Does it need to use the mockPostgresSSLServer()? All the other SSL tests just run against PostgreSQL. Similarly, does it need to generate the certificates? For the others it's just stored in ./testdata/init (and can be re-generated with the Makefile).

Both are a lot of code to maintain.

Ah, I was trying to keep things as self-contained as possible. I'll make a new commit to just keep certs in ./testdata/init/ instead and modify the Makefile to remake them as needed. That's a better idea. Thanks.

I wasn't able to show a failing unit test until I used mockPostgresSSLServer(), because the problem being fixed is how this package does not send up the full chain and that was making Postgres sad.

Do the tests not fail if you run that new TestSSLIntermediateCA() against PostgreSQL?

Aside from the extra code to maintain, right now it also doesn't test whether this actually works with PostgreSQL: it only tests that it works with your mock, which may not necessarily be the same as what PostgreSQL does.

For simpler protocol tests that's okay (we already have pqtest.Fake), but SSL verification is probably complex adn subtle enough that it pays to test against PostgreSQL, unless this is unfeasible for some reason (although I don't see why that would be the case off-hand?)

Oh! I see your point now. Again, I was trying to make things self-contained, so that we don't have to configure an external postgres install. But of course other tests assume there is an external postgres. Let me lean into that pattern and see where it takes me.

You already need PostgreSQL to run many tests. docker compose up -d should start a PostgreSQL that should work with go test. Also see the README. Let me know if you have trouble with this.

Or you can rely on the GitHub CI.

Thanks for the push @arp242; you were absolutely correct that the test was only testing the mock server, which was insufficient.

While fixing this I got annoyed about the consistent two tests test that were failing before I started any of this, and just made the change to let them run cleanly.

Looks like there are some test failures?

Note I pushed some small fixes: notably, capturing the tt loop variable in the tests. Because go.mod specifies 1.21, it didn't use the new (well, "new") for loops and it appeared to pass as it always used the last test, which is the only one that works.

After fixing that, it consistently fails on my machine and in CI:

% go test -run TestSSLClientCertificateIntermediate

--- FAIL: TestSSLClientCertificateIntermediate (0.00s)
    --- FAIL: TestSSLClientCertificateIntermediate/file_certs (0.00s)
        ssl_test.go:200: wrong error
            want:
            have: remote error: tls: unknown certificate authority
    --- FAIL: TestSSLClientCertificateIntermediate/inline_certs (0.00s)
        ssl_test.go:200: wrong error
            want:
            have: pq: connection requires a valid client certificate (28000)
FAIL
exit status 1
FAIL    github.com/lib/pq       0.011s

Well that exposed some things. New fix incoming.

Cheers, thanks

\o/