		MemoryContextAllocZero(TopMemoryContext, sizeof(pg_gssinfo));
 
-	delegated_creds = GSS_C_NO_CREDENTIAL;
-	port->gss->delegated_creds = false;
-
 	/*
 	 * Allocate buffers and initialize state variables.  By malloc'ing the
 	 * buffers at this point, we avoid wasting static data space in processes
@@ -592,8 +588,7 @@ secure_open_gssapi(Port *port)
 									   GSS_C_NO_CREDENTIAL, &input,
 									   GSS_C_NO_CHANNEL_BINDINGS,
 									   &port->gss->name, NULL, &output, NULL,
-									   NULL, pg_gss_accept_deleg ? &delegated_creds : NULL);
-
+									   NULL, NULL);
 		if (GSS_ERROR(major))
 		{
 			pg_GSS_error(_("could not accept GSSAPI security context"),
@@ -610,12 +605,6 @@ secure_open_gssapi(Port *port)
 			complete_next = true;
 		}
 
-		if (delegated_creds != GSS_C_NO_CREDENTIAL)
-		{
-			pg_store_delegated_credential(delegated_creds);
-			port->gss->delegated_creds = true;
-		}
-
 		/* Done handling the incoming packet, reset our buffer */
 		PqGSSRecvLength = 0;
 
@@ -742,16 +731,3 @@ be_gssapi_get_princ(Port *port)
 
 	return port->gss->princ;
 }
-
-/*
- * Return if GSSAPI delegated credentials were included on this
- * connection.
- */
-bool
-be_gssapi_get_deleg(Port *port)
-{
-	if (!port || !port->gss)
-		return NULL;
-
-	return port->gss->delegated_creds;
-}