Support for SCRAM-SHA-256 SASL authentication

[gwynne]

• PostgreSQL supports SCRAM-SHA-256 authentication since version 11. This is preliminary support for that authentication type.

[calebkleveter]

This generally looks good to me. I think it's safe to assume you know what you're doing so I don't have to read the docs for the Postgres authentication protocol.

One question though, should there be tests for this?

[gwynne]

One question though, should there be tests for this?

@calebkleveter The Postgres-specific side of it is implicitly tested whenever the test suite is run against a database configured for scram-sha-256 auth, a job for a Docker Compose manifest or similar. But yes, there certainly should be unit tests for the other bits. Some categories that'd make good test suites that come to mind:

• Tests for the generic SASL authentication manager (such as by implementing a dummy mechanism to put the system through its paces)
• Tests for the SCRAM_SHA256 mechanism in terms of it as a SASLMechanism.
• Tests for the SCRAMMessageParser, which is currently a bit of a hacked-up mess with several fail-closed (auth fails when it shouldn't rather than vice versa) corner cases.
• Possibly, separate tests for the GS2Header parsing code, depending how later refinements to the overall implementation go.
• Tests for the Hi() function, which is effectively most of a PBKDF2 implementation and should at least be verified against that algorithm's test vectors.
• Last but not least, tests to verify the behavior of the additional as-yet-unimplemented SCRAM_SHA256_PLUS mechanism, particularly to verify it performs channel bonding correctly, since that's the only reason it exists.

[tanner0101]

Huge +1 to this ❤️

Can we configure the DB image we use in CI to test this?

• https://github.com/vapor/postgres-nio/blob/master/.github/workflows/test.yml#L9-L12

It could also be nice to add a psql-sasl image to the docker-compose file:

• https://github.com/vapor/postgres-nio/blob/master/docker-compose.yml#L4

For easy testing locally.

[gwynne]

@tanner0101 Test workflow has been updated to test all three auth methods (trust, MD5, SCRAM-SHA-256) for all supported PostgreSQL versions (and lots of Swift versions...), docker-compose.yml now permits specifying an auth method via env var. I'd like to get this in ASAP; more Postgres setups are starting to default to SCRAM-SHA-256, and Postgres itself has made it the default for the "next version after 13" release (see https://www.postgresql.org/docs/devel/runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-AUTHENTICATION, at the time of this writing).

[bridger]

Thank you for implementing this! I was getting my dev environment set up on a new machine and sure enough, postgresql has started defaulting to scram-sha-256. That means it was rejecting any connections from postgres-nio. I'm happy to see the fix is ready to go! 🌟

For other people who might run into this, the error you'll get is protocol error: Unkonwn authentication request type: 10, which means postgres-nio is connecting with md5 but scram-sha-256 is required. You can go back to md5 by modifying pg_hba.conf and changing the lines that look something like local all all scram-sha-265 to have md5 instead.

[Joannis]

A lot of commented code could be removed, but it's non-critical for sure. LGTM

[tanner0101]

These changes are now available in 1.4.2