Re: [PoC] Federated Authn/z with OAUTHBEARER

On Thu, Dec 5, 2024 at 10:29 AM Jacob Champion
<jacob(dot)champion(at)enterprisedb(dot)com> wrote:
> 1. Duplicate fields caused the previous field values to leak. (This
> was the documented FIXME; we now error out in this case.)
> 2. The array-of-strings parsing had a subtle logic bug: if field "a"
> was expected to be an array of strings, we would also accept the
> construction `"a": "1"` as if it were equivalent to `"a": ["1"]`. This
> messed up the internal tracking and tripped assertions.

My "fix" for these in v38 included a silly mistake: the
grant_types_supported array could no longer contain more than one item
without being considered duplicated. :/ I've updated the tests to
exercise this case and fixed it in v40. Fuzzers are still happy so
far.

I also made a bad assumption about the return value of
connect_ok/fails() in the server log tests, so they weren't always
checking what they should have been. These have been rewritten
entirely (and IMO the tests are more readable as a result). Some
additional negative tests have been added to oauth_validator as well.

v40 also contains:
- explicit testing for connect_timeout compatibility
- support for require_auth=oauth, including compatibility with
require_auth=!scram-sha-256
- the ability for a validator to set authn_id even if the token is not
authorized, for auditability in the logs
- the use of pq_block_sigpipe() for additional safety in the face of
CURLOPT_NOSIGNAL

I have split out the require_auth changes temporarily (0002) for ease
of review, and I plan to ping the last thread where SASL support in
require_auth was discussed [1].

Thanks!
--Jacob

[1] https://postgr.es/m/ZB5jftra/n2TbdLx%40paquier.xyz