auth-oauth.c File Reference

#include "postgres.h"
#include <unistd.h>
#include <fcntl.h>
#include "common/oauth-common.h"
#include "fmgr.h"
#include "lib/stringinfo.h"
#include "libpq/auth.h"
#include "libpq/hba.h"
#include "libpq/oauth.h"
#include "libpq/sasl.h"
#include "miscadmin.h"
#include "storage/fd.h"
#include "storage/ipc.h"
#include "utils/json.h"
#include "utils/varlena.h"

Include dependency graph for auth-oauth.c:

Go to the source code of this file.

Data Structures
struct	oauth_ctx

Macros
#define	KVSEP   0x01 /* separator byte for key/value pairs */
#define	AUTH_KEY   "auth" /* key containing the Authorization header */
#define	BEARER_SCHEME   "Bearer " /* required header scheme (case-insensitive!) */

Enumerations
enum	oauth_state { OAUTH_STATE_INIT = 0 , OAUTH_STATE_ERROR , OAUTH_STATE_ERROR_DISCOVERY , OAUTH_STATE_FINISHED }

Functions
static void	oauth_get_mechanisms (Port *port, StringInfo buf)
static void *	oauth_init (Port *port, const char *selected_mech, const char *shadow_pass)
static int	oauth_exchange (void *opaq, const char *input, int inputlen, char **output, int *outputlen, const char **logdetail)
static void	load_validator_library (const char *libname)
static void	shutdown_validator_library (void *arg)
static bool	check_validator_hba_options (Port *port, const char **logdetail)
static char *	sanitize_char (char c)
static char *	parse_kvpairs_for_auth (char **input)
static void	generate_error_response (struct oauth_ctx *ctx, char **output, int *outputlen)
static bool	validate (Port *port, const char *auth, const char **logdetail)
static void	validate_kvpair (const char *key, const char *val)
static const char *	validate_token_format (const char *header)
bool	check_oauth_validator (HbaLine *hbaline, int elevel, char **err_msg)
void	RegisterOAuthHBAOptions (ValidatorModuleState *state, int num, const char *opts[])
bool	valid_oauth_hba_option_name (const char *name)
const char *	GetOAuthHBAOption (const ValidatorModuleState *state, const char *optname)

Variables
char *	oauth_validator_libraries_string = NULL
static ValidatorModuleState *	validator_module_state
static const OAuthValidatorCallbacks *	ValidatorCallbacks
static MemoryContext	ValidatorMemoryContext
static List *	ValidatorOptions
static bool	ValidatorOptionsChecked
const pg_be_sasl_mech	pg_be_oauth_mech

Macro Definition Documentation

AUTH_KEY

#define AUTH_KEY   "auth" /* key containing the Authorization header */

Definition at line 87 of file auth-oauth.c.

BEARER_SCHEME

#define BEARER_SCHEME   "Bearer " /* required header scheme (case-insensitive!) */

Definition at line 88 of file auth-oauth.c.

KVSEP

#define KVSEP   0x01 /* separator byte for key/value pairs */

Definition at line 86 of file auth-oauth.c.

Enumeration Type Documentation

oauth_state

enum oauth_state

Enumerator
OAUTH_STATE_INIT
OAUTH_STATE_ERROR
OAUTH_STATE_ERROR_DISCOVERY
OAUTH_STATE_FINISHED

Definition at line 63 of file auth-oauth.c.

{
    OAUTH_STATE_INIT = 0,
    OAUTH_STATE_ERROR,
    OAUTH_STATE_ERROR_DISCOVERY,
    OAUTH_STATE_FINISHED,
};

Function Documentation

check_oauth_validator()

bool check_oauth_validator	(	HbaLine *	hbaline,
		int	elevel,
		char **	err_msg
	)

Definition at line 857 of file auth-oauth.c.

{
    int         line_num = hbaline->linenumber;
    const char *file_name = hbaline->sourcefile;
    char       *rawstring;
    List       *elemlist = NIL;
 
    *err_msg = NULL;
 
    if (oauth_validator_libraries_string[0] == '\0')
    {
        ereport(elevel,
                errcode(ERRCODE_CONFIG_FILE_ERROR),
                errmsg("oauth_validator_libraries must be set for authentication method %s",
                       "oauth"),
                errcontext("line %d of configuration file \"%s\"",
                           line_num, file_name));
        *err_msg = psprintf("oauth_validator_libraries must be set for authentication method %s",
                            "oauth");
        return false;
    }
 
    /* SplitDirectoriesString needs a modifiable copy */
    rawstring = pstrdup(oauth_validator_libraries_string);
 
    if (!SplitDirectoriesString(rawstring, ',', &elemlist))
    {
        /* syntax error in list */
        ereport(elevel,
                errcode(ERRCODE_CONFIG_FILE_ERROR),
                errmsg("invalid list syntax in parameter \"%s\"",
                       "oauth_validator_libraries"));
        *err_msg = psprintf("invalid list syntax in parameter \"%s\"",
                            "oauth_validator_libraries");
        goto done;
    }
 
    if (!hbaline->oauth_validator)
    {
        if (elemlist->length == 1)
        {
            hbaline->oauth_validator = pstrdup(linitial(elemlist));
            goto done;
        }
 
        ereport(elevel,
                errcode(ERRCODE_CONFIG_FILE_ERROR),
                errmsg("authentication method \"oauth\" requires argument \"validator\" to be set when oauth_validator_libraries contains multiple options"),
                errcontext("line %d of configuration file \"%s\"",
                           line_num, file_name));
        *err_msg = "authentication method \"oauth\" requires argument \"validator\" to be set when oauth_validator_libraries contains multiple options";
        goto done;
    }
 
    foreach_ptr(char, allowed, elemlist)
    {
        if (strcmp(allowed, hbaline->oauth_validator) == 0)
            goto done;
    }
 
    ereport(elevel,
            errcode(ERRCODE_INVALID_PARAMETER_VALUE),
            errmsg("validator \"%s\" is not permitted by %s",
                   hbaline->oauth_validator, "oauth_validator_libraries"),
            errcontext("line %d of configuration file \"%s\"",
                       line_num, file_name));
    *err_msg = psprintf("validator \"%s\" is not permitted by %s",
                        hbaline->oauth_validator, "oauth_validator_libraries");
 
done:
    list_free_deep(elemlist);
    pfree(rawstring);
 
    return (*err_msg == NULL);
}

References ereport, errcode(), errcontext, errmsg, fb(), foreach_ptr, linitial, list_free_deep(), NIL, oauth_validator_libraries_string, pfree(), psprintf(), pstrdup(), and SplitDirectoriesString().

Referenced by parse_hba_line().

check_validator_hba_options()

static bool check_validator_hba_options ( Port *  port, const char **  logdetail  )

static

Definition at line 1030 of file auth-oauth.c.

{
    HbaLine    *hba = port->hba;
 
    foreach_ptr(char, key, hba->oauth_opt_keys)
    {
        bool        found = false;
 
        /* O(n^2) shouldn't be a problem here in practice. */
        foreach_ptr(char, optname, ValidatorOptions)
        {
            if (strcmp(key, optname) == 0)
            {
                found = true;
                break;
            }
        }
 
        if (!found)
        {
            /*
             * Unknown option name. Mirror the error messages in hba.c here,
             * keeping in mind that the original "validator." prefix was
             * stripped from the key during parsing.
             *
             * Since this is affecting live connections, which is unusual for
             * HBA, be noisy with a WARNING. (Warnings aren't sent to clients
             * prior to successful authentication, so this won't disclose the
             * server config.) It'll duplicate some of the information in the
             * logdetail, but that should make it hard to miss the connection
             * between the two.
             */
            char       *name = psprintf("validator.%s", key);
 
            *logdetail = psprintf(_("unrecognized authentication option name: \"%s\""),
                                  name);
            ereport(WARNING,
                    errcode(ERRCODE_CONFIG_FILE_ERROR),
                    errmsg("unrecognized authentication option name: \"%s\"",
                           name),
            /* translator: the first %s is the name of the module */
                    errdetail("The installed validator module (\"%s\") did not define an option named \"%s\".",
                              hba->oauth_validator, key),
                    errhint("All OAuth connections matching this line will fail. Correct the option and reload the server configuration."),
                    errcontext("line %d of configuration file \"%s\"",
                               hba->linenumber, hba->sourcefile));
 
            return false;
        }
    }
 
    ValidatorOptionsChecked = true; /* unfetter GetOAuthHBAOption() */
    return true;
}

References _, ereport, errcode(), errcontext, errdetail(), errhint(), errmsg, fb(), foreach_ptr, HbaLine::linenumber, name, HbaLine::oauth_opt_keys, HbaLine::oauth_validator, port, psprintf(), HbaLine::sourcefile, ValidatorOptions, ValidatorOptionsChecked, and WARNING.

Referenced by oauth_exchange().

generate_error_response()

static void generate_error_response ( struct oauth_ctx *  ctx, char **  output, int *  outputlen  )

static

Definition at line 530 of file auth-oauth.c.

{
    StringInfoData buf;
    StringInfoData issuer;
 
    /*
     * The admin needs to set an issuer and scope for OAuth to work. There's
     * not really a way to hide this from the user, either, because we can't
     * choose a "default" issuer, so be honest in the failure message. (In
     * practice such configurations are rejected during HBA parsing.)
     */
    if (!ctx->issuer || !ctx->scope)
        ereport(FATAL,
                errcode(ERRCODE_INTERNAL_ERROR),
                errmsg("OAuth is not properly configured for this user"),
                errdetail_log("The issuer and scope parameters must be set in pg_hba.conf."));
 
    /*
     * Build a default .well-known URI based on our issuer, unless the HBA has
     * already provided one.
     */
    initStringInfo(&issuer);
    appendStringInfoString(&issuer, ctx->issuer);
    if (strstr(ctx->issuer, "/.well-known/") == NULL)
        appendStringInfoString(&issuer, "/.well-known/openid-configuration");
 
    initStringInfo(&buf);
 
    /*
     * Escaping the string here is belt-and-suspenders defensive programming
     * since escapable characters aren't valid in either the issuer URI or the
     * scope list, but the HBA doesn't enforce that yet.
     */
    appendStringInfoString(&buf, "{ \"status\": \"invalid_token\", ");
 
    appendStringInfoString(&buf, "\"openid-configuration\": ");
    escape_json(&buf, issuer.data);
    pfree(issuer.data);
 
    appendStringInfoString(&buf, ", \"scope\": ");
    escape_json(&buf, ctx->scope);
 
    appendStringInfoString(&buf, " }");
 
    *output = buf.data;
    *outputlen = buf.len;
}

References appendStringInfoString(), buf, ereport, errcode(), errdetail_log(), errmsg, escape_json(), FATAL, fb(), initStringInfo(), oauth_ctx::issuer, output, pfree(), and oauth_ctx::scope.

Referenced by oauth_exchange().

GetOAuthHBAOption()

const char * GetOAuthHBAOption	(	const ValidatorModuleState *	state,
		const char *	optname
	)

Definition at line 1090 of file auth-oauth.c.

{
    HbaLine    *hba = MyProcPort->hba;
    ListCell   *lc_k;
    ListCell   *lc_v;
    const char *ret = NULL;
 
    if (!ValidatorOptionsChecked)
    {
        /*
         * Prevent the startup_cb from retrieving HBA options that it has just
         * registered. This probably seems strange -- why refuse to hand out
         * information we already know? -- but this lets us reserve the
         * ability to perform the startup_cb call earlier, before we know
         * which HBA line is matched by a connection, without breaking this
         * API.
         */
        return NULL;
    }
 
    if (!state || !hba)
    {
        Assert(false);
        return NULL;
    }
 
    Assert(list_length(hba->oauth_opt_keys) == list_length(hba->oauth_opt_vals));
 
    forboth(lc_k, hba->oauth_opt_keys, lc_v, hba->oauth_opt_vals)
    {
        const char *key = lfirst(lc_k);
        const char *val = lfirst(lc_v);
 
        if (strcmp(key, optname) == 0)
        {
            /*
             * Don't return yet -- when regular HBA options are specified more
             * than once, the last one wins. Do the same for these options.
             */
            ret = val;
        }
    }
 
    return ret;
}

References Assert, fb(), forboth, Port::hba, lfirst, list_length(), MyProcPort, HbaLine::oauth_opt_keys, HbaLine::oauth_opt_vals, val, and ValidatorOptionsChecked.

Referenced by validate_token(), and validator_startup().

load_validator_library()

static void load_validator_library ( const char *  libname )

static

Definition at line 772 of file auth-oauth.c.

{
    OAuthValidatorModuleInit validator_init;
    MemoryContextCallback *mcb;
 
    /*
     * The presence, and validity, of libname has already been established by
     * check_oauth_validator so we don't need to perform more than Assert
     * level checking here.
     */
    Assert(libname && *libname);
 
    validator_init = (OAuthValidatorModuleInit)
        load_external_function(libname, "_PG_oauth_validator_module_init",
                               false, NULL);
 
    /*
     * The validator init function is required since it will set the callbacks
     * for the validator library.
     */
    if (validator_init == NULL)
        ereport(ERROR,
                errmsg("%s module \"%s\" must define the symbol %s",
                       "OAuth validator", libname, "_PG_oauth_validator_module_init"));
 
    ValidatorCallbacks = (*validator_init) ();
    Assert(ValidatorCallbacks);
 
    /*
     * Check the magic number, to protect against break-glass scenarios where
     * the ABI must change within a major version. load_external_function()
     * already checks for compatibility across major versions.
     */
    if (ValidatorCallbacks->magic != PG_OAUTH_VALIDATOR_MAGIC)
        ereport(ERROR,
                errmsg("%s module \"%s\": magic number mismatch",
                       "OAuth validator", libname),
                errdetail("Server has magic number 0x%08X, module has 0x%08X.",
                          PG_OAUTH_VALIDATOR_MAGIC, ValidatorCallbacks->magic));
 
    /*
     * Make sure all required callbacks are present in the ValidatorCallbacks
     * structure. Right now only the validation callback is required.
     */
    if (ValidatorCallbacks->validate_cb == NULL)
        ereport(ERROR,
                errmsg("%s module \"%s\" must provide a %s callback",
                       "OAuth validator", libname, "validate_cb"));
 
    /* Allocate memory for validator library private state data */
    validator_module_state = palloc0_object(ValidatorModuleState);
    validator_module_state->sversion = PG_VERSION_NUM;
 
    if (ValidatorCallbacks->startup_cb != NULL)
        ValidatorCallbacks->startup_cb(validator_module_state);
 
    /* Shut down the library before cleaning up its state. */
    mcb = palloc0_object(MemoryContextCallback);
    mcb->func = shutdown_validator_library;
 
    MemoryContextRegisterResetCallback(CurrentMemoryContext, mcb);
}

References Assert, CurrentMemoryContext, ereport, errdetail(), errmsg, ERROR, fb(), MemoryContextCallback::func, load_external_function(), OAuthValidatorCallbacks::magic, MemoryContextRegisterResetCallback(), palloc0_object, PG_OAUTH_VALIDATOR_MAGIC, shutdown_validator_library(), OAuthValidatorCallbacks::startup_cb, ValidatorModuleState::sversion, OAuthValidatorCallbacks::validate_cb, validator_module_state, and ValidatorCallbacks.

Referenced by oauth_init().

oauth_exchange()

static int oauth_exchange ( void *  opaq, const char *  input, int  inputlen, char **  output, int *  outputlen, const char **  logdetail  )

static

Definition at line 144 of file auth-oauth.c.

{
    char       *input_copy;
    char       *p;
    char        cbind_flag;
    char       *auth;
    int         status;
 
    struct oauth_ctx *ctx = opaq;
 
    *output = NULL;
    *outputlen = -1;
 
    /*
     * If the client didn't include an "Initial Client Response" in the
     * SASLInitialResponse message, send an empty challenge, to which the
     * client will respond with the same data that usually comes in the
     * Initial Client Response.
     */
    if (input == NULL)
    {
        Assert(ctx->state == OAUTH_STATE_INIT);
 
        *output = pstrdup("");
        *outputlen = 0;
        return PG_SASL_EXCHANGE_CONTINUE;
    }
 
    /*
     * Check that the input length agrees with the string length of the input.
     */
    if (inputlen == 0)
        ereport(ERROR,
                errcode(ERRCODE_PROTOCOL_VIOLATION),
                errmsg("malformed OAUTHBEARER message"),
                errdetail("The message is empty."));
    if (inputlen != strlen(input))
        ereport(ERROR,
                errcode(ERRCODE_PROTOCOL_VIOLATION),
                errmsg("malformed OAUTHBEARER message"),
                errdetail("Message length does not match input length."));
 
    switch (ctx->state)
    {
        case OAUTH_STATE_INIT:
            /* Handle this case below. */
            break;
 
        case OAUTH_STATE_ERROR:
        case OAUTH_STATE_ERROR_DISCOVERY:
 
            /*
             * Only one response is valid for the client during authentication
             * failure: a single kvsep.
             */
            if (inputlen != 1 || *input != KVSEP)
                ereport(ERROR,
                        errcode(ERRCODE_PROTOCOL_VIOLATION),
                        errmsg("malformed OAUTHBEARER message"),
                        errdetail("Client did not send a kvsep response."));
 
            /*
             * The (failed) handshake is now complete. Don't report discovery
             * requests in the server log unless the log level is high enough.
             */
            if (ctx->state == OAUTH_STATE_ERROR_DISCOVERY)
            {
                ereport(DEBUG1, errmsg("OAuth issuer discovery requested"));
 
                ctx->state = OAUTH_STATE_FINISHED;
                return PG_SASL_EXCHANGE_ABANDONED;
            }
 
            /* We're not in discovery, so this is just a normal auth failure. */
            ctx->state = OAUTH_STATE_FINISHED;
            return PG_SASL_EXCHANGE_FAILURE;
 
        default:
            elog(ERROR, "invalid OAUTHBEARER exchange state");
            return PG_SASL_EXCHANGE_FAILURE;
    }
 
    /* Handle the client's initial message. */
    p = input_copy = pstrdup(input);
 
    /*
     * OAUTHBEARER does not currently define a channel binding (so there is no
     * OAUTHBEARER-PLUS, and we do not accept a 'p' specifier). We accept a
     * 'y' specifier purely for the remote chance that a future specification
     * could define one; then future clients can still interoperate with this
     * server implementation. 'n' is the expected case.
     */
    cbind_flag = *p;
    switch (cbind_flag)
    {
        case 'p':
            ereport(ERROR,
                    errcode(ERRCODE_PROTOCOL_VIOLATION),
                    errmsg("malformed OAUTHBEARER message"),
                    errdetail("The server does not support channel binding for OAuth, but the client message includes channel binding data."));
            break;
 
        case 'y':               /* fall through */
        case 'n':
            p++;
            if (*p != ',')
                ereport(ERROR,
                        errcode(ERRCODE_PROTOCOL_VIOLATION),
                        errmsg("malformed OAUTHBEARER message"),
                        errdetail("Comma expected, but found character \"%s\".",
                                  sanitize_char(*p)));
            p++;
            break;
 
        default:
            ereport(ERROR,
                    errcode(ERRCODE_PROTOCOL_VIOLATION),
                    errmsg("malformed OAUTHBEARER message"),
                    errdetail("Unexpected channel-binding flag \"%s\".",
                              sanitize_char(cbind_flag)));
    }
 
    /*
     * Forbid optional authzid (authorization identity).  We don't support it.
     */
    if (*p == 'a')
        ereport(ERROR,
                errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
                errmsg("client uses authorization identity, but it is not supported"));
    if (*p != ',')
        ereport(ERROR,
                errcode(ERRCODE_PROTOCOL_VIOLATION),
                errmsg("malformed OAUTHBEARER message"),
                errdetail("Unexpected attribute \"%s\" in client-first-message.",
                          sanitize_char(*p)));
    p++;
 
    /* All remaining fields are separated by the RFC's kvsep (\x01). */
    if (*p != KVSEP)
        ereport(ERROR,
                errcode(ERRCODE_PROTOCOL_VIOLATION),
                errmsg("malformed OAUTHBEARER message"),
                errdetail("Key-value separator expected, but found character \"%s\".",
                          sanitize_char(*p)));
    p++;
 
    auth = parse_kvpairs_for_auth(&p);
    if (!auth)
        ereport(ERROR,
                errcode(ERRCODE_PROTOCOL_VIOLATION),
                errmsg("malformed OAUTHBEARER message"),
                errdetail("Message does not contain an auth value."));
 
    /* We should be at the end of our message. */
    if (*p)
        ereport(ERROR,
                errcode(ERRCODE_PROTOCOL_VIOLATION),
                errmsg("malformed OAUTHBEARER message"),
                errdetail("Message contains additional data after the final terminator."));
 
    /*
     * Make sure all custom HBA options are understood by the validator before
     * continuing, since we couldn't check them during server start/reload.
     */
    if (!check_validator_hba_options(ctx->port, logdetail))
    {
        ctx->state = OAUTH_STATE_FINISHED;
        return PG_SASL_EXCHANGE_FAILURE;
    }
 
    if (auth[0] == '\0')
    {
        /*
         * An empty auth value represents a discovery request; the client
         * expects it to fail.  Skip validation entirely and move directly to
         * the error response.
         */
        generate_error_response(ctx, output, outputlen);
 
        ctx->state = OAUTH_STATE_ERROR_DISCOVERY;
        status = PG_SASL_EXCHANGE_CONTINUE;
    }
    else if (!validate(ctx->port, auth, logdetail))
    {
        generate_error_response(ctx, output, outputlen);
 
        ctx->state = OAUTH_STATE_ERROR;
        status = PG_SASL_EXCHANGE_CONTINUE;
    }
    else
    {
        ctx->state = OAUTH_STATE_FINISHED;
        status = PG_SASL_EXCHANGE_SUCCESS;
    }
 
    /* Don't let extra copies of the bearer token hang around. */
    explicit_bzero(input_copy, inputlen);
 
    return status;
}

References Assert, check_validator_hba_options(), DEBUG1, elog, ereport, errcode(), ERRCODE_PROTOCOL_VIOLATION, errdetail(), errmsg, ERROR, explicit_bzero(), fb(), generate_error_response(), input, KVSEP, OAUTH_STATE_ERROR, OAUTH_STATE_ERROR_DISCOVERY, OAUTH_STATE_FINISHED, OAUTH_STATE_INIT, output, parse_kvpairs_for_auth(), PG_SASL_EXCHANGE_ABANDONED, PG_SASL_EXCHANGE_CONTINUE, PG_SASL_EXCHANGE_FAILURE, PG_SASL_EXCHANGE_SUCCESS, oauth_ctx::port, pstrdup(), sanitize_char(), oauth_ctx::state, and validate().

oauth_get_mechanisms()

static void oauth_get_mechanisms ( Port *  port, StringInfo  buf  )

static

Definition at line 96 of file auth-oauth.c.

{
    /* Only OAUTHBEARER is supported. */
    appendStringInfoString(buf, OAUTHBEARER_NAME);
    appendStringInfoChar(buf, '\0');
}

References appendStringInfoChar(), appendStringInfoString(), buf, and OAUTHBEARER_NAME.

oauth_init()

static void * oauth_init ( Port *  port, const char *  selected_mech, const char *  shadow_pass  )

static

Definition at line 109 of file auth-oauth.c.

{
    struct oauth_ctx *ctx;
 
    if (strcmp(selected_mech, OAUTHBEARER_NAME) != 0)
        ereport(ERROR,
                errcode(ERRCODE_PROTOCOL_VIOLATION),
                errmsg("client selected an invalid SASL authentication mechanism"));
 
    /* Save our memory context for later use by client API calls. */
    ValidatorMemoryContext = CurrentMemoryContext;
 
    ctx = palloc0_object(struct oauth_ctx);
 
    ctx->state = OAUTH_STATE_INIT;
    ctx->port = port;
 
    Assert(port->hba);
    ctx->issuer = port->hba->oauth_issuer;
    ctx->scope = port->hba->oauth_scope;
 
    load_validator_library(port->hba->oauth_validator);
 
    return ctx;
}

References Assert, CurrentMemoryContext, ereport, errcode(), ERRCODE_PROTOCOL_VIOLATION, errmsg, ERROR, fb(), oauth_ctx::issuer, load_validator_library(), OAUTH_STATE_INIT, OAUTHBEARER_NAME, palloc0_object, oauth_ctx::port, port, oauth_ctx::scope, oauth_ctx::state, and ValidatorMemoryContext.

parse_kvpairs_for_auth()

static char * parse_kvpairs_for_auth ( char **  input )

static

Definition at line 431 of file auth-oauth.c.

{
    char       *pos = *input;
    char       *auth = NULL;
 
    /*----
     * The relevant ABNF, from Sec. 3.1:
     *
     *     kvsep          = %x01
     *     key            = 1*(ALPHA)
     *     value          = *(VCHAR / SP / HTAB / CR / LF )
     *     kvpair         = key "=" value kvsep
     *   ;;gs2-header     = See RFC 5801
     *     client-resp    = (gs2-header kvsep *kvpair kvsep) / kvsep
     *
     * By the time we reach this code, the gs2-header and initial kvsep have
     * already been validated. We start at the beginning of the first kvpair.
     */
 
    while (*pos)
    {
        char       *end;
        char       *sep;
        char       *key;
        char       *value;
 
        /*
         * Find the end of this kvpair. Note that input is null-terminated by
         * the SASL code, so the strchr() is bounded.
         */
        end = strchr(pos, KVSEP);
        if (!end)
            ereport(ERROR,
                    errcode(ERRCODE_PROTOCOL_VIOLATION),
                    errmsg("malformed OAUTHBEARER message"),
                    errdetail("Message contains an unterminated key/value pair."));
        *end = '\0';
 
        if (pos == end)
        {
            /* Empty kvpair, signifying the end of the list. */
            *input = pos + 1;
            return auth;
        }
 
        /*
         * Find the end of the key name.
         */
        sep = strchr(pos, '=');
        if (!sep)
            ereport(ERROR,
                    errcode(ERRCODE_PROTOCOL_VIOLATION),
                    errmsg("malformed OAUTHBEARER message"),
                    errdetail("Message contains a key without a value."));
        *sep = '\0';
 
        /* Both key and value are now safely terminated. */
        key = pos;
        value = sep + 1;
        validate_kvpair(key, value);
 
        if (strcmp(key, AUTH_KEY) == 0)
        {
            if (auth)
                ereport(ERROR,
                        errcode(ERRCODE_PROTOCOL_VIOLATION),
                        errmsg("malformed OAUTHBEARER message"),
                        errdetail("Message contains multiple auth values."));
 
            auth = value;
        }
        else
        {
            /*
             * The RFC also defines the host and port keys, but they are not
             * required for OAUTHBEARER and we do not use them. Also, per Sec.
             * 3.1, any key/value pairs we don't recognize must be ignored.
             */
        }
 
        /* Move to the next pair. */
        pos = end + 1;
    }
 
    ereport(ERROR,
            errcode(ERRCODE_PROTOCOL_VIOLATION),
            errmsg("malformed OAUTHBEARER message"),
            errdetail("Message did not contain a final terminator."));
 
    pg_unreachable();
    return NULL;
}

References AUTH_KEY, ereport, errcode(), ERRCODE_PROTOCOL_VIOLATION, errdetail(), errmsg, ERROR, fb(), input, KVSEP, pg_unreachable, validate_kvpair(), and value.

Referenced by oauth_exchange().

RegisterOAuthHBAOptions()

void RegisterOAuthHBAOptions	(	ValidatorModuleState *	state,
		int	num,
		const char *	opts[]
	)

Definition at line 949 of file auth-oauth.c.

{
    MemoryContext oldcontext;
 
    if (!state)
    {
        Assert(false);
        return;
    }
 
    oldcontext = MemoryContextSwitchTo(ValidatorMemoryContext);
 
    for (int i = 0; i < num; i++)
    {
        if (!valid_oauth_hba_option_name(opts[i]))
        {
            /*
             * The user can't set this option in the HBA, so GetOAuthHBAOption
             * would always return NULL.
             */
            ereport(WARNING,
                    errmsg("HBA option name \"%s\" is invalid and will be ignored",
                           opts[i]),
            /* translator: the second %s is a function name */
                    errcontext("validator module \"%s\", in call to %s",
                               MyProcPort->hba->oauth_validator,
                               "RegisterOAuthHBAOptions"));
            continue;
        }
 
        ValidatorOptions = lappend(ValidatorOptions, pstrdup(opts[i]));
    }
 
    MemoryContextSwitchTo(oldcontext);
 
    /*
     * Wait to validate the HBA against the registered options until later
     * (see check_validator_hba_options()).
     *
     * Delaying allows the validator to make multiple registration calls, to
     * append to the list; it lets us make the check in a place where we can
     * report the error without leaking details to the client; and it avoids
     * exporting the order of operations between HBA matching and the
     * startup_cb call as an API guarantee. (The last issue may become
     * relevant with a threaded model.)
     */
}

References Assert, ereport, errcontext, errmsg, Port::hba, i, lappend(), MemoryContextSwitchTo(), MyProcPort, HbaLine::oauth_validator, opts, pstrdup(), valid_oauth_hba_option_name(), ValidatorMemoryContext, ValidatorOptions, and WARNING.

Referenced by validator_startup().

sanitize_char()

static char * sanitize_char ( char  c )

static

Definition at line 355 of file auth-oauth.c.

{
    static char buf[5];
 
    if (c >= 0x21 && c <= 0x7E)
        snprintf(buf, sizeof(buf), "'%c'", c);
    else
        snprintf(buf, sizeof(buf), "0x%02x", (unsigned char) c);
    return buf;
}

References buf, and snprintf.

Referenced by oauth_exchange().

shutdown_validator_library()

static void shutdown_validator_library ( void *  arg )

static

Definition at line 840 of file auth-oauth.c.

{
    if (ValidatorCallbacks->shutdown_cb != NULL)
        ValidatorCallbacks->shutdown_cb(validator_module_state);
 
    /* The backing memory for this is about to disappear. */
    ValidatorOptions = NIL;
}

References fb(), NIL, OAuthValidatorCallbacks::shutdown_cb, validator_module_state, ValidatorCallbacks, and ValidatorOptions.

Referenced by load_validator_library().

valid_oauth_hba_option_name()

bool valid_oauth_hba_option_name

(

const char *

name

)

Definition at line 1003 of file auth-oauth.c.

{
    /*
     * This list is not incredibly principled, since the goal is just to bound
     * compatibility guarantees for our HBA parser. Alphanumerics seem
     * obviously fine, and it's difficult to argue against the punctuation
     * that's already included in some HBA option names and identifiers.
     */
    static const char *name_allowed_set =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789_-";
 
    size_t      span;
 
    if (!name[0])
        return false;
 
    span = strspn(name, name_allowed_set);
    return name[span] == '\0';
}

References fb(), and name.

Referenced by parse_hba_auth_opt(), and RegisterOAuthHBAOptions().

validate()

static bool validate ( Port *  port, const char *  auth, const char **  logdetail  )

static

Definition at line 672 of file auth-oauth.c.

{
    int         map_status;
    ValidatorModuleResult *ret;
    const char *token;
    bool        status;
 
    /* Ensure that we have a correct token to validate */
    if (!(token = validate_token_format(auth)))
        return false;
 
    /*
     * Ensure that we have a validation library loaded, this should always be
     * the case and an error here is indicative of a bug.
     */
    if (!ValidatorCallbacks || !ValidatorCallbacks->validate_cb)
        ereport(FATAL,
                errcode(ERRCODE_INTERNAL_ERROR),
                errmsg("validation of OAuth token requested without a validator loaded"));
 
    /* Call the validation function from the validator module */
    ret = palloc0_object(ValidatorModuleResult);
    if (!ValidatorCallbacks->validate_cb(validator_module_state, token,
                                         port->user_name, ret))
    {
        ereport(WARNING,
                errcode(ERRCODE_INTERNAL_ERROR),
                errmsg("internal error in OAuth validator module"),
                ret->error_detail ? errdetail_log("%s", ret->error_detail) : 0);
 
        *logdetail = ret->error_detail;
        return false;
    }
 
    /*
     * Log any authentication results even if the token isn't authorized; it
     * might be useful for auditing or troubleshooting.
     */
    if (ret->authn_id)
        set_authn_id(port, ret->authn_id);
 
    if (!ret->authorized)
    {
        if (ret->error_detail)
            *logdetail = ret->error_detail;
        else
            *logdetail = _("Validator failed to authorize the provided token.");
 
        status = false;
        goto cleanup;
    }
 
    if (port->hba->oauth_skip_usermap)
    {
        /*
         * If the validator is our authorization authority, we're done.
         * Authentication may or may not have been performed depending on the
         * validator implementation; all that matters is that the validator
         * says the user can log in with the target role.
         */
        status = true;
        goto cleanup;
    }
 
    /* Make sure the validator authenticated the user. */
    if (ret->authn_id == NULL || ret->authn_id[0] == '\0')
    {
        *logdetail = _("Validator provided no identity.");
 
        status = false;
        goto cleanup;
    }
 
    /* Finally, check the user map. */
    map_status = check_usermap(port->hba->usermap, port->user_name,
                               MyClientConnectionInfo.authn_id, false);
    status = (map_status == STATUS_OK);
 
cleanup:
 
    /*
     * Clear and free the validation result from the validator module once
     * we're done with it.
     */
    if (ret->authn_id != NULL)
        pfree(ret->authn_id);
    pfree(ret);
 
    return status;
}

References _, ClientConnectionInfo::authn_id, ValidatorModuleResult::authn_id, ValidatorModuleResult::authorized, check_usermap(), cleanup(), ereport, errcode(), errdetail_log(), errmsg, ValidatorModuleResult::error_detail, FATAL, fb(), MyClientConnectionInfo, palloc0_object, pfree(), port, set_authn_id(), STATUS_OK, token, OAuthValidatorCallbacks::validate_cb, validate_token_format(), validator_module_state, ValidatorCallbacks, and WARNING.

Referenced by attribute_reloptions(), bloptions(), brinoptions(), btoptions(), build_local_reloptions(), build_reloptions(), default_reloptions(), dioptions(), fillRelOptions(), ginoptions(), gistoptions(), hashoptions(), heap_reloptions(), index_opclass_options(), index_reloptions(), oauth_exchange(), parse_one_reloption(), parseLocalRelOptions(), parseRelOptions(), parseRelOptionsInternal(), partitioned_table_reloptions(), spgoptions(), tablespace_reloptions(), and view_reloptions().

validate_kvpair()

static void validate_kvpair ( const char *  key, const char *  val  )

static

Definition at line 372 of file auth-oauth.c.

{
    /*-----
     * From Sec 3.1:
     *     key            = 1*(ALPHA)
     */
    static const char *key_allowed_set =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
 
    size_t      span;
 
    if (!key[0])
        ereport(ERROR,
                errcode(ERRCODE_PROTOCOL_VIOLATION),
                errmsg("malformed OAUTHBEARER message"),
                errdetail("Message contains an empty key name."));
 
    span = strspn(key, key_allowed_set);
    if (key[span] != '\0')
        ereport(ERROR,
                errcode(ERRCODE_PROTOCOL_VIOLATION),
                errmsg("malformed OAUTHBEARER message"),
                errdetail("Message contains an invalid key name."));
 
    /*-----
     * From Sec 3.1:
     *     value          = *(VCHAR / SP / HTAB / CR / LF )
     *
     * The VCHAR (visible character) class is large; a loop is more
     * straightforward than strspn().
     */
    for (; *val; ++val)
    {
        if (0x21 <= *val && *val <= 0x7E)
            continue;           /* VCHAR */
 
        switch (*val)
        {
            case ' ':
            case '\t':
            case '\r':
            case '\n':
                continue;       /* SP, HTAB, CR, LF */
 
            default:
                ereport(ERROR,
                        errcode(ERRCODE_PROTOCOL_VIOLATION),
                        errmsg("malformed OAUTHBEARER message"),
                        errdetail("Message contains an invalid value."));
        }
    }
}

References ereport, errcode(), ERRCODE_PROTOCOL_VIOLATION, errdetail(), errmsg, ERROR, fb(), and val.

Referenced by parse_kvpairs_for_auth().

validate_token_format()

static const char * validate_token_format ( const char *  header )

static

Definition at line 601 of file auth-oauth.c.

{
    size_t      span;
    const char *token;
    static const char *const b64token_allowed_set =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789-._~+/";
 
    /* Missing auth headers should be handled by the caller. */
    Assert(header);
    /* Empty auth (discovery) should be handled before calling validate(). */
    Assert(header[0] != '\0');
 
    if (pg_strncasecmp(header, BEARER_SCHEME, strlen(BEARER_SCHEME)))
    {
        ereport(COMMERROR,
                errcode(ERRCODE_PROTOCOL_VIOLATION),
                errmsg("malformed OAuth bearer token"),
                errdetail_log("Client response indicated a non-Bearer authentication scheme."));
        return NULL;
    }
 
    /* Pull the bearer token out of the auth value. */
    token = header + strlen(BEARER_SCHEME);
 
    /* Swallow any additional spaces. */
    while (*token == ' ')
        token++;
 
    /* Tokens must not be empty. */
    if (!*token)
    {
        ereport(COMMERROR,
                errcode(ERRCODE_PROTOCOL_VIOLATION),
                errmsg("malformed OAuth bearer token"),
                errdetail_log("Bearer token is empty."));
        return NULL;
    }
 
    /*
     * Make sure the token contains only allowed characters. Tokens may end
     * with any number of '=' characters.
     */
    span = strspn(token, b64token_allowed_set);
    while (token[span] == '=')
        span++;
 
    if (token[span] != '\0')
    {
        /*
         * This error message could be more helpful by printing the
         * problematic character(s), but that'd be a bit like printing a piece
         * of someone's password into the logs.
         */
        ereport(COMMERROR,
                errcode(ERRCODE_PROTOCOL_VIOLATION),
                errmsg("malformed OAuth bearer token"),
                errdetail_log("Bearer token is not in the correct format."));
        return NULL;
    }
 
    return token;
}

References Assert, BEARER_SCHEME, COMMERROR, ereport, errcode(), ERRCODE_PROTOCOL_VIOLATION, errdetail_log(), errmsg, fb(), pg_strncasecmp(), and token.

Referenced by validate().

Variable Documentation

oauth_validator_libraries_string

char* oauth_validator_libraries_string = NULL

Definition at line 35 of file auth-oauth.c.

Referenced by check_oauth_validator().

pg_be_oauth_mech

const pg_be_sasl_mech pg_be_oauth_mech

Initial value:

= {
    .get_mechanisms = oauth_get_mechanisms,
    .init = oauth_init,
    .exchange = oauth_exchange,
 
    .max_message_length = PG_MAX_AUTH_TOKEN_LENGTH,
}

Definition at line 54 of file auth-oauth.c.

                                         {
    .get_mechanisms = oauth_get_mechanisms,
    .init = oauth_init,
    .exchange = oauth_exchange,
 
    .max_message_length = PG_MAX_AUTH_TOKEN_LENGTH,
};

Referenced by ClientAuthentication().

validator_module_state

ValidatorModuleState* validator_module_state

static

Definition at line 46 of file auth-oauth.c.

Referenced by load_validator_library(), shutdown_validator_library(), and validate().

ValidatorCallbacks

const OAuthValidatorCallbacks* ValidatorCallbacks

static

Definition at line 47 of file auth-oauth.c.

Referenced by load_validator_library(), shutdown_validator_library(), and validate().

ValidatorMemoryContext

MemoryContext ValidatorMemoryContext

static

Definition at line 49 of file auth-oauth.c.

Referenced by oauth_init(), and RegisterOAuthHBAOptions().

ValidatorOptions

List* ValidatorOptions

static

Definition at line 50 of file auth-oauth.c.

Referenced by check_validator_hba_options(), RegisterOAuthHBAOptions(), and shutdown_validator_library().

ValidatorOptionsChecked

bool ValidatorOptionsChecked

static

Definition at line 51 of file auth-oauth.c.

Referenced by check_validator_hba_options(), and GetOAuthHBAOption().