fe-auth-oauth.c File Reference

#include "postgres_fe.h"
#include "common/base64.h"
#include "common/hmac.h"
#include "common/jsonapi.h"
#include "common/oauth-common.h"
#include "fe-auth.h"
#include "fe-auth-oauth.h"
#include "mb/pg_wchar.h"
#include "oauth-debug.h"
#include "pg_config_paths.h"
#include "utils/memdebug.h"

Include dependency graph for fe-auth-oauth.c:

Go to the source code of this file.

Data Structures
struct	json_ctx

Macros
#define	kvsep   "\x01"
#define	ERROR_STATUS_FIELD   "status"
#define	ERROR_SCOPE_FIELD   "scope"
#define	ERROR_OPENID_CONFIGURATION_FIELD   "openid-configuration"
#define	MAX_SASL_NESTING_LEVEL   8
#define	oauth_json_has_error(ctx)    (PQExpBufferDataBroken((ctx)->errbuf) || (ctx)->errmsg)
#define	oauth_json_set_error(ctx, fmt, ...)
#define	oauth_json_set_error_internal(ctx, ...)
#define	HTTPS_SCHEME   "https://"
#define	HTTP_SCHEME   "http://"
#define	WK_PREFIX   "/.well-known/"
#define	OPENID_WK_SUFFIX   "openid-configuration"
#define	OAUTH_WK_SUFFIX   "oauth-authorization-server"
#define	MASK_BITS   ((uintptr_t) 0x55aa55aa55aa55aa)
#define	POISON_MASK(ptr)   ((void *) (((uintptr_t) ptr) ^ MASK_BITS))

Functions
static PostgresPollingStatusType	do_async (fe_oauth_state *state, PGoauthBearerRequestV2 *request)
static void	do_cleanup (fe_oauth_state *state, PGoauthBearerRequestV2 *request)
static void	poison_req_v2 (PGoauthBearerRequestV2 *request, bool poison)
static void *	oauth_init (PGconn *conn, const char *password, const char *sasl_mechanism)
static SASLStatus	oauth_exchange (void *opaq, bool final, char *input, int inputlen, char **output, int *outputlen)
static bool	oauth_channel_bound (void *opaq)
static void	oauth_free (void *opaq)
static char *	client_initial_response (PGconn *conn, bool discover)
static JsonParseErrorType	oauth_json_object_start (void *state)
static JsonParseErrorType	oauth_json_object_end (void *state)
static JsonParseErrorType	oauth_json_object_field_start (void *state, char *name, bool isnull)
static JsonParseErrorType	oauth_json_array_start (void *state)
static JsonParseErrorType	oauth_json_array_end (void *state)
static JsonParseErrorType	oauth_json_scalar (void *state, char *token, JsonTokenType type)
static char *	issuer_from_well_known_uri (PGconn *conn, const char *wkuri)
static bool	handle_oauth_sasl_error (PGconn *conn, const char *msg, int msglen)
static void	report_flow_error (PGconn *conn, const PGoauthBearerRequestV2 *request)
static PostgresPollingStatusType	run_oauth_flow (PGconn *conn)
static void	cleanup_oauth_flow (PGconn *conn)
static int	use_builtin_flow (PGconn *conn, fe_oauth_state *state, PGoauthBearerRequestV2 *request)
static bool	setup_token_request (PGconn *conn, fe_oauth_state *state)
static bool	setup_oauth_parameters (PGconn *conn)
void	pqClearOAuthToken (PGconn *conn)

Variables
const pg_fe_sasl_mech	pg_oauth_mech

Macro Definition Documentation

ERROR_OPENID_CONFIGURATION_FIELD

#define ERROR_OPENID_CONFIGURATION_FIELD   "openid-configuration"

Definition at line 165 of file fe-auth-oauth.c.

ERROR_SCOPE_FIELD

#define ERROR_SCOPE_FIELD   "scope"

Definition at line 164 of file fe-auth-oauth.c.

ERROR_STATUS_FIELD

#define ERROR_STATUS_FIELD   "status"

Definition at line 163 of file fe-auth-oauth.c.

HTTP_SCHEME

#define HTTP_SCHEME   "http://"

Definition at line 361 of file fe-auth-oauth.c.

HTTPS_SCHEME

#define HTTPS_SCHEME   "https://"

Definition at line 360 of file fe-auth-oauth.c.

kvsep

#define kvsep   "\x01"

Definition at line 101 of file fe-auth-oauth.c.

MASK_BITS

#define MASK_BITS   ((uintptr_t) 0x55aa55aa55aa55aa)

Definition at line 1455 of file fe-auth-oauth.c.

MAX_SASL_NESTING_LEVEL

#define MAX_SASL_NESTING_LEVEL   8

Definition at line 173 of file fe-auth-oauth.c.

oauth_json_has_error

#define oauth_json_has_error

(

ctx

)

(PQExpBufferDataBroken((ctx)->errbuf) || (ctx)->errmsg)

Definition at line 190 of file fe-auth-oauth.c.

oauth_json_set_error

#define oauth_json_set_error	(		ctx,
			fmt,
			...
	)

Value:

    do { \
		appendPQExpBuffer(&(ctx)->errbuf, libpq_gettext(fmt), ##__VA_ARGS__); \
        (ctx)->errmsg = (ctx)->errbuf.data; \
    } while (0)

Definition at line 193 of file fe-auth-oauth.c.

       { \
		appendPQExpBuffer(&(ctx)->errbuf, libpq_gettext(fmt), ##__VA_ARGS__); \
        (ctx)->errmsg = (ctx)->errbuf.data; \
    } while (0)

oauth_json_set_error_internal

#define oauth_json_set_error_internal	(		ctx,
			...
	)

Value:

    do { \
		appendPQExpBuffer(&(ctx)->errbuf, __VA_ARGS__); \
        (ctx)->errmsg = (ctx)->errbuf.data; \
    } while (0)

Definition at line 200 of file fe-auth-oauth.c.

       { \
		appendPQExpBuffer(&(ctx)->errbuf, __VA_ARGS__); \
        (ctx)->errmsg = (ctx)->errbuf.data; \
    } while (0)

OAUTH_WK_SUFFIX

#define OAUTH_WK_SUFFIX   "oauth-authorization-server"

Definition at line 366 of file fe-auth-oauth.c.

OPENID_WK_SUFFIX

#define OPENID_WK_SUFFIX   "openid-configuration"

Definition at line 365 of file fe-auth-oauth.c.

POISON_MASK

#define POISON_MASK

(

ptr

)

((void *) (((uintptr_t) ptr) ^ MASK_BITS))

Definition at line 1456 of file fe-auth-oauth.c.

WK_PREFIX

#define WK_PREFIX   "/.well-known/"

Definition at line 364 of file fe-auth-oauth.c.

Function Documentation

cleanup_oauth_flow()

static void cleanup_oauth_flow ( PGconn *  conn )

static

Definition at line 805 of file fe-auth-oauth.c.

{
    fe_oauth_state *state = conn->sasl_state;
    PGoauthBearerRequestV2 *request = state->async_ctx;
 
    Assert(request);
 
    do_cleanup(state, request);
    conn->altsock = PGINVALID_SOCKET;
 
    free(request);
    state->async_ctx = NULL;
}

References pg_conn::altsock, Assert, conn, do_cleanup(), fb(), free, PGINVALID_SOCKET, and pg_conn::sasl_state.

Referenced by setup_token_request().

client_initial_response()

static char * client_initial_response ( PGconn *  conn, bool  discover  )

static

Definition at line 113 of file fe-auth-oauth.c.

{
    static const char *const resp_format = "n,," kvsep "auth=%s%s" kvsep kvsep;
 
    PQExpBufferData buf;
    const char *authn_scheme;
    char       *response = NULL;
    const char *token = conn->oauth_token;
 
    if (discover)
    {
        /* Parameter discovery uses a completely empty auth value. */
        authn_scheme = token = "";
    }
    else
    {
        /*
         * Use a Bearer authentication scheme (RFC 6750, Sec. 2.1). A trailing
         * space is used as a separator.
         */
        authn_scheme = "Bearer ";
 
        /* conn->token must have been set in this case. */
        if (!token)
        {
            Assert(false);
            libpq_append_conn_error(conn,
                                    "internal error: no OAuth token was set for the connection");
            return NULL;
        }
    }
 
    initPQExpBuffer(&buf);
    appendPQExpBuffer(&buf, resp_format, authn_scheme, token);
 
    if (!PQExpBufferDataBroken(buf))
        response = strdup(buf.data);
    termPQExpBuffer(&buf);
 
    if (!response)
        libpq_append_conn_error(conn, "out of memory");
 
    return response;
}

References appendPQExpBuffer(), Assert, buf, conn, fb(), initPQExpBuffer(), kvsep, libpq_append_conn_error(), pg_conn::oauth_token, PQExpBufferDataBroken, and termPQExpBuffer().

Referenced by oauth_exchange().

do_async()

static PostgresPollingStatusType do_async ( fe_oauth_state *  state, PGoauthBearerRequestV2 *  request  )

static

Definition at line 1518 of file fe-auth-oauth.c.

{
    PostgresPollingStatusType ret;
    PGconn     *conn = state->conn;
 
    Assert(request->v1.async);
 
    if (state->v1)
        poison_req_v2(request, true);
 
    ret = request->v1.async(conn,
                            (PGoauthBearerRequest *) request,
                            &conn->altsock);
 
    if (state->v1)
        poison_req_v2(request, false);
 
    return ret;
}

References pg_conn::altsock, Assert, conn, fb(), and poison_req_v2().

Referenced by run_oauth_flow().

do_cleanup()

static void do_cleanup ( fe_oauth_state *  state, PGoauthBearerRequestV2 *  request  )

static

Definition at line 1543 of file fe-auth-oauth.c.

{
    if (!request->v1.cleanup)
        return;
 
    if (state->v1)
        poison_req_v2(request, true);
 
    request->v1.cleanup(state->conn, (PGoauthBearerRequest *) request);
 
    if (state->v1)
        poison_req_v2(request, false);
}

References fb(), and poison_req_v2().

Referenced by cleanup_oauth_flow(), and setup_token_request().

handle_oauth_sasl_error()

static bool handle_oauth_sasl_error ( PGconn *  conn, const char *  msg, int  msglen  )

static

Definition at line 520 of file fe-auth-oauth.c.

{
    JsonLexContext *lex;
    JsonSemAction sem = {0};
    JsonParseErrorType err;
    struct json_ctx ctx = {0};
    char       *errmsg = NULL;
    bool        success = false;
 
    Assert(conn->oauth_issuer_id);  /* ensured by setup_oauth_parameters() */
 
    /* Sanity check. */
    if (strlen(msg) != msglen)
    {
        libpq_append_conn_error(conn,
                                "server's error message contained an embedded NULL, and was discarded");
        return false;
    }
 
    /*
     * pg_parse_json doesn't validate the incoming UTF-8, so we have to check
     * that up front.
     */
    if (pg_encoding_verifymbstr(PG_UTF8, msg, msglen) != msglen)
    {
        libpq_append_conn_error(conn,
                                "server's error response is not valid UTF-8");
        return false;
    }
 
    lex = makeJsonLexContextCstringLen(NULL, msg, msglen, PG_UTF8, true);
    setJsonLexContextOwnsTokens(lex, true); /* must not leak on error */
 
    initPQExpBuffer(&ctx.errbuf);
    sem.semstate = &ctx;
 
    sem.object_start = oauth_json_object_start;
    sem.object_end = oauth_json_object_end;
    sem.object_field_start = oauth_json_object_field_start;
    sem.array_start = oauth_json_array_start;
    sem.array_end = oauth_json_array_end;
    sem.scalar = oauth_json_scalar;
 
    err = pg_parse_json(lex, &sem);
 
    if (err == JSON_SEM_ACTION_FAILED)
    {
        if (PQExpBufferDataBroken(ctx.errbuf))
            errmsg = libpq_gettext("out of memory");
        else if (ctx.errmsg)
            errmsg = ctx.errmsg;
        else
        {
            /*
             * Developer error: one of the action callbacks didn't call
             * oauth_json_set_error() before erroring out.
             */
            Assert(oauth_json_has_error(&ctx));
            errmsg = "<unexpected empty error>";
        }
    }
    else if (err != JSON_SUCCESS)
        errmsg = json_errdetail(err, lex);
 
    if (errmsg)
        libpq_append_conn_error(conn,
                                "failed to parse server's error response: %s",
                                errmsg);
 
    /* Don't need the error buffer or the JSON lexer anymore. */
    termPQExpBuffer(&ctx.errbuf);
    freeJsonLexContext(lex);
 
    if (errmsg)
        goto cleanup;
 
    if (ctx.discovery_uri)
    {
        char       *discovery_issuer;
 
        /*
         * The URI MUST correspond to our existing issuer, to avoid mix-ups.
         *
         * Issuer comparison is done byte-wise, rather than performing any URL
         * normalization; this follows the suggestions for issuer comparison
         * in RFC 9207 Sec. 2.4 (which requires simple string comparison) and
         * vastly simplifies things. Since this is the key protection against
         * a rogue server sending the client to an untrustworthy location,
         * simpler is better.
         */
        discovery_issuer = issuer_from_well_known_uri(conn, ctx.discovery_uri);
        if (!discovery_issuer)
            goto cleanup;       /* error message already set */
 
        if (strcmp(conn->oauth_issuer_id, discovery_issuer) != 0)
        {
            libpq_append_conn_error(conn,
                                    "server's discovery document at %s (issuer \"%s\") is incompatible with oauth_issuer (%s)",
                                    ctx.discovery_uri, discovery_issuer,
                                    conn->oauth_issuer_id);
 
            free(discovery_issuer);
            goto cleanup;
        }
 
        free(discovery_issuer);
 
        if (!conn->oauth_discovery_uri)
        {
            conn->oauth_discovery_uri = ctx.discovery_uri;
            ctx.discovery_uri = NULL;
        }
        else
        {
            /* This must match the URI we'd previously determined. */
            if (strcmp(conn->oauth_discovery_uri, ctx.discovery_uri) != 0)
            {
                libpq_append_conn_error(conn,
                                        "server's discovery document has moved to %s (previous location was %s)",
                                        ctx.discovery_uri,
                                        conn->oauth_discovery_uri);
                goto cleanup;
            }
        }
    }
 
    if (ctx.scope)
    {
        /* Servers may not override a previously set oauth_scope. */
        if (!conn->oauth_scope)
        {
            conn->oauth_scope = ctx.scope;
            ctx.scope = NULL;
        }
    }
 
    if (!ctx.status)
    {
        libpq_append_conn_error(conn,
                                "server sent error response without a status");
        goto cleanup;
    }
 
    if (strcmp(ctx.status, "invalid_token") != 0)
    {
        /*
         * invalid_token is the only error code we'll automatically retry for;
         * otherwise, just bail out now.
         */
        libpq_append_conn_error(conn,
                                "server rejected OAuth bearer token: %s",
                                ctx.status);
        goto cleanup;
    }
 
    success = true;
 
cleanup:
    free(ctx.status);
    free(ctx.scope);
    free(ctx.discovery_uri);
 
    return success;
}

References JsonSemAction::array_end, JsonSemAction::array_start, Assert, cleanup(), conn, json_ctx::discovery_uri, err(), json_ctx::errbuf, json_ctx::errmsg, errmsg, fb(), free, freeJsonLexContext(), initPQExpBuffer(), issuer_from_well_known_uri(), json_errdetail(), JSON_SEM_ACTION_FAILED, JSON_SUCCESS, libpq_append_conn_error(), libpq_gettext, makeJsonLexContextCstringLen(), pg_conn::oauth_discovery_uri, pg_conn::oauth_issuer_id, oauth_json_array_end(), oauth_json_array_start(), oauth_json_has_error, oauth_json_object_end(), oauth_json_object_field_start(), oauth_json_object_start(), oauth_json_scalar(), pg_conn::oauth_scope, JsonSemAction::object_end, JsonSemAction::object_field_start, JsonSemAction::object_start, pg_encoding_verifymbstr(), pg_parse_json(), PG_UTF8, PQExpBufferDataBroken, JsonSemAction::scalar, json_ctx::scope, sem, JsonSemAction::semstate, setJsonLexContextOwnsTokens(), json_ctx::status, success, and termPQExpBuffer().

Referenced by oauth_exchange().

issuer_from_well_known_uri()

static char * issuer_from_well_known_uri ( PGconn *  conn, const char *  wkuri  )

static

Definition at line 373 of file fe-auth-oauth.c.

{
    const char *authority_start = NULL;
    const char *wk_start;
    const char *wk_end;
    char       *issuer;
    ptrdiff_t   start_offset,
                end_offset;
    size_t      end_len;
 
    /*
     * https:// is required for issuer identifiers (RFC 8414, Sec. 2; OIDC
     * Discovery 1.0, Sec. 3). This is a case-insensitive comparison at this
     * level (but issuer identifier comparison at the level above this is
     * case-sensitive, so in practice it's probably moot).
     */
    if (pg_strncasecmp(wkuri, HTTPS_SCHEME, strlen(HTTPS_SCHEME)) == 0)
        authority_start = wkuri + strlen(HTTPS_SCHEME);
 
    if (!authority_start
        && (oauth_parse_debug_flags() & OAUTHDEBUG_UNSAFE_HTTP)
        && pg_strncasecmp(wkuri, HTTP_SCHEME, strlen(HTTP_SCHEME)) == 0)
    {
        /* Allow http:// for testing only. */
        authority_start = wkuri + strlen(HTTP_SCHEME);
    }
 
    if (!authority_start)
    {
        libpq_append_conn_error(conn,
                                "OAuth discovery URI \"%s\" must use HTTPS",
                                wkuri);
        return NULL;
    }
 
    /*
     * Well-known URIs in general may support queries and fragments, but the
     * two types we support here do not. (They must be constructed from the
     * components of issuer identifiers, which themselves may not contain any
     * queries or fragments.)
     *
     * It's important to check this first, to avoid getting tricked later by a
     * prefix buried inside a query or fragment.
     */
    if (strpbrk(authority_start, "?#") != NULL)
    {
        libpq_append_conn_error(conn,
                                "OAuth discovery URI \"%s\" must not contain query or fragment components",
                                wkuri);
        return NULL;
    }
 
    /*
     * Find the start of the .well-known prefix. IETF rules (RFC 8615) state
     * this must be at the beginning of the path component, but OIDC defined
     * it at the end instead (OIDC Discovery 1.0, Sec. 4), so we have to
     * search for it anywhere.
     */
    wk_start = strstr(authority_start, WK_PREFIX);
    if (!wk_start)
    {
        libpq_append_conn_error(conn,
                                "OAuth discovery URI \"%s\" is not a .well-known URI",
                                wkuri);
        return NULL;
    }
 
    /*
     * Now find the suffix type. We only support the two defined in OIDC
     * Discovery 1.0 and RFC 8414.
     */
    wk_end = wk_start + strlen(WK_PREFIX);
 
    if (strncmp(wk_end, OPENID_WK_SUFFIX, strlen(OPENID_WK_SUFFIX)) == 0)
        wk_end += strlen(OPENID_WK_SUFFIX);
    else if (strncmp(wk_end, OAUTH_WK_SUFFIX, strlen(OAUTH_WK_SUFFIX)) == 0)
        wk_end += strlen(OAUTH_WK_SUFFIX);
    else
        wk_end = NULL;
 
    /*
     * Even if there's a match, we still need to check to make sure the suffix
     * takes up the entire path segment, to weed out constructions like
     * "/.well-known/openid-configuration-bad".
     */
    if (!wk_end || (*wk_end != '/' && *wk_end != '\0'))
    {
        libpq_append_conn_error(conn,
                                "OAuth discovery URI \"%s\" uses an unsupported .well-known suffix",
                                wkuri);
        return NULL;
    }
 
    /*
     * Finally, make sure the .well-known components are provided either as a
     * prefix (IETF style) or as a postfix (OIDC style). In other words,
     * "https://localhost/a/.well-known/openid-configuration/b" is not allowed
     * to claim association with "https://localhost/a/b".
     */
    if (*wk_end != '\0')
    {
        /*
         * It's not at the end, so it's required to be at the beginning at the
         * path. Find the starting slash.
         */
        const char *path_start;
 
        path_start = strchr(authority_start, '/');
        Assert(path_start);     /* otherwise we wouldn't have found WK_PREFIX */
 
        if (wk_start != path_start)
        {
            libpq_append_conn_error(conn,
                                    "OAuth discovery URI \"%s\" uses an invalid format",
                                    wkuri);
            return NULL;
        }
    }
 
    /* Checks passed! Now build the issuer. */
    issuer = strdup(wkuri);
    if (!issuer)
    {
        libpq_append_conn_error(conn, "out of memory");
        return NULL;
    }
 
    /*
     * The .well-known components are from [wk_start, wk_end). Remove those to
     * form the issuer ID, by shifting the path suffix (which may be empty)
     * leftwards.
     */
    start_offset = wk_start - wkuri;
    end_offset = wk_end - wkuri;
    end_len = strlen(wk_end) + 1;   /* move the NULL terminator too */
 
    memmove(issuer + start_offset, issuer + end_offset, end_len);
 
    return issuer;
}

References Assert, conn, fb(), HTTP_SCHEME, HTTPS_SCHEME, libpq_append_conn_error(), oauth_parse_debug_flags(), OAUTH_WK_SUFFIX, OAUTHDEBUG_UNSAFE_HTTP, OPENID_WK_SUFFIX, pg_strncasecmp(), and WK_PREFIX.

Referenced by handle_oauth_sasl_error(), and setup_oauth_parameters().

oauth_channel_bound()

static bool oauth_channel_bound ( void *  opaq )

static

Definition at line 1420 of file fe-auth-oauth.c.

{
    /* This mechanism does not support channel binding. */
    return false;
}

oauth_exchange()

static SASLStatus oauth_exchange ( void *  opaq, bool  final, char *  input, int  inputlen, char **  output, int *  outputlen  )

static

Definition at line 1195 of file fe-auth-oauth.c.

{
    fe_oauth_state *state = opaq;
    PGconn     *conn = state->conn;
    bool        discover = false;
 
    *output = NULL;
    *outputlen = 0;
 
    switch (state->step)
    {
        case FE_OAUTH_INIT:
            /* We begin in the initial response phase. */
            Assert(inputlen == -1);
 
            if (!setup_oauth_parameters(conn))
                return SASL_FAILED;
 
            if (conn->oauth_token)
            {
                /*
                 * A previous connection already fetched the token; we'll use
                 * it below.
                 */
            }
            else if (conn->oauth_discovery_uri)
            {
                /*
                 * We don't have a token, but we have a discovery URI already
                 * stored. Decide whether we're using a user-provided OAuth
                 * flow or the one we have built in.
                 */
                if (!setup_token_request(conn, state))
                    return SASL_FAILED;
 
                if (conn->oauth_token)
                {
                    /*
                     * A really smart user implementation may have already
                     * given us the token (e.g. if there was an unexpired copy
                     * already cached), and we can use it immediately.
                     */
                }
                else
                {
                    /*
                     * Otherwise, we'll have to hand the connection over to
                     * our OAuth implementation.
                     *
                     * This could take a while, since it generally involves a
                     * user in the loop. To avoid consuming the server's
                     * authentication timeout, we'll continue this handshake
                     * to the end, so that the server can close its side of
                     * the connection. We'll open a second connection later
                     * once we've retrieved a token.
                     */
                    discover = true;
                }
            }
            else
            {
                /*
                 * If we don't have a token, and we don't have a discovery URI
                 * to be able to request a token, we ask the server for one
                 * explicitly.
                 */
                discover = true;
            }
 
            /*
             * Generate an initial response. This either contains a token, if
             * we have one, or an empty discovery response which is doomed to
             * fail.
             */
            *output = client_initial_response(conn, discover);
            if (!*output)
                return SASL_FAILED;
 
            *outputlen = strlen(*output);
            state->step = FE_OAUTH_BEARER_SENT;
 
            if (conn->oauth_token)
            {
                /*
                 * For the purposes of require_auth, our side of
                 * authentication is done at this point; the server will
                 * either accept the connection or send an error. Unlike
                 * SCRAM, there is no additional server data to check upon
                 * success.
                 */
                conn->client_finished_auth = true;
            }
 
            return SASL_CONTINUE;
 
        case FE_OAUTH_BEARER_SENT:
            if (final)
            {
                /*
                 * OAUTHBEARER does not make use of additional data with a
                 * successful SASL exchange, so we shouldn't get an
                 * AuthenticationSASLFinal message.
                 */
                libpq_append_conn_error(conn,
                                        "server sent unexpected additional OAuth data");
                return SASL_FAILED;
            }
 
            /*
             * An error message was sent by the server. Respond with the
             * required dummy message (RFC 7628, sec. 3.2.3).
             */
            *output = strdup(kvsep);
            if (unlikely(!*output))
            {
                libpq_append_conn_error(conn, "out of memory");
                return SASL_FAILED;
            }
            *outputlen = strlen(*output);   /* == 1 */
 
            /* Grab the settings from discovery. */
            if (!handle_oauth_sasl_error(conn, input, inputlen))
                return SASL_FAILED;
 
            if (conn->oauth_token)
            {
                /*
                 * The server rejected our token. Continue onwards towards the
                 * expected FATAL message, but mark our state to catch any
                 * unexpected "success" from the server.
                 */
                state->step = FE_OAUTH_SERVER_ERROR;
                return SASL_CONTINUE;
            }
 
            if (!conn->async_auth)
            {
                /*
                 * No OAuth flow is set up yet. Did we get enough information
                 * from the server to create one?
                 */
                if (!conn->oauth_discovery_uri)
                {
                    libpq_append_conn_error(conn,
                                            "server requires OAuth authentication, but no discovery metadata was provided");
                    return SASL_FAILED;
                }
 
                /* Yes. Set up the flow now. */
                if (!setup_token_request(conn, state))
                    return SASL_FAILED;
 
                if (conn->oauth_token)
                {
                    /*
                     * A token was available in a custom flow's cache. Skip
                     * the asynchronous processing.
                     */
                    goto reconnect;
                }
            }
 
            /*
             * Time to retrieve a token. This involves a number of HTTP
             * connections and timed waits, so we escape the synchronous auth
             * processing and tell PQconnectPoll to transfer control to our
             * async implementation.
             */
            Assert(conn->async_auth);   /* should have been set already */
            state->step = FE_OAUTH_REQUESTING_TOKEN;
            return SASL_ASYNC;
 
        case FE_OAUTH_REQUESTING_TOKEN:
 
            /*
             * We've returned successfully from token retrieval. Double-check
             * that we have what we need for the next connection.
             */
            if (!conn->oauth_token)
            {
                Assert(false);  /* should have failed before this point! */
                libpq_append_conn_error(conn,
                                        "internal error: OAuth flow did not set a token");
                return SASL_FAILED;
            }
 
            goto reconnect;
 
        case FE_OAUTH_SERVER_ERROR:
 
            /*
             * After an error, the server should send an error response to
             * fail the SASL handshake, which is handled in higher layers.
             *
             * If we get here, the server either sent *another* challenge
             * which isn't defined in the RFC, or completed the handshake
             * successfully after telling us it was going to fail. Neither is
             * acceptable.
             */
            libpq_append_conn_error(conn,
                                    "server sent additional OAuth data after error");
            return SASL_FAILED;
 
        default:
            libpq_append_conn_error(conn, "invalid OAuth exchange state");
            break;
    }
 
    Assert(false);              /* should never get here */
    return SASL_FAILED;
 
reconnect:
 
    /*
     * Despite being a failure from the point of view of SASL, we have enough
     * information to restart with a new connection.
     */
    libpq_append_conn_error(conn, "retrying connection with new bearer token");
    conn->oauth_want_retry = true;
    return SASL_FAILED;
}

References Assert, pg_conn::async_auth, pg_conn::client_finished_auth, client_initial_response(), conn, fb(), FE_OAUTH_BEARER_SENT, FE_OAUTH_INIT, FE_OAUTH_REQUESTING_TOKEN, FE_OAUTH_SERVER_ERROR, handle_oauth_sasl_error(), input, kvsep, libpq_append_conn_error(), pg_conn::oauth_discovery_uri, pg_conn::oauth_token, pg_conn::oauth_want_retry, output, SASL_ASYNC, SASL_CONTINUE, SASL_FAILED, setup_oauth_parameters(), setup_token_request(), and unlikely.

oauth_free()

static void oauth_free ( void *  opaq )

static

Definition at line 91 of file fe-auth-oauth.c.

{
    fe_oauth_state *state = opaq;
 
    /* Any async authentication state should have been cleaned up already. */
    Assert(!state->async_ctx);
 
    free(state);
}

References Assert, fb(), and free.

oauth_init()

static void * oauth_init ( PGconn *  conn, const char *  password, const char *  sasl_mechanism  )

static

Definition at line 60 of file fe-auth-oauth.c.

{
    fe_oauth_state *state;
 
    /*
     * We only support one SASL mechanism here; anything else is programmer
     * error.
     */
    Assert(sasl_mechanism != NULL);
    Assert(strcmp(sasl_mechanism, OAUTHBEARER_NAME) == 0);
 
    state = calloc(1, sizeof(*state));
    if (!state)
        return NULL;
 
    state->step = FE_OAUTH_INIT;
    state->conn = conn;
 
    return state;
}

References Assert, calloc, conn, fb(), FE_OAUTH_INIT, and OAUTHBEARER_NAME.

oauth_json_array_end()

static JsonParseErrorType oauth_json_array_end ( void *  state )

static

Definition at line 290 of file fe-auth-oauth.c.

{
    struct json_ctx *ctx = state;
 
    --ctx->nested;
    return JSON_SUCCESS;
}

References JSON_SUCCESS, and json_ctx::nested.

Referenced by handle_oauth_sasl_error().

oauth_json_array_start()

static JsonParseErrorType oauth_json_array_start ( void *  state )

static

Definition at line 265 of file fe-auth-oauth.c.

{
    struct json_ctx *ctx = state;
 
    if (!ctx->nested)
    {
        oauth_json_set_error(ctx, "top-level element must be an object");
    }
    else if (ctx->target_field)
    {
        Assert(ctx->nested == 1);
 
        oauth_json_set_error(ctx,
                             "field \"%s\" must be a string",
                             ctx->target_field_name);
    }
 
    ++ctx->nested;
    if (ctx->nested > MAX_SASL_NESTING_LEVEL)
        oauth_json_set_error(ctx, "JSON is too deeply nested");
 
    return oauth_json_has_error(ctx) ? JSON_SEM_ACTION_FAILED : JSON_SUCCESS;
}

References Assert, JSON_SEM_ACTION_FAILED, JSON_SUCCESS, MAX_SASL_NESTING_LEVEL, json_ctx::nested, oauth_json_has_error, oauth_json_set_error, json_ctx::target_field, and json_ctx::target_field_name.

Referenced by handle_oauth_sasl_error().

oauth_json_object_end()

static JsonParseErrorType oauth_json_object_end ( void *  state )

static

Definition at line 228 of file fe-auth-oauth.c.

{
    struct json_ctx *ctx = state;
 
    --ctx->nested;
    return JSON_SUCCESS;
}

References JSON_SUCCESS, and json_ctx::nested.

Referenced by handle_oauth_sasl_error().

oauth_json_object_field_start()

static JsonParseErrorType oauth_json_object_field_start ( void *  state, char *  name, bool  isnull  )

static

Definition at line 237 of file fe-auth-oauth.c.

{
    struct json_ctx *ctx = state;
 
    /* Only top-level keys are considered. */
    if (ctx->nested == 1)
    {
        if (strcmp(name, ERROR_STATUS_FIELD) == 0)
        {
            ctx->target_field_name = ERROR_STATUS_FIELD;
            ctx->target_field = &ctx->status;
        }
        else if (strcmp(name, ERROR_SCOPE_FIELD) == 0)
        {
            ctx->target_field_name = ERROR_SCOPE_FIELD;
            ctx->target_field = &ctx->scope;
        }
        else if (strcmp(name, ERROR_OPENID_CONFIGURATION_FIELD) == 0)
        {
            ctx->target_field_name = ERROR_OPENID_CONFIGURATION_FIELD;
            ctx->target_field = &ctx->discovery_uri;
        }
    }
 
    return JSON_SUCCESS;
}

References json_ctx::discovery_uri, ERROR_OPENID_CONFIGURATION_FIELD, ERROR_SCOPE_FIELD, ERROR_STATUS_FIELD, fb(), JSON_SUCCESS, name, json_ctx::nested, json_ctx::scope, json_ctx::status, json_ctx::target_field, and json_ctx::target_field_name.

Referenced by handle_oauth_sasl_error().

oauth_json_object_start()

static JsonParseErrorType oauth_json_object_start ( void *  state )

static

Definition at line 207 of file fe-auth-oauth.c.

{
    struct json_ctx *ctx = state;
 
    if (ctx->target_field)
    {
        Assert(ctx->nested == 1);
 
        oauth_json_set_error(ctx,
                             "field \"%s\" must be a string",
                             ctx->target_field_name);
    }
 
    ++ctx->nested;
    if (ctx->nested > MAX_SASL_NESTING_LEVEL)
        oauth_json_set_error(ctx, "JSON is too deeply nested");
 
    return oauth_json_has_error(ctx) ? JSON_SEM_ACTION_FAILED : JSON_SUCCESS;
}

References Assert, JSON_SEM_ACTION_FAILED, JSON_SUCCESS, MAX_SASL_NESTING_LEVEL, json_ctx::nested, oauth_json_has_error, oauth_json_set_error, json_ctx::target_field, and json_ctx::target_field_name.

Referenced by handle_oauth_sasl_error().

oauth_json_scalar()

static JsonParseErrorType oauth_json_scalar ( void *  state, char *  token, JsonTokenType  type  )

static

Definition at line 299 of file fe-auth-oauth.c.

{
    struct json_ctx *ctx = state;
 
    if (!ctx->nested)
    {
        oauth_json_set_error(ctx, "top-level element must be an object");
        return JSON_SEM_ACTION_FAILED;
    }
 
    if (ctx->target_field)
    {
        if (ctx->nested != 1)
        {
            /*
             * ctx->target_field should not have been set for nested keys.
             * Assert and don't continue any further for production builds.
             */
            Assert(false);
            oauth_json_set_error_internal(ctx,
                                          "internal error: target scalar found at nesting level %d during OAUTHBEARER parsing",
                                          ctx->nested);
            return JSON_SEM_ACTION_FAILED;
        }
 
        /*
         * We don't allow duplicate field names; error out if the target has
         * already been set.
         */
        if (*ctx->target_field)
        {
            oauth_json_set_error(ctx,
                                 "field \"%s\" is duplicated",
                                 ctx->target_field_name);
            return JSON_SEM_ACTION_FAILED;
        }
 
        /* The only fields we support are strings. */
        if (type != JSON_TOKEN_STRING)
        {
            oauth_json_set_error(ctx,
                                 "field \"%s\" must be a string",
                                 ctx->target_field_name);
            return JSON_SEM_ACTION_FAILED;
        }
 
        *ctx->target_field = strdup(token);
        if (!*ctx->target_field)
            return JSON_OUT_OF_MEMORY;
 
        ctx->target_field = NULL;
        ctx->target_field_name = NULL;
    }
    else
    {
        /* otherwise we just ignore it */
    }
 
    return JSON_SUCCESS;
}

References Assert, fb(), JSON_OUT_OF_MEMORY, JSON_SEM_ACTION_FAILED, JSON_SUCCESS, JSON_TOKEN_STRING, json_ctx::nested, oauth_json_set_error, oauth_json_set_error_internal, json_ctx::target_field, json_ctx::target_field_name, and type.

Referenced by handle_oauth_sasl_error().

poison_req_v2()

static void poison_req_v2 ( PGoauthBearerRequestV2 *  request, bool  poison  )

static

Definition at line 1467 of file fe-auth-oauth.c.

{
#ifdef USE_VALGRIND
    void       *const base = (char *) request + sizeof(request->v1);
    const size_t len = sizeof(*request) - sizeof(request->v1);
#endif
 
    if (poison)
    {
        /* Poison request->issuer with a mask to help uninstrumented builds. */
        request->issuer = POISON_MASK(request->issuer);
 
        /*
         * We'll check to make sure request->error wasn't assigned when
         * unpoisoning, so it had better not be assigned now.
         */
        Assert(!request->error);
 
        VALGRIND_MAKE_MEM_NOACCESS(base, len);
    }
    else
    {
        /*
         * XXX Using DEFINED here is technically too lax; we might catch
         * struct padding in the blast radius. But since this API has to
         * poison stack addresses, and Valgrind can't track/manage undefined
         * stack regions, we can't be any stricter without tracking the
         * original state of the memory.
         */
        VALGRIND_MAKE_MEM_DEFINED(base, len);
 
        /* Undo our mask. */
        request->issuer = POISON_MASK(request->issuer);
 
        /*
         * For uninstrumented builds, make sure request->error wasn't touched.
         */
        if (request->error)
        {
            fprintf(stderr,
                    "abort! out-of-bounds write to PGoauthBearerRequest by PQAUTHDATA_OAUTH_BEARER_TOKEN hook\n");
            abort();
        }
    }
}

References Assert, fb(), fprintf, len, POISON_MASK, VALGRIND_MAKE_MEM_DEFINED, and VALGRIND_MAKE_MEM_NOACCESS.

Referenced by do_async(), do_cleanup(), and setup_token_request().

pqClearOAuthToken()

void pqClearOAuthToken

(

PGconn *

conn

)

Definition at line 1431 of file fe-auth-oauth.c.

{
    if (!conn->oauth_token)
        return;
 
    explicit_bzero(conn->oauth_token, strlen(conn->oauth_token));
    free(conn->oauth_token);
    conn->oauth_token = NULL;
}

References conn, explicit_bzero(), fb(), free, and pg_conn::oauth_token.

Referenced by pqClosePGconn(), and PQconnectPoll().

report_flow_error()

static void report_flow_error ( PGconn *  conn, const PGoauthBearerRequestV2 *  request  )

static

Definition at line 690 of file fe-auth-oauth.c.

{
    fe_oauth_state *state = conn->sasl_state;
    const char *errmsg = request->error;
 
    /*
     * User-defined flows are called out explicitly so that the user knows who
     * to blame. Builtin flows don't need that extra message length; we expect
     * them to always fill in request->error on failure anyway.
     */
    if (state->builtin)
    {
        if (!errmsg)
        {
            /*
             * Don't turn a bug here into a crash in production, but don't
             * bother translating either.
             */
            Assert(false);
            errmsg = "builtin flow failed but did not provide an error message";
        }
 
        appendPQExpBufferStr(&conn->errorMessage, errmsg);
    }
    else
    {
        appendPQExpBufferStr(&conn->errorMessage,
                             libpq_gettext("user-defined OAuth flow failed"));
        if (errmsg)
        {
            appendPQExpBufferStr(&conn->errorMessage, ": ");
            appendPQExpBufferStr(&conn->errorMessage, errmsg);
        }
    }
 
    appendPQExpBufferChar(&conn->errorMessage, '\n');
}

References appendPQExpBufferChar(), appendPQExpBufferStr(), Assert, conn, errmsg, pg_conn::errorMessage, fb(), libpq_gettext, and pg_conn::sasl_state.

Referenced by run_oauth_flow(), and setup_token_request().

run_oauth_flow()

static PostgresPollingStatusType run_oauth_flow ( PGconn *  conn )

static

Definition at line 737 of file fe-auth-oauth.c.

{
    fe_oauth_state *state = conn->sasl_state;
    PGoauthBearerRequestV2 *request = state->async_ctx;
    PostgresPollingStatusType status;
 
    if (!request->v1.async)
    {
        Assert(!state->builtin);    /* be very noisy if our code does this */
        libpq_append_conn_error(conn,
                                "user-defined OAuth flow provided neither a token nor an async callback");
        return PGRES_POLLING_FAILED;
    }
 
    status = do_async(state, request);
 
    if (status == PGRES_POLLING_FAILED)
    {
        report_flow_error(conn, request);
        return status;
    }
    else if (status == PGRES_POLLING_OK)
    {
        /*
         * We already have a token, so copy it into the conn. (We can't hold
         * onto the original string, since it may not be safe for us to free()
         * it.)
         */
        if (!request->v1.token)
        {
            Assert(!state->builtin);
            libpq_append_conn_error(conn,
                                    "user-defined OAuth flow did not provide a token");
            return PGRES_POLLING_FAILED;
        }
 
        conn->oauth_token = strdup(request->v1.token);
        if (!conn->oauth_token)
        {
            libpq_append_conn_error(conn, "out of memory");
            return PGRES_POLLING_FAILED;
        }
 
        return PGRES_POLLING_OK;
    }
 
    /* The hook wants the client to poll the altsock. Make sure it set one. */
    if (conn->altsock == PGINVALID_SOCKET)
    {
        Assert(!state->builtin);
        libpq_append_conn_error(conn,
                                "user-defined OAuth flow did not provide a socket for polling");
        return PGRES_POLLING_FAILED;
    }
 
    return status;
}

References pg_conn::altsock, Assert, conn, do_async(), fb(), libpq_append_conn_error(), pg_conn::oauth_token, PGINVALID_SOCKET, PGRES_POLLING_FAILED, PGRES_POLLING_OK, report_flow_error(), pg_conn::sasl_state, and json_ctx::status.

Referenced by setup_token_request().

setup_oauth_parameters()

static bool setup_oauth_parameters ( PGconn *  conn )

static

Definition at line 1110 of file fe-auth-oauth.c.

{
    /*
     * This is the only function that sets conn->oauth_issuer_id. If a
     * previous connection attempt has already computed it, don't overwrite it
     * or the discovery URI. (There's no reason for them to change once
     * they're set, and handle_oauth_sasl_error() will fail the connection if
     * the server attempts to switch them on us later.)
     */
    if (conn->oauth_issuer_id)
        return true;
 
    /*---
     * To talk to a server, we require the user to provide issuer and client
     * identifiers.
     *
     * While it's possible for an OAuth client to support multiple issuers, it
     * requires additional effort to make sure the flows in use are safe -- to
     * quote RFC 9207,
     *
     *     OAuth clients that interact with only one authorization server are
     *     not vulnerable to mix-up attacks. However, when such clients decide
     *     to add support for a second authorization server in the future, they
     *     become vulnerable and need to apply countermeasures to mix-up
     *     attacks.
     *
     * For now, we allow only one.
     */
    if (!conn->oauth_issuer || !conn->oauth_client_id)
    {
        libpq_append_conn_error(conn,
                                "server requires OAuth authentication, but oauth_issuer and oauth_client_id are not both set");
        return false;
    }
 
    /*
     * oauth_issuer is interpreted differently if it's a well-known discovery
     * URI rather than just an issuer identifier.
     */
    if (strstr(conn->oauth_issuer, WK_PREFIX) != NULL)
    {
        /*
         * Convert the URI back to an issuer identifier. (This also performs
         * validation of the URI format.)
         */
        conn->oauth_issuer_id = issuer_from_well_known_uri(conn,
                                                           conn->oauth_issuer);
        if (!conn->oauth_issuer_id)
            return false;       /* error message already set */
 
        conn->oauth_discovery_uri = strdup(conn->oauth_issuer);
        if (!conn->oauth_discovery_uri)
        {
            libpq_append_conn_error(conn, "out of memory");
            return false;
        }
    }
    else
    {
        /*
         * Treat oauth_issuer as an issuer identifier. We'll ask the server
         * for the discovery URI.
         */
        conn->oauth_issuer_id = strdup(conn->oauth_issuer);
        if (!conn->oauth_issuer_id)
        {
            libpq_append_conn_error(conn, "out of memory");
            return false;
        }
    }
 
    return true;
}

References conn, fb(), issuer_from_well_known_uri(), libpq_append_conn_error(), pg_conn::oauth_client_id, pg_conn::oauth_discovery_uri, pg_conn::oauth_issuer, pg_conn::oauth_issuer_id, and WK_PREFIX.

Referenced by oauth_exchange().

setup_token_request()

static bool setup_token_request ( PGconn *  conn, fe_oauth_state *  state  )

static

Definition at line 1016 of file fe-auth-oauth.c.

{
    int         res;
    PGoauthBearerRequestV2 request = {
        .v1 = {
            .openid_configuration = conn->oauth_discovery_uri,
            .scope = conn->oauth_scope,
        },
        .issuer = conn->oauth_issuer_id,
    };
 
    Assert(request.v1.openid_configuration);
    Assert(request.issuer);
 
    /*
     * The client may have overridden the OAuth flow. Try the v2 hook first,
     * then fall back to the v1 implementation. If neither is available, try
     * the builtin flow.
     */
    res = PQauthDataHook(PQAUTHDATA_OAUTH_BEARER_TOKEN_V2, conn, &request);
    if (res == 0)
    {
        poison_req_v2(&request, true);
 
        res = PQauthDataHook(PQAUTHDATA_OAUTH_BEARER_TOKEN, conn, &request);
        state->v1 = (res != 0);
 
        poison_req_v2(&request, false);
    }
    if (res == 0)
    {
        state->builtin = true;
        res = use_builtin_flow(conn, state, &request);
    }
 
    if (res > 0)
    {
        PGoauthBearerRequestV2 *request_copy;
 
        if (request.v1.token)
        {
            /*
             * We already have a token, so copy it into the conn. (We can't
             * hold onto the original string, since it may not be safe for us
             * to free() it.)
             */
            conn->oauth_token = strdup(request.v1.token);
            if (!conn->oauth_token)
            {
                libpq_append_conn_error(conn, "out of memory");
                goto fail;
            }
 
            /* short-circuit */
            do_cleanup(state, &request);
            return true;
        }
 
        request_copy = malloc(sizeof(*request_copy));
        if (!request_copy)
        {
            libpq_append_conn_error(conn, "out of memory");
            goto fail;
        }
 
        *request_copy = request;
 
        conn->async_auth = run_oauth_flow;
        conn->cleanup_async_auth = cleanup_oauth_flow;
        state->async_ctx = request_copy;
 
        return true;
    }
 
    /*
     * Failure cases: either we tried to set up a flow and failed, or there
     * was no flow to try.
     */
    if (res < 0)
        report_flow_error(conn, &request);
    else
        libpq_append_conn_error(conn, "no OAuth flows are available (try installing the libpq-oauth package)");
 
fail:
    do_cleanup(state, &request);
    return false;
}

References Assert, pg_conn::async_auth, pg_conn::cleanup_async_auth, cleanup_oauth_flow(), conn, do_cleanup(), fb(), libpq_append_conn_error(), malloc, pg_conn::oauth_discovery_uri, pg_conn::oauth_issuer_id, pg_conn::oauth_scope, pg_conn::oauth_token, PGoauthBearerRequest::openid_configuration, poison_req_v2(), PQAUTHDATA_OAUTH_BEARER_TOKEN, PQAUTHDATA_OAUTH_BEARER_TOKEN_V2, PQauthDataHook, report_flow_error(), run_oauth_flow(), use_builtin_flow(), and PGoauthBearerRequestV2::v1.

Referenced by oauth_exchange().

use_builtin_flow()

static int use_builtin_flow ( PGconn *  conn, fe_oauth_state *  state, PGoauthBearerRequestV2 *  request  )

static

Definition at line 843 of file fe-auth-oauth.c.

{
    return 0;
}

Referenced by setup_token_request().

Variable Documentation

pg_oauth_mech

const pg_fe_sasl_mech pg_oauth_mech

Initial value:

= {
    oauth_init,
    oauth_exchange,
    oauth_channel_bound,
    oauth_free,
}

Definition at line 47 of file fe-auth-oauth.c.

                                      {
    oauth_init,
    oauth_exchange,
    oauth_channel_bound,
    oauth_free,
};

Referenced by pg_SASL_init(), pqConnectOptions2(), and PQconnectPoll().