From 91102dab44c3406f21bbbc28c1032d49e0721710 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Mon, 15 May 2017 23:27:51 -0400
Subject: [PATCH] In SSL tests, don't scribble on permissions of a repo file.
Modifying the permissions of a persistent file isn't really much nicer than modifying its contents, even if git doesn't currently notice it. Adjust the test script to make a copy and set the permissions of that instead. Michael Paquier, per a gripe from me. Back-patch to 9.5 where these tests were introduced.
Discussion: https://postgr.es/m/14836.1494885946@sss.pgh.pa.us
---
 src/test/ssl/ssl/.gitignore | 5 +++--
 src/test/ssl/t/001_ssltests.pl | 17 ++++++++++-------
 2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/src/test/ssl/ssl/.gitignore b/src/test/ssl/ssl/.gitignore
index 8feb8643ff..10b74f0848 100644
--- a/src/test/ssl/ssl/.gitignore
+++ b/src/test/ssl/ssl/.gitignore
@@ -1,2 +1,3 @@
-*.old
-new_certs_dir
+/*.old
+/new_certs_dir/
+/client_tmp.key
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 0c69bf08a5..66fa790d12 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -66,10 +66,10 @@ sub test_connect_fails
 ok(!$result, "$connstr (should fail)");
 }
-# The client's private key must not be world-readable. Git doesn't track
-# permissions (except for the executable bit), so they might be wrong after
-# a checkout.
-chmod 0600, "ssl/client.key";
+# The client's private key must not be world-readable, so take a copy
+# of the key stored in the code tree and update its permissions.
+copy("ssl/client.key", "ssl/client_tmp.key");
+chmod 0600, "ssl/client_tmp.key";
 #### Part 0. Set up the server.
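Review bot: Neither `copy` nor `chmod` has its result checked in the lines added before `#### Part 0`, so a failed copy would only show up later as client-certificate connection failures that look like SSL problems. Failing fast would be clearer: `copy("ssl/client.key", "ssl/client_tmp.key") or die "couldn't copy ssl/client.key to ssl/client_tmp.key: $!";`, with the same `or die` on the `chmod`. File::Copy's `copy` also creates the destination with the process's umask-derived mode and the `chmod` tightens it only afterwards. That is harmless for a test key that lives in the repository, but a comment saying so would keep the copy-then-chmod order from being reused for real private keys. The hunk adds no `use File::Copy;`, so presumably the script already imports it outside the lines shown.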
@@ -229,11 +229,11 @@ test_connect_fails("user=ssltestuser sslcert=invalid");
 # correct client cert
 test_connect_ok(
- "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client.key");
+ "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
 # client cert belonging to another user
 test_connect_fails(
- "user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client.key");
+ "user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
 # revoked client cert
 test_connect_fails(
@@ -243,7 +243,10 @@ test_connect_fails(
 # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file
 switch_server_cert($node, 'server-cn-only', 'root_ca');
 $common_connstr =
-"user=ssltestuser dbname=certdb sslkey=ssl/client.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
+"user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
 test_connect_ok("sslmode=require sslcert=ssl/client+client_ca.crt");
 test_connect_fails("sslmode=require sslcert=ssl/client.crt");
+
+# clean up
+unlink "ssl/client_tmp.key";
-- 2.40.0
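Review bot: The `unlink "ssl/client_tmp.key";` added at the end of the last hunk runs only if the script reaches its final line, so a `die` earlier in the run (for example during server setup) leaves the private-key copy behind in `ssl/`. Registering the cleanup where the copy is made, as `END { unlink "ssl/client_tmp.key"; }`, would remove it on normal exit and on `die` alike. The new `/client_tmp.key` entry in `.gitignore` only hides a leftover from git; it does not remove the file.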