68 #define token_has_regexp(t) (t->regex != NULL)
69 #define token_is_member_check(t) (!t->quoted && t->string[0] == '+')
70 #define token_is_keyword(t, k) (!t->quoted && strcmp(t->string, k) == 0)
71 #define token_matches(t, k) (strcmp(t->string, k) == 0)
72 #define token_matches_insensitive(t,k) (pg_strcasecmp(t->string, k) == 0)
124 "UserAuthName[] must match the UserAuth enum");
128 const char *inc_filename,
int elevel,
129 int depth,
char **err_msg);
131 int elevel,
char **err_msg);
133 char **err_msg,
int elevel);
146 return c ==
' ' ||
c ==
'\t' ||
c ==
'\r';
186 bool *initial_quote,
bool *terminating_comma)
189 bool in_quote =
false;
190 bool was_quote =
false;
191 bool saw_quote =
false;
195 *initial_quote =
false;
196 *terminating_comma =
false;
210 if (
c ==
'#' && !in_quote)
212 while ((
c = (*(*
lineptr)++)) !=
'\0')
218 if (
c ==
',' && !in_quote)
220 *terminating_comma =
true;
224 if (
c !=
'"' || was_quote)
228 if (in_quote &&
c ==
'"')
229 was_quote = !was_quote;
235 in_quote = !in_quote;
238 *initial_quote =
true;
250 return (saw_quote ||
buf->len > 0);
262 toklen = strlen(
token);
266 authtoken->
quoted = quoted;
267 authtoken->
regex = NULL;
302 char **err_msg,
int elevel)
310 if (
token->string[0] !=
'/')
316 wstr, strlen(
token->string + 1));
326 (
errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
327 errmsg(
"invalid regular expression \"%s\": %s",
328 token->string + 1, errstr),
329 errcontext(
"line %d of configuration file \"%s\"",
332 *err_msg =
psprintf(
"invalid regular expression \"%s\": %s",
333 token->string + 1, errstr);
358 r =
pg_regexec(
token->regex, wmatchstr, wmatchlen, 0, NULL, nmatch, pmatch, 0);
380 int elevel,
int depth,
char **err_msg)
392 &initial_quote, &trailing_comma))
396 if (!initial_quote &&
buf.len > 1 &&
buf.data[0] ==
'@')
398 elevel, depth + 1, err_msg);
411 }
while (trailing_comma && (*err_msg == NULL));
439 const char *inc_filename,
454 if (errno == ENOENT && missing_ok)
457 (
errmsg(
"skipping missing authentication file \"%s\"",
494 const char *outer_filename,
495 const char *inc_filename,
508 if (inc_file == NULL)
528 foreach(inc_line, inc_lines)
540 foreach(inc_field, tok_line->
fields)
545 foreach(inc_token, inc_tokens)
609 errmsg(
"could not open file \"%s\": maximum nesting depth exceeded",
612 *err_msg =
psprintf(
"could not open file \"%s\": maximum nesting depth exceeded",
620 int save_errno = errno;
624 errmsg(
"could not open file \"%s\": %m",
627 *err_msg =
psprintf(
"could not open file \"%s\": %s",
661 errcontext(
"line %d of configuration file \"%s\"",
687 int elevel,
int depth)
699 callback_arg.
linenum = line_number;
702 tokenerrcontext.
arg = (
void *) &callback_arg;
711 "tokenize_auth_file",
720 while (!feof(file) && !ferror(file))
726 char *err_msg = NULL;
727 int last_backslash_buflen = 0;
728 int continuations = 0;
743 if (
buf.len > last_backslash_buflen &&
744 buf.data[
buf.len - 1] ==
'\\')
747 buf.data[--
buf.len] =
'\0';
748 last_backslash_buflen =
buf.len;
760 int save_errno = errno;
765 err_msg =
psprintf(
"could not read file \"%s\": %s",
772 while (*
lineptr && err_msg == NULL)
777 elevel, depth, &err_msg);
779 if (current_field !=
NIL)
786 current_line =
lappend(current_line, current_field);
795 if (current_line ==
NIL && err_msg == NULL)
799 if (err_msg == NULL &&
list_length(current_line) == 2)
807 if (strcmp(first->
string,
"include") == 0)
810 elevel, depth + 1,
false, &err_msg);
821 else if (strcmp(first->
string,
"include_dir") == 0)
824 char *dir_name = second->
string;
829 &num_filenames, &err_msg);
838 for (
int i = 0;
i < num_filenames;
i++)
841 elevel, depth + 1,
false, &err_msg);
852 for (
int i = 0;
i < num_filenames;
i++)
860 if (err_buf.
len == 0)
864 err_msg = err_buf.
data;
867 else if (strcmp(first->
string,
"include_if_exists") == 0)
871 elevel, depth + 1,
true, &err_msg);
892 tok_line->
fields = current_line;
897 *tok_lines =
lappend(*tok_lines, tok_line);
901 line_number += continuations + 1;
902 callback_arg.
linenum = line_number;
953 foreach(cell, tokens)
968 else if (case_insensitive)
992 foreach(cell, tokens)
1008 if (strcmp(
dbname, role) == 0)
1033 return (
a->sin_addr.s_addr ==
b->sin_addr.s_addr);
1041 for (
i = 0;
i < 16;
i++)
1042 if (
a->sin6_addr.s6_addr[
i] !=
b->sin6_addr.s6_addr[
i])
1054 if (pattern[0] ==
'.')
1056 size_t plen = strlen(pattern);
1057 size_t hlen = strlen(actual_hostname);
1062 return (
pg_strcasecmp(pattern, actual_hostname + (hlen - plen)) == 0);
1074 struct addrinfo *gai_result,
1080 if (
port->remote_hostname_resolv < 0)
1084 if (!
port->remote_hostname)
1086 char remote_hostname[NI_MAXHOST];
1089 remote_hostname,
sizeof(remote_hostname),
1095 port->remote_hostname_resolv = -2;
1096 port->remote_hostname_errcode = ret;
1108 if (
port->remote_hostname_resolv == +1)
1112 ret = getaddrinfo(
port->remote_hostname, NULL, NULL, &gai_result);
1116 port->remote_hostname_resolv = -2;
1117 port->remote_hostname_errcode = ret;
1122 for (gai = gai_result; gai; gai = gai->ai_next)
1124 if (gai->ai_addr->sa_family ==
port->raddr.addr.ss_family)
1126 if (gai->ai_addr->sa_family == AF_INET)
1128 if (
ipv4eq((
struct sockaddr_in *) gai->ai_addr,
1129 (
struct sockaddr_in *) &
port->raddr.addr))
1135 else if (gai->ai_addr->sa_family == AF_INET6)
1137 if (
ipv6eq((
struct sockaddr_in6 *) gai->ai_addr,
1138 (
struct sockaddr_in6 *) &
port->raddr.addr))
1148 freeaddrinfo(gai_result);
1151 elog(
DEBUG2,
"pg_hba.conf host name \"%s\" rejected because address resolution did not return a match with IP address of client",
1154 port->remote_hostname_resolv = found ? +1 : -1;
1165 if (raddr->
addr.ss_family == addr->sa_family &&
1167 (
struct sockaddr_storage *) addr,
1168 (
struct sockaddr_storage *) mask))
1181 struct sockaddr_storage mask;
1216 (
errmsg(
"error enumerating network interfaces: %m")));
1238 #define INVALID_AUTH_OPTION(optname, validmethods) \
1241 (errcode(ERRCODE_CONFIG_FILE_ERROR), \
1243 errmsg("authentication option \"%s\" is only valid for authentication methods %s", \
1244 optname, _(validmethods)), \
1245 errcontext("line %d of configuration file \"%s\"", \
1246 line_num, file_name))); \
1247 *err_msg = psprintf("authentication option \"%s\" is only valid for authentication methods %s", \
1248 optname, validmethods); \
1252 #define REQUIRE_AUTH_OPTION(methodval, optname, validmethods) \
1254 if (hbaline->auth_method != methodval) \
1255 INVALID_AUTH_OPTION(optname, validmethods); \
1258 #define MANDATORY_AUTH_ARG(argvar, argname, authname) \
1260 if (argvar == NULL) { \
1262 (errcode(ERRCODE_CONFIG_FILE_ERROR), \
1263 errmsg("authentication method \"%s\" requires argument \"%s\" to be set", \
1264 authname, argname), \
1265 errcontext("line %d of configuration file \"%s\"", \
1266 line_num, file_name))); \
1267 *err_msg = psprintf("authentication method \"%s\" requires argument \"%s\" to be set", \
1268 authname, argname); \
1282 #define IDENT_FIELD_ABSENT(field) \
1286 (errcode(ERRCODE_CONFIG_FILE_ERROR), \
1287 errmsg("missing entry at end of line"), \
1288 errcontext("line %d of configuration file \"%s\"", \
1289 line_num, file_name))); \
1290 *err_msg = pstrdup("missing entry at end of line"); \
1295 #define IDENT_MULTI_VALUE(tokens) \
1297 if (tokens->length > 1) { \
1299 (errcode(ERRCODE_CONFIG_FILE_ERROR), \
1300 errmsg("multiple values in ident field"), \
1301 errcontext("line %d of configuration file \"%s\"", \
1302 line_num, file_name))); \
1303 *err_msg = pstrdup("multiple values in ident field"); \
1326 char **err_msg = &tok_line->
err_msg;
1328 struct addrinfo *gai_result;
1329 struct addrinfo hints;
1351 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1352 errmsg(
"multiple values specified for connection type"),
1353 errhint(
"Specify exactly one connection type per line."),
1354 errcontext(
"line %d of configuration file \"%s\"",
1355 line_num, file_name)));
1356 *err_msg =
"multiple values specified for connection type";
1360 if (strcmp(
token->string,
"local") == 0)
1364 else if (strcmp(
token->string,
"host") == 0 ||
1365 strcmp(
token->string,
"hostssl") == 0 ||
1366 strcmp(
token->string,
"hostnossl") == 0 ||
1367 strcmp(
token->string,
"hostgssenc") == 0 ||
1368 strcmp(
token->string,
"hostnogssenc") == 0)
1371 if (
token->string[4] ==
's')
1379 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1380 errmsg(
"hostssl record cannot match because SSL is disabled"),
1381 errhint(
"Set ssl = on in postgresql.conf."),
1382 errcontext(
"line %d of configuration file \"%s\"",
1383 line_num, file_name)));
1384 *err_msg =
"hostssl record cannot match because SSL is disabled";
1388 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1389 errmsg(
"hostssl record cannot match because SSL is not supported by this build"),
1390 errcontext(
"line %d of configuration file \"%s\"",
1391 line_num, file_name)));
1392 *err_msg =
"hostssl record cannot match because SSL is not supported by this build";
1395 else if (
token->string[4] ==
'g')
1400 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1401 errmsg(
"hostgssenc record cannot match because GSSAPI is not supported by this build"),
1402 errcontext(
"line %d of configuration file \"%s\"",
1403 line_num, file_name)));
1404 *err_msg =
"hostgssenc record cannot match because GSSAPI is not supported by this build";
1407 else if (
token->string[4] ==
'n' &&
token->string[6] ==
's')
1409 else if (
token->string[4] ==
'n' &&
token->string[6] ==
'g')
1420 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1421 errmsg(
"invalid connection type \"%s\"",
1423 errcontext(
"line %d of configuration file \"%s\"",
1424 line_num, file_name)));
1425 *err_msg =
psprintf(
"invalid connection type \"%s\"",
token->string);
1434 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1435 errmsg(
"end-of-line before database specification"),
1436 errcontext(
"line %d of configuration file \"%s\"",
1437 line_num, file_name)));
1438 *err_msg =
"end-of-line before database specification";
1443 foreach(tokencell, tokens)
1459 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1460 errmsg(
"end-of-line before role specification"),
1461 errcontext(
"line %d of configuration file \"%s\"",
1462 line_num, file_name)));
1463 *err_msg =
"end-of-line before role specification";
1468 foreach(tokencell, tokens)
1486 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1487 errmsg(
"end-of-line before IP address specification"),
1488 errcontext(
"line %d of configuration file \"%s\"",
1489 line_num, file_name)));
1490 *err_msg =
"end-of-line before IP address specification";
1497 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1498 errmsg(
"multiple values specified for host address"),
1499 errhint(
"Specify one address range per line."),
1500 errcontext(
"line %d of configuration file \"%s\"",
1501 line_num, file_name)));
1502 *err_msg =
"multiple values specified for host address";
1530 cidr_slash = strchr(
str,
'/');
1535 hints.ai_flags = AI_NUMERICHOST;
1536 hints.ai_family = AF_UNSPEC;
1537 hints.ai_socktype = 0;
1538 hints.ai_protocol = 0;
1539 hints.ai_addrlen = 0;
1540 hints.ai_canonname = NULL;
1541 hints.ai_addr = NULL;
1542 hints.ai_next = NULL;
1545 if (ret == 0 && gai_result)
1547 memcpy(&parsedline->
addr, gai_result->ai_addr,
1548 gai_result->ai_addrlen);
1549 parsedline->
addrlen = gai_result->ai_addrlen;
1551 else if (ret == EAI_NONAME)
1556 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1557 errmsg(
"invalid IP address \"%s\": %s",
1559 errcontext(
"line %d of configuration file \"%s\"",
1560 line_num, file_name)));
1561 *err_msg =
psprintf(
"invalid IP address \"%s\": %s",
1576 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1577 errmsg(
"specifying both host name and CIDR mask is invalid: \"%s\"",
1579 errcontext(
"line %d of configuration file \"%s\"",
1580 line_num, file_name)));
1581 *err_msg =
psprintf(
"specifying both host name and CIDR mask is invalid: \"%s\"",
1587 parsedline->
addr.ss_family) < 0)
1590 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1591 errmsg(
"invalid CIDR mask in address \"%s\"",
1593 errcontext(
"line %d of configuration file \"%s\"",
1594 line_num, file_name)));
1595 *err_msg =
psprintf(
"invalid CIDR mask in address \"%s\"",
1610 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1611 errmsg(
"end-of-line before netmask specification"),
1612 errhint(
"Specify an address range in CIDR notation, or provide a separate netmask."),
1613 errcontext(
"line %d of configuration file \"%s\"",
1614 line_num, file_name)));
1615 *err_msg =
"end-of-line before netmask specification";
1622 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1623 errmsg(
"multiple values specified for netmask"),
1624 errcontext(
"line %d of configuration file \"%s\"",
1625 line_num, file_name)));
1626 *err_msg =
"multiple values specified for netmask";
1632 &hints, &gai_result);
1633 if (ret || !gai_result)
1636 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1637 errmsg(
"invalid IP mask \"%s\": %s",
1639 errcontext(
"line %d of configuration file \"%s\"",
1640 line_num, file_name)));
1641 *err_msg =
psprintf(
"invalid IP mask \"%s\": %s",
1648 memcpy(&parsedline->
mask, gai_result->ai_addr,
1649 gai_result->ai_addrlen);
1650 parsedline->
masklen = gai_result->ai_addrlen;
1653 if (parsedline->
addr.ss_family != parsedline->
mask.ss_family)
1656 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1657 errmsg(
"IP address and mask do not match"),
1658 errcontext(
"line %d of configuration file \"%s\"",
1659 line_num, file_name)));
1660 *err_msg =
"IP address and mask do not match";
1672 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1673 errmsg(
"end-of-line before authentication method"),
1674 errcontext(
"line %d of configuration file \"%s\"",
1675 line_num, file_name)));
1676 *err_msg =
"end-of-line before authentication method";
1683 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1684 errmsg(
"multiple values specified for authentication type"),
1685 errhint(
"Specify exactly one authentication type per line."),
1686 errcontext(
"line %d of configuration file \"%s\"",
1687 line_num, file_name)));
1688 *err_msg =
"multiple values specified for authentication type";
1694 if (strcmp(
token->string,
"trust") == 0)
1696 else if (strcmp(
token->string,
"ident") == 0)
1698 else if (strcmp(
token->string,
"peer") == 0)
1700 else if (strcmp(
token->string,
"password") == 0)
1702 else if (strcmp(
token->string,
"gss") == 0)
1708 else if (strcmp(
token->string,
"sspi") == 0)
1714 else if (strcmp(
token->string,
"reject") == 0)
1716 else if (strcmp(
token->string,
"md5") == 0)
1718 else if (strcmp(
token->string,
"scram-sha-256") == 0)
1720 else if (strcmp(
token->string,
"pam") == 0)
1726 else if (strcmp(
token->string,
"bsd") == 0)
1732 else if (strcmp(
token->string,
"ldap") == 0)
1738 else if (strcmp(
token->string,
"cert") == 0)
1744 else if (strcmp(
token->string,
"radius") == 0)
1749 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1750 errmsg(
"invalid authentication method \"%s\"",
1752 errcontext(
"line %d of configuration file \"%s\"",
1753 line_num, file_name)));
1754 *err_msg =
psprintf(
"invalid authentication method \"%s\"",
1762 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1763 errmsg(
"invalid authentication method \"%s\": not supported by this build",
1765 errcontext(
"line %d of configuration file \"%s\"",
1766 line_num, file_name)));
1767 *err_msg =
psprintf(
"invalid authentication method \"%s\": not supported by this build",
1785 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1786 errmsg(
"gssapi authentication is not supported on local sockets"),
1787 errcontext(
"line %d of configuration file \"%s\"",
1788 line_num, file_name)));
1789 *err_msg =
"gssapi authentication is not supported on local sockets";
1797 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1798 errmsg(
"peer authentication is only supported on local sockets"),
1799 errcontext(
"line %d of configuration file \"%s\"",
1800 line_num, file_name)));
1801 *err_msg =
"peer authentication is only supported on local sockets";
1815 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1816 errmsg(
"cert authentication is only supported on hostssl connections"),
1817 errcontext(
"line %d of configuration file \"%s\"",
1818 line_num, file_name)));
1819 *err_msg =
"cert authentication is only supported on hostssl connections";
1848 while ((field =
lnext(tok_line->
fields, field)) != NULL)
1851 foreach(tokencell, tokens)
1865 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1866 errmsg(
"authentication option not in name=value format: %s",
token->string),
1867 errcontext(
"line %d of configuration file \"%s\"",
1868 line_num, file_name)));
1869 *err_msg =
psprintf(
"authentication option not in name=value format: %s",
1888 #ifndef HAVE_LDAP_INITIALIZE
1909 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1910 errmsg(
"cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix"),
1911 errcontext(
"line %d of configuration file \"%s\"",
1912 line_num, file_name)));
1913 *err_msg =
"cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix";
1920 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1921 errmsg(
"authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set"),
1922 errcontext(
"line %d of configuration file \"%s\"",
1923 line_num, file_name)));
1924 *err_msg =
"authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set";
1936 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1937 errmsg(
"cannot use ldapsearchattribute together with ldapsearchfilter"),
1938 errcontext(
"line %d of configuration file \"%s\"",
1939 line_num, file_name)));
1940 *err_msg =
"cannot use ldapsearchattribute together with ldapsearchfilter";
1953 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1954 errmsg(
"list of RADIUS servers cannot be empty"),
1955 errcontext(
"line %d of configuration file \"%s\"",
1956 line_num, file_name)));
1957 *err_msg =
"list of RADIUS servers cannot be empty";
1964 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1965 errmsg(
"list of RADIUS secrets cannot be empty"),
1966 errcontext(
"line %d of configuration file \"%s\"",
1967 line_num, file_name)));
1968 *err_msg =
"list of RADIUS secrets cannot be empty";
1981 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1982 errmsg(
"the number of RADIUS secrets (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1985 errcontext(
"line %d of configuration file \"%s\"",
1986 line_num, file_name)));
1987 *err_msg =
psprintf(
"the number of RADIUS secrets (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1997 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1998 errmsg(
"the number of RADIUS ports (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2001 errcontext(
"line %d of configuration file \"%s\"",
2002 line_num, file_name)));
2003 *err_msg =
psprintf(
"the number of RADIUS ports (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2013 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2014 errmsg(
"the number of RADIUS identifiers (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2017 errcontext(
"line %d of configuration file \"%s\"",
2018 line_num, file_name)));
2019 *err_msg =
psprintf(
"the number of RADIUS identifiers (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2050 int elevel,
char **err_msg)
2056 hbaline->
ldapscope = LDAP_SCOPE_SUBTREE;
2059 if (strcmp(
name,
"map") == 0)
2069 else if (strcmp(
name,
"clientcert") == 0)
2074 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2075 errmsg(
"clientcert can only be configured for \"hostssl\" rows"),
2076 errcontext(
"line %d of configuration file \"%s\"",
2077 line_num, file_name)));
2078 *err_msg =
"clientcert can only be configured for \"hostssl\" rows";
2082 if (strcmp(
val,
"verify-full") == 0)
2086 else if (strcmp(
val,
"verify-ca") == 0)
2091 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2092 errmsg(
"clientcert only accepts \"verify-full\" when using \"cert\" authentication"),
2093 errcontext(
"line %d of configuration file \"%s\"",
2094 line_num, file_name)));
2095 *err_msg =
"clientcert can only be set to \"verify-full\" when using \"cert\" authentication";
2104 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2105 errmsg(
"invalid value for clientcert: \"%s\"",
val),
2106 errcontext(
"line %d of configuration file \"%s\"",
2107 line_num, file_name)));
2111 else if (strcmp(
name,
"clientname") == 0)
2116 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2117 errmsg(
"clientname can only be configured for \"hostssl\" rows"),
2118 errcontext(
"line %d of configuration file \"%s\"",
2119 line_num, file_name)));
2120 *err_msg =
"clientname can only be configured for \"hostssl\" rows";
2124 if (strcmp(
val,
"CN") == 0)
2128 else if (strcmp(
val,
"DN") == 0)
2135 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2136 errmsg(
"invalid value for clientname: \"%s\"",
val),
2137 errcontext(
"line %d of configuration file \"%s\"",
2138 line_num, file_name)));
2142 else if (strcmp(
name,
"pamservice") == 0)
2147 else if (strcmp(
name,
"pam_use_hostname") == 0)
2150 if (strcmp(
val,
"1") == 0)
2155 else if (strcmp(
name,
"ldapurl") == 0)
2157 #ifdef LDAP_API_FEATURE_X_OPENLDAP
2158 LDAPURLDesc *urldata;
2163 #ifdef LDAP_API_FEATURE_X_OPENLDAP
2164 rc = ldap_url_parse(
val, &urldata);
2165 if (rc != LDAP_SUCCESS)
2168 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2169 errmsg(
"could not parse LDAP URL \"%s\": %s",
val, ldap_err2string(rc))));
2170 *err_msg =
psprintf(
"could not parse LDAP URL \"%s\": %s",
2171 val, ldap_err2string(rc));
2175 if (strcmp(urldata->lud_scheme,
"ldap") != 0 &&
2176 strcmp(urldata->lud_scheme,
"ldaps") != 0)
2179 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2180 errmsg(
"unsupported LDAP URL scheme: %s", urldata->lud_scheme)));
2181 *err_msg =
psprintf(
"unsupported LDAP URL scheme: %s",
2182 urldata->lud_scheme);
2183 ldap_free_urldesc(urldata);
2187 if (urldata->lud_scheme)
2189 if (urldata->lud_host)
2191 hbaline->
ldapport = urldata->lud_port;
2192 if (urldata->lud_dn)
2195 if (urldata->lud_attrs)
2197 hbaline->
ldapscope = urldata->lud_scope;
2198 if (urldata->lud_filter)
2200 ldap_free_urldesc(urldata);
2203 (
errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
2204 errmsg(
"LDAP URLs not supported on this platform")));
2205 *err_msg =
"LDAP URLs not supported on this platform";
2208 else if (strcmp(
name,
"ldaptls") == 0)
2211 if (strcmp(
val,
"1") == 0)
2216 else if (strcmp(
name,
"ldapscheme") == 0)
2219 if (strcmp(
val,
"ldap") != 0 && strcmp(
val,
"ldaps") != 0)
2221 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2222 errmsg(
"invalid ldapscheme value: \"%s\"",
val),
2223 errcontext(
"line %d of configuration file \"%s\"",
2224 line_num, file_name)));
2227 else if (strcmp(
name,
"ldapserver") == 0)
2232 else if (strcmp(
name,
"ldapport") == 0)
2239 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2240 errmsg(
"invalid LDAP port number: \"%s\"",
val),
2241 errcontext(
"line %d of configuration file \"%s\"",
2242 line_num, file_name)));
2243 *err_msg =
psprintf(
"invalid LDAP port number: \"%s\"",
val);
2247 else if (strcmp(
name,
"ldapbinddn") == 0)
2252 else if (strcmp(
name,
"ldapbindpasswd") == 0)
2257 else if (strcmp(
name,
"ldapsearchattribute") == 0)
2262 else if (strcmp(
name,
"ldapsearchfilter") == 0)
2267 else if (strcmp(
name,
"ldapbasedn") == 0)
2272 else if (strcmp(
name,
"ldapprefix") == 0)
2277 else if (strcmp(
name,
"ldapsuffix") == 0)
2282 else if (strcmp(
name,
"krb_realm") == 0)
2289 else if (strcmp(
name,
"include_realm") == 0)
2294 if (strcmp(
val,
"1") == 0)
2299 else if (strcmp(
name,
"compat_realm") == 0)
2303 if (strcmp(
val,
"1") == 0)
2308 else if (strcmp(
name,
"upn_username") == 0)
2312 if (strcmp(
val,
"1") == 0)
2317 else if (strcmp(
name,
"radiusservers") == 0)
2319 struct addrinfo *gai_result;
2320 struct addrinfo hints;
2322 List *parsed_servers;
2332 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2333 errmsg(
"could not parse RADIUS server list \"%s\"",
2335 errcontext(
"line %d of configuration file \"%s\"",
2336 line_num, file_name)));
2341 foreach(l, parsed_servers)
2343 MemSet(&hints, 0,
sizeof(hints));
2344 hints.ai_socktype = SOCK_DGRAM;
2345 hints.ai_family = AF_UNSPEC;
2348 if (ret || !gai_result)
2351 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2352 errmsg(
"could not translate RADIUS server name \"%s\" to address: %s",
2354 errcontext(
"line %d of configuration file \"%s\"",
2355 line_num, file_name)));
2369 else if (strcmp(
name,
"radiusports") == 0)
2380 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2381 errmsg(
"could not parse RADIUS port list \"%s\"",
2383 errcontext(
"line %d of configuration file \"%s\"",
2384 line_num, file_name)));
2385 *err_msg =
psprintf(
"invalid RADIUS port number: \"%s\"",
val);
2389 foreach(l, parsed_ports)
2391 if (atoi(
lfirst(l)) == 0)
2394 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2395 errmsg(
"invalid RADIUS port number: \"%s\"",
val),
2396 errcontext(
"line %d of configuration file \"%s\"",
2397 line_num, file_name)));
2405 else if (strcmp(
name,
"radiussecrets") == 0)
2407 List *parsed_secrets;
2416 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2417 errmsg(
"could not parse RADIUS secret list \"%s\"",
2419 errcontext(
"line %d of configuration file \"%s\"",
2420 line_num, file_name)));
2427 else if (strcmp(
name,
"radiusidentifiers") == 0)
2429 List *parsed_identifiers;
2438 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2439 errmsg(
"could not parse RADIUS identifiers list \"%s\"",
2441 errcontext(
"line %d of configuration file \"%s\"",
2442 line_num, file_name)));
2452 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2453 errmsg(
"unrecognized authentication option name: \"%s\"",
2455 errcontext(
"line %d of configuration file \"%s\"",
2456 line_num, file_name)));
2457 *err_msg =
psprintf(
"unrecognized authentication option name: \"%s\"",
2485 if (
port->raddr.addr.ss_family != AF_UNIX)
2490 if (
port->raddr.addr.ss_family == AF_UNIX)
2494 if (
port->ssl_in_use)
2512 else if (!(
port->gss &&
port->gss->enc) &&
2533 (
struct sockaddr *) &hba->
addr,
2534 (
struct sockaddr *) &hba->
mask))
2605 "hba parser context",
2608 foreach(line, hba_lines)
2614 if (tok_line->
err_msg != NULL)
2641 if (ok && new_parsed_lines ==
NIL)
2644 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2645 errmsg(
"configuration file \"%s\" contains no entries",
2693 char **err_msg = &tok_line->
err_msg;
2759 bool case_insensitive,
bool *found_p,
bool *error_p)
2766 if (strcmp(identLine->
usermap, usermap_name) != 0)
2785 bool created_temporary_token =
false;
2797 (
errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
2798 errmsg(
"regular expression match for \"%s\" failed: %s",
2814 char *expanded_pg_user;
2818 if (matches[1].rm_so < 0)
2821 (
errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
2822 errmsg(
"regular expression \"%s\" has no subexpressions as requested by backreference in \"%s\"",
2834 memcpy(expanded_pg_user, identLine->
pg_user->
string, offset);
2835 memcpy(expanded_pg_user + offset,
2837 matches[1].rm_eo - matches[1].rm_so);
2838 strcat(expanded_pg_user, ofs + 2);
2846 created_temporary_token =
true;
2847 pfree(expanded_pg_user);
2851 expanded_pg_user_token = identLine->
pg_user;
2859 if (created_temporary_token)
2870 if (case_insensitive)
2905 const char *pg_user,
2907 bool case_insensitive)
2909 bool found_entry =
false,
2912 if (usermap_name == NULL || usermap_name[0] ==
'\0')
2914 if (case_insensitive)
2925 (
errmsg(
"provided user name (%s) and authenticated user name (%s) do not match",
2937 &found_entry, &
error);
2938 if (found_entry ||
error)
2942 if (!found_entry && !
error)
2945 (
errmsg(
"no match in usermap \"%s\" for user \"%s\" authenticated as \"%s\"",
2983 "ident parser context",
2986 foreach(line_cell, ident_lines)
2991 if (tok_line->
err_msg != NULL)
bool is_member_of_role_nosuper(Oid member, Oid role)
Oid get_role_oid(const char *rolname, bool missing_ok)
#define Assert(condition)
#define MemSet(start, val, len)
#define OidIsValid(objectId)
char * AbsoluteConfigLocation(const char *location, const char *calling_file)
char ** GetConfFilesInDir(const char *includedir, const char *calling_file, int elevel, int *num_filenames, char **err_msg)
#define CONF_FILE_MAX_DEPTH
#define CONF_FILE_START_DEPTH
int errcode_for_file_access(void)
ErrorContextCallback * error_context_stack
int errhint(const char *fmt,...)
int errcode(int sqlerrcode)
int errmsg(const char *fmt,...)
#define ereport(elevel,...)
FILE * AllocateFile(const char *name, const char *mode)
IdentLine * parse_ident_line(TokenizedAuthLine *tok_line, int elevel)
bool pg_isblank(const char c)
FILE * open_auth_file(const char *filename, int elevel, int depth, char **err_msg)
#define MANDATORY_AUTH_ARG(argvar, argname, authname)
static bool is_member(Oid userid, const char *role)
static bool check_role(const char *role, Oid roleid, List *tokens, bool case_insensitive)
static bool hostname_match(const char *pattern, const char *actual_hostname)
StaticAssertDecl(lengthof(UserAuthName)==USER_AUTH_LAST+1, "UserAuthName[] must match the UserAuth enum")
static List * next_field_expand(const char *filename, char **lineptr, int elevel, int depth, char **err_msg)
static bool check_ip(SockAddr *raddr, struct sockaddr *addr, struct sockaddr *mask)
#define token_is_member_check(t)
#define IDENT_FIELD_ABSENT(field)
#define token_is_keyword(t, k)
static bool ipv4eq(struct sockaddr_in *a, struct sockaddr_in *b)
static MemoryContext parsed_ident_context
#define token_matches_insensitive(t, k)
struct check_network_data check_network_data
static bool parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int elevel, char **err_msg)
static bool check_same_host_or_net(SockAddr *raddr, IPCompareMethod method)
static int regcomp_auth_token(AuthToken *token, char *filename, int line_num, char **err_msg, int elevel)
static MemoryContext tokenize_context
static int regexec_auth_token(const char *match, AuthToken *token, size_t nmatch, regmatch_t pmatch[])
static void tokenize_include_file(const char *outer_filename, const char *inc_filename, List **tok_lines, int elevel, int depth, bool missing_ok, char **err_msg)
static bool check_hostname(hbaPort *port, const char *hostname)
static void tokenize_error_callback(void *arg)
static void check_hba(hbaPort *port)
static void check_network_callback(struct sockaddr *addr, struct sockaddr *netmask, void *cb_data)
#define token_has_regexp(t)
const char * hba_authname(UserAuth auth_method)
static MemoryContext parsed_hba_context
static AuthToken * copy_auth_token(AuthToken *in)
#define IDENT_MULTI_VALUE(tokens)
void hba_getauthmethod(hbaPort *port)
int check_usermap(const char *usermap_name, const char *pg_user, const char *system_user, bool case_insensitive)
void free_auth_file(FILE *file, int depth)
static bool ipv6eq(struct sockaddr_in6 *a, struct sockaddr_in6 *b)
static List * tokenize_expand_file(List *tokens, const char *outer_filename, const char *inc_filename, int elevel, int depth, char **err_msg)
static void free_auth_token(AuthToken *token)
static List * parsed_ident_lines
static const char *const UserAuthName[]
#define token_matches(t, k)
HbaLine * parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
static bool next_token(char **lineptr, StringInfo buf, bool *initial_quote, bool *terminating_comma)
static List * parsed_hba_lines
#define INVALID_AUTH_OPTION(optname, validmethods)
static AuthToken * make_auth_token(const char *token, bool quoted)
void tokenize_auth_file(const char *filename, FILE *file, List **tok_lines, int elevel, int depth)
static void check_ident_usermap(IdentLine *identLine, const char *usermap_name, const char *pg_user, const char *system_user, bool case_insensitive, bool *found_p, bool *error_p)
static bool check_db(const char *dbname, const char *role, Oid roleid, List *tokens)
#define REQUIRE_AUTH_OPTION(methodval, optname, validmethods)
int pg_sockaddr_cidr_mask(struct sockaddr_storage *mask, char *numbits, int family)
int pg_foreach_ifaddr(PgIfAddrCallback callback, void *cb_data)
int pg_range_sockaddr(const struct sockaddr_storage *addr, const struct sockaddr_storage *netaddr, const struct sockaddr_storage *netmask)
void pg_freeaddrinfo_all(int hint_ai_family, struct addrinfo *ai)
int pg_getnameinfo_all(const struct sockaddr_storage *addr, int salen, char *node, int nodelen, char *service, int servicelen, int flags)
int pg_getaddrinfo_all(const char *hostname, const char *servname, const struct addrinfo *hintp, struct addrinfo **result)
List * lappend(List *list, void *datum)
void list_free(List *list)
int pg_mb2wchar_with_len(const char *from, pg_wchar *to, int len)
char * pstrdup(const char *in)
void pfree(void *pointer)
void * palloc0(Size size)
MemoryContext CurrentMemoryContext
MemoryContext PostmasterContext
void MemoryContextDelete(MemoryContext context)
#define AllocSetContextCreate
#define ALLOCSET_START_SMALL_SIZES
#define ALLOCSET_SMALL_SIZES
Datum system_user(PG_FUNCTION_ARGS)
bool pg_get_line_append(FILE *stream, StringInfo buf, PromptInterruptContext *prompt_ctx)
static int list_length(const List *l)
#define linitial_node(type, l)
#define lsecond_node(type, l)
static ListCell * list_head(const List *l)
static ListCell * lnext(const List *l, const ListCell *c)
int pg_strcasecmp(const char *s1, const char *s2)
char * psprintf(const char *fmt,...)
MemoryContextSwitchTo(old_ctx)
int pg_regcomp(regex_t *re, const chr *string, size_t len, int flags, Oid collation)
size_t pg_regerror(int errcode, const regex_t *preg, char *errbuf, size_t errbuf_size)
int pg_regexec(regex_t *re, const chr *string, size_t len, size_t search_start, rm_detail_t *details, size_t nmatch, regmatch_t pmatch[], int flags)
void pg_regfree(regex_t *re)
const char * gai_strerror(int ecode)
int pg_strip_crlf(char *str)
void resetStringInfo(StringInfo str)
void appendStringInfoString(StringInfo str, const char *s)
void appendStringInfoChar(StringInfo str, char ch)
void initStringInfo(StringInfo str)
struct ErrorContextCallback * previous
void(* callback)(void *arg)
struct sockaddr_storage mask
ClientCertName clientcertname
ClientCertMode clientcert
char * ldapsearchattribute
struct sockaddr_storage addr
IPCompareMethod ip_cmp_method
char * radiusidentifiers_s
struct sockaddr_storage addr
bool SplitGUCList(char *rawstring, char separator, List **namelist)