Subject: Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode
From: "Jonathan Gonzalez V."
To: Jacob Champion, Daniel Gustafsson
Cc: PostgreSQL Hackers
Date: Tue, 04 Nov 2025 14:00:55 +0100
Message-ID: <7a0e58c5fdaa3686ea0a157ff937fe38954cda8c.camel@gmail.com>
References: <16a91d02795cb991963326a902afa764e4d721db.camel@gmail.com> <3D82D240-1CC5-4CE6-BE30-6065B693D40C@yesql.se>

Hi!
On Mon, 2025-11-03 at 08:24 -0800, Jacob Champion wrote:
>
> But I ran into this annoyance (wanted to override the CA for
> temporary development purposes, got sprayed with debug output) during
> a demo just last month, so I'm in favor of doing something to make
> this easier.

I was creating a demo too. At the beginning it was really useful, but
after some seconds I used to lose the URL and the code; the URL wasn't
an issue later, but the code was.

>
>
> Jonathan, the patch itself claims to handle two cases. What's the
> production use case where a company has its own CA isolated from the
> Internet but isn't willing to add that CA to the system trust?

Well, there are a couple of cases. I figured out after the first
email, thanks to Alvaro, that I wasn't clear in the comments; probably
I should change it. I will try to describe a few cases that I've seen
over the years.

* In Kubernetes, even with network isolation, people tend to prefer
  having TLS connections, just because it's the standard, but in
  internal communications (between namespaces and pods) these domains
  have the format ..svc..local. As you can already imagine, this kind
  of domain cannot be verified by an external CA, but they can be
  generated and verified with an internal CA. Now the question is, why
  don't they add this CA to every distribution? The de facto standard
  way to do this in Kubernetes is to take the CA from a ConfigMap or
  Secret (objects that can provide content inside the infrastructure)
  and deploy it dynamically inside the Pod, so, to indicate the path to
  this file, the standard is to use an environment variable. In this
  case, if the content of the ConfigMap or Secret changes, this will be
  refreshed inside the Pod too.

* Big companies like those managing credit cards or big banks tend to
  have air-gapped environments, which may have exactly the same problem
  while communicating internally: the CA cannot verify an internal
  domain. In these cases the CA is usually moved around and installed
  in a specific path and not the system path (usually because of
  compliance reasons), meaning that you will actually have to provide
  the path to the CA with a variable/configuration/environment.

* Development cases. I think this is clear, but even when you're doing
  development you'll be using a self-signed certificate, and losing the
  URL and the code while developing can be really common; it happened
  to me many times and it wasn't nice looking for the code.

* CI cases. Here you'll not have time to get a certificate just to
  trigger an action against a one-time domain, usually with a random
  domain to not conflict with other CI runs at the same time, and you
  should never expose sensitive information in the CI output like the
  information exposed when enabling PGOAUTHDEBUG="UNSAFE".

> The reason I ask is that we'd briefly talked about splitting
> PGOAUTHDEBUG into more granular settings than just "off" and
> "UNSAFE".

I was thinking the same for another patch that will require discussion
for sure, but it's something similar: add some levels of debug, for
example when you want to have the tokens, or when you only want to see
the URLs used to negotiate (which are really useful when working with
the OAuth flows), or the deep one when you want to see the tokens.

> So if this is a developer-only thing, we could maybe put some more
> design work into the list of debug features. That list currently
> includes the stderr spray, turning off HTTPS, allowing sub-second
> ping intervals, overriding the CA, debugging libpq-oauth link
> failures, counting the calls to the flow -- all of which run the gamut
> from "completely unsafe" to "completely safe".

Oh! Where can I see this list?

I'd love to help with something here! I'm more than open to keep
discussing this, because I can see that many people will be affected
by the same, especially in the Kubernetes world.

Thank you for looking at this!

-- 
Jonathan Gonzalez V.
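The Kubernetes pattern Jonathan describes (internal CA delivered through a Secret, mounted into the Pod, path handed to the client via an environment variable), written out as an added example that is not part of the thread. The Secret, Pod, image and host names are placeholders, and it assumes the behaviour the patch proposes: that libpq-oauth honours PGOAUTHCAFILE without PGOAUTHDEBUG being set.

```yaml
# Constructed example: an internal CA for libpq-oauth's HTTPS calls to
# the OAuth issuer, delivered via a Secret and located with PGOAUTHCAFILE.
apiVersion: v1
kind: Secret
metadata:
  name: internal-ca                  # placeholder name
type: Opaque
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    ...placeholder: PEM of the internal CA...
    -----END CERTIFICATE-----
---
apiVersion: v1
kind: Pod
metadata:
  name: oauth-client                 # placeholder name
spec:
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
      env:
        # Path of the CA file for the OAuth issuer. Per the thread this is
        # only read in debug mode today; the patch makes it work without
        # PGOAUTHDEBUG=UNSAFE, which must stay unset here because it
        # sprays the flow's debug output (tokens included) to stderr.
        - name: PGOAUTHCAFILE
          value: /etc/internal-ca/ca.crt
        # Internal issuer name of the ..svc..local form from the thread.
        - name: OAUTH_ISSUER           # placeholder, app-specific
          value: https://idp.auth.svc.cluster.local
      volumeMounts:
        - name: internal-ca
          mountPath: /etc/internal-ca  # whole directory, not subPath
          readOnly: true
  volumes:
    - name: internal-ca
      secret:
        secretName: internal-ca
        items:
          - key: ca.crt
            path: ca.crt
```

Mount the Secret as a directory rather than with subPath: directory mounts are updated by the kubelet when the Secret changes, which is the refresh behaviour the post relies on, while subPath mounts are not.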