On Fri, Feb 27, 2026 at 11:17 AM Jonathan Gonzalez V. <[email protected]> wrote:
> I'm attaching a patch that adds this TLS support making use of the
> already certs system in the `src/test/ssl/` directory and just making
> the `oauth_server.py` script able to support TLS only, this removes the
> plain HTTP support from the server.

Thank you!

> My Python skills are old, but I tried to keep the modifications as
> simple as possible, even that there's an easy way to have the context
> in Python 3.14, I decided to just have a context because the function
> HTTPSServer() is only available from Python 3.14 and above, which is
> not so widely used yet, in the future for sure will be more simple to
> use that function.

Yep, we need to support back to Python 3.6.8 (which I've tested your
patch with locally).

Comments:

> Signed-off-by: Jonathan Gonzalez V. <[email protected]>

Note that we have no signoff convention here, at least that I'm aware
of. It's not a problem to include it, but this will be replaced by an
`Author:` line in the final commit. Submissions here fall under the
Archive Policy:

    https://www.postgresql.org/about/policies/archives/

> +my $certdir = dirname(__FILE__) . "/../../../ssl/ssl";
> +$ENV{PGOAUTHCAFILE} = "$certdir/root+server_ca.crt";

I think we should inject this directory from the build system, instead
of walking across the tree.

> - my $issuer = "http://127.0.0.1:$port";
> + my $issuer = "https://localhost:$port";

Unfortunately this will cause strange bugs [1]: we aren't listening on
IPv6, but Curl will attempt to contact a DNS hostname on both IPv4 and
IPv6 simultaneously, leading to intermittent failures. So we'll need to
get the certificate's SANs working...

> +[ req ]
> +distinguished_name = req_distinguished_name
> +prompt = no
> +
> +[ req_distinguished_name ]
> +CN = localhost
> +OU = PostgreSQL test suite
> +
> +# For Subject Alternative Names
> +[ v3_req ]
> +subjectAltName = @alt_names

...which will require the v3_req section to be enabled here. (We can
move the CommonName into SANs as well, since Curl is a modern web
client.)

> -# To test against HTTP rather than HTTPS, we need to enable PGOAUTHDEBUG. But
> -# first, check to make sure the client refuses such connections by default.
> -$node->connect_fails(

I think we should keep this test; it's an important safeguard. This is
also a good chance to test the case where certificate verification
fails.

> server-ip-in-dnsname \
> + server-ip-localhost \
> server-single-alt-name \

nitpick: Though the naming scheme is not really all that well defined, I
think this probably belongs with the other -alt-name certs rather than
the -ip- certs.

--

To avoid making you play fetch-a-rock, I've attached these comments in
code form as v1.1-0002 (but you're under no obligation to take them if
you'd prefer to do it a different way :D). I also ran oauth_server.py
through Black.

Thanks!
--Jacob

[1] https://postgr.es/m/CAOYmi%2Bn4EDOOUL27_OqYT2-F2rS6S%2B3mK-ppWb2Ec92UEoUbYA%40mail.gmail.com
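Review bot: In the quoted OpenSSL request config, `[ v3_req ]` is defined but nothing selects it: `[ req ]` carries only `distinguished_name` and `prompt`, with no `req_extensions = v3_req`, so the `subjectAltName` line is never written into the request, and the `@alt_names` section that `subjectAltName = @alt_names` points at does not appear in the quoted lines either. Suggest adding `req_extensions = v3_req` under `[ req ]` and an `[ alt_names ]` section with `DNS.1 = localhost`, so that the `https://localhost:$port` issuer in the other hunk matches a DNS SAN rather than relying on the CN.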
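As an added example (not the patch's oauth_server.py and not PostgreSQL's own code), the following shows the two points the exchange above turns on. `make_tls_only_server` is the Python 3.6-compatible way to make an `http.server` instance TLS-only, wrapping the listening socket with an `ssl.SSLContext` instead of the `HTTPSServer()` class that only exists from 3.14; a cleartext client fails the handshake and is dropped. `check_san_config` is a small lint over an OpenSSL request config: it reports whether `[ req ]` actually applies the `v3_req` section and whether a DNS SAN for the issuer hostname is defined. The function names and the certificate paths are assumptions; `QUOTED_CONFIG` is the config quoted from the patch, and `FIXED_CONFIG` is a constructed variant with the missing pieces added.

```python
import http.server
import ssl


def make_tls_only_server(bind, handler, certfile, keyfile):
    """Return an http.server.HTTPServer whose listening socket speaks TLS only.

    Hypothetical helper for Python 3.6+: wrapping the already-listening socket
    with an SSLContext avoids needing http.server.HTTPSServer (3.14+). A client
    that sends plaintext HTTP fails the TLS handshake, so nothing is ever
    served over cleartext.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if hasattr(ssl, "TLSVersion"):  # Python 3.7+
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:  # Python 3.6: the only way to drop old versions is by option flags
        ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    ctx.load_cert_chain(certfile, keyfile)  # e.g. the src/test/ssl server cert/key
    server = http.server.HTTPServer(bind, handler)
    server.socket = ctx.wrap_socket(server.socket, server_side=True)
    return server


def parse_openssl_config(text):
    """Minimal parser for the INI-like OpenSSL config: {section: {key: value}}."""
    sections = {}
    current = sections.setdefault("", {})
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    return sections


def check_san_config(text, hostname):
    """Return the problems that would stop `openssl req` from emitting a DNS SAN
    for `hostname`; an empty list means the config is usable."""
    cfg = parse_openssl_config(text)
    problems = []
    ext_name = cfg.get("req", {}).get("req_extensions")
    if ext_name is None:
        problems.append("[ req ] has no 'req_extensions = ...', so no SAN is applied")
        ext_name = "v3_req"  # still inspect the conventional section
    ext = cfg.get(ext_name)
    if ext is None:
        problems.append("extension section [ %s ] is missing" % ext_name)
        return problems
    san = ext.get("subjectAltName")
    if san is None:
        problems.append("[ %s ] has no subjectAltName" % ext_name)
        return problems
    if san.startswith("@"):  # indirection to a section of DNS.n / IP.n entries
        alt = cfg.get(san[1:])
        if alt is None:
            problems.append("subjectAltName refers to missing section [ %s ]" % san[1:])
            return problems
        names = [v for k, v in alt.items() if k.upper().startswith("DNS")]
    else:  # inline form: subjectAltName = DNS:a, DNS:b
        names = [e.strip()[4:] for e in san.split(",") if e.strip().upper().startswith("DNS:")]
    if hostname not in names:
        problems.append("no DNS SAN for %r (found %r)" % (hostname, names))
    return problems


# The request config quoted from the patch, transcribed from the mail above.
QUOTED_CONFIG = """\
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
CN = localhost
OU = PostgreSQL test suite

# For Subject Alternative Names
[ v3_req ]
subjectAltName = @alt_names
"""

# Constructed fix: select v3_req from [ req ] and define the alt_names list.
FIXED_CONFIG = QUOTED_CONFIG.replace(
    "prompt = no\n", "prompt = no\nreq_extensions = v3_req\n"
) + "\n[ alt_names ]\nDNS.1 = localhost\n"

if __name__ == "__main__":
    for label, cfg in (("quoted", QUOTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_san_config(cfg, "localhost") or "ok")
```

Run against the quoted config the checker reports two problems (no `req_extensions`, no `[ alt_names ]` section); against the constructed fix it reports none, which is the state the certificate generation needs before Curl can verify `https://localhost:$port`.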
v1.1-0001-Add-TLS-support-for-the-OAuth-tests.patch
v1.1-0002-squash-Add-TLS-support-for-the-OAuth-tests.patch
