Updating server dependancies. Also adding github.com/jaytaylor/html2text and gopkg.in/gomail.v2 (#5748)

12 files changed, 361 insertions, 282 deletions

diff --git a/vendor/github.com/lib/pq/README.md b/vendor/github.com/lib/pq/README.md
index 5eb9e1445..7670fc87a 100644
--- a/vendor/github.com/lib/pq/README.md
+++ b/vendor/github.com/lib/pq/README.md
@@ -1,6 +1,6 @@
 # pq - A pure Go postgres driver for Go's database/sql package
 
-[![Build Status](https://travis-ci.org/lib/pq.png?branch=master)](https://travis-ci.org/lib/pq)
+[![Build Status](https://travis-ci.org/lib/pq.svg?branch=master)](https://travis-ci.org/lib/pq)
 
 ## Install
 
diff --git a/vendor/github.com/lib/pq/conn.go b/vendor/github.com/lib/pq/conn.go
index 3c8f77cb6..4b2fb4462 100644
--- a/vendor/github.com/lib/pq/conn.go
+++ b/vendor/github.com/lib/pq/conn.go
@@ -133,7 +133,7 @@ type conn struct {
 // Handle driver-side settings in parsed connection string.
 func (c *conn) handleDriverSettings(o values) (err error) {
 	boolSetting := func(key string, val *bool) error {
-		if value := o.Get(key); value != "" {
+		if value, ok := o[key]; ok {
 			if value == "yes" {
 				*val = true
 			} else if value == "no" {
@@ -158,8 +158,7 @@ func (c *conn) handleDriverSettings(o values) (err error) {
 
 func (c *conn) handlePgpass(o values) {
 	// if a password was supplied, do not process .pgpass
-	_, ok := o["password"]
-	if ok {
+	if _, ok := o["password"]; ok {
 		return
 	}
 	filename := os.Getenv("PGPASSFILE")
@@ -187,11 +186,11 @@ func (c *conn) handlePgpass(o values) {
 	}
 	defer file.Close()
 	scanner := bufio.NewScanner(io.Reader(file))
-	hostname := o.Get("host")
+	hostname := o["host"]
 	ntw, _ := network(o)
-	port := o.Get("port")
-	db := o.Get("dbname")
-	username := o.Get("user")
+	port := o["port"]
+	db := o["dbname"]
+	username := o["user"]
 	// From: https://github.com/tg/pgpass/blob/master/reader.go
 	getFields := func(s string) []string {
 		fs := make([]string, 0, 5)
@@ -256,13 +255,13 @@ func DialOpen(d Dialer, name string) (_ driver.Conn, err error) {
 	// * Very low precedence defaults applied in every situation
 	// * Environment variables
 	// * Explicitly passed connection information
-	o.Set("host", "localhost")
-	o.Set("port", "5432")
+	o["host"] = "localhost"
+	o["port"] = "5432"
 	// N.B.: Extra float digits should be set to 3, but that breaks
 	// Postgres 8.4 and older, where the max is 2.
-	o.Set("extra_float_digits", "2")
+	o["extra_float_digits"] = "2"
 	for k, v := range parseEnviron(os.Environ()) {
-		o.Set(k, v)
+		o[k] = v
 	}
 
 	if strings.HasPrefix(name, "postgres://") || strings.HasPrefix(name, "postgresql://") {
@@ -277,9 +276,9 @@ func DialOpen(d Dialer, name string) (_ driver.Conn, err error) {
 	}
 
 	// Use the "fallback" application name if necessary
-	if fallback := o.Get("fallback_application_name"); fallback != "" {
-		if !o.Isset("application_name") {
-			o.Set("application_name", fallback)
+	if fallback, ok := o["fallback_application_name"]; ok {
+		if _, ok := o["application_name"]; !ok {
+			o["application_name"] = fallback
 		}
 	}
 
@@ -290,29 +289,29 @@ func DialOpen(d Dialer, name string) (_ driver.Conn, err error) {
 	// parsing its value is not worth it.  Instead, we always explicitly send
 	// client_encoding as a separate run-time parameter, which should override
 	// anything set in options.
-	if enc := o.Get("client_encoding"); enc != "" && !isUTF8(enc) {
+	if enc, ok := o["client_encoding"]; ok && !isUTF8(enc) {
 		return nil, errors.New("client_encoding must be absent or 'UTF8'")
 	}
-	o.Set("client_encoding", "UTF8")
+	o["client_encoding"] = "UTF8"
 	// DateStyle needs a similar treatment.
-	if datestyle := o.Get("datestyle"); datestyle != "" {
+	if datestyle, ok := o["datestyle"]; ok {
 		if datestyle != "ISO, MDY" {
 			panic(fmt.Sprintf("setting datestyle must be absent or %v; got %v",
 				"ISO, MDY", datestyle))
 		}
 	} else {
-		o.Set("datestyle", "ISO, MDY")
+		o["datestyle"] = "ISO, MDY"
 	}
 
 	// If a user is not provided by any other means, the last
 	// resort is to use the current operating system provided user
 	// name.
-	if o.Get("user") == "" {
+	if _, ok := o["user"]; !ok {
 		u, err := userCurrent()
 		if err != nil {
 			return nil, err
 		} else {
-			o.Set("user", u)
+			o["user"] = u
 		}
 	}
 
@@ -335,7 +334,7 @@ func DialOpen(d Dialer, name string) (_ driver.Conn, err error) {
 	cn.startup(o)
 
 	// reset the deadline, in case one was set (see dial)
-	if timeout := o.Get("connect_timeout"); timeout != "" && timeout != "0" {
+	if timeout, ok := o["connect_timeout"]; ok && timeout != "0" {
 		err = cn.c.SetDeadline(time.Time{})
 	}
 	return cn, err
@@ -349,7 +348,7 @@ func dial(d Dialer, o values) (net.Conn, error) {
 	}
 
 	// Zero or not specified means wait indefinitely.
-	if timeout := o.Get("connect_timeout"); timeout != "" && timeout != "0" {
+	if timeout, ok := o["connect_timeout"]; ok && timeout != "0" {
 		seconds, err := strconv.ParseInt(timeout, 10, 0)
 		if err != nil {
 			return nil, fmt.Errorf("invalid value for parameter connect_timeout: %s", err)
@@ -371,31 +370,18 @@ func dial(d Dialer, o values) (net.Conn, error) {
 }
 
 func network(o values) (string, string) {
-	host := o.Get("host")
+	host := o["host"]
 
 	if strings.HasPrefix(host, "/") {
-		sockPath := path.Join(host, ".s.PGSQL."+o.Get("port"))
+		sockPath := path.Join(host, ".s.PGSQL."+o["port"])
 		return "unix", sockPath
 	}
 
-	return "tcp", net.JoinHostPort(host, o.Get("port"))
+	return "tcp", net.JoinHostPort(host, o["port"])
 }
 
 type values map[string]string
 
-func (vs values) Set(k, v string) {
-	vs[k] = v
-}
-
-func (vs values) Get(k string) (v string) {
-	return vs[k]
-}
-
-func (vs values) Isset(k string) bool {
-	_, ok := vs[k]
-	return ok
-}
-
 // scanner implements a tokenizer for libpq-style option strings.
 type scanner struct {
 	s []rune
@@ -466,7 +452,7 @@ func parseOpts(name string, o values) error {
 		// Skip any whitespace after the =
 		if r, ok = s.SkipSpaces(); !ok {
 			// If we reach the end here, the last value is just an empty string as per libpq.
-			o.Set(string(keyRunes), "")
+			o[string(keyRunes)] = ""
 			break
 		}
 
@@ -501,7 +487,7 @@ func parseOpts(name string, o values) error {
 			}
 		}
 
-		o.Set(string(keyRunes), string(valRunes))
+		o[string(keyRunes)] = string(valRunes)
 	}
 
 	return nil
@@ -665,6 +651,12 @@ func (cn *conn) simpleQuery(q string) (res *rows, err error) {
 					cn: cn,
 				}
 			}
+			// Set the result and tag to the last command complete if there wasn't a
+			// query already run. Although queries usually return from here and cede
+			// control to Next, a query with zero results does not.
+			if t == 'C' && res.colNames == nil {
+				res.result, res.tag = cn.parseComplete(r.string())
+			}
 			res.done = true
 		case 'Z':
 			cn.processReadyForQuery(r)
@@ -1119,7 +1111,7 @@ func (cn *conn) auth(r *readBuf, o values) {
 		// OK
 	case 3:
 		w := cn.writeBuf('p')
-		w.string(o.Get("password"))
+		w.string(o["password"])
 		cn.send(w)
 
 		t, r := cn.recv()
@@ -1133,7 +1125,7 @@ func (cn *conn) auth(r *readBuf, o values) {
 	case 5:
 		s := string(r.next(4))
 		w := cn.writeBuf('p')
-		w.string("md5" + md5s(md5s(o.Get("password")+o.Get("user"))+s))
+		w.string("md5" + md5s(md5s(o["password"]+o["user"])+s))
 		cn.send(w)
 
 		t, r := cn.recv()
@@ -1333,6 +1325,8 @@ type rows struct {
 	colFmts  []format
 	done     bool
 	rb       readBuf
+	result   driver.Result
+	tag      string
 }
 
 func (rs *rows) Close() error {
@@ -1356,6 +1350,17 @@ func (rs *rows) Columns() []string {
 	return rs.colNames
 }
 
+func (rs *rows) Result() driver.Result {
+	if rs.result == nil {
+		return emptyRows
+	}
+	return rs.result
+}
+
+func (rs *rows) Tag() string {
+	return rs.tag
+}
+
 func (rs *rows) Next(dest []driver.Value) (err error) {
 	if rs.done {
 		return io.EOF
@@ -1373,6 +1378,9 @@ func (rs *rows) Next(dest []driver.Value) (err error) {
 		case 'E':
 			err = parseError(&rs.rb)
 		case 'C', 'I':
+			if t == 'C' {
+				rs.result, rs.tag = conn.parseComplete(rs.rb.string())
+			}
 			continue
 		case 'Z':
 			conn.processReadyForQuery(&rs.rb)
diff --git a/vendor/github.com/lib/pq/conn_go18.go b/vendor/github.com/lib/pq/conn_go18.go
index 0aca1d002..43cc35f7b 100644
--- a/vendor/github.com/lib/pq/conn_go18.go
+++ b/vendor/github.com/lib/pq/conn_go18.go
@@ -14,10 +14,7 @@ func (cn *conn) QueryContext(ctx context.Context, query string, args []driver.Na
 	for i, nv := range args {
 		list[i] = nv.Value
 	}
-	var closed chan<- struct{}
-	if ctx.Done() != nil {
-		closed = watchCancel(ctx, cn.cancel)
-	}
+	closed := cn.watchCancel(ctx)
 	r, err := cn.query(query, list)
 	if err != nil {
 		return nil, err
@@ -33,8 +30,7 @@ func (cn *conn) ExecContext(ctx context.Context, query string, args []driver.Nam
 		list[i] = nv.Value
 	}
 
-	if ctx.Done() != nil {
-		closed := watchCancel(ctx, cn.cancel)
+	if closed := cn.watchCancel(ctx); closed != nil {
 		defer close(closed)
 	}
 
@@ -53,22 +49,23 @@ func (cn *conn) BeginTx(ctx context.Context, opts driver.TxOptions) (driver.Tx,
 	if err != nil {
 		return nil, err
 	}
-	if ctx.Done() != nil {
-		cn.txnClosed = watchCancel(ctx, cn.cancel)
-	}
+	cn.txnClosed = cn.watchCancel(ctx)
 	return tx, nil
 }
 
-func watchCancel(ctx context.Context, cancel func()) chan<- struct{} {
-	closed := make(chan struct{})
-	go func() {
-		select {
-		case <-ctx.Done():
-			cancel()
-		case <-closed:
-		}
-	}()
-	return closed
+func (cn *conn) watchCancel(ctx context.Context) chan<- struct{} {
+	if done := ctx.Done(); done != nil {
+		closed := make(chan struct{})
+		go func() {
+			select {
+			case <-done:
+				cn.cancel()
+			case <-closed:
+			}
+		}()
+		return closed
+	}
+	return nil
 }
 
 func (cn *conn) cancel() {
diff --git a/vendor/github.com/lib/pq/conn_test.go b/vendor/github.com/lib/pq/conn_test.go
index 183e6dcd6..c9135b727 100644
--- a/vendor/github.com/lib/pq/conn_test.go
+++ b/vendor/github.com/lib/pq/conn_test.go
@@ -191,7 +191,7 @@ localhost:*:*:*:pass_C
 	pgpass.Close()
 
 	assertPassword := func(extra values, expected string) {
-		o := &values{
+		o := values{
 			"host":               "localhost",
 			"sslmode":            "disable",
 			"connect_timeout":    "20",
@@ -203,11 +203,11 @@ localhost:*:*:*:pass_C
 			"datestyle":          "ISO, MDY",
 		}
 		for k, v := range extra {
-			(*o)[k] = v
+			o[k] = v
 		}
-		(&conn{}).handlePgpass(*o)
-		if o.Get("password") != expected {
-			t.Fatalf("For %v expected %s got %s", extra, expected, o.Get("password"))
+		(&conn{}).handlePgpass(o)
+		if pw := o["password"]; pw != expected {
+			t.Fatalf("For %v expected %s got %s", extra, expected, pw)
 		}
 	}
 	// wrong permissions for the pgpass file means it should be ignored
@@ -686,17 +686,28 @@ func TestCloseBadConn(t *testing.T) {
 	if err := cn.Close(); err != nil {
 		t.Fatal(err)
 	}
+
+	// During the Go 1.9 cycle, https://github.com/golang/go/commit/3792db5
+	// changed this error from
+	//
+	// net.errClosing = errors.New("use of closed network connection")
+	//
+	// to
+	//
+	// internal/poll.ErrClosing = errors.New("use of closed file or network connection")
+	const errClosing = "use of closed"
+
 	// Verify write after closing fails.
 	if _, err := nc.Write(nil); err == nil {
 		t.Fatal("expected error")
-	} else if !strings.Contains(err.Error(), "use of closed network connection") {
-		t.Fatalf("expected use of closed network connection error, got %s", err)
+	} else if !strings.Contains(err.Error(), errClosing) {
+		t.Fatalf("expected %s error, got %s", errClosing, err)
 	}
 	// Verify second close fails.
 	if err := cn.Close(); err == nil {
 		t.Fatal("expected error")
-	} else if !strings.Contains(err.Error(), "use of closed network connection") {
-		t.Fatalf("expected use of closed network connection error, got %s", err)
+	} else if !strings.Contains(err.Error(), errClosing) {
+		t.Fatalf("expected %s error, got %s", errClosing, err)
 	}
 }
 
@@ -1493,3 +1504,82 @@ func TestQuoteIdentifier(t *testing.T) {
 		}
 	}
 }
+
+func TestRowsResultTag(t *testing.T) {
+	type ResultTag interface {
+		Result() driver.Result
+		Tag() string
+	}
+
+	tests := []struct {
+		query string
+		tag   string
+		ra    int64
+	}{
+		{
+			query: "CREATE TEMP TABLE temp (a int)",
+			tag:   "CREATE TABLE",
+		},
+		{
+			query: "INSERT INTO temp VALUES (1), (2)",
+			tag:   "INSERT",
+			ra:    2,
+		},
+		{
+			query: "SELECT 1",
+		},
+		// A SELECT anywhere should take precedent.
+		{
+			query: "SELECT 1; INSERT INTO temp VALUES (1), (2)",
+		},
+		{
+			query: "INSERT INTO temp VALUES (1), (2); SELECT 1",
+		},
+		// Multiple statements that don't return rows should return the last tag.
+		{
+			query: "CREATE TEMP TABLE t (a int); DROP TABLE t",
+			tag:   "DROP TABLE",
+		},
+		// Ensure a rows-returning query in any position among various tags-returing
+		// statements will prefer the rows.
+		{
+			query: "SELECT 1; CREATE TEMP TABLE t (a int); DROP TABLE t",
+		},
+		{
+			query: "CREATE TEMP TABLE t (a int); SELECT 1; DROP TABLE t",
+		},
+		{
+			query: "CREATE TEMP TABLE t (a int); DROP TABLE t; SELECT 1",
+		},
+		// Verify that an no-results query doesn't set the tag.
+		{
+			query: "CREATE TEMP TABLE t (a int); SELECT 1 WHERE FALSE; DROP TABLE t;",
+		},
+	}
+
+	// If this is the only test run, this will correct the connection string.
+	openTestConn(t).Close()
+
+	conn, err := Open("")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer conn.Close()
+	q := conn.(driver.Queryer)
+
+	for _, test := range tests {
+		if rows, err := q.Query(test.query, nil); err != nil {
+			t.Fatalf("%s: %s", test.query, err)
+		} else {
+			r := rows.(ResultTag)
+			if tag := r.Tag(); tag != test.tag {
+				t.Fatalf("%s: unexpected tag %q", test.query, tag)
+			}
+			res := r.Result()
+			if ra, _ := res.RowsAffected(); ra != test.ra {
+				t.Fatalf("%s: unexpected rows affected: %d", test.query, ra)
+			}
+			rows.Close()
+		}
+	}
+}
diff --git a/vendor/github.com/lib/pq/go18_test.go b/vendor/github.com/lib/pq/go18_test.go
index 15546d865..5d17e4d92 100644
--- a/vendor/github.com/lib/pq/go18_test.go
+++ b/vendor/github.com/lib/pq/go18_test.go
@@ -79,10 +79,7 @@ func TestContextCancelExec(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 
 	// Delay execution for just a bit until db.ExecContext has begun.
-	go func() {
-		time.Sleep(time.Millisecond * 10)
-		cancel()
-	}()
+	defer time.AfterFunc(time.Millisecond*10, cancel).Stop()
 
 	// Not canceled until after the exec has started.
 	if _, err := db.ExecContext(ctx, "select pg_sleep(1)"); err == nil {
@@ -106,10 +103,7 @@ func TestContextCancelQuery(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 
 	// Delay execution for just a bit until db.QueryContext has begun.
-	go func() {
-		time.Sleep(time.Millisecond * 10)
-		cancel()
-	}()
+	defer time.AfterFunc(time.Millisecond*10, cancel).Stop()
 
 	// Not canceled until after the exec has started.
 	if _, err := db.QueryContext(ctx, "select pg_sleep(1)"); err == nil {
@@ -137,10 +131,7 @@ func TestContextCancelBegin(t *testing.T) {
 	}
 
 	// Delay execution for just a bit until tx.Exec has begun.
-	go func() {
-		time.Sleep(time.Millisecond * 10)
-		cancel()
-	}()
+	defer time.AfterFunc(time.Millisecond*10, cancel).Stop()
 
 	// Not canceled until after the exec has started.
 	if _, err := tx.Exec("select pg_sleep(1)"); err == nil {
diff --git a/vendor/github.com/lib/pq/listen_example/doc.go b/vendor/github.com/lib/pq/listen_example/doc.go
index 5bc99f5c1..80f0a9b97 100644
--- a/vendor/github.com/lib/pq/listen_example/doc.go
+++ b/vendor/github.com/lib/pq/listen_example/doc.go
@@ -51,21 +51,15 @@ mechanism to avoid polling the database while waiting for more work to arrive.
     }
 
     func waitForNotification(l *pq.Listener) {
-        for {
-            select {
-                case <-l.Notify:
-                    fmt.Println("received notification, new work available")
-                    return
-                case <-time.After(90 * time.Second):
-                    go func() {
-                        l.Ping()
-                    }()
-                    // Check if there's more work available, just in case it takes
-                    // a while for the Listener to notice connection loss and
-                    // reconnect.
-                    fmt.Println("received no work for 90 seconds, checking for new work")
-                    return
-            }
+        select {
+            case <-l.Notify:
+                fmt.Println("received notification, new work available")
+            case <-time.After(90 * time.Second):
+                go l.Ping()
+                // Check if there's more work available, just in case it takes
+                // a while for the Listener to notice connection loss and
+                // reconnect.
+                fmt.Println("received no work for 90 seconds, checking for new work")
         }
     }
 
diff --git a/vendor/github.com/lib/pq/notify_test.go b/vendor/github.com/lib/pq/notify_test.go
index fe8941a4e..82a77e1eb 100644
--- a/vendor/github.com/lib/pq/notify_test.go
+++ b/vendor/github.com/lib/pq/notify_test.go
@@ -7,7 +7,6 @@ import (
 	"os"
 	"runtime"
 	"sync"
-	"sync/atomic"
 	"testing"
 	"time"
 )
@@ -235,15 +234,10 @@ func TestConnExecDeadlock(t *testing.T) {
 	// calls Close on the net.Conn; equivalent to a network failure
 	l.Close()
 
-	var done int32 = 0
-	go func() {
-		time.Sleep(10 * time.Second)
-		if atomic.LoadInt32(&done) != 1 {
-			panic("timed out")
-		}
-	}()
+	defer time.AfterFunc(10*time.Second, func() {
+		panic("timed out")
+	}).Stop()
 	wg.Wait()
-	atomic.StoreInt32(&done, 1)
 }
 
 // Test for ListenerConn being closed while a slow query is executing
@@ -271,15 +265,11 @@ func TestListenerConnCloseWhileQueryIsExecuting(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	var done int32 = 0
-	go func() {
-		time.Sleep(10 * time.Second)
-		if atomic.LoadInt32(&done) != 1 {
-			panic("timed out")
-		}
-	}()
+
+	defer time.AfterFunc(10*time.Second, func() {
+		panic("timed out")
+	}).Stop()
 	wg.Wait()
-	atomic.StoreInt32(&done, 1)
 }
 
 func TestNotifyExtra(t *testing.T) {
diff --git a/vendor/github.com/lib/pq/oid/types.go b/vendor/github.com/lib/pq/oid/types.go
index 03df05a61..a3390c23a 100644
--- a/vendor/github.com/lib/pq/oid/types.go
+++ b/vendor/github.com/lib/pq/oid/types.go
@@ -18,6 +18,7 @@ const (
 	T_xid              Oid = 28
 	T_cid              Oid = 29
 	T_oidvector        Oid = 30
+	T_pg_ddl_command   Oid = 32
 	T_pg_type          Oid = 71
 	T_pg_attribute     Oid = 75
 	T_pg_proc          Oid = 81
@@ -28,6 +29,7 @@ const (
 	T_pg_node_tree     Oid = 194
 	T__json            Oid = 199
 	T_smgr             Oid = 210
+	T_index_am_handler Oid = 325
 	T_point            Oid = 600
 	T_lseg             Oid = 601
 	T_path             Oid = 602
@@ -133,6 +135,9 @@ const (
 	T__uuid            Oid = 2951
 	T_txid_snapshot    Oid = 2970
 	T_fdw_handler      Oid = 3115
+	T_pg_lsn           Oid = 3220
+	T__pg_lsn          Oid = 3221
+	T_tsm_handler      Oid = 3310
 	T_anyenum          Oid = 3500
 	T_tsvector         Oid = 3614
 	T_tsquery          Oid = 3615
@@ -144,6 +149,8 @@ const (
 	T__regconfig       Oid = 3735
 	T_regdictionary    Oid = 3769
 	T__regdictionary   Oid = 3770
+	T_jsonb            Oid = 3802
+	T__jsonb           Oid = 3807
 	T_anyrange         Oid = 3831
 	T_event_trigger    Oid = 3838
 	T_int4range        Oid = 3904
@@ -158,4 +165,9 @@ const (
 	T__daterange       Oid = 3913
 	T_int8range        Oid = 3926
 	T__int8range       Oid = 3927
+	T_pg_shseclabel    Oid = 4066
+	T_regnamespace     Oid = 4089
+	T__regnamespace    Oid = 4090
+	T_regrole          Oid = 4096
+	T__regrole         Oid = 4097
 )
diff --git a/vendor/github.com/lib/pq/ssl.go b/vendor/github.com/lib/pq/ssl.go
index b282ebd92..7deb30436 100644
--- a/vendor/github.com/lib/pq/ssl.go
+++ b/vendor/github.com/lib/pq/ssl.go
@@ -15,7 +15,7 @@ import (
 func ssl(o values) func(net.Conn) net.Conn {
 	verifyCaOnly := false
 	tlsConf := tls.Config{}
-	switch mode := o.Get("sslmode"); mode {
+	switch mode := o["sslmode"]; mode {
 	// "require" is the default.
 	case "", "require":
 		// We must skip TLS's own verification since it requires full
@@ -23,15 +23,19 @@ func ssl(o values) func(net.Conn) net.Conn {
 		tlsConf.InsecureSkipVerify = true
 
 		// From http://www.postgresql.org/docs/current/static/libpq-ssl.html:
-		// Note: For backwards compatibility with earlier versions of PostgreSQL, if a
-		// root CA file exists, the behavior of sslmode=require will be the same as
-		// that of verify-ca, meaning the server certificate is validated against the
-		// CA. Relying on this behavior is discouraged, and applications that need
-		// certificate validation should always use verify-ca or verify-full.
-		if _, err := os.Stat(o.Get("sslrootcert")); err == nil {
-			verifyCaOnly = true
-		} else {
-			o.Set("sslrootcert", "")
+		//
+		// Note: For backwards compatibility with earlier versions of
+		// PostgreSQL, if a root CA file exists, the behavior of
+		// sslmode=require will be the same as that of verify-ca, meaning the
+		// server certificate is validated against the CA. Relying on this
+		// behavior is discouraged, and applications that need certificate
+		// validation should always use verify-ca or verify-full.
+		if sslrootcert, ok := o["sslrootcert"]; ok {
+			if _, err := os.Stat(sslrootcert); err == nil {
+				verifyCaOnly = true
+			} else {
+				delete(o, "sslrootcert")
+			}
 		}
 	case "verify-ca":
 		// We must skip TLS's own verification since it requires full
@@ -39,7 +43,7 @@ func ssl(o values) func(net.Conn) net.Conn {
 		tlsConf.InsecureSkipVerify = true
 		verifyCaOnly = true
 	case "verify-full":
-		tlsConf.ServerName = o.Get("host")
+		tlsConf.ServerName = o["host"]
 	case "disable":
 		return nil
 	default:
@@ -64,38 +68,43 @@ func ssl(o values) func(net.Conn) net.Conn {
 // in the user's home directory. The configured files must exist and have
 // the correct permissions.
 func sslClientCertificates(tlsConf *tls.Config, o values) {
-	sslkey := o.Get("sslkey")
-	sslcert := o.Get("sslcert")
-
-	var cinfo, kinfo os.FileInfo
-	var err error
+	// user.Current() might fail when cross-compiling. We have to ignore the
+	// error and continue without home directory defaults, since we wouldn't
+	// know from where to load them.
+	user, _ := user.Current()
+
+	// In libpq, the client certificate is only loaded if the setting is not blank.
+	//
+	// https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1036-L1037
+	sslcert := o["sslcert"]
+	if len(sslcert) == 0 && user != nil {
+		sslcert = filepath.Join(user.HomeDir, ".postgresql", "postgresql.crt")
+	}
+	// https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1045
+	if len(sslcert) == 0 {
+		return
+	}
+	// https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1050:L1054
+	if _, err := os.Stat(sslcert); os.IsNotExist(err) {
+		return
+	} else if err != nil {
+		panic(err)
+	}
 
-	if sslcert != "" && sslkey != "" {
-		// Check that both files exist. Note that we don't do any more extensive
-		// checks than this (such as checking that the paths aren't directories);
-		// LoadX509KeyPair() will take care of the rest.
-		cinfo, err = os.Stat(sslcert)
-		if err != nil {
-			panic(err)
-		}
+	// In libpq, the ssl key is only loaded if the setting is not blank.
+	//
+	// https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1123-L1222
+	sslkey := o["sslkey"]
+	if len(sslkey) == 0 && user != nil {
+		sslkey = filepath.Join(user.HomeDir, ".postgresql", "postgresql.key")
+	}
 
-		kinfo, err = os.Stat(sslkey)
-		if err != nil {
+	if len(sslkey) > 0 {
+		if err := sslKeyPermissions(sslkey); err != nil {
 			panic(err)
 		}
-	} else {
-		// Automatically find certificates from ~/.postgresql
-		sslcert, sslkey, cinfo, kinfo = sslHomeCertificates()
-
-		if cinfo == nil || kinfo == nil {
-			// No certificates to load
-			return
-		}
 	}
 
-	// The files must also have the correct permissions
-	sslCertificatePermissions(cinfo, kinfo)
-
 	cert, err := tls.LoadX509KeyPair(sslcert, sslkey)
 	if err != nil {
 		panic(err)
@@ -105,7 +114,10 @@ func sslClientCertificates(tlsConf *tls.Config, o values) {
 
 // sslCertificateAuthority adds the RootCA specified in the "sslrootcert" setting.
 func sslCertificateAuthority(tlsConf *tls.Config, o values) {
-	if sslrootcert := o.Get("sslrootcert"); sslrootcert != "" {
+	// In libpq, the root certificate is only loaded if the setting is not blank.
+	//
+	// https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L950-L951
+	if sslrootcert := o["sslrootcert"]; len(sslrootcert) > 0 {
 		tlsConf.RootCAs = x509.NewCertPool()
 
 		cert, err := ioutil.ReadFile(sslrootcert)
@@ -113,41 +125,12 @@ func sslCertificateAuthority(tlsConf *tls.Config, o values) {
 			panic(err)
 		}
 
-		ok := tlsConf.RootCAs.AppendCertsFromPEM(cert)
-		if !ok {
+		if !tlsConf.RootCAs.AppendCertsFromPEM(cert) {
 			errorf("couldn't parse pem in sslrootcert")
 		}
 	}
 }
 
-// sslHomeCertificates returns the path and stats of certificates in the current
-// user's home directory.
-func sslHomeCertificates() (cert, key string, cinfo, kinfo os.FileInfo) {
-	user, err := user.Current()
-
-	if err != nil {
-		// user.Current() might fail when cross-compiling. We have to ignore the
-		// error and continue without client certificates, since we wouldn't know
-		// from where to load them.
-		return
-	}
-
-	cert = filepath.Join(user.HomeDir, ".postgresql", "postgresql.crt")
-	key = filepath.Join(user.HomeDir, ".postgresql", "postgresql.key")
-
-	cinfo, err = os.Stat(cert)
-	if err != nil {
-		cinfo = nil
-	}
-
-	kinfo, err = os.Stat(key)
-	if err != nil {
-		kinfo = nil
-	}
-
-	return
-}
-
 // sslVerifyCertificateAuthority carries out a TLS handshake to the server and
 // verifies the presented certificate against the CA, i.e. the one specified in
 // sslrootcert or the system CA if sslrootcert was not specified.
diff --git a/vendor/github.com/lib/pq/ssl_permissions.go b/vendor/github.com/lib/pq/ssl_permissions.go
index 33076a8da..3b7c3a2a3 100644
--- a/vendor/github.com/lib/pq/ssl_permissions.go
+++ b/vendor/github.com/lib/pq/ssl_permissions.go
@@ -4,13 +4,17 @@ package pq
 
 import "os"
 
-// sslCertificatePermissions checks the permissions on user-supplied certificate
-// files. The key file should have very little access.
+// sslKeyPermissions checks the permissions on user-supplied ssl key files.
+// The key file should have very little access.
 //
 // libpq does not check key file permissions on Windows.
-func sslCertificatePermissions(cert, key os.FileInfo) {
-	kmode := key.Mode()
-	if kmode != kmode&0600 {
-		panic(ErrSSLKeyHasWorldPermissions)
+func sslKeyPermissions(sslkey string) error {
+	info, err := os.Stat(sslkey)
+	if err != nil {
+		return err
 	}
+	if info.Mode().Perm()&0077 != 0 {
+		return ErrSSLKeyHasWorldPermissions
+	}
+	return nil
 }
diff --git a/vendor/github.com/lib/pq/ssl_test.go b/vendor/github.com/lib/pq/ssl_test.go
index f70a5fd57..3eafbfd20 100644
--- a/vendor/github.com/lib/pq/ssl_test.go
+++ b/vendor/github.com/lib/pq/ssl_test.go
@@ -6,7 +6,6 @@ import (
 	_ "crypto/sha256"
 	"crypto/x509"
 	"database/sql"
-	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
@@ -42,10 +41,13 @@ func openSSLConn(t *testing.T, conninfo string) (*sql.DB, error) {
 }
 
 func checkSSLSetup(t *testing.T, conninfo string) {
-	db, err := openSSLConn(t, conninfo)
-	if err == nil {
-		db.Close()
-		t.Fatalf("expected error with conninfo=%q", conninfo)
+	_, err := openSSLConn(t, conninfo)
+	if pge, ok := err.(*Error); ok {
+		if pge.Code.Name() != "invalid_authorization_specification" {
+			t.Fatalf("unexpected error code '%s'", pge.Code.Name())
+		}
+	} else {
+		t.Fatalf("expected %T, got %v", (*Error)(nil), err)
 	}
 }
 
@@ -150,120 +152,128 @@ func TestSSLVerifyCA(t *testing.T) {
 	checkSSLSetup(t, "sslmode=disable user=pqgossltest")
 
 	// Not OK according to the system CA
-	_, err := openSSLConn(t, "host=postgres sslmode=verify-ca user=pqgossltest")
-	if err == nil {
-		t.Fatal("expected error")
+	{
+		_, err := openSSLConn(t, "host=postgres sslmode=verify-ca user=pqgossltest")
+		if _, ok := err.(x509.UnknownAuthorityError); !ok {
+			t.Fatalf("expected %T, got %#+v", x509.UnknownAuthorityError{}, err)
+		}
 	}
-	_, ok := err.(x509.UnknownAuthorityError)
-	if !ok {
-		t.Fatalf("expected x509.UnknownAuthorityError, got %#+v", err)
+
+	// Still not OK according to the system CA; empty sslrootcert is treated as unspecified.
+	{
+		_, err := openSSLConn(t, "host=postgres sslmode=verify-ca user=pqgossltest sslrootcert=''")
+		if _, ok := err.(x509.UnknownAuthorityError); !ok {
+			t.Fatalf("expected %T, got %#+v", x509.UnknownAuthorityError{}, err)
+		}
 	}
 
 	rootCertPath := filepath.Join(os.Getenv("PQSSLCERTTEST_PATH"), "root.crt")
 	rootCert := "sslrootcert=" + rootCertPath + " "
 	// No match on Common Name, but that's OK
-	_, err = openSSLConn(t, rootCert+"host=127.0.0.1 sslmode=verify-ca user=pqgossltest")
-	if err != nil {
+	if _, err := openSSLConn(t, rootCert+"host=127.0.0.1 sslmode=verify-ca user=pqgossltest"); err != nil {
 		t.Fatal(err)
 	}
 	// Everything OK
-	_, err = openSSLConn(t, rootCert+"host=postgres sslmode=verify-ca user=pqgossltest")
-	if err != nil {
+	if _, err := openSSLConn(t, rootCert+"host=postgres sslmode=verify-ca user=pqgossltest"); err != nil {
 		t.Fatal(err)
 	}
 }
 
-func getCertConninfo(t *testing.T, source string) string {
-	var sslkey string
-	var sslcert string
-
-	certpath := os.Getenv("PQSSLCERTTEST_PATH")
-
-	switch source {
-	case "missingkey":
-		sslkey = "/tmp/filedoesnotexist"
-		sslcert = filepath.Join(certpath, "postgresql.crt")
-	case "missingcert":
-		sslkey = filepath.Join(certpath, "postgresql.key")
-		sslcert = "/tmp/filedoesnotexist"
-	case "certtwice":
-		sslkey = filepath.Join(certpath, "postgresql.crt")
-		sslcert = filepath.Join(certpath, "postgresql.crt")
-	case "valid":
-		sslkey = filepath.Join(certpath, "postgresql.key")
-		sslcert = filepath.Join(certpath, "postgresql.crt")
-	default:
-		t.Fatalf("invalid source %q", source)
-	}
-	return fmt.Sprintf("sslmode=require user=pqgosslcert sslkey=%s sslcert=%s", sslkey, sslcert)
-}
-
 // Authenticate over SSL using client certificates
 func TestSSLClientCertificates(t *testing.T) {
 	maybeSkipSSLTests(t)
 	// Environment sanity check: should fail without SSL
 	checkSSLSetup(t, "sslmode=disable user=pqgossltest")
 
-	// Should also fail without a valid certificate
-	db, err := openSSLConn(t, "sslmode=require user=pqgosslcert")
-	if err == nil {
-		db.Close()
-		t.Fatal("expected error")
-	}
-	pge, ok := err.(*Error)
-	if !ok {
-		t.Fatal("expected pq.Error")
+	const baseinfo = "sslmode=require user=pqgosslcert"
+
+	// Certificate not specified, should fail
+	{
+		_, err := openSSLConn(t, baseinfo)
+		if pge, ok := err.(*Error); ok {
+			if pge.Code.Name() != "invalid_authorization_specification" {
+				t.Fatalf("unexpected error code '%s'", pge.Code.Name())
+			}
+		} else {
+			t.Fatalf("expected %T, got %v", (*Error)(nil), err)
+		}
 	}
-	if pge.Code.Name() != "invalid_authorization_specification" {
-		t.Fatalf("unexpected error code %q", pge.Code.Name())
+
+	// Empty certificate specified, should fail
+	{
+		_, err := openSSLConn(t, baseinfo+" sslcert=''")
+		if pge, ok := err.(*Error); ok {
+			if pge.Code.Name() != "invalid_authorization_specification" {
+				t.Fatalf("unexpected error code '%s'", pge.Code.Name())
+			}
+		} else {
+			t.Fatalf("expected %T, got %v", (*Error)(nil), err)
+		}
 	}
 
-	// Should work
-	db, err = openSSLConn(t, getCertConninfo(t, "valid"))
-	if err != nil {
-		t.Fatal(err)
+	// Non-existent certificate specified, should fail
+	{
+		_, err := openSSLConn(t, baseinfo+" sslcert=/tmp/filedoesnotexist")
+		if pge, ok := err.(*Error); ok {
+			if pge.Code.Name() != "invalid_authorization_specification" {
+				t.Fatalf("unexpected error code '%s'", pge.Code.Name())
+			}
+		} else {
+			t.Fatalf("expected %T, got %v", (*Error)(nil), err)
+		}
 	}
-	rows, err := db.Query("SELECT 1")
-	if err != nil {
-		t.Fatal(err)
+
+	certpath, ok := os.LookupEnv("PQSSLCERTTEST_PATH")
+	if !ok {
+		t.Fatalf("PQSSLCERTTEST_PATH not present in environment")
 	}
-	rows.Close()
-}
 
-// Test errors with ssl certificates
-func TestSSLClientCertificatesMissingFiles(t *testing.T) {
-	maybeSkipSSLTests(t)
-	// Environment sanity check: should fail without SSL
-	checkSSLSetup(t, "sslmode=disable user=pqgossltest")
+	sslcert := filepath.Join(certpath, "postgresql.crt")
 
-	// Key missing, should fail
-	_, err := openSSLConn(t, getCertConninfo(t, "missingkey"))
-	if err == nil {
-		t.Fatal("expected error")
-	}
-	// should be a PathError
-	_, ok := err.(*os.PathError)
-	if !ok {
-		t.Fatalf("expected PathError, got %#+v", err)
+	// Cert present, key not specified, should fail
+	{
+		_, err := openSSLConn(t, baseinfo+" sslcert="+sslcert)
+		if _, ok := err.(*os.PathError); !ok {
+			t.Fatalf("expected %T, got %#+v", (*os.PathError)(nil), err)
+		}
 	}
 
-	// Cert missing, should fail
-	_, err = openSSLConn(t, getCertConninfo(t, "missingcert"))
-	if err == nil {
-		t.Fatal("expected error")
+	// Cert present, empty key specified, should fail
+	{
+		_, err := openSSLConn(t, baseinfo+" sslcert="+sslcert+" sslkey=''")
+		if _, ok := err.(*os.PathError); !ok {
+			t.Fatalf("expected %T, got %#+v", (*os.PathError)(nil), err)
+		}
 	}
-	// should be a PathError
-	_, ok = err.(*os.PathError)
-	if !ok {
-		t.Fatalf("expected PathError, got %#+v", err)
+
+	// Cert present, non-existent key, should fail
+	{
+		_, err := openSSLConn(t, baseinfo+" sslcert="+sslcert+" sslkey=/tmp/filedoesnotexist")
+		if _, ok := err.(*os.PathError); !ok {
+			t.Fatalf("expected %T, got %#+v", (*os.PathError)(nil), err)
+		}
 	}
 
-	// Key has wrong permissions, should fail
-	_, err = openSSLConn(t, getCertConninfo(t, "certtwice"))
-	if err == nil {
-		t.Fatal("expected error")
+	// Key has wrong permissions (passing the cert as the key), should fail
+	if _, err := openSSLConn(t, baseinfo+" sslcert="+sslcert+" sslkey="+sslcert); err != ErrSSLKeyHasWorldPermissions {
+		t.Fatalf("expected %s, got %#+v", ErrSSLKeyHasWorldPermissions, err)
 	}
-	if err != ErrSSLKeyHasWorldPermissions {
-		t.Fatalf("expected ErrSSLKeyHasWorldPermissions, got %#+v", err)
+
+	sslkey := filepath.Join(certpath, "postgresql.key")
+
+	// Should work
+	if db, err := openSSLConn(t, baseinfo+" sslcert="+sslcert+" sslkey="+sslkey); err != nil {
+		t.Fatal(err)
+	} else {
+		rows, err := db.Query("SELECT 1")
+		if err != nil {
+			t.Fatal(err)
+		}
+		if err := rows.Close(); err != nil {
+			t.Fatal(err)
+		}
+		if err := db.Close(); err != nil {
+			t.Fatal(err)
+		}
 	}
 }
diff --git a/vendor/github.com/lib/pq/ssl_windows.go b/vendor/github.com/lib/pq/ssl_windows.go
index 529daed22..5d2c763ce 100644
--- a/vendor/github.com/lib/pq/ssl_windows.go
+++ b/vendor/github.com/lib/pq/ssl_windows.go
@@ -2,8 +2,8 @@
 
 package pq
 
-import "os"
-
-// sslCertificatePermissions checks the permissions on user-supplied certificate
-// files. In libpq, this is a no-op on Windows.
-func sslCertificatePermissions(cert, key os.FileInfo) {}
+// sslKeyPermissions checks the permissions on user-supplied ssl key files.
+// The key file should have very little access.
+//
+// libpq does not check key file permissions on Windows.
+func sslKeyPermissions(string) error { return nil }