Re: [PoC] Let libpq reject unexpected authentication requests

From: Jacob Champion <jchampion(at)timescale(dot)com>
To: Michael Paquier <michael(at)paquier(dot)xyz>
Cc: "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Aleksander Alekseev <aleksander(at)timescale(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
Subject: Re: [PoC] Let libpq reject unexpected authentication requests
Date: 2023-03-14 19:14:40
Message-ID: CAAWbhmiotN3k6q5Q5SnPe=5P1V8Vq=XKkuZQf5UprPhNiUAv_A@mail.gmail.com
Lists: pgsql-hackers

On Mon, Mar 13, 2023 at 10:39 PM Michael Paquier <michael(at)paquier(dot)xyz> wrote:
> 0001 was looking fine enough seen from here, so applied it after
> tweaking a few comments. That's enough to cover most of the needs of
> this thread.

Thank you very much!

> 0002 looks pretty simple as well, I think that's worth a look for this
> CF.

Cool. v17 just rebases the set over HEAD, then, for cfbot.

> I am not sure about 0003, to be honest, as I am wondering if
> there could be a better solution than tying more the mechanism names
> with the expected AUTH_REQ_* values..

Yeah, I'm not particularly excited about the approach I took. It'd be
easier if we had a second SASL method to verify the implementation...
I'd also proposed just adding an Assert, as a third option, to guide
the eventual SASL implementer back to this conversation?

--Jacob

Attachment Content-Type Size
v17-0002-require_auth-decouple-SASL-and-SCRAM.patch text/x-patch 8.1 KB
v17-0001-Add-sslcertmode-option-for-client-certificates.patch text/x-patch 17.0 KB
