cockroachdb
diff --git a/‎docs/generated/sql/bnf/stmt_block.bnf‎
Lines changed: 7 additions & 0 deletions b/‎docs/generated/sql/bnf/stmt_block.bnf‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎pkg/BUILD.bazel‎
Lines changed: 3 additions & 0 deletions b/‎pkg/BUILD.bazel‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎pkg/ccl/logictestccl/testdata/logic_test/provisioning‎
Lines changed: 45 additions & 0 deletions b/‎pkg/ccl/logictestccl/testdata/logic_test/provisioning‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎pkg/ccl/logictestccl/tests/3node-tenant/generated_test.go‎
Lines changed: 7 additions & 0 deletions b/‎pkg/ccl/logictestccl/tests/3node-tenant/generated_test.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎pkg/ccl/logictestccl/tests/fakedist-disk/BUILD.bazel‎
Lines changed: 1 addition & 1 deletion b/‎pkg/ccl/logictestccl/tests/fakedist-disk/BUILD.bazel‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/ccl/logictestccl/tests/fakedist-disk/generated_test.go‎
Lines changed: 7 additions & 0 deletions b/‎pkg/ccl/logictestccl/tests/fakedist-disk/generated_test.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎pkg/ccl/logictestccl/tests/fakedist-vec-off/BUILD.bazel‎
Lines changed: 1 addition & 1 deletion b/‎pkg/ccl/logictestccl/tests/fakedist-vec-off/BUILD.bazel‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/ccl/logictestccl/tests/fakedist-vec-off/generated_test.go‎
Lines changed: 7 additions & 0 deletions b/‎pkg/ccl/logictestccl/tests/fakedist-vec-off/generated_test.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎pkg/ccl/logictestccl/tests/fakedist/BUILD.bazel‎
Lines changed: 1 addition & 1 deletion b/‎pkg/ccl/logictestccl/tests/fakedist/BUILD.bazel‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/ccl/logictestccl/tests/fakedist/generated_test.go‎
Lines changed: 7 additions & 0 deletions b/‎pkg/ccl/logictestccl/tests/fakedist/generated_test.go‎
Lines changed: 7 additions & 0 deletions
@@ -1392,6 +1392,7 @@ unreserved_keyword ::=
 	| 'PRIVILEGES'
 	| 'PROCEDURE'
 	| 'PROCEDURES'
+	| 'PROVISIONSRC'
 	| 'PUBLIC'
 	| 'PUBLICATION'
 	| 'QUERIES'
@@ -3284,6 +3285,7 @@ role_option ::=
 	| password_clause
 	| valid_until_clause
 	| subject_clause
+	| provisionsrc_clause
 	| 'REPLICATION'
 	| 'NOREPLICATION'
 	| 'BYPASSRLS'
@@ -3786,6 +3788,10 @@ subject_clause ::=
 	'SUBJECT' string_or_placeholder
 	| 'SUBJECT' 'NULL'
 
+provisionsrc_clause ::=
+	'PROVISIONSRC' string_or_placeholder
+	| 'PROVISIONSRC' 'NULL'
+
 func_name_no_crdb_extra ::=
 	type_function_name_no_crdb_extra
 	| prefixed_column_path
@@ -4311,6 +4317,7 @@ bare_label_keywords ::=
 	| 'PRIVILEGES'
 	| 'PROCEDURE'
 	| 'PROCEDURES'
+	| 'PROVISIONSRC'
 	| 'PUBLIC'
 	| 'PUBLICATION'
 	| 'QUERIES'
 
@@ -338,6 +338,7 @@ ALL_TESTS = [
     "//pkg/security/certmgr:certmgr_test",
     "//pkg/security/clientcert:clientcert_test",
     "//pkg/security/password:password_test",
+    "//pkg/security/provisioning:provisioning_test",
     "//pkg/security/sessionrevival:sessionrevival_test",
     "//pkg/security/username:username_disallowed_imports_test",
     "//pkg/security/username:username_test",
@@ -1718,6 +1719,8 @@ GO_TARGETS = [
     "//pkg/security/password:password",
     "//pkg/security/password:password_test",
     "//pkg/security/pprompt:pprompt",
+    "//pkg/security/provisioning:provisioning",
+    "//pkg/security/provisioning:provisioning_test",
     "//pkg/security/securityassets:securityassets",
     "//pkg/security/securitytest:securitytest",
     "//pkg/security/sessionrevival:sessionrevival",
 
@@ -0,0 +1,45 @@
+# LogicTest: !local-mixed-24.3 !local-mixed-25.1 !local-mixed-25.2
+# Tests for parsing/validation of the PROVISIONSRC role option.
+
+statement error role "root" cannot have a PROVISIONSRC
+ALTER ROLE root PROVISIONSRC 'ldap:ldap.example.com'
+
+statement error pq: PROVISIONSRC "ldap.example.com" was not prefixed with any valid auth methods \["ldap"\]
+CREATE ROLE role_with_provisioning PROVISIONSRC 'ldap.example.com'
+
+statement error pq: conflicting role options
+CREATE ROLE role_with_provisioning WITH PROVISIONSRC 'ldap:ldap.bar.com' NOSQLLOGIN
+
+statement ok
+CREATE ROLE role_with_provisioning PROVISIONSRC 'ldap:ldap.bar.com'
+
+query T
+SELECT value FROM system.role_options
+WHERE username = 'role_with_provisioning'
+AND option = 'PROVISIONSRC'
+----
+ldap:ldap.bar.com
+
+statement ok
+ALTER ROLE role_with_provisioning PROVISIONSRC 'ldap:ldap.example.com'
+
+query T
+SELECT value FROM system.role_options
+WHERE username = 'role_with_provisioning'
+AND option = 'PROVISIONSRC'
+----
+ldap:ldap.example.com
+
+statement error pq: provided IDP "\[\]!@#%#\^\$&\*" in PROVISIONSRC is non parseable: parse "\[\]!@#%#\^\$&\*": invalid URL escape "%#\^"
+ALTER ROLE role_with_provisioning PROVISIONSRC 'ldap:[]!@#%#^$&*'
+
+statement ok
+ALTER ROLE role_with_provisioning PROVISIONSRC 'ldap:foo.bar'
+
+query T
+SELECT value FROM system.role_options
+WHERE username = 'role_with_provisioning'
+AND option = 'PROVISIONSRC'
+----
+ldap:foo.bar
+
@@ -12,7 +12,7 @@ go_test(
         "//build/toolchains:is_heavy": {"test.Pool": "heavy"},
         "//conditions:default": {"test.Pool": "large"},
     }),
-    shard_count = 35,
+    shard_count = 36,
     tags = ["cpu:2"],
     deps = [
         "//pkg/base",
 
@@ -12,7 +12,7 @@ go_test(
         "//build/toolchains:is_heavy": {"test.Pool": "heavy"},
         "//conditions:default": {"test.Pool": "large"},
     }),
-    shard_count = 35,
+    shard_count = 36,
     tags = ["cpu:2"],
     deps = [
         "//pkg/base",
 
@@ -12,7 +12,7 @@ go_test(
         "//build/toolchains:is_heavy": {"test.Pool": "heavy"},
         "//conditions:default": {"test.Pool": "large"},
     }),
-    shard_count = 36,
+    shard_count = 37,
     tags = ["cpu:2"],
     deps = [
         "//pkg/base",