Commit b3f0be7

Add support for OAUTHBEARER SASL mechanism
This commit implements OAUTHBEARER, RFC 7628, and OAuth 2.0 Device Authorization Grants, RFC 8628. In order to use this there is a new pg_hba auth method called oauth. When speaking to an OAuth-enabled server, it looks a bit like this:

  $ psql 'host=example.org oauth_issuer=... oauth_client_id=...'
  Visit https://oauth.example.org/login and enter the code: FPQ2-M4BG

Device authorization is currently the only supported flow so the OAuth issuer must support that in order for users to authenticate. Third-party clients may however extend this and provide their own flows. The built-in device authorization flow is currently not supported on Windows.

In order for validation to happen server side a new framework for plugging in OAuth validation modules is added. As validation is implementation specific, with no default specified in the standard, PostgreSQL does not ship with one built-in. Each pg_hba entry can specify a specific validator or be left blank for the validator installed as default.

This adds a requirement on libcurl for the client side support, which is optional to build, but the server side has no additional build requirements. In order to run the tests, Python is required as this adds an https server written in Python. Tests are gated behind PG_TEST_EXTRA as they open ports.

This patch has been a multi-year project with many contributors involved with reviews and in-depth discussions: Michael Paquier, Heikki Linnakangas, Zhihong Yu, Mahendrakar Srinivasarao, Andrey Chudnovsky and Stephen Frost to name a few. While Jacob Champion is the main author there have been some levels of hacking by others. Daniel Gustafsson contributed the validation module and various bits and pieces; Thomas Munro wrote the client side support for kqueue.

Author: Jacob Champion <jacob.champion@enterprisedb.com>
Co-authored-by: Daniel Gustafsson <daniel@yesql.se>
Co-authored-by: Thomas Munro <thomas.munro@gmail.com>
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Peter Eisentraut <peter@eisentraut.org>
Reviewed-by: Antonin Houska <ah@cybertec.at>
Reviewed-by: Kashif Zeeshan <kashi.zeeshan@gmail.com>
Discussion: https://postgr.es/m/d1b467a78e0e36ed85a09adf979d04cf124a9d4b.camel@vmware.com
1 parent 1fd1bd8, commit b3f0be7


60 files changed: +9278 -39 lines changed

‎.cirrus.tasks.yml

Lines changed: 9 additions & 6 deletions
@@ -23,7 +23,7 @@ env:
2323
MTEST_ARGS:--print-errorlogs --no-rebuild -C build
2424
PGCTLTIMEOUT:120# avoids spurious failures during parallel tests
2525
TEMP_CONFIG:${CIRRUS_WORKING_DIR}/src/tools/ci/pg_ci_base.conf
26-
PG_TEST_EXTRA:kerberos ldap ssl libpq_encryption load_balance
26+
PG_TEST_EXTRA:kerberos ldap ssl libpq_encryption load_balance oauth
2727

2828

2929
# What files to preserve in case tests fail
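Review bot: oauth in the shared PG_TEST_EXTRA applies to every task that inherits this env block, but the hunks visible here install libcurl only on the FreeBSD and Debian tasks and pass --with-libcurl only through LINUX_CONFIGURE_FEATURES; please confirm the oauth tests skip cleanly, rather than fail, on builds without libcurl. The commit message also says these tests open ports and need Python for the test https server, so a short comment next to PG_TEST_EXTRA stating that would help anyone copying this list for a local run.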
@@ -167,7 +167,7 @@ task:
167167
chown root:postgres /tmp/cores
168168
sysctl kern.corefile='/tmp/cores/%N.%P.core'
169169
setup_additional_packages_script:|
170-
#pkg install -y...
170+
pkg install -ycurl
171171
172172
# NB: Intentionally build without -Dllvm. The freebsd image size is already
173173
# large enough to make VM startup slow, and even without llvm freebsd
@@ -329,6 +329,7 @@ LINUX_CONFIGURE_FEATURES: &LINUX_CONFIGURE_FEATURES >-
329329
--with-gssapi
330330
--with-icu
331331
--with-ldap
332+
--with-libcurl
332333
--with-libxml
333334
--with-libxslt
334335
--with-llvm
@@ -422,8 +423,10 @@ task:
422423
EOF
423424
424425
setup_additional_packages_script:|
425-
#apt-get update
426-
#DEBIAN_FRONTEND=noninteractive apt-get -y install ...
426+
apt-get update
427+
DEBIAN_FRONTEND=noninteractive apt-get -y install \
428+
libcurl4-openssl-dev \
429+
libcurl4-openssl-dev:i386 \
427430
428431
matrix:
429432
-name:Linux - Debian Bookworm - Autoconf
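Review bot: The last added package line, `libcurl4-openssl-dev:i386 \`, ends in a line continuation with nothing after it; it works only because the following line is blank, and any command later added directly beneath it would be silently folded into the apt-get argument list. Drop the trailing backslash on the final package.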
@@ -799,8 +802,8 @@ task:
799802
folder:$CCACHE_DIR
800803

801804
setup_additional_packages_script:|
802-
#apt-get update
803-
#DEBIAN_FRONTEND=noninteractive apt-get -y install...
805+
apt-get update
806+
DEBIAN_FRONTEND=noninteractive apt-get -y installlibcurl4-openssl-dev
804807
805808
###
806809
# Test that code can be built with gcc/clang without warnings

‎config/programs.m4

Lines changed: 65 additions & 0 deletions
@@ -274,3 +274,68 @@ AC_DEFUN([PGAC_CHECK_STRIP],
274274
AC_SUBST(STRIP_STATIC_LIB)
275275
AC_SUBST(STRIP_SHARED_LIB)
276276
])# PGAC_CHECK_STRIP
277+
278+
279+
280+
# PGAC_CHECK_LIBCURL
281+
# ------------------
282+
# Check for required libraries and headers, and test to see whether the current
283+
# installation of libcurl is thread-safe.
284+
285+
AC_DEFUN([PGAC_CHECK_LIBCURL],
286+
[
287+
AC_CHECK_HEADER(curl/curl.h,[],
288+
[AC_MSG_ERROR([header file <curl/curl.h> is required for --with-libcurl])])
289+
AC_CHECK_LIB(curl,curl_multi_init,[],
290+
[AC_MSG_ERROR([library 'curl' does not provide curl_multi_init])])
291+
292+
# Check to see whether the current platform supports threadsafe Curl
293+
# initialization.
294+
AC_CACHE_CHECK([for curl_global_init thread safety],[pgac_cv__libcurl_threadsafe_init],
295+
[AC_RUN_IFELSE([AC_LANG_PROGRAM([
296+
#include <curl/curl.h>
297+
],[
298+
curl_version_info_data *info;
299+
300+
if (curl_global_init(CURL_GLOBAL_ALL))
301+
return -1;
302+
303+
info = curl_version_info(CURLVERSION_NOW);
304+
#ifdef CURL_VERSION_THREADSAFE
305+
if (info->features & CURL_VERSION_THREADSAFE)
306+
return 0;
307+
#endif
308+
309+
return 1;
310+
])],
311+
[pgac_cv__libcurl_threadsafe_init=yes],
312+
[pgac_cv__libcurl_threadsafe_init=no],
313+
[pgac_cv__libcurl_threadsafe_init=unknown])])
314+
if test x"$pgac_cv__libcurl_threadsafe_init" = xyes ; then
315+
AC_DEFINE(HAVE_THREADSAFE_CURL_GLOBAL_INIT,1,
316+
[Define to 1 if curl_global_init() is guaranteed to be thread-safe.])
317+
fi
318+
319+
# Warn if a thread-friendly DNS resolver isn't built.
320+
AC_CACHE_CHECK([for curl support for asynchronous DNS],[pgac_cv__libcurl_async_dns],
321+
[AC_RUN_IFELSE([AC_LANG_PROGRAM([
322+
#include <curl/curl.h>
323+
],[
324+
curl_version_info_data *info;
325+
326+
if (curl_global_init(CURL_GLOBAL_ALL))
327+
return -1;
328+
329+
info = curl_version_info(CURLVERSION_NOW);
330+
return (info->features & CURL_VERSION_ASYNCHDNS) ? 0 : 1;
331+
])],
332+
[pgac_cv__libcurl_async_dns=yes],
333+
[pgac_cv__libcurl_async_dns=no],
334+
[pgac_cv__libcurl_async_dns=unknown])])
335+
if test x"$pgac_cv__libcurl_async_dns" != xyes ; then
336+
AC_MSG_WARN([
337+
*** The installed version of libcurl does not support asynchronous DNS
338+
*** lookups. Connection timeouts will not be honored during DNS resolution,
339+
*** which may lead to hangs in client programs.])
340+
fi
341+
])# PGAC_CHECK_LIBCURL
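Review bot: In the asynchronous DNS check, the `!= xyes` test also fires when AC_RUN_IFELSE yields `unknown` (the cross-compilation branch) and when the probe returns -1 because curl_global_init failed, yet the warning states as fact that the installed libcurl does not support asynchronous DNS lookups. Consider warning in those terms only on `no` and emitting a separate "could not determine" message for `unknown`. Both probes also report properties of the libcurl present when configure runs, while HAVE_THREADSAFE_CURL_GLOBAL_INIT is described as a guarantee, so a comment on what is assumed about the libcurl loaded at run time would be useful. Finally, the macro's header comment mentions only the thread-safety test; it should mention the asynchronous DNS warning as well.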
