Re: [PoC] Federated Authn/z with OAUTHBEARER

Wolfgang Walther <walther@technowledgy.de>

From: Wolfgang Walther <walther@technowledgy.de>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Jelte Fennema-Nio <postgres@jeltef.nl>, Christoph Berg <myon@debian.org>, Peter Eisentraut <peter@eisentraut.org>, Andres Freund <andres@anarazel.de>, Tom Lane <tgl@sss.pgh.pa.us>, Bruce Momjian <bruce@momjian.us>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Daniel Gustafsson <daniel@yesql.se>, Thomas Munro <thomas.munro@gmail.com>, Nazir Bilal Yavuz <byavuz81@gmail.com>, Antonin Houska <ah@cybertec.at>
Date: 2025-04-14T17:09:55Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. meson: Fix install-quiet after clean

  2. oauth: Run Autoconf tests with correct compiler flags

  3. Link libpq with libdl if the platform needs that.

  4. Doc: correct spelling of meson switch.

  5. oauth: Correct SSL dependency for libpq-oauth.a

  6. oauth: Fix Autoconf build on macOS

  7. oauth: Move the builtin flow into a separate module

  8. Remove a stray "pgrminclude" annotation

  9. oauth: Simplify copy of PGoauthBearerRequest

  10. oauth: Improve validator docs on interruptibility

  11. oauth: Disallow synchronous DNS in libcurl

  12. oauth: Fix postcondition for set_timer on macOS

  13. oauth: Use IPv4-only issuer in oauth_validator tests

  14. Work around OAuth/EVFILT_TIMER quirk on NetBSD.

  15. oauth: Fix incorrect const markers in struct

  16. Add missing entry to oauth_validator test .gitignore

  17. cirrus: Temporarily fix libcurl link error

  18. Add support for OAUTHBEARER SASL mechanism

  19. libpq: Handle asynchronous actions during SASL

  20. require_auth: prepare for multiple SASL mechanisms

  21. Move PG_MAX_AUTH_TOKEN_LENGTH to libpq/auth.h

  22. Make SASL max message length configurable

  23. jsonapi: fully initialize dummy lexer

  24. common/jsonapi: support libpq as a client

  25. Remove fe_memutils from libpgcommon_shlib

  26. Revert ECPG's use of pnstrdup()

  27. Explicitly require password for SCRAM exchange

  28. Refactor SASL exchange to return tri-state status

Jacob Champion:
> (The [2] link is missing, I think.)

Ah, sry. This is the link:

https://github.com/wolfgangwalther/nixpkgs/commits/postgresql-libpq-curl/

It's the last two commits on that branch.

> I'm confused by this -- the build produces staticlibs alongside the
> dynamically linked ones, so that's what I've been testing against.
> What different options do you pass to configure for a "statically
> linked build"?

It's not so much the options, but more that for this build there are no 
shared libs available at buildtime at all. You can consider it a "fully 
static system". So in your case, you'd always do the configure test with 
shared libs, but I can't.

The build system passes --enable-static and --disable-shared to 
configure, but both of those are ignored by configure, as indicated by a 
WARNING immediately.

>> Not unless there is some magic in PKG_CHECK_MODULES I've never heard
>> of (which is entirely possible!). Furthermore I imagine that the
>> transitive dependencies of all its dependencies are not added either.

IIUC, the transitive dependencies would be part of libcurl's 
Libs.private / Requires.private (assuming that file is correctly 
created). So that would be taken care of, I guess.


> Does your build method currently work for dependency forests like
> libgssapi_krb5 and libldap? (I want to make sure I'm not accidentally
> doing less work than we currently support for those other deps, but
> I'm also not planning to add more feature work as part of this
> particular open item.)

We currently build libpq with neither libldap, nor libkrb5, at least for 
the static case. But I just tried on the bigger postgresql package and 
force-enabled libldap there for the static build - it fails in exactly 
the same way.

So yes, not related to your patch. I do understand that PostgreSQL's 
autoconf build system is not designed for "static only", I am certainly 
not expecting you to fix that.

I think meson will do better here, but I was not able to make that work, 
yet.


>> When I do "make -C src/interfaces/libpq-oauth", I get this error:
>>
>>     make: *** No rule to make target 'oauth-curl.o', needed by
>> 'libpq-oauth-18.so'.  Stop.
> I cannot reproduce this. The CI seems happy, too. Is this patch the
> only modification you've made to our build system, or are there more
> changes?

We apply another patch to change the default socket directory to /run, 
but that's certainly unrelated. All the other custom stuff only kicks in 
afterwards, in the installPhase, so unrelated as well.

I just tried the same thing on the bigger postgresql package, where the 
full build is run and not only libpq / libpq-oauth. It fails with the 
same error. No rule for oauth-curl.o.


> I'm about to rewrite this part somewhat, so a deep dive may not be very helpful.

OK. I will try to get meson running, at least enough to try this patch 
again. Maybe that gives better results.

Thanks,

Wolfgang