libpq: Add oauth_ca_file option to change CAs without debugging PG18 hid the PGOAUTHCAFILE envvar behind PGOAUTHDEBUG=UNSAFE, because I thought that any "real" production usage of private CA certificates would have them added to the Curl system trust store. But there are use cases, such as containerized environments, that prefer to manage custom CA settings more granularly; some of them consider envvar configuration of certificates to be standard practice.
Move PGOAUTHCAFILE out from under the debug flag, and add an oauth_ca_file option to libpq to configure trusted CAs per connection. Patch by Jonathan Gonzalez V., with some additional wordsmithing and test organization by me. Author: Jonathan Gonzalez V. <[email protected]> Co-authored-by: Jacob Champion <[email protected]> Reviewed-by: Zsolt Parragi <[email protected]> Discussion: https://postgr.es/m/16a91d02795cb991963326a902afa764e4d721db.camel%40gmail.com Branch ------ master Details ------- https://git.postgresql.org/pg/commitdiff/993368113c432832862db29f927c206dab0c0b8a Modified Files -------------- doc/src/sgml/libpq.sgml | 40 +++++++++++-- src/interfaces/libpq-oauth/oauth-curl.c | 26 ++++----- src/interfaces/libpq/fe-connect.c | 5 ++ src/interfaces/libpq/libpq-int.h | 1 + src/test/modules/oauth_validator/t/001_server.pl | 67 ++++++++++++++-------- src/test/modules/oauth_validator/t/OAuth/Server.pm | 2 +- 6 files changed, 96 insertions(+), 45 deletions(-)
