#include "libpq/libpq-be.h"

Include dependency graph for auth.h:

This graph shows which files directly or indirectly include this file:

Macros
#define	PG_MAX_AUTH_TOKEN_LENGTH 65535

Typedefs
typedef void(*	ClientAuthentication_hook_type) (Port *, int)

typedef char (	auth_password_hook_typ) (char *input)

Functions
void	ClientAuthentication (Port *port)

void	sendAuthRequest (Port port, AuthRequest areq, const void extradata, int extralen)

void	set_authn_id (Port port, const char id)

Variables
PGDLLIMPORT char *	pg_krb_server_keyfile

PGDLLIMPORT bool	pg_krb_caseins_users

PGDLLIMPORT bool	pg_gss_accept_delegation

PGDLLIMPORT ClientAuthentication_hook_type	ClientAuthentication_hook

PGDLLIMPORT auth_password_hook_typ	ldap_password_hook

Macro Definition Documentation

◆ PG_MAX_AUTH_TOKEN_LENGTH

#define PG_MAX_AUTH_TOKEN_LENGTH 65535

Definition at line 33 of file auth.h.

Typedef Documentation

◆ auth_password_hook_typ

typedef char *(* auth_password_hook_typ) (char *input)

Definition at line 49 of file auth.h.

◆ ClientAuthentication_hook_type

typedef void(* ClientAuthentication_hook_type) (Port *, int)

Definition at line 45 of file auth.h.

Function Documentation

◆ ClientAuthentication()

void ClientAuthentication ( Port * port )

extern

Definition at line 374 of file auth.c.

{
    int         status = STATUS_ERROR;
    const char *logdetail = NULL;
 
    /*
     * "Abandoned" is a SASL-specific state similar to STATUS_EOF, in that we
     * don't want to generate any server logs. But it's caused by an in-band
     * client action that requires a server response, not an out-of-band
     * connection closure, so we can't just proc_exit() like we do with
     * STATUS_EOF.
     */
    bool        abandoned = false;
 
    /*
     * Get the authentication method to use for this frontend/database
     * combination.  Note: we do not parse the file at this point; this has
     * already been done elsewhere.  hba.c dropped an error message into the
     * server logfile if parsing the hba config file failed.
     */
    hba_getauthmethod(port);
 
    CHECK_FOR_INTERRUPTS();
 
    /*
     * This is the first point where we have access to the hba record for the
     * current connection, so perform any verifications based on the hba
     * options field that should be done *before* the authentication here.
     */
    if (port->hba->clientcert != clientCertOff)
    {
        /* If we haven't loaded a root certificate store, fail */
        if (!secure_loaded_verify_locations())
            ereport(FATAL,
                    (errcode(ERRCODE_CONFIG_FILE_ERROR),
                     errmsg("client certificates can only be checked if a root certificate store is available")));
 
        /*
         * If we loaded a root certificate store, and if a certificate is
         * present on the client, then it has been verified against our root
         * certificate store, and the connection would have been aborted
         * already if it didn't verify ok.
         */
        if (!port->peer_cert_valid)
            ereport(FATAL,
                    (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                     errmsg("connection requires a valid client certificate")));
    }
 
    /*
     * Now proceed to do the actual authentication check
     */
    switch (port->hba->auth_method)
    {
        case uaReject:
 
            /*
             * An explicit "reject" entry in pg_hba.conf.  This report exposes
             * the fact that there's an explicit reject entry, which is
             * perhaps not so desirable from a security standpoint; but the
             * message for an implicit reject could confuse the DBA a lot when
             * the true situation is a match to an explicit reject.  And we
             * don't want to change the message for an implicit reject.  As
             * noted below, the additional information shown here doesn't
             * expose anything not known to an attacker.
             */
            {
                char        hostinfo[NI_MAXHOST];
                const char *encryption_state;
 
                pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
                                   hostinfo, sizeof(hostinfo),
                                   NULL, 0,
                                   NI_NUMERICHOST);
 
                encryption_state =
#ifdef ENABLE_GSS
                    (port->gss && port->gss->enc) ? _("GSS encryption") :
#endif
#ifdef USE_SSL
                    port->ssl_in_use ? _("SSL encryption") :
#endif
                    _("no encryption");
 
                if (am_walsender && !am_db_walsender)
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                    /* translator: last %s describes encryption state */
                             errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
                                    hostinfo, port->user_name,
                                    encryption_state)));
                else
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                    /* translator: last %s describes encryption state */
                             errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
                                    hostinfo, port->user_name,
                                    port->database_name,
                                    encryption_state)));
                break;
            }
 
        case uaImplicitReject:
 
            /*
             * No matching entry, so tell the user we fell through.
             *
             * NOTE: the extra info reported here is not a security breach,
             * because all that info is known at the frontend and must be
             * assumed known to bad guys.  We're merely helping out the less
             * clueful good guys.
             */
            {
                char        hostinfo[NI_MAXHOST];
                const char *encryption_state;
 
                pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
                                   hostinfo, sizeof(hostinfo),
                                   NULL, 0,
                                   NI_NUMERICHOST);
 
                encryption_state =
#ifdef ENABLE_GSS
                    (port->gss && port->gss->enc) ? _("GSS encryption") :
#endif
#ifdef USE_SSL
                    port->ssl_in_use ? _("SSL encryption") :
#endif
                    _("no encryption");
 
#define HOSTNAME_LOOKUP_DETAIL(port) \
                (port->remote_hostname ? \
                 (port->remote_hostname_resolv == +1 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == 0 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == -1 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == -2 ? \
                  errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
                                port->remote_hostname, \
                                gai_strerror(port->remote_hostname_errcode)) : \
                  0) \
                 : (port->remote_hostname_resolv == -2 ? \
                    errdetail_log("Could not resolve client IP address to a host name: %s.", \
                                  gai_strerror(port->remote_hostname_errcode)) : \
                    0))
 
                if (am_walsender && !am_db_walsender)
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                    /* translator: last %s describes encryption state */
                             errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
                                    hostinfo, port->user_name,
                                    encryption_state),
                             HOSTNAME_LOOKUP_DETAIL(port)));
                else
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                    /* translator: last %s describes encryption state */
                             errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
                                    hostinfo, port->user_name,
                                    port->database_name,
                                    encryption_state),
                             HOSTNAME_LOOKUP_DETAIL(port)));
                break;
            }
 
        case uaGSS:
#ifdef ENABLE_GSS
            /* We might or might not have the gss workspace already */
            if (port->gss == NULL)
                port->gss = (pg_gssinfo *)
                    MemoryContextAllocZero(TopMemoryContext,
                                           sizeof(pg_gssinfo));
            port->gss->auth = true;
 
            /*
             * If GSS state was set up while enabling encryption, we can just
             * check the client's principal.  Otherwise, ask for it.
             */
            if (port->gss->enc)
                status = pg_GSS_checkauth(port);
            else
            {
                sendAuthRequest(port, AUTH_REQ_GSS, NULL, 0);
                status = pg_GSS_recvauth(port);
            }
#else
            Assert(false);
#endif
            break;
 
        case uaSSPI:
#ifdef ENABLE_SSPI
            if (port->gss == NULL)
                port->gss = (pg_gssinfo *)
                    MemoryContextAllocZero(TopMemoryContext,
                                           sizeof(pg_gssinfo));
            sendAuthRequest(port, AUTH_REQ_SSPI, NULL, 0);
            status = pg_SSPI_recvauth(port);
#else
            Assert(false);
#endif
            break;
 
        case uaPeer:
            status = auth_peer(port);
            break;
 
        case uaIdent:
            status = ident_inet(port);
            break;
 
        case uaMD5:
        case uaSCRAM:
            status = CheckPWChallengeAuth(port, &logdetail);
            break;
 
        case uaPassword:
            status = CheckPasswordAuth(port, &logdetail);
            break;
 
        case uaPAM:
#ifdef USE_PAM
            status = CheckPAMAuth(port, port->user_name, "");
#else
            Assert(false);
#endif                          /* USE_PAM */
            break;
 
        case uaBSD:
#ifdef USE_BSD_AUTH
            status = CheckBSDAuth(port, port->user_name);
#else
            Assert(false);
#endif                          /* USE_BSD_AUTH */
            break;
 
        case uaLDAP:
#ifdef USE_LDAP
            status = CheckLDAPAuth(port);
#else
            Assert(false);
#endif
            break;
        case uaCert:
            /* uaCert will be treated as if clientcert=verify-full (uaTrust) */
        case uaTrust:
            status = STATUS_OK;
            break;
        case uaOAuth:
            status = CheckSASLAuth(&pg_be_oauth_mech, port, NULL, &logdetail,
                                   &abandoned);
            break;
    }
 
    if ((status == STATUS_OK && port->hba->clientcert == clientCertFull)
        || port->hba->auth_method == uaCert)
    {
        /*
         * Make sure we only check the certificate if we use the cert method
         * or verify-full option.
         */
#ifdef USE_SSL
        status = CheckCertAuth(port);
#else
        Assert(false);
#endif
    }
 
    if ((log_connections & LOG_CONNECTION_AUTHENTICATION) &&
        status == STATUS_OK &&
        !MyClientConnectionInfo.authn_id)
    {
        /*
         * Normally, if log_connections is set, the call to set_authn_id()
         * will log the connection.  However, if that function is never
         * called, perhaps because the trust method is in use, then we handle
         * the logging here instead.
         */
        ereport(LOG,
                errmsg("connection authenticated: user=\"%s\" method=%s "
                       "(%s:%d)",
                       port->user_name, hba_authname(port->hba->auth_method),
                       port->hba->sourcefile, port->hba->linenumber));
    }
 
    if (ClientAuthentication_hook)
        (*ClientAuthentication_hook) (port, status);
 
    if (status == STATUS_OK)
        sendAuthRequest(port, AUTH_REQ_OK, NULL, 0);
    else
        auth_failed(port,
                    abandoned ? FATAL_CLIENT_ONLY : FATAL,
                    status,
                    logdetail);
}

References _, am_db_walsender, am_walsender, Assert, auth_failed(), auth_peer(), AUTH_REQ_GSS, AUTH_REQ_OK, AUTH_REQ_SSPI, ClientConnectionInfo::authn_id, CHECK_FOR_INTERRUPTS, CheckPasswordAuth(), CheckPWChallengeAuth(), CheckSASLAuth(), ClientAuthentication_hook, clientCertFull, clientCertOff, ereport, errcode(), errmsg, FATAL, FATAL_CLIENT_ONLY, fb(), hba_authname(), hba_getauthmethod(), HOSTNAME_LOOKUP_DETAIL, ident_inet(), LOG, LOG_CONNECTION_AUTHENTICATION, log_connections, MemoryContextAllocZero(), MyClientConnectionInfo, pg_be_oauth_mech, pg_getnameinfo_all(), port, secure_loaded_verify_locations(), sendAuthRequest(), STATUS_ERROR, STATUS_OK, TopMemoryContext, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaOAuth, uaPAM, uaPassword, uaPeer, uaReject, uaSCRAM, uaSSPI, and uaTrust.

Referenced by PerformAuthentication().

◆ sendAuthRequest()

void sendAuthRequest	(	Port *	port,
		AuthRequest	areq,
		const void *	extradata,
		int	extralen
	)

extern

Definition at line 682 of file auth.c.

{
    StringInfoData buf;
 
    CHECK_FOR_INTERRUPTS();
 
    pq_beginmessage(&buf, PqMsg_AuthenticationRequest);
    pq_sendint32(&buf, (int32) areq);
    if (extralen > 0)
        pq_sendbytes(&buf, extradata, extralen);
 
    pq_endmessage(&buf);
 
    /*
     * Flush message so client will see it, except for AUTH_REQ_OK and
     * AUTH_REQ_SASL_FIN, which need not be sent until we are ready for
     * queries.
     */
    if (areq != AUTH_REQ_OK && areq != AUTH_REQ_SASL_FIN)
        pq_flush();
 
    CHECK_FOR_INTERRUPTS();
}

References AUTH_REQ_OK, AUTH_REQ_SASL_FIN, buf, CHECK_FOR_INTERRUPTS, fb(), pq_beginmessage(), pq_endmessage(), pq_flush, pq_sendbytes(), pq_sendint32(), and PqMsg_AuthenticationRequest.

Referenced by CheckMD5Auth(), CheckPasswordAuth(), CheckSASLAuth(), and ClientAuthentication().

◆ set_authn_id()

void set_authn_id	(	Port *	port,
		const char *	id
	)

extern

Definition at line 336 of file auth.c.

{
    Assert(id);
 
    if (MyClientConnectionInfo.authn_id)
    {
        /*
         * An existing authn_id should never be overwritten; that means two
         * authentication providers are fighting (or one is fighting itself).
         * Don't leak any authn details to the client, but don't let the
         * connection continue, either.
         */
        ereport(FATAL,
                (errmsg("authentication identifier set more than once"),
                 errdetail_log("previous identifier: \"%s\"; new identifier: \"%s\"",
                               MyClientConnectionInfo.authn_id, id)));
    }
 
    MyClientConnectionInfo.authn_id = MemoryContextStrdup(TopMemoryContext, id);
    MyClientConnectionInfo.auth_method = port->hba->auth_method;
 
    if (log_connections & LOG_CONNECTION_AUTHENTICATION)
    {
        ereport(LOG,
                errmsg("connection authenticated: identity=\"%s\" method=%s "
                       "(%s:%d)",
                       MyClientConnectionInfo.authn_id,
                       hba_authname(MyClientConnectionInfo.auth_method),
                       port->hba->sourcefile, port->hba->linenumber));
    }
}