ereport(FATAL,
errcode(ERRCODE_INTERNAL_ERROR),
errmsg("OAuth is not properly configured for this user"),
- errdetail_log("The issuer and scope parameters must be set in pg_hba.conf."));
+ errdetail_log("The options \"issuer\" and \"scope\" must be set in pg_hba.conf."));
/*
* Build a default .well-known URI based on our issuer, unless the HBA has
*/
if (validator_init == NULL)
ereport(ERROR,
- errmsg("%s module \"%s\" must define the symbol %s",
- "OAuth validator", libname, "_PG_oauth_validator_module_init"));
+ errmsg("OAuth validator module \"%s\" must define the symbol \"%s\"",
+ libname, "_PG_oauth_validator_module_init"));
ValidatorCallbacks = (*validator_init) ();
Assert(ValidatorCallbacks);
*/
if (ValidatorCallbacks->magic != PG_OAUTH_VALIDATOR_MAGIC)
ereport(ERROR,
- errmsg("%s module \"%s\": magic number mismatch",
- "OAuth validator", libname),
+ errmsg("OAuth validator module \"%s\": magic number mismatch",
+ libname),
errdetail("Server has magic number 0x%08X, module has 0x%08X.",
PG_OAUTH_VALIDATOR_MAGIC, ValidatorCallbacks->magic));
*/
if (ValidatorCallbacks->validate_cb == NULL)
ereport(ERROR,
- errmsg("%s module \"%s\" must provide a %s callback",
- "OAuth validator", libname, "validate_cb"));
+ errmsg("OAuth validator module \"%s\" must provide a \"%s\" callback",
+ libname, "validate_cb"));
/* Allocate memory for validator library private state data */
validator_module_state = palloc0_object(ValidatorModuleState);
{
ereport(elevel,
errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("oauth_validator_libraries must be set for authentication method %s",
- "oauth"),
+ errmsg("parameter \%s\" must be set for authentication method \"%s\"",
+ "oauth_validator_libraries", "oauth"),
errcontext("line %d of configuration file \"%s\"",
line_num, file_name));
- *err_msg = psprintf("oauth_validator_libraries must be set for authentication method %s",
- "oauth");
+ *err_msg = psprintf("parameter \"%s\" must be set for authentication method \"%s\"",
+ "oauth_validator_libraries", "oauth");
return false;
}
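Review bot: The new errmsg format string on the `parameter \%s\"` line drops the backslash before the opening quote, so `\%` is an unknown escape sequence (a compiler warning, and the emitted message would read `parameter oauth_validator_libraries" must be set ...` with no opening quote). It should match the psprintf text a few lines below: `errmsg("parameter \"%s\" must be set for authentication method \"%s\"",`. Since this message is also translatable, the mismatch between the logged and returned strings would additionally produce two different msgids for what is meant to be one message. The enclosing function begins before this hunk.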
ereport(elevel,
errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("authentication method \"oauth\" requires argument \"validator\" to be set when oauth_validator_libraries contains multiple options"),
+ errmsg("authentication method \"oauth\" requires option \"validator\" to be set when \"%s\" contains multiple options",
+ "oauth_validator_libraries"),
errcontext("line %d of configuration file \"%s\"",
line_num, file_name));
- *err_msg = "authentication method \"oauth\" requires argument \"validator\" to be set when oauth_validator_libraries contains multiple options";
+ *err_msg = psprintf("authentication method \"oauth\" requires option \"validator\" to be set when \"%s\" contains multiple options",
+ "oauth_validator_libraries");
goto done;
}
ereport(elevel,
errcode(ERRCODE_INVALID_PARAMETER_VALUE),
- errmsg("validator \"%s\" is not permitted by %s",
+ errmsg("validator \"%s\" is not permitted by \"%s\"",
hbaline->oauth_validator, "oauth_validator_libraries"),
errcontext("line %d of configuration file \"%s\"",
line_num, file_name));
- *err_msg = psprintf("validator \"%s\" is not permitted by %s",
+ *err_msg = psprintf("validator \"%s\" is not permitted by \"%s\"",
hbaline->oauth_validator, "oauth_validator_libraries");
done:
struct async_ctx *_actx = (ACTX); \
CURLMcode _setopterr = curl_multi_setopt(_actx->curlm, OPT, VAL); \
if (_setopterr) { \
- actx_error(_actx, "failed to set %s on OAuth connection: %s",\
+ actx_error(_actx, "could not set libcurl option \"%s\" on OAuth connection: %s",\
#OPT, curl_multi_strerror(_setopterr)); \
FAILACTION; \
} \
struct async_ctx *_actx = (ACTX); \
CURLcode _setopterr = curl_easy_setopt(_actx->curl, OPT, VAL); \
if (_setopterr) { \
- actx_error(_actx, "failed to set %s on OAuth connection: %s",\
+ actx_error(_actx, "could not set libcurl option \"%s\" on OAuth connection: %s",\
#OPT, curl_easy_strerror(_setopterr)); \
FAILACTION; \
} \
struct async_ctx *_actx = (ACTX); \
CURLcode _getinfoerr = curl_easy_getinfo(_actx->curl, INFO, OUT); \
if (_getinfoerr) { \
- actx_error(_actx, "failed to get %s from OAuth response: %s",\
+ actx_error(_actx, "could not get libcurl info \"%s\" from OAuth response: %s",\
#INFO, curl_easy_strerror(_getinfoerr)); \
FAILACTION; \
} \
if (strlen(resp->data) != resp->len)
{
- actx_error(actx, "response contains embedded NULLs");
+ actx_error(actx, "response contains embedded null");
return false;
}
* override the errctx if parsing explicitly fails.
*/
if (!result)
- actx->errctx = libpq_gettext("failed to parse token error response");
+ actx->errctx = libpq_gettext("could not parse token error response");
return result;
}
actx->mux = epoll_create1(EPOLL_CLOEXEC);
if (actx->mux < 0)
{
- actx_error_internal(actx, "failed to create epoll set: %m");
+ actx_error_internal(actx, "could not create epoll set: %m");
return false;
}
actx->timerfd = timerfd_create(CLOCK_MONOTONIC, TFD_CLOEXEC);
if (actx->timerfd < 0)
{
- actx_error_internal(actx, "failed to create timerfd: %m");
+ actx_error_internal(actx, "could not create timerfd: %m");
return false;
}
if (epoll_ctl(actx->mux, EPOLL_CTL_ADD, actx->timerfd, &ev) < 0)
{
- actx_error_internal(actx, "failed to add timerfd to epoll set: %m");
+ actx_error_internal(actx, "could not add timerfd to epoll set: %m");
return false;
}
actx->mux = kqueue();
if (actx->mux < 0)
{
- actx_error_internal(actx, "failed to create kqueue: %m");
+ actx_error_internal(actx, "could not create kqueue: %m");
return false;
}
actx->timerfd = kqueue();
if (actx->timerfd < 0)
{
- actx_error_internal(actx, "failed to create timer kqueue: %m");
+ actx_error_internal(actx, "could not create timer kqueue: %m");
return false;
}
break;
default:
- actx_error_internal(actx, "unknown libcurl socket operation: %d", what);
+ actx_error_internal(actx, "unrecognized libcurl socket operation: %d", what);
return -1;
}
break;
default:
- actx_error_internal(actx, "unknown libcurl socket operation: %d", what);
+ actx_error_internal(actx, "unrecognized libcurl socket operation: %d", what);
return -1;
}
if (timerfd_settime(actx->timerfd, 0 /* no flags */ , &spec, NULL) < 0)
{
- actx_error_internal(actx, "setting timerfd to %ld: %m", timeout);
+ actx_error_internal(actx, "could not set timerfd to %ld: %m", timeout);
return false;
}
EV_SET(&ev, 1, EVFILT_TIMER, EV_DELETE, 0, 0, 0);
if (kevent(actx->timerfd, &ev, 1, NULL, 0, NULL) < 0 && errno != ENOENT)
{
- actx_error_internal(actx, "deleting kqueue timer: %m");
+ actx_error_internal(actx, "could not delete kqueue timer: %m");
return false;
}
EV_SET(&ev, actx->timerfd, EVFILT_READ, EV_DELETE, 0, 0, 0);
if (kevent(actx->mux, &ev, 1, NULL, 0, NULL) < 0 && errno != ENOENT)
{
- actx_error_internal(actx, "removing kqueue timer from multiplexer: %m");
+ actx_error_internal(actx, "could not remove kqueue timer from multiplexer: %m");
return false;
}
EV_SET(&ev, 1, EVFILT_TIMER, (EV_ADD | EV_ONESHOT), 0, timeout, 0);
if (kevent(actx->timerfd, &ev, 1, NULL, 0, NULL) < 0)
{
- actx_error_internal(actx, "setting kqueue timer to %ld: %m", timeout);
+ actx_error_internal(actx, "could not set kqueue timer to %ld: %m", timeout);
return false;
}
EV_SET(&ev, actx->timerfd, EVFILT_READ, EV_ADD, 0, 0, 0);
if (kevent(actx->mux, &ev, 1, NULL, 0, NULL) < 0)
{
- actx_error_internal(actx, "adding kqueue timer to multiplexer: %m");
+ actx_error_internal(actx, "could not add kqueue timer to multiplexer: %m");
return false;
}
res = PQsocketPoll(actx->timerfd, 1 /* forRead */ , 0, 0);
if (res < 0)
{
- actx_error(actx, "checking timer expiration: %m");
+ actx_error(actx, "could not check timer expiration: %m");
return -1;
}
if (!actx->curlm)
{
/* We don't get a lot of feedback on the failure reason. */
- actx_error(actx, "failed to create libcurl multi handle");
+ actx_error(actx, "could not create libcurl multi handle");
return false;
}
actx->curl = curl_easy_init();
if (!actx->curl)
{
- actx_error(actx, "failed to create libcurl handle");
+ actx_error(actx, "could not create libcurl handle");
return false;
}
err = curl_multi_add_handle(actx->curlm, actx->curl);
if (err)
{
- actx_error(actx, "failed to queue HTTP request: %s",
+ actx_error(actx, "could not queue HTTP request: %s",
curl_multi_strerror(err));
return false;
}
/*
* Pull the fields we care about from the document.
*/
- actx->errctx = libpq_gettext("failed to parse OpenID discovery document");
+ actx->errctx = libpq_gettext("could not parse OpenID discovery document");
if (!parse_provider(actx, &actx->provider))
return false; /* error message already set */
if (strcmp(oauth_issuer_id, provider->issuer) != 0)
{
actx_error(actx,
- "the issuer identifier (%s) does not match oauth_issuer (%s)",
+ "issuer identifier (%s) does not match oauth_issuer (%s)",
provider->issuer, oauth_issuer_id);
return false;
}
*/
if (response_code == 200)
{
- actx->errctx = libpq_gettext("failed to parse device authorization");
+ actx->errctx = libpq_gettext("could not parse device authorization");
if (!parse_device_authz(actx, &actx->authz))
return false; /* error message already set */
*/
if (response_code == 200)
{
- actx->errctx = libpq_gettext("failed to parse access token response");
+ actx->errctx = libpq_gettext("could not parse access token response");
if (!parse_access_token(actx, tok))
return false; /* error message already set */
switch (actx->step)
{
case OAUTH_STEP_INIT:
- actx->errctx = libpq_gettext("failed to fetch OpenID discovery document");
+ actx->errctx = libpq_gettext("could not fetch OpenID discovery document");
if (!start_discovery(actx, actx->discovery_uri))
goto error_return;
if (!check_for_device_flow(actx))
goto error_return;
- actx->errctx = libpq_gettext("failed to obtain device authorization");
+ actx->errctx = libpq_gettext("could not obtain device authorization");
if (!start_device_authz(actx, conn))
goto error_return;
if (!finish_device_authz(actx))
goto error_return;
- actx->errctx = libpq_gettext("failed to obtain access token");
+ actx->errctx = libpq_gettext("could not obtain access token");
if (!start_token_request(actx, conn))
goto error_return;
break;
case OAUTH_STEP_WAIT_INTERVAL:
- actx->errctx = libpq_gettext("failed to obtain access token");
+ actx->errctx = libpq_gettext("could not obtain access token");
if (!start_token_request(actx, conn))
goto error_return;
# Key off of the "peer certificate" portion, since that seems to have
# remained constant over a long period of time.
expected_stderr =>
- qr/failed to fetch OpenID discovery document:.*peer certificate/i);
+ qr/could not fetch OpenID discovery document:.*peer certificate/i);
}
my $alternative_ca = "$ENV{cert_dir}/root+server_ca.crt";
connstr(stage => 'device', huge_response => JSON::PP::true),
"bad device authz response: overlarge JSON",
expected_stderr =>
- qr/failed to obtain device authorization: response is too large/);
+ qr/could not obtain device authorization: response is too large/);
$node->connect_fails(
connstr(stage => 'token', huge_response => JSON::PP::true),
"bad token response: overlarge JSON",
expected_stderr =>
- qr/failed to obtain access token: response is too large/);
+ qr/could not obtain access token: response is too large/);
my $nesting_limit = 16;
$node->connect_ok(
connstr(stage => 'device', nested_array => $nesting_limit + 1),
"bad discovery response: overly nested JSON array",
expected_stderr =>
- qr/failed to parse device authorization: JSON is too deeply nested/);
+ qr/could not parse device authorization: JSON is too deeply nested/);
$node->connect_fails(
connstr(stage => 'device', nested_object => $nesting_limit + 1),
"bad discovery response: overly nested JSON object",
expected_stderr =>
- qr/failed to parse device authorization: JSON is too deeply nested/);
+ qr/could not parse device authorization: JSON is too deeply nested/);
$node->connect_fails(
connstr(stage => 'device', content_type => 'text/plain'),
"bad device authz response: wrong content type",
expected_stderr =>
- qr/failed to parse device authorization: unexpected content type/);
+ qr/could not parse device authorization: unexpected content type/);
$node->connect_fails(
connstr(stage => 'token', content_type => 'text/plain'),
"bad token response: wrong content type",
expected_stderr =>
- qr/failed to parse access token response: unexpected content type/);
+ qr/could not parse access token response: unexpected content type/);
$node->connect_fails(
connstr(stage => 'token', content_type => 'application/jsonx'),
"bad token response: wrong content type (correct prefix)",
expected_stderr =>
- qr/failed to parse access token response: unexpected content type/);
+ qr/could not parse access token response: unexpected content type/);
$node->connect_fails(
connstr(
retry_code => "slow_down"),
"bad token response: server overflows the device authz interval",
expected_stderr =>
- qr/failed to obtain access token: slow_down interval overflow/);
+ qr/could not obtain access token: slow_down interval overflow/);
$node->connect_fails(
connstr(stage => 'token', error_code => "invalid_grant"),
"bad token response: invalid_grant, no description",
- expected_stderr => qr/failed to obtain access token: \(invalid_grant\)/);
+ expected_stderr => qr/could not obtain access token: \(invalid_grant\)/);
$node->connect_fails(
connstr(
stage => 'token',
error_desc => "grant expired"),
"bad token response: expired grant",
expected_stderr =>
- qr/failed to obtain access token: grant expired \(invalid_grant\)/);
+ qr/could not obtain access token: grant expired \(invalid_grant\)/);
$node->connect_fails(
connstr(
stage => 'token',
error_status => 401),
"bad token response: client authentication failure, default description",
expected_stderr =>
- qr/failed to obtain access token: provider requires client authentication, and no oauth_client_secret is set \(invalid_client\)/
+ qr/could not obtain access token: provider requires client authentication, and no oauth_client_secret is set \(invalid_client\)/
);
$node->connect_fails(
connstr(
error_desc => "authn failure"),
"bad token response: client authentication failure, provided description",
expected_stderr =>
- qr/failed to obtain access token: authn failure \(invalid_client\)/);
+ qr/could not obtain access token: authn failure \(invalid_client\)/);
$node->connect_fails(
connstr(stage => 'token', token => ""),
error_status => 401),
"bad token response: client authentication failure, default description with oauth_client_secret",
expected_stderr =>
- qr/failed to obtain access token: provider rejected the oauth_client_secret \(invalid_client\)/
+ qr/could not obtain access token: provider rejected the oauth_client_secret \(invalid_client\)/
);
$node->connect_fails(
connstr(
error_desc => "mutual TLS required for client"),
"bad token response: client authentication failure, provided description with oauth_client_secret",
expected_stderr =>
- qr/failed to obtain access token: mutual TLS required for client \(invalid_client\)/
+ qr/could not obtain access token: mutual TLS required for client \(invalid_client\)/
);
# Count the number of calls to the internal flow when multiple retries are
'restart fails without explicit validators in oauth HBA entries');
$log_start = $node->wait_for_log(
- qr/authentication method "oauth" requires argument "validator" to be set/,
+ qr/authentication method "oauth" requires option "validator" to be set/,
$log_start);
unlink($node->data_dir . '/pg_hba.conf');