libpq: Add oauth_ca_file option to change CAs without debugging
PG18 hid the PGOAUTHCAFILE envvar behind PGOAUTHDEBUG=UNSAFE, because I
thought that any "real" production usage of private CA certificates
would have them added to the Curl system trust store. But there are use
cases, such as containerized environments, that prefer to manage custom
CA settings more granularly; some of them consider envvar configuration
of certificates to be standard practice.
Move PGOAUTHCAFILE out from under the debug flag, and add an
oauth_ca_file option to libpq to configure trusted CAs per connection.
Patch by Jonathan Gonzalez V., with some additional wordsmithing and
test organization by me.
Author: Jonathan Gonzalez V. <jonathan.abdiel@gmail.com>
Co-authored-by: Jacob Champion <jacob.champion@enterprisedb.com>
Reviewed-by: Zsolt Parragi <zsolt.parragi@percona.com>
Discussion: https://postgr.es/m/16a91d02795cb991963326a902afa764e4d721db.camel%40gmail.com
Branch
------
master
Details
-------
https://git.postgresql.org/pg/commitdiff/993368113c432832862db29f927c206dab0c0b8a
Modified Files
--------------
doc/src/sgml/libpq.sgml | 40 +++++++++++--
src/interfaces/libpq-oauth/oauth-curl.c | 26 ++++-----
src/interfaces/libpq/fe-connect.c | 5 ++
src/interfaces/libpq/libpq-int.h | 1 +
src/test/modules/oauth_validator/t/001_server.pl | 67 ++++++++++++++--------
src/test/modules/oauth_validator/t/OAuth/Server.pm | 2 +-
6 files changed, 96 insertions(+), 45 deletions(-)
