since-v10.diff.txt

text/plain

Filename: since-v10.diff.txt
Type: text/plain
Part: 0
Message: Re: [PoC] Federated Authn/z with OAUTHBEARER
1:  e86e93f7ac8 ! 1:  5a1d1345919 oauth: Move the builtin flow into a separate module
    @@ Commit message
     
         Per request from Tom Lane and Bruce Momjian. Based on an initial patch
         by Daniel Gustafsson, who also contributed docs changes. The "bare"
    -    dlopen() concept came from Thomas Munro. Many many people reviewed the
    -    design and implementation; thank you!
    +    dlopen() concept came from Thomas Munro. Many people reviewed the design
    +    and implementation; thank you!
     
         Co-authored-by: Daniel Gustafsson <daniel@yesql.se>
         Reviewed-by: Andres Freund <andres@anarazel.de>
         Reviewed-by: Christoph Berg <myon@debian.org>
    +    Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
         Reviewed-by: Jelte Fennema-Nio <postgres@jeltef.nl>
         Reviewed-by: Peter Eisentraut <peter@eisentraut.org>
         Reviewed-by: Wolfgang Walther <walther@technowledgy.de>
    @@ src/interfaces/libpq-oauth/Makefile (new)
      ## src/interfaces/libpq-oauth/README (new) ##
     @@
     +libpq-oauth is an optional module implementing the Device Authorization flow for
    -+OAuth clients (RFC 8628). It was originally developed as part of libpq core and
    -+later split out as its own shared library in order to isolate its dependency on
    -+libcurl. (End users who don't want the Curl dependency can simply choose not to
    -+install this module.)
    ++OAuth clients (RFC 8628). It is maintained as its own shared library in order to
    ++isolate its dependency on libcurl. (End users who don't want the Curl dependency
    ++can simply choose not to install this module.)
     +
     +If a connection string allows the use of OAuth, and the server asks for it, and
     +a libpq client has not installed its own custom OAuth flow, libpq will attempt
    @@ src/interfaces/libpq-oauth/README (new)
     +pg_fe_run_oauth_flow and pg_fe_cleanup_oauth_flow are implementations of
     +conn->async_auth and conn->cleanup_async_auth, respectively.
     +
    ++At the moment, pg_fe_run_oauth_flow() relies on libpq's pg_g_threadlock and
    ++libpq_gettext(), which must be injected by libpq using this initialization
    ++function before the flow is run:
    ++
     +- void libpq_oauth_init(pgthreadlock_t threadlock,
     +						libpq_gettext_func gettext_impl,
     +						conn_errorMessage_func errmsg_impl,
    @@ src/interfaces/libpq-oauth/README (new)
     +						set_conn_altsock_func setaltsock_impl,
     +						set_conn_oauth_token_func settoken_impl);
     +
    -+At the moment, pg_fe_run_oauth_flow() relies on libpq's pg_g_threadlock and
    -+libpq_gettext(), which must be injected by libpq using this initialization
    -+function before the flow is run.
    -+
     +It also relies on access to several members of the PGconn struct. Not only can
     +these change positions across minor versions, but the offsets aren't necessarily
     +stable within a single minor release (conn->errorMessage, for instance, can
    @@ src/interfaces/libpq/fe-auth-oauth-curl.c => src/interfaces/libpq-oauth/oauth-cu
     +#define set_conn_altsock(CONN, VAL) do { CONN->altsock = VAL; } while (0)
     +#define set_conn_oauth_token(CONN, VAL) do { CONN->oauth_token = VAL; } while (0)
     +
    -+#endif							/* !USE_DYNAMIC_OAUTH */
    ++#endif							/* USE_DYNAMIC_OAUTH */
     +
     +/* One final guardrail against accidental inclusion... */
     +#if defined(USE_DYNAMIC_OAUTH) && defined(LIBPQ_INT_H)
    -+#error do not rely on libpq-int.h in libpq-oauth.so
    ++#error do not rely on libpq-int.h in dynamic builds of libpq-oauth
     +#endif
      
      /*
    @@ src/interfaces/libpq-oauth/oauth-utils.c (new)
     +#endif
     +
     +#ifdef LIBPQ_INT_H
    -+#error do not rely on libpq-int.h in libpq-oauth
    ++#error do not rely on libpq-int.h in dynamic builds of libpq-oauth
     +#endif
     +
     +/*