#include "postgres_fe.h"
#include <curl/curl.h>
#include <math.h>
#include <unistd.h>
#include "common/jsonapi.h"
#include "fe-auth.h"
#include "fe-auth-oauth.h"
#include "libpq-int.h"
#include "mb/pg_wchar.h"

Include dependency graph for fe-auth-oauth-curl.c:

Data Structures
struct	provider

struct	device_authz

struct	token_error

struct	token

struct	async_ctx

struct	json_field

struct	oauth_parse

Macros
#define	MAX_OAUTH_RESPONSE_SIZE (256 * 1024)

#define	actx_error(ACTX, FMT, ...) appendPQExpBuffer(&(ACTX)->errbuf, libpq_gettext(FMT), ##__VA_ARGS__)

#define	actx_error_str(ACTX, S) appendPQExpBufferStr(&(ACTX)->errbuf, S)

#define	CHECK_MSETOPT(ACTX, OPT, VAL, FAILACTION)

#define	CHECK_SETOPT(ACTX, OPT, VAL, FAILACTION)

#define	CHECK_GETINFO(ACTX, INFO, OUT, FAILACTION)

#define	PG_OAUTH_REQUIRED true

#define	PG_OAUTH_OPTIONAL false

#define	oauth_parse_set_error(ctx, fmt, ...) appendPQExpBuffer((ctx)->errbuf, libpq_gettext(fmt), ##__VA_ARGS__)

#define	CURL_IGNORE_DEPRECATION(x) x

#define	HTTPS_SCHEME "https://"

#define	OAUTH_GRANT_TYPE_DEVICE_CODE "urn:ietf:params:oauth:grant-type:device_code"

Enumerations
enum	OAuthStep { OAUTH_STEP_INIT = 0 , OAUTH_STEP_DISCOVERY , OAUTH_STEP_DEVICE_AUTHORIZATION , OAUTH_STEP_TOKEN_REQUEST , OAUTH_STEP_WAIT_INTERVAL }

Functions
static void	free_provider (struct provider *provider)

static void	free_device_authz (struct device_authz *authz)

static void	free_token_error (struct token_error *err)

static void	free_token (struct token *tok)

static void	free_async_ctx (PGconn conn, struct async_ctx actx)

void	pg_fe_cleanup_oauth_flow (PGconn *conn)

static void	report_type_mismatch (struct oauth_parse *ctx)

static JsonParseErrorType	oauth_json_object_start (void *state)

static JsonParseErrorType	oauth_json_object_field_start (void state, char name, bool isnull)

static JsonParseErrorType	oauth_json_object_end (void *state)

static JsonParseErrorType	oauth_json_array_start (void *state)

static JsonParseErrorType	oauth_json_array_end (void *state)

static JsonParseErrorType	oauth_json_scalar (void state, char token, JsonTokenType type)

static bool	check_content_type (struct async_ctx actx, const char type)

static bool	parse_oauth_json (struct async_ctx actx, const struct json_field fields)

static bool	parse_provider (struct async_ctx actx, struct provider provider)

static double	parse_json_number (const char *s)

static int	parse_interval (struct async_ctx actx, const char interval_str)

static int	parse_expires_in (struct async_ctx actx, const char expires_in_str)

static bool	parse_device_authz (struct async_ctx actx, struct device_authz authz)

static bool	parse_token_error (struct async_ctx actx, struct token_error err)

static void	record_token_error (struct async_ctx actx, const struct token_error err)

static bool	parse_access_token (struct async_ctx actx, struct token tok)

static bool	setup_multiplexer (struct async_ctx *actx)

static int	register_socket (CURL curl, curl_socket_t socket, int what, void ctx, void *socketp)

static bool	set_timer (struct async_ctx *actx, long timeout)

static int	timer_expired (struct async_ctx *actx)

static int	register_timer (CURLM curlm, long timeout, void ctx)

static int	debug_callback (CURL handle, curl_infotype type, char data, size_t size, void *clientp)

static bool	setup_curl_handles (struct async_ctx *actx)

static size_t	append_data (char buf, size_t size, size_t nmemb, void userdata)

static bool	start_request (struct async_ctx *actx)

static PostgresPollingStatusType	drive_request (struct async_ctx *actx)

static void	append_urlencoded (PQExpBuffer buf, const char *s)

static char *	urlencode (const char *s)

static void	build_urlencoded (PQExpBuffer buf, const char key, const char value)

static bool	start_discovery (struct async_ctx actx, const char discovery_uri)

static bool	finish_discovery (struct async_ctx *actx)

static bool	check_issuer (struct async_ctx actx, PGconn conn)

static bool	check_for_device_flow (struct async_ctx *actx)

static bool	add_client_identification (struct async_ctx actx, PQExpBuffer reqbody, PGconn conn)

static bool	start_device_authz (struct async_ctx actx, PGconn conn)

static bool	finish_device_authz (struct async_ctx *actx)

static bool	start_token_request (struct async_ctx actx, PGconn conn)

static bool	finish_token_request (struct async_ctx actx, struct token tok)

static bool	handle_token_response (struct async_ctx actx, char *token)

static bool	prompt_user (struct async_ctx actx, PGconn conn)

static bool	initialize_curl (PGconn *conn)

static PostgresPollingStatusType	pg_fe_run_oauth_flow_impl (PGconn *conn)

PostgresPollingStatusType	pg_fe_run_oauth_flow (PGconn *conn)

Macro Definition Documentation

◆ actx_error

#define actx_error	(	ACTX,
		FMT,
		...
	)	appendPQExpBuffer(&(ACTX)->errbuf, libpq_gettext(FMT), ##__VA_ARGS__)

Definition at line 323 of file fe-auth-oauth-curl.c.

◆ actx_error_str

#define actx_error_str	(	ACTX,
		S
	)	appendPQExpBufferStr(&(ACTX)->errbuf, S)

Definition at line 326 of file fe-auth-oauth-curl.c.

◆ CHECK_GETINFO

#define CHECK_GETINFO	(	ACTX,
		INFO,
		OUT,
		FAILACTION
	)

Value:

    do { \
        struct async_ctx *_actx = (ACTX); \
        CURLcode    _getinfoerr = curl_easy_getinfo(_actx->curl, INFO, OUT); \
        if (_getinfoerr) { \
            actx_error(_actx, "failed to get %s from OAuth response: %s",\
                       #INFO, curl_easy_strerror(_getinfoerr)); \
            FAILACTION; \
        } \
    } while (0)

Definition at line 356 of file fe-auth-oauth-curl.c.

◆ CHECK_MSETOPT

#define CHECK_MSETOPT	(	ACTX,
		OPT,
		VAL,
		FAILACTION
	)

Value:

    do { \
        struct async_ctx *_actx = (ACTX); \
        CURLMcode   _setopterr = curl_multi_setopt(_actx->curlm, OPT, VAL); \
        if (_setopterr) { \
            actx_error(_actx, "failed to set %s on OAuth connection: %s",\
                       #OPT, curl_multi_strerror(_setopterr)); \
            FAILACTION; \
        } \
    } while (0)

Definition at line 334 of file fe-auth-oauth-curl.c.

◆ CHECK_SETOPT

#define CHECK_SETOPT	(	ACTX,
		OPT,
		VAL,
		FAILACTION
	)

Value:

    do { \
        struct async_ctx *_actx = (ACTX); \
        CURLcode    _setopterr = curl_easy_setopt(_actx->curl, OPT, VAL); \
        if (_setopterr) { \
            actx_error(_actx, "failed to set %s on OAuth connection: %s",\
                       #OPT, curl_easy_strerror(_setopterr)); \
            FAILACTION; \
        } \
    } while (0)

Definition at line 345 of file fe-auth-oauth-curl.c.

◆ CURL_IGNORE_DEPRECATION

#define CURL_IGNORE_DEPRECATION ( x ) x

Definition at line 1779 of file fe-auth-oauth-curl.c.

◆ HTTPS_SCHEME

#define HTTPS_SCHEME "https://"

Definition at line 2083 of file fe-auth-oauth-curl.c.

◆ MAX_OAUTH_RESPONSE_SIZE

#define MAX_OAUTH_RESPONSE_SIZE (256 * 1024)

Definition at line 47 of file fe-auth-oauth-curl.c.

◆ OAUTH_GRANT_TYPE_DEVICE_CODE

#define OAUTH_GRANT_TYPE_DEVICE_CODE "urn:ietf:params:oauth:grant-type:device_code"

Definition at line 2084 of file fe-auth-oauth-curl.c.

◆ oauth_parse_set_error

#define oauth_parse_set_error	(	ctx,
		fmt,
		...
	)	appendPQExpBuffer((ctx)->errbuf, libpq_gettext(fmt), ##__VA_ARGS__)

Definition at line 410 of file fe-auth-oauth-curl.c.

◆ PG_OAUTH_OPTIONAL

#define PG_OAUTH_OPTIONAL false

Definition at line 398 of file fe-auth-oauth-curl.c.

◆ PG_OAUTH_REQUIRED

#define PG_OAUTH_REQUIRED true

Definition at line 397 of file fe-auth-oauth-curl.c.

Enumeration Type Documentation

◆ OAuthStep

enum OAuthStep

Enumerator
OAUTH_STEP_INIT
OAUTH_STEP_DISCOVERY
OAUTH_STEP_DEVICE_AUTHORIZATION
OAUTH_STEP_TOKEN_REQUEST
OAUTH_STEP_WAIT_INTERVAL

Definition at line 164 of file fe-auth-oauth-curl.c.

{
    OAUTH_STEP_INIT = 0,
    OAUTH_STEP_DISCOVERY,
    OAUTH_STEP_DEVICE_AUTHORIZATION,
    OAUTH_STEP_TOKEN_REQUEST,
    OAUTH_STEP_WAIT_INTERVAL,
};

Function Documentation

◆ add_client_identification()

static bool add_client_identification	(	struct async_ctx *	actx,
		PQExpBuffer	reqbody,
		PGconn *	conn
	)

static

Definition at line 2151 of file fe-auth-oauth-curl.c.

{
    bool        success = false;
    char       *username = NULL;
    char       *password = NULL;
 
    if (conn->oauth_client_secret)  /* Zero-length secrets are permitted! */
    {
        /*----
         * Use HTTP Basic auth to send the client_id and secret. Per RFC 6749,
         * Sec. 2.3.1,
         *
         *   Including the client credentials in the request-body using the
         *   two parameters is NOT RECOMMENDED and SHOULD be limited to
         *   clients unable to directly utilize the HTTP Basic authentication
         *   scheme (or other password-based HTTP authentication schemes).
         *
         * Additionally:
         *
         *   The client identifier is encoded using the
         *   "application/x-www-form-urlencoded" encoding algorithm per Appendix
         *   B, and the encoded value is used as the username; the client
         *   password is encoded using the same algorithm and used as the
         *   password.
         *
         * (Appendix B modifies application/x-www-form-urlencoded by requiring
         * an initial UTF-8 encoding step. Since the client ID and secret must
         * both be 7-bit ASCII -- RFC 6749 Appendix A -- we don't worry about
         * that in this function.)
         *
         * client_id is not added to the request body in this case. Not only
         * would it be redundant, but some providers in the wild (e.g. Okta)
         * refuse to accept it.
         */
        username = urlencode(conn->oauth_client_id);
        password = urlencode(conn->oauth_client_secret);
 
        if (!username || !password)
        {
            actx_error(actx, "out of memory");
            goto cleanup;
        }
 
        CHECK_SETOPT(actx, CURLOPT_HTTPAUTH, CURLAUTH_BASIC, goto cleanup);
        CHECK_SETOPT(actx, CURLOPT_USERNAME, username, goto cleanup);
        CHECK_SETOPT(actx, CURLOPT_PASSWORD, password, goto cleanup);
 
        actx->used_basic_auth = true;
    }
    else
    {
        /*
         * If we're not otherwise authenticating, client_id is REQUIRED in the
         * request body.
         */
        build_urlencoded(reqbody, "client_id", conn->oauth_client_id);
 
        CHECK_SETOPT(actx, CURLOPT_HTTPAUTH, CURLAUTH_NONE, goto cleanup);
        actx->used_basic_auth = false;
    }
 
    success = true;
 
cleanup:
    free(username);
    free(password);
 
    return success;
}

References actx_error, build_urlencoded(), CHECK_SETOPT, cleanup(), conn, free, pg_conn::oauth_client_id, pg_conn::oauth_client_secret, password, success, urlencode(), async_ctx::used_basic_auth, and username.

Referenced by start_device_authz(), and start_token_request().

◆ append_data()

static size_t append_data	(	char *	buf,
		size_t	size,
		size_t	nmemb,
		void *	userdata
	)

static

Definition at line 1698 of file fe-auth-oauth-curl.c.

{
    struct async_ctx *actx = userdata;
    PQExpBuffer resp = &actx->work_data;
    size_t      len = size * nmemb;
 
    /* In case we receive data over the threshold, abort the transfer */
    if ((resp->len + len) > MAX_OAUTH_RESPONSE_SIZE)
    {
        actx_error(actx, "response is too large");
        return 0;
    }
 
    /* The data passed from libcurl is not null-terminated */
    appendBinaryPQExpBuffer(resp, buf, len);
 
    /*
     * Signal an error in order to abort the transfer in case we ran out of
     * memory in accepting the data.
     */
    if (PQExpBufferBroken(resp))
    {
        actx_error(actx, "out of memory");
        return 0;
    }
 
    return len;
}

References actx_error, appendBinaryPQExpBuffer(), buf, PQExpBufferData::len, len, MAX_OAUTH_RESPONSE_SIZE, PQExpBufferBroken, and async_ctx::work_data.

Referenced by start_request().

◆ append_urlencoded()

static void append_urlencoded	(	PQExpBuffer	buf,
		const char *	s
	)

static

Definition at line 1887 of file fe-auth-oauth-curl.c.

{
    char       *escaped;
    char       *haystack;
    char       *match;
 
    /* The first parameter to curl_easy_escape is deprecated by Curl */
    escaped = curl_easy_escape(NULL, s, 0);
    if (!escaped)
    {
        termPQExpBuffer(buf);   /* mark the buffer broken */
        return;
    }
 
    /*
     * curl_easy_escape() almost does what we want, but we need the
     * query-specific flavor which uses '+' instead of '%20' for spaces. The
     * Curl command-line tool does this with a simple search-and-replace, so
     * follow its lead.
     */
    haystack = escaped;
 
    while ((match = strstr(haystack, "%20")) != NULL)
    {
        /* Append the unmatched portion, followed by the plus sign. */
        appendBinaryPQExpBuffer(buf, haystack, match - haystack);
        appendPQExpBufferChar(buf, '+');
 
        /* Keep searching after the match. */
        haystack = match + 3 /* strlen("%20") */ ;
    }
 
    /* Push the remainder of the string onto the buffer. */
    appendPQExpBufferStr(buf, haystack);
 
    curl_free(escaped);
}

References appendBinaryPQExpBuffer(), appendPQExpBufferChar(), appendPQExpBufferStr(), buf, and termPQExpBuffer().

Referenced by build_urlencoded(), and urlencode().

◆ build_urlencoded()

static void build_urlencoded	(	PQExpBuffer	buf,
		const char *	key,
		const char *	value
	)

static

Definition at line 1945 of file fe-auth-oauth-curl.c.

{
    if (buf->len)
        appendPQExpBufferChar(buf, '&');
 
    append_urlencoded(buf, key);
    appendPQExpBufferChar(buf, '=');
    append_urlencoded(buf, value);
}

References append_urlencoded(), appendPQExpBufferChar(), buf, sort-test::key, and value.

Referenced by add_client_identification(), start_device_authz(), and start_token_request().

◆ check_content_type()

static bool check_content_type	(	struct async_ctx *	actx,
		const char *	type
	)

static

Definition at line 698 of file fe-auth-oauth-curl.c.

{
    const size_t type_len = strlen(type);
    char       *content_type;
 
    CHECK_GETINFO(actx, CURLINFO_CONTENT_TYPE, &content_type, return false);
 
    if (!content_type)
    {
        actx_error(actx, "no content type was provided");
        return false;
    }
 
    /*
     * We need to perform a length limited comparison and not compare the
     * whole string.
     */
    if (pg_strncasecmp(content_type, type, type_len) != 0)
        goto fail;
 
    /* On an exact match, we're done. */
    Assert(strlen(content_type) >= type_len);
    if (content_type[type_len] == '\0')
        return true;
 
    /*
     * Only a semicolon (optionally preceded by HTTP optional whitespace) is
     * acceptable after the prefix we checked. This marks the start of media
     * type parameters, which we currently have no use for.
     */
    for (size_t i = type_len; content_type[i]; ++i)
    {
        switch (content_type[i])
        {
            case ';':
                return true;    /* success! */
 
            case ' ':
            case '\t':
                /* HTTP optional whitespace allows only spaces and htabs. */
                break;
 
            default:
                goto fail;
        }
    }
 
fail:
    actx_error(actx, "unexpected content type: \"%s\"", content_type);
    return false;
}

References actx_error, Assert(), CHECK_GETINFO, i, pg_strncasecmp(), and type.

Referenced by parse_oauth_json().

◆ check_for_device_flow()

static bool check_for_device_flow ( struct async_ctx * actx )

static

Definition at line 2092 of file fe-auth-oauth-curl.c.

{
    const struct provider *provider = &actx->provider;
 
    Assert(provider->issuer);   /* ensured by parse_provider() */
    Assert(provider->token_endpoint);   /* ensured by parse_provider() */
 
    if (!provider->device_authorization_endpoint)
    {
        actx_error(actx,
                   "issuer \"%s\" does not provide a device authorization endpoint",
                   provider->issuer);
        return false;
    }
 
    /*
     * The original implementation checked that OAUTH_GRANT_TYPE_DEVICE_CODE
     * was present in the discovery document's grant_types_supported list. MS
     * Entra does not advertise this grant type, though, and since it doesn't
     * make sense to stand up a device_authorization_endpoint without also
     * accepting device codes at the token_endpoint, that's the only thing we
     * currently require.
     */
 
    /*
     * Although libcurl will fail later if the URL contains an unsupported
     * scheme, that error message is going to be a bit opaque. This is a
     * decent time to bail out if we're not using HTTPS for the endpoints
     * we'll use for the flow.
     */
    if (!actx->debugging)
    {
        if (pg_strncasecmp(provider->device_authorization_endpoint,
                           HTTPS_SCHEME, strlen(HTTPS_SCHEME)) != 0)
        {
            actx_error(actx,
                       "device authorization endpoint \"%s\" must use HTTPS",
                       provider->device_authorization_endpoint);
            return false;
        }
 
        if (pg_strncasecmp(provider->token_endpoint,
                           HTTPS_SCHEME, strlen(HTTPS_SCHEME)) != 0)
        {
            actx_error(actx,
                       "token endpoint \"%s\" must use HTTPS",
                       provider->token_endpoint);
            return false;
        }
    }
 
    return true;
}

References actx_error, Assert(), async_ctx::debugging, provider::device_authorization_endpoint, HTTPS_SCHEME, provider::issuer, pg_strncasecmp(), async_ctx::provider, and provider::token_endpoint.

Referenced by pg_fe_run_oauth_flow_impl().

◆ check_issuer()

static bool check_issuer	(	struct async_ctx *	actx,
		PGconn *	conn
	)

static

Definition at line 2048 of file fe-auth-oauth-curl.c.

{
    const struct provider *provider = &actx->provider;
 
    Assert(conn->oauth_issuer_id);  /* ensured by setup_oauth_parameters() */
    Assert(provider->issuer);   /* ensured by parse_provider() */
 
    /*---
     * We require strict equality for issuer identifiers -- no path or case
     * normalization, no substitution of default ports and schemes, etc. This
     * is done to match the rules in OIDC Discovery Sec. 4.3 for config
     * validation:
     *
     *    The issuer value returned MUST be identical to the Issuer URL that
     *    was used as the prefix to /.well-known/openid-configuration to
     *    retrieve the configuration information.
     *
     * as well as the rules set out in RFC 9207 for avoiding mix-up attacks:
     *
     *    Clients MUST then [...] compare the result to the issuer identifier
     *    of the authorization server where the authorization request was
     *    sent to. This comparison MUST use simple string comparison as defined
     *    in Section 6.2.1 of [RFC3986].
     */
    if (strcmp(conn->oauth_issuer_id, provider->issuer) != 0)
    {
        actx_error(actx,
                   "the issuer identifier (%s) does not match oauth_issuer (%s)",
                   provider->issuer, conn->oauth_issuer_id);
        return false;
    }
 
    return true;
}

References actx_error, Assert(), conn, provider::issuer, pg_conn::oauth_issuer_id, and async_ctx::provider.

Referenced by pg_fe_run_oauth_flow_impl().

◆ debug_callback()

static int debug_callback	(	CURL *	handle,
		curl_infotype	type,
		char *	data,
		size_t	size,
		void *	clientp
	)

static

Definition at line 1482 of file fe-auth-oauth-curl.c.

{
    const char *prefix;
    bool        printed_prefix = false;
    PQExpBufferData buf;
 
    /* Prefixes are modeled off of the default libcurl debug output. */
    switch (type)
    {
        case CURLINFO_TEXT:
            prefix = "*";
            break;
 
        case CURLINFO_HEADER_IN:    /* fall through */
        case CURLINFO_DATA_IN:
            prefix = "<";
            break;
 
        case CURLINFO_HEADER_OUT:   /* fall through */
        case CURLINFO_DATA_OUT:
            prefix = ">";
            break;
 
        default:
            return 0;
    }
 
    initPQExpBuffer(&buf);
 
    /*
     * Split the output into lines for readability; sometimes multiple headers
     * are included in a single call. We also don't allow unprintable ASCII
     * through without a basic <XX> escape.
     */
    for (int i = 0; i < size; i++)
    {
        char        c = data[i];
 
        if (!printed_prefix)
        {
            appendPQExpBuffer(&buf, "[libcurl] %s ", prefix);
            printed_prefix = true;
        }
 
        if (c >= 0x20 && c <= 0x7E)
            appendPQExpBufferChar(&buf, c);
        else if ((type == CURLINFO_HEADER_IN
                  || type == CURLINFO_HEADER_OUT
                  || type == CURLINFO_TEXT)
                 && (c == '\r' || c == '\n'))
        {
            /*
             * Don't bother emitting <0D><0A> for headers and text; it's not
             * helpful noise.
             */
        }
        else
            appendPQExpBuffer(&buf, "<%02X>", c);
 
        if (c == '\n')
        {
            appendPQExpBufferChar(&buf, c);
            printed_prefix = false;
        }
    }
 
    if (printed_prefix)
        appendPQExpBufferChar(&buf, '\n');  /* finish the line */
 
    fprintf(stderr, "%s", buf.data);
    termPQExpBuffer(&buf);
    return 0;
}

References appendPQExpBuffer(), appendPQExpBufferChar(), buf, data, fprintf, i, initPQExpBuffer(), termPQExpBuffer(), and type.

Referenced by setup_curl_handles().

◆ drive_request()

static PostgresPollingStatusType drive_request ( struct async_ctx * actx )

static

Definition at line 1787 of file fe-auth-oauth-curl.c.

{
    CURLMcode   err;
    CURLMsg    *msg;
    int         msgs_left;
    bool        done;
 
    if (actx->running)
    {
        /*---
         * There's an async request in progress. Pump the multi handle.
         *
         * curl_multi_socket_all() is officially deprecated, because it's
         * inefficient and pointless if your event loop has already handed you
         * the exact sockets that are ready. But that's not our use case --
         * our client has no way to tell us which sockets are ready. (They
         * don't even know there are sockets to begin with.)
         *
         * We can grab the list of triggered events from the multiplexer
         * ourselves, but that's effectively what curl_multi_socket_all() is
         * going to do. And there are currently no plans for the Curl project
         * to remove or break this API, so ignore the deprecation. See
         *
         *    https://curl.se/mail/lib-2024-11/0028.html
         *
         */
        CURL_IGNORE_DEPRECATION(
            err = curl_multi_socket_all(actx->curlm, &actx->running);
        )
 
        if (err)
        {
            actx_error(actx, "asynchronous HTTP request failed: %s",
                       curl_multi_strerror(err));
            return PGRES_POLLING_FAILED;
        }
 
        if (actx->running)
        {
            /* We'll come back again. */
            return PGRES_POLLING_READING;
        }
    }
 
    done = false;
    while ((msg = curl_multi_info_read(actx->curlm, &msgs_left)) != NULL)
    {
        if (msg->msg != CURLMSG_DONE)
        {
            /*
             * Future libcurl versions may define new message types; we don't
             * know how to handle them, so we'll ignore them.
             */
            continue;
        }
 
        /* First check the status of the request itself. */
        if (msg->data.result != CURLE_OK)
        {
            /*
             * If a more specific error hasn't already been reported, use
             * libcurl's description.
             */
            if (actx->errbuf.len == 0)
                actx_error_str(actx, curl_easy_strerror(msg->data.result));
 
            return PGRES_POLLING_FAILED;
        }
 
        /* Now remove the finished handle; we'll add it back later if needed. */
        err = curl_multi_remove_handle(actx->curlm, msg->easy_handle);
        if (err)
        {
            actx_error(actx, "libcurl easy handle removal failed: %s",
                       curl_multi_strerror(err));
            return PGRES_POLLING_FAILED;
        }
 
        done = true;
    }
 
    /* Sanity check. */
    if (!done)
    {
        actx_error(actx, "no result was retrieved for the finished handle");
        return PGRES_POLLING_FAILED;
    }
 
    return PGRES_POLLING_OK;
}

References actx_error, actx_error_str, CURL_IGNORE_DEPRECATION, async_ctx::curlm, err(), async_ctx::errbuf, PQExpBufferData::len, PGRES_POLLING_FAILED, PGRES_POLLING_OK, PGRES_POLLING_READING, and async_ctx::running.

Referenced by pg_fe_run_oauth_flow_impl().

◆ finish_device_authz()

static bool finish_device_authz ( struct async_ctx * actx )

static

Definition at line 2262 of file fe-auth-oauth-curl.c.

{
    long        response_code;
 
    CHECK_GETINFO(actx, CURLINFO_RESPONSE_CODE, &response_code, return false);
 
    /*
     * Per RFC 8628, Section 3, a successful device authorization response
     * uses 200 OK.
     */
    if (response_code == 200)
    {
        actx->errctx = "failed to parse device authorization";
        if (!parse_device_authz(actx, &actx->authz))
            return false;       /* error message already set */
 
        return true;
    }
 
    /*
     * The device authorization endpoint uses the same error response as the
     * token endpoint, so the error handling roughly follows
     * finish_token_request(). The key difference is that an error here is
     * immediately fatal.
     */
    if (response_code == 400 || response_code == 401)
    {
        struct token_error err = {0};
 
        if (!parse_token_error(actx, &err))
        {
            free_token_error(&err);
            return false;
        }
 
        /* Copy the token error into the context error buffer */
        record_token_error(actx, &err);
 
        free_token_error(&err);
        return false;
    }
 
    /* Any other response codes are considered invalid */
    actx_error(actx, "unexpected response code %ld", response_code);
    return false;
}

References actx_error, async_ctx::authz, CHECK_GETINFO, err(), async_ctx::errctx, free_token_error(), parse_device_authz(), parse_token_error(), and record_token_error().

Referenced by pg_fe_run_oauth_flow_impl().

◆ finish_discovery()

static bool finish_discovery ( struct async_ctx * actx )

static

Definition at line 1983 of file fe-auth-oauth-curl.c.

{
    long        response_code;
 
    /*----
     * Now check the response. OIDC Discovery 1.0 is pretty strict:
     *
     *     A successful response MUST use the 200 OK HTTP status code and
     *     return a JSON object using the application/json content type that
     *     contains a set of Claims as its members that are a subset of the
     *     Metadata values defined in Section 3.
     *
     * Compared to standard HTTP semantics, this makes life easy -- we don't
     * need to worry about redirections (which would call the Issuer host
     * validation into question), or non-authoritative responses, or any other
     * complications.
     */
    CHECK_GETINFO(actx, CURLINFO_RESPONSE_CODE, &response_code, return false);
 
    if (response_code != 200)
    {
        actx_error(actx, "unexpected response code %ld", response_code);
        return false;
    }
 
    /*
     * Pull the fields we care about from the document.
     */
    actx->errctx = "failed to parse OpenID discovery document";
    if (!parse_provider(actx, &actx->provider))
        return false;           /* error message already set */
 
    /*
     * Fill in any defaults for OPTIONAL/RECOMMENDED fields we care about.
     */
    if (!actx->provider.grant_types_supported)
    {
        /*
         * Per Section 3, the default is ["authorization_code", "implicit"].
         */
        struct curl_slist *temp = actx->provider.grant_types_supported;
 
        temp = curl_slist_append(temp, "authorization_code");
        if (temp)
        {
            temp = curl_slist_append(temp, "implicit");
        }
 
        if (!temp)
        {
            actx_error(actx, "out of memory");
            return false;
        }
 
        actx->provider.grant_types_supported = temp;
    }
 
    return true;
}

References actx_error, CHECK_GETINFO, async_ctx::errctx, provider::grant_types_supported, parse_provider(), and async_ctx::provider.

Referenced by pg_fe_run_oauth_flow_impl().

◆ finish_token_request()

static bool finish_token_request	(	struct async_ctx *	actx,
		struct token *	tok
	)

static

Definition at line 2351 of file fe-auth-oauth-curl.c.

{
    long        response_code;
 
    CHECK_GETINFO(actx, CURLINFO_RESPONSE_CODE, &response_code, return false);
 
    /*
     * Per RFC 6749, Section 5, a successful response uses 200 OK.
     */
    if (response_code == 200)
    {
        actx->errctx = "failed to parse access token response";
        if (!parse_access_token(actx, tok))
            return false;       /* error message already set */
 
        return true;
    }
 
    /*
     * An error response uses either 400 Bad Request or 401 Unauthorized.
     * There are references online to implementations using 403 for error
     * return which would violate the specification. For now we stick to the
     * specification but we might have to revisit this.
     */
    if (response_code == 400 || response_code == 401)
    {
        if (!parse_token_error(actx, &tok->err))
            return false;
 
        return true;
    }
 
    /* Any other response codes are considered invalid */
    actx_error(actx, "unexpected response code %ld", response_code);
    return false;
}

References actx_error, CHECK_GETINFO, token::err, async_ctx::errctx, parse_access_token(), and parse_token_error().

Referenced by handle_token_response().

◆ free_async_ctx()

static void free_async_ctx	(	PGconn *	conn,
		struct async_ctx *	actx
	)

static

Definition at line 237 of file fe-auth-oauth-curl.c.

{
    /*
     * In general, none of the error cases below should ever happen if we have
     * no bugs above. But if we do hit them, surfacing those errors somehow
     * might be the only way to have a chance to debug them.
     *
     * TODO: At some point it'd be nice to have a standard way to warn about
     * teardown failures. Appending to the connection's error message only
     * helps if the bug caused a connection failure; otherwise it'll be
     * buried...
     */
 
    if (actx->curlm && actx->curl)
    {
        CURLMcode   err = curl_multi_remove_handle(actx->curlm, actx->curl);
 
        if (err)
            libpq_append_conn_error(conn,
                                    "libcurl easy handle removal failed: %s",
                                    curl_multi_strerror(err));
    }
 
    if (actx->curl)
    {
        /*
         * curl_multi_cleanup() doesn't free any associated easy handles; we
         * need to do that separately. We only ever have one easy handle per
         * multi handle.
         */
        curl_easy_cleanup(actx->curl);
    }
 
    if (actx->curlm)
    {
        CURLMcode   err = curl_multi_cleanup(actx->curlm);
 
        if (err)
            libpq_append_conn_error(conn,
                                    "libcurl multi handle cleanup failed: %s",
                                    curl_multi_strerror(err));
    }
 
    free_provider(&actx->provider);
    free_device_authz(&actx->authz);
 
    curl_slist_free_all(actx->headers);
    termPQExpBuffer(&actx->work_data);
    termPQExpBuffer(&actx->errbuf);
 
    if (actx->mux != PGINVALID_SOCKET)
        close(actx->mux);
    if (actx->timerfd >= 0)
        close(actx->timerfd);
 
    free(actx);
}

References async_ctx::authz, close, conn, async_ctx::curl, async_ctx::curlm, err(), async_ctx::errbuf, free, free_device_authz(), free_provider(), async_ctx::headers, libpq_append_conn_error(), async_ctx::mux, PGINVALID_SOCKET, async_ctx::provider, termPQExpBuffer(), async_ctx::timerfd, and async_ctx::work_data.

Referenced by pg_fe_cleanup_oauth_flow().

◆ free_device_authz()

static void free_device_authz ( struct device_authz * authz )

static

Definition at line 101 of file fe-auth-oauth-curl.c.

{
    free(authz->device_code);
    free(authz->user_code);
    free(authz->verification_uri);
    free(authz->verification_uri_complete);
    free(authz->expires_in_str);
    free(authz->interval_str);
}

References device_authz::device_code, device_authz::expires_in_str, free, device_authz::interval_str, device_authz::user_code, device_authz::verification_uri, and device_authz::verification_uri_complete.

Referenced by free_async_ctx().

◆ free_provider()

static void free_provider ( struct provider * provider )

static

Definition at line 73 of file fe-auth-oauth-curl.c.

{
    free(provider->issuer);
    free(provider->token_endpoint);
    free(provider->device_authorization_endpoint);
    curl_slist_free_all(provider->grant_types_supported);
}

References provider::device_authorization_endpoint, free, provider::grant_types_supported, provider::issuer, and provider::token_endpoint.

Referenced by free_async_ctx().

◆ free_token()

static void free_token ( struct token * tok )

static

Definition at line 152 of file fe-auth-oauth-curl.c.

{
    free(tok->access_token);
    free(tok->token_type);
    free_token_error(&tok->err);
}

References token::access_token, token::err, free, free_token_error(), and token::token_type.

Referenced by handle_token_response().

◆ free_token_error()

static void free_token_error ( struct token_error * err )

static

Definition at line 126 of file fe-auth-oauth-curl.c.

{
    free(err->error);
    free(err->error_description);
}

References err(), and free.

Referenced by finish_device_authz(), and free_token().

◆ handle_token_response()

static bool handle_token_response	(	struct async_ctx *	actx,
		char **	token
	)

static

Definition at line 2398 of file fe-auth-oauth-curl.c.

{
    bool        success = false;
    struct token tok = {0};
    const struct token_error *err;
 
    if (!finish_token_request(actx, &tok))
        goto token_cleanup;
 
    /* A successful token request gives either a token or an in-band error. */
    Assert(tok.access_token || tok.err.error);
 
    if (tok.access_token)
    {
        *token = tok.access_token;
        tok.access_token = NULL;
 
        success = true;
        goto token_cleanup;
    }
 
    /*
     * authorization_pending and slow_down are the only acceptable errors;
     * anything else and we bail. These are defined in RFC 8628, Sec. 3.5.
     */
    err = &tok.err;
    if (strcmp(err->error, "authorization_pending") != 0 &&
        strcmp(err->error, "slow_down") != 0)
    {
        record_token_error(actx, err);
        goto token_cleanup;
    }
 
    /*
     * A slow_down error requires us to permanently increase our retry
     * interval by five seconds.
     */
    if (strcmp(err->error, "slow_down") == 0)
    {
        int         prev_interval = actx->authz.interval;
 
        actx->authz.interval += 5;
        if (actx->authz.interval < prev_interval)
        {
            actx_error(actx, "slow_down interval overflow");
            goto token_cleanup;
        }
    }
 
    success = true;
 
token_cleanup:
    free_token(&tok);
    return success;
}

References token::access_token, actx_error, Assert(), async_ctx::authz, token::err, err(), token_error::error, finish_token_request(), free_token(), device_authz::interval, record_token_error(), and success.

Referenced by pg_fe_run_oauth_flow_impl().

◆ initialize_curl()

static bool initialize_curl ( PGconn * conn )

static

Definition at line 2503 of file fe-auth-oauth-curl.c.

{
    /*
     * Don't let the compiler play tricks with this variable. In the
     * HAVE_THREADSAFE_CURL_GLOBAL_INIT case, we don't care if two threads
     * enter simultaneously, but we do care if this gets set transiently to
     * PG_BOOL_YES/NO in cases where that's not the final answer.
     */
    static volatile PGTernaryBool init_successful = PG_BOOL_UNKNOWN;
#if HAVE_THREADSAFE_CURL_GLOBAL_INIT
    curl_version_info_data *info;
#endif
 
#if !HAVE_THREADSAFE_CURL_GLOBAL_INIT
 
    /*
     * Lock around the whole function. If a libpq client performs its own work
     * with libcurl, it must either ensure that Curl is initialized safely
     * before calling us (in which case our call will be a no-op), or else it
     * must guard its own calls to curl_global_init() with a registered
     * threadlock handler. See PQregisterThreadLock().
     */
    pglock_thread();
#endif
 
    /*
     * Skip initialization if we've already done it. (Curl tracks the number
     * of calls; there's no point in incrementing the counter every time we
     * connect.)
     */
    if (init_successful == PG_BOOL_YES)
        goto done;
    else if (init_successful == PG_BOOL_NO)
    {
        libpq_append_conn_error(conn,
                                "curl_global_init previously failed during OAuth setup");
        goto done;
    }
 
    /*
     * We know we've already initialized Winsock by this point (see
     * pqMakeEmptyPGconn()), so we should be able to safely skip that bit. But
     * we have to tell libcurl to initialize everything else, because other
     * pieces of our client executable may already be using libcurl for their
     * own purposes. If we initialize libcurl with only a subset of its
     * features, we could break those other clients nondeterministically, and
     * that would probably be a nightmare to debug.
     *
     * If some other part of the program has already called this, it's a
     * no-op.
     */
    if (curl_global_init(CURL_GLOBAL_ALL & ~CURL_GLOBAL_WIN32) != CURLE_OK)
    {
        libpq_append_conn_error(conn,
                                "curl_global_init failed during OAuth setup");
        init_successful = PG_BOOL_NO;
        goto done;
    }
 
#if HAVE_THREADSAFE_CURL_GLOBAL_INIT
 
    /*
     * If we determined at configure time that the Curl installation is
     * thread-safe, our job here is much easier. We simply initialize above
     * without any locking (concurrent or duplicated calls are fine in that
     * situation), then double-check to make sure the runtime setting agrees,
     * to try to catch silent downgrades.
     */
    info = curl_version_info(CURLVERSION_NOW);
    if (!(info->features & CURL_VERSION_THREADSAFE))
    {
        /*
         * In a downgrade situation, the damage is already done. Curl global
         * state may be corrupted. Be noisy.
         */
        libpq_append_conn_error(conn, "libcurl is no longer thread-safe\n"
                                "\tCurl initialization was reported thread-safe when libpq\n"
                                "\twas compiled, but the currently installed version of\n"
                                "\tlibcurl reports that it is not. Recompile libpq against\n"
                                "\tthe installed version of libcurl.");
        init_successful = PG_BOOL_NO;
        goto done;
    }
#endif
 
    init_successful = PG_BOOL_YES;
 
done:
#if !HAVE_THREADSAFE_CURL_GLOBAL_INIT
    pgunlock_thread();
#endif
    return (init_successful == PG_BOOL_YES);
}

References conn, libpq_append_conn_error(), PG_BOOL_NO, PG_BOOL_UNKNOWN, PG_BOOL_YES, pglock_thread, and pgunlock_thread.

Referenced by pg_fe_run_oauth_flow_impl().

◆ oauth_json_array_end()

static JsonParseErrorType oauth_json_array_end ( void * state )

static

Definition at line 570 of file fe-auth-oauth-curl.c.

{
    struct oauth_parse *ctx = state;
 
    if (ctx->active)
    {
        /*
         * Clear the target (which should be an array inside the top-level
         * object). For this to be safe, no target arrays can contain other
         * arrays; we check for that in the array_start callback.
         */
        if (ctx->nested != 2 || ctx->active->type != JSON_TOKEN_ARRAY_START)
        {
            Assert(false);
            oauth_parse_set_error(ctx,
                                  "internal error: found unexpected array end while parsing field '%s'",
                                  ctx->active->name);
            return JSON_SEM_ACTION_FAILED;
        }
 
        ctx->active = NULL;
    }
 
    --ctx->nested;
    return JSON_SUCCESS;
}

References oauth_parse::active, Assert(), JSON_SEM_ACTION_FAILED, JSON_SUCCESS, JSON_TOKEN_ARRAY_START, json_field::name, oauth_parse::nested, oauth_parse_set_error, and json_field::type.

Referenced by parse_oauth_json().

◆ oauth_json_array_start()

static JsonParseErrorType oauth_json_array_start ( void * state )

static

Definition at line 544 of file fe-auth-oauth-curl.c.

{
    struct oauth_parse *ctx = state;
 
    if (!ctx->nested)
    {
        oauth_parse_set_error(ctx, "top-level element must be an object");
        return JSON_SEM_ACTION_FAILED;
    }
 
    if (ctx->active)
    {
        if (ctx->active->type != JSON_TOKEN_ARRAY_START
        /* The arrays we care about must not have arrays as values. */
            || ctx->nested > 1)
        {
            report_type_mismatch(ctx);
            return JSON_SEM_ACTION_FAILED;
        }
    }
 
    ++ctx->nested;
    return JSON_SUCCESS;
}

References oauth_parse::active, JSON_SEM_ACTION_FAILED, JSON_SUCCESS, JSON_TOKEN_ARRAY_START, oauth_parse::nested, oauth_parse_set_error, report_type_mismatch(), and json_field::type.

Referenced by parse_oauth_json().

◆ oauth_json_object_end()

static JsonParseErrorType oauth_json_object_end ( void * state )

static

Definition at line 521 of file fe-auth-oauth-curl.c.

{
    struct oauth_parse *ctx = state;
 
    --ctx->nested;
 
    /*
     * All fields should be fully processed by the end of the top-level
     * object.
     */
    if (!ctx->nested && ctx->active)
    {
        Assert(false);
        oauth_parse_set_error(ctx,
                              "internal error: field '%s' still active at end of object",
                              ctx->active->name);
        return JSON_SEM_ACTION_FAILED;
    }
 
    return JSON_SUCCESS;
}

References oauth_parse::active, Assert(), JSON_SEM_ACTION_FAILED, JSON_SUCCESS, json_field::name, oauth_parse::nested, and oauth_parse_set_error.

Referenced by parse_oauth_json().

◆ oauth_json_object_field_start()

static JsonParseErrorType oauth_json_object_field_start	(	void *	state,
		char *	name,
		bool	isnull
	)

static

Definition at line 466 of file fe-auth-oauth-curl.c.

{
    struct oauth_parse *ctx = state;
 
    /* We care only about the top-level fields. */
    if (ctx->nested == 1)
    {
        const struct json_field *field = ctx->fields;
 
        /*
         * We should never start parsing a new field while a previous one is
         * still active.
         */
        if (ctx->active)
        {
            Assert(false);
            oauth_parse_set_error(ctx,
                                  "internal error: started field '%s' before field '%s' was finished",
                                  name, ctx->active->name);
            return JSON_SEM_ACTION_FAILED;
        }
 
        while (field->name)
        {
            if (strcmp(name, field->name) == 0)
            {
                ctx->active = field;
                break;
            }
 
            ++field;
        }
 
        /*
         * We don't allow duplicate field names; error out if the target has
         * already been set.
         */
        if (ctx->active)
        {
            field = ctx->active;
 
            if ((field->type == JSON_TOKEN_ARRAY_START && *field->target.array)
                || (field->type != JSON_TOKEN_ARRAY_START && *field->target.scalar))
            {
                oauth_parse_set_error(ctx, "field \"%s\" is duplicated",
                                      field->name);
                return JSON_SEM_ACTION_FAILED;
            }
        }
    }
 
    return JSON_SUCCESS;
}

References oauth_parse::active, json_field::array, Assert(), oauth_parse::fields, JSON_SEM_ACTION_FAILED, JSON_SUCCESS, JSON_TOKEN_ARRAY_START, name, json_field::name, oauth_parse::nested, oauth_parse_set_error, json_field::scalar, json_field::target, and json_field::type.

Referenced by parse_oauth_json().

◆ oauth_json_object_start()

static JsonParseErrorType oauth_json_object_start ( void * state )

static

Definition at line 447 of file fe-auth-oauth-curl.c.

{
    struct oauth_parse *ctx = state;
 
    if (ctx->active)
    {
        /*
         * Currently, none of the fields we're interested in can be or contain
         * objects, so we can reject this case outright.
         */
        report_type_mismatch(ctx);
        return JSON_SEM_ACTION_FAILED;
    }
 
    ++ctx->nested;
    return JSON_SUCCESS;
}

References oauth_parse::active, JSON_SEM_ACTION_FAILED, JSON_SUCCESS, oauth_parse::nested, and report_type_mismatch().

Referenced by parse_oauth_json().

◆ oauth_json_scalar()

static JsonParseErrorType oauth_json_scalar	(	void *	state,
		char *	token,
		JsonTokenType	type
	)

static

Definition at line 598 of file fe-auth-oauth-curl.c.

{
    struct oauth_parse *ctx = state;
 
    if (!ctx->nested)
    {
        oauth_parse_set_error(ctx, "top-level element must be an object");
        return JSON_SEM_ACTION_FAILED;
    }
 
    if (ctx->active)
    {
        const struct json_field *field = ctx->active;
        JsonTokenType expected = field->type;
 
        /* Make sure this matches what the active field expects. */
        if (expected == JSON_TOKEN_ARRAY_START)
        {
            /* Are we actually inside an array? */
            if (ctx->nested < 2)
            {
                report_type_mismatch(ctx);
                return JSON_SEM_ACTION_FAILED;
            }
 
            /* Currently, arrays can only contain strings. */
            expected = JSON_TOKEN_STRING;
        }
 
        if (type != expected)
        {
            report_type_mismatch(ctx);
            return JSON_SEM_ACTION_FAILED;
        }
 
        if (field->type != JSON_TOKEN_ARRAY_START)
        {
            /* Ensure that we're parsing the top-level keys... */
            if (ctx->nested != 1)
            {
                Assert(false);
                oauth_parse_set_error(ctx,
                                      "internal error: scalar target found at nesting level %d",
                                      ctx->nested);
                return JSON_SEM_ACTION_FAILED;
            }
 
            /* ...and that a result has not already been set. */
            if (*field->target.scalar)
            {
                Assert(false);
                oauth_parse_set_error(ctx,
                                      "internal error: scalar field '%s' would be assigned twice",
                                      ctx->active->name);
                return JSON_SEM_ACTION_FAILED;
            }
 
            *field->target.scalar = strdup(token);
            if (!*field->target.scalar)
                return JSON_OUT_OF_MEMORY;
 
            ctx->active = NULL;
 
            return JSON_SUCCESS;
        }
        else
        {
            struct curl_slist *temp;
 
            /* The target array should be inside the top-level object. */
            if (ctx->nested != 2)
            {
                Assert(false);
                oauth_parse_set_error(ctx,
                                      "internal error: array member found at nesting level %d",
                                      ctx->nested);
                return JSON_SEM_ACTION_FAILED;
            }
 
            /* Note that curl_slist_append() makes a copy of the token. */
            temp = curl_slist_append(*field->target.array, token);
            if (!temp)
                return JSON_OUT_OF_MEMORY;
 
            *field->target.array = temp;
        }
    }
    else
    {
        /* otherwise we just ignore it */
    }
 
    return JSON_SUCCESS;
}

References oauth_parse::active, json_field::array, Assert(), JSON_OUT_OF_MEMORY, JSON_SEM_ACTION_FAILED, JSON_SUCCESS, JSON_TOKEN_ARRAY_START, JSON_TOKEN_STRING, json_field::name, oauth_parse::nested, oauth_parse_set_error, report_type_mismatch(), json_field::scalar, json_field::target, type, and json_field::type.

Referenced by parse_oauth_json().

◆ parse_access_token()

static bool parse_access_token	(	struct async_ctx *	actx,
		struct token *	tok
	)

static

Definition at line 1069 of file fe-auth-oauth-curl.c.

{
    struct json_field fields[] = {
        {"access_token", JSON_TOKEN_STRING, {&tok->access_token}, PG_OAUTH_REQUIRED},
        {"token_type", JSON_TOKEN_STRING, {&tok->token_type}, PG_OAUTH_REQUIRED},
 
        /*---
         * We currently have no use for the following OPTIONAL fields:
         *
         * - expires_in: This will be important for maintaining a token cache,
         *               but we do not yet implement one.
         *
         * - refresh_token: Ditto.
         *
         * - scope: This is only sent when the authorization server sees fit to
         *          change our scope request. It's not clear what we should do
         *          about this; either it's been done as a matter of policy, or
         *          the user has explicitly denied part of the authorization,
         *          and either way the server-side validator is in a better
         *          place to complain if the change isn't acceptable.
         */
 
        {0},
    };
 
    return parse_oauth_json(actx, fields);
}

References token::access_token, JSON_TOKEN_STRING, parse_oauth_json(), PG_OAUTH_REQUIRED, and token::token_type.

Referenced by finish_token_request().

◆ parse_device_authz()

static bool parse_device_authz	(	struct async_ctx *	actx,
		struct device_authz *	authz
	)

static

Definition at line 955 of file fe-auth-oauth-curl.c.

{
    struct json_field fields[] = {
        {"device_code", JSON_TOKEN_STRING, {&authz->device_code}, PG_OAUTH_REQUIRED},
        {"user_code", JSON_TOKEN_STRING, {&authz->user_code}, PG_OAUTH_REQUIRED},
        {"verification_uri", JSON_TOKEN_STRING, {&authz->verification_uri}, PG_OAUTH_REQUIRED},
        {"expires_in", JSON_TOKEN_NUMBER, {&authz->expires_in_str}, PG_OAUTH_REQUIRED},
 
        /*
         * Some services (Google, Azure) spell verification_uri differently.
         * We accept either.
         */
        {"verification_url", JSON_TOKEN_STRING, {&authz->verification_uri}, PG_OAUTH_REQUIRED},
 
        /*
         * There is no evidence of verification_uri_complete being spelled
         * with "url" instead with any service provider, so only support
         * "uri".
         */
        {"verification_uri_complete", JSON_TOKEN_STRING, {&authz->verification_uri_complete}, PG_OAUTH_OPTIONAL},
        {"interval", JSON_TOKEN_NUMBER, {&authz->interval_str}, PG_OAUTH_OPTIONAL},
 
        {0},
    };
 
    if (!parse_oauth_json(actx, fields))
        return false;
 
    /*
     * Parse our numeric fields. Lexing has already completed by this time, so
     * we at least know they're valid JSON numbers.
     */
    if (authz->interval_str)
        authz->interval = parse_interval(actx, authz->interval_str);
    else
    {
        /*
         * RFC 8628 specifies 5 seconds as the default value if the server
         * doesn't provide an interval.
         */
        authz->interval = 5;
    }
 
    Assert(authz->expires_in_str);  /* ensured by parse_oauth_json() */
    authz->expires_in = parse_expires_in(actx, authz->expires_in_str);
 
    return true;
}

References Assert(), device_authz::device_code, device_authz::expires_in, device_authz::expires_in_str, device_authz::interval, device_authz::interval_str, JSON_TOKEN_NUMBER, JSON_TOKEN_STRING, parse_expires_in(), parse_interval(), parse_oauth_json(), PG_OAUTH_OPTIONAL, PG_OAUTH_REQUIRED, device_authz::user_code, device_authz::verification_uri, and device_authz::verification_uri_complete.

Referenced by finish_device_authz().

◆ parse_expires_in()

static int parse_expires_in	(	struct async_ctx *	actx,
		const char *	expires_in_str
	)

static

Definition at line 936 of file fe-auth-oauth-curl.c.

{
    double      parsed;
 
    parsed = parse_json_number(expires_in_str);
    parsed = floor(parsed);
 
    if (parsed >= INT_MAX)
        return INT_MAX;
    else if (parsed <= INT_MIN)
        return INT_MIN;
 
    return parsed;
}

References parse_json_number().

Referenced by parse_device_authz().

◆ parse_interval()

static int parse_interval	(	struct async_ctx *	actx,
		const char *	interval_str
	)

static

Definition at line 910 of file fe-auth-oauth-curl.c.

{
    double      parsed;
 
    parsed = parse_json_number(interval_str);
    parsed = ceil(parsed);
 
    if (parsed < 1)
        return actx->debugging ? 0 : 1;
 
    else if (parsed >= INT_MAX)
        return INT_MAX;
 
    return parsed;
}

References async_ctx::debugging, and parse_json_number().

Referenced by parse_device_authz().

◆ parse_json_number()

static double parse_json_number ( const char * s )

static

Definition at line 875 of file fe-auth-oauth-curl.c.

{
    double      parsed;
    int         cnt;
 
    /*
     * The JSON lexer has already validated the number, which is stricter than
     * the %f format, so we should be good to use sscanf().
     */
    cnt = sscanf(s, "%lf", &parsed);
 
    if (cnt != 1)
    {
        /*
         * Either the lexer screwed up or our assumption above isn't true, and
         * either way a developer needs to take a look.
         */
        Assert(false);
        return 0;
    }
 
    return parsed;
}

References Assert().

Referenced by parse_expires_in(), and parse_interval().

◆ parse_oauth_json()

static bool parse_oauth_json	(	struct async_ctx *	actx,
		const struct json_field *	fields
	)

static

Definition at line 757 of file fe-auth-oauth-curl.c.

{
    PQExpBuffer resp = &actx->work_data;
    JsonLexContext lex = {0};
    JsonSemAction sem = {0};
    JsonParseErrorType err;
    struct oauth_parse ctx = {0};
    bool        success = false;
 
    if (!check_content_type(actx, "application/json"))
        return false;
 
    if (strlen(resp->data) != resp->len)
    {
        actx_error(actx, "response contains embedded NULLs");
        return false;
    }
 
    /*
     * pg_parse_json doesn't validate the incoming UTF-8, so we have to check
     * that up front.
     */
    if (pg_encoding_verifymbstr(PG_UTF8, resp->data, resp->len) != resp->len)
    {
        actx_error(actx, "response is not valid UTF-8");
        return false;
    }
 
    makeJsonLexContextCstringLen(&lex, resp->data, resp->len, PG_UTF8, true);
    setJsonLexContextOwnsTokens(&lex, true);    /* must not leak on error */
 
    ctx.errbuf = &actx->errbuf;
    ctx.fields = fields;
    sem.semstate = &ctx;
 
    sem.object_start = oauth_json_object_start;
    sem.object_field_start = oauth_json_object_field_start;
    sem.object_end = oauth_json_object_end;
    sem.array_start = oauth_json_array_start;
    sem.array_end = oauth_json_array_end;
    sem.scalar = oauth_json_scalar;
 
    err = pg_parse_json(&lex, &sem);
 
    if (err != JSON_SUCCESS)
    {
        /*
         * For JSON_SEM_ACTION_FAILED, we've already written the error
         * message. Other errors come directly from pg_parse_json(), already
         * translated.
         */
        if (err != JSON_SEM_ACTION_FAILED)
            actx_error_str(actx, json_errdetail(err, &lex));
 
        goto cleanup;
    }
 
    /* Check all required fields. */
    while (fields->name)
    {
        if (fields->required
            && !*fields->target.scalar
            && !*fields->target.array)
        {
            actx_error(actx, "field \"%s\" is missing", fields->name);
            goto cleanup;
        }
 
        fields++;
    }
 
    success = true;
 
cleanup:
    freeJsonLexContext(&lex);
    return success;
}

References actx_error, actx_error_str, json_field::array, JsonSemAction::array_end, JsonSemAction::array_start, check_content_type(), cleanup(), PQExpBufferData::data, err(), async_ctx::errbuf, oauth_parse::errbuf, oauth_parse::fields, freeJsonLexContext(), json_errdetail(), JSON_SEM_ACTION_FAILED, JSON_SUCCESS, PQExpBufferData::len, makeJsonLexContextCstringLen(), json_field::name, oauth_json_array_end(), oauth_json_array_start(), oauth_json_object_end(), oauth_json_object_field_start(), oauth_json_object_start(), oauth_json_scalar(), JsonSemAction::object_end, JsonSemAction::object_field_start, JsonSemAction::object_start, pg_encoding_verifymbstr(), pg_parse_json(), PG_UTF8, json_field::required, JsonSemAction::scalar, json_field::scalar, sem, JsonSemAction::semstate, setJsonLexContextOwnsTokens(), success, json_field::target, and async_ctx::work_data.

Referenced by parse_access_token(), parse_device_authz(), parse_provider(), and parse_token_error().

◆ parse_provider()

static bool parse_provider	(	struct async_ctx *	actx,
		struct provider *	provider
	)

static

Definition at line 844 of file fe-auth-oauth-curl.c.

{
    struct json_field fields[] = {
        {"issuer", JSON_TOKEN_STRING, {&provider->issuer}, PG_OAUTH_REQUIRED},
        {"token_endpoint", JSON_TOKEN_STRING, {&provider->token_endpoint}, PG_OAUTH_REQUIRED},
 
        /*----
         * The following fields are technically REQUIRED, but we don't use
         * them anywhere yet:
         *
         * - jwks_uri
         * - response_types_supported
         * - subject_types_supported
         * - id_token_signing_alg_values_supported
         */
 
        {"device_authorization_endpoint", JSON_TOKEN_STRING, {&provider->device_authorization_endpoint}, PG_OAUTH_OPTIONAL},
        {"grant_types_supported", JSON_TOKEN_ARRAY_START, {.array = &provider->grant_types_supported}, PG_OAUTH_OPTIONAL},
 
        {0},
    };
 
    return parse_oauth_json(actx, fields);
}

References provider::device_authorization_endpoint, provider::grant_types_supported, provider::issuer, JSON_TOKEN_ARRAY_START, JSON_TOKEN_STRING, parse_oauth_json(), PG_OAUTH_OPTIONAL, PG_OAUTH_REQUIRED, and provider::token_endpoint.

Referenced by finish_discovery().

◆ parse_token_error()

static bool parse_token_error	(	struct async_ctx *	actx,
		struct token_error *	err
	)

static

Definition at line 1009 of file fe-auth-oauth-curl.c.

{
    bool        result;
    struct json_field fields[] = {
        {"error", JSON_TOKEN_STRING, {&err->error}, PG_OAUTH_REQUIRED},
 
        {"error_description", JSON_TOKEN_STRING, {&err->error_description}, PG_OAUTH_OPTIONAL},
 
        {0},
    };
 
    result = parse_oauth_json(actx, fields);
 
    /*
     * Since token errors are parsed during other active error paths, only
     * override the errctx if parsing explicitly fails.
     */
    if (!result)
        actx->errctx = "failed to parse token error response";
 
    return result;
}

References err(), async_ctx::errctx, JSON_TOKEN_STRING, parse_oauth_json(), PG_OAUTH_OPTIONAL, and PG_OAUTH_REQUIRED.

Referenced by finish_device_authz(), and finish_token_request().

◆ pg_fe_cleanup_oauth_flow()

void pg_fe_cleanup_oauth_flow ( PGconn * conn )

Definition at line 304 of file fe-auth-oauth-curl.c.

{
    fe_oauth_state *state = conn->sasl_state;
 
    if (state->async_ctx)
    {
        free_async_ctx(conn, state->async_ctx);
        state->async_ctx = NULL;
    }
 
    conn->altsock = PGINVALID_SOCKET;
}

References pg_conn::altsock, conn, free_async_ctx(), PGINVALID_SOCKET, and pg_conn::sasl_state.

Referenced by setup_token_request().

◆ pg_fe_run_oauth_flow()

PostgresPollingStatusType pg_fe_run_oauth_flow ( PGconn * conn )

Definition at line 2850 of file fe-auth-oauth-curl.c.

{
    PostgresPollingStatusType result;
#ifndef WIN32
    sigset_t    osigset;
    bool        sigpipe_pending;
    bool        masked;
 
    /*---
     * Ignore SIGPIPE on this thread during all Curl processing.
     *
     * Because we support multiple threads, we have to set up libcurl with
     * CURLOPT_NOSIGNAL, which disables its default global handling of
     * SIGPIPE. From the Curl docs:
     *
     *     libcurl makes an effort to never cause such SIGPIPE signals to
     *     trigger, but some operating systems have no way to avoid them and
     *     even on those that have there are some corner cases when they may
     *     still happen, contrary to our desire.
     *
     * Note that libcurl is also at the mercy of its DNS resolution and SSL
     * libraries; if any of them forget a MSG_NOSIGNAL then we're in trouble.
     * Modern platforms and libraries seem to get it right, so this is a
     * difficult corner case to exercise in practice, and unfortunately it's
     * not really clear whether it's necessary in all cases.
     */
    masked = (pq_block_sigpipe(&osigset, &sigpipe_pending) == 0);
#endif
 
    result = pg_fe_run_oauth_flow_impl(conn);
 
#ifndef WIN32
    if (masked)
    {
        /*
         * Undo the SIGPIPE mask. Assume we may have gotten EPIPE (we have no
         * way of knowing at this level).
         */
        pq_reset_sigpipe(&osigset, sigpipe_pending, true /* EPIPE, maybe */ );
    }
#endif
 
    return result;
}

References conn, pg_fe_run_oauth_flow_impl(), pq_block_sigpipe(), and pq_reset_sigpipe().

Referenced by setup_token_request().

◆ pg_fe_run_oauth_flow_impl()

static PostgresPollingStatusType pg_fe_run_oauth_flow_impl ( PGconn * conn )

static

Definition at line 2612 of file fe-auth-oauth-curl.c.

{
    fe_oauth_state *state = conn->sasl_state;
    struct async_ctx *actx;
 
    if (!initialize_curl(conn))
        return PGRES_POLLING_FAILED;
 
    if (!state->async_ctx)
    {
        /*
         * Create our asynchronous state, and hook it into the upper-level
         * OAuth state immediately, so any failures below won't leak the
         * context allocation.
         */
        actx = calloc(1, sizeof(*actx));
        if (!actx)
        {
            libpq_append_conn_error(conn, "out of memory");
            return PGRES_POLLING_FAILED;
        }
 
        actx->mux = PGINVALID_SOCKET;
        actx->timerfd = -1;
 
        /* Should we enable unsafe features? */
        actx->debugging = oauth_unsafe_debugging_enabled();
 
        state->async_ctx = actx;
 
        initPQExpBuffer(&actx->work_data);
        initPQExpBuffer(&actx->errbuf);
 
        if (!setup_multiplexer(actx))
            goto error_return;
 
        if (!setup_curl_handles(actx))
            goto error_return;
    }
 
    actx = state->async_ctx;
 
    do
    {
        /* By default, the multiplexer is the altsock. Reassign as desired. */
        conn->altsock = actx->mux;
 
        switch (actx->step)
        {
            case OAUTH_STEP_INIT:
                break;
 
            case OAUTH_STEP_DISCOVERY:
            case OAUTH_STEP_DEVICE_AUTHORIZATION:
            case OAUTH_STEP_TOKEN_REQUEST:
                {
                    PostgresPollingStatusType status;
 
                    status = drive_request(actx);
 
                    if (status == PGRES_POLLING_FAILED)
                        goto error_return;
                    else if (status != PGRES_POLLING_OK)
                    {
                        /* not done yet */
                        return status;
                    }
 
                    break;
                }
 
            case OAUTH_STEP_WAIT_INTERVAL:
 
                /*
                 * The client application is supposed to wait until our timer
                 * expires before calling PQconnectPoll() again, but that
                 * might not happen. To avoid sending a token request early,
                 * check the timer before continuing.
                 */
                if (!timer_expired(actx))
                {
                    conn->altsock = actx->timerfd;
                    return PGRES_POLLING_READING;
                }
 
                /* Disable the expired timer. */
                if (!set_timer(actx, -1))
                    goto error_return;
 
                break;
        }
 
        /*
         * Each case here must ensure that actx->running is set while we're
         * waiting on some asynchronous work. Most cases rely on
         * start_request() to do that for them.
         */
        switch (actx->step)
        {
            case OAUTH_STEP_INIT:
                actx->errctx = "failed to fetch OpenID discovery document";
                if (!start_discovery(actx, conn->oauth_discovery_uri))
                    goto error_return;
 
                actx->step = OAUTH_STEP_DISCOVERY;
                break;
 
            case OAUTH_STEP_DISCOVERY:
                if (!finish_discovery(actx))
                    goto error_return;
 
                if (!check_issuer(actx, conn))
                    goto error_return;
 
                actx->errctx = "cannot run OAuth device authorization";
                if (!check_for_device_flow(actx))
                    goto error_return;
 
                actx->errctx = "failed to obtain device authorization";
                if (!start_device_authz(actx, conn))
                    goto error_return;
 
                actx->step = OAUTH_STEP_DEVICE_AUTHORIZATION;
                break;
 
            case OAUTH_STEP_DEVICE_AUTHORIZATION:
                if (!finish_device_authz(actx))
                    goto error_return;
 
                actx->errctx = "failed to obtain access token";
                if (!start_token_request(actx, conn))
                    goto error_return;
 
                actx->step = OAUTH_STEP_TOKEN_REQUEST;
                break;
 
            case OAUTH_STEP_TOKEN_REQUEST:
                if (!handle_token_response(actx, &conn->oauth_token))
                    goto error_return;
 
                if (!actx->user_prompted)
                {
                    /*
                     * Now that we know the token endpoint isn't broken, give
                     * the user the login instructions.
                     */
                    if (!prompt_user(actx, conn))
                        goto error_return;
 
                    actx->user_prompted = true;
                }
 
                if (conn->oauth_token)
                    break;      /* done! */
 
                /*
                 * Wait for the required interval before issuing the next
                 * request.
                 */
                if (!set_timer(actx, actx->authz.interval * 1000))
                    goto error_return;
 
                /*
                 * No Curl requests are running, so we can simplify by having
                 * the client wait directly on the timerfd rather than the
                 * multiplexer.
                 */
                conn->altsock = actx->timerfd;
 
                actx->step = OAUTH_STEP_WAIT_INTERVAL;
                actx->running = 1;
                break;
 
            case OAUTH_STEP_WAIT_INTERVAL:
                actx->errctx = "failed to obtain access token";
                if (!start_token_request(actx, conn))
                    goto error_return;
 
                actx->step = OAUTH_STEP_TOKEN_REQUEST;
                break;
        }
 
        /*
         * The vast majority of the time, if we don't have a token at this
         * point, actx->running will be set. But there are some corner cases
         * where we can immediately loop back around; see start_request().
         */
    } while (!conn->oauth_token && !actx->running);
 
    /* If we've stored a token, we're done. Otherwise come back later. */
    return conn->oauth_token ? PGRES_POLLING_OK : PGRES_POLLING_READING;
 
error_return:
 
    /*
     * Assemble the three parts of our error: context, body, and detail. See
     * also the documentation for struct async_ctx.
     */
    if (actx->errctx)
    {
        appendPQExpBufferStr(&conn->errorMessage,
                             libpq_gettext(actx->errctx));
        appendPQExpBufferStr(&conn->errorMessage, ": ");
    }
 
    if (PQExpBufferDataBroken(actx->errbuf))
        appendPQExpBufferStr(&conn->errorMessage,
                             libpq_gettext("out of memory"));
    else
        appendPQExpBufferStr(&conn->errorMessage, actx->errbuf.data);
 
    if (actx->curl_err[0])
    {
        size_t      len;
 
        appendPQExpBuffer(&conn->errorMessage,
                          " (libcurl: %s)", actx->curl_err);
 
        /* Sometimes libcurl adds a newline to the error buffer. :( */
        len = conn->errorMessage.len;
        if (len >= 2 && conn->errorMessage.data[len - 2] == '\n')
        {
            conn->errorMessage.data[len - 2] = ')';
            conn->errorMessage.data[len - 1] = '\0';
            conn->errorMessage.len--;
        }
    }
 
    appendPQExpBufferStr(&conn->errorMessage, "\n");
 
    return PGRES_POLLING_FAILED;
}

References pg_conn::altsock, appendPQExpBuffer(), appendPQExpBufferStr(), async_ctx::authz, calloc, check_for_device_flow(), check_issuer(), conn, async_ctx::curl_err, PQExpBufferData::data, async_ctx::debugging, drive_request(), async_ctx::errbuf, async_ctx::errctx, pg_conn::errorMessage, finish_device_authz(), finish_discovery(), handle_token_response(), initialize_curl(), initPQExpBuffer(), device_authz::interval, PQExpBufferData::len, len, libpq_append_conn_error(), libpq_gettext, async_ctx::mux, pg_conn::oauth_discovery_uri, OAUTH_STEP_DEVICE_AUTHORIZATION, OAUTH_STEP_DISCOVERY, OAUTH_STEP_INIT, OAUTH_STEP_TOKEN_REQUEST, OAUTH_STEP_WAIT_INTERVAL, pg_conn::oauth_token, oauth_unsafe_debugging_enabled(), PGINVALID_SOCKET, PGRES_POLLING_FAILED, PGRES_POLLING_OK, PGRES_POLLING_READING, PQExpBufferDataBroken, prompt_user(), async_ctx::running, pg_conn::sasl_state, set_timer(), setup_curl_handles(), setup_multiplexer(), start_device_authz(), start_discovery(), start_token_request(), async_ctx::step, timer_expired(), async_ctx::timerfd, async_ctx::user_prompted, and async_ctx::work_data.

Referenced by pg_fe_run_oauth_flow().

◆ prompt_user()

static bool prompt_user	(	struct async_ctx *	actx,
		PGconn *	conn
	)

static

Definition at line 2459 of file fe-auth-oauth-curl.c.

{
    int         res;
    PGpromptOAuthDevice prompt = {
        .verification_uri = actx->authz.verification_uri,
        .user_code = actx->authz.user_code,
        .verification_uri_complete = actx->authz.verification_uri_complete,
        .expires_in = actx->authz.expires_in,
    };
 
    res = PQauthDataHook(PQAUTHDATA_PROMPT_OAUTH_DEVICE, conn, &prompt);
 
    if (!res)
    {
        /*
         * translator: The first %s is a URL for the user to visit in a
         * browser, and the second %s is a code to be copy-pasted there.
         */
        fprintf(stderr, libpq_gettext("Visit %s and enter the code: %s\n"),
                prompt.verification_uri, prompt.user_code);
    }
    else if (res < 0)
    {
        actx_error(actx, "device prompt failed");
        return false;
    }
 
    return true;
}

References actx_error, async_ctx::authz, conn, device_authz::expires_in, fprintf, libpq_gettext, PQAUTHDATA_PROMPT_OAUTH_DEVICE, PQauthDataHook, device_authz::user_code, _PGpromptOAuthDevice::user_code, device_authz::verification_uri, _PGpromptOAuthDevice::verification_uri, and device_authz::verification_uri_complete.

Referenced by pg_fe_run_oauth_flow_impl().

◆ record_token_error()

static void record_token_error	(	struct async_ctx *	actx,
		const struct token_error *	err
	)

static

Definition at line 1037 of file fe-auth-oauth-curl.c.

{
    if (err->error_description)
        appendPQExpBuffer(&actx->errbuf, "%s ", err->error_description);
    else
    {
        /*
         * Try to get some more helpful detail into the error string. A 401
         * status in particular implies that the oauth_client_secret is
         * missing or wrong.
         */
        long        response_code;
 
        CHECK_GETINFO(actx, CURLINFO_RESPONSE_CODE, &response_code, response_code = 0);
 
        if (response_code == 401)
        {
            actx_error(actx, actx->used_basic_auth
                       ? "provider rejected the oauth_client_secret"
                       : "provider requires client authentication, and no oauth_client_secret is set");
            actx_error_str(actx, " ");
        }
    }
 
    appendPQExpBuffer(&actx->errbuf, "(%s)", err->error);
}

References actx_error, actx_error_str, appendPQExpBuffer(), CHECK_GETINFO, err(), async_ctx::errbuf, and async_ctx::used_basic_auth.

Referenced by finish_device_authz(), and handle_token_response().

◆ register_socket()

static int register_socket	(	CURL *	curl,
		curl_socket_t	socket,
		int	what,
		void *	ctx,
		void *	socketp
	)

static

Definition at line 1172 of file fe-auth-oauth-curl.c.

{
#ifdef HAVE_SYS_EPOLL_H
    struct async_ctx *actx = ctx;
    struct epoll_event ev = {0};
    int         res;
    int         op = EPOLL_CTL_ADD;
 
    switch (what)
    {
        case CURL_POLL_IN:
            ev.events = EPOLLIN;
            break;
 
        case CURL_POLL_OUT:
            ev.events = EPOLLOUT;
            break;
 
        case CURL_POLL_INOUT:
            ev.events = EPOLLIN | EPOLLOUT;
            break;
 
        case CURL_POLL_REMOVE:
            op = EPOLL_CTL_DEL;
            break;
 
        default:
            actx_error(actx, "unknown libcurl socket operation: %d", what);
            return -1;
    }
 
    res = epoll_ctl(actx->mux, op, socket, &ev);
    if (res < 0 && errno == EEXIST)
    {
        /* We already had this socket in the pollset. */
        op = EPOLL_CTL_MOD;
        res = epoll_ctl(actx->mux, op, socket, &ev);
    }
 
    if (res < 0)
    {
        switch (op)
        {
            case EPOLL_CTL_ADD:
                actx_error(actx, "could not add to epoll set: %m");
                break;
 
            case EPOLL_CTL_DEL:
                actx_error(actx, "could not delete from epoll set: %m");
                break;
 
            default:
                actx_error(actx, "could not update epoll set: %m");
        }
 
        return -1;
    }
 
    return 0;
#endif
#ifdef HAVE_SYS_EVENT_H
    struct async_ctx *actx = ctx;
    struct kevent ev[2] = {{0}};
    struct kevent ev_out[2];
    struct timespec timeout = {0};
    int         nev = 0;
    int         res;
 
    switch (what)
    {
        case CURL_POLL_IN:
            EV_SET(&ev[nev], socket, EVFILT_READ, EV_ADD | EV_RECEIPT, 0, 0, 0);
            nev++;
            break;
 
        case CURL_POLL_OUT:
            EV_SET(&ev[nev], socket, EVFILT_WRITE, EV_ADD | EV_RECEIPT, 0, 0, 0);
            nev++;
            break;
 
        case CURL_POLL_INOUT:
            EV_SET(&ev[nev], socket, EVFILT_READ, EV_ADD | EV_RECEIPT, 0, 0, 0);
            nev++;
            EV_SET(&ev[nev], socket, EVFILT_WRITE, EV_ADD | EV_RECEIPT, 0, 0, 0);
            nev++;
            break;
 
        case CURL_POLL_REMOVE:
 
            /*
             * We don't know which of these is currently registered, perhaps
             * both, so we try to remove both.  This means we need to tolerate
             * ENOENT below.
             */
            EV_SET(&ev[nev], socket, EVFILT_READ, EV_DELETE | EV_RECEIPT, 0, 0, 0);
            nev++;
            EV_SET(&ev[nev], socket, EVFILT_WRITE, EV_DELETE | EV_RECEIPT, 0, 0, 0);
            nev++;
            break;
 
        default:
            actx_error(actx, "unknown libcurl socket operation: %d", what);
            return -1;
    }
 
    res = kevent(actx->mux, ev, nev, ev_out, lengthof(ev_out), &timeout);
    if (res < 0)
    {
        actx_error(actx, "could not modify kqueue: %m");
        return -1;
    }
 
    /*
     * We can't use the simple errno version of kevent, because we need to
     * skip over ENOENT while still allowing a second change to be processed.
     * So we need a longer-form error checking loop.
     */
    for (int i = 0; i < res; ++i)
    {
        /*
         * EV_RECEIPT should guarantee one EV_ERROR result for every change,
         * whether successful or not. Failed entries contain a non-zero errno
         * in the data field.
         */
        Assert(ev_out[i].flags & EV_ERROR);
 
        errno = ev_out[i].data;
        if (errno && errno != ENOENT)
        {
            switch (what)
            {
                case CURL_POLL_REMOVE:
                    actx_error(actx, "could not delete from kqueue: %m");
                    break;
                default:
                    actx_error(actx, "could not add to kqueue: %m");
            }
            return -1;
        }
    }
 
    return 0;
#endif
 
    actx_error(actx, "libpq does not support multiplexer sockets on this platform");
    return -1;
}

References actx_error, Assert(), i, lengthof, async_ctx::mux, and socket.

Referenced by setup_curl_handles().

◆ register_timer()

static int register_timer	(	CURLM *	curlm,
		long	timeout,
		void *	ctx
	)

static

Definition at line 1458 of file fe-auth-oauth-curl.c.

{
    struct async_ctx *actx = ctx;
 
    /*
     * There might be an optimization opportunity here: if timeout == 0, we
     * could signal drive_request to immediately call
     * curl_multi_socket_action, rather than returning all the way up the
     * stack only to come right back. But it's not clear that the additional
     * code complexity is worth it.
     */
    if (!set_timer(actx, timeout))
        return -1;              /* actx_error already called */
 
    return 0;
}

References set_timer().

Referenced by setup_curl_handles().

◆ report_type_mismatch()

static void report_type_mismatch ( struct oauth_parse * ctx )

static

Definition at line 414 of file fe-auth-oauth-curl.c.

{
    char       *msgfmt;
 
    Assert(ctx->active);
 
    /*
     * At the moment, the only fields we're interested in are strings,
     * numbers, and arrays of strings.
     */
    switch (ctx->active->type)
    {
        case JSON_TOKEN_STRING:
            msgfmt = "field \"%s\" must be a string";
            break;
 
        case JSON_TOKEN_NUMBER:
            msgfmt = "field \"%s\" must be a number";
            break;
 
        case JSON_TOKEN_ARRAY_START:
            msgfmt = "field \"%s\" must be an array of strings";
            break;
 
        default:
            Assert(false);
            msgfmt = "field \"%s\" has unexpected type";
    }
 
    oauth_parse_set_error(ctx, msgfmt, ctx->active->name);
}

References oauth_parse::active, Assert(), JSON_TOKEN_ARRAY_START, JSON_TOKEN_NUMBER, JSON_TOKEN_STRING, json_field::name, oauth_parse_set_error, and json_field::type.

Referenced by oauth_json_array_start(), oauth_json_object_start(), and oauth_json_scalar().

◆ set_timer()

static bool set_timer	(	struct async_ctx *	actx,
		long	timeout
	)

static

Definition at line 1331 of file fe-auth-oauth-curl.c.

{
#if HAVE_SYS_EPOLL_H
    struct itimerspec spec = {0};
 
    if (timeout < 0)
    {
        /* the zero itimerspec will disarm the timer below */
    }
    else if (timeout == 0)
    {
        /*
         * A zero timeout means libcurl wants us to call back immediately.
         * That's not technically an option for timerfd, but we can make the
         * timeout ridiculously short.
         */
        spec.it_value.tv_nsec = 1;
    }
    else
    {
        spec.it_value.tv_sec = timeout / 1000;
        spec.it_value.tv_nsec = (timeout % 1000) * 1000000;
    }
 
    if (timerfd_settime(actx->timerfd, 0 /* no flags */ , &spec, NULL) < 0)
    {
        actx_error(actx, "setting timerfd to %ld: %m", timeout);
        return false;
    }
 
    return true;
#endif
#ifdef HAVE_SYS_EVENT_H
    struct kevent ev;
 
#ifdef __NetBSD__
 
    /*
     * Work around NetBSD's rejection of zero timeouts (EINVAL), a bit like
     * timerfd above.
     */
    if (timeout == 0)
        timeout = 1;
#endif
 
    /* Enable/disable the timer itself. */
    EV_SET(&ev, 1, EVFILT_TIMER, timeout < 0 ? EV_DELETE : (EV_ADD | EV_ONESHOT),
           0, timeout, 0);
    if (kevent(actx->timerfd, &ev, 1, NULL, 0, NULL) < 0 && errno != ENOENT)
    {
        actx_error(actx, "setting kqueue timer to %ld: %m", timeout);
        return false;
    }
 
    /*
     * Add/remove the timer to/from the mux. (In contrast with epoll, if we
     * allowed the timer to remain registered here after being disabled, the
     * mux queue would retain any previous stale timeout notifications and
     * remain readable.)
     */
    EV_SET(&ev, actx->timerfd, EVFILT_READ, timeout < 0 ? EV_DELETE : EV_ADD,
           0, 0, 0);
    if (kevent(actx->mux, &ev, 1, NULL, 0, NULL) < 0 && errno != ENOENT)
    {
        actx_error(actx, "could not update timer on kqueue: %m");
        return false;
    }
 
    return true;
#endif
 
    actx_error(actx, "libpq does not support timers on this platform");
    return false;
}

References actx_error, async_ctx::mux, and async_ctx::timerfd.

Referenced by pg_fe_run_oauth_flow_impl(), and register_timer().

◆ setup_curl_handles()

static bool setup_curl_handles ( struct async_ctx * actx )

static

Definition at line 1565 of file fe-auth-oauth-curl.c.

{
    /*
     * Create our multi handle. This encapsulates the entire conversation with
     * libcurl for this connection.
     */
    actx->curlm = curl_multi_init();
    if (!actx->curlm)
    {
        /* We don't get a lot of feedback on the failure reason. */
        actx_error(actx, "failed to create libcurl multi handle");
        return false;
    }
 
    /*
     * The multi handle tells us what to wait on using two callbacks. These
     * will manipulate actx->mux as needed.
     */
    CHECK_MSETOPT(actx, CURLMOPT_SOCKETFUNCTION, register_socket, return false);
    CHECK_MSETOPT(actx, CURLMOPT_SOCKETDATA, actx, return false);
    CHECK_MSETOPT(actx, CURLMOPT_TIMERFUNCTION, register_timer, return false);
    CHECK_MSETOPT(actx, CURLMOPT_TIMERDATA, actx, return false);
 
    /*
     * Set up an easy handle. All of our requests are made serially, so we
     * only ever need to keep track of one.
     */
    actx->curl = curl_easy_init();
    if (!actx->curl)
    {
        actx_error(actx, "failed to create libcurl handle");
        return false;
    }
 
    /*
     * Multi-threaded applications must set CURLOPT_NOSIGNAL. This requires us
     * to handle the possibility of SIGPIPE ourselves using pq_block_sigpipe;
     * see pg_fe_run_oauth_flow().
     *
     * NB: If libcurl is not built against a friendly DNS resolver (c-ares or
     * threaded), setting this option prevents DNS lookups from timing out
     * correctly. We warn about this situation at configure time.
     *
     * TODO: Perhaps there's a clever way to warn the user about synchronous
     * DNS at runtime too? It's not immediately clear how to do that in a
     * helpful way: for many standard single-threaded use cases, the user
     * might not care at all, so spraying warnings to stderr would probably do
     * more harm than good.
     */
    CHECK_SETOPT(actx, CURLOPT_NOSIGNAL, 1L, return false);
 
    if (actx->debugging)
    {
        /*
         * Set a callback for retrieving error information from libcurl, the
         * function only takes effect when CURLOPT_VERBOSE has been set so
         * make sure the order is kept.
         */
        CHECK_SETOPT(actx, CURLOPT_DEBUGFUNCTION, debug_callback, return false);
        CHECK_SETOPT(actx, CURLOPT_VERBOSE, 1L, return false);
    }
 
    CHECK_SETOPT(actx, CURLOPT_ERRORBUFFER, actx->curl_err, return false);
 
    /*
     * Only HTTPS is allowed. (Debug mode additionally allows HTTP; this is
     * intended for testing only.)
     *
     * There's a bit of unfortunate complexity around the choice of
     * CURLoption. CURLOPT_PROTOCOLS is deprecated in modern Curls, but its
     * replacement didn't show up until relatively recently.
     */
    {
#if CURL_AT_LEAST_VERSION(7, 85, 0)
        const CURLoption popt = CURLOPT_PROTOCOLS_STR;
        const char *protos = "https";
        const char *const unsafe = "https,http";
#else
        const CURLoption popt = CURLOPT_PROTOCOLS;
        long        protos = CURLPROTO_HTTPS;
        const long  unsafe = CURLPROTO_HTTPS | CURLPROTO_HTTP;
#endif
 
        if (actx->debugging)
            protos = unsafe;
 
        CHECK_SETOPT(actx, popt, protos, return false);
    }
 
    /*
     * If we're in debug mode, allow the developer to change the trusted CA
     * list. For now, this is not something we expose outside of the UNSAFE
     * mode, because it's not clear that it's useful in production: both libpq
     * and the user's browser must trust the same authorization servers for
     * the flow to work at all, so any changes to the roots are likely to be
     * done system-wide.
     */
    if (actx->debugging)
    {
        const char *env;
 
        if ((env = getenv("PGOAUTHCAFILE")) != NULL)
            CHECK_SETOPT(actx, CURLOPT_CAINFO, env, return false);
    }
 
    /*
     * Suppress the Accept header to make our request as minimal as possible.
     * (Ideally we would set it to "application/json" instead, but OpenID is
     * pretty strict when it comes to provider behavior, so we have to check
     * what comes back anyway.)
     */
    actx->headers = curl_slist_append(actx->headers, "Accept:");
    if (actx->headers == NULL)
    {
        actx_error(actx, "out of memory");
        return false;
    }
    CHECK_SETOPT(actx, CURLOPT_HTTPHEADER, actx->headers, return false);
 
    return true;
}

References actx_error, CHECK_MSETOPT, CHECK_SETOPT, async_ctx::curl, async_ctx::curl_err, async_ctx::curlm, debug_callback(), async_ctx::debugging, async_ctx::headers, register_socket(), and register_timer().

Referenced by pg_fe_run_oauth_flow_impl().

◆ setup_multiplexer()

static bool setup_multiplexer ( struct async_ctx * actx )

static

Definition at line 1111 of file fe-auth-oauth-curl.c.

{
#ifdef HAVE_SYS_EPOLL_H
    struct epoll_event ev = {.events = EPOLLIN};
 
    actx->mux = epoll_create1(EPOLL_CLOEXEC);
    if (actx->mux < 0)
    {
        actx_error(actx, "failed to create epoll set: %m");
        return false;
    }
 
    actx->timerfd = timerfd_create(CLOCK_MONOTONIC, TFD_CLOEXEC);
    if (actx->timerfd < 0)
    {
        actx_error(actx, "failed to create timerfd: %m");
        return false;
    }
 
    if (epoll_ctl(actx->mux, EPOLL_CTL_ADD, actx->timerfd, &ev) < 0)
    {
        actx_error(actx, "failed to add timerfd to epoll set: %m");
        return false;
    }
 
    return true;
#endif
#ifdef HAVE_SYS_EVENT_H
    actx->mux = kqueue();
    if (actx->mux < 0)
    {
        /*- translator: the term "kqueue" (kernel queue) should not be translated */
        actx_error(actx, "failed to create kqueue: %m");
        return false;
    }
 
    /*
     * Originally, we set EVFILT_TIMER directly on the top-level multiplexer.
     * This makes it difficult to implement timer_expired(), though, so now we
     * set EVFILT_TIMER on a separate actx->timerfd, which is chained to
     * actx->mux while the timer is active.
     */
    actx->timerfd = kqueue();
    if (actx->timerfd < 0)
    {
        actx_error(actx, "failed to create timer kqueue: %m");
        return false;
    }
 
    return true;
#endif
 
    actx_error(actx, "libpq does not support the Device Authorization flow on this platform");
    return false;
}

References actx_error, async_ctx::mux, and async_ctx::timerfd.

Referenced by pg_fe_run_oauth_flow_impl().

◆ start_device_authz()

static bool start_device_authz	(	struct async_ctx *	actx,
		PGconn *	conn
	)

static

Definition at line 2232 of file fe-auth-oauth-curl.c.

{
    const char *device_authz_uri = actx->provider.device_authorization_endpoint;
    PQExpBuffer work_buffer = &actx->work_data;
 
    Assert(conn->oauth_client_id);  /* ensured by setup_oauth_parameters() */
    Assert(device_authz_uri);   /* ensured by check_for_device_flow() */
 
    /* Construct our request body. */
    resetPQExpBuffer(work_buffer);
    if (conn->oauth_scope && conn->oauth_scope[0])
        build_urlencoded(work_buffer, "scope", conn->oauth_scope);
 
    if (!add_client_identification(actx, work_buffer, conn))
        return false;
 
    if (PQExpBufferBroken(work_buffer))
    {
        actx_error(actx, "out of memory");
        return false;
    }
 
    /* Make our request. */
    CHECK_SETOPT(actx, CURLOPT_URL, device_authz_uri, return false);
    CHECK_SETOPT(actx, CURLOPT_COPYPOSTFIELDS, work_buffer->data, return false);
 
    return start_request(actx);
}

References actx_error, add_client_identification(), Assert(), build_urlencoded(), CHECK_SETOPT, conn, PQExpBufferData::data, provider::device_authorization_endpoint, pg_conn::oauth_client_id, pg_conn::oauth_scope, PQExpBufferBroken, async_ctx::provider, resetPQExpBuffer(), start_request(), and async_ctx::work_data.

Referenced by pg_fe_run_oauth_flow_impl().

◆ start_discovery()

static bool start_discovery	(	struct async_ctx *	actx,
		const char *	discovery_uri
	)

static

Definition at line 1974 of file fe-auth-oauth-curl.c.

{
    CHECK_SETOPT(actx, CURLOPT_HTTPGET, 1L, return false);
    CHECK_SETOPT(actx, CURLOPT_URL, discovery_uri, return false);
 
    return start_request(actx);
}

References CHECK_SETOPT, and start_request().

Referenced by pg_fe_run_oauth_flow_impl().

◆ start_request()

static bool start_request ( struct async_ctx * actx )

static

Definition at line 1738 of file fe-auth-oauth-curl.c.

{
    CURLMcode   err;
 
    resetPQExpBuffer(&actx->work_data);
    CHECK_SETOPT(actx, CURLOPT_WRITEFUNCTION, append_data, return false);
    CHECK_SETOPT(actx, CURLOPT_WRITEDATA, actx, return false);
 
    err = curl_multi_add_handle(actx->curlm, actx->curl);
    if (err)
    {
        actx_error(actx, "failed to queue HTTP request: %s",
                   curl_multi_strerror(err));
        return false;
    }
 
    /*
     * actx->running tracks the number of running handles, so we can
     * immediately call back if no waiting is needed.
     *
     * Even though this is nominally an asynchronous process, there are some
     * operations that can synchronously fail by this point (e.g. connections
     * to closed local ports) or even synchronously succeed if the stars align
     * (all the libcurl connection caches hit and the server is fast).
     */
    err = curl_multi_socket_action(actx->curlm, CURL_SOCKET_TIMEOUT, 0, &actx->running);
    if (err)
    {
        actx_error(actx, "asynchronous HTTP request failed: %s",
                   curl_multi_strerror(err));
        return false;
    }
 
    return true;
}

References actx_error, append_data(), CHECK_SETOPT, async_ctx::curl, async_ctx::curlm, err(), resetPQExpBuffer(), async_ctx::running, and async_ctx::work_data.

Referenced by start_device_authz(), start_discovery(), and start_token_request().

◆ start_token_request()

static bool start_token_request	(	struct async_ctx *	actx,
		PGconn *	conn
	)

static

Definition at line 2319 of file fe-auth-oauth-curl.c.

{
    const char *token_uri = actx->provider.token_endpoint;
    const char *device_code = actx->authz.device_code;
    PQExpBuffer work_buffer = &actx->work_data;
 
    Assert(conn->oauth_client_id);  /* ensured by setup_oauth_parameters() */
    Assert(token_uri);          /* ensured by parse_provider() */
    Assert(device_code);        /* ensured by parse_device_authz() */
 
    /* Construct our request body. */
    resetPQExpBuffer(work_buffer);
    build_urlencoded(work_buffer, "device_code", device_code);
    build_urlencoded(work_buffer, "grant_type", OAUTH_GRANT_TYPE_DEVICE_CODE);
 
    if (!add_client_identification(actx, work_buffer, conn))
        return false;
 
    if (PQExpBufferBroken(work_buffer))
    {
        actx_error(actx, "out of memory");
        return false;
    }
 
    /* Make our request. */
    CHECK_SETOPT(actx, CURLOPT_URL, token_uri, return false);
    CHECK_SETOPT(actx, CURLOPT_COPYPOSTFIELDS, work_buffer->data, return false);
 
    return start_request(actx);
}

References actx_error, add_client_identification(), Assert(), async_ctx::authz, build_urlencoded(), CHECK_SETOPT, conn, PQExpBufferData::data, device_authz::device_code, pg_conn::oauth_client_id, OAUTH_GRANT_TYPE_DEVICE_CODE, PQExpBufferBroken, async_ctx::provider, resetPQExpBuffer(), start_request(), provider::token_endpoint, and async_ctx::work_data.

Referenced by pg_fe_run_oauth_flow_impl().

◆ timer_expired()

static int timer_expired ( struct async_ctx * actx )

static

Definition at line 1412 of file fe-auth-oauth-curl.c.

{
#if HAVE_SYS_EPOLL_H
    struct itimerspec spec = {0};
 
    if (timerfd_gettime(actx->timerfd, &spec) < 0)
    {
        actx_error(actx, "getting timerfd value: %m");
        return -1;
    }
 
    /*
     * This implementation assumes we're using single-shot timers. If you
     * change to using intervals, you'll need to reimplement this function
     * too, possibly with the read() or select() interfaces for timerfd.
     */
    Assert(spec.it_interval.tv_sec == 0
           && spec.it_interval.tv_nsec == 0);
 
    /* If the remaining time to expiration is zero, we're done. */
    return (spec.it_value.tv_sec == 0
            && spec.it_value.tv_nsec == 0);
#endif
#ifdef HAVE_SYS_EVENT_H
    int         res;
 
    /* Is the timer queue ready? */
    res = PQsocketPoll(actx->timerfd, 1 /* forRead */ , 0, 0);
    if (res < 0)
    {
        actx_error(actx, "checking kqueue for timeout: %m");
        return -1;
    }
 
    return (res > 0);
#endif
 
    actx_error(actx, "libpq does not support timers on this platform");
    return -1;
}

References actx_error, Assert(), PQsocketPoll(), and async_ctx::timerfd.

Referenced by pg_fe_run_oauth_flow_impl().

◆ urlencode()

static char * urlencode ( const char * s )

static

Definition at line 1930 of file fe-auth-oauth-curl.c.

{
    PQExpBufferData buf;
 
    initPQExpBuffer(&buf);
    append_urlencoded(&buf, s);
 
    return PQExpBufferDataBroken(buf) ? NULL : buf.data;
}

References append_urlencoded(), buf, initPQExpBuffer(), and PQExpBufferDataBroken.

Referenced by add_client_identification().

Data Structures

Macros

Enumerations

Functions

Macro Definition Documentation

◆ actx_error

◆ actx_error_str

◆ CHECK_GETINFO

◆ CHECK_MSETOPT

◆ CHECK_SETOPT

◆ CURL_IGNORE_DEPRECATION

◆ HTTPS_SCHEME

◆ MAX_OAUTH_RESPONSE_SIZE

◆ OAUTH_GRANT_TYPE_DEVICE_CODE

◆ oauth_parse_set_error

◆ PG_OAUTH_OPTIONAL

◆ PG_OAUTH_REQUIRED

Enumeration Type Documentation

◆ OAuthStep

Function Documentation

◆ add_client_identification()

◆ append_data()

◆ append_urlencoded()

◆ build_urlencoded()

◆ check_content_type()

◆ check_for_device_flow()

◆ check_issuer()

◆ debug_callback()

◆ drive_request()

◆ finish_device_authz()

◆ finish_discovery()

◆ finish_token_request()

◆ free_async_ctx()

◆ free_device_authz()

◆ free_provider()

◆ free_token()

◆ free_token_error()

◆ handle_token_response()

◆ initialize_curl()

◆ oauth_json_array_end()

◆ oauth_json_array_start()

◆ oauth_json_object_end()

◆ oauth_json_object_field_start()

◆ oauth_json_object_start()

◆ oauth_json_scalar()

◆ parse_access_token()

◆ parse_device_authz()

◆ parse_expires_in()

◆ parse_interval()

◆ parse_json_number()

◆ parse_oauth_json()

◆ parse_provider()

◆ parse_token_error()

◆ pg_fe_cleanup_oauth_flow()

◆ pg_fe_run_oauth_flow()

◆ pg_fe_run_oauth_flow_impl()

◆ prompt_user()

◆ record_token_error()

◆ register_socket()

◆ register_timer()

◆ report_type_mismatch()

◆ set_timer()

◆ setup_curl_handles()

◆ setup_multiplexer()

◆ start_device_authz()

◆ start_discovery()

◆ start_request()

◆ start_token_request()

◆ timer_expired()

◆ urlencode()