
Fix: pgsql_users.use_ssl not being enforced on frontend connections #5285

Merged
renecannao merged 6 commits into v3.0 from v3.0_pgsql-use-ssl-issue-5284
Jan 12, 2026

@rahim-kanji (Collaborator) commented Jan 8, 2026

Problem:

The use_ssl column in pgsql_users table was not being enforced. Clients could connect without SSL/TLS even when use_ssl=1 was configured.

Root Cause:

During PostgreSQL frontend authentication, the use_ssl value retrieved from the database was never assigned to the session object. The SSL enforcement logic was already in place, but it evaluated a session field that remained at its default value (false) regardless of the database configuration.

Solution:

Assign the retrieved use_ssl value to the session after successful authentication lookup, consistent with how other user properties (default_hostgroup, transaction_persistent, fast_forward, user_max_connections) are already being set.

Behavior After Fix:

| use_ssl value | SSL connection | Non-SSL connection |
|---|---|---|
| 1 (true) | ✅ Allowed | ❌ Rejected with "SSL is required" |
| 0 (false) | ✅ Allowed | ✅ Allowed |

Closes #5284

Summary by CodeRabbit

Release Notes

  • Tests

    • Added comprehensive test suite validating SSL enforcement for PostgreSQL frontend connections across multiple configuration scenarios.
  • Improvements

    • Enhanced SSL state management in PostgreSQL sessions.
    • Streamlined authentication handshake logic.
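
The root cause described in this PR, modelled as an added example (not ProxySQL source and not part of the original conversation): an enforcement check that reads a session field which the authentication path never populates. `UserRow`, `Session`, `authenticate` and `matrix_mismatches` are hypothetical names, the user rows are constructed, and the `copy_use_ssl` switch exists only to show the pre-fix and post-fix behaviour side by side against the table in the description.

```cpp
#include <map>
#include <string>

// Hypothetical model of the bug class; none of these names are ProxySQL's.
struct UserRow { int default_hostgroup; bool use_ssl; };  // pgsql_users-like row
struct Session {
    int default_hostgroup = 0;
    bool use_ssl = false;  // default value; must be overwritten from the row
};
enum class Verdict { Allowed, RejectedSslRequired, UnknownUser };

// Copies looked-up user properties into the session, then enforces use_ssl.
// copy_use_ssl=false reproduces the pre-fix behaviour: the check still runs,
// but it only ever sees the session default (false).
Verdict authenticate(const std::map<std::string, UserRow>& users,
                     const std::string& user, bool client_is_encrypted,
                     bool copy_use_ssl, Session& sess) {
    auto it = users.find(user);
    if (it == users.end()) return Verdict::UnknownUser;
    sess.default_hostgroup = it->second.default_hostgroup;
    if (copy_use_ssl) sess.use_ssl = it->second.use_ssl;  // the missing assignment
    if (sess.use_ssl && !client_is_encrypted)
        return Verdict::RejectedSslRequired;
    return Verdict::Allowed;
}

// Runs the 2x2 matrix from the PR description and counts wrong verdicts.
int matrix_mismatches(bool copy_use_ssl) {
    const std::map<std::string, UserRow> users = {  // constructed sample rows
        {"tls_user", {1, true}}, {"any_user", {1, false}}};
    struct Case { const char* user; bool tls; Verdict want; };
    const Case cases[] = {
        {"tls_user", true,  Verdict::Allowed},
        {"tls_user", false, Verdict::RejectedSslRequired},
        {"any_user", true,  Verdict::Allowed},
        {"any_user", false, Verdict::Allowed}};
    int bad = 0;
    for (const Case& c : cases) {
        Session s;  // fresh session per connection attempt
        if (authenticate(users, c.user, c.tls, copy_use_ssl, s) != c.want) ++bad;
    }
    return bad;
}

int main() { return matrix_mismatches(true); }  // exit status 0 when the matrix holds
```

Only the negative case (use_ssl=1 over a non-SSL connection) distinguishes the two variants, which is why a regression test for this kind of bug has to assert a rejection and not just successful connections.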


@gemini-code-assist

Summary of Changes

Hello @rahim-kanji, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves a critical security oversight in PostgreSQL frontend connections where the use_ssl configuration for users was not being honored, potentially exposing unencrypted traffic. The fix ensures that ProxySQL correctly applies the use_ssl setting from pgsql_users to the session, thereby rejecting client connections that do not meet the specified SSL requirements. This enhancement significantly improves the security posture for PostgreSQL users by guaranteeing that SSL/TLS enforcement functions as intended.

Highlights

  • SSL Enforcement Fix: Corrected an issue where the use_ssl setting for PostgreSQL users was not being enforced, allowing non-SSL connections even when SSL was required.
  • Session Property Assignment: The use_ssl value retrieved from the database is now correctly assigned to the session object during authentication, aligning with how other user properties are handled.
  • Redundant Code Removal: The change_user_auth_switch member and related logic, which was previously used for MySQL's COM_CHANGE_USER packet handling, has been removed from PgSQL_Session as it was not relevant to PostgreSQL.
  • New Test Case: A dedicated test file (pgsql-reg_test_5284_frontend_ssl_enforcement-t.cpp) has been added to thoroughly validate the SSL enforcement behavior for PostgreSQL frontend connections under various use_ssl configurations.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request correctly fixes a security issue where the use_ssl setting for PostgreSQL users was not being enforced, allowing non-SSL connections when SSL was required. The fix is straightforward and effective, assigning the use_ssl value from the database to the session object. The inclusion of a comprehensive test file is a great addition that validates the fix across different scenarios. I've added a couple of suggestions to improve the new test code's robustness and cleanliness. The PR also includes some code cleanup by removing the unused change_user_auth_switch logic, which is a welcome improvement.

@renecannao renecannao added this to the Release 3.0.5 milestone Jan 11, 2026
@renecannao (Contributor)

@coderabbitai full review

coderabbitai bot commented Jan 11, 2026

✅ Actions performed

Full review triggered.

coderabbitai bot commented Jan 11, 2026

Caution

Review failed

The pull request is closed.

Walkthrough

These changes enforce SSL usage for PostgreSQL connections by removing authentication-switch logic, propagating SSL flags to session state, and introducing a comprehensive test validating SSL enforcement when use_ssl=1 is configured in pgsql_users.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Removed authentication-switch member: include/PgSQL_Session.h, lib/PgSQL_Session.cpp | Eliminated change_user_auth_switch private member variable and its initialization; removed related pid-based logic from server handshake, simplifying authentication-switch handling during CONNECTING_CLIENT state |
| Added session-level SSL tracking: lib/PgSQL_Protocol.cpp | Propagates SSL usage flag from authentication handshake to per-session state via (*myds)->sess->use_ssl = _ret_use_ssl assignment, enabling downstream SSL enforcement decisions |
| New SSL enforcement test: test/tap/groups/groups.json, test/tap/tests/pgsql-reg_test_5284_frontend_ssl_enforcement-t.cpp | Added test group registry entry and comprehensive test suite validating SSL enforcement across seven scenarios: admin connectivity, enabling/disabling SSL requirements, and verifying non-SSL rejection when use_ssl=1 |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A rabbit hops through SSL gates,
Where use_ssl no longer waits,
Enforcement now is crystal clear—
No cleartext shall pass through here!
🔐✨

📜 Recent review details

📥 Commits

Reviewing files that changed from the base of the PR and between c6ed5b9 and b1e37b3.

📒 Files selected for processing (5)
  • include/PgSQL_Session.h
  • lib/PgSQL_Protocol.cpp
  • lib/PgSQL_Session.cpp
  • test/tap/groups/groups.json
  • test/tap/tests/pgsql-reg_test_5284_frontend_ssl_enforcement-t.cpp

Signed-off-by: René Cannaò <rene@proxysql.com>
@renecannao renecannao merged commit 876d4ad into v3.0 Jan 12, 2026
1 of 2 checks passed
@renecannao renecannao deleted the v3.0_pgsql-use-ssl-issue-5284 branch March 7, 2026 20:41
Development

Successfully merging this pull request may close these issues.

use_ssl setting in pgsql_users is not enforced