Re: [PoC] Federated Authn/z with OAUTHBEARER

From: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Shlok Kyal <shlok(dot)kyal(dot)oss(at)gmail(dot)com>, mahendrakar s <mahendrakarforpg(at)gmail(dot)com>, Andrey Chudnovsky <achudnovskij(at)gmail(dot)com>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz>, "smilingsamay(at)gmail(dot)com" <smilingsamay(at)gmail(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Andrew Dunstan <andrew(at)dunslane(dot)net>
Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER
Date: 2024-03-01 01:08:01
Message-ID: CAOYmi+nip5GOz7paRkzucKGE4XA3z2DKS9w8KPQSNuAe=3V_2A@mail.gmail.com
Lists: pgsql-hackers

On Thu, Feb 29, 2024 at 4:04 PM Jacob Champion
<jacob(dot)champion(at)enterprisedb(dot)com> wrote:
> On Wed, Feb 28, 2024 at 9:40 AM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> > + temp = curl_slist_append(temp, "authorization_code");
> > + if (!temp)
> > + oom = true;
> > +
> > + temp = curl_slist_append(temp, "implicit");
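Review bot: assigning the return value of curl_slist_append() straight back into temp loses the only pointer to the list already built when the call fails, because libcurl returns NULL on allocation failure and leaves the previously allocated entries in place; unless the list head is also held in another variable, those entries can no longer be passed to curl_slist_free_all() and are leaked on the OOM path. Append into a scratch variable and only update temp on success, e.g. `new = curl_slist_append(temp, "authorization_code"); if (!new) oom = true; else temp = new;`, and skip the remaining appends once oom is set, since curl_slist_append(NULL, "implicit") would start a fresh list rather than extend the one that was dropped.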
> > While not a bug per se, it reads a bit odd to call another operation that can
> > allocate memory when the oom flag has been set. I think we can move some
> > things around a little to make it clearer.
>
> I'm not a huge fan of nested happy paths/pyramids of doom, but in this
> case it's small enough that I'm not opposed. :D

I ended up rewriting this patch hunk a bit to handle earlier OOM
failures; let me know what you think.

--

v18 is the result of plenty of yak shaving now that the Windows build
is working. In addition to Daniel's changes as discussed upthread,
- I have rebased over v2 of the SASL-refactoring patches
- the last CompilerWarnings failure has been fixed
- the py.test suite now runs on Windows (but does not yet completely pass)
- py.test has been completely disabled for the 32-bit Debian test in
Cirrus; I don't know if there's a way to install 32-bit Python
side-by-side with 64-bit

We are now very, very close to green.

The new oauth_validator tests can't work on Windows, since the client
doesn't support OAuth there. The python/server tests can handle this
case, since they emulate the client behavior; do we want to try
something similar in Perl?

--Jacob

Attachment Content-Type Size
since-v17.diff.txt text/plain 30.6 KB
v18-0005-backend-add-OAUTHBEARER-SASL-mechanism.patch application/octet-stream 39.9 KB
v18-0003-Explicitly-require-password-for-SCRAM-exchange.patch application/octet-stream 3.2 KB
v18-0002-Refactor-SASL-exchange-to-return-tri-state-statu.patch application/octet-stream 9.9 KB
v18-0001-common-jsonapi-support-FRONTEND-clients.patch application/octet-stream 20.4 KB
v18-0004-libpq-add-OAUTHBEARER-SASL-mechanism.patch application/octet-stream 118.9 KB
v18-0009-WIP-Python-OAuth-provider-implementation.patch application/octet-stream 9.7 KB
v18-0008-XXX-temporary-patches-to-build-and-test.patch application/octet-stream 3.8 KB
v18-0007-Add-pytest-suite-for-OAuth.patch application/octet-stream 173.7 KB
v18-0006-Introduce-OAuth-validator-libraries.patch application/octet-stream 32.0 KB
