auth.h File Reference

#include "libpq/libpq-be.h"

Include dependency graph for auth.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Typedefs
typedef void(*	ClientAuthentication_hook_type) (Port *, int)

Functions
void	ClientAuthentication (Port *port)
void	sendAuthRequest (Port *port, AuthRequest areq, const char *extradata, int extralen)

Variables
char *	pg_krb_server_keyfile
bool	pg_krb_caseins_users
char *	pg_krb_realm
PGDLLIMPORT ClientAuthentication_hook_type	ClientAuthentication_hook

Typedef Documentation

ClientAuthentication_hook_type

typedef void(* ClientAuthentication_hook_type) (Port *, int)

Definition at line 28 of file auth.h.

Function Documentation

ClientAuthentication()

void ClientAuthentication

(

Port *

port

)

Definition at line 385 of file auth.c.

{
    int         status = STATUS_ERROR;
    const char *logdetail = NULL;
 
    /*
     * Get the authentication method to use for this frontend/database
     * combination.  Note: we do not parse the file at this point; this has
     * already been done elsewhere.  hba.c dropped an error message into the
     * server logfile if parsing the hba config file failed.
     */
    hba_getauthmethod(port);
 
    CHECK_FOR_INTERRUPTS();
 
    /*
     * This is the first point where we have access to the hba record for the
     * current connection, so perform any verifications based on the hba
     * options field that should be done *before* the authentication here.
     */
    if (port->hba->clientcert != clientCertOff)
    {
        /* If we haven't loaded a root certificate store, fail */
        if (!secure_loaded_verify_locations())
            ereport(FATAL,
                    (errcode(ERRCODE_CONFIG_FILE_ERROR),
                     errmsg("client certificates can only be checked if a root certificate store is available")));
 
        /*
         * If we loaded a root certificate store, and if a certificate is
         * present on the client, then it has been verified against our root
         * certificate store, and the connection would have been aborted
         * already if it didn't verify ok.
         */
        if (!port->peer_cert_valid)
            ereport(FATAL,
                    (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                     errmsg("connection requires a valid client certificate")));
    }
 
    /*
     * Now proceed to do the actual authentication check
     */
    switch (port->hba->auth_method)
    {
        case uaReject:
 
            /*
             * An explicit "reject" entry in pg_hba.conf.  This report exposes
             * the fact that there's an explicit reject entry, which is
             * perhaps not so desirable from a security standpoint; but the
             * message for an implicit reject could confuse the DBA a lot when
             * the true situation is a match to an explicit reject.  And we
             * don't want to change the message for an implicit reject.  As
             * noted below, the additional information shown here doesn't
             * expose anything not known to an attacker.
             */
            {
                char        hostinfo[NI_MAXHOST];
                const char *encryption_state;
 
                pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
                                   hostinfo, sizeof(hostinfo),
                                   NULL, 0,
                                   NI_NUMERICHOST);
 
                encryption_state =
#ifdef ENABLE_GSS
                    (port->gss && port->gss->enc) ? _("GSS encryption") :
#endif
#ifdef USE_SSL
                    port->ssl_in_use ? _("SSL encryption") :
#endif
                    _("no encryption");
 
                if (am_walsender && !am_db_walsender)
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                    /* translator: last %s describes encryption state */
                             errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
                                    hostinfo, port->user_name,
                                    encryption_state)));
                else
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                    /* translator: last %s describes encryption state */
                             errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
                                    hostinfo, port->user_name,
                                    port->database_name,
                                    encryption_state)));
                break;
            }
 
        case uaImplicitReject:
 
            /*
             * No matching entry, so tell the user we fell through.
             *
             * NOTE: the extra info reported here is not a security breach,
             * because all that info is known at the frontend and must be
             * assumed known to bad guys.  We're merely helping out the less
             * clueful good guys.
             */
            {
                char        hostinfo[NI_MAXHOST];
                const char *encryption_state;
 
                pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
                                   hostinfo, sizeof(hostinfo),
                                   NULL, 0,
                                   NI_NUMERICHOST);
 
                encryption_state =
#ifdef ENABLE_GSS
                    (port->gss && port->gss->enc) ? _("GSS encryption") :
#endif
#ifdef USE_SSL
                    port->ssl_in_use ? _("SSL encryption") :
#endif
                    _("no encryption");
 
#define HOSTNAME_LOOKUP_DETAIL(port) \
                (port->remote_hostname ? \
                 (port->remote_hostname_resolv == +1 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == 0 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == -1 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == -2 ? \
                  errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
                                port->remote_hostname, \
                                gai_strerror(port->remote_hostname_errcode)) : \
                  0) \
                 : (port->remote_hostname_resolv == -2 ? \
                    errdetail_log("Could not resolve client IP address to a host name: %s.", \
                                  gai_strerror(port->remote_hostname_errcode)) : \
                    0))
 
                if (am_walsender && !am_db_walsender)
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                    /* translator: last %s describes encryption state */
                             errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
                                    hostinfo, port->user_name,
                                    encryption_state),
                             HOSTNAME_LOOKUP_DETAIL(port)));
                else
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                    /* translator: last %s describes encryption state */
                             errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
                                    hostinfo, port->user_name,
                                    port->database_name,
                                    encryption_state),
                             HOSTNAME_LOOKUP_DETAIL(port)));
                break;
            }
 
        case uaGSS:
#ifdef ENABLE_GSS
            /* We might or might not have the gss workspace already */
            if (port->gss == NULL)
                port->gss = (pg_gssinfo *)
                    MemoryContextAllocZero(TopMemoryContext,
                                           sizeof(pg_gssinfo));
            port->gss->auth = true;
 
            /*
             * If GSS state was set up while enabling encryption, we can just
             * check the client's principal.  Otherwise, ask for it.
             */
            if (port->gss->enc)
                status = pg_GSS_checkauth(port);
            else
            {
                sendAuthRequest(port, AUTH_REQ_GSS, NULL, 0);
                status = pg_GSS_recvauth(port);
            }
#else
            Assert(false);
#endif
            break;
 
        case uaSSPI:
#ifdef ENABLE_SSPI
            if (port->gss == NULL)
                port->gss = (pg_gssinfo *)
                    MemoryContextAllocZero(TopMemoryContext,
                                           sizeof(pg_gssinfo));
            sendAuthRequest(port, AUTH_REQ_SSPI, NULL, 0);
            status = pg_SSPI_recvauth(port);
#else
            Assert(false);
#endif
            break;
 
        case uaPeer:
            status = auth_peer(port);
            break;
 
        case uaIdent:
            status = ident_inet(port);
            break;
 
        case uaMD5:
        case uaSCRAM:
            status = CheckPWChallengeAuth(port, &logdetail);
            break;
 
        case uaPassword:
            status = CheckPasswordAuth(port, &logdetail);
            break;
 
        case uaPAM:
#ifdef USE_PAM
            status = CheckPAMAuth(port, port->user_name, "");
#else
            Assert(false);
#endif                          /* USE_PAM */
            break;
 
        case uaBSD:
#ifdef USE_BSD_AUTH
            status = CheckBSDAuth(port, port->user_name);
#else
            Assert(false);
#endif                          /* USE_BSD_AUTH */
            break;
 
        case uaLDAP:
#ifdef USE_LDAP
            status = CheckLDAPAuth(port);
#else
            Assert(false);
#endif
            break;
        case uaRADIUS:
            status = CheckRADIUSAuth(port);
            break;
        case uaCert:
            /* uaCert will be treated as if clientcert=verify-full (uaTrust) */
        case uaTrust:
            status = STATUS_OK;
            break;
    }
 
    if ((status == STATUS_OK && port->hba->clientcert == clientCertFull)
        || port->hba->auth_method == uaCert)
    {
        /*
         * Make sure we only check the certificate if we use the cert method
         * or verify-full option.
         */
#ifdef USE_SSL
        status = CheckCertAuth(port);
#else
        Assert(false);
#endif
    }
 
    if (ClientAuthentication_hook)
        (*ClientAuthentication_hook) (port, status);
 
    if (status == STATUS_OK)
        sendAuthRequest(port, AUTH_REQ_OK, NULL, 0);
    else
        auth_failed(port, status, logdetail);
}

References _, am_db_walsender, am_walsender, Assert(), auth_failed(), auth_peer(), AUTH_REQ_GSS, AUTH_REQ_OK, AUTH_REQ_SSPI, CHECK_FOR_INTERRUPTS, CheckPasswordAuth(), CheckPWChallengeAuth(), CheckRADIUSAuth(), ClientAuthentication_hook, clientCertFull, clientCertOff, ereport, errcode(), errmsg(), FATAL, hba_getauthmethod(), HOSTNAME_LOOKUP_DETAIL, ident_inet(), MemoryContextAllocZero(), NI_MAXHOST, NI_NUMERICHOST, pg_getnameinfo_all(), port, secure_loaded_verify_locations(), sendAuthRequest(), status(), STATUS_ERROR, STATUS_OK, TopMemoryContext, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaPAM, uaPassword, uaRADIUS, uaReject, uaSCRAM, uaSSPI, and uaTrust.

Referenced by PerformAuthentication().

sendAuthRequest()

void sendAuthRequest	(	Port *	port,
		AuthRequest	areq,
		const char *	extradata,
		int	extralen
	)

Definition at line 663 of file auth.c.

{
    StringInfoData buf;
 
    CHECK_FOR_INTERRUPTS();
 
    pq_beginmessage(&buf, 'R');
    pq_sendint32(&buf, (int32) areq);
    if (extralen > 0)
        pq_sendbytes(&buf, extradata, extralen);
 
    pq_endmessage(&buf);
 
    /*
     * Flush message so client will see it, except for AUTH_REQ_OK and
     * AUTH_REQ_SASL_FIN, which need not be sent until we are ready for
     * queries.
     */
    if (areq != AUTH_REQ_OK && areq != AUTH_REQ_SASL_FIN)
        pq_flush();
 
    CHECK_FOR_INTERRUPTS();
}

References AUTH_REQ_OK, AUTH_REQ_SASL_FIN, buf, CHECK_FOR_INTERRUPTS, pq_beginmessage(), pq_endmessage(), pq_flush, pq_sendbytes(), and pq_sendint32().

Referenced by CheckMD5Auth(), CheckPasswordAuth(), CheckRADIUSAuth(), CheckSASLAuth(), and ClientAuthentication().

Variable Documentation

ClientAuthentication_hook

PGDLLIMPORT ClientAuthentication_hook_type ClientAuthentication_hook

extern

Definition at line 236 of file auth.c.

Referenced by _PG_init(), ClientAuthentication(), and sepgsql_init_client_label().

pg_krb_caseins_users

bool pg_krb_caseins_users

extern

Definition at line 172 of file auth.c.

pg_krb_realm

char* pg_krb_realm

extern

pg_krb_server_keyfile

char* pg_krb_server_keyfile

extern

Definition at line 171 of file auth.c.

Referenced by secure_open_gssapi().