hba.c File Reference
#include "postgres.h"#include <ctype.h>#include <pwd.h>#include <fcntl.h>#include <sys/param.h>#include <sys/socket.h>#include <netdb.h>#include <netinet/in.h>#include <arpa/inet.h>#include <unistd.h>#include "catalog/pg_collation.h"#include "common/ip.h"#include "common/string.h"#include "libpq/hba.h"#include "libpq/ifaddr.h"#include "libpq/libpq-be.h"#include "libpq/oauth.h"#include "postmaster/postmaster.h"#include "regex/regex.h"#include "replication/walsender.h"#include "storage/fd.h"#include "utils/acl.h"#include "utils/conffiles.h"#include "utils/guc.h"#include "utils/memutils.h"#include "utils/varlena.h"
Include dependency graph for hba.c:
Go to the source code of this file.
Data Structures | |
| struct | check_network_data |
| struct | tokenize_error_callback_arg |
Macros | |
| #define | token_has_regexp(t) (t->regex != NULL) |
| #define | token_is_member_check(t) (!t->quoted && t->string[0] == '+') |
| #define | token_is_keyword(t, k) (!t->quoted && strcmp(t->string, k) == 0) |
| #define | token_matches(t, k) (strcmp(t->string, k) == 0) |
| #define | token_matches_insensitive(t, k) (pg_strcasecmp(t->string, k) == 0) |
| #define | INVALID_AUTH_OPTION(optname, validmethods) |
| #define | REQUIRE_AUTH_OPTION(methodval, optname, validmethods) |
| #define | MANDATORY_AUTH_ARG(argvar, argname, authname) |
| #define | IDENT_FIELD_ABSENT(field) |
| #define | IDENT_MULTI_VALUE(tokens) |
Typedefs | |
| typedef struct check_network_data | check_network_data |
Functions | |
| StaticAssertDecl (lengthof(UserAuthName)==USER_AUTH_LAST+1, "UserAuthName[] must match the UserAuth enum") | |
| static List * | tokenize_expand_file (List *tokens, const char *outer_filename, const char *inc_filename, int elevel, int depth, char **err_msg) |
| static bool | parse_hba_auth_opt (char *name, char *val, HbaLine *hbaline, int elevel, char **err_msg) |
| static int | regcomp_auth_token (AuthToken *token, char *filename, int line_num, char **err_msg, int elevel) |
| static int | regexec_auth_token (const char *match, AuthToken *token, size_t nmatch, regmatch_t pmatch[]) |
| static void | tokenize_error_callback (void *arg) |
| bool | pg_isblank (const char c) |
| static bool | next_token (char **lineptr, StringInfo buf, bool *initial_quote, bool *terminating_comma) |
| static AuthToken * | make_auth_token (const char *token, bool quoted) |
| static void | free_auth_token (AuthToken *token) |
| static AuthToken * | copy_auth_token (AuthToken *in) |
| static List * | next_field_expand (const char *filename, char **lineptr, int elevel, int depth, char **err_msg) |
| static void | tokenize_include_file (const char *outer_filename, const char *inc_filename, List **tok_lines, int elevel, int depth, bool missing_ok, char **err_msg) |
| void | free_auth_file (FILE *file, int depth) |
| FILE * | open_auth_file (const char *filename, int elevel, int depth, char **err_msg) |
| void | tokenize_auth_file (const char *filename, FILE *file, List **tok_lines, int elevel, int depth) |
| static bool | is_member (Oid userid, const char *role) |
| static bool | check_role (const char *role, Oid roleid, List *tokens, bool case_insensitive) |
| static bool | check_db (const char *dbname, const char *role, Oid roleid, List *tokens) |
| static bool | ipv4eq (struct sockaddr_in *a, struct sockaddr_in *b) |
| static bool | ipv6eq (struct sockaddr_in6 *a, struct sockaddr_in6 *b) |
| static bool | hostname_match (const char *pattern, const char *actual_hostname) |
| static bool | check_hostname (hbaPort *port, const char *hostname) |
| static bool | check_ip (SockAddr *raddr, struct sockaddr *addr, struct sockaddr *mask) |
| static void | check_network_callback (struct sockaddr *addr, struct sockaddr *netmask, void *cb_data) |
| static bool | check_same_host_or_net (SockAddr *raddr, IPCompareMethod method) |
| HbaLine * | parse_hba_line (TokenizedAuthLine *tok_line, int elevel) |
| static void | check_hba (hbaPort *port) |
| bool | load_hba (void) |
| IdentLine * | parse_ident_line (TokenizedAuthLine *tok_line, int elevel) |
| static void | check_ident_usermap (IdentLine *identLine, const char *usermap_name, const char *pg_user, const char *system_user, bool case_insensitive, bool *found_p, bool *error_p) |
| int | check_usermap (const char *usermap_name, const char *pg_user, const char *system_user, bool case_insensitive) |
| bool | load_ident (void) |
| void | hba_getauthmethod (hbaPort *port) |
| const char * | hba_authname (UserAuth auth_method) |
Variables | |
| static MemoryContext | tokenize_context = NULL |
| static List * | parsed_hba_lines = NIL |
| static MemoryContext | parsed_hba_context = NULL |
| static List * | parsed_ident_lines = NIL |
| static MemoryContext | parsed_ident_context = NULL |
| static const char *const | UserAuthName [] |
Macro Definition Documentation
◆ IDENT_FIELD_ABSENT
| #define IDENT_FIELD_ABSENT | ( | field | ) |
Value:
do { \
if (!field) { \
ereport(elevel, \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
errmsg("missing entry at end of line"), \
errcontext("line %d of configuration file \"%s\"", \
line_num, file_name))); \
*err_msg = pstrdup("missing entry at end of line"); \
return NULL; \
} \
} while (0)
◆ IDENT_MULTI_VALUE
| #define IDENT_MULTI_VALUE | ( | tokens | ) |
Value:
do { \
if (tokens->length > 1) { \
ereport(elevel, \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
errmsg("multiple values in ident field"), \
errcontext("line %d of configuration file \"%s\"", \
line_num, file_name))); \
*err_msg = pstrdup("multiple values in ident field"); \
return NULL; \
} \
} while (0)
◆ INVALID_AUTH_OPTION
| #define INVALID_AUTH_OPTION | ( | optname, | |
| validmethods | |||
| ) |
Value:
do { \
ereport(elevel, \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
/* translator: the second %s is a list of auth methods */ \
errmsg("authentication option \"%s\" is only valid for authentication methods %s", \
optname, _(validmethods)), \
errcontext("line %d of configuration file \"%s\"", \
line_num, file_name))); \
*err_msg = psprintf("authentication option \"%s\" is only valid for authentication methods %s", \
optname, validmethods); \
return false; \
} while (0)
◆ MANDATORY_AUTH_ARG
| #define MANDATORY_AUTH_ARG | ( | argvar, | |
| argname, | |||
| authname | |||
| ) |
Value:
do { \
if (argvar == NULL) { \
ereport(elevel, \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
errmsg("authentication method \"%s\" requires argument \"%s\" to be set", \
authname, argname), \
errcontext("line %d of configuration file \"%s\"", \
line_num, file_name))); \
*err_msg = psprintf("authentication method \"%s\" requires argument \"%s\" to be set", \
authname, argname); \
return NULL; \
} \
} while (0)
◆ REQUIRE_AUTH_OPTION
| #define REQUIRE_AUTH_OPTION | ( | methodval, | |
| optname, | |||
| validmethods | |||
| ) |
◆ token_has_regexp
◆ token_is_keyword
| #define token_is_keyword | ( | t, | |
| k | |||
| ) | (!t->quoted && strcmp(t->string, k) == 0) |
◆ token_is_member_check
| #define token_is_member_check | ( | t | ) | (!t->quoted && t->string[0] == '+') |
◆ token_matches
◆ token_matches_insensitive
| #define token_matches_insensitive | ( | t, | |
| k | |||
| ) | (pg_strcasecmp(t->string, k) == 0) |
Typedef Documentation
◆ check_network_data
| typedef struct check_network_data check_network_data |
Function Documentation
◆ check_db()
Definition at line 993 of file hba.c.
994{
995 ListCell *cell;
996 AuthToken *tok;
997
998 foreach(cell, tokens)
999 {
1000 tok = lfirst(cell);
1002 {
1003 /*
1004 * physical replication walsender connections can only match
1005 * replication keyword
1006 */
1008 return true;
1009 }
1011 return true;
1013 {
1015 return true;
1016 }
1019 {
1021 return true;
1022 }
1024 continue; /* never match this if not walsender */
1026 {
1028 return true;
1029 }
1031 return true;
1032 }
1033 return false;
1034}
static int regexec_auth_token(const char *match, AuthToken *token, size_t nmatch, regmatch_t pmatch[])
Definition: hba.c:348
Definition: pg_list.h:46
References am_db_walsender, am_walsender, dbname, is_member(), lfirst, REG_OKAY, regexec_auth_token(), token_has_regexp, token_is_keyword, and token_matches.
Referenced by check_hba().
◆ check_hba()
|
static |
Definition at line 2531 of file hba.c.
2532{
2533 Oid roleid;
2534 ListCell *line;
2535 HbaLine *hba;
2536
2537 /* Get the target role's OID. Note we do not error out for bad role. */
2539
2541 {
2543
2544 /* Check connection type */
2546 {
2548 continue;
2549 }
2550 else
2551 {
2553 continue;
2554
2555 /* Check SSL state */
2557 {
2558 /* Connection is SSL, match both "host" and "hostssl" */
2560 continue;
2561 }
2562 else
2563 {
2564 /* Connection is not SSL, match both "host" and "hostnossl" */
2566 continue;
2567 }
2568
2569 /* Check GSSAPI state */
2570#ifdef ENABLE_GSS
2573 continue;
2576 continue;
2577#else
2579 continue;
2580#endif
2581
2582 /* Check IP address */
2584 {
2587 {
2589 hba->hostname))
2590 continue;
2591 }
2592 else
2593 {
2597 continue;
2598 }
2599 break;
2601 break;
2605 hba->ip_cmp_method))
2606 continue;
2607 break;
2608 default:
2609 /* shouldn't get here, but deem it no-match if so */
2610 continue;
2611 }
2612 } /* != ctLocal */
2613
2614 /* Check database and role */
2616 hba->databases))
2617 continue;
2618
2620 continue;
2621
2622 /* Found a record that matched! */
2623 port->hba = hba;
2624 return;
2625 }
2626
2627 /* If no matching entry was found, then implicitly reject. */
2630 port->hba = hba;
2631}
static bool check_role(const char *role, Oid roleid, List *tokens, bool case_insensitive)
Definition: hba.c:954
static bool check_ip(SockAddr *raddr, struct sockaddr *addr, struct sockaddr *mask)
Definition: hba.c:1169
static bool check_same_host_or_net(SockAddr *raddr, IPCompareMethod method)
Definition: hba.c:1210
static bool check_db(const char *dbname, const char *role, Oid roleid, List *tokens)
Definition: hba.c:993
References HbaLine::addr, HbaLine::auth_method, check_db(), check_hostname(), check_ip(), check_role(), check_same_host_or_net(), HbaLine::conntype, ctHostGSS, ctHostNoGSS, ctHostNoSSL, ctHostSSL, ctLocal, HbaLine::databases, get_role_oid(), HbaLine::hostname, HbaLine::ip_cmp_method, ipCmpAll, ipCmpMask, ipCmpSameHost, ipCmpSameNet, lfirst, HbaLine::mask, palloc0(), parsed_hba_lines, port, HbaLine::roles, and uaImplicitReject.
Referenced by hba_getauthmethod().
◆ check_hostname()
|
static |
Definition at line 1078 of file hba.c.
1079{
1080 struct addrinfo *gai_result,
1081 *gai;
1082 int ret;
1083 bool found;
1084
1085 /* Quick out if remote host name already known bad */
1087 return false;
1088
1089 /* Lookup remote host name if not already done */
1091 {
1092 char remote_hostname[NI_MAXHOST];
1093
1095 remote_hostname, sizeof(remote_hostname),
1096 NULL, 0,
1097 NI_NAMEREQD);
1098 if (ret != 0)
1099 {
1100 /* remember failure; don't complain in the postmaster log yet */
1101 port->remote_hostname_resolv = -2;
1102 port->remote_hostname_errcode = ret;
1103 return false;
1104 }
1105
1107 }
1108
1109 /* Now see if remote host name matches this pg_hba line */
1111 return false;
1112
1113 /* If we already verified the forward lookup, we're done */
1115 return true;
1116
1117 /* Lookup IP from host name and check against original IP */
1118 ret = getaddrinfo(port->remote_hostname, NULL, NULL, &gai_result);
1119 if (ret != 0)
1120 {
1121 /* remember failure; don't complain in the postmaster log yet */
1122 port->remote_hostname_resolv = -2;
1123 port->remote_hostname_errcode = ret;
1124 return false;
1125 }
1126
1127 found = false;
1128 for (gai = gai_result; gai; gai = gai->ai_next)
1129 {
1131 {
1132 if (gai->ai_addr->sa_family == AF_INET)
1133 {
1136 {
1137 found = true;
1138 break;
1139 }
1140 }
1141 else if (gai->ai_addr->sa_family == AF_INET6)
1142 {
1145 {
1146 found = true;
1147 break;
1148 }
1149 }
1150 }
1151 }
1152
1153 if (gai_result)
1154 freeaddrinfo(gai_result);
1155
1156 if (!found)
1157 elog(DEBUG2, "pg_hba.conf host name \"%s\" rejected because address resolution did not return a match with IP address of client",
1158 hostname);
1159
1160 port->remote_hostname_resolv = found ? +1 : -1;
1161
1162 return found;
1163}
static bool hostname_match(const char *pattern, const char *actual_hostname)
Definition: hba.c:1058
int pg_getnameinfo_all(const struct sockaddr_storage *addr, int salen, char *node, int nodelen, char *service, int servicelen, int flags)
Definition: ip.c:114
References DEBUG2, elog, hostname, hostname_match(), ipv4eq(), ipv6eq(), pg_getnameinfo_all(), port, and pstrdup().
Referenced by check_hba().
◆ check_ident_usermap()
|
static |
Definition at line 2819 of file hba.c.
2822{
2823 Oid roleid;
2824
2825 *found_p = false;
2826 *error_p = false;
2827
2829 /* Line does not match the map name we're looking for, so just abort */
2830 return;
2831
2832 /* Get the target role's OID. Note we do not error out for bad role. */
2834
2835 /* Match? */
2837 {
2838 /*
2839 * Process the system username as a regular expression that returns
2840 * exactly one match. This is replaced for \1 in the database username
2841 * string, if present.
2842 */
2843 int r;
2844 regmatch_t matches[2];
2845 char *ofs;
2846 AuthToken *expanded_pg_user_token;
2847 bool created_temporary_token = false;
2848
2850 if (r)
2851 {
2852 char errstr[100];
2853
2855 {
2856 /* REG_NOMATCH is not an error, everything else is */
2859 (errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
2862 *error_p = true;
2863 }
2864 return;
2865 }
2866
2867 /*
2868 * Replace \1 with the first captured group unless the field already
2869 * has some special meaning, like a group membership or a regexp-based
2870 * check.
2871 */
2875 {
2876 char *expanded_pg_user;
2877 int offset;
2878
2879 /* substitution of the first argument requested */
2880 if (matches[1].rm_so < 0)
2881 {
2883 (errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
2884 errmsg("regular expression \"%s\" has no subexpressions as requested by backreference in \"%s\"",
2886 *error_p = true;
2887 return;
2888 }
2889
2890 /*
2891 * length: original length minus length of \1 plus length of match
2892 * plus null terminator
2893 */
2894 expanded_pg_user = palloc0(strlen(identLine->pg_user->string) - 2 + (matches[1].rm_eo - matches[1].rm_so) + 1);
2897 memcpy(expanded_pg_user + offset,
2898 system_user + matches[1].rm_so,
2899 matches[1].rm_eo - matches[1].rm_so);
2900 strcat(expanded_pg_user, ofs + 2);
2901
2902 /*
2903 * Mark the token as quoted, so it will only be compared literally
2904 * and not for some special meaning, such as "all" or a group
2905 * membership check.
2906 */
2908 created_temporary_token = true;
2909 pfree(expanded_pg_user);
2910 }
2911 else
2912 {
2913 expanded_pg_user_token = identLine->pg_user;
2914 }
2915
2916 /* check the Postgres user */
2917 *found_p = check_role(pg_user, roleid,
2918 list_make1(expanded_pg_user_token),
2919 case_insensitive);
2920
2921 if (created_temporary_token)
2922 free_auth_token(expanded_pg_user_token);
2923
2924 return;
2925 }
2926 else
2927 {
2928 /*
2929 * Not a regular expression, so make a complete match. If the system
2930 * user does not match, just leave.
2931 */
2932 if (case_insensitive)
2933 {
2935 system_user))
2936 return;
2937 }
2938 else
2939 {
2941 return;
2942 }
2943
2944 /* check the Postgres user */
2945 *found_p = check_role(pg_user, roleid,
2947 case_insensitive);
2948 }
2949}
static AuthToken * make_auth_token(const char *token, bool quoted)
Definition: hba.c:259
size_t pg_regerror(int errcode, const regex_t *preg, char *errbuf, size_t errbuf_size)
Definition: regerror.c:60
References check_role(), ereport, errcode(), errmsg(), free_auth_token(), get_role_oid(), list_make1, LOG, make_auth_token(), palloc0(), pfree(), pg_regerror(), IdentLine::pg_user, REG_NOMATCH, AuthToken::regex, regexec_auth_token(), regmatch_t, AuthToken::string, system_user(), IdentLine::system_user, token_has_regexp, token_is_member_check, token_matches, token_matches_insensitive, and IdentLine::usermap.
Referenced by check_usermap().
◆ check_ip()
|
static |
Definition at line 1169 of file hba.c.
1170{
1173 (struct sockaddr_storage *) addr,
1174 (struct sockaddr_storage *) mask))
1175 return true;
1176 return false;
1177}
int pg_range_sockaddr(const struct sockaddr_storage *addr, const struct sockaddr_storage *netaddr, const struct sockaddr_storage *netmask)
Definition: ifaddr.c:49
References SockAddr::addr, and pg_range_sockaddr().
Referenced by check_hba(), and check_network_callback().
◆ check_network_callback()
|
static |
Definition at line 1183 of file hba.c.
1185{
1187 struct sockaddr_storage mask;
1188
1189 /* Already found a match? */
1191 return;
1192
1194 {
1195 /* Make an all-ones netmask of appropriate length for family */
1196 pg_sockaddr_cidr_mask(&mask, NULL, addr->sa_family);
1198 }
1199 else
1200 {
1201 /* Use the netmask of the interface itself */
1203 }
1204}
int pg_sockaddr_cidr_mask(struct sockaddr_storage *mask, char *numbits, int family)
Definition: ifaddr.c:105
Definition: hba.c:57
References check_ip(), ipCmpSameHost, check_network_data::method, pg_sockaddr_cidr_mask(), check_network_data::raddr, and check_network_data::result.
Referenced by check_same_host_or_net().
◆ check_role()
|
static |
Definition at line 954 of file hba.c.
955{
956 ListCell *cell;
957 AuthToken *tok;
958
959 foreach(cell, tokens)
960 {
961 tok = lfirst(cell);
963 {
965 return true;
966 }
968 return true;
970 {
972 return true;
973 }
974 else if (case_insensitive)
975 {
977 return true;
978 }
980 return true;
981 }
982 return false;
983}
References is_member(), lfirst, REG_OKAY, regexec_auth_token(), AuthToken::string, token_has_regexp, token_is_keyword, token_is_member_check, token_matches, and token_matches_insensitive.
Referenced by check_hba(), and check_ident_usermap().
◆ check_same_host_or_net()
|
static |
Definition at line 1210 of file hba.c.
1211{
1212 check_network_data cn;
1213
1214 cn.method = method;
1215 cn.raddr = raddr;
1217
1218 errno = 0;
1220 {
1223 return false;
1224 }
1225
1227}
static void check_network_callback(struct sockaddr *addr, struct sockaddr *netmask, void *cb_data)
Definition: hba.c:1183
int pg_foreach_ifaddr(PgIfAddrCallback callback, void *cb_data)
Definition: ifaddr.c:425
References check_network_callback(), ereport, errmsg(), LOG, check_network_data::method, pg_foreach_ifaddr(), check_network_data::raddr, and check_network_data::result.
Referenced by check_hba().
◆ check_usermap()
| int check_usermap | ( | const char * | usermap_name, |
| const char * | pg_user, | ||
| const char * | system_user, | ||
| bool | case_insensitive | ||
| ) |
Definition at line 2966 of file hba.c.
2970{
2971 bool found_entry = false,
2973
2974 if (usermap_name == NULL || usermap_name[0] == '\0')
2975 {
2976 if (case_insensitive)
2977 {
2980 }
2981 else
2982 {
2985 }
2988 pg_user, system_user)));
2990 }
2991 else
2992 {
2993 ListCell *line_cell;
2994
2996 {
2998 pg_user, system_user, case_insensitive,
2999 &found_entry, &error);
3001 break;
3002 }
3003 }
3005 {
3008 usermap_name, pg_user, system_user)));
3009 }
3011}
static void check_ident_usermap(IdentLine *identLine, const char *usermap_name, const char *pg_user, const char *system_user, bool case_insensitive, bool *found_p, bool *error_p)
Definition: hba.c:2819
References check_ident_usermap(), ereport, errmsg(), error(), lfirst, LOG, parsed_ident_lines, pg_strcasecmp(), STATUS_ERROR, STATUS_OK, and system_user().
Referenced by auth_peer(), ident_inet(), and validate().
◆ copy_auth_token()
Definition at line 290 of file hba.c.
291{
293
294 return out;
295}
References make_auth_token(), AuthToken::quoted, and AuthToken::string.
Referenced by parse_hba_line(), and parse_ident_line().
◆ free_auth_file()
| void free_auth_file | ( | FILE * | file, |
| int | depth | ||
| ) |
Definition at line 572 of file hba.c.
573{
574 FreeFile(file);
575
576 /* If this is the last cleanup, remove the tokenization context */
578 {
580 tokenize_context = NULL;
581 }
582}
References CONF_FILE_START_DEPTH, FreeFile(), MemoryContextDelete(), and tokenize_context.
Referenced by fill_hba_view(), fill_ident_view(), load_hba(), load_ident(), tokenize_expand_file(), and tokenize_include_file().
◆ free_auth_token()
|
static |
Definition at line 280 of file hba.c.
References pg_regfree(), and token_has_regexp.
Referenced by check_ident_usermap().
◆ hba_authname()
| const char * hba_authname | ( | UserAuth | auth_method | ) |
Definition at line 3123 of file hba.c.
3124{
3126}
References UserAuthName.
Referenced by ClientAuthentication(), fill_hba_line(), InitPostgres(), ParallelWorkerMain(), and set_authn_id().
◆ hba_getauthmethod()
| void hba_getauthmethod | ( | hbaPort * | port | ) |
Definition at line 3110 of file hba.c.
3111{
3113}
References check_hba(), and port.
Referenced by ClientAuthentication().
◆ hostname_match()
|
static |
Definition at line 1058 of file hba.c.
1059{
1060 if (pattern[0] == '.') /* suffix match */
1061 {
1062 size_t plen = strlen(pattern);
1063 size_t hlen = strlen(actual_hostname);
1064
1065 if (hlen < plen)
1066 return false;
1067
1069 }
1070 else
1072}
References pg_strcasecmp().
Referenced by check_hostname().
◆ ipv4eq()
|
static |
◆ ipv6eq()
|
static |
◆ is_member()
|
static |
Definition at line 925 of file hba.c.
926{
927 Oid roleid;
928
930 return false; /* if user not exist, say "no" */
931
933
935 return false; /* if target role not exist, say "no" */
936
937 /*
938 * See if user is directly or indirectly a member of role. For this
939 * purpose, a superuser is not considered to be automatically a member of
940 * the role, so group auth only applies to explicit membership.
941 */
943}
References get_role_oid(), is_member_of_role_nosuper(), and OidIsValid.
Referenced by check_db(), and check_role().
◆ load_hba()
| bool load_hba | ( | void | ) |
Definition at line 2645 of file hba.c.
2646{
2647 FILE *file;
2649 ListCell *line;
2651 bool ok = true;
2652 MemoryContext oldcxt;
2653 MemoryContext hbacxt;
2654
2656 if (file == NULL)
2657 {
2658 /* error already logged */
2659 return false;
2660 }
2661
2663
2664 /* Now parse all the lines */
2667 "hba parser context",
2668 ALLOCSET_SMALL_SIZES);
2669 oldcxt = MemoryContextSwitchTo(hbacxt);
2670 foreach(line, hba_lines)
2671 {
2674
2675 /* don't parse lines that already have errors */
2677 {
2678 ok = false;
2679 continue;
2680 }
2681
2683 {
2684 /* Parse error; remember there's trouble */
2685 ok = false;
2686
2687 /*
2688 * Keep parsing the rest of the file so we can report errors on
2689 * more than the first line. Error has already been logged, no
2690 * need for more chatter here.
2691 */
2692 continue;
2693 }
2694
2696 }
2697
2698 /*
2699 * A valid HBA file must have at least one entry; else there's no way to
2700 * connect to the postmaster. But only complain about this if we didn't
2701 * already have parsing errors.
2702 */
2704 {
2706 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2708 HbaFileName)));
2709 ok = false;
2710 }
2711
2712 /* Free tokenizer memory */
2713 free_auth_file(file, 0);
2714 MemoryContextSwitchTo(oldcxt);
2715
2716 if (!ok)
2717 {
2718 /*
2719 * File contained one or more errors, so bail out. MemoryContextDelete
2720 * is enough to clean up everything, including regexes.
2721 */
2722 MemoryContextDelete(hbacxt);
2723 return false;
2724 }
2725
2726 /* Loaded new file successfully, replace the one we use */
2729 parsed_hba_context = hbacxt;
2730 parsed_hba_lines = new_parsed_lines;
2731
2732 return true;
2733}
Assert(PointerIsAligned(start, uint64))
HbaLine * parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
Definition: hba.c:1328
void tokenize_auth_file(const char *filename, FILE *file, List **tok_lines, int elevel, int depth)
Definition: hba.c:691
FILE * open_auth_file(const char *filename, int elevel, int depth, char **err_msg)
Definition: hba.c:597
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:124
Definition: pg_list.h:54
Definition: memnodes.h:118
Definition: hba.h:164
References ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert(), ereport, TokenizedAuthLine::err_msg, errcode(), errmsg(), free_auth_file(), HbaFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline, NIL, open_auth_file(), parse_hba_line(), parsed_hba_context, parsed_hba_lines, PostmasterContext, and tokenize_auth_file().
Referenced by PerformAuthentication(), PostmasterMain(), and process_pm_reload_request().
◆ load_ident()
| bool load_ident | ( | void | ) |
Definition at line 3021 of file hba.c.
3022{
3023 FILE *file;
3025 ListCell *line_cell;
3027 bool ok = true;
3028 MemoryContext oldcxt;
3029 MemoryContext ident_context;
3031
3032 /* not FATAL ... we just won't do any special ident maps */
3034 if (file == NULL)
3035 {
3036 /* error already logged */
3037 return false;
3038 }
3039
3041
3042 /* Now parse all the lines */
3045 "ident parser context",
3046 ALLOCSET_SMALL_SIZES);
3047 oldcxt = MemoryContextSwitchTo(ident_context);
3048 foreach(line_cell, ident_lines)
3049 {
3051
3052 /* don't parse lines that already have errors */
3054 {
3055 ok = false;
3056 continue;
3057 }
3058
3060 {
3061 /* Parse error; remember there's trouble */
3062 ok = false;
3063
3064 /*
3065 * Keep parsing the rest of the file so we can report errors on
3066 * more than the first line. Error has already been logged, no
3067 * need for more chatter here.
3068 */
3069 continue;
3070 }
3071
3073 }
3074
3075 /* Free tokenizer memory */
3076 free_auth_file(file, 0);
3077 MemoryContextSwitchTo(oldcxt);
3078
3079 if (!ok)
3080 {
3081 /*
3082 * File contained one or more errors, so bail out. MemoryContextDelete
3083 * is enough to clean up everything, including regexes.
3084 */
3085 MemoryContextDelete(ident_context);
3086 return false;
3087 }
3088
3089 /* Loaded new file successfully, replace the one we use */
3092
3093 parsed_ident_context = ident_context;
3094 parsed_ident_lines = new_parsed_lines;
3095
3096 return true;
3097}
IdentLine * parse_ident_line(TokenizedAuthLine *tok_line, int elevel)
Definition: hba.c:2751
References ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert(), TokenizedAuthLine::err_msg, free_auth_file(), IdentFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline, NIL, open_auth_file(), parse_ident_line(), parsed_ident_context, parsed_ident_lines, PostmasterContext, and tokenize_auth_file().
Referenced by PerformAuthentication(), PostmasterMain(), and process_pm_reload_request().
◆ make_auth_token()
|
static |
Definition at line 259 of file hba.c.
260{
261 AuthToken *authtoken;
262 int toklen;
263
264 toklen = strlen(token);
265 /* we copy string into same palloc block as the struct */
268 authtoken->quoted = quoted;
269 authtoken->regex = NULL;
271
272 return authtoken;
273}
References palloc0(), AuthToken::quoted, AuthToken::regex, and AuthToken::string.
Referenced by check_ident_usermap(), copy_auth_token(), and next_field_expand().
◆ next_field_expand()
|
static |
Definition at line 381 of file hba.c.
383{
385 bool trailing_comma;
386 bool initial_quote;
388
390
391 do
392 {
394 &initial_quote, &trailing_comma))
395 break;
396
397 /* Is this referencing a file? */
400 elevel, depth + 1, err_msg);
401 else
402 {
403 MemoryContext oldcxt;
404
405 /*
406 * lappend() may do its own allocations, so move to the context
407 * for the list of tokens.
408 */
411 MemoryContextSwitchTo(oldcxt);
412 }
413 } while (trailing_comma && (*err_msg == NULL));
414
416
417 return tokens;
418}
static List * tokenize_expand_file(List *tokens, const char *outer_filename, const char *inc_filename, int elevel, int depth, char **err_msg)
Definition: hba.c:495
static bool next_token(char **lineptr, StringInfo buf, bool *initial_quote, bool *terminating_comma)
Definition: hba.c:187
Definition: stringinfo.h:47
Definition: mbprint.h:17
References buf, filename, initStringInfo(), lappend(), make_auth_token(), MemoryContextSwitchTo(), next_token(), NIL, pfree(), tokenize_context, and tokenize_expand_file().
Referenced by tokenize_auth_file().
◆ next_token()
|
static |
Definition at line 187 of file hba.c.
189{
191 bool in_quote = false;
192 bool was_quote = false;
193 bool saw_quote = false;
194
195 /* Initialize output parameters */
197 *initial_quote = false;
198 *terminating_comma = false;
199
200 /* Move over any whitespace and commas preceding the next token */
202 ;
203
204 /*
205 * Build a token in buf of next characters up to EOL, unquoted comma, or
206 * unquoted whitespace.
207 */
210 {
211 /* skip comments to EOL */
213 {
215 ;
216 break;
217 }
218
219 /* we do not pass back a terminating comma in the token */
221 {
222 *terminating_comma = true;
223 break;
224 }
225
228
229 /* Literal double-quote is two double-quotes */
231 was_quote = !was_quote;
232 else
233 was_quote = false;
234
236 {
237 in_quote = !in_quote;
238 saw_quote = true;
240 *initial_quote = true;
241 }
242
243 c = *(*lineptr)++;
244 }
245
246 /*
247 * Un-eat the char right after the token (critical in case it is '\0',
248 * else next call will read past end of string).
249 */
250 (*lineptr)--;
251
253}
References appendStringInfoChar(), buf, pg_isblank(), and resetStringInfo().
Referenced by base_yylex(), filtered_base_yylex(), and next_field_expand().
◆ open_auth_file()
| FILE * open_auth_file | ( | const char * | filename, |
| int | elevel, | ||
| int | depth, | ||
| char ** | err_msg | ||
| ) |
Definition at line 597 of file hba.c.
599{
600 FILE *file;
601
602 /*
603 * Reject too-deep include nesting depth. This is just a safety check to
604 * avoid dumping core due to stack overflow if an include file loops back
605 * to itself. The maximum nesting depth is pretty arbitrary.
606 */
608 {
609 ereport(elevel,
610 (errcode_for_file_access(),
612 filename)));
613 if (err_msg)
615 filename);
616 return NULL;
617 }
618
620 if (file == NULL)
621 {
622 int save_errno = errno;
623
624 ereport(elevel,
625 (errcode_for_file_access(),
627 filename)));
628 if (err_msg)
629 {
630 errno = save_errno;
632 filename);
633 }
634 /* the caller may care about some specific errno */
635 errno = save_errno;
636 return NULL;
637 }
638
639 /*
640 * When opening the top-level file, create the memory context used for the
641 * tokenization. This will be closed with this file when coming back to
642 * this level of cleanup.
643 */
645 {
646 /*
647 * A context may be present, but assume that it has been eliminated
648 * already.
649 */
651 "tokenize_context",
653 }
654
655 return file;
656}
References AllocateFile(), ALLOCSET_START_SMALL_SIZES, AllocSetContextCreate, CONF_FILE_MAX_DEPTH, CONF_FILE_START_DEPTH, CurrentMemoryContext, ereport, errcode_for_file_access(), errmsg(), filename, psprintf(), and tokenize_context.
Referenced by fill_hba_view(), fill_ident_view(), load_hba(), load_ident(), tokenize_expand_file(), and tokenize_include_file().
◆ parse_hba_auth_opt()
|
static |
Definition at line 2087 of file hba.c.
2089{
2092
2093#ifdef USE_LDAP
2094 hbaline->ldapscope = LDAP_SCOPE_SUBTREE;
2095#endif
2096
2098 {
2107 }
2109 {
2111 {
2112 ereport(elevel,
2113 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2116 line_num, file_name)));
2117 *err_msg = "clientcert can only be configured for \"hostssl\" rows";
2118 return false;
2119 }
2120
2122 {
2124 }
2126 {
2128 {
2129 ereport(elevel,
2130 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2133 line_num, file_name)));
2134 *err_msg = "clientcert can only be set to \"verify-full\" when using \"cert\" authentication";
2135 return false;
2136 }
2137
2139 }
2140 else
2141 {
2142 ereport(elevel,
2143 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2146 line_num, file_name)));
2147 return false;
2148 }
2149 }
2151 {
2153 {
2154 ereport(elevel,
2155 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2158 line_num, file_name)));
2159 *err_msg = "clientname can only be configured for \"hostssl\" rows";
2160 return false;
2161 }
2162
2164 {
2166 }
2168 {
2170 }
2171 else
2172 {
2173 ereport(elevel,
2174 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2177 line_num, file_name)));
2178 return false;
2179 }
2180 }
2182 {
2185 }
2187 {
2191 else
2193 }
2195 {
2196#ifdef LDAP_API_FEATURE_X_OPENLDAP
2197 LDAPURLDesc *urldata;
2198 int rc;
2199#endif
2200
2202#ifdef LDAP_API_FEATURE_X_OPENLDAP
2203 rc = ldap_url_parse(val, &urldata);
2204 if (rc != LDAP_SUCCESS)
2205 {
2206 ereport(elevel,
2207 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2210 val, ldap_err2string(rc));
2211 return false;
2212 }
2213
2214 if (strcmp(urldata->lud_scheme, "ldap") != 0 &&
2215 strcmp(urldata->lud_scheme, "ldaps") != 0)
2216 {
2217 ereport(elevel,
2218 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2221 urldata->lud_scheme);
2222 ldap_free_urldesc(urldata);
2223 return false;
2224 }
2225
2226 if (urldata->lud_scheme)
2228 if (urldata->lud_host)
2230 hbaline->ldapport = urldata->lud_port;
2231 if (urldata->lud_dn)
2233
2234 if (urldata->lud_attrs)
2236 hbaline->ldapscope = urldata->lud_scope;
2237 if (urldata->lud_filter)
2239 ldap_free_urldesc(urldata);
2240#else /* not OpenLDAP */
2241 ereport(elevel,
2242 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
2244 *err_msg = "LDAP URLs not supported on this platform";
2245#endif /* not OpenLDAP */
2246 }
2248 {
2252 else
2254 }
2256 {
2259 ereport(elevel,
2260 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2263 line_num, file_name)));
2265 }
2267 {
2270 }
2272 {
2276 {
2277 ereport(elevel,
2278 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2281 line_num, file_name)));
2283 return false;
2284 }
2285 }
2287 {
2290 }
2292 {
2295 }
2297 {
2300 }
2302 {
2305 }
2307 {
2310 }
2312 {
2315 }
2317 {
2320 }
2322 {
2327 }
2329 {
2335 else
2337 }
2339 {
2344 else
2346 }
2348 {
2353 else
2355 }
2357 {
2358 struct addrinfo *gai_result;
2359 struct addrinfo hints;
2360 int ret;
2361 List *parsed_servers;
2362 ListCell *l;
2364
2366
2368 {
2369 /* syntax error in list */
2370 ereport(elevel,
2371 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2373 val),
2375 line_num, file_name)));
2376 return false;
2377 }
2378
2379 /* For each entry in the list, translate it */
2380 foreach(l, parsed_servers)
2381 {
2383 hints.ai_socktype = SOCK_DGRAM;
2384 hints.ai_family = AF_UNSPEC;
2385
2387 if (ret || !gai_result)
2388 {
2389 ereport(elevel,
2390 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2394 line_num, file_name)));
2395 if (gai_result)
2396 pg_freeaddrinfo_all(hints.ai_family, gai_result);
2397
2398 list_free(parsed_servers);
2399 return false;
2400 }
2401 pg_freeaddrinfo_all(hints.ai_family, gai_result);
2402 }
2403
2404 /* All entries are OK, so store them */
2405 hbaline->radiusservers = parsed_servers;
2407 }
2409 {
2410 List *parsed_ports;
2411 ListCell *l;
2413
2415
2417 {
2418 ereport(elevel,
2419 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2421 val),
2423 line_num, file_name)));
2425 return false;
2426 }
2427
2428 foreach(l, parsed_ports)
2429 {
2431 {
2432 ereport(elevel,
2433 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2436 line_num, file_name)));
2437
2438 return false;
2439 }
2440 }
2441 hbaline->radiusports = parsed_ports;
2443 }
2445 {
2446 List *parsed_secrets;
2448
2450
2452 {
2453 /* syntax error in list */
2454 ereport(elevel,
2455 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2457 val),
2459 line_num, file_name)));
2460 return false;
2461 }
2462
2463 hbaline->radiussecrets = parsed_secrets;
2465 }
2467 {
2468 List *parsed_identifiers;
2470
2472
2474 {
2475 /* syntax error in list */
2476 ereport(elevel,
2477 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2479 val),
2481 line_num, file_name)));
2482 return false;
2483 }
2484
2485 hbaline->radiusidentifiers = parsed_identifiers;
2487 }
2489 {
2492 }
2494 {
2497 }
2499 {
2502 }
2504 {
2508 else
2510 }
2511 else
2512 {
2513 ereport(elevel,
2514 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2516 name),
2518 line_num, file_name)));
2520 name);
2521 return false;
2522 }
2523 return true;
2524}
#define REQUIRE_AUTH_OPTION(methodval, optname, validmethods)
Definition: hba.c:1258
void pg_freeaddrinfo_all(int hint_ai_family, struct addrinfo *ai)
Definition: ip.c:82
int pg_getaddrinfo_all(const char *hostname, const char *servname, const struct addrinfo *hintp, struct addrinfo **result)
Definition: ip.c:53
bool SplitGUCList(char *rawstring, char separator, List **namelist)
Definition: varlena.c:3773
References HbaLine::auth_method, HbaLine::clientcert, clientCertCA, clientCertCN, clientCertDN, clientCertFull, HbaLine::clientcertname, HbaLine::compat_realm, HbaLine::conntype, ctHostSSL, ereport, errcode(), errcontext, errmsg(), gai_strerror(), gettext_noop, HbaLine::include_realm, INVALID_AUTH_OPTION, HbaLine::krb_realm, HbaLine::ldapbasedn, HbaLine::ldapbinddn, HbaLine::ldapbindpasswd, HbaLine::ldapport, HbaLine::ldapprefix, HbaLine::ldapscheme, HbaLine::ldapscope, HbaLine::ldapsearchattribute, HbaLine::ldapsearchfilter, HbaLine::ldapserver, HbaLine::ldapsuffix, HbaLine::ldaptls, lfirst, HbaLine::linenumber, list_free(), MemSet, name, HbaLine::oauth_issuer, HbaLine::oauth_scope, HbaLine::oauth_skip_usermap, HbaLine::oauth_validator, HbaLine::pam_use_hostname, HbaLine::pamservice, pg_freeaddrinfo_all(), pg_getaddrinfo_all(), psprintf(), pstrdup(), HbaLine::radiusidentifiers, HbaLine::radiusidentifiers_s, HbaLine::radiusports, HbaLine::radiusports_s, HbaLine::radiussecrets, HbaLine::radiussecrets_s, HbaLine::radiusservers, HbaLine::radiusservers_s, REQUIRE_AUTH_OPTION, HbaLine::sourcefile, SplitGUCList(), uaCert, uaGSS, uaIdent, uaLDAP, uaOAuth, uaPAM, uaPeer, uaRADIUS, uaSSPI, HbaLine::upn_username, HbaLine::usermap, and val.
Referenced by parse_hba_line().
◆ parse_hba_line()
| HbaLine * parse_hba_line | ( | TokenizedAuthLine * | tok_line, |
| int | elevel | ||
| ) |
Definition at line 1328 of file hba.c.
1329{
1334 struct addrinfo *gai_result;
1335 struct addrinfo hints;
1336 int ret;
1337 char *cidr_slash;
1338 char *unsupauth;
1339 ListCell *field;
1340 List *tokens;
1341 ListCell *tokencell;
1343 HbaLine *parsedline;
1344
1347 parsedline->linenumber = line_num;
1349
1350 /* Check the record type. */
1353 tokens = lfirst(field);
1355 {
1356 ereport(elevel,
1357 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1361 line_num, file_name)));
1362 *err_msg = "multiple values specified for connection type";
1363 return NULL;
1364 }
1367 {
1369 }
1375 {
1376
1378 {
1380 /* Log a warning if SSL support is not active */
1381#ifdef USE_SSL
1383 {
1384 ereport(elevel,
1385 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1389 line_num, file_name)));
1390 *err_msg = "hostssl record cannot match because SSL is disabled";
1391 }
1392#else
1393 ereport(elevel,
1394 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1397 line_num, file_name)));
1398 *err_msg = "hostssl record cannot match because SSL is not supported by this build";
1399#endif
1400 }
1402 {
1404#ifndef ENABLE_GSS
1405 ereport(elevel,
1406 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1409 line_num, file_name)));
1410 *err_msg = "hostgssenc record cannot match because GSSAPI is not supported by this build";
1411#endif
1412 }
1417 else
1418 {
1419 /* "host" */
1421 }
1422 } /* record type */
1423 else
1424 {
1425 ereport(elevel,
1426 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1428 token->string),
1430 line_num, file_name)));
1432 return NULL;
1433 }
1434
1435 /* Get the databases. */
1437 if (!field)
1438 {
1439 ereport(elevel,
1440 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1443 line_num, file_name)));
1444 *err_msg = "end-of-line before database specification";
1445 return NULL;
1446 }
1448 tokens = lfirst(field);
1449 foreach(tokencell, tokens)
1450 {
1452
1453 /* Compile a regexp for the database token, if necessary */
1455 return NULL;
1456
1458 }
1459
1460 /* Get the roles. */
1462 if (!field)
1463 {
1464 ereport(elevel,
1465 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1468 line_num, file_name)));
1469 *err_msg = "end-of-line before role specification";
1470 return NULL;
1471 }
1473 tokens = lfirst(field);
1474 foreach(tokencell, tokens)
1475 {
1477
1478 /* Compile a regexp from the role token, if necessary */
1480 return NULL;
1481
1483 }
1484
1486 {
1487 /* Read the IP address field. (with or without CIDR netmask) */
1489 if (!field)
1490 {
1491 ereport(elevel,
1492 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1495 line_num, file_name)));
1496 *err_msg = "end-of-line before IP address specification";
1497 return NULL;
1498 }
1499 tokens = lfirst(field);
1501 {
1502 ereport(elevel,
1503 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1507 line_num, file_name)));
1508 *err_msg = "multiple values specified for host address";
1509 return NULL;
1510 }
1512
1514 {
1516 }
1518 {
1519 /* Any IP on this host is allowed to connect */
1521 }
1523 {
1524 /* Any IP on the host's subnets is allowed to connect */
1526 }
1527 else
1528 {
1529 /* IP and netmask are specified */
1531
1532 /* need a modifiable copy of token */
1534
1535 /* Check if it has a CIDR suffix and if so isolate it */
1537 if (cidr_slash)
1538 *cidr_slash = '\0';
1539
1540 /* Get the IP address either way */
1541 hints.ai_flags = AI_NUMERICHOST;
1542 hints.ai_family = AF_UNSPEC;
1543 hints.ai_socktype = 0;
1544 hints.ai_protocol = 0;
1545 hints.ai_addrlen = 0;
1546 hints.ai_canonname = NULL;
1547 hints.ai_addr = NULL;
1548 hints.ai_next = NULL;
1549
1551 if (ret == 0 && gai_result)
1552 {
1553 memcpy(&parsedline->addr, gai_result->ai_addr,
1554 gai_result->ai_addrlen);
1555 parsedline->addrlen = gai_result->ai_addrlen;
1556 }
1557 else if (ret == EAI_NONAME)
1559 else
1560 {
1561 ereport(elevel,
1562 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1566 line_num, file_name)));
1569 if (gai_result)
1570 pg_freeaddrinfo_all(hints.ai_family, gai_result);
1571 return NULL;
1572 }
1573
1574 pg_freeaddrinfo_all(hints.ai_family, gai_result);
1575
1576 /* Get the netmask */
1577 if (cidr_slash)
1578 {
1580 {
1581 ereport(elevel,
1582 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1584 token->string),
1586 line_num, file_name)));
1588 token->string);
1589 return NULL;
1590 }
1591
1593 parsedline->addr.ss_family) < 0)
1594 {
1595 ereport(elevel,
1596 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1598 token->string),
1600 line_num, file_name)));
1602 token->string);
1603 return NULL;
1604 }
1607 }
1609 {
1610 /* Read the mask field. */
1613 if (!field)
1614 {
1615 ereport(elevel,
1616 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1620 line_num, file_name)));
1621 *err_msg = "end-of-line before netmask specification";
1622 return NULL;
1623 }
1624 tokens = lfirst(field);
1626 {
1627 ereport(elevel,
1628 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1631 line_num, file_name)));
1632 *err_msg = "multiple values specified for netmask";
1633 return NULL;
1634 }
1636
1638 &hints, &gai_result);
1639 if (ret || !gai_result)
1640 {
1641 ereport(elevel,
1642 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1646 line_num, file_name)));
1649 if (gai_result)
1650 pg_freeaddrinfo_all(hints.ai_family, gai_result);
1651 return NULL;
1652 }
1653
1654 memcpy(&parsedline->mask, gai_result->ai_addr,
1655 gai_result->ai_addrlen);
1656 parsedline->masklen = gai_result->ai_addrlen;
1657 pg_freeaddrinfo_all(hints.ai_family, gai_result);
1658
1660 {
1661 ereport(elevel,
1662 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1665 line_num, file_name)));
1666 *err_msg = "IP address and mask do not match";
1667 return NULL;
1668 }
1669 }
1670 }
1671 } /* != ctLocal */
1672
1673 /* Get the authentication method */
1675 if (!field)
1676 {
1677 ereport(elevel,
1678 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1681 line_num, file_name)));
1682 *err_msg = "end-of-line before authentication method";
1683 return NULL;
1684 }
1685 tokens = lfirst(field);
1687 {
1688 ereport(elevel,
1689 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1693 line_num, file_name)));
1694 *err_msg = "multiple values specified for authentication type";
1695 return NULL;
1696 }
1698
1699 unsupauth = NULL;
1709#ifdef ENABLE_GSS
1711#else
1712 unsupauth = "gss";
1713#endif
1715#ifdef ENABLE_SSPI
1717#else
1718 unsupauth = "sspi";
1719#endif
1727#ifdef USE_PAM
1729#else
1730 unsupauth = "pam";
1731#endif
1733#ifdef USE_BSD_AUTH
1735#else
1736 unsupauth = "bsd";
1737#endif
1739#ifdef USE_LDAP
1741#else
1742 unsupauth = "ldap";
1743#endif
1745#ifdef USE_SSL
1747#else
1748 unsupauth = "cert";
1749#endif
1754 else
1755 {
1756 ereport(elevel,
1757 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1759 token->string),
1761 line_num, file_name)));
1763 token->string);
1764 return NULL;
1765 }
1766
1767 if (unsupauth)
1768 {
1769 ereport(elevel,
1770 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1772 token->string),
1774 line_num, file_name)));
1776 token->string);
1777 return NULL;
1778 }
1779
1780 /*
1781 * XXX: When using ident on local connections, change it to peer, for
1782 * backwards compatibility.
1783 */
1787
1788 /* Invalid authentication combinations */
1791 {
1792 ereport(elevel,
1793 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1796 line_num, file_name)));
1797 *err_msg = "gssapi authentication is not supported on local sockets";
1798 return NULL;
1799 }
1800
1803 {
1804 ereport(elevel,
1805 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1808 line_num, file_name)));
1809 *err_msg = "peer authentication is only supported on local sockets";
1810 return NULL;
1811 }
1812
1813 /*
1814 * SSPI authentication can never be enabled on ctLocal connections,
1815 * because it's only supported on Windows, where ctLocal isn't supported.
1816 */
1817
1818
1821 {
1822 ereport(elevel,
1823 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1826 line_num, file_name)));
1827 *err_msg = "cert authentication is only supported on hostssl connections";
1828 return NULL;
1829 }
1830
1831 /*
1832 * For GSS and SSPI, set the default value of include_realm to true.
1833 * Having include_realm set to false is dangerous in multi-realm
1834 * situations and is generally considered bad practice. We keep the
1835 * capability around for backwards compatibility, but we might want to
1836 * remove it at some point in the future. Users who still need to strip
1837 * the realm off would be better served by using an appropriate regex in a
1838 * pg_ident.conf mapping.
1839 */
1843
1844 /*
1845 * For SSPI, include_realm defaults to the SAM-compatible domain (aka
1846 * NetBIOS name) and user names instead of the Kerberos principal name for
1847 * compatibility.
1848 */
1850 {
1853 }
1854
1855 /* Parse remaining arguments */
1857 {
1858 tokens = lfirst(field);
1859 foreach(tokencell, tokens)
1860 {
1862
1864
1868 {
1869 /*
1870 * Got something that's not a name=value pair.
1871 */
1872 ereport(elevel,
1873 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1876 line_num, file_name)));
1878 token->string);
1879 return NULL;
1880 }
1881
1884 /* parse_hba_auth_opt already logged the error message */
1885 return NULL;
1887 }
1888 }
1889
1890 /*
1891 * Check if the selected authentication method has any mandatory arguments
1892 * that are not set.
1893 */
1895 {
1896#ifndef HAVE_LDAP_INITIALIZE
1897 /* Not mandatory for OpenLDAP, because it can use DNS SRV records */
1899#endif
1900
1901 /*
1902 * LDAP can operate in two modes: either with a direct bind, using
1903 * ldapprefix and ldapsuffix, or using a search+bind, using
1904 * ldapbasedn, ldapbinddn, ldapbindpasswd and one of
1905 * ldapsearchattribute or ldapsearchfilter. Disallow mixing these
1906 * parameters.
1907 */
1909 {
1911 parsedline->ldapbinddn ||
1912 parsedline->ldapbindpasswd ||
1913 parsedline->ldapsearchattribute ||
1914 parsedline->ldapsearchfilter)
1915 {
1916 ereport(elevel,
1917 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1920 line_num, file_name)));
1921 *err_msg = "cannot mix options for simple bind and search+bind modes";
1922 return NULL;
1923 }
1924 }
1926 {
1927 ereport(elevel,
1928 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1929 errmsg("authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set"),
1931 line_num, file_name)));
1932 *err_msg = "authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set";
1933 return NULL;
1934 }
1935
1936 /*
1937 * When using search+bind, you can either use a simple attribute
1938 * (defaulting to "uid") or a fully custom search filter. You can't
1939 * do both.
1940 */
1942 {
1943 ereport(elevel,
1944 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1947 line_num, file_name)));
1948 *err_msg = "cannot use ldapsearchattribute together with ldapsearchfilter";
1949 return NULL;
1950 }
1951 }
1952
1954 {
1957
1959 {
1960 ereport(elevel,
1961 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1964 line_num, file_name)));
1965 *err_msg = "list of RADIUS servers cannot be empty";
1966 return NULL;
1967 }
1968
1970 {
1971 ereport(elevel,
1972 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1975 line_num, file_name)));
1976 *err_msg = "list of RADIUS secrets cannot be empty";
1977 return NULL;
1978 }
1979
1980 /*
1981 * Verify length of option lists - each can be 0 (except for secrets,
1982 * but that's already checked above), 1 (use the same value
1983 * everywhere) or the same as the number of servers.
1984 */
1987 {
1988 ereport(elevel,
1989 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1990 errmsg("the number of RADIUS secrets (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1994 line_num, file_name)));
1995 *err_msg = psprintf("the number of RADIUS secrets (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1998 return NULL;
1999 }
2003 {
2004 ereport(elevel,
2005 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2006 errmsg("the number of RADIUS ports (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2010 line_num, file_name)));
2011 *err_msg = psprintf("the number of RADIUS ports (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2014 return NULL;
2015 }
2019 {
2020 ereport(elevel,
2021 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2022 errmsg("the number of RADIUS identifiers (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2026 line_num, file_name)));
2027 *err_msg = psprintf("the number of RADIUS identifiers (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2030 return NULL;
2031 }
2032 }
2033
2034 /*
2035 * Enforce any parameters implied by other settings.
2036 */
2038 {
2039 /*
2040 * For auth method cert, client certificate validation is mandatory,
2041 * and it implies the level of verify-full.
2042 */
2044 }
2045
2046 /*
2047 * Enforce proper configuration of OAuth authentication.
2048 */
2050 {
2053
2054 /* Ensure a validator library is set and permitted by the config. */
2056 return NULL;
2057
2058 /*
2059 * Supplying a usermap combined with the option to skip usermapping is
2060 * nonsensical and indicates a configuration error.
2061 */
2063 {
2064 ereport(elevel,
2065 errcode(ERRCODE_CONFIG_FILE_ERROR),
2066 /* translator: strings are replaced with hba options */
2068 "map", "delegate_ident_mapping"),
2070 line_num, file_name));
2071 *err_msg = "map cannot be used in combination with delegate_ident_mapping";
2072 return NULL;
2073 }
2074 }
2075
2076 return parsedline;
2077}
bool check_oauth_validator(HbaLine *hbaline, int elevel, char **err_msg)
Definition: auth-oauth.c:820
static bool parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int elevel, char **err_msg)
Definition: hba.c:2087
static int regcomp_auth_token(AuthToken *token, char *filename, int line_num, char **err_msg, int elevel)
Definition: hba.c:303
References HbaLine::addr, HbaLine::addrlen, Assert(), HbaLine::auth_method, check_oauth_validator(), HbaLine::clientcert, clientCertFull, HbaLine::compat_realm, HbaLine::conntype, copy_auth_token(), ctHost, ctHostGSS, ctHostNoGSS, ctHostNoSSL, ctHostSSL, ctLocal, HbaLine::databases, EnableSSL, ereport, TokenizedAuthLine::err_msg, errcode(), errcontext, errhint(), errmsg(), TokenizedAuthLine::fields, TokenizedAuthLine::file_name, gai_strerror(), HbaLine::hostname, HbaLine::include_realm, HbaLine::ip_cmp_method, ipCmpAll, ipCmpMask, ipCmpSameHost, ipCmpSameNet, lappend(), HbaLine::ldapbasedn, HbaLine::ldapbinddn, HbaLine::ldapbindpasswd, HbaLine::ldapprefix, HbaLine::ldapsearchattribute, HbaLine::ldapsearchfilter, HbaLine::ldapserver, HbaLine::ldapsuffix, List::length, lfirst, TokenizedAuthLine::line_num, HbaLine::linenumber, linitial, list_head(), list_length(), lnext(), MANDATORY_AUTH_ARG, HbaLine::mask, HbaLine::masklen, NIL, HbaLine::oauth_issuer, HbaLine::oauth_scope, HbaLine::oauth_skip_usermap, palloc0(), parse_hba_auth_opt(), pfree(), pg_freeaddrinfo_all(), pg_getaddrinfo_all(), pg_sockaddr_cidr_mask(), psprintf(), pstrdup(), HbaLine::radiusidentifiers, HbaLine::radiusports, HbaLine::radiussecrets, HbaLine::radiusservers, TokenizedAuthLine::raw_line, HbaLine::rawline, regcomp_auth_token(), HbaLine::roles, HbaLine::sourcefile, str, token, token_is_keyword, uaBSD, uaCert, uaGSS, uaIdent, uaLDAP, uaMD5, uaOAuth, uaPAM, uaPassword, uaPeer, uaRADIUS, uaReject, uaSCRAM, uaSSPI, uaTrust, HbaLine::upn_username, HbaLine::usermap, and val.
Referenced by fill_hba_view(), and load_hba().
◆ parse_ident_line()
| IdentLine * parse_ident_line | ( | TokenizedAuthLine * | tok_line, |
| int | elevel | ||
| ) |
Definition at line 2751 of file hba.c.
2752{
2756 ListCell *field;
2757 List *tokens;
2759 IdentLine *parsedline;
2760
2763
2765 parsedline->linenumber = line_num;
2766
2767 /* Get the map token (must exist) */
2768 tokens = lfirst(field);
2769 IDENT_MULTI_VALUE(tokens);
2772
2773 /* Get the ident user token */
2775 IDENT_FIELD_ABSENT(field);
2776 tokens = lfirst(field);
2777 IDENT_MULTI_VALUE(tokens);
2779
2780 /* Copy the ident user token */
2782
2783 /* Get the PG rolename token */
2785 IDENT_FIELD_ABSENT(field);
2786 tokens = lfirst(field);
2787 IDENT_MULTI_VALUE(tokens);
2790
2791 /*
2792 * Now that the field validation is done, compile a regex from the user
2793 * tokens, if necessary.
2794 */
2796 err_msg, elevel))
2797 {
2798 /* err_msg includes the error to report */
2799 return NULL;
2800 }
2801
2803 err_msg, elevel))
2804 {
2805 /* err_msg includes the error to report */
2806 return NULL;
2807 }
2808
2809 return parsedline;
2810}
References Assert(), copy_auth_token(), TokenizedAuthLine::err_msg, TokenizedAuthLine::fields, TokenizedAuthLine::file_name, IDENT_FIELD_ABSENT, IDENT_MULTI_VALUE, lfirst, TokenizedAuthLine::line_num, IdentLine::linenumber, linitial, list_head(), lnext(), NIL, palloc0(), IdentLine::pg_user, pstrdup(), regcomp_auth_token(), IdentLine::system_user, token, and IdentLine::usermap.
Referenced by fill_ident_view(), and load_ident().
◆ pg_isblank()
| bool pg_isblank | ( | const char | c | ) |
Definition at line 146 of file hba.c.
Referenced by interpret_ident_response(), and next_token().
◆ regcomp_auth_token()
|
static |
Definition at line 303 of file hba.c.
305{
306 pg_wchar *wstr;
307 int wlen;
308 int rc;
309
311
313 return 0; /* nothing to compile */
314
318 wstr, strlen(token->string + 1));
319
321
322 if (rc)
323 {
324 char errstr[100];
325
327 ereport(elevel,
328 (errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
330 token->string + 1, errstr),
332 line_num, filename)));
333
335 token->string + 1, errstr);
336 }
337
338 pfree(wstr);
339 return rc;
340}
int pg_mb2wchar_with_len(const char *from, pg_wchar *to, int len)
Definition: mbutils.c:986
int pg_regcomp(regex_t *re, const chr *string, size_t len, int flags, Oid collation)
Definition: regcomp.c:372
References Assert(), ereport, errcode(), errcontext, errmsg(), filename, palloc(), palloc0(), pfree(), pg_mb2wchar_with_len(), pg_regcomp(), pg_regerror(), psprintf(), REG_ADVANCED, and regex_t.
Referenced by parse_hba_line(), and parse_ident_line().
◆ regexec_auth_token()
|
static |
Definition at line 348 of file hba.c.
350{
351 pg_wchar *wmatchstr;
352 int wmatchlen;
353 int r;
354
356
358 wmatchlen = pg_mb2wchar_with_len(match, wmatchstr, strlen(match));
359
361
362 pfree(wmatchstr);
363 return r;
364}
int pg_regexec(regex_t *re, const chr *string, size_t len, size_t search_start, rm_detail_t *details, size_t nmatch, regmatch_t pmatch[], int flags)
Definition: regexec.c:185
References Assert(), palloc(), pfree(), pg_mb2wchar_with_len(), and pg_regexec().
Referenced by check_db(), check_ident_usermap(), and check_role().
◆ StaticAssertDecl()
| StaticAssertDecl | ( | lengthof(UserAuthName) | = =USER_AUTH_LAST+1, |
| "UserAuthName []must match the UserAuth enum" | |||
| ) |
◆ tokenize_auth_file()
| void tokenize_auth_file | ( | const char * | filename, |
| FILE * | file, | ||
| List ** | tok_lines, | ||
| int | elevel, | ||
| int | depth | ||
| ) |
Definition at line 691 of file hba.c.
693{
694 int line_number = 1;
696 MemoryContext linecxt;
698 ErrorContextCallback tokenerrcontext;
699 tokenize_error_callback_arg callback_arg;
700
702
704 callback_arg.linenum = line_number;
705
707 tokenerrcontext.arg = &callback_arg;
709 error_context_stack = &tokenerrcontext;
710
711 /*
712 * Do all the local tokenization in its own context, to ease the cleanup
713 * of any memory allocated while tokenizing.
714 */
716 "tokenize_auth_file",
717 ALLOCSET_SMALL_SIZES);
718 funccxt = MemoryContextSwitchTo(linecxt);
719
721
723 *tok_lines = NIL;
724
725 while (!feof(file) && !ferror(file))
726 {
727 TokenizedAuthLine *tok_line;
728 MemoryContext oldcxt;
731 char *err_msg = NULL;
732 int last_backslash_buflen = 0;
733 int continuations = 0;
734
735 /* Collect the next input line, handling backslash continuations */
737
739 {
740 /* Strip trailing newline, including \r in case we're on Windows */
742
743 /*
744 * Check for backslash continuation. The backslash must be after
745 * the last place we found a continuation, else two backslashes
746 * followed by two \n's would behave surprisingly.
747 */
750 {
751 /* Continuation, so strip it and keep reading */
753 last_backslash_buflen = buf.len;
754 continuations++;
755 continue;
756 }
757
758 /* Nope, so we have the whole line */
759 break;
760 }
761
762 if (ferror(file))
763 {
764 /* I/O error! */
765 int save_errno = errno;
766
767 ereport(elevel,
768 (errcode_for_file_access(),
770 errno = save_errno;
772 filename);
773 break;
774 }
775
776 /* Parse fields */
779 {
780 List *current_field;
781
783 elevel, depth, &err_msg);
784 /* add field to line, unless we are at EOL or comment start */
786 {
787 /*
788 * lappend() may do its own allocations, so move to the
789 * context for the list of tokens.
790 */
792 current_line = lappend(current_line, current_field);
793 MemoryContextSwitchTo(oldcxt);
794 }
795 }
796
797 /*
798 * Reached EOL; no need to emit line to TokenizedAuthLine list if it's
799 * boring.
800 */
802 goto next_line;
803
804 /* If the line is valid, check if that's an include directive */
806 {
807 AuthToken *first,
808 *second;
809
812
814 {
816 elevel, depth + 1, false, &err_msg);
817
818 if (err_msg)
819 goto process_line;
820
821 /*
822 * tokenize_auth_file() has taken care of creating the
823 * TokenizedAuthLines.
824 */
825 goto next_line;
826 }
828 {
829 char **filenames;
831 int num_filenames;
832 StringInfoData err_buf;
833
835 &num_filenames, &err_msg);
836
837 if (!filenames)
838 {
839 /* the error is in err_msg, so create an entry */
840 goto process_line;
841 }
842
843 initStringInfo(&err_buf);
845 {
847 elevel, depth + 1, false, &err_msg);
848 /* cumulate errors if any */
849 if (err_msg)
850 {
853 appendStringInfoString(&err_buf, err_msg);
854 }
855 }
856
857 /* clean up things */
860 pfree(filenames);
861
862 /*
863 * If there were no errors, the line is fully processed,
864 * bypass the general TokenizedAuthLine processing.
865 */
867 goto next_line;
868
869 /* Otherwise, process the cumulated errors, if any. */
870 err_msg = err_buf.data;
871 goto process_line;
872 }
874 {
875
877 elevel, depth + 1, true, &err_msg);
878 if (err_msg)
879 goto process_line;
880
881 /*
882 * tokenize_auth_file() has taken care of creating the
883 * TokenizedAuthLines.
884 */
885 goto next_line;
886 }
887 }
888
889process_line:
890
891 /*
892 * General processing: report the error if any and emit line to the
893 * TokenizedAuthLine. This is saved in the memory context dedicated
894 * to this list.
895 */
898 tok_line->fields = current_line;
900 tok_line->line_num = line_number;
903 *tok_lines = lappend(*tok_lines, tok_line);
904 MemoryContextSwitchTo(oldcxt);
905
906next_line:
907 line_number += continuations + 1;
908 callback_arg.linenum = line_number;
909 }
910
911 MemoryContextSwitchTo(funccxt);
912 MemoryContextDelete(linecxt);
913
915}
char ** GetConfFilesInDir(const char *includedir, const char *calling_file, int elevel, int *num_filenames, char **err_msg)
Definition: conffiles.c:70
static List * next_field_expand(const char *filename, char **lineptr, int elevel, int depth, char **err_msg)
Definition: hba.c:381
static void tokenize_include_file(const char *outer_filename, const char *inc_filename, List **tok_lines, int elevel, int depth, bool missing_ok, char **err_msg)
Definition: hba.c:440
bool pg_get_line_append(FILE *stream, StringInfo buf, PromptInterruptContext *prompt_ctx)
Definition: pg_get_line.c:124
void appendStringInfoString(StringInfo str, const char *s)
Definition: stringinfo.c:230
Definition: elog.h:296
Definition: hba.c:64
References ALLOCSET_SMALL_SIZES, AllocSetContextCreate, appendStringInfoChar(), appendStringInfoString(), ErrorContextCallback::arg, Assert(), buf, ErrorContextCallback::callback, CONF_FILE_START_DEPTH, CurrentMemoryContext, StringInfoData::data, ereport, TokenizedAuthLine::err_msg, errcode_for_file_access(), errmsg(), error_context_stack, TokenizedAuthLine::fields, TokenizedAuthLine::file_name, tokenize_error_callback_arg::filename, filename, GetConfFilesInDir(), i, initStringInfo(), lappend(), StringInfoData::len, TokenizedAuthLine::line_num, tokenize_error_callback_arg::linenum, linitial, linitial_node, list_length(), lsecond_node, MemoryContextDelete(), MemoryContextSwitchTo(), next_field_expand(), NIL, palloc0(), pfree(), pg_get_line_append(), pg_strip_crlf(), ErrorContextCallback::previous, psprintf(), pstrdup(), TokenizedAuthLine::raw_line, resetStringInfo(), AuthToken::string, tokenize_context, tokenize_error_callback(), and tokenize_include_file().
Referenced by fill_hba_view(), fill_ident_view(), load_hba(), load_ident(), tokenize_expand_file(), and tokenize_include_file().
◆ tokenize_error_callback()
|
static |
Definition at line 662 of file hba.c.
663{
665
668}
References arg, errcontext, tokenize_error_callback_arg::filename, and tokenize_error_callback_arg::linenum.
Referenced by tokenize_auth_file().
◆ tokenize_expand_file()
|
static |
Definition at line 495 of file hba.c.
501{
502 char *inc_fullname;
503 FILE *inc_file;
505 ListCell *inc_line;
506
507 inc_fullname = AbsoluteConfigLocation(inc_filename, outer_filename);
508 inc_file = open_auth_file(inc_fullname, elevel, depth, err_msg);
509
510 if (inc_file == NULL)
511 {
512 /* error already logged */
513 pfree(inc_fullname);
514 return tokens;
515 }
516
517 /*
518 * There is possible recursion here if the file contains @ or an include
519 * record.
520 */
521 tokenize_auth_file(inc_fullname, inc_file, &inc_lines, elevel,
522 depth);
523
524 pfree(inc_fullname);
525
526 /*
527 * Move all the tokens found in the file to the tokens list. These are
528 * already saved in tokenize_context.
529 */
530 foreach(inc_line, inc_lines)
531 {
533 ListCell *inc_field;
534
535 /* If any line has an error, propagate that up to caller */
537 {
539 break;
540 }
541
543 {
545 ListCell *inc_token;
546
547 foreach(inc_token, inc_tokens)
548 {
550 MemoryContext oldcxt;
551
552 /*
553 * lappend() may do its own allocations, so move to the
554 * context for the list of tokens.
555 */
558 MemoryContextSwitchTo(oldcxt);
559 }
560 }
561 }
562
563 free_auth_file(inc_file, depth);
564 return tokens;
565}
char * AbsoluteConfigLocation(const char *location, const char *calling_file)
Definition: conffiles.c:36
References AbsoluteConfigLocation(), TokenizedAuthLine::err_msg, TokenizedAuthLine::fields, free_auth_file(), lappend(), lfirst, MemoryContextSwitchTo(), NIL, open_auth_file(), pfree(), pstrdup(), tokenize_auth_file(), and tokenize_context.
Referenced by next_field_expand().
◆ tokenize_include_file()
|
static |
Definition at line 440 of file hba.c.
447{
448 char *inc_fullname;
449 FILE *inc_file;
450
451 inc_fullname = AbsoluteConfigLocation(inc_filename, outer_filename);
452 inc_file = open_auth_file(inc_fullname, elevel, depth, err_msg);
453
454 if (!inc_file)
455 {
456 if (errno == ENOENT && missing_ok)
457 {
458 ereport(elevel,
460 inc_fullname)));
461 *err_msg = NULL;
462 pfree(inc_fullname);
463 return;
464 }
465
466 /* error in err_msg, so leave and report */
467 pfree(inc_fullname);
468 Assert(err_msg);
469 return;
470 }
471
472 tokenize_auth_file(inc_fullname, inc_file, tok_lines, elevel,
473 depth);
474 free_auth_file(inc_file, depth);
475 pfree(inc_fullname);
476}
References AbsoluteConfigLocation(), Assert(), ereport, errmsg(), free_auth_file(), open_auth_file(), pfree(), and tokenize_auth_file().
Referenced by tokenize_auth_file().
Variable Documentation
◆ parsed_hba_context
|
static |
Definition at line 87 of file hba.c.
Referenced by load_hba().
◆ parsed_hba_lines
Definition at line 86 of file hba.c.
Referenced by check_hba(), and load_hba().
◆ parsed_ident_context
|
static |
Definition at line 94 of file hba.c.
Referenced by load_ident().
◆ parsed_ident_lines
Definition at line 93 of file hba.c.
Referenced by check_usermap(), and load_ident().
◆ tokenize_context
|
static |
Definition at line 80 of file hba.c.
Referenced by free_auth_file(), next_field_expand(), open_auth_file(), tokenize_auth_file(), and tokenize_expand_file().
◆ UserAuthName
|
static |
Initial value:
=
{
"reject",
"implicit reject",
"trust",
"ident",
"password",
"md5",
"scram-sha-256",
"gss",
"sspi",
"pam",
"bsd",
"ldap",
"cert",
"radius",
"peer",
"oauth",
}
Definition at line 102 of file hba.c.
Referenced by hba_authname().
