Re: [oauth] Add TLS support to OAuth tests

On Fri, Feb 27, 2026 at 11:17 AM Jonathan Gonzalez V.
<jonathan(dot)abdiel(at)gmail(dot)com> wrote:
> I'm attaching a patch that add this TLS support making use of the
> already certs system in the `src/test/ssl/` directory and just making
> the `oauth_server.py` script able to support TLS only, this removes the
> plain HTTP support from the server.

Thank you!

> My Python skills are old, but I tried to keep the modifications as
> simple as possible, even that there's an easy way to have the context
> in Python 3.14, I decided to just have a context because the function
> HTTPSServer() is only available from Python 3.14 and above, which is
> not so widely used yet, in the future for sure will be more simple to
> use that function.

Yep, we need to support back to Python 3.6.8 (which I've tested your
patch with locally).

Comments:

> Signed-off-by: Jonathan Gonzalez V. <jonathan(dot)abdiel(at)gmail(dot)com>

Note that we have no signoff convention here, at least that I'm aware
of. It's not a problem to include it, but this will be replaced by an
`Author:` line in the final commit. Submissions here fall under the
Archive Policy:

https://www.postgresql.org/about/policies/archives/

> +my $certdir = dirname(__FILE__) . "/../../../ssl/ssl";
> +$ENV{PGOAUTHCAFILE} = "$certdir/root+server_ca.crt";

I think we should inject this directory from the build system, instead
of walking across the tree.

> - my $issuer = "http://127.0.0.1:$port";
> + my $issuer = "https://localhost:$port";

Unfortunately this will cause strange bugs [1]: we aren't listening on
IPv6, but Curl will attempt to contact a DNS hostname on both IPv4 and
IPv6 simultaneously, leading to intermittent failures. So we'll need
to get the certificate's SANs working...

> +[ req ]
> +distinguished_name = req_distinguished_name
> +prompt = no
> +
> +[ req_distinguished_name ]
> +CN = localhost
> +OU = PostgreSQL test suite
> +
> +# For Subject Alternative Names
> +[ v3_req ]
> +subjectAltName = @alt_names

...which will require the v3_req section to be enabled here. (We can
move the CommonName into SANs as well, since Curl is a modern web
client.)

> -# To test against HTTP rather than HTTPS, we need to enable PGOAUTHDEBUG. But
> -# first, check to make sure the client refuses such connections by default.
> -$node->connect_fails(

I think we should keep this test; it's an important safeguard. This is
also a good chance to test the case where certificate verification
fails.

> server-ip-in-dnsname \
> + server-ip-localhost \
> server-single-alt-name \

nitpick: Though the naming scheme is not really all that well defined,
I think this probably belongs with the other -alt-name certs rather
than the -ip- certs.

--

To avoid making you play fetch-a-rock, I've attached these comments in
code form as v1.1-0002 (but you're under no obligation to take them if
you'd prefer to do it a different way :D). I also ran oauth_server.py
through Black.

Thanks!
--Jacob

[1] https://postgr.es/m/CAOYmi%2Bn4EDOOUL27_OqYT2-F2rS6S%2B3mK-ppWb2Ec92UEoUbYA%40mail.gmail.com