From ec1318b9d169418c195f6e1625820921fde099a7 Mon Sep 17 00:00:00 2001
From: Jacob Champion <jacob.champion@enterprisedb.com>
Date: Wed, 1 Apr 2026 11:17:36 -0700
Subject: [PATCH v3.1 5/6] squash! Split PGOAUTHDEBUG=UNSAFE into multiple
 options

- Move the implementation into its own header; revert the build system
  changes that were needed for the .c approach.

- <stdio.h> et al are included in "c.h" and do not need to be explicitly
  pulled in.
---
 src/interfaces/libpq-oauth/meson.build        |  6 +--
 src/interfaces/libpq/meson.build              |  1 -
 src/interfaces/libpq-oauth/Makefile           | 11 +----
 src/interfaces/libpq/Makefile                 |  3 +-
 src/interfaces/libpq-oauth/oauth-utils.h      |  2 -
 src/interfaces/libpq/fe-auth-oauth.h          | 30 ------------
 .../{fe-auth-oauth-debug.c => oauth-debug.h}  | 49 ++++++++++++++-----
 src/interfaces/libpq-oauth/oauth-curl.c       |  1 +
 src/interfaces/libpq/fe-auth-oauth.c          |  1 +
 9 files changed, 43 insertions(+), 61 deletions(-)
 rename src/interfaces/libpq/{fe-auth-oauth-debug.c => oauth-debug.h} (62%)

diff --git a/src/interfaces/libpq-oauth/meson.build b/src/interfaces/libpq-oauth/meson.build
index d8cc92e0c2c..ea3a900f4f1 100644
--- a/src/interfaces/libpq-oauth/meson.build
+++ b/src/interfaces/libpq-oauth/meson.build
@@ -6,7 +6,6 @@ endif
 
 libpq_oauth_sources = files(
   'oauth-curl.c',
-  '../libpq/fe-auth-oauth-debug.c',
 )
 
 # The shared library needs additional glue symbols.
@@ -63,10 +62,7 @@ endif
 
 libpq_oauth_test_deps = []
 
-oauth_test_sources = files(
-  'test-oauth-curl.c',
-  '../libpq/fe-auth-oauth-debug.c',
-) + libpq_oauth_so_sources
+oauth_test_sources = files('test-oauth-curl.c') + libpq_oauth_so_sources
 
 if host_system == 'windows'
   oauth_test_sources += rc_bin_gen.process(win32ver_rc, extra_args: [
diff --git a/src/interfaces/libpq/meson.build b/src/interfaces/libpq/meson.build
index d031f4962e5..b0ae72167a1 100644
--- a/src/interfaces/libpq/meson.build
+++ b/src/interfaces/libpq/meson.build
@@ -2,7 +2,6 @@
 
 libpq_sources = files(
   'fe-auth-oauth.c',
-  'fe-auth-oauth-debug.c',
   'fe-auth-scram.c',
   'fe-auth.c',
   'fe-cancel.c',
diff --git a/src/interfaces/libpq-oauth/Makefile b/src/interfaces/libpq-oauth/Makefile
index c6097dda531..11e1a3cf528 100644
--- a/src/interfaces/libpq-oauth/Makefile
+++ b/src/interfaces/libpq-oauth/Makefile
@@ -36,24 +36,15 @@ override CPPFLAGS_SHLIB += -DUSE_PRIVATE_ENCODING_FUNCS
 OBJS = \
 	$(WIN32RES)
 
-OBJS_STATIC = \
-	oauth-curl.o \
-	fe-auth-oauth-debug.o
+OBJS_STATIC = oauth-curl.o
 
 # The shared library needs additional glue symbols.
 OBJS_SHLIB = \
 	oauth-curl_shlib.o \
 	oauth-utils.o \
-	fe-auth-oauth-debug_shlib.o
 
 oauth-utils.o: override CPPFLAGS += $(CPPFLAGS_SHLIB)
 
-fe-auth-oauth-debug.o: $(libpq_srcdir)/fe-auth-oauth-debug.c
-	$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
-
-fe-auth-oauth-debug_shlib.o: $(libpq_srcdir)/fe-auth-oauth-debug.c fe-auth-oauth-debug.o
-	$(CC) $(CFLAGS) $(CFLAGS_SL) $(CPPFLAGS) $(CPPFLAGS_SHLIB) -c $< -o $@
-
 # Add shlib-/stlib-specific objects.
 $(shlib): override OBJS += $(OBJS_SHLIB)
 $(shlib): $(OBJS_SHLIB)
diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile
index 099c6557e77..0963995eed4 100644
--- a/src/interfaces/libpq/Makefile
+++ b/src/interfaces/libpq/Makefile
@@ -44,8 +44,7 @@ OBJS = \
 	legacy-pqsignal.o \
 	libpq-events.o \
 	pqexpbuffer.o \
-	fe-auth.o \
-	fe-auth-oauth-debug.o
+	fe-auth.o
 
 # File shared across all SSL implementations supported.
 ifneq ($(with_ssl),no)
diff --git a/src/interfaces/libpq-oauth/oauth-utils.h b/src/interfaces/libpq-oauth/oauth-utils.h
index 64a9235ee85..dacd2dbacfe 100644
--- a/src/interfaces/libpq-oauth/oauth-utils.h
+++ b/src/interfaces/libpq-oauth/oauth-utils.h
@@ -15,7 +15,6 @@
 #ifndef OAUTH_UTILS_H
 #define OAUTH_UTILS_H
 
-#include "fe-auth-oauth.h"
 #include "libpq-fe.h"
 #include "pqexpbuffer.h"
 
@@ -36,7 +35,6 @@ typedef enum
 	PG_BOOL_NO					/* No (false) */
 } PGTernaryBool;
 
-extern uint32 oauth_get_debug_flags(void);
 extern int	pq_block_sigpipe(sigset_t *osigset, bool *sigpipe_pending);
 extern void pq_reset_sigpipe(sigset_t *osigset, bool sigpipe_pending, bool got_epipe);
 
diff --git a/src/interfaces/libpq/fe-auth-oauth.h b/src/interfaces/libpq/fe-auth-oauth.h
index a952fea09cf..a50d7b03408 100644
--- a/src/interfaces/libpq/fe-auth-oauth.h
+++ b/src/interfaces/libpq/fe-auth-oauth.h
@@ -39,37 +39,7 @@ typedef struct
 	void	   *flow_module;
 } fe_oauth_state;
 
-/*
- * Debug flags for the PGOAUTHDEBUG environment variable. Each flag controls a
- * specific debug feature. OAUTHDEBUG_UNSAFE_* flags require the envvar to have
- * a literal "UNSAFE:" prefix.
- */
-
-/* allow HTTP (unencrypted) connections */
-#define OAUTHDEBUG_UNSAFE_HTTP			(1<<0)
-/* log HTTP traffic (exposes secrets) */
-#define OAUTHDEBUG_UNSAFE_TRACE			(1<<1)
-/* allow zero-second retry intervals */
-#define OAUTHDEBUG_UNSAFE_DOS_ENDPOINT	(1<<2)
-
-/* mind the gap in values; see OAUTHDEBUG_UNSAFE_MASK below */
-
-/* print PQconnectPoll statistics */
-#define OAUTHDEBUG_CALL_COUNT			(1<<16)
-/* print plugin loading errors */
-#define OAUTHDEBUG_PLUGIN_ERRORS		(1<<17)
-
-/* all safe and unsafe flags, for the legacy UNSAFE behavior */
-#define OAUTHDEBUG_UNSAFE_ALL			((uint32) ~0)
-
-/* Flags are divided into "safe" and "unsafe" based on bit position. */
-#define OAUTHDEBUG_UNSAFE_MASK			((uint32) 0x0000FFFF)
-
-static_assert(OAUTHDEBUG_CALL_COUNT == OAUTHDEBUG_UNSAFE_MASK + 1,
-			  "the first safe OAUTHDEBUG flag should be above OAUTHDEBUG_UNSAFE_MASK");
-
 extern void pqClearOAuthToken(PGconn *conn);
-extern uint32 oauth_get_debug_flags(void);
 
 /* Mechanisms in fe-auth-oauth.c */
 extern const pg_fe_sasl_mech pg_oauth_mech;
diff --git a/src/interfaces/libpq/fe-auth-oauth-debug.c b/src/interfaces/libpq/oauth-debug.h
similarity index 62%
rename from src/interfaces/libpq/fe-auth-oauth-debug.c
rename to src/interfaces/libpq/oauth-debug.h
index 8bf710ce46a..ad5246a8402 100644
--- a/src/interfaces/libpq/fe-auth-oauth-debug.c
+++ b/src/interfaces/libpq/oauth-debug.h
@@ -1,28 +1,53 @@
 /*-------------------------------------------------------------------------
  *
- * fe-auth-oauth-debug.c
+ * oauth-debug.h
  *	  Parsing logic for PGOAUTHDEBUG environment variable
  *
- * This file contains pure string parsing logic with no dependencies on
- * libpq or libpq-oauth implementation details. It's compiled into both
- * libraries to avoid code duplication.
+ * Both libpq and libpq-oauth need this logic, so it's packaged in a small
+ * header for convenience.
  *
- * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1996-2026, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
  *
  * IDENTIFICATION
- * 	src/interfaces/libpq/fe-auth-oauth-debug.c
+ * 	src/interfaces/libpq/oauth-debug.h
  *
  *-------------------------------------------------------------------------
  */
 
+#ifndef OAUTH_DEBUG_H
+#define OAUTH_DEBUG_H
+
 #include "postgres_fe.h"
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
+/*
+ * Debug flags for the PGOAUTHDEBUG environment variable. Each flag controls a
+ * specific debug feature. OAUTHDEBUG_UNSAFE_* flags require the envvar to have
+ * a literal "UNSAFE:" prefix.
+ */
+
+/* allow HTTP (unencrypted) connections */
+#define OAUTHDEBUG_UNSAFE_HTTP			(1<<0)
+/* log HTTP traffic (exposes secrets) */
+#define OAUTHDEBUG_UNSAFE_TRACE			(1<<1)
+/* allow zero-second retry intervals */
+#define OAUTHDEBUG_UNSAFE_DOS_ENDPOINT	(1<<2)
+
+/* mind the gap in values; see OAUTHDEBUG_UNSAFE_MASK below */
 
-#include "fe-auth-oauth.h"
+/* print PQconnectPoll statistics */
+#define OAUTHDEBUG_CALL_COUNT			(1<<16)
+/* print plugin loading errors */
+#define OAUTHDEBUG_PLUGIN_ERRORS		(1<<17)
+
+/* all safe and unsafe flags, for the legacy UNSAFE behavior */
+#define OAUTHDEBUG_UNSAFE_ALL			((uint32) ~0)
+
+/* Flags are divided into "safe" and "unsafe" based on bit position. */
+#define OAUTHDEBUG_UNSAFE_MASK			((uint32) 0x0000FFFF)
+
+static_assert(OAUTHDEBUG_CALL_COUNT == OAUTHDEBUG_UNSAFE_MASK + 1,
+			  "the first safe OAUTHDEBUG flag should be above OAUTHDEBUG_UNSAFE_MASK");
 
 /*
  * Parses the PGOAUTHDEBUG environment variable and returns debug flags.
@@ -36,7 +61,7 @@
  * - An unrecognized option is specified
  * - An unsafe option is specified without the UNSAFE: prefix
  */
-uint32
+static uint32
 oauth_get_debug_flags(void)
 {
 	uint32		flags = 0;
@@ -102,3 +127,5 @@ oauth_get_debug_flags(void)
 
 	return flags;
 }
+
+#endif							/* OAUTH_DEBUG_H */
diff --git a/src/interfaces/libpq-oauth/oauth-curl.c b/src/interfaces/libpq-oauth/oauth-curl.c
index 7100824c560..5ee630dd9f7 100644
--- a/src/interfaces/libpq-oauth/oauth-curl.c
+++ b/src/interfaces/libpq-oauth/oauth-curl.c
@@ -31,6 +31,7 @@
 #include "common/jsonapi.h"
 #include "mb/pg_wchar.h"
 #include "oauth-curl.h"
+#include "oauth-debug.h"
 
 #ifdef USE_DYNAMIC_OAUTH
 
diff --git a/src/interfaces/libpq/fe-auth-oauth.c b/src/interfaces/libpq/fe-auth-oauth.c
index 6f7ec3a129e..c150f27df00 100644
--- a/src/interfaces/libpq/fe-auth-oauth.c
+++ b/src/interfaces/libpq/fe-auth-oauth.c
@@ -26,6 +26,7 @@
 #include "fe-auth.h"
 #include "fe-auth-oauth.h"
 #include "mb/pg_wchar.h"
+#include "oauth-debug.h"
 #include "pg_config_paths.h"
 #include "utils/memdebug.h"
 
-- 
2.34.1