feat(context): support unquoted identifiers for CIPHERSTASH.KEYSET_NAME

Add support for unquoted PostgreSQL identifiers when setting keyset name
via SET CIPHERSTASH.KEYSET_NAME. Previously only quoted strings and
numbers were accepted; now valid PG identifiers work without quotes.

Update tests to validate the new behavior and adjust invalid test cases.

Author: tobyhede

packages/cipherstash-proxy-integration/src/multitenant/set_keyset_name.rs

@@ -115,6 +115,12 @@ mod tests {
         let result = client.simple_query(&sql).await;
         assert!(result.is_ok());
 
+        // SET TENANT_1 WITHOUT QUOTES
+        // VALID AS LONG AS NAME IS A VALID PG IDENTIFIER
+        let sql = format!("SET CIPHERSTASH.KEYSET_NAME = {tenant_keyset_name_1}");
+        let result = client.simple_query(&sql).await;
+        assert!(result.is_ok());
+
         // INSERT
         let tenant_1_id = random_id();
         let encrypted_text = "hello";
@@ -372,8 +378,8 @@ mod tests {
 
         // Test cases that should potentially fail or be handled gracefully
         let invalid_cases = vec![
-            format!("SET CIPHERSTASH.KEYSET_NAME = {tenant_keyset_name_1}"), // unquoted string
-            format!("SET CIPHERSTASH.KEYSET_NAME = NULL"),                   // null value
+            format!("SET CIPHERSTASH.KEYSET_NAME = test-1"), // unquoted string that is NOT a valid pg Identifier
+            format!("SET CIPHERSTASH.KEYSET_NAME = NULL"),   // null value
         ];
 
         for invalid_sql in invalid_cases {

packages/cipherstash-proxy/src/postgresql/context/mod.rs

@@ -446,17 +446,20 @@ where
         }) = statement
         {
             if variable == &*SQL_SETTING_NAME_KEYSET_NAME {
-                if let Some(Expr::Value(ValueWithSpan { value, .. })) = values.first() {
-                    let keyset_name = match value {
-                        Value::SingleQuotedString(s) | Value::DoubleQuotedString(s) => s.clone(),
-                        Value::Number(n, _) => n.to_string(),
-                        _ => {
-                            let err = EncryptError::KeysetNameCouldNotBeSet;
-                            warn!(target: CONTEXT, client_id = self.client_id, msg = err.to_string());
-                            return Ok(None);
+                // Try to extract keyset name from Value (quoted string/number) or Identifier (unquoted)
+                let keyset_name = match values.first() {
+                    Some(Expr::Value(ValueWithSpan { value, .. })) => match value {
+                        Value::SingleQuotedString(s) | Value::DoubleQuotedString(s) => {
+                            Some(s.clone())
                         }
-                    };
-
+                        Value::Number(n, _) => Some(n.to_string()),
+                        _ => None,
+                    },
+                    Some(Expr::Identifier(ident)) => Some(ident.value.clone()),
+                    _ => None,
+                };
+
+                if let Some(keyset_name) = keyset_name {
                     debug!(target: CONTEXT, client_id = self.client_id, msg = "Set KeysetName", ?keyset_name);
 
                     let identifier = KeysetIdentifier(IdentifiedBy::Name(keyset_name.into()));
@@ -469,7 +472,7 @@ where
                 } else {
                     let err = EncryptError::KeysetNameCouldNotBeSet;
                     warn!(target: CONTEXT, client_id = self.client_id, msg = err.to_string());
-                    // We let the database handle any syntax errors to avoid complexifying the fronted flow (more)
+                    // We let the database handle any syntax errors to avoid complexifying the frontend flow
                 }
             }
         }