From 75d11aa9cd9f3a6af4069e481d97b896b823fecf Mon Sep 17 00:00:00 2001
From: Dan Helfman <witten@torsion.org>
Date: Thu, 25 Jan 2024 14:18:01 -0800
Subject: [PATCH] Pass the PostgreSQL "PGSSLMODE" environment variable through
 to Borg (#370).

---
 NEWS                                | 2 ++
 borgmatic/hooks/postgresql.py       | 8 +++++---
 tests/unit/hooks/test_postgresql.py | 8 ++++++++
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index d98c6236..1833430b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,6 @@
 1.8.8.dev0
+ * #370: For the PostgreSQL hook, pass the "PGSSLMODE" environment variable through to Borg when the
+   database's configuration omits the "ssl_mode" option.
  * #818: Allow the "--repository" flag to match across multiple configuration files.
  * #820: Fix broken repository detection in the "rcreate" action with Borg 1.4. The issue did not
    occur with other versions of Borg.
diff --git a/borgmatic/hooks/postgresql.py b/borgmatic/hooks/postgresql.py
index d89ac81b..d1cb2d5c 100644
--- a/borgmatic/hooks/postgresql.py
+++ b/borgmatic/hooks/postgresql.py
@@ -25,8 +25,8 @@ def make_dump_path(config):  # pragma: no cover
 
 def make_extra_environment(database, restore_connection_params=None):
     '''
-    Make the extra_environment dict from the given database configuration.
-    If restore connection params are given, this is for a restore operation.
+    Make the extra_environment dict from the given database configuration. If restore connection
+    params are given, this is for a restore operation.
     '''
     extra = dict()
 
@@ -40,7 +40,8 @@ def make_extra_environment(database, restore_connection_params=None):
     except (AttributeError, KeyError):
         pass
 
-    extra['PGSSLMODE'] = database.get('ssl_mode', 'disable')
+    if 'ssl_mode' in database:
+        extra['PGSSLMODE'] = database['ssl_mode']
     if 'ssl_cert' in database:
         extra['PGSSLCERT'] = database['ssl_cert']
     if 'ssl_key' in database:
@@ -49,6 +50,7 @@ def make_extra_environment(database, restore_connection_params=None):
         extra['PGSSLROOTCERT'] = database['ssl_root_cert']
     if 'ssl_crl' in database:
         extra['PGSSLCRL'] = database['ssl_crl']
+
     return extra
 
 
diff --git a/tests/unit/hooks/test_postgresql.py b/tests/unit/hooks/test_postgresql.py
index 6ced44aa..becf7c92 100644
--- a/tests/unit/hooks/test_postgresql.py
+++ b/tests/unit/hooks/test_postgresql.py
@@ -50,6 +50,14 @@ def test_make_extra_environment_without_cli_password_or_configured_password_does
     assert 'PGPASSWORD' not in extra
 
 
+def test_make_extra_environment_without_ssl_mode_does_not_set_ssl_mode():
+    database = {'name': 'foo'}
+
+    extra = module.make_extra_environment(database)
+
+    assert 'PGSSLMODE' not in extra
+
+
 def test_database_names_to_dump_passes_through_individual_database_name():
     database = {'name': 'foo'}