383{
385 const char *logdetail = NULL;
403 {
407 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
408 errmsg(
"client certificates can only be checked if a root certificate store is available")));
416 if (!
port->peer_cert_valid)
418 (
errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
419 errmsg(
"connection requires a valid client certificate")));
420 }
425 switch (
port->hba->auth_method)
426 {
439 {
440 char hostinfo[NI_MAXHOST];
441 const char *encryption_state;
444 hostinfo, sizeof(hostinfo),
445 NULL, 0,
446 NI_NUMERICHOST);
448 encryption_state =
449#ifdef ENABLE_GSS
450 (
port->gss &&
port->gss->enc) ?
_(
"GSS encryption") :
451#endif
452#ifdef USE_SSL
453 port->ssl_in_use ?
_(
"SSL encryption") :
454#endif
459 (
errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
461 errmsg(
"pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
462 hostinfo,
port->user_name,
463 encryption_state)));
464 else
466 (
errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
468 errmsg(
"pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
469 hostinfo,
port->user_name,
471 encryption_state)));
472 break;
473 }
485 {
486 char hostinfo[NI_MAXHOST];
487 const char *encryption_state;
490 hostinfo, sizeof(hostinfo),
491 NULL, 0,
492 NI_NUMERICHOST);
494 encryption_state =
495#ifdef ENABLE_GSS
496 (
port->gss &&
port->gss->enc) ?
_(
"GSS encryption") :
497#endif
498#ifdef USE_SSL
499 port->ssl_in_use ?
_(
"SSL encryption") :
500#endif
503#define HOSTNAME_LOOKUP_DETAIL(port) \
504 (port->remote_hostname ? \
505 (port->remote_hostname_resolv == +1 ? \
506 errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
507 port->remote_hostname) : \
508 port->remote_hostname_resolv == 0 ? \
509 errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
510 port->remote_hostname) : \
511 port->remote_hostname_resolv == -1 ? \
512 errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
513 port->remote_hostname) : \
514 port->remote_hostname_resolv == -2 ? \
515 errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
516 port->remote_hostname, \
517 gai_strerror(port->remote_hostname_errcode)) : \
518 0) \
519 : (port->remote_hostname_resolv == -2 ? \
520 errdetail_log("Could not resolve client IP address to a host name: %s.", \
521 gai_strerror(port->remote_hostname_errcode)) : \
522 0))
526 (
errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
528 errmsg(
"no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
529 hostinfo,
port->user_name,
530 encryption_state),
532 else
534 (
errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
536 errmsg(
"no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
537 hostinfo,
port->user_name,
539 encryption_state),
541 break;
542 }
545#ifdef ENABLE_GSS
547 if (
port->gss == NULL)
548 port->gss = (pg_gssinfo *)
550 sizeof(pg_gssinfo));
551 port->gss->auth =
true;
558 status = pg_GSS_checkauth(
port);
559 else
560 {
562 status = pg_GSS_recvauth(
port);
563 }
564#else
566#endif
567 break;
570#ifdef ENABLE_SSPI
571 if (
port->gss == NULL)
572 port->gss = (pg_gssinfo *)
574 sizeof(pg_gssinfo));
576 status = pg_SSPI_recvauth(
port);
577#else
579#endif
580 break;
584 break;
588 break;
593 break;
597 break;
600#ifdef USE_PAM
601 status = CheckPAMAuth(
port,
port->user_name,
"");
602#else
604#endif
605 break;
608#ifdef USE_BSD_AUTH
609 status = CheckBSDAuth(
port,
port->user_name);
610#else
612#endif
613 break;
616#ifdef USE_LDAP
617 status = CheckLDAPAuth(
port);
618#else
620#endif
621 break;
624 break;
629 break;
630 }
634 {
639#ifdef USE_SSL
640 status = CheckCertAuth(
port);
641#else
643#endif
644 }
648 {
656 errmsg(
"connection authenticated: user=\"%s\" method=%s "
657 "(%s:%d)",
659 port->hba->sourcefile,
port->hba->linenumber));
660 }
663 (*ClientAuthentication_hook) (
port, status);
667 else
669}