From df787095e5a770ae22a505dcde94b9077dd8eb70 Mon Sep 17 00:00:00 2001
From: Zsolt Parragi
Date: Wed, 17 Jun 2026 06:31:55 +0000
Subject: [PATCH 2/2] Warn when OAuth is configured on plaintext-capable HBA entries
The "host", "hostnossl", and "hostnogss" connection types permit unencrypted connections, over which an OAuth bearer token would be sent in cleartext. Emit a WARNING from parse_hba_line() for such "oauth" entries, both on load (server start and reload) and when the configuration is inspected with pg_hba_file_rules().
---
 src/backend/libpq/hba.c | 16 ++++++++++++++
 .../modules/oauth_validator/t/001_server.pl | 22 +++++++++++++++++++
 2 files changed, 38 insertions(+)
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index d47eab2cba0..510ad52f052 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1968,6 +1968,22 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
 if (!check_oauth_validator(parsedline, elevel, err_msg))
 return NULL;
+ /*
+ * The "host", "hostnossl", and "hostnogss" connection types permit
+ * unencrypted connections, over which the bearer token would be sent
+ * in cleartext (RFC 7628, Sec. 5; RFC 6750, Sec. 5.2). Warn about such
+ * entries on load and when inspected via pg_hba_file_rules().
+ */
+ if (parsedline->conntype == ctHost ||
+ parsedline->conntype == ctHostNoSSL ||
+ parsedline->conntype == ctHostNoGSS)
+ ereport(WARNING,
+ (errmsg("oauth authentication is enabled for a connection type that permits unencrypted connections"),
+ errdetail("Bearer tokens may be transmitted in cleartext."),
+ errhint("Use \"hostssl\" or \"hostgssenc\" to require an encrypted connection."),
+ errcontext("line %d of configuration file \"%s\"",
+ line_num, file_name)));
+
 /*
 * Supplying a usermap combined with the option to skip usermapping is
 * nonsensical and indicates a configuration error.
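Review bot: The new comment block names the third permissive connection type "hostnogss", but the pg_hba.conf keyword behind ctHostNoGSS is "hostnogssenc" (the errhint line correctly uses the matching "hostgssenc"); suggest `* The "host", "hostnossl", and "hostnogssenc" connection types permit`. The ereport() is issued at WARNING directly rather than through the elevel/err_msg path the neighbouring check_oauth_validator() call uses, which appears deliberate so that pg_hba_file_rules() also emits it, but it means the message reaches the server log and the calling client only and is presumably not reflected in the view's error column; a short sentence in the comment saying that elevel is bypassed on purpose would stop a later reader from "fixing" it. parse_hba_line() begins and ends outside the hunk, so line_num and file_name used by errcontext are assumed to be the function's existing locals.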
diff --git a/src/test/modules/oauth_validator/t/001_server.pl b/src/test/modules/oauth_validator/t/001_server.pl
index ead1d7b4ffb..e4e67fecf24 100644
--- a/src/test/modules/oauth_validator/t/001_server.pl
+++ b/src/test/modules/oauth_validator/t/001_server.pl
@@ -713,6 +713,21 @@ $node->reload;
 $log_start = $node->wait_for_log(qr/reloading configuration files/, $log_start);
+# pg_hba_file_rules() re-parses the file on disk, surfacing the warning about
+# unencrypted connections to a superuser inspecting the configuration.
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf(
+ 'pg_hba.conf', qq{
+local all test oauth issuer="$issuer" scope="openid postgres"
+host all test 127.0.0.1/32 oauth issuer="$issuer" scope="openid postgres"
+});
+my $rules_log_start = -s $node->logfile;
+$bgconn->query("SELECT NULL FROM pg_hba_file_rules;");
+ok( $node->wait_for_log(
+ qr/WARNING:\s+oauth authentication is enabled for a connection type that permits unencrypted connections/,
+ $rules_log_start),
+ "pg_hba_file_rules() warns about plaintext-capable OAuth entries");
+
 $bgconn->quit; # the tests below restart the server
 #
@@ -849,6 +864,13 @@ $node->reload;
 $log_start = $node->wait_for_log(qr/reloading configuration files/, $log_start);
+# The "host" entry just loaded permits unencrypted connections, so the server
+# warns that the bearer token could be exposed in cleartext.
+ok( $node->wait_for_log(
+ qr/WARNING:\s+oauth authentication is enabled for a connection type that permits unencrypted connections/,
+ $log_start),
+ "plaintext-capable OAuth HBA entry warns on reload");
+
 $user = "test";
 my $tcp_connstr = "host=127.0.0.1 user=$user dbname=postgres" . " oauth_issuer=$issuer oauth_client_id=f02c6361-0635";
-- 2.43.0
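Review bot: The `unlink` of pg_hba.conf in the first hunk is unchecked, so if it fails the following append_conf() extends the previous configuration and the test exercises a different rule set than intended; suggest `unlink($node->data_dir . '/pg_hba.conf') or die "unlink pg_hba.conf: $!";`. The regex also accepts a warning raised by either entry, so the test does not show that the "local" line stays silent; matching the errcontext line number of the host entry, or asserting the message occurs exactly once in the log slice after $rules_log_start, would pin that. The file written here remains on disk for the restart mentioned in the comment on $bgconn->quit; presumably later tests rewrite pg_hba.conf before relying on it, as the reload sequence in the second hunk suggests, but that is inferred rather than visible here.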
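Review bot: In the second hunk the offset returned by wait_for_log() is discarded, whereas the surrounding code advances `$log_start` with every wait, so a later wait on the same WARNING pattern starting at $log_start would re-match this message instead of a fresh one; `ok($log_start = $node->wait_for_log(qr/WARNING:\s+oauth authentication is enabled for a connection type that permits unencrypted connections/, $log_start), "plaintext-capable OAuth HBA entry warns on reload");` keeps the named test while moving the offset forward. If wait_for_log() croaks on timeout as it does in PostgreSQL::Test::Cluster, the ok() can never observe a false value and only supplies the test name, which is acceptable but worth knowing when reading a failure.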