Re: SCRAM pass-through authentication for postgres_fdw

Peter Eisentraut <peter@eisentraut.org>

From: Peter Eisentraut <peter@eisentraut.org>
To: Matheus Alcantara <matheusssilv97@gmail.com>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, Jacob Champion <jacob.champion@enterprisedb.com>
Date: 2025-01-08T10:49:10Z
Lists: pgsql-hackers

Attachments

This patch is surprisingly compact and straightforward for providing 
such complex functionality.

I have one major code comment that needs addressing:

In src/interfaces/libpq/fe-auth-scram.c, there is:

+       memcpy(ClientKey, state->conn->scram_client_key_binary, 
SCRAM_MAX_KEY_LEN);

Here you are assuming that scram_client_key_binary has a fixed length,
but the allocation is

+       len = pg_b64_dec_len(strlen(conn->scram_client_key));
+       conn->scram_client_key_len = len;
+       conn->scram_client_key_binary = malloc(len);

And scram_client_key is passed by the client.  There needs to be some
verification that what is passed in is of the right length.

At the moment, we only support one variant of SCRAM, so all the keys 
etc. are of a fixed length.  But we should make sure that this wouldn't 
break in confusing ways in the future if that is no longer the case.

Attached are a few minor fix-up patches for your patches.  I have marked 
a couple of places where more documentation could be added.

In the future, you can squash all of this (code plus documentation) into 
one patch.

postgres_fdw has this error message:

     ereport(ERROR,
             (errcode(ERRCODE_S_R_E_PROHIBITED_SQL_STATEMENT_ATTEMPTED),
              errmsg("password or GSSAPI delegated credentials required"),
              errdetail("Non-superusers must delegate GSSAPI credentials 
or provide a password in the user mapping.")));

Maybe the option of having SCRAM pass-through should be mentioned here? 
It seems sort of analogous to the delegate GSSAPI credentials case.

Finally, if you have time, maybe look into whether this could also be 
implemented in dblink.

Commits

  1. postgres_fdw and dblink should check if backend has MyProcPort

  2. postgres_fdw: SCRAM authentication pass-through