upstream/postgresql
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2026-06-10 09:10:33 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Message style improvements (oauth related)

Browse source
This commit is contained in:
Peter Eisentraut 2026-05-05 09:59:49 +02:00
parent eb2e2eb4d4
commit 22f9207aaa
3 changed files with 62 additions and 60 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
src/backend/libpq/auth-oauth.c
View file

@ -542,7 +542,7 @@ generate_error_response(struct oauth_ctx *ctx, char **output, int *outputlen)
ereport(FATAL, ereport(FATAL,
errcode(ERRCODE_INTERNAL_ERROR), errcode(ERRCODE_INTERNAL_ERROR),
errmsg("OAuth is not properly configured for this user"), errmsg("OAuth is not properly configured for this user"),
errdetail_log("The issuer and scope parameters must be set in pg_hba.conf.")); errdetail_log("The options \"issuer\" and \"scope\" must be set in pg_hba.conf."));
/* /*
* Build a default .well-known URI based on our issuer, unless the HBA has * Build a default .well-known URI based on our issuer, unless the HBA has
@ -791,8 +791,8 @@ load_validator_library(const char *libname)
*/ */
if (validator_init == NULL) if (validator_init == NULL)
ereport(ERROR, ereport(ERROR,
errmsg("%s module \"%s\" must define the symbol %s", errmsg("OAuth validator module \"%s\" must define the symbol \"%s\"",
"OAuth validator", libname, "_PG_oauth_validator_module_init")); libname, "_PG_oauth_validator_module_init"));
ValidatorCallbacks = (*validator_init) (); ValidatorCallbacks = (*validator_init) ();
Assert(ValidatorCallbacks); Assert(ValidatorCallbacks);
@ -804,8 +804,8 @@ load_validator_library(const char *libname)
*/ */
if (ValidatorCallbacks->magic != PG_OAUTH_VALIDATOR_MAGIC) if (ValidatorCallbacks->magic != PG_OAUTH_VALIDATOR_MAGIC)
ereport(ERROR, ereport(ERROR,
errmsg("%s module \"%s\": magic number mismatch", errmsg("OAuth validator module \"%s\": magic number mismatch",
"OAuth validator", libname), libname),
errdetail("Server has magic number 0x%08X, module has 0x%08X.", errdetail("Server has magic number 0x%08X, module has 0x%08X.",
PG_OAUTH_VALIDATOR_MAGIC, ValidatorCallbacks->magic)); PG_OAUTH_VALIDATOR_MAGIC, ValidatorCallbacks->magic));
@ -815,8 +815,8 @@ load_validator_library(const char *libname)
*/ */
if (ValidatorCallbacks->validate_cb == NULL) if (ValidatorCallbacks->validate_cb == NULL)
ereport(ERROR, ereport(ERROR,
errmsg("%s module \"%s\" must provide a %s callback", errmsg("OAuth validator module \"%s\" must provide a \"%s\" callback",
"OAuth validator", libname, "validate_cb")); libname, "validate_cb"));
/* Allocate memory for validator library private state data */ /* Allocate memory for validator library private state data */
validator_module_state = palloc0_object(ValidatorModuleState); validator_module_state = palloc0_object(ValidatorModuleState);
@ -867,12 +867,12 @@ check_oauth_validator(HbaLine *hbaline, int elevel, char **err_msg)
{ {
ereport(elevel, ereport(elevel,
errcode(ERRCODE_CONFIG_FILE_ERROR), errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("oauth_validator_libraries must be set for authentication method %s", errmsg("parameter \%s\" must be set for authentication method \"%s\"",
"oauth"), "oauth_validator_libraries", "oauth"),
errcontext("line %d of configuration file \"%s\"", errcontext("line %d of configuration file \"%s\"",
line_num, file_name)); line_num, file_name));
*err_msg = psprintf("oauth_validator_libraries must be set for authentication method %s", *err_msg = psprintf("parameter \"%s\" must be set for authentication method \"%s\"",
"oauth"); "oauth_validator_libraries", "oauth");
return false; return false;
} }
@ -901,10 +901,12 @@ check_oauth_validator(HbaLine *hbaline, int elevel, char **err_msg)
ereport(elevel, ereport(elevel,
errcode(ERRCODE_CONFIG_FILE_ERROR), errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("authentication method \"oauth\" requires argument \"validator\" to be set when oauth_validator_libraries contains multiple options"), errmsg("authentication method \"oauth\" requires option \"validator\" to be set when \"%s\" contains multiple options",
"oauth_validator_libraries"),
errcontext("line %d of configuration file \"%s\"", errcontext("line %d of configuration file \"%s\"",
line_num, file_name)); line_num, file_name));
*err_msg = "authentication method \"oauth\" requires argument \"validator\" to be set when oauth_validator_libraries contains multiple options"; *err_msg = psprintf("authentication method \"oauth\" requires option \"validator\" to be set when \"%s\" contains multiple options",
"oauth_validator_libraries");
goto done; goto done;
} }
@ -916,11 +918,11 @@ check_oauth_validator(HbaLine *hbaline, int elevel, char **err_msg)
ereport(elevel, ereport(elevel,
errcode(ERRCODE_INVALID_PARAMETER_VALUE), errcode(ERRCODE_INVALID_PARAMETER_VALUE),
errmsg("validator \"%s\" is not permitted by %s", errmsg("validator \"%s\" is not permitted by \"%s\"",
hbaline->oauth_validator, "oauth_validator_libraries"), hbaline->oauth_validator, "oauth_validator_libraries"),
errcontext("line %d of configuration file \"%s\"", errcontext("line %d of configuration file \"%s\"",
line_num, file_name)); line_num, file_name));
*err_msg = psprintf("validator \"%s\" is not permitted by %s", *err_msg = psprintf("validator \"%s\" is not permitted by \"%s\"",
hbaline->oauth_validator, "oauth_validator_libraries"); hbaline->oauth_validator, "oauth_validator_libraries");
done: done:

58
src/interfaces/libpq-oauth/oauth-curl.c
View file

@ -435,7 +435,7 @@ append_actx_error(PGoauthBearerRequestV2 *req, struct async_ctx *actx)
struct async_ctx *_actx = (ACTX); \ struct async_ctx *_actx = (ACTX); \
CURLMcode _setopterr = curl_multi_setopt(_actx->curlm, OPT, VAL); \ CURLMcode _setopterr = curl_multi_setopt(_actx->curlm, OPT, VAL); \
if (_setopterr) { \ if (_setopterr) { \
actx_error(_actx, "failed to set %s on OAuth connection: %s",\ actx_error(_actx, "could not set libcurl option \"%s\" on OAuth connection: %s",\
#OPT, curl_multi_strerror(_setopterr)); \ #OPT, curl_multi_strerror(_setopterr)); \
FAILACTION; \ FAILACTION; \
} \ } \
@ -446,7 +446,7 @@ append_actx_error(PGoauthBearerRequestV2 *req, struct async_ctx *actx)
struct async_ctx *_actx = (ACTX); \ struct async_ctx *_actx = (ACTX); \
CURLcode _setopterr = curl_easy_setopt(_actx->curl, OPT, VAL); \ CURLcode _setopterr = curl_easy_setopt(_actx->curl, OPT, VAL); \
if (_setopterr) { \ if (_setopterr) { \
actx_error(_actx, "failed to set %s on OAuth connection: %s",\ actx_error(_actx, "could not set libcurl option \"%s\" on OAuth connection: %s",\
#OPT, curl_easy_strerror(_setopterr)); \ #OPT, curl_easy_strerror(_setopterr)); \
FAILACTION; \ FAILACTION; \
} \ } \
@ -457,7 +457,7 @@ append_actx_error(PGoauthBearerRequestV2 *req, struct async_ctx *actx)
struct async_ctx *_actx = (ACTX); \ struct async_ctx *_actx = (ACTX); \
CURLcode _getinfoerr = curl_easy_getinfo(_actx->curl, INFO, OUT); \ CURLcode _getinfoerr = curl_easy_getinfo(_actx->curl, INFO, OUT); \
if (_getinfoerr) { \ if (_getinfoerr) { \
actx_error(_actx, "failed to get %s from OAuth response: %s",\ actx_error(_actx, "could not get libcurl info \"%s\" from OAuth response: %s",\
#INFO, curl_easy_strerror(_getinfoerr)); \ #INFO, curl_easy_strerror(_getinfoerr)); \
FAILACTION; \ FAILACTION; \
} \ } \
@ -882,7 +882,7 @@ parse_oauth_json(struct async_ctx *actx, const struct json_field *fields)
if (strlen(resp->data) != resp->len) if (strlen(resp->data) != resp->len)
{ {
actx_error(actx, "response contains embedded NULLs"); actx_error(actx, "response contains embedded null");
return false; return false;
} }
@ -1138,7 +1138,7 @@ parse_token_error(struct async_ctx *actx, struct token_error *err)
* override the errctx if parsing explicitly fails. * override the errctx if parsing explicitly fails.
*/ */
if (!result) if (!result)
actx->errctx = libpq_gettext("failed to parse token error response"); actx->errctx = libpq_gettext("could not parse token error response");
return result; return result;
} }
@ -1230,20 +1230,20 @@ setup_multiplexer(struct async_ctx *actx)
actx->mux = epoll_create1(EPOLL_CLOEXEC); actx->mux = epoll_create1(EPOLL_CLOEXEC);
if (actx->mux < 0) if (actx->mux < 0)
{ {
actx_error_internal(actx, "failed to create epoll set: %m"); actx_error_internal(actx, "could not create epoll set: %m");
return false; return false;
} }
actx->timerfd = timerfd_create(CLOCK_MONOTONIC, TFD_CLOEXEC); actx->timerfd = timerfd_create(CLOCK_MONOTONIC, TFD_CLOEXEC);
if (actx->timerfd < 0) if (actx->timerfd < 0)
{ {
actx_error_internal(actx, "failed to create timerfd: %m"); actx_error_internal(actx, "could not create timerfd: %m");
return false; return false;
} }
if (epoll_ctl(actx->mux, EPOLL_CTL_ADD, actx->timerfd, &ev) < 0) if (epoll_ctl(actx->mux, EPOLL_CTL_ADD, actx->timerfd, &ev) < 0)
{ {
actx_error_internal(actx, "failed to add timerfd to epoll set: %m"); actx_error_internal(actx, "could not add timerfd to epoll set: %m");
return false; return false;
} }
@ -1252,7 +1252,7 @@ setup_multiplexer(struct async_ctx *actx)
actx->mux = kqueue(); actx->mux = kqueue();
if (actx->mux < 0) if (actx->mux < 0)
{ {
actx_error_internal(actx, "failed to create kqueue: %m"); actx_error_internal(actx, "could not create kqueue: %m");
return false; return false;
} }
@ -1265,7 +1265,7 @@ setup_multiplexer(struct async_ctx *actx)
actx->timerfd = kqueue(); actx->timerfd = kqueue();
if (actx->timerfd < 0) if (actx->timerfd < 0)
{ {
actx_error_internal(actx, "failed to create timer kqueue: %m"); actx_error_internal(actx, "could not create timer kqueue: %m");
return false; return false;
} }
@ -1309,7 +1309,7 @@ register_socket(CURL *curl, curl_socket_t socket, int what, void *ctx,
break; break;
default: default:
actx_error_internal(actx, "unknown libcurl socket operation: %d", what); actx_error_internal(actx, "unrecognized libcurl socket operation: %d", what);
return -1; return -1;
} }
@ -1384,7 +1384,7 @@ register_socket(CURL *curl, curl_socket_t socket, int what, void *ctx,
break; break;
default: default:
actx_error_internal(actx, "unknown libcurl socket operation: %d", what); actx_error_internal(actx, "unrecognized libcurl socket operation: %d", what);
return -1; return -1;
} }
@ -1520,7 +1520,7 @@ set_timer(struct async_ctx *actx, long timeout)
if (timerfd_settime(actx->timerfd, 0 /* no flags */ , &spec, NULL) < 0) if (timerfd_settime(actx->timerfd, 0 /* no flags */ , &spec, NULL) < 0)
{ {
actx_error_internal(actx, "setting timerfd to %ld: %m", timeout); actx_error_internal(actx, "could not set timerfd to %ld: %m", timeout);
return false; return false;
} }
@ -1550,14 +1550,14 @@ set_timer(struct async_ctx *actx, long timeout)
EV_SET(&ev, 1, EVFILT_TIMER, EV_DELETE, 0, 0, 0); EV_SET(&ev, 1, EVFILT_TIMER, EV_DELETE, 0, 0, 0);
if (kevent(actx->timerfd, &ev, 1, NULL, 0, NULL) < 0 && errno != ENOENT) if (kevent(actx->timerfd, &ev, 1, NULL, 0, NULL) < 0 && errno != ENOENT)
{ {
actx_error_internal(actx, "deleting kqueue timer: %m"); actx_error_internal(actx, "could not delete kqueue timer: %m");
return false; return false;
} }
EV_SET(&ev, actx->timerfd, EVFILT_READ, EV_DELETE, 0, 0, 0); EV_SET(&ev, actx->timerfd, EVFILT_READ, EV_DELETE, 0, 0, 0);
if (kevent(actx->mux, &ev, 1, NULL, 0, NULL) < 0 && errno != ENOENT) if (kevent(actx->mux, &ev, 1, NULL, 0, NULL) < 0 && errno != ENOENT)
{ {
actx_error_internal(actx, "removing kqueue timer from multiplexer: %m"); actx_error_internal(actx, "could not remove kqueue timer from multiplexer: %m");
return false; return false;
} }
@ -1568,14 +1568,14 @@ set_timer(struct async_ctx *actx, long timeout)
EV_SET(&ev, 1, EVFILT_TIMER, (EV_ADD | EV_ONESHOT), 0, timeout, 0); EV_SET(&ev, 1, EVFILT_TIMER, (EV_ADD | EV_ONESHOT), 0, timeout, 0);
if (kevent(actx->timerfd, &ev, 1, NULL, 0, NULL) < 0) if (kevent(actx->timerfd, &ev, 1, NULL, 0, NULL) < 0)
{ {
actx_error_internal(actx, "setting kqueue timer to %ld: %m", timeout); actx_error_internal(actx, "could not set kqueue timer to %ld: %m", timeout);
return false; return false;
} }
EV_SET(&ev, actx->timerfd, EVFILT_READ, EV_ADD, 0, 0, 0); EV_SET(&ev, actx->timerfd, EVFILT_READ, EV_ADD, 0, 0, 0);
if (kevent(actx->mux, &ev, 1, NULL, 0, NULL) < 0) if (kevent(actx->mux, &ev, 1, NULL, 0, NULL) < 0)
{ {
actx_error_internal(actx, "adding kqueue timer to multiplexer: %m"); actx_error_internal(actx, "could not add kqueue timer to multiplexer: %m");
return false; return false;
} }
@ -1600,7 +1600,7 @@ timer_expired(struct async_ctx *actx)
res = PQsocketPoll(actx->timerfd, 1 /* forRead */ , 0, 0); res = PQsocketPoll(actx->timerfd, 1 /* forRead */ , 0, 0);
if (res < 0) if (res < 0)
{ {
actx_error(actx, "checking timer expiration: %m"); actx_error(actx, "could not check timer expiration: %m");
return -1; return -1;
} }
@ -1762,7 +1762,7 @@ setup_curl_handles(struct async_ctx *actx)
if (!actx->curlm) if (!actx->curlm)
{ {
/* We don't get a lot of feedback on the failure reason. */ /* We don't get a lot of feedback on the failure reason. */
actx_error(actx, "failed to create libcurl multi handle"); actx_error(actx, "could not create libcurl multi handle");
return false; return false;
} }
@ -1782,7 +1782,7 @@ setup_curl_handles(struct async_ctx *actx)
actx->curl = curl_easy_init(); actx->curl = curl_easy_init();
if (!actx->curl) if (!actx->curl)
{ {
actx_error(actx, "failed to create libcurl handle"); actx_error(actx, "could not create libcurl handle");
return false; return false;
} }
@ -1924,7 +1924,7 @@ start_request(struct async_ctx *actx)
err = curl_multi_add_handle(actx->curlm, actx->curl); err = curl_multi_add_handle(actx->curlm, actx->curl);
if (err) if (err)
{ {
actx_error(actx, "failed to queue HTTP request: %s", actx_error(actx, "could not queue HTTP request: %s",
curl_multi_strerror(err)); curl_multi_strerror(err));
return false; return false;
} }
@ -2191,7 +2191,7 @@ finish_discovery(struct async_ctx *actx)
/* /*
* Pull the fields we care about from the document. * Pull the fields we care about from the document.
*/ */
actx->errctx = libpq_gettext("failed to parse OpenID discovery document"); actx->errctx = libpq_gettext("could not parse OpenID discovery document");
if (!parse_provider(actx, &actx->provider)) if (!parse_provider(actx, &actx->provider))
return false; /* error message already set */ return false; /* error message already set */
@ -2256,7 +2256,7 @@ check_issuer(struct async_ctx *actx, PGconn *conn)
if (strcmp(oauth_issuer_id, provider->issuer) != 0) if (strcmp(oauth_issuer_id, provider->issuer) != 0)
{ {
actx_error(actx, actx_error(actx,
"the issuer identifier (%s) does not match oauth_issuer (%s)", "issuer identifier (%s) does not match oauth_issuer (%s)",
provider->issuer, oauth_issuer_id); provider->issuer, oauth_issuer_id);
return false; return false;
} }
@ -2458,7 +2458,7 @@ finish_device_authz(struct async_ctx *actx)
*/ */
if (response_code == 200) if (response_code == 200)
{ {
actx->errctx = libpq_gettext("failed to parse device authorization"); actx->errctx = libpq_gettext("could not parse device authorization");
if (!parse_device_authz(actx, &actx->authz)) if (!parse_device_authz(actx, &actx->authz))
return false; /* error message already set */ return false; /* error message already set */
@ -2545,7 +2545,7 @@ finish_token_request(struct async_ctx *actx, struct token *tok)
*/ */
if (response_code == 200) if (response_code == 200)
{ {
actx->errctx = libpq_gettext("failed to parse access token response"); actx->errctx = libpq_gettext("could not parse access token response");
if (!parse_access_token(actx, tok)) if (!parse_access_token(actx, tok))
return false; /* error message already set */ return false; /* error message already set */
@ -2884,7 +2884,7 @@ pg_fe_run_oauth_flow_impl(PGconn *conn, PGoauthBearerRequestV2 *request,
switch (actx->step) switch (actx->step)
{ {
case OAUTH_STEP_INIT: case OAUTH_STEP_INIT:
actx->errctx = libpq_gettext("failed to fetch OpenID discovery document"); actx->errctx = libpq_gettext("could not fetch OpenID discovery document");
if (!start_discovery(actx, actx->discovery_uri)) if (!start_discovery(actx, actx->discovery_uri))
goto error_return; goto error_return;
@ -2902,7 +2902,7 @@ pg_fe_run_oauth_flow_impl(PGconn *conn, PGoauthBearerRequestV2 *request,
if (!check_for_device_flow(actx)) if (!check_for_device_flow(actx))
goto error_return; goto error_return;
actx->errctx = libpq_gettext("failed to obtain device authorization"); actx->errctx = libpq_gettext("could not obtain device authorization");
if (!start_device_authz(actx, conn)) if (!start_device_authz(actx, conn))
goto error_return; goto error_return;
@ -2913,7 +2913,7 @@ pg_fe_run_oauth_flow_impl(PGconn *conn, PGoauthBearerRequestV2 *request,
if (!finish_device_authz(actx)) if (!finish_device_authz(actx))
goto error_return; goto error_return;
actx->errctx = libpq_gettext("failed to obtain access token"); actx->errctx = libpq_gettext("could not obtain access token");
if (!start_token_request(actx, conn)) if (!start_token_request(actx, conn))
goto error_return; goto error_return;
@ -2964,7 +2964,7 @@ pg_fe_run_oauth_flow_impl(PGconn *conn, PGoauthBearerRequestV2 *request,
break; break;
case OAUTH_STEP_WAIT_INTERVAL: case OAUTH_STEP_WAIT_INTERVAL:
actx->errctx = libpq_gettext("failed to obtain access token"); actx->errctx = libpq_gettext("could not obtain access token");
if (!start_token_request(actx, conn)) if (!start_token_request(actx, conn))
goto error_return; goto error_return;

32
src/test/modules/oauth_validator/t/001_server.pl
View file

@ -151,7 +151,7 @@ is( $contents,
# Key off of the "peer certificate" portion, since that seems to have # Key off of the "peer certificate" portion, since that seems to have
# remained constant over a long period of time. # remained constant over a long period of time.
expected_stderr => expected_stderr =>
qr/failed to fetch OpenID discovery document:.*peer certificate/i); qr/could not fetch OpenID discovery document:.*peer certificate/i);
} }
my $alternative_ca = "$ENV{cert_dir}/root+server_ca.crt"; my $alternative_ca = "$ENV{cert_dir}/root+server_ca.crt";
@ -362,12 +362,12 @@ $node->connect_fails(
connstr(stage => 'device', huge_response => JSON::PP::true), connstr(stage => 'device', huge_response => JSON::PP::true),
"bad device authz response: overlarge JSON", "bad device authz response: overlarge JSON",
expected_stderr => expected_stderr =>
qr/failed to obtain device authorization: response is too large/); qr/could not obtain device authorization: response is too large/);
$node->connect_fails( $node->connect_fails(
connstr(stage => 'token', huge_response => JSON::PP::true), connstr(stage => 'token', huge_response => JSON::PP::true),
"bad token response: overlarge JSON", "bad token response: overlarge JSON",
expected_stderr => expected_stderr =>
qr/failed to obtain access token: response is too large/); qr/could not obtain access token: response is too large/);
my $nesting_limit = 16; my $nesting_limit = 16;
$node->connect_ok( $node->connect_ok(
@ -382,28 +382,28 @@ $node->connect_fails(
connstr(stage => 'device', nested_array => $nesting_limit + 1), connstr(stage => 'device', nested_array => $nesting_limit + 1),
"bad discovery response: overly nested JSON array", "bad discovery response: overly nested JSON array",
expected_stderr => expected_stderr =>
qr/failed to parse device authorization: JSON is too deeply nested/); qr/could not parse device authorization: JSON is too deeply nested/);
$node->connect_fails( $node->connect_fails(
connstr(stage => 'device', nested_object => $nesting_limit + 1), connstr(stage => 'device', nested_object => $nesting_limit + 1),
"bad discovery response: overly nested JSON object", "bad discovery response: overly nested JSON object",
expected_stderr => expected_stderr =>
qr/failed to parse device authorization: JSON is too deeply nested/); qr/could not parse device authorization: JSON is too deeply nested/);
$node->connect_fails( $node->connect_fails(
connstr(stage => 'device', content_type => 'text/plain'), connstr(stage => 'device', content_type => 'text/plain'),
"bad device authz response: wrong content type", "bad device authz response: wrong content type",
expected_stderr => expected_stderr =>
qr/failed to parse device authorization: unexpected content type/); qr/could not parse device authorization: unexpected content type/);
$node->connect_fails( $node->connect_fails(
connstr(stage => 'token', content_type => 'text/plain'), connstr(stage => 'token', content_type => 'text/plain'),
"bad token response: wrong content type", "bad token response: wrong content type",
expected_stderr => expected_stderr =>
qr/failed to parse access token response: unexpected content type/); qr/could not parse access token response: unexpected content type/);
$node->connect_fails( $node->connect_fails(
connstr(stage => 'token', content_type => 'application/jsonx'), connstr(stage => 'token', content_type => 'application/jsonx'),
"bad token response: wrong content type (correct prefix)", "bad token response: wrong content type (correct prefix)",
expected_stderr => expected_stderr =>
qr/failed to parse access token response: unexpected content type/); qr/could not parse access token response: unexpected content type/);
$node->connect_fails( $node->connect_fails(
connstr( connstr(
@ -413,12 +413,12 @@ $node->connect_fails(
retry_code => "slow_down"), retry_code => "slow_down"),
"bad token response: server overflows the device authz interval", "bad token response: server overflows the device authz interval",
expected_stderr => expected_stderr =>
qr/failed to obtain access token: slow_down interval overflow/); qr/could not obtain access token: slow_down interval overflow/);
$node->connect_fails( $node->connect_fails(
connstr(stage => 'token', error_code => "invalid_grant"), connstr(stage => 'token', error_code => "invalid_grant"),
"bad token response: invalid_grant, no description", "bad token response: invalid_grant, no description",
expected_stderr => qr/failed to obtain access token: \(invalid_grant\)/); expected_stderr => qr/could not obtain access token: \(invalid_grant\)/);
$node->connect_fails( $node->connect_fails(
connstr( connstr(
stage => 'token', stage => 'token',
@ -426,7 +426,7 @@ $node->connect_fails(
error_desc => "grant expired"), error_desc => "grant expired"),
"bad token response: expired grant", "bad token response: expired grant",
expected_stderr => expected_stderr =>
qr/failed to obtain access token: grant expired \(invalid_grant\)/); qr/could not obtain access token: grant expired \(invalid_grant\)/);
$node->connect_fails( $node->connect_fails(
connstr( connstr(
stage => 'token', stage => 'token',
@ -434,7 +434,7 @@ $node->connect_fails(
error_status => 401), error_status => 401),
"bad token response: client authentication failure, default description", "bad token response: client authentication failure, default description",
expected_stderr => expected_stderr =>
qr/failed to obtain access token: provider requires client authentication, and no oauth_client_secret is set \(invalid_client\)/ qr/could not obtain access token: provider requires client authentication, and no oauth_client_secret is set \(invalid_client\)/
); );
$node->connect_fails( $node->connect_fails(
connstr( connstr(
@ -444,7 +444,7 @@ $node->connect_fails(
error_desc => "authn failure"), error_desc => "authn failure"),
"bad token response: client authentication failure, provided description", "bad token response: client authentication failure, provided description",
expected_stderr => expected_stderr =>
qr/failed to obtain access token: authn failure \(invalid_client\)/); qr/could not obtain access token: authn failure \(invalid_client\)/);
$node->connect_fails( $node->connect_fails(
connstr(stage => 'token', token => ""), connstr(stage => 'token', token => ""),
@ -479,7 +479,7 @@ $node->connect_fails(
error_status => 401), error_status => 401),
"bad token response: client authentication failure, default description with oauth_client_secret", "bad token response: client authentication failure, default description with oauth_client_secret",
expected_stderr => expected_stderr =>
qr/failed to obtain access token: provider rejected the oauth_client_secret \(invalid_client\)/ qr/could not obtain access token: provider rejected the oauth_client_secret \(invalid_client\)/
); );
$node->connect_fails( $node->connect_fails(
connstr( connstr(
@ -489,7 +489,7 @@ $node->connect_fails(
error_desc => "mutual TLS required for client"), error_desc => "mutual TLS required for client"),
"bad token response: client authentication failure, provided description with oauth_client_secret", "bad token response: client authentication failure, provided description with oauth_client_secret",
expected_stderr => expected_stderr =>
qr/failed to obtain access token: mutual TLS required for client \(invalid_client\)/ qr/could not obtain access token: mutual TLS required for client \(invalid_client\)/
); );
# Count the number of calls to the internal flow when multiple retries are # Count the number of calls to the internal flow when multiple retries are
@ -802,7 +802,7 @@ is($result, 0,
'restart fails without explicit validators in oauth HBA entries'); 'restart fails without explicit validators in oauth HBA entries');
$log_start = $node->wait_for_log( $log_start = $node->wait_for_log(
qr/authentication method "oauth" requires argument "validator" to be set/, qr/authentication method "oauth" requires option "validator" to be set/,
$log_start); $log_start);
unlink($node->data_dir . '/pg_hba.conf'); unlink($node->data_dir . '/pg_hba.conf');