Re: [PoC] Federated Authn/z with OAUTHBEARER

Tue, 20 Feb 2024 17:00:59 -0800 

Hi all,

v14 rebases over latest and fixes a warning when assertions are
disabled. 0006 is temporary and hacks past a couple of issues I have
not yet root caused -- one of which makes me wonder if 0001 needs to
be considered alongside the recent pg_combinebackup and incremental
JSON work...?

--Jacob

1:  e7f87668ab ! 1:  b6e8358f44 common/jsonapi: support FRONTEND clients
    @@ Commit message
         We can now partially revert b44669b2ca, now that json_errdetail() works
         correctly.
     
    - ## src/bin/pg_verifybackup/parse_manifest.c ##
    -@@ src/bin/pg_verifybackup/parse_manifest.c: 
json_parse_manifest(JsonManifestParseContext *context, char *buffer,
    -   /* Run the actual JSON parser. */
    -   json_error = pg_parse_json(lex, &sem);
    -   if (json_error != JSON_SUCCESS)
    --          json_manifest_parse_failure(context, "parsing failed");
    -+          json_manifest_parse_failure(context, json_errdetail(json_error, 
lex));
    -   if (parse.state != JM_EXPECT_EOF)
    -           json_manifest_parse_failure(context, "manifest ended 
unexpectedly");
    - 
    -
      ## src/bin/pg_verifybackup/t/005_bad_manifest.pl ##
     @@ src/bin/pg_verifybackup/t/005_bad_manifest.pl: use Test::More;
      my $tempdir = PostgreSQL::Test::Utils::tempdir;
    @@ src/common/Makefile: override CPPFLAGS += 
-DVAL_LDFLAGS_EX="\"$(LDFLAGS_EX)\""
     +override CPPFLAGS := -DFRONTEND -I. -I$(top_srcdir)/src/common 
-I$(libpq_srcdir) $(CPPFLAGS)
      LIBS += $(PTHREAD_LIBS)
      
    - # If you add objects here, see also src/tools/msvc/Mkvcbuild.pm
    + OBJS_COMMON = \
     
      ## src/common/jsonapi.c ##
     @@
    @@ src/common/meson.build: foreach name, opts : pgcommon_variants
              'dependencies': opts['dependencies'] + [ssl],
            }
     
    + ## src/common/parse_manifest.c ##
    +@@ src/common/parse_manifest.c: 
json_parse_manifest(JsonManifestParseContext *context, char *buffer,
    +   /* Run the actual JSON parser. */
    +   json_error = pg_parse_json(lex, &sem);
    +   if (json_error != JSON_SUCCESS)
    +-          json_manifest_parse_failure(context, "parsing failed");
    ++          json_manifest_parse_failure(context, json_errdetail(json_error, 
lex));
    +   if (parse.state != JM_EXPECT_EOF)
    +           json_manifest_parse_failure(context, "manifest ended 
unexpectedly");
    + 
    +
      ## src/include/common/jsonapi.h ##
     @@
      #ifndef JSONAPI_H
2:  0ab79a168f ! 2:  5fa08a8033 libpq: add OAUTHBEARER SASL mechanism
    @@ Commit message
         - fix libcurl initialization thread-safety
         - harden the libcurl flow implementation
         - figure out pgsocket/int difference on Windows
    +    - fix intermittent failure in the cleanup callback tests (race
    +      condition?)
         - ...and more.
     
      ## configure ##
    @@ src/interfaces/libpq/Makefile: endif
      endif
     
      ## src/interfaces/libpq/exports.txt ##
    -@@ src/interfaces/libpq/exports.txt: PQclosePrepared           188
    - PQclosePortal             189
    - PQsendClosePrepared       190
    +@@ src/interfaces/libpq/exports.txt: PQsendClosePrepared       190
      PQsendClosePortal         191
    -+PQsetAuthDataHook         192
    -+PQgetAuthDataHook         193
    -+PQdefaultAuthDataHook     194
    + PQchangePassword          192
    + PQsendPipelineSync        193
    ++PQsetAuthDataHook         194
    ++PQgetAuthDataHook         195
    ++PQdefaultAuthDataHook     196
     
      ## src/interfaces/libpq/fe-auth-oauth-curl.c (new) ##
     @@
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c (new)
     +   */
     +  cnt = sscanf(interval_str, "%f", &parsed);
     +
    -+  Assert(cnt == 1); /* otherwise the lexer screwed up */
    ++  if (cnt != 1)
    ++  {
    ++          /*
    ++           * Either the lexer screwed up or our assumption above isn't 
true, and
    ++           * either way a developer needs to take a look.
    ++           */
    ++          Assert(cnt == 1);
    ++          return 1; /* don't fall through in release builds */
    ++  }
    ++
     +  parsed = ceilf(parsed);
     +
     +  if (parsed < 1)
    @@ src/interfaces/libpq/fe-auth.c: pg_fe_sendauth(AuthRequest areq, int 
payloadlen,
                        {
                                /* Use this message if pg_SASL_continue didn't 
supply one */
                                if (conn->errorMessage.len == oldmsglen)
    -@@ src/interfaces/libpq/fe-auth.c: PQencryptPasswordConn(PGconn *conn, 
const char *passwd, const char *user,
    - 
    -   return crypt_pwd;
    +@@ src/interfaces/libpq/fe-auth.c: PQchangePassword(PGconn *conn, const 
char *user, const char *passwd)
    +           }
    +   }
      }
     +
     +PQauthDataHook_type PQauthDataHook = PQdefaultAuthDataHook;
    @@ src/interfaces/libpq/fe-connect.c: keep_going:                           
                /* We will come back to here
                case CONNECTION_AUTH_OK:
                        {
                                /*
    -@@ src/interfaces/libpq/fe-connect.c: makeEmptyPGconn(void)
    +@@ src/interfaces/libpq/fe-connect.c: pqMakeEmptyPGconn(void)
        conn->verbosity = PQERRORS_DEFAULT;
        conn->show_context = PQSHOW_CONTEXT_ERRORS;
        conn->sock = PGINVALID_SOCKET;
    @@ src/interfaces/libpq/libpq-fe.h: extern int      PQenv2encoding(void);
     +
      extern char *PQencryptPassword(const char *passwd, const char *user);
      extern char *PQencryptPasswordConn(PGconn *conn, const char *passwd, 
const char *user, const char *algorithm);
    + extern PGresult *PQchangePassword(PGconn *conn, const char *user, const 
char *passwd);
      
     +typedef int (*PQauthDataHook_type) (PGAuthData type, PGconn *conn, void 
*data);
     +extern void       PQsetAuthDataHook(PQauthDataHook_type hook);
3:  fb0cc3f87e ! 3:  13cf3f80b8 backend: add OAUTHBEARER SASL mechanism
    @@ src/backend/libpq/hba.c: parse_hba_auth_opt(char *name, char *val, 
HbaLine *hbal
     
      ## src/backend/libpq/meson.build ##
     @@
    - # Copyright (c) 2022-2023, PostgreSQL Global Development Group
    + # Copyright (c) 2022-2024, PostgreSQL Global Development Group
      
      backend_sources += files(
     +  'auth-oauth.c',
4:  153347752c = 4:  83a55ba4eb Add pytest suite for OAuth
5:  8b85e542a7 ! 5:  49a3b2dfd1 squash! Add pytest suite for OAuth
    @@ .cirrus.tasks.yml: task:
        # NB: Intentionally build without -Dllvm. The freebsd image size is 
already
        # large enough to make VM startup slow, and even without llvm freebsd
     @@ .cirrus.tasks.yml: task:
    -         --buildtype=debug \
    -         -Dcassert=true -Duuid=bsd -Dtcl_version=tcl86 -Ddtrace=auto \
    +         -Dcassert=true -Dinjection_points=true \
    +         -Duuid=bsd -Dtcl_version=tcl86 -Ddtrace=auto \
              -DPG_TEST_EXTRA="$PG_TEST_EXTRA" \
     +        -Doauth=curl \
              -Dextra_lib_dirs=/usr/local/lib 
-Dextra_include_dirs=/usr/local/include/ \
-:  ---------- > 6:  a68494323f XXX temporary patches to build and test

Attachment: v14-0003-backend-add-OAUTHBEARER-SASL-mechanism.patch.gz
Description: GNU Zip compressed data

Attachment: v14-0001-common-jsonapi-support-FRONTEND-clients.patch.gz
Description: GNU Zip compressed data

Attachment: v14-0002-libpq-add-OAUTHBEARER-SASL-mechanism.patch.gz
Description: GNU Zip compressed data

Attachment: v14-0004-Add-pytest-suite-for-OAuth.patch.gz
Description: GNU Zip compressed data

Attachment: v14-0005-squash-Add-pytest-suite-for-OAuth.patch.gz
Description: GNU Zip compressed data

Attachment: v14-0006-XXX-temporary-patches-to-build-and-test.patch.gz
Description: GNU Zip compressed data

Reply via email to