dblink: Add SCRAM pass-through authentication

Matheus Alcantara <matheusssilv97@gmail.com>

From: Matheus Alcantara <matheusssilv97@gmail.com>
To: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-01-22T14:10:38Z
Lists: pgsql-hackers

Attachments

Hi,

The attached patch enables SCRAM authentication for dblink connections when
using dblink_fdw without requiring a plain-text password on user mapping
properties. The implementation is very similar to what was implemented on
postgres_fdw [0].

To make it more closer to what was implemented on postgres_fdw a refactor was
needed on get connection routines. A connect_pg_server function was created to
centralize all the logic to actually open the connection with the foreign
server and then replace the duplicated code on dblink_get_conn and
dblink_connect to just call this new function. The main reason for this
refactor was to centralize the SCRAM logic in a single function, instead of
checking if SCRAM is enabled on both functions.

A new is_valid_dblink_fdw_option function was also created to check for valid
dblink fdw options when creating a server with CREATE SERVER command. The
is_valid_dblink_option function only checks for valid libpq options, and the
use_scram_passthrough option is only valid on CREATE SERVER options.

The documentation was also changed to include a new Foreign Data Wrapper
section to describe the SCRAM pass-through feature.

Thoughts?

[0] https://www.postgresql.org/message-id/27b29a35-9b96-46a9-bc1a-914140869dac@gmail.com

-- 
Matheus Alcantara

Commits

  1. dblink: SCRAM authentication pass-through

  2. postgres_fdw: improve security checks