git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Jacob Champion <jchampion@postgresql.org>
	Mon, 30 Mar 2026 21:14:45 +0000 (14:14 -0700)
committer	Jacob Champion <jchampion@postgresql.org>
	Mon, 30 Mar 2026 21:14:45 +0000 (14:14 -0700)
commit	993368113c432832862db29f927c206dab0c0b8a
tree	8a203164a1034db15fdac5a4ce9d9daac4f5e910	tree \| snapshot
parent	bab2f27eaaad77f799ecc224f9e11b09adb07d5a	commit \| diff

libpq: Add oauth_ca_file option to change CAs without debugging

PG18 hid the PGOAUTHCAFILE envvar behind PGOAUTHDEBUG=UNSAFE, because I
thought that any "real" production usage of private CA certificates
would have them added to the Curl system trust store. But there are use
cases, such as containerized environments, that prefer to manage custom
CA settings more granularly; some of them consider envvar configuration
of certificates to be standard practice.

Move PGOAUTHCAFILE out from under the debug flag, and add an
oauth_ca_file option to libpq to configure trusted CAs per connection.

Patch by Jonathan Gonzalez V., with some additional wordsmithing and
test organization by me.

Author: Jonathan Gonzalez V. <jonathan.abdiel@gmail.com>
Co-authored-by: Jacob Champion <jacob.champion@enterprisedb.com>
Reviewed-by: Zsolt Parragi <zsolt.parragi@percona.com>
Discussion: https://postgr.es/m/16a91d02795cb991963326a902afa764e4d721db.camel%40gmail.com

doc/src/sgml/libpq.sgml		diff \| blob \| blame \| history
src/interfaces/libpq-oauth/oauth-curl.c		diff \| blob \| blame \| history
src/interfaces/libpq/fe-connect.c		diff \| blob \| blame \| history
src/interfaces/libpq/libpq-int.h		diff \| blob \| blame \| history
src/test/modules/oauth_validator/t/001_server.pl		diff \| blob \| blame \| history
src/test/modules/oauth_validator/t/OAuth/Server.pm		diff \| blob \| blame \| history