sql,security: add validation for PROVISIONSRC role option

Release note (enterprise change): Added a new PROVISIONSRC role option.
This role option should be prefixed with the HBA auth method for provisioning,
i.e. `ldap` followed by the IDP uri, for example `ldap:ldap.example.com`. This
is intended to be used only internally for user provisioning and is supposed
to be view-only when checking set role options for a user.

Author: souravcrl

pkg/BUILD.bazel

@@ -1717,6 +1717,7 @@ GO_TARGETS = [
     "//pkg/security/password:password",
     "//pkg/security/password:password_test",
     "//pkg/security/pprompt:pprompt",
+    "//pkg/security/provisioning:provisioning",
     "//pkg/security/securityassets:securityassets",
     "//pkg/security/securitytest:securitytest",
     "//pkg/security/sessionrevival:sessionrevival",

pkg/ccl/logictestccl/testdata/logic_test/provisioning

@@ -0,0 +1,45 @@
+# LogicTest: !local-mixed-24.3 !local-mixed-25.1 !local-mixed-25.2
+# Tests for parsing/validation of the PROVISIONSRC role option.
+
+statement error role "root" cannot have a PROVISIONSRC
+ALTER ROLE root PROVISIONSRC 'ldap:ldap.example.com'
+
+statement error pq: PROVISIONSRC "ldap.example.com" was not prefixed with any valid auth methods \["ldap"\]
+CREATE ROLE role_with_provisioning PROVISIONSRC 'ldap.example.com'
+
+statement error pq: conflicting role options
+CREATE ROLE role_with_provisioning WITH PROVISIONSRC 'ldap:ldap.bar.com' NOSQLLOGIN
+
+statement ok
+CREATE ROLE role_with_provisioning PROVISIONSRC 'ldap:ldap.bar.com'
+
+query T
+SELECT value FROM system.role_options
+WHERE username = 'role_with_provisioning'
+AND option = 'PROVISIONSRC'
+----
+ldap:ldap.bar.com
+
+statement ok
+ALTER ROLE role_with_provisioning PROVISIONSRC 'ldap:ldap.example.com'
+
+query T
+SELECT value FROM system.role_options
+WHERE username = 'role_with_provisioning'
+AND option = 'PROVISIONSRC'
+----
+ldap:ldap.example.com
+
+statement error pq: provided IDP "\[\]!@#%#\^\$&\*" in PROVISIONSRC is non parseable: parse "\[\]!@#%#\^\$&\*": invalid URL escape "%#\^"
+ALTER ROLE role_with_provisioning PROVISIONSRC 'ldap:[]!@#%#^$&*'
+
+statement ok
+ALTER ROLE role_with_provisioning PROVISIONSRC 'ldap:foo.bar'
+
+query T
+SELECT value FROM system.role_options
+WHERE username = 'role_with_provisioning'
+AND option = 'PROVISIONSRC'
+----
+ldap:foo.bar
+

pkg/ccl/logictestccl/tests/3node-tenant/generated_test.go

@@ -12,7 +12,7 @@ go_test(
         "//build/toolchains:is_heavy": {"test.Pool": "heavy"},
         "//conditions:default": {"test.Pool": "large"},
     }),
-    shard_count = 35,
+    shard_count = 36,
     tags = ["cpu:2"],
     deps = [
         "//pkg/base",

pkg/ccl/logictestccl/tests/fakedist-disk/BUILD.bazel

@@ -12,7 +12,7 @@ go_test(
         "//build/toolchains:is_heavy": {"test.Pool": "heavy"},
         "//conditions:default": {"test.Pool": "large"},
     }),
-    shard_count = 35,
+    shard_count = 36,
     tags = ["cpu:2"],
     deps = [
         "//pkg/base",

pkg/ccl/logictestccl/tests/fakedist-disk/generated_test.go

@@ -12,7 +12,7 @@ go_test(
         "//build/toolchains:is_heavy": {"test.Pool": "heavy"},
         "//conditions:default": {"test.Pool": "large"},
     }),
-    shard_count = 36,
+    shard_count = 37,
     tags = ["cpu:2"],
     deps = [
         "//pkg/base",

pkg/ccl/logictestccl/tests/fakedist-vec-off/BUILD.bazel

@@ -9,7 +9,7 @@ go_test(
         "//pkg/ccl/logictestccl:testdata",  # keep
     ],
     exec_properties = {"test.Pool": "large"},
-    shard_count = 33,
+    shard_count = 34,
     tags = ["cpu:1"],
     deps = [
         "//pkg/base",