GSS Auth Implementation #1209
base: master
Just as with the LDAP PR it would be very helpful if someone that uses GSS could try this PR out. I can do a review to see if the code looks sensible, but I don't really know enough about GSS to do an in-depth review of this (nor do I have the time to learn).
FYI, while cleaning up old PRs I found this one: #441. It would probably be good to check if there are any good ideas in there.
I did see that. Definitely took some ideas from that in terms of how to interact with the GSS API from it.
Expanded the test coverage and feature set. Tried to match all of the GSS options that are available in Postgres (case insensitive match, realm match, etc). I believe that I have everything covered currently with the exception of user mapping.
This PR implements GSS authentication in pgbouncer. This is a very important institutional feature that allows a client to verify its identity to a server (and vice versa) without the client ever sending its password to the server.
Since the underlying GSS C functions are network-blocking and synchronous, I used the threaded design that the PAM implementation and the LDAP PR #731 use for this functionality. For the CI and testing aspects of this PR I found the GSS backend encryption PR #743 helpful as well.
Sources: