Re: [PoC] Federated Authn/z with OAUTHBEARER - Mailing list pgsql-hackers
| From | Thomas Munro |
|---|---|
| Subject | Re: [PoC] Federated Authn/z with OAUTHBEARER |
| Date | |
| Msg-id | CA+hUKGL59uY=UpCHEmTL6dpzuWJBVf1Kc4bQADYDEWG9ZDCffA@mail.gmail.com Whole thread Raw |
| In response to | Re: [PoC] Federated Authn/z with OAUTHBEARER (Jacob Champion <jacob.champion@enterprisedb.com>) |
| List | pgsql-hackers |
On Tue, Mar 4, 2025 at 1:07 PM Jacob Champion
<jacob.champion@enterprisedb.com> wrote:
> # [libcurl] * getsockname() failed with errno 22: Invalid argument
Weird.
> Later, Curl reconnects via IPv6 -- this time succeeding -- but then
> the response gets mangled in some way. I assume headers are being
> truncated, based on Curl's complaint about "HTTP/0.9".
And weirder. With no evidence, I kinda wonder if that part could be a
bug in curl, if it gets a failure in an unexpected place like that and
gets confused, but let's start with the error...
> The NetBSD man pages say that EINVAL is returned when the socket is
> already shut down, suggesting some sort of bad interaction between
> Curl and the test authorization server (and/or the OS?). I wonder if
> my test server doesn't handle dual-stack setups correctly. I'll see if
> I can get ktruss working on either side.
POSIX says that about getsockname() too, as does the macOS man page,
but not those of FreeBSD, OpenBSD or Linux, but I don't think that's
the issue. (From a quick peek: FreeBSD (in_getsockaddr) asserts that
sotoinpcb(so) is not NULL so it's always able to cough up the address
from the protocol control block object, while NetBSD (tcp_sockaddr)
and macOS/XNU (in6_getsockaddr) check for NULL and return EINVAL, so
at a wild guess, there may some path somewhere that knows the socket
is shutdown in both directions and all data has been drained so it can
be destroyed, and POSIX doesn't require sockets in this state to be
able to tell you their address so that's all OK?)
It's also unspecified if you haven't called connect() or bind() (well,
POSIX actually says that the address it gives you is unspecified, not
that the error is unspecified...).
I tried on a NetBSD 9 Vagrant box I had lying around, and ... ahh:
28729 1 psql write(0x2, 0x7f7fffddf3d0, 0x24) = 36
"[libcurl] * Trying [::1]:64244...\n"
28729 1 psql setsockopt(0x9, 0x6, 0x1, 0x7f7fffde015c, 0x4) = 0
28729 1 psql setsockopt(0x9, 0xffff, 0x800, 0x7f7fffde015c, 0x4) = 0
26362 1 perl __select50 = 1
28729 1 psql connect Err#36 EINPROGRESS
26362 1 perl read = 36
28729 1 psql getsockname(0x9, 0x7f7fffde0240,
0x7f7fffde023c) Err#22 EINVAL
Other times it succeeds:
28729 1 psql connect Err#36 EINPROGRESS
28729 1 psql getsockname = 0
I think that is telling us that a non-blocking socket can be in a
state that is not yet connected enough even to tell you its local
address? That is, connect() returns without having allocated a local
address, and does that part asynchronously too? I don't know what to
think about that yet...
https://stackoverflow.com/questions/25333547/is-it-safe-to-call-getsockname-while-a-nonblocking-stream-socket-is-connecting
pgsql-hackers by date: