pgjdbc / r2dbc-postgresql

Postgresql R2DBC Driver
https://r2dbc.io
Apache License 2.0

Update SCRAM dependency to 3.0 #645

Closed jorsol closed 7 months ago

jorsol commented 7 months ago

Feature Request

A new release of the SCRAM dependency is available, update the dependency to version 3.0.

mp911de commented 7 months ago

Thanks a lot for letting us know. The stage-based approach to SCRAM auth is gone and now requires upfront knowledge of whether we want to authenticate via password or a key. Also, the changes look non-trivial.

jorsol commented 7 months ago

> Thanks a lot for letting us know. The stage-based approach to SCRAM auth is gone and now requires upfront knowledge of whether we want to authenticate via password or a key. Also, the changes look non-trivial.

The changes are trivial at least to upgrade the current dependency, using the key or salted password is optional and only needed if the client (r2dbc) does some cache upfront.

What is not so trivial is allowing channel binding; this requires access to the SSLSession to extract the client peer certificate and use it in the negotiation.

jorsol commented 7 months ago

These are the changes needed to upgrade the dependency: https://github.com/pgjdbc/r2dbc-postgresql/pull/646

Channel binding support is not implemented yet since it needs access to the connection and I'm not familiar with the codebase here, but the idea is to do something like this: https://github.com/pgjdbc/pgjdbc/blob/84e538b05693c57953bcdbdb9aa4fcebb6d2184f/pgjdbc/src/main/java/org/postgresql/core/v3/ScramAuthenticator.java#L87-L107

mp911de commented 7 months ago

Wow. It seems that I got the wrong class for starters and hence assumed it was more complex. Thank you so much.

Do you have a pointer for the SSL auth config within Postgres so I can give it a spin?

mp911de commented 7 months ago

Thanks for your support. I added channel binding by extracting the first certificate from the SSL session. On a related note, there are setups like Google Cloud that put SSL terminators in front of a Postgres box. For the time being, we're only extracting SSL certificates with direct SSL connections where the server terminates SSL and not an SSL proxy.
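How the channel-binding data for SCRAM-SHA-256-PLUS can be derived from an SSLSession, as an added example that is not code from this issue, the linked pull request or the pgjdbc class referenced above. It applies the RFC 5929 tls-server-end-point rule (hash the server's end-entity certificate with its signature hash, substituting SHA-256 for MD5 and SHA-1) and returns null when no usable peer certificate exists; the class and method names are assumptions.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Hypothetical helper: computes "tls-server-end-point" channel-binding data (RFC 5929). */
public final class TlsServerEndPoint {

    /**
     * Returns the channel-binding bytes for the peer's first certificate, or null when the
     * session has no verified peer certificate. Behind an SSL terminator the peer certificate
     * belongs to the proxy, not to Postgres, so the value would not match what the server
     * computes; a caller that knows it is not on a direct TLS connection should skip binding.
     */
    public static byte[] channelBindingData(SSLSession session) {
        Certificate[] chain;
        try {
            chain = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            return null; // no authenticated peer, nothing to bind to
        }
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            return null;
        }
        try {
            return channelBindingData((X509Certificate) chain[0]);
        } catch (CertificateEncodingException | NoSuchAlgorithmException e) {
            return null;
        }
    }

    /** Hashes the DER encoding of the end-entity certificate with the RFC 5929 hash. */
    static byte[] channelBindingData(X509Certificate cert)
            throws CertificateEncodingException, NoSuchAlgorithmException {
        return MessageDigest.getInstance(hashAlgorithmFor(cert.getSigAlgName())).digest(cert.getEncoded());
    }

    /** RFC 5929 section 4.1: use the signature hash, but MD5 and SHA-1 become SHA-256. */
    static String hashAlgorithmFor(String sigAlgName) {
        String upper = sigAlgName.toUpperCase();          // e.g. "SHA256withRSA", "SHA384withECDSA"
        int idx = upper.indexOf("WITH");
        if (idx <= 0) return "SHA-256";                    // assumption: no "with" part (e.g. RSASSA-PSS, Ed25519) -> SHA-256
        String hash = upper.substring(0, idx);
        if (hash.equals("MD5") || hash.equals("SHA1") || hash.equals("SHA-1")) return "SHA-256";
        return hash.startsWith("SHA") && !hash.contains("-") ? "SHA-" + hash.substring(3) : hash; // SHA256 -> SHA-256
    }
}
```

The returned bytes are what a SCRAM client supplies as the channel-binding data when it selects the -PLUS mechanism; the mapping for signature algorithms without an explicit hash is a simplification, not part of RFC 5929.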