PostgreSQL Source Code  git master
Data Structures | Macros | Typedefs | Functions | Variables
hba.c File Reference
#include "postgres.h"
#include <ctype.h>
#include <pwd.h>
#include <fcntl.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include "access/htup_details.h"
#include "catalog/pg_collation.h"
#include "catalog/pg_type.h"
#include "common/ip.h"
#include "funcapi.h"
#include "libpq/ifaddr.h"
#include "libpq/libpq.h"
#include "miscadmin.h"
#include "postmaster/postmaster.h"
#include "regex/regex.h"
#include "replication/walsender.h"
#include "storage/fd.h"
#include "utils/acl.h"
#include "utils/builtins.h"
#include "utils/guc.h"
#include "utils/lsyscache.h"
#include "utils/memutils.h"
#include "utils/varlena.h"
Include dependency graph for hba.c:

Go to the source code of this file.

Data Structures

struct  check_network_data
 
struct  HbaToken
 
struct  TokenizedLine
 

Macros

#define MAX_TOKEN   256
 
#define MAX_LINE   8192
 
#define token_is_keyword(t, k)   (!t->quoted && strcmp(t->string, k) == 0)
 
#define token_matches(t, k)   (strcmp(t->string, k) == 0)
 
#define INVALID_AUTH_OPTION(optname, validmethods)
 
#define REQUIRE_AUTH_OPTION(methodval, optname, validmethods)
 
#define MANDATORY_AUTH_ARG(argvar, argname, authname)
 
#define IDENT_FIELD_ABSENT(field)
 
#define IDENT_MULTI_VALUE(tokens)
 
#define MAX_HBA_OPTIONS   14
 
#define NUM_PG_HBA_FILE_RULES_ATTS   9
 

Typedefs

typedef struct check_network_data check_network_data
 
typedef struct HbaToken HbaToken
 
typedef struct TokenizedLine TokenizedLine
 

Functions

static MemoryContext tokenize_file (const char *filename, FILE *file, List **tok_lines, int elevel)
 
static Listtokenize_inc_file (List *tokens, const char *outer_filename, const char *inc_filename, int elevel, char **err_msg)
 
static bool parse_hba_auth_opt (char *name, char *val, HbaLine *hbaline, int elevel, char **err_msg)
 
static bool verify_option_list_length (List *options, const char *optionname, List *comparelist, const char *comparename, int line_num)
 
static ArrayTypegethba_options (HbaLine *hba)
 
static void fill_hba_line (Tuplestorestate *tuple_store, TupleDesc tupdesc, int lineno, HbaLine *hba, const char *err_msg)
 
static void fill_hba_view (Tuplestorestate *tuple_store, TupleDesc tupdesc)
 
bool pg_isblank (const char c)
 
static bool next_token (char **lineptr, char *buf, int bufsz, bool *initial_quote, bool *terminating_comma, int elevel, char **err_msg)
 
static HbaTokenmake_hba_token (const char *token, bool quoted)
 
static HbaTokencopy_hba_token (HbaToken *in)
 
static Listnext_field_expand (const char *filename, char **lineptr, int elevel, char **err_msg)
 
static bool is_member (Oid userid, const char *role)
 
static bool check_role (const char *role, Oid roleid, List *tokens)
 
static bool check_db (const char *dbname, const char *role, Oid roleid, List *tokens)
 
static bool ipv4eq (struct sockaddr_in *a, struct sockaddr_in *b)
 
static bool hostname_match (const char *pattern, const char *actual_hostname)
 
static bool check_hostname (hbaPort *port, const char *hostname)
 
static bool check_ip (SockAddr *raddr, struct sockaddr *addr, struct sockaddr *mask)
 
static void check_network_callback (struct sockaddr *addr, struct sockaddr *netmask, void *cb_data)
 
static bool check_same_host_or_net (SockAddr *raddr, IPCompareMethod method)
 
static HbaLineparse_hba_line (TokenizedLine *tok_line, int elevel)
 
static void check_hba (hbaPort *port)
 
bool load_hba (void)
 
Datum pg_hba_file_rules (PG_FUNCTION_ARGS)
 
static IdentLineparse_ident_line (TokenizedLine *tok_line)
 
static void check_ident_usermap (IdentLine *identLine, const char *usermap_name, const char *pg_role, const char *ident_user, bool case_insensitive, bool *found_p, bool *error_p)
 
int check_usermap (const char *usermap_name, const char *pg_role, const char *auth_user, bool case_insensitive)
 
bool load_ident (void)
 
void hba_getauthmethod (hbaPort *port)
 

Variables

static Listparsed_hba_lines = NIL
 
static MemoryContext parsed_hba_context = NULL
 
static Listparsed_ident_lines = NIL
 
static MemoryContext parsed_ident_context = NULL
 
static const char *const UserAuthName []
 

Macro Definition Documentation

◆ IDENT_FIELD_ABSENT

#define IDENT_FIELD_ABSENT (   field)
Value:
do { \
if (!field) { \
ereport(LOG, \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
errmsg("missing entry in file \"%s\" at end of line %d", \
IdentFileName, line_num))); \
return NULL; \
} \
} while (0)
errcode
int errcode(int sqlerrcode)
Definition: elog.c:610
LOG
#define LOG
Definition: elog.h:26
IdentFileName
char * IdentFileName
Definition: guc.c:558
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824

Definition at line 908 of file hba.c.

Referenced by parse_ident_line().

◆ IDENT_MULTI_VALUE

#define IDENT_MULTI_VALUE (   tokens)
Value:
do { \
if (tokens->length > 1) { \
ereport(LOG, \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
errmsg("multiple values in ident field"), \
errcontext("line %d of configuration file \"%s\"", \
line_num, IdentFileName))); \
return NULL; \
} \
} while (0)
errcode
int errcode(int sqlerrcode)
Definition: elog.c:610
LOG
#define LOG
Definition: elog.h:26
IdentFileName
char * IdentFileName
Definition: guc.c:558
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824
errcontext
#define errcontext
Definition: elog.h:185

Definition at line 919 of file hba.c.

Referenced by parse_ident_line().

◆ INVALID_AUTH_OPTION

#define INVALID_AUTH_OPTION (   optname,
  validmethods 
)
Value:
do { \
ereport(elevel, \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
/* translator: the second %s is a list of auth methods */ \
errmsg("authentication option \"%s\" is only valid for authentication methods %s", \
optname, _(validmethods)), \
errcontext("line %d of configuration file \"%s\"", \
line_num, HbaFileName))); \
*err_msg = psprintf("authentication option \"%s\" is only valid for authentication methods %s", \
optname, validmethods); \
return false; \
} while (0)
psprintf
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
errcode
int errcode(int sqlerrcode)
Definition: elog.c:610
HbaFileName
char * HbaFileName
Definition: guc.c:557
elevel
static int elevel
Definition: vacuumlazy.c:330
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824
errcontext
#define errcontext
Definition: elog.h:185
_
#define _(x)
Definition: elog.c:88

Definition at line 860 of file hba.c.

Referenced by parse_hba_auth_opt().

◆ MANDATORY_AUTH_ARG

#define MANDATORY_AUTH_ARG (   argvar,
  argname,
  authname 
)
Value:
do { \
if (argvar == NULL) { \
ereport(elevel, \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
errmsg("authentication method \"%s\" requires argument \"%s\" to be set", \
authname, argname), \
errcontext("line %d of configuration file \"%s\"", \
line_num, HbaFileName))); \
*err_msg = psprintf("authentication method \"%s\" requires argument \"%s\" to be set", \
authname, argname); \
return NULL; \
} \
} while (0)
psprintf
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
errcode
int errcode(int sqlerrcode)
Definition: elog.c:610
HbaFileName
char * HbaFileName
Definition: guc.c:557
elevel
static int elevel
Definition: vacuumlazy.c:330
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824
errcontext
#define errcontext
Definition: elog.h:185

Definition at line 880 of file hba.c.

Referenced by parse_hba_line().

◆ MAX_HBA_OPTIONS

#define MAX_HBA_OPTIONS   14

Definition at line 2285 of file hba.c.

Referenced by gethba_options().

◆ MAX_LINE

#define MAX_LINE   8192

Definition at line 57 of file hba.c.

Referenced by tokenize_file().

◆ MAX_TOKEN

#define MAX_TOKEN   256

Definition at line 56 of file hba.c.

Referenced by next_field_expand().

◆ NUM_PG_HBA_FILE_RULES_ATTS

#define NUM_PG_HBA_FILE_RULES_ATTS   9

Definition at line 2401 of file hba.c.

Referenced by fill_hba_line().

◆ REQUIRE_AUTH_OPTION

#define REQUIRE_AUTH_OPTION (   methodval,
  optname,
  validmethods 
)
Value:
do { \
if (hbaline->auth_method != methodval) \
INVALID_AUTH_OPTION(optname, validmethods); \
} while (0)

Definition at line 874 of file hba.c.

Referenced by parse_hba_auth_opt().

◆ token_is_keyword

#define token_is_keyword (   t,
 
)    (!t->quoted && strcmp(t->string, k) == 0)

Definition at line 68 of file hba.c.

Referenced by check_db(), check_role(), and parse_hba_line().

◆ token_matches

#define token_matches (   t,
 
)    (strcmp(t->string, k) == 0)

Definition at line 69 of file hba.c.

Referenced by check_db(), and check_role().

Typedef Documentation

◆ check_network_data

typedef struct check_network_data check_network_data

◆ HbaToken

typedef struct HbaToken HbaToken

◆ TokenizedLine

typedef struct TokenizedLine TokenizedLine

Function Documentation

◆ check_db()

static bool check_db ( const char *  dbname,
const char *  role,
Oid  roleid,
List tokens 
)
static

Definition at line 610 of file hba.c.

References am_db_walsender, am_walsender, is_member(), lfirst, token_is_keyword, and token_matches.

Referenced by check_hba().

611 {
612  ListCell *cell;
613  HbaToken *tok;
614 
615  foreach(cell, tokens)
616  {
617  tok = lfirst(cell);
618  if (am_walsender && !am_db_walsender)
619  {
620  /*
621  * physical replication walsender connections can only match
622  * replication keyword
623  */
624  if (token_is_keyword(tok, "replication"))
625  return true;
626  }
627  else if (token_is_keyword(tok, "all"))
628  return true;
629  else if (token_is_keyword(tok, "sameuser"))
630  {
631  if (strcmp(dbname, role) == 0)
632  return true;
633  }
634  else if (token_is_keyword(tok, "samegroup") ||
635  token_is_keyword(tok, "samerole"))
636  {
637  if (is_member(roleid, dbname))
638  return true;
639  }
640  else if (token_is_keyword(tok, "replication"))
641  continue; /* never match this if not walsender */
642  else if (token_matches(tok, dbname))
643  return true;
644  }
645  return false;
646 }
token_matches
#define token_matches(t, k)
Definition: hba.c:69
am_walsender
bool am_walsender
Definition: walsender.c:115
HbaToken
Definition: hba.c:75
am_db_walsender
bool am_db_walsender
Definition: walsender.c:118
lfirst
#define lfirst(lc)
Definition: pg_list.h:190
dbname
char * dbname
Definition: streamutil.c:50
is_member
static bool is_member(Oid userid, const char *role)
Definition: hba.c:562
token_is_keyword
#define token_is_keyword(t, k)
Definition: hba.c:68

◆ check_hba()

static void check_hba ( hbaPort port)
static

Definition at line 2073 of file hba.c.

References SockAddr::addr, HbaLine::addr, HbaLine::auth_method, check_db(), check_hostname(), check_ip(), check_role(), check_same_host_or_net(), HbaLine::conntype, ctHostGSS, ctHostNoGSS, ctHostNoSSL, ctHostSSL, ctLocal, Port::database_name, HbaLine::databases, get_role_oid(), Port::gss, Port::hba, HbaLine::hostname, HbaLine::ip_cmp_method, ipCmpAll, ipCmpMask, ipCmpSameHost, ipCmpSameNet, IS_AF_UNIX, lfirst, HbaLine::mask, palloc0(), Port::raddr, HbaLine::roles, Port::ssl_in_use, uaImplicitReject, and Port::user_name.

Referenced by hba_getauthmethod().

2074 {
2075  Oid roleid;
2076  ListCell *line;
2077  HbaLine *hba;
2078 
2079  /* Get the target role's OID. Note we do not error out for bad role. */
2080  roleid = get_role_oid(port->user_name, true);
2081 
2082  foreach(line, parsed_hba_lines)
2083  {
2084  hba = (HbaLine *) lfirst(line);
2085 
2086  /* Check connection type */
2087  if (hba->conntype == ctLocal)
2088  {
2089  if (!IS_AF_UNIX(port->raddr.addr.ss_family))
2090  continue;
2091  }
2092  else
2093  {
2094  if (IS_AF_UNIX(port->raddr.addr.ss_family))
2095  continue;
2096 
2097  /* Check SSL state */
2098  if (port->ssl_in_use)
2099  {
2100  /* Connection is SSL, match both "host" and "hostssl" */
2101  if (hba->conntype == ctHostNoSSL)
2102  continue;
2103  }
2104  else
2105  {
2106  /* Connection is not SSL, match both "host" and "hostnossl" */
2107  if (hba->conntype == ctHostSSL)
2108  continue;
2109  }
2110 
2111  /* Check GSSAPI state */
2112 #ifdef ENABLE_GSS
2113  if (port->gss->enc && hba->conntype == ctHostNoGSS)
2114  continue;
2115  else if (!port->gss->enc && hba->conntype == ctHostGSS)
2116  continue;
2117 #else
2118  if (hba->conntype == ctHostGSS)
2119  continue;
2120 #endif
2121 
2122  /* Check IP address */
2123  switch (hba->ip_cmp_method)
2124  {
2125  case ipCmpMask:
2126  if (hba->hostname)
2127  {
2128  if (!check_hostname(port,
2129  hba->hostname))
2130  continue;
2131  }
2132  else
2133  {
2134  if (!check_ip(&port->raddr,
2135  (struct sockaddr *) &hba->addr,
2136  (struct sockaddr *) &hba->mask))
2137  continue;
2138  }
2139  break;
2140  case ipCmpAll:
2141  break;
2142  case ipCmpSameHost:
2143  case ipCmpSameNet:
2144  if (!check_same_host_or_net(&port->raddr,
2145  hba->ip_cmp_method))
2146  continue;
2147  break;
2148  default:
2149  /* shouldn't get here, but deem it no-match if so */
2150  continue;
2151  }
2152  } /* != ctLocal */
2153 
2154  /* Check database and role */
2155  if (!check_db(port->database_name, port->user_name, roleid,
2156  hba->databases))
2157  continue;
2158 
2159  if (!check_role(port->user_name, roleid, hba->roles))
2160  continue;
2161 
2162  /* Found a record that matched! */
2163  port->hba = hba;
2164  return;
2165  }
2166 
2167  /* If no matching entry was found, then implicitly reject. */
2168  hba = palloc0(sizeof(HbaLine));
2169  hba->auth_method = uaImplicitReject;
2170  port->hba = hba;
2171 }
HbaLine::databases
List * databases
Definition: hba.h:75
HbaLine
Definition: hba.h:70
HbaLine::mask
struct sockaddr_storage mask
Definition: hba.h:78
ipCmpMask
Definition: hba.h:47
SockAddr::addr
struct sockaddr_storage addr
Definition: pqcomm.h:64
Port::ssl_in_use
bool ssl_in_use
Definition: libpq-be.h:190
Oid
unsigned int Oid
Definition: postgres_ext.h:31
check_hostname
static bool check_hostname(hbaPort *port, const char *hostname)
Definition: hba.c:693
parsed_hba_lines
static List * parsed_hba_lines
Definition: hba.c:101
get_role_oid
Oid get_role_oid(const char *rolname, bool missing_ok)
Definition: acl.c:5175
Port::raddr
SockAddr raddr
Definition: libpq-be.h:126
HbaLine::conntype
ConnType conntype
Definition: hba.h:74
ctHostSSL
Definition: hba.h:57
HbaLine::addr
struct sockaddr_storage addr
Definition: hba.h:77
IS_AF_UNIX
#define IS_AF_UNIX(fam)
Definition: ip.h:24
ctHostGSS
Definition: hba.h:59
check_ip
static bool check_ip(SockAddr *raddr, struct sockaddr *addr, struct sockaddr *mask)
Definition: hba.c:786
Port::user_name
char * user_name
Definition: libpq-be.h:141
check_role
static bool check_role(const char *role, Oid roleid, List *tokens)
Definition: hba.c:586
ctLocal
Definition: hba.h:55
Port::hba
HbaLine * hba
Definition: libpq-be.h:155
ipCmpAll
Definition: hba.h:50
palloc0
void * palloc0(Size size)
Definition: mcxt.c:980
HbaLine::hostname
char * hostname
Definition: hba.h:80
HbaLine::roles
List * roles
Definition: hba.h:76
lfirst
#define lfirst(lc)
Definition: pg_list.h:190
check_db
static bool check_db(const char *dbname, const char *role, Oid roleid, List *tokens)
Definition: hba.c:610
Port::gss
void * gss
Definition: libpq-be.h:184
check_same_host_or_net
static bool check_same_host_or_net(SockAddr *raddr, IPCompareMethod method)
Definition: hba.c:827
HbaLine::ip_cmp_method
IPCompareMethod ip_cmp_method
Definition: hba.h:79
Port::database_name
char * database_name
Definition: libpq-be.h:140
HbaLine::auth_method
UserAuth auth_method
Definition: hba.h:81

◆ check_hostname()

static bool check_hostname ( hbaPort port,
const char *  hostname 
)
static

Definition at line 693 of file hba.c.

References SockAddr::addr, addrinfo::ai_addr, addrinfo::ai_next, DEBUG2, elog, freeaddrinfo, getaddrinfo, hostname_match(), ipv4eq(), NI_MAXHOST, NI_NAMEREQD, pg_getnameinfo_all(), pstrdup(), Port::raddr, Port::remote_hostname, Port::remote_hostname_errcode, Port::remote_hostname_resolv, and SockAddr::salen.

Referenced by check_hba().

694 {
695  struct addrinfo *gai_result,
696  *gai;
697  int ret;
698  bool found;
699 
700  /* Quick out if remote host name already known bad */
701  if (port->remote_hostname_resolv < 0)
702  return false;
703 
704  /* Lookup remote host name if not already done */
705  if (!port->remote_hostname)
706  {
707  char remote_hostname[NI_MAXHOST];
708 
709  ret = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
710  remote_hostname, sizeof(remote_hostname),
711  NULL, 0,
712  NI_NAMEREQD);
713  if (ret != 0)
714  {
715  /* remember failure; don't complain in the postmaster log yet */
716  port->remote_hostname_resolv = -2;
717  port->remote_hostname_errcode = ret;
718  return false;
719  }
720 
721  port->remote_hostname = pstrdup(remote_hostname);
722  }
723 
724  /* Now see if remote host name matches this pg_hba line */
725  if (!hostname_match(hostname, port->remote_hostname))
726  return false;
727 
728  /* If we already verified the forward lookup, we're done */
729  if (port->remote_hostname_resolv == +1)
730  return true;
731 
732  /* Lookup IP from host name and check against original IP */
733  ret = getaddrinfo(port->remote_hostname, NULL, NULL, &gai_result);
734  if (ret != 0)
735  {
736  /* remember failure; don't complain in the postmaster log yet */
737  port->remote_hostname_resolv = -2;
738  port->remote_hostname_errcode = ret;
739  return false;
740  }
741 
742  found = false;
743  for (gai = gai_result; gai; gai = gai->ai_next)
744  {
745  if (gai->ai_addr->sa_family == port->raddr.addr.ss_family)
746  {
747  if (gai->ai_addr->sa_family == AF_INET)
748  {
749  if (ipv4eq((struct sockaddr_in *) gai->ai_addr,
750  (struct sockaddr_in *) &port->raddr.addr))
751  {
752  found = true;
753  break;
754  }
755  }
756 #ifdef HAVE_IPV6
757  else if (gai->ai_addr->sa_family == AF_INET6)
758  {
759  if (ipv6eq((struct sockaddr_in6 *) gai->ai_addr,
760  (struct sockaddr_in6 *) &port->raddr.addr))
761  {
762  found = true;
763  break;
764  }
765  }
766 #endif
767  }
768  }
769 
770  if (gai_result)
771  freeaddrinfo(gai_result);
772 
773  if (!found)
774  elog(DEBUG2, "pg_hba.conf host name \"%s\" rejected because address resolution did not return a match with IP address of client",
775  hostname);
776 
777  port->remote_hostname_resolv = found ? +1 : -1;
778 
779  return found;
780 }
getaddrinfo
#define getaddrinfo
Definition: getaddrinfo.h:136
NI_NAMEREQD
#define NI_NAMEREQD
Definition: getaddrinfo.h:84
pstrdup
char * pstrdup(const char *in)
Definition: mcxt.c:1186
freeaddrinfo
#define freeaddrinfo
Definition: getaddrinfo.h:141
SockAddr::addr
struct sockaddr_storage addr
Definition: pqcomm.h:64
ipv4eq
static bool ipv4eq(struct sockaddr_in *a, struct sockaddr_in *b)
Definition: hba.c:649
Port::remote_hostname
char * remote_hostname
Definition: libpq-be.h:128
Port::raddr
SockAddr raddr
Definition: libpq-be.h:126
NI_MAXHOST
#define NI_MAXHOST
Definition: getaddrinfo.h:88
hostname_match
static bool hostname_match(const char *pattern, const char *actual_hostname)
Definition: hba.c:673
DEBUG2
#define DEBUG2
Definition: elog.h:24
Port::remote_hostname_errcode
int remote_hostname_errcode
Definition: libpq-be.h:131
SockAddr::salen
ACCEPT_TYPE_ARG3 salen
Definition: pqcomm.h:65
pg_getnameinfo_all
int pg_getnameinfo_all(const struct sockaddr_storage *addr, int salen, char *node, int nodelen, char *service, int servicelen, int flags)
Definition: ip.c:122
Port::remote_hostname_resolv
int remote_hostname_resolv
Definition: libpq-be.h:130
addrinfo::ai_next
struct addrinfo * ai_next
Definition: getaddrinfo.h:107
elog
#define elog(elevel,...)
Definition: elog.h:214
hostname
static char * hostname
Definition: pg_regress.c:89
addrinfo::ai_addr
struct sockaddr * ai_addr
Definition: getaddrinfo.h:105

◆ check_ident_usermap()

static void check_ident_usermap ( IdentLine identLine,
const char *  usermap_name,
const char *  pg_role,
const char *  ident_user,
bool  case_insensitive,
bool found_p,
bool error_p 
)
static

Definition at line 2789 of file hba.c.

References ereport, errcode(), errmsg(), IdentLine::ident_user, LOG, palloc(), palloc0(), pfree(), pg_mb2wchar_with_len(), pg_regerror(), pg_regexec(), IdentLine::pg_role, pg_strcasecmp(), pstrdup(), IdentLine::re, REG_NOMATCH, regmatch_t::rm_eo, regmatch_t::rm_so, and IdentLine::usermap.

Referenced by check_usermap().

2792 {
2793  *found_p = false;
2794  *error_p = false;
2795 
2796  if (strcmp(identLine->usermap, usermap_name) != 0)
2797  /* Line does not match the map name we're looking for, so just abort */
2798  return;
2799 
2800  /* Match? */
2801  if (identLine->ident_user[0] == '/')
2802  {
2803  /*
2804  * When system username starts with a slash, treat it as a regular
2805  * expression. In this case, we process the system username as a
2806  * regular expression that returns exactly one match. This is replaced
2807  * for \1 in the database username string, if present.
2808  */
2809  int r;
2810  regmatch_t matches[2];
2811  pg_wchar *wstr;
2812  int wlen;
2813  char *ofs;
2814  char *regexp_pgrole;
2815 
2816  wstr = palloc((strlen(ident_user) + 1) * sizeof(pg_wchar));
2817  wlen = pg_mb2wchar_with_len(ident_user, wstr, strlen(ident_user));
2818 
2819  r = pg_regexec(&identLine->re, wstr, wlen, 0, NULL, 2, matches, 0);
2820  if (r)
2821  {
2822  char errstr[100];
2823 
2824  if (r != REG_NOMATCH)
2825  {
2826  /* REG_NOMATCH is not an error, everything else is */
2827  pg_regerror(r, &identLine->re, errstr, sizeof(errstr));
2828  ereport(LOG,
2829  (errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
2830  errmsg("regular expression match for \"%s\" failed: %s",
2831  identLine->ident_user + 1, errstr)));
2832  *error_p = true;
2833  }
2834 
2835  pfree(wstr);
2836  return;
2837  }
2838  pfree(wstr);
2839 
2840  if ((ofs = strstr(identLine->pg_role, "\\1")) != NULL)
2841  {
2842  int offset;
2843 
2844  /* substitution of the first argument requested */
2845  if (matches[1].rm_so < 0)
2846  {
2847  ereport(LOG,
2848  (errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
2849  errmsg("regular expression \"%s\" has no subexpressions as requested by backreference in \"%s\"",
2850  identLine->ident_user + 1, identLine->pg_role)));
2851  *error_p = true;
2852  return;
2853  }
2854 
2855  /*
2856  * length: original length minus length of \1 plus length of match
2857  * plus null terminator
2858  */
2859  regexp_pgrole = palloc0(strlen(identLine->pg_role) - 2 + (matches[1].rm_eo - matches[1].rm_so) + 1);
2860  offset = ofs - identLine->pg_role;
2861  memcpy(regexp_pgrole, identLine->pg_role, offset);
2862  memcpy(regexp_pgrole + offset,
2863  ident_user + matches[1].rm_so,
2864  matches[1].rm_eo - matches[1].rm_so);
2865  strcat(regexp_pgrole, ofs + 2);
2866  }
2867  else
2868  {
2869  /* no substitution, so copy the match */
2870  regexp_pgrole = pstrdup(identLine->pg_role);
2871  }
2872 
2873  /*
2874  * now check if the username actually matched what the user is trying
2875  * to connect as
2876  */
2877  if (case_insensitive)
2878  {
2879  if (pg_strcasecmp(regexp_pgrole, pg_role) == 0)
2880  *found_p = true;
2881  }
2882  else
2883  {
2884  if (strcmp(regexp_pgrole, pg_role) == 0)
2885  *found_p = true;
2886  }
2887  pfree(regexp_pgrole);
2888 
2889  return;
2890  }
2891  else
2892  {
2893  /* Not regular expression, so make complete match */
2894  if (case_insensitive)
2895  {
2896  if (pg_strcasecmp(identLine->pg_role, pg_role) == 0 &&
2897  pg_strcasecmp(identLine->ident_user, ident_user) == 0)
2898  *found_p = true;
2899  }
2900  else
2901  {
2902  if (strcmp(identLine->pg_role, pg_role) == 0 &&
2903  strcmp(identLine->ident_user, ident_user) == 0)
2904  *found_p = true;
2905  }
2906  }
2907 }
IdentLine::re
regex_t re
Definition: hba.h:120
pstrdup
char * pstrdup(const char *in)
Definition: mcxt.c:1186
regmatch_t::rm_so
regoff_t rm_so
Definition: regex.h:85
errcode
int errcode(int sqlerrcode)
Definition: elog.c:610
pg_strcasecmp
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36
LOG
#define LOG
Definition: elog.h:26
regmatch_t::rm_eo
regoff_t rm_eo
Definition: regex.h:86
pfree
void pfree(void *pointer)
Definition: mcxt.c:1056
IdentLine::usermap
char * usermap
Definition: hba.h:117
regmatch_t
Definition: regex.h:83
pg_regerror
size_t pg_regerror(int errcode, const regex_t *preg, char *errbuf, size_t errbuf_size)
Definition: regerror.c:60
pg_wchar
unsigned int pg_wchar
Definition: mbprint.c:31
palloc0
void * palloc0(Size size)
Definition: mcxt.c:980
pg_mb2wchar_with_len
int pg_mb2wchar_with_len(const char *from, pg_wchar *to, int len)
Definition: mbutils.c:870
ereport
#define ereport(elevel,...)
Definition: elog.h:144
IdentLine::ident_user
char * ident_user
Definition: hba.h:118
pg_regexec
int pg_regexec(regex_t *re, const chr *string, size_t len, size_t search_start, rm_detail_t *details, size_t nmatch, regmatch_t pmatch[], int flags)
Definition: regexec.c:172
palloc
void * palloc(Size size)
Definition: mcxt.c:949
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824
REG_NOMATCH
#define REG_NOMATCH
Definition: regex.h:138
IdentLine::pg_role
char * pg_role
Definition: hba.h:119

◆ check_ip()

static bool check_ip ( SockAddr raddr,
struct sockaddr *  addr,
struct sockaddr *  mask 
)
static

Definition at line 786 of file hba.c.

References SockAddr::addr, and pg_range_sockaddr().

Referenced by check_hba(), and check_network_callback().

787 {
788  if (raddr->addr.ss_family == addr->sa_family &&
789  pg_range_sockaddr(&raddr->addr,
790  (struct sockaddr_storage *) addr,
791  (struct sockaddr_storage *) mask))
792  return true;
793  return false;
794 }
SockAddr::addr
struct sockaddr_storage addr
Definition: pqcomm.h:64
pg_range_sockaddr
int pg_range_sockaddr(const struct sockaddr_storage *addr, const struct sockaddr_storage *netaddr, const struct sockaddr_storage *netmask)
Definition: ifaddr.c:53
sockaddr_storage
Definition: pqcomm.h:44

◆ check_network_callback()

static void check_network_callback ( struct sockaddr *  addr,
struct sockaddr *  netmask,
void *  cb_data 
)
static

Definition at line 800 of file hba.c.

References check_ip(), ipCmpSameHost, check_network_data::method, pg_sockaddr_cidr_mask(), check_network_data::raddr, and check_network_data::result.

Referenced by check_same_host_or_net().

802 {
803  check_network_data *cn = (check_network_data *) cb_data;
804  struct sockaddr_storage mask;
805 
806  /* Already found a match? */
807  if (cn->result)
808  return;
809 
810  if (cn->method == ipCmpSameHost)
811  {
812  /* Make an all-ones netmask of appropriate length for family */
813  pg_sockaddr_cidr_mask(&mask, NULL, addr->sa_family);
814  cn->result = check_ip(cn->raddr, addr, (struct sockaddr *) &mask);
815  }
816  else
817  {
818  /* Use the netmask of the interface itself */
819  cn->result = check_ip(cn->raddr, addr, netmask);
820  }
821 }
check_network_data::raddr
SockAddr * raddr
Definition: hba.c:63
check_network_data
Definition: hba.c:60
check_network_data::method
IPCompareMethod method
Definition: hba.c:62
pg_sockaddr_cidr_mask
int pg_sockaddr_cidr_mask(struct sockaddr_storage *mask, char *numbits, int family)
Definition: ifaddr.c:115
check_ip
static bool check_ip(SockAddr *raddr, struct sockaddr *addr, struct sockaddr *mask)
Definition: hba.c:786
sockaddr_storage
Definition: pqcomm.h:44
check_network_data::result
bool result
Definition: hba.c:64

◆ check_role()

static bool check_role ( const char *  role,
Oid  roleid,
List tokens 
)
static

Definition at line 586 of file hba.c.

References is_member(), lfirst, HbaToken::quoted, HbaToken::string, token_is_keyword, and token_matches.

Referenced by check_hba().

587 {
588  ListCell *cell;
589  HbaToken *tok;
590 
591  foreach(cell, tokens)
592  {
593  tok = lfirst(cell);
594  if (!tok->quoted && tok->string[0] == '+')
595  {
596  if (is_member(roleid, tok->string + 1))
597  return true;
598  }
599  else if (token_matches(tok, role) ||
600  token_is_keyword(tok, "all"))
601  return true;
602  }
603  return false;
604 }
token_matches
#define token_matches(t, k)
Definition: hba.c:69
HbaToken
Definition: hba.c:75
HbaToken::string
char * string
Definition: hba.c:77
HbaToken::quoted
bool quoted
Definition: hba.c:78
lfirst
#define lfirst(lc)
Definition: pg_list.h:190
is_member
static bool is_member(Oid userid, const char *role)
Definition: hba.c:562
token_is_keyword
#define token_is_keyword(t, k)
Definition: hba.c:68

◆ check_same_host_or_net()

static bool check_same_host_or_net ( SockAddr raddr,
IPCompareMethod  method 
)
static

Definition at line 827 of file hba.c.

References check_network_callback(), elog, LOG, check_network_data::method, pg_foreach_ifaddr(), check_network_data::raddr, and check_network_data::result.

Referenced by check_hba().

828 {
829  check_network_data cn;
830 
831  cn.method = method;
832  cn.raddr = raddr;
833  cn.result = false;
834 
835  errno = 0;
836  if (pg_foreach_ifaddr(check_network_callback, &cn) < 0)
837  {
838  elog(LOG, "error enumerating network interfaces: %m");
839  return false;
840  }
841 
842  return cn.result;
843 }
check_network_data::raddr
SockAddr * raddr
Definition: hba.c:63
check_network_data
Definition: hba.c:60
LOG
#define LOG
Definition: elog.h:26
check_network_data::method
IPCompareMethod method
Definition: hba.c:62
pg_foreach_ifaddr
int pg_foreach_ifaddr(PgIfAddrCallback callback, void *cb_data)
Definition: ifaddr.c:559
check_network_callback
static void check_network_callback(struct sockaddr *addr, struct sockaddr *netmask, void *cb_data)
Definition: hba.c:800
check_network_data::result
bool result
Definition: hba.c:64
elog
#define elog(elevel,...)
Definition: elog.h:214

◆ check_usermap()

int check_usermap ( const char *  usermap_name,
const char *  pg_role,
const char *  auth_user,
bool  case_insensitive 
)

Definition at line 2924 of file hba.c.

References check_ident_usermap(), ereport, errmsg(), error(), lfirst, LOG, pg_strcasecmp(), STATUS_ERROR, and STATUS_OK.

Referenced by auth_peer(), CheckSCRAMAuth(), and ident_inet().

2928 {
2929  bool found_entry = false,
2930  error = false;
2931 
2932  if (usermap_name == NULL || usermap_name[0] == '\0')
2933  {
2934  if (case_insensitive)
2935  {
2936  if (pg_strcasecmp(pg_role, auth_user) == 0)
2937  return STATUS_OK;
2938  }
2939  else
2940  {
2941  if (strcmp(pg_role, auth_user) == 0)
2942  return STATUS_OK;
2943  }
2944  ereport(LOG,
2945  (errmsg("provided user name (%s) and authenticated user name (%s) do not match",
2946  pg_role, auth_user)));
2947  return STATUS_ERROR;
2948  }
2949  else
2950  {
2951  ListCell *line_cell;
2952 
2953  foreach(line_cell, parsed_ident_lines)
2954  {
2955  check_ident_usermap(lfirst(line_cell), usermap_name,
2956  pg_role, auth_user, case_insensitive,
2957  &found_entry, &error);
2958  if (found_entry || error)
2959  break;
2960  }
2961  }
2962  if (!found_entry && !error)
2963  {
2964  ereport(LOG,
2965  (errmsg("no match in usermap \"%s\" for user \"%s\" authenticated as \"%s\"",
2966  usermap_name, pg_role, auth_user)));
2967  }
2968  return found_entry ? STATUS_OK : STATUS_ERROR;
2969 }
check_ident_usermap
static void check_ident_usermap(IdentLine *identLine, const char *usermap_name, const char *pg_role, const char *ident_user, bool case_insensitive, bool *found_p, bool *error_p)
Definition: hba.c:2789
error
static void error(void)
Definition: sql-dyntest.c:147
STATUS_ERROR
#define STATUS_ERROR
Definition: c.h:1141
pg_strcasecmp
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36
LOG
#define LOG
Definition: elog.h:26
STATUS_OK
#define STATUS_OK
Definition: c.h:1140
ereport
#define ereport(elevel,...)
Definition: elog.h:144
parsed_ident_lines
static List * parsed_ident_lines
Definition: hba.c:112
lfirst
#define lfirst(lc)
Definition: pg_list.h:190
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824

◆ copy_hba_token()

static HbaToken* copy_hba_token ( HbaToken in)
static

Definition at line 307 of file hba.c.

References make_hba_token(), HbaToken::quoted, and HbaToken::string.

Referenced by parse_hba_line(), and tokenize_inc_file().

308 {
309  HbaToken *out = make_hba_token(in->string, in->quoted);
310 
311  return out;
312 }
HbaToken
Definition: hba.c:75
HbaToken::string
char * string
Definition: hba.c:77
HbaToken::quoted
bool quoted
Definition: hba.c:78
make_hba_token
static HbaToken * make_hba_token(const char *token, bool quoted)
Definition: hba.c:288

◆ fill_hba_line()

static void fill_hba_line ( Tuplestorestate tuple_store,
TupleDesc  tupdesc,
int  lineno,
HbaLine hba,
const char *  err_msg 
)
static

Definition at line 2416 of file hba.c.

References HbaLine::addr, Assert, HbaLine::auth_method, clean_ipv6_addr(), HbaLine::conntype, CStringGetTextDatum, ctHost, ctHostGSS, ctHostNoGSS, ctHostNoSSL, ctHostSSL, ctLocal, HbaLine::databases, gethba_options(), heap_form_tuple(), HbaLine::hostname, Int32GetDatum, HbaLine::ip_cmp_method, ipCmpAll, ipCmpMask, ipCmpSameHost, ipCmpSameNet, lappend(), lengthof, lfirst, HbaLine::mask, TupleDescData::natts, NI_MAXHOST, NI_NUMERICHOST, NIL, NUM_PG_HBA_FILE_RULES_ATTS, options, pg_getnameinfo_all(), PointerGetDatum, pstrdup(), HbaLine::roles, StaticAssertStmt, HbaToken::string, strlist_to_textarray(), tuplestore_puttuple(), USER_AUTH_LAST, UserAuthName, and values.

Referenced by fill_hba_view().

2418 {
2419  Datum values[NUM_PG_HBA_FILE_RULES_ATTS];
2420  bool nulls[NUM_PG_HBA_FILE_RULES_ATTS];
2421  char buffer[NI_MAXHOST];
2422  HeapTuple tuple;
2423  int index;
2424  ListCell *lc;
2425  const char *typestr;
2426  const char *addrstr;
2427  const char *maskstr;
2428  ArrayType *options;
2429 
2430  Assert(tupdesc->natts == NUM_PG_HBA_FILE_RULES_ATTS);
2431 
2432  memset(values, 0, sizeof(values));
2433  memset(nulls, 0, sizeof(nulls));
2434  index = 0;
2435 
2436  /* line_number */
2437  values[index++] = Int32GetDatum(lineno);
2438 
2439  if (hba != NULL)
2440  {
2441  /* type */
2442  /* Avoid a default: case so compiler will warn about missing cases */
2443  typestr = NULL;
2444  switch (hba->conntype)
2445  {
2446  case ctLocal:
2447  typestr = "local";
2448  break;
2449  case ctHost:
2450  typestr = "host";
2451  break;
2452  case ctHostSSL:
2453  typestr = "hostssl";
2454  break;
2455  case ctHostNoSSL:
2456  typestr = "hostnossl";
2457  break;
2458  case ctHostGSS:
2459  typestr = "hostgssenc";
2460  break;
2461  case ctHostNoGSS:
2462  typestr = "hostnogssenc";
2463  break;
2464  }
2465  if (typestr)
2466  values[index++] = CStringGetTextDatum(typestr);
2467  else
2468  nulls[index++] = true;
2469 
2470  /* database */
2471  if (hba->databases)
2472  {
2473  /*
2474  * Flatten HbaToken list to string list. It might seem that we
2475  * should re-quote any quoted tokens, but that has been rejected
2476  * on the grounds that it makes it harder to compare the array
2477  * elements to other system catalogs. That makes entries like
2478  * "all" or "samerole" formally ambiguous ... but users who name
2479  * databases/roles that way are inflicting their own pain.
2480  */
2481  List *names = NIL;
2482 
2483  foreach(lc, hba->databases)
2484  {
2485  HbaToken *tok = lfirst(lc);
2486 
2487  names = lappend(names, tok->string);
2488  }
2489  values[index++] = PointerGetDatum(strlist_to_textarray(names));
2490  }
2491  else
2492  nulls[index++] = true;
2493 
2494  /* user */
2495  if (hba->roles)
2496  {
2497  /* Flatten HbaToken list to string list; see comment above */
2498  List *roles = NIL;
2499 
2500  foreach(lc, hba->roles)
2501  {
2502  HbaToken *tok = lfirst(lc);
2503 
2504  roles = lappend(roles, tok->string);
2505  }
2506  values[index++] = PointerGetDatum(strlist_to_textarray(roles));
2507  }
2508  else
2509  nulls[index++] = true;
2510 
2511  /* address and netmask */
2512  /* Avoid a default: case so compiler will warn about missing cases */
2513  addrstr = maskstr = NULL;
2514  switch (hba->ip_cmp_method)
2515  {
2516  case ipCmpMask:
2517  if (hba->hostname)
2518  {
2519  addrstr = hba->hostname;
2520  }
2521  else
2522  {
2523  if (pg_getnameinfo_all(&hba->addr, sizeof(hba->addr),
2524  buffer, sizeof(buffer),
2525  NULL, 0,
2526  NI_NUMERICHOST) == 0)
2527  {
2528  clean_ipv6_addr(hba->addr.ss_family, buffer);
2529  addrstr = pstrdup(buffer);
2530  }
2531  if (pg_getnameinfo_all(&hba->mask, sizeof(hba->mask),
2532  buffer, sizeof(buffer),
2533  NULL, 0,
2534  NI_NUMERICHOST) == 0)
2535  {
2536  clean_ipv6_addr(hba->mask.ss_family, buffer);
2537  maskstr = pstrdup(buffer);
2538  }
2539  }
2540  break;
2541  case ipCmpAll:
2542  addrstr = "all";
2543  break;
2544  case ipCmpSameHost:
2545  addrstr = "samehost";
2546  break;
2547  case ipCmpSameNet:
2548  addrstr = "samenet";
2549  break;
2550  }
2551  if (addrstr)
2552  values[index++] = CStringGetTextDatum(addrstr);
2553  else
2554  nulls[index++] = true;
2555  if (maskstr)
2556  values[index++] = CStringGetTextDatum(maskstr);
2557  else
2558  nulls[index++] = true;
2559 
2560  /*
2561  * Make sure UserAuthName[] tracks additions to the UserAuth enum
2562  */
2563  StaticAssertStmt(lengthof(UserAuthName) == USER_AUTH_LAST + 1,
2564  "UserAuthName[] must match the UserAuth enum");
2565 
2566  /* auth_method */
2567  values[index++] = CStringGetTextDatum(UserAuthName[hba->auth_method]);
2568 
2569  /* options */
2570  options = gethba_options(hba);
2571  if (options)
2572  values[index++] = PointerGetDatum(options);
2573  else
2574  nulls[index++] = true;
2575  }
2576  else
2577  {
2578  /* no parsing result, so set relevant fields to nulls */
2579  memset(&nulls[1], true, (NUM_PG_HBA_FILE_RULES_ATTS - 2) * sizeof(bool));
2580  }
2581 
2582  /* error */
2583  if (err_msg)
2584  values[NUM_PG_HBA_FILE_RULES_ATTS - 1] = CStringGetTextDatum(err_msg);
2585  else
2586  nulls[NUM_PG_HBA_FILE_RULES_ATTS - 1] = true;
2587 
2588  tuple = heap_form_tuple(tupdesc, values, nulls);
2589  tuplestore_puttuple(tuple_store, tuple);
2590 }
HbaLine::databases
List * databases
Definition: hba.h:75
NIL
#define NIL
Definition: pg_list.h:65
HbaLine::mask
struct sockaddr_storage mask
Definition: hba.h:78
NI_NUMERICHOST
#define NI_NUMERICHOST
Definition: getaddrinfo.h:78
PointerGetDatum
#define PointerGetDatum(X)
Definition: postgres.h:556
ipCmpMask
Definition: hba.h:47
pstrdup
char * pstrdup(const char *in)
Definition: mcxt.c:1186
heap_form_tuple
HeapTuple heap_form_tuple(TupleDesc tupleDescriptor, Datum *values, bool *isnull)
Definition: heaptuple.c:1020
UserAuthName
static const char *const UserAuthName[]
Definition: hba.c:121
lengthof
#define lengthof(array)
Definition: c.h:675
index
Definition: type.h:89
StaticAssertStmt
#define StaticAssertStmt(condition, errmessage)
Definition: c.h:859
HbaLine::conntype
ConnType conntype
Definition: hba.h:74
ctHostSSL
Definition: hba.h:57
NI_MAXHOST
#define NI_MAXHOST
Definition: getaddrinfo.h:88
HbaLine::addr
struct sockaddr_storage addr
Definition: hba.h:77
ctHostGSS
Definition: hba.h:59
tuplestore_puttuple
void tuplestore_puttuple(Tuplestorestate *state, HeapTuple tuple)
Definition: tuplestore.c:730
HbaToken
Definition: hba.c:75
USER_AUTH_LAST
#define USER_AUTH_LAST
Definition: hba.h:42
ctLocal
Definition: hba.h:55
lappend
List * lappend(List *list, void *datum)
Definition: list.c:321
options
static char ** options
Definition: pg_recvlogical.c:50
ipCmpAll
Definition: hba.h:50
Datum
uintptr_t Datum
Definition: postgres.h:367
HbaLine::hostname
char * hostname
Definition: hba.h:80
HbaToken::string
char * string
Definition: hba.c:77
HbaLine::roles
List * roles
Definition: hba.h:76
Assert
#define Assert(condition)
Definition: c.h:745
lfirst
#define lfirst(lc)
Definition: pg_list.h:190
pg_getnameinfo_all
int pg_getnameinfo_all(const struct sockaddr_storage *addr, int salen, char *node, int nodelen, char *service, int servicelen, int flags)
Definition: ip.c:122
NUM_PG_HBA_FILE_RULES_ATTS
#define NUM_PG_HBA_FILE_RULES_ATTS
Definition: hba.c:2401
clean_ipv6_addr
void clean_ipv6_addr(int addr_family, char *addr)
Definition: network.c:2118
values
static Datum values[MAXATTR]
Definition: bootstrap.c:167
Int32GetDatum
#define Int32GetDatum(X)
Definition: postgres.h:479
CStringGetTextDatum
#define CStringGetTextDatum(s)
Definition: builtins.h:87
strlist_to_textarray
ArrayType * strlist_to_textarray(List *list)
Definition: objectaddress.c:5876
HbaLine::ip_cmp_method
IPCompareMethod ip_cmp_method
Definition: hba.h:79
List
Definition: pg_list.h:50
ctHost
Definition: hba.h:56
HbaLine::auth_method
UserAuth auth_method
Definition: hba.h:81
gethba_options
static ArrayType * gethba_options(HbaLine *hba)
Definition: hba.c:2292

◆ fill_hba_view()

static void fill_hba_view ( Tuplestorestate tuple_store,
TupleDesc  tupdesc 
)
static

Definition at line 2596 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate, CurrentMemoryContext, DEBUG3, ereport, TokenizedLine::err_msg, errcode_for_file_access(), errmsg(), ERROR, fill_hba_line(), FreeFile(), HbaFileName, lfirst, TokenizedLine::line_num, MemoryContextDelete(), MemoryContextSwitchTo(), NIL, parse_hba_line(), and tokenize_file().

Referenced by pg_hba_file_rules().

2597 {
2598  FILE *file;
2599  List *hba_lines = NIL;
2600  ListCell *line;
2601  MemoryContext linecxt;
2602  MemoryContext hbacxt;
2603  MemoryContext oldcxt;
2604 
2605  /*
2606  * In the unlikely event that we can't open pg_hba.conf, we throw an
2607  * error, rather than trying to report it via some sort of view entry.
2608  * (Most other error conditions should result in a message in a view
2609  * entry.)
2610  */
2611  file = AllocateFile(HbaFileName, "r");
2612  if (file == NULL)
2613  ereport(ERROR,
2614  (errcode_for_file_access(),
2615  errmsg("could not open configuration file \"%s\": %m",
2616  HbaFileName)));
2617 
2618  linecxt = tokenize_file(HbaFileName, file, &hba_lines, DEBUG3);
2619  FreeFile(file);
2620 
2621  /* Now parse all the lines */
2622  hbacxt = AllocSetContextCreate(CurrentMemoryContext,
2623  "hba parser context",
2624  ALLOCSET_SMALL_SIZES);
2625  oldcxt = MemoryContextSwitchTo(hbacxt);
2626  foreach(line, hba_lines)
2627  {
2628  TokenizedLine *tok_line = (TokenizedLine *) lfirst(line);
2629  HbaLine *hbaline = NULL;
2630 
2631  /* don't parse lines that already have errors */
2632  if (tok_line->err_msg == NULL)
2633  hbaline = parse_hba_line(tok_line, DEBUG3);
2634 
2635  fill_hba_line(tuple_store, tupdesc, tok_line->line_num,
2636  hbaline, tok_line->err_msg);
2637  }
2638 
2639  /* Free tokenizer memory */
2640  MemoryContextDelete(linecxt);
2641  /* Free parse_hba_line memory */
2642  MemoryContextSwitchTo(oldcxt);
2643  MemoryContextDelete(hbacxt);
2644 }
HbaLine
Definition: hba.h:70
NIL
#define NIL
Definition: pg_list.h:65
MemoryContextDelete
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:211
AllocSetContextCreate
#define AllocSetContextCreate
Definition: memutils.h:170
DEBUG3
#define DEBUG3
Definition: elog.h:23
ALLOCSET_SMALL_SIZES
#define ALLOCSET_SMALL_SIZES
Definition: memutils.h:202
MemoryContextSwitchTo
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
HbaFileName
char * HbaFileName
Definition: guc.c:557
ERROR
#define ERROR
Definition: elog.h:43
TokenizedLine::line_num
int line_num
Definition: hba.c:92
TokenizedLine::err_msg
char * err_msg
Definition: hba.c:94
errcode_for_file_access
int errcode_for_file_access(void)
Definition: elog.c:633
AllocateFile
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2322
CurrentMemoryContext
MemoryContext CurrentMemoryContext
Definition: mcxt.c:38
parse_hba_line
static HbaLine * parse_hba_line(TokenizedLine *tok_line, int elevel)
Definition: hba.c:945
fill_hba_line
static void fill_hba_line(Tuplestorestate *tuple_store, TupleDesc tupdesc, int lineno, HbaLine *hba, const char *err_msg)
Definition: hba.c:2416
ereport
#define ereport(elevel,...)
Definition: elog.h:144
lfirst
#define lfirst(lc)
Definition: pg_list.h:190
tokenize_file
static MemoryContext tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
Definition: hba.c:470
FreeFile
int FreeFile(FILE *file)
Definition: fd.c:2521
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824
List
Definition: pg_list.h:50

◆ gethba_options()

static ArrayType * gethba_options ( HbaLine hba)
static

Definition at line 2292 of file hba.c.

References Assert, HbaLine::auth_method, HbaLine::clientcert, clientCertCA, clientCertOff, construct_array(), CStringGetTextDatum, HbaLine::include_realm, HbaLine::krb_realm, HbaLine::ldapbasedn, HbaLine::ldapbinddn, HbaLine::ldapbindpasswd, HbaLine::ldapport, HbaLine::ldapprefix, HbaLine::ldapscope, HbaLine::ldapsearchattribute, HbaLine::ldapsearchfilter, HbaLine::ldapserver, HbaLine::ldapsuffix, HbaLine::ldaptls, MAX_HBA_OPTIONS, noptions, HbaLine::pamservice, psprintf(), HbaLine::radiusidentifiers_s, HbaLine::radiusports_s, HbaLine::radiussecrets_s, HbaLine::radiusservers_s, uaGSS, uaLDAP, uaRADIUS, uaSSPI, and HbaLine::usermap.

Referenced by fill_hba_line().

2293 {
2294  int noptions;
2295  Datum options[MAX_HBA_OPTIONS];
2296 
2297  noptions = 0;
2298 
2299  if (hba->auth_method == uaGSS || hba->auth_method == uaSSPI)
2300  {
2301  if (hba->include_realm)
2302  options[noptions++] =
2303  CStringGetTextDatum("include_realm=true");
2304 
2305  if (hba->krb_realm)
2306  options[noptions++] =
2307  CStringGetTextDatum(psprintf("krb_realm=%s", hba->krb_realm));
2308  }
2309 
2310  if (hba->usermap)
2311  options[noptions++] =
2312  CStringGetTextDatum(psprintf("map=%s", hba->usermap));
2313 
2314  if (hba->clientcert != clientCertOff)
2315  options[noptions++] =
2316  CStringGetTextDatum(psprintf("clientcert=%s", (hba->clientcert == clientCertCA) ? "verify-ca" : "verify-full"));
2317 
2318  if (hba->pamservice)
2319  options[noptions++] =
2320  CStringGetTextDatum(psprintf("pamservice=%s", hba->pamservice));
2321 
2322  if (hba->auth_method == uaLDAP)
2323  {
2324  if (hba->ldapserver)
2325  options[noptions++] =
2326  CStringGetTextDatum(psprintf("ldapserver=%s", hba->ldapserver));
2327 
2328  if (hba->ldapport)
2329  options[noptions++] =
2330  CStringGetTextDatum(psprintf("ldapport=%d", hba->ldapport));
2331 
2332  if (hba->ldaptls)
2333  options[noptions++] =
2334  CStringGetTextDatum("ldaptls=true");
2335 
2336  if (hba->ldapprefix)
2337  options[noptions++] =
2338  CStringGetTextDatum(psprintf("ldapprefix=%s", hba->ldapprefix));
2339 
2340  if (hba->ldapsuffix)
2341  options[noptions++] =
2342  CStringGetTextDatum(psprintf("ldapsuffix=%s", hba->ldapsuffix));
2343 
2344  if (hba->ldapbasedn)
2345  options[noptions++] =
2346  CStringGetTextDatum(psprintf("ldapbasedn=%s", hba->ldapbasedn));
2347 
2348  if (hba->ldapbinddn)
2349  options[noptions++] =
2350  CStringGetTextDatum(psprintf("ldapbinddn=%s", hba->ldapbinddn));
2351 
2352  if (hba->ldapbindpasswd)
2353  options[noptions++] =
2354  CStringGetTextDatum(psprintf("ldapbindpasswd=%s",
2355  hba->ldapbindpasswd));
2356 
2357  if (hba->ldapsearchattribute)
2358  options[noptions++] =
2359  CStringGetTextDatum(psprintf("ldapsearchattribute=%s",
2360  hba->ldapsearchattribute));
2361 
2362  if (hba->ldapsearchfilter)
2363  options[noptions++] =
2364  CStringGetTextDatum(psprintf("ldapsearchfilter=%s",
2365  hba->ldapsearchfilter));
2366 
2367  if (hba->ldapscope)
2368  options[noptions++] =
2369  CStringGetTextDatum(psprintf("ldapscope=%d", hba->ldapscope));
2370  }
2371 
2372  if (hba->auth_method == uaRADIUS)
2373  {
2374  if (hba->radiusservers_s)
2375  options[noptions++] =
2376  CStringGetTextDatum(psprintf("radiusservers=%s", hba->radiusservers_s));
2377 
2378  if (hba->radiussecrets_s)
2379  options[noptions++] =
2380  CStringGetTextDatum(psprintf("radiussecrets=%s", hba->radiussecrets_s));
2381 
2382  if (hba->radiusidentifiers_s)
2383  options[noptions++] =
2384  CStringGetTextDatum(psprintf("radiusidentifiers=%s", hba->radiusidentifiers_s));
2385 
2386  if (hba->radiusports_s)
2387  options[noptions++] =
2388  CStringGetTextDatum(psprintf("radiusports=%s", hba->radiusports_s));
2389  }
2390 
2391  /* If you add more options, consider increasing MAX_HBA_OPTIONS. */
2392  Assert(noptions <= MAX_HBA_OPTIONS);
2393 
2394  if (noptions > 0)
2395  return construct_array(options, noptions, TEXTOID, -1, false, TYPALIGN_INT);
2396  else
2397  return NULL;
2398 }
HbaLine::ldapscope
int ldapscope
Definition: hba.h:95
HbaLine::radiusports_s
char * radiusports_s
Definition: hba.h:110
HbaLine::ldapserver
char * ldapserver
Definition: hba.h:88
uaLDAP
Definition: hba.h:38
HbaLine::ldapport
int ldapport
Definition: hba.h:89
HbaLine::ldapbasedn
char * ldapbasedn
Definition: hba.h:94
HbaLine::pamservice
char * pamservice
Definition: hba.h:84
psprintf
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
uaSSPI
Definition: hba.h:35
construct_array
ArrayType * construct_array(Datum *elems, int nelems, Oid elmtype, int elmlen, bool elmbyval, char elmalign)
Definition: arrayfuncs.c:3313
HbaLine::ldapsuffix
char * ldapsuffix
Definition: hba.h:97
uaGSS
Definition: hba.h:34
HbaLine::radiusservers_s
char * radiusservers_s
Definition: hba.h:104
HbaLine::usermap
char * usermap
Definition: hba.h:83
HbaLine::include_realm
bool include_realm
Definition: hba.h:100
HbaLine::ldapbinddn
char * ldapbinddn
Definition: hba.h:90
HbaLine::krb_realm
char * krb_realm
Definition: hba.h:99
HbaLine::ldapbindpasswd
char * ldapbindpasswd
Definition: hba.h:91
HbaLine::ldapprefix
char * ldapprefix
Definition: hba.h:96
Datum
uintptr_t Datum
Definition: postgres.h:367
HbaLine::radiusidentifiers_s
char * radiusidentifiers_s
Definition: hba.h:108
HbaLine::radiussecrets_s
char * radiussecrets_s
Definition: hba.h:106
Assert
#define Assert(condition)
Definition: c.h:745
HbaLine::ldapsearchfilter
char * ldapsearchfilter
Definition: hba.h:93
HbaLine::clientcert
ClientCertMode clientcert
Definition: hba.h:98
HbaLine::ldaptls
bool ldaptls
Definition: hba.h:86
HbaLine::ldapsearchattribute
char * ldapsearchattribute
Definition: hba.h:92
CStringGetTextDatum
#define CStringGetTextDatum(s)
Definition: builtins.h:87
noptions
static size_t noptions
Definition: pg_recvlogical.c:51
uaRADIUS
Definition: hba.h:40
HbaLine::auth_method
UserAuth auth_method
Definition: hba.h:81
MAX_HBA_OPTIONS
#define MAX_HBA_OPTIONS
Definition: hba.c:2285

◆ hba_getauthmethod()

void hba_getauthmethod ( hbaPort port)

Definition at line 3090 of file hba.c.

References check_hba().

Referenced by ClientAuthentication().

3091 {
3092  check_hba(port);
3093 }
check_hba
static void check_hba(hbaPort *port)
Definition: hba.c:2073

◆ hostname_match()

static bool hostname_match ( const char *  pattern,
const char *  actual_hostname 
)
static

Definition at line 673 of file hba.c.

References pg_strcasecmp().

Referenced by check_hostname().

674 {
675  if (pattern[0] == '.') /* suffix match */
676  {
677  size_t plen = strlen(pattern);
678  size_t hlen = strlen(actual_hostname);
679 
680  if (hlen < plen)
681  return false;
682 
683  return (pg_strcasecmp(pattern, actual_hostname + (hlen - plen)) == 0);
684  }
685  else
686  return (pg_strcasecmp(pattern, actual_hostname) == 0);
687 }
pg_strcasecmp
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36

◆ ipv4eq()

static bool ipv4eq ( struct sockaddr_in *  a,
struct sockaddr_in *  b 
)
static

Definition at line 649 of file hba.c.

References i.

Referenced by check_hostname().

650 {
651  return (a->sin_addr.s_addr == b->sin_addr.s_addr);
652 }

◆ is_member()

static bool is_member ( Oid  userid,
const char *  role 
)
static

Definition at line 562 of file hba.c.

References get_role_oid(), is_member_of_role_nosuper(), and OidIsValid.

Referenced by check_db(), and check_role().

563 {
564  Oid roleid;
565 
566  if (!OidIsValid(userid))
567  return false; /* if user not exist, say "no" */
568 
569  roleid = get_role_oid(role, true);
570 
571  if (!OidIsValid(roleid))
572  return false; /* if target role not exist, say "no" */
573 
574  /*
575  * See if user is directly or indirectly a member of role. For this
576  * purpose, a superuser is not considered to be automatically a member of
577  * the role, so group auth only applies to explicit membership.
578  */
579  return is_member_of_role_nosuper(userid, roleid);
580 }
Oid
unsigned int Oid
Definition: postgres_ext.h:31
OidIsValid
#define OidIsValid(objectId)
Definition: c.h:651
get_role_oid
Oid get_role_oid(const char *rolname, bool missing_ok)
Definition: acl.c:5175
is_member_of_role_nosuper
bool is_member_of_role_nosuper(Oid member, Oid role)
Definition: acl.c:4954

◆ load_hba()

bool load_hba ( void  )

Definition at line 2185 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert, ereport, TokenizedLine::err_msg, errcode(), errcode_for_file_access(), errmsg(), FreeFile(), HbaFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline(), NIL, parse_hba_line(), PostmasterContext, and tokenize_file().

Referenced by PerformAuthentication(), PostmasterMain(), and SIGHUP_handler().

2186 {
2187  FILE *file;
2188  List *hba_lines = NIL;
2189  ListCell *line;
2190  List *new_parsed_lines = NIL;
2191  bool ok = true;
2192  MemoryContext linecxt;
2193  MemoryContext oldcxt;
2194  MemoryContext hbacxt;
2195 
2196  file = AllocateFile(HbaFileName, "r");
2197  if (file == NULL)
2198  {
2199  ereport(LOG,
2200  (errcode_for_file_access(),
2201  errmsg("could not open configuration file \"%s\": %m",
2202  HbaFileName)));
2203  return false;
2204  }
2205 
2206  linecxt = tokenize_file(HbaFileName, file, &hba_lines, LOG);
2207  FreeFile(file);
2208 
2209  /* Now parse all the lines */
2210  Assert(PostmasterContext);
2211  hbacxt = AllocSetContextCreate(PostmasterContext,
2212  "hba parser context",
2213  ALLOCSET_SMALL_SIZES);
2214  oldcxt = MemoryContextSwitchTo(hbacxt);
2215  foreach(line, hba_lines)
2216  {
2217  TokenizedLine *tok_line = (TokenizedLine *) lfirst(line);
2218  HbaLine *newline;
2219 
2220  /* don't parse lines that already have errors */
2221  if (tok_line->err_msg != NULL)
2222  {
2223  ok = false;
2224  continue;
2225  }
2226 
2227  if ((newline = parse_hba_line(tok_line, LOG)) == NULL)
2228  {
2229  /* Parse error; remember there's trouble */
2230  ok = false;
2231 
2232  /*
2233  * Keep parsing the rest of the file so we can report errors on
2234  * more than the first line. Error has already been logged, no
2235  * need for more chatter here.
2236  */
2237  continue;
2238  }
2239 
2240  new_parsed_lines = lappend(new_parsed_lines, newline);
2241  }
2242 
2243  /*
2244  * A valid HBA file must have at least one entry; else there's no way to
2245  * connect to the postmaster. But only complain about this if we didn't
2246  * already have parsing errors.
2247  */
2248  if (ok && new_parsed_lines == NIL)
2249  {
2250  ereport(LOG,
2251  (errcode(ERRCODE_CONFIG_FILE_ERROR),
2252  errmsg("configuration file \"%s\" contains no entries",
2253  HbaFileName)));
2254  ok = false;
2255  }
2256 
2257  /* Free tokenizer memory */
2258  MemoryContextDelete(linecxt);
2259  MemoryContextSwitchTo(oldcxt);
2260 
2261  if (!ok)
2262  {
2263  /* File contained one or more errors, so bail out */
2264  MemoryContextDelete(hbacxt);
2265  return false;
2266  }
2267 
2268  /* Loaded new file successfully, replace the one we use */
2269  if (parsed_hba_context != NULL)
2270  MemoryContextDelete(parsed_hba_context);
2271  parsed_hba_context = hbacxt;
2272  parsed_hba_lines = new_parsed_lines;
2273 
2274  return true;
2275 }
HbaLine
Definition: hba.h:70
NIL
#define NIL
Definition: pg_list.h:65
MemoryContextDelete
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:211
AllocSetContextCreate
#define AllocSetContextCreate
Definition: memutils.h:170
ALLOCSET_SMALL_SIZES
#define ALLOCSET_SMALL_SIZES
Definition: memutils.h:202
MemoryContextSwitchTo
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
errcode
int errcode(int sqlerrcode)
Definition: elog.c:610
LOG
#define LOG
Definition: elog.h:26
newline
static chr newline(void)
Definition: regc_lex.c:1138
parsed_hba_lines
static List * parsed_hba_lines
Definition: hba.c:101
HbaFileName
char * HbaFileName
Definition: guc.c:557
parsed_hba_context
static MemoryContext parsed_hba_context
Definition: hba.c:102
TokenizedLine::err_msg
char * err_msg
Definition: hba.c:94
errcode_for_file_access
int errcode_for_file_access(void)
Definition: elog.c:633
AllocateFile
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2322
lappend
List * lappend(List *list, void *datum)
Definition: list.c:321
parse_hba_line
static HbaLine * parse_hba_line(TokenizedLine *tok_line, int elevel)
Definition: hba.c:945
ereport
#define ereport(elevel,...)
Definition: elog.h:144
Assert
#define Assert(condition)
Definition: c.h:745
lfirst
#define lfirst(lc)
Definition: pg_list.h:190
tokenize_file
static MemoryContext tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
Definition: hba.c:470
FreeFile
int FreeFile(FILE *file)
Definition: fd.c:2521
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824
List
Definition: pg_list.h:50
PostmasterContext
MemoryContext PostmasterContext
Definition: mcxt.c:46

◆ load_ident()

bool load_ident ( void  )

Definition at line 2979 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert, ereport, TokenizedLine::err_msg, errcode_for_file_access(), errmsg(), FreeFile(), IdentLine::ident_user, IdentFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline(), NIL, parse_ident_line(), pg_regfree(), PostmasterContext, IdentLine::re, and tokenize_file().

Referenced by PerformAuthentication(), PostmasterMain(), and SIGHUP_handler().

2980 {
2981  FILE *file;
2982  List *ident_lines = NIL;
2983  ListCell *line_cell,
2984  *parsed_line_cell;
2985  List *new_parsed_lines = NIL;
2986  bool ok = true;
2987  MemoryContext linecxt;
2988  MemoryContext oldcxt;
2989  MemoryContext ident_context;
2990  IdentLine *newline;
2991 
2992  file = AllocateFile(IdentFileName, "r");
2993  if (file == NULL)
2994  {
2995  /* not fatal ... we just won't do any special ident maps */
2996  ereport(LOG,
2997  (errcode_for_file_access(),
2998  errmsg("could not open usermap file \"%s\": %m",
2999  IdentFileName)));
3000  return false;
3001  }
3002 
3003  linecxt = tokenize_file(IdentFileName, file, &ident_lines, LOG);
3004  FreeFile(file);
3005 
3006  /* Now parse all the lines */
3007  Assert(PostmasterContext);
3008  ident_context = AllocSetContextCreate(PostmasterContext,
3009  "ident parser context",
3010  ALLOCSET_SMALL_SIZES);
3011  oldcxt = MemoryContextSwitchTo(ident_context);
3012  foreach(line_cell, ident_lines)
3013  {
3014  TokenizedLine *tok_line = (TokenizedLine *) lfirst(line_cell);
3015 
3016  /* don't parse lines that already have errors */
3017  if (tok_line->err_msg != NULL)
3018  {
3019  ok = false;
3020  continue;
3021  }
3022 
3023  if ((newline = parse_ident_line(tok_line)) == NULL)
3024  {
3025  /* Parse error; remember there's trouble */
3026  ok = false;
3027 
3028  /*
3029  * Keep parsing the rest of the file so we can report errors on
3030  * more than the first line. Error has already been logged, no
3031  * need for more chatter here.
3032  */
3033  continue;
3034  }
3035 
3036  new_parsed_lines = lappend(new_parsed_lines, newline);
3037  }
3038 
3039  /* Free tokenizer memory */
3040  MemoryContextDelete(linecxt);
3041  MemoryContextSwitchTo(oldcxt);
3042 
3043  if (!ok)
3044  {
3045  /*
3046  * File contained one or more errors, so bail out, first being careful
3047  * to clean up whatever we allocated. Most stuff will go away via
3048  * MemoryContextDelete, but we have to clean up regexes explicitly.
3049  */
3050  foreach(parsed_line_cell, new_parsed_lines)
3051  {
3052  newline = (IdentLine *) lfirst(parsed_line_cell);
3053  if (newline->ident_user[0] == '/')
3054  pg_regfree(&newline->re);
3055  }
3056  MemoryContextDelete(ident_context);
3057  return false;
3058  }
3059 
3060  /* Loaded new file successfully, replace the one we use */
3061  if (parsed_ident_lines != NIL)
3062  {
3063  foreach(parsed_line_cell, parsed_ident_lines)
3064  {
3065  newline = (IdentLine *) lfirst(parsed_line_cell);
3066  if (newline->ident_user[0] == '/')
3067  pg_regfree(&newline->re);
3068  }
3069  }
3070  if (parsed_ident_context != NULL)
3071  MemoryContextDelete(parsed_ident_context);
3072 
3073  parsed_ident_context = ident_context;
3074  parsed_ident_lines = new_parsed_lines;
3075 
3076  return true;
3077 }
NIL
#define NIL
Definition: pg_list.h:65
MemoryContextDelete
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:211
AllocSetContextCreate
#define AllocSetContextCreate
Definition: memutils.h:170
IdentLine::re
regex_t re
Definition: hba.h:120
ALLOCSET_SMALL_SIZES
#define ALLOCSET_SMALL_SIZES
Definition: memutils.h:202
MemoryContextSwitchTo
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
LOG
#define LOG
Definition: elog.h:26
newline
static chr newline(void)
Definition: regc_lex.c:1138
TokenizedLine::err_msg
char * err_msg
Definition: hba.c:94
errcode_for_file_access
int errcode_for_file_access(void)
Definition: elog.c:633
AllocateFile
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2322
IdentFileName
char * IdentFileName
Definition: guc.c:558
lappend
List * lappend(List *list, void *datum)
Definition: list.c:321
ereport
#define ereport(elevel,...)
Definition: elog.h:144
parsed_ident_lines
static List * parsed_ident_lines
Definition: hba.c:112
parsed_ident_context
static MemoryContext parsed_ident_context
Definition: hba.c:113
Assert
#define Assert(condition)
Definition: c.h:745
lfirst
#define lfirst(lc)
Definition: pg_list.h:190
tokenize_file
static MemoryContext tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
Definition: hba.c:470
IdentLine
Definition: hba.h:113
FreeFile
int FreeFile(FILE *file)
Definition: fd.c:2521
IdentLine::ident_user
char * ident_user
Definition: hba.h:118
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824
parse_ident_line
static IdentLine * parse_ident_line(TokenizedLine *tok_line)
Definition: hba.c:2712
pg_regfree
void pg_regfree(regex_t *re)
Definition: regfree.c:49
List
Definition: pg_list.h:50
PostmasterContext
MemoryContext PostmasterContext
Definition: mcxt.c:46

◆ make_hba_token()

static HbaToken* make_hba_token ( const char *  token,
bool  quoted 
)
static

Definition at line 288 of file hba.c.

References palloc(), HbaToken::quoted, and HbaToken::string.

Referenced by copy_hba_token(), and next_field_expand().

289 {
290  HbaToken *hbatoken;
291  int toklen;
292 
293  toklen = strlen(token);
294  /* we copy string into same palloc block as the struct */
295  hbatoken = (HbaToken *) palloc(sizeof(HbaToken) + toklen + 1);
296  hbatoken->string = (char *) hbatoken + sizeof(HbaToken);
297  hbatoken->quoted = quoted;
298  memcpy(hbatoken->string, token, toklen + 1);
299 
300  return hbatoken;
301 }
HbaToken
Definition: hba.c:75
HbaToken::string
char * string
Definition: hba.c:77
HbaToken::quoted
bool quoted
Definition: hba.c:78
palloc
void * palloc(Size size)
Definition: mcxt.c:949

◆ next_field_expand()

static List* next_field_expand ( const char *  filename,
char **  lineptr,
int  elevel,
char **  err_msg 
)
static

Definition at line 330 of file hba.c.

References buf, lappend(), make_hba_token(), MAX_TOKEN, next_token(), NIL, and tokenize_inc_file().

Referenced by tokenize_file().

332 {
333  char buf[MAX_TOKEN];
334  bool trailing_comma;
335  bool initial_quote;
336  List *tokens = NIL;
337 
338  do
339  {
340  if (!next_token(lineptr, buf, sizeof(buf),
341  &initial_quote, &trailing_comma,
342  elevel, err_msg))
343  break;
344 
345  /* Is this referencing a file? */
346  if (!initial_quote && buf[0] == '@' && buf[1] != '\0')
347  tokens = tokenize_inc_file(tokens, filename, buf + 1,
348  elevel, err_msg);
349  else
350  tokens = lappend(tokens, make_hba_token(buf, initial_quote));
351  } while (trailing_comma && (*err_msg == NULL));
352 
353  return tokens;
354 }
NIL
#define NIL
Definition: pg_list.h:65
next_token
static bool next_token(char **lineptr, char *buf, int bufsz, bool *initial_quote, bool *terminating_comma, int elevel, char **err_msg)
Definition: hba.c:195
buf
static char * buf
Definition: pg_test_fsync.c:67
lappend
List * lappend(List *list, void *datum)
Definition: list.c:321
elevel
static int elevel
Definition: vacuumlazy.c:330
MAX_TOKEN
#define MAX_TOKEN
Definition: hba.c:56
filename
static char * filename
Definition: pg_dumpall.c:90
List
Definition: pg_list.h:50
tokenize_inc_file
static List * tokenize_inc_file(List *tokens, const char *outer_filename, const char *inc_filename, int elevel, char **err_msg)
Definition: hba.c:372
make_hba_token
static HbaToken * make_hba_token(const char *token, bool quoted)
Definition: hba.c:288

◆ next_token()

static bool next_token ( char **  lineptr,
char *  buf,
int  bufsz,
bool initial_quote,
bool terminating_comma,
int  elevel,
char **  err_msg 
)
static

Definition at line 195 of file hba.c.

References Assert, buf, ereport, errcode(), errmsg(), and pg_isblank().

Referenced by base_yylex(), filtered_base_yylex(), and next_field_expand().

198 {
199  int c;
200  char *start_buf = buf;
201  char *end_buf = buf + (bufsz - 1);
202  bool in_quote = false;
203  bool was_quote = false;
204  bool saw_quote = false;
205 
206  Assert(end_buf > start_buf);
207 
208  *initial_quote = false;
209  *terminating_comma = false;
210 
211  /* Move over any whitespace and commas preceding the next token */
212  while ((c = (*(*lineptr)++)) != '\0' && (pg_isblank(c) || c == ','))
213  ;
214 
215  /*
216  * Build a token in buf of next characters up to EOL, unquoted comma, or
217  * unquoted whitespace.
218  */
219  while (c != '\0' &&
220  (!pg_isblank(c) || in_quote))
221  {
222  /* skip comments to EOL */
223  if (c == '#' && !in_quote)
224  {
225  while ((c = (*(*lineptr)++)) != '\0')
226  ;
227  break;
228  }
229 
230  if (buf >= end_buf)
231  {
232  *buf = '\0';
233  ereport(elevel,
234  (errcode(ERRCODE_CONFIG_FILE_ERROR),
235  errmsg("authentication file token too long, skipping: \"%s\"",
236  start_buf)));
237  *err_msg = "authentication file token too long";
238  /* Discard remainder of line */
239  while ((c = (*(*lineptr)++)) != '\0')
240  ;
241  /* Un-eat the '\0', in case we're called again */
242  (*lineptr)--;
243  return false;
244  }
245 
246  /* we do not pass back a terminating comma in the token */
247  if (c == ',' && !in_quote)
248  {
249  *terminating_comma = true;
250  break;
251  }
252 
253  if (c != '"' || was_quote)
254  *buf++ = c;
255 
256  /* Literal double-quote is two double-quotes */
257  if (in_quote && c == '"')
258  was_quote = !was_quote;
259  else
260  was_quote = false;
261 
262  if (c == '"')
263  {
264  in_quote = !in_quote;
265  saw_quote = true;
266  if (buf == start_buf)
267  *initial_quote = true;
268  }
269 
270  c = *(*lineptr)++;
271  }
272 
273  /*
274  * Un-eat the char right after the token (critical in case it is '\0',
275  * else next call will read past end of string).
276  */
277  (*lineptr)--;
278 
279  *buf = '\0';
280 
281  return (saw_quote || buf > start_buf);
282 }
pg_isblank
bool pg_isblank(const char c)
Definition: hba.c:160
errcode
int errcode(int sqlerrcode)
Definition: elog.c:610
c
char * c
Definition: preproc-cursor.c:31
buf
static char * buf
Definition: pg_test_fsync.c:67
elevel
static int elevel
Definition: vacuumlazy.c:330
ereport
#define ereport(elevel,...)
Definition: elog.h:144
Assert
#define Assert(condition)
Definition: c.h:745
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824

◆ parse_hba_auth_opt()

static bool parse_hba_auth_opt ( char *  name,
char *  val,
HbaLine hbaline,
int  elevel,
char **  err_msg 
)
static

Definition at line 1680 of file hba.c.

References addrinfo::ai_family, addrinfo::ai_socktype, HbaLine::auth_method, HbaLine::clientcert, clientCertCA, clientCertFull, clientCertOff, HbaLine::compat_realm, HbaLine::conntype, ctHostSSL, ereport, errcode(), errcontext, errmsg(), gai_strerror, gettext_noop, HbaFileName, HbaLine::include_realm, INVALID_AUTH_OPTION, HbaLine::krb_realm, HbaLine::ldapbasedn, HbaLine::ldapbinddn, HbaLine::ldapbindpasswd, HbaLine::ldapport, HbaLine::ldapprefix, HbaLine::ldapscheme, HbaLine::ldapscope, HbaLine::ldapsearchattribute, HbaLine::ldapsearchfilter, HbaLine::ldapserver, HbaLine::ldapsuffix, HbaLine::ldaptls, lfirst, HbaLine::linenumber, list_free(), MemSet, HbaLine::pam_use_hostname, HbaLine::pamservice, pg_freeaddrinfo_all(), pg_getaddrinfo_all(), psprintf(), pstrdup(), HbaLine::radiusidentifiers, HbaLine::radiusidentifiers_s, HbaLine::radiusports, HbaLine::radiusports_s, HbaLine::radiussecrets, HbaLine::radiussecrets_s, HbaLine::radiusservers, HbaLine::radiusservers_s, REQUIRE_AUTH_OPTION, SplitGUCList(), uaCert, uaGSS, uaIdent, uaLDAP, uaPAM, uaRADIUS, uaSSPI, HbaLine::upn_username, and HbaLine::usermap.

Referenced by parse_hba_line().

1682 {
1683  int line_num = hbaline->linenumber;
1684 
1685 #ifdef USE_LDAP
1686  hbaline->ldapscope = LDAP_SCOPE_SUBTREE;
1687 #endif
1688 
1689  if (strcmp(name, "map") == 0)
1690  {
1691  if (hbaline->auth_method != uaIdent &&
1692  hbaline->auth_method != uaPeer &&
1693  hbaline->auth_method != uaGSS &&
1694  hbaline->auth_method != uaSSPI &&
1695  hbaline->auth_method != uaCert)
1696  INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, and cert"));
1697  hbaline->usermap = pstrdup(val);
1698  }
1699  else if (strcmp(name, "clientcert") == 0)
1700  {
1701  if (hbaline->conntype != ctHostSSL)
1702  {
1703  ereport(elevel,
1704  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1705  errmsg("clientcert can only be configured for \"hostssl\" rows"),
1706  errcontext("line %d of configuration file \"%s\"",
1707  line_num, HbaFileName)));
1708  *err_msg = "clientcert can only be configured for \"hostssl\" rows";
1709  return false;
1710  }
1711  if (strcmp(val, "1") == 0
1712  || strcmp(val, "verify-ca") == 0)
1713  {
1714  hbaline->clientcert = clientCertCA;
1715  }
1716  else if (strcmp(val, "verify-full") == 0)
1717  {
1718  hbaline->clientcert = clientCertFull;
1719  }
1720  else if (strcmp(val, "0") == 0
1721  || strcmp(val, "no-verify") == 0)
1722  {
1723  if (hbaline->auth_method == uaCert)
1724  {
1725  ereport(elevel,
1726  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1727  errmsg("clientcert can not be set to \"no-verify\" when using \"cert\" authentication"),
1728  errcontext("line %d of configuration file \"%s\"",
1729  line_num, HbaFileName)));
1730  *err_msg = "clientcert can not be set to \"no-verify\" when using \"cert\" authentication";
1731  return false;
1732  }
1733  hbaline->clientcert = clientCertOff;
1734  }
1735  else
1736  {
1737  ereport(elevel,
1738  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1739  errmsg("invalid value for clientcert: \"%s\"", val),
1740  errcontext("line %d of configuration file \"%s\"",
1741  line_num, HbaFileName)));
1742  return false;
1743  }
1744  }
1745  else if (strcmp(name, "pamservice") == 0)
1746  {
1747  REQUIRE_AUTH_OPTION(uaPAM, "pamservice", "pam");
1748  hbaline->pamservice = pstrdup(val);
1749  }
1750  else if (strcmp(name, "pam_use_hostname") == 0)
1751  {
1752  REQUIRE_AUTH_OPTION(uaPAM, "pam_use_hostname", "pam");
1753  if (strcmp(val, "1") == 0)
1754  hbaline->pam_use_hostname = true;
1755  else
1756  hbaline->pam_use_hostname = false;
1757 
1758  }
1759  else if (strcmp(name, "ldapurl") == 0)
1760  {
1761 #ifdef LDAP_API_FEATURE_X_OPENLDAP
1762  LDAPURLDesc *urldata;
1763  int rc;
1764 #endif
1765 
1766  REQUIRE_AUTH_OPTION(uaLDAP, "ldapurl", "ldap");
1767 #ifdef LDAP_API_FEATURE_X_OPENLDAP
1768  rc = ldap_url_parse(val, &urldata);
1769  if (rc != LDAP_SUCCESS)
1770  {
1771  ereport(elevel,
1772  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1773  errmsg("could not parse LDAP URL \"%s\": %s", val, ldap_err2string(rc))));
1774  *err_msg = psprintf("could not parse LDAP URL \"%s\": %s",
1775  val, ldap_err2string(rc));
1776  return false;
1777  }
1778 
1779  if (strcmp(urldata->lud_scheme, "ldap") != 0 &&
1780  strcmp(urldata->lud_scheme, "ldaps") != 0)
1781  {
1782  ereport(elevel,
1783  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1784  errmsg("unsupported LDAP URL scheme: %s", urldata->lud_scheme)));
1785  *err_msg = psprintf("unsupported LDAP URL scheme: %s",
1786  urldata->lud_scheme);
1787  ldap_free_urldesc(urldata);
1788  return false;
1789  }
1790 
1791  if (urldata->lud_scheme)
1792  hbaline->ldapscheme = pstrdup(urldata->lud_scheme);
1793  if (urldata->lud_host)
1794  hbaline->ldapserver = pstrdup(urldata->lud_host);
1795  hbaline->ldapport = urldata->lud_port;
1796  if (urldata->lud_dn)
1797  hbaline->ldapbasedn = pstrdup(urldata->lud_dn);
1798 
1799  if (urldata->lud_attrs)
1800  hbaline->ldapsearchattribute = pstrdup(urldata->lud_attrs[0]); /* only use first one */
1801  hbaline->ldapscope = urldata->lud_scope;
1802  if (urldata->lud_filter)
1803  hbaline->ldapsearchfilter = pstrdup(urldata->lud_filter);
1804  ldap_free_urldesc(urldata);
1805 #else /* not OpenLDAP */
1806  ereport(elevel,
1807  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
1808  errmsg("LDAP URLs not supported on this platform")));
1809  *err_msg = "LDAP URLs not supported on this platform";
1810 #endif /* not OpenLDAP */
1811  }
1812  else if (strcmp(name, "ldaptls") == 0)
1813  {
1814  REQUIRE_AUTH_OPTION(uaLDAP, "ldaptls", "ldap");
1815  if (strcmp(val, "1") == 0)
1816  hbaline->ldaptls = true;
1817  else
1818  hbaline->ldaptls = false;
1819  }
1820  else if (strcmp(name, "ldapscheme") == 0)
1821  {
1822  REQUIRE_AUTH_OPTION(uaLDAP, "ldapscheme", "ldap");
1823  if (strcmp(val, "ldap") != 0 && strcmp(val, "ldaps") != 0)
1824  ereport(elevel,
1825  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1826  errmsg("invalid ldapscheme value: \"%s\"", val),
1827  errcontext("line %d of configuration file \"%s\"",
1828  line_num, HbaFileName)));
1829  hbaline->ldapscheme = pstrdup(val);
1830  }
1831  else if (strcmp(name, "ldapserver") == 0)
1832  {
1833  REQUIRE_AUTH_OPTION(uaLDAP, "ldapserver", "ldap");
1834  hbaline->ldapserver = pstrdup(val);
1835  }
1836  else if (strcmp(name, "ldapport") == 0)
1837  {
1838  REQUIRE_AUTH_OPTION(uaLDAP, "ldapport", "ldap");
1839  hbaline->ldapport = atoi(val);
1840  if (hbaline->ldapport == 0)
1841  {
1842  ereport(elevel,
1843  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1844  errmsg("invalid LDAP port number: \"%s\"", val),
1845  errcontext("line %d of configuration file \"%s\"",
1846  line_num, HbaFileName)));
1847  *err_msg = psprintf("invalid LDAP port number: \"%s\"", val);
1848  return false;
1849  }
1850  }
1851  else if (strcmp(name, "ldapbinddn") == 0)
1852  {
1853  REQUIRE_AUTH_OPTION(uaLDAP, "ldapbinddn", "ldap");
1854  hbaline->ldapbinddn = pstrdup(val);
1855  }
1856  else if (strcmp(name, "ldapbindpasswd") == 0)
1857  {
1858  REQUIRE_AUTH_OPTION(uaLDAP, "ldapbindpasswd", "ldap");
1859  hbaline->ldapbindpasswd = pstrdup(val);
1860  }
1861  else if (strcmp(name, "ldapsearchattribute") == 0)
1862  {
1863  REQUIRE_AUTH_OPTION(uaLDAP, "ldapsearchattribute", "ldap");
1864  hbaline->ldapsearchattribute = pstrdup(val);
1865  }
1866  else if (strcmp(name, "ldapsearchfilter") == 0)
1867  {
1868  REQUIRE_AUTH_OPTION(uaLDAP, "ldapsearchfilter", "ldap");
1869  hbaline->ldapsearchfilter = pstrdup(val);
1870  }
1871  else if (strcmp(name, "ldapbasedn") == 0)
1872  {
1873  REQUIRE_AUTH_OPTION(uaLDAP, "ldapbasedn", "ldap");
1874  hbaline->ldapbasedn = pstrdup(val);
1875  }
1876  else if (strcmp(name, "ldapprefix") == 0)
1877  {
1878  REQUIRE_AUTH_OPTION(uaLDAP, "ldapprefix", "ldap");
1879  hbaline->ldapprefix = pstrdup(val);
1880  }
1881  else if (strcmp(name, "ldapsuffix") == 0)
1882  {
1883  REQUIRE_AUTH_OPTION(uaLDAP, "ldapsuffix", "ldap");
1884  hbaline->ldapsuffix = pstrdup(val);
1885  }
1886  else if (strcmp(name, "krb_realm") == 0)
1887  {
1888  if (hbaline->auth_method != uaGSS &&
1889  hbaline->auth_method != uaSSPI)
1890  INVALID_AUTH_OPTION("krb_realm", gettext_noop("gssapi and sspi"));
1891  hbaline->krb_realm = pstrdup(val);
1892  }
1893  else if (strcmp(name, "include_realm") == 0)
1894  {
1895  if (hbaline->auth_method != uaGSS &&
1896  hbaline->auth_method != uaSSPI)
1897  INVALID_AUTH_OPTION("include_realm", gettext_noop("gssapi and sspi"));
1898  if (strcmp(val, "1") == 0)
1899  hbaline->include_realm = true;
1900  else
1901  hbaline->include_realm = false;
1902  }
1903  else if (strcmp(name, "compat_realm") == 0)
1904  {
1905  if (hbaline->auth_method != uaSSPI)
1906  INVALID_AUTH_OPTION("compat_realm", gettext_noop("sspi"));
1907  if (strcmp(val, "1") == 0)
1908  hbaline->compat_realm = true;
1909  else
1910  hbaline->compat_realm = false;
1911  }
1912  else if (strcmp(name, "upn_username") == 0)
1913  {
1914  if (hbaline->auth_method != uaSSPI)
1915  INVALID_AUTH_OPTION("upn_username", gettext_noop("sspi"));
1916  if (strcmp(val, "1") == 0)
1917  hbaline->upn_username = true;
1918  else
1919  hbaline->upn_username = false;
1920  }
1921  else if (strcmp(name, "radiusservers") == 0)
1922  {
1923  struct addrinfo *gai_result;
1924  struct addrinfo hints;
1925  int ret;
1926  List *parsed_servers;
1927  ListCell *l;
1928  char *dupval = pstrdup(val);
1929 
1930  REQUIRE_AUTH_OPTION(uaRADIUS, "radiusservers", "radius");
1931 
1932  if (!SplitGUCList(dupval, ',', &parsed_servers))
1933  {
1934  /* syntax error in list */
1935  ereport(elevel,
1936  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1937  errmsg("could not parse RADIUS server list \"%s\"",
1938  val),
1939  errcontext("line %d of configuration file \"%s\"",
1940  line_num, HbaFileName)));
1941  return false;
1942  }
1943 
1944  /* For each entry in the list, translate it */
1945  foreach(l, parsed_servers)
1946  {
1947  MemSet(&hints, 0, sizeof(hints));
1948  hints.ai_socktype = SOCK_DGRAM;
1949  hints.ai_family = AF_UNSPEC;
1950 
1951  ret = pg_getaddrinfo_all((char *) lfirst(l), NULL, &hints, &gai_result);
1952  if (ret || !gai_result)
1953  {
1954  ereport(elevel,
1955  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1956  errmsg("could not translate RADIUS server name \"%s\" to address: %s",
1957  (char *) lfirst(l), gai_strerror(ret)),
1958  errcontext("line %d of configuration file \"%s\"",
1959  line_num, HbaFileName)));
1960  if (gai_result)
1961  pg_freeaddrinfo_all(hints.ai_family, gai_result);
1962 
1963  list_free(parsed_servers);
1964  return false;
1965  }
1966  pg_freeaddrinfo_all(hints.ai_family, gai_result);
1967  }
1968 
1969  /* All entries are OK, so store them */
1970  hbaline->radiusservers = parsed_servers;
1971  hbaline->radiusservers_s = pstrdup(val);
1972  }
1973  else if (strcmp(name, "radiusports") == 0)
1974  {
1975  List *parsed_ports;
1976  ListCell *l;
1977  char *dupval = pstrdup(val);
1978 
1979  REQUIRE_AUTH_OPTION(uaRADIUS, "radiusports", "radius");
1980 
1981  if (!SplitGUCList(dupval, ',', &parsed_ports))
1982  {
1983  ereport(elevel,
1984  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1985  errmsg("could not parse RADIUS port list \"%s\"",
1986  val),
1987  errcontext("line %d of configuration file \"%s\"",
1988  line_num, HbaFileName)));
1989  *err_msg = psprintf("invalid RADIUS port number: \"%s\"", val);
1990  return false;
1991  }
1992 
1993  foreach(l, parsed_ports)
1994  {
1995  if (atoi(lfirst(l)) == 0)
1996  {
1997  ereport(elevel,
1998  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1999  errmsg("invalid RADIUS port number: \"%s\"", val),
2000  errcontext("line %d of configuration file \"%s\"",
2001  line_num, HbaFileName)));
2002 
2003  return false;
2004  }
2005  }
2006  hbaline->radiusports = parsed_ports;
2007  hbaline->radiusports_s = pstrdup(val);
2008  }
2009  else if (strcmp(name, "radiussecrets") == 0)
2010  {
2011  List *parsed_secrets;
2012  char *dupval = pstrdup(val);
2013 
2014  REQUIRE_AUTH_OPTION(uaRADIUS, "radiussecrets", "radius");
2015 
2016  if (!SplitGUCList(dupval, ',', &parsed_secrets))
2017  {
2018  /* syntax error in list */
2019  ereport(elevel,
2020  (errcode(ERRCODE_CONFIG_FILE_ERROR),
2021  errmsg("could not parse RADIUS secret list \"%s\"",
2022  val),
2023  errcontext("line %d of configuration file \"%s\"",
2024  line_num, HbaFileName)));
2025  return false;
2026  }
2027 
2028  hbaline->radiussecrets = parsed_secrets;
2029  hbaline->radiussecrets_s = pstrdup(val);
2030  }
2031  else if (strcmp(name, "radiusidentifiers") == 0)
2032  {
2033  List *parsed_identifiers;
2034  char *dupval = pstrdup(val);
2035 
2036  REQUIRE_AUTH_OPTION(uaRADIUS, "radiusidentifiers", "radius");
2037 
2038  if (!SplitGUCList(dupval, ',', &parsed_identifiers))
2039  {
2040  /* syntax error in list */
2041  ereport(elevel,
2042  (errcode(ERRCODE_CONFIG_FILE_ERROR),
2043  errmsg("could not parse RADIUS identifiers list \"%s\"",
2044  val),
2045  errcontext("line %d of configuration file \"%s\"",
2046  line_num, HbaFileName)));
2047  return false;
2048  }
2049 
2050  hbaline->radiusidentifiers = parsed_identifiers;
2051  hbaline->radiusidentifiers_s = pstrdup(val);
2052  }
2053  else
2054  {
2055  ereport(elevel,
2056  (errcode(ERRCODE_CONFIG_FILE_ERROR),
2057  errmsg("unrecognized authentication option name: \"%s\"",
2058  name),
2059  errcontext("line %d of configuration file \"%s\"",
2060  line_num, HbaFileName)));
2061  *err_msg = psprintf("unrecognized authentication option name: \"%s\"",
2062  name);
2063  return false;
2064  }
2065  return true;
2066 }
HbaLine::ldapscope
int ldapscope
Definition: hba.h:95
HbaLine::radiusports_s
char * radiusports_s
Definition: hba.h:110
uaIdent
Definition: hba.h:30
HbaLine::ldapserver
char * ldapserver
Definition: hba.h:88
REQUIRE_AUTH_OPTION
#define REQUIRE_AUTH_OPTION(methodval, optname, validmethods)
Definition: hba.c:874
pg_freeaddrinfo_all
void pg_freeaddrinfo_all(int hint_ai_family, struct addrinfo *ai)
Definition: ip.c:88
uaLDAP
Definition: hba.h:38
HbaLine::ldapport
int ldapport
Definition: hba.h:89
HbaLine::ldapbasedn
char * ldapbasedn
Definition: hba.h:94
HbaLine::ldapscheme
char * ldapscheme
Definition: hba.h:87
HbaLine::pamservice
char * pamservice
Definition: hba.h:84
pstrdup
char * pstrdup(const char *in)
Definition: mcxt.c:1186
psprintf
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
uaSSPI
Definition: hba.h:35
gettext_noop
#define gettext_noop(x)
Definition: c.h:1166
errcode
int errcode(int sqlerrcode)
Definition: elog.c:610
MemSet
#define MemSet(start, val, len)
Definition: c.h:978
HbaLine::radiussecrets
List * radiussecrets
Definition: hba.h:105
gai_strerror
#define gai_strerror
Definition: getaddrinfo.h:146
HbaLine::ldapsuffix
char * ldapsuffix
Definition: hba.h:97
HbaFileName
char * HbaFileName
Definition: guc.c:557
pg_getaddrinfo_all
int pg_getaddrinfo_all(const char *hostname, const char *servname, const struct addrinfo *hintp, struct addrinfo **result)
Definition: ip.c:57
INVALID_AUTH_OPTION
#define INVALID_AUTH_OPTION(optname, validmethods)
Definition: hba.c:860
uaGSS
Definition: hba.h:34
HbaLine::conntype
ConnType conntype
Definition: hba.h:74
HbaLine::radiusservers_s
char * radiusservers_s
Definition: hba.h:104
ctHostSSL
Definition: hba.h:57
HbaLine::pam_use_hostname
bool pam_use_hostname
Definition: hba.h:85
uaCert
Definition: hba.h:39
HbaLine::usermap
char * usermap
Definition: hba.h:83
HbaLine::radiusports
List * radiusports
Definition: hba.h:109
HbaLine::radiusservers
List * radiusservers
Definition: hba.h:103
HbaLine::include_realm
bool include_realm
Definition: hba.h:100
HbaLine::ldapbinddn
char * ldapbinddn
Definition: hba.h:90
HbaLine::krb_realm
char * krb_realm
Definition: hba.h:99
HbaLine::linenumber
int linenumber
Definition: hba.h:72
HbaLine::ldapbindpasswd
char * ldapbindpasswd
Definition: hba.h:91
HbaLine::ldapprefix
char * ldapprefix
Definition: hba.h:96
elevel
static int elevel
Definition: vacuumlazy.c:330
HbaLine::radiusidentifiers_s
char * radiusidentifiers_s
Definition: hba.h:108
HbaLine::radiusidentifiers
List * radiusidentifiers
Definition: hba.h:107
HbaLine::radiussecrets_s
char * radiussecrets_s
Definition: hba.h:106
ereport
#define ereport(elevel,...)
Definition: elog.h:144
lfirst
#define lfirst(lc)
Definition: pg_list.h:190
HbaLine::ldapsearchfilter
char * ldapsearchfilter
Definition: hba.h:93
HbaLine::clientcert
ClientCertMode clientcert
Definition: hba.h:98
HbaLine::ldaptls
bool ldaptls
Definition: hba.h:86
HbaLine::ldapsearchattribute
char * ldapsearchattribute
Definition: hba.h:92
name
const char * name
Definition: encode.c:561
HbaLine::upn_username
bool upn_username
Definition: hba.h:102
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824
list_free
void list_free(List *list)
Definition: list.c:1376
errcontext
#define errcontext
Definition: elog.h:185
SplitGUCList
bool SplitGUCList(char *rawstring, char separator, List **namelist)
Definition: varlena.c:3934
List
Definition: pg_list.h:50
uaPAM
Definition: hba.h:36
HbaLine::compat_realm
bool compat_realm
Definition: hba.h:101
val
long val
Definition: informix.c:664
uaRADIUS
Definition: hba.h:40
HbaLine::auth_method
UserAuth auth_method
Definition: hba.h:81

◆ parse_hba_line()

static HbaLine* parse_hba_line ( TokenizedLine tok_line,
int  elevel 
)
static

Definition at line 945 of file hba.c.

References HbaLine::addr, addrinfo::ai_addr, addrinfo::ai_addrlen, addrinfo::ai_canonname, addrinfo::ai_family, addrinfo::ai_flags, addrinfo::ai_next, AI_NUMERICHOST, addrinfo::ai_protocol, addrinfo::ai_socktype, Assert, HbaLine::auth_method, HbaLine::clientcert, clientCertCA, HbaLine::compat_realm, HbaLine::conntype, copy_hba_token(), ctHost, ctHostGSS, ctHostNoGSS, ctHostNoSSL, ctHostSSL, ctLocal, HbaLine::databases, Db_user_namespace, EAI_NONAME, EnableSSL, ereport, TokenizedLine::err_msg, errcode(), errcontext, errhint(), errmsg(), TokenizedLine::fields, gai_strerror, HbaFileName, HbaLine::hostname, HbaLine::include_realm, HbaLine::ip_cmp_method, ipCmpAll, ipCmpMask, ipCmpSameHost, ipCmpSameNet, lappend(), HbaLine::ldapbasedn, HbaLine::ldapbinddn, HbaLine::ldapbindpasswd, HbaLine::ldapprefix, HbaLine::ldapsearchattribute, HbaLine::ldapsearchfilter, HbaLine::ldapserver, HbaLine::ldapsuffix, List::length, lfirst, TokenizedLine::line_num, HbaLine::linenumber, linitial, list_head(), list_length(), lnext(), LOG, MANDATORY_AUTH_ARG, HbaLine::mask, NIL, palloc0(), parse_hba_auth_opt(), pfree(), pg_freeaddrinfo_all(), pg_getaddrinfo_all(), pg_sockaddr_cidr_mask(), psprintf(), pstrdup(), HbaLine::radiusidentifiers, HbaLine::radiusports, HbaLine::radiussecrets, HbaLine::radiusservers, TokenizedLine::raw_line, HbaLine::rawline, HbaLine::roles, generate_unaccent_rules::str, HbaToken::string, token_is_keyword, uaBSD, uaCert, uaGSS, uaIdent, uaLDAP, uaMD5, uaPAM, uaPassword, uaRADIUS, uaReject, uaSCRAM, uaSSPI, uaTrust, HbaLine::upn_username, val, and verify_option_list_length().

Referenced by fill_hba_view(), and load_hba().

946 {
947  int line_num = tok_line->line_num;
948  char **err_msg = &tok_line->err_msg;
949  char *str;
950  struct addrinfo *gai_result;
951  struct addrinfo hints;
952  int ret;
953  char *cidr_slash;
954  char *unsupauth;
955  ListCell *field;
956  List *tokens;
957  ListCell *tokencell;
958  HbaToken *token;
959  HbaLine *parsedline;
960 
961  parsedline = palloc0(sizeof(HbaLine));
962  parsedline->linenumber = line_num;
963  parsedline->rawline = pstrdup(tok_line->raw_line);
964 
965  /* Check the record type. */
966  Assert(tok_line->fields != NIL);
967  field = list_head(tok_line->fields);
968  tokens = lfirst(field);
969  if (tokens->length > 1)
970  {
971  ereport(elevel,
972  (errcode(ERRCODE_CONFIG_FILE_ERROR),
973  errmsg("multiple values specified for connection type"),
974  errhint("Specify exactly one connection type per line."),
975  errcontext("line %d of configuration file \"%s\"",
976  line_num, HbaFileName)));
977  *err_msg = "multiple values specified for connection type";
978  return NULL;
979  }
980  token = linitial(tokens);
981  if (strcmp(token->string, "local") == 0)
982  {
983 #ifdef HAVE_UNIX_SOCKETS
984  parsedline->conntype = ctLocal;
985 #else
986  ereport(elevel,
987  (errcode(ERRCODE_CONFIG_FILE_ERROR),
988  errmsg("local connections are not supported by this build"),
989  errcontext("line %d of configuration file \"%s\"",
990  line_num, HbaFileName)));
991  *err_msg = "local connections are not supported by this build";
992  return NULL;
993 #endif
994  }
995  else if (strcmp(token->string, "host") == 0 ||
996  strcmp(token->string, "hostssl") == 0 ||
997  strcmp(token->string, "hostnossl") == 0 ||
998  strcmp(token->string, "hostgssenc") == 0 ||
999  strcmp(token->string, "hostnogssenc") == 0)
1000  {
1001 
1002  if (token->string[4] == 's') /* "hostssl" */
1003  {
1004  parsedline->conntype = ctHostSSL;
1005  /* Log a warning if SSL support is not active */
1006 #ifdef USE_SSL
1007  if (!EnableSSL)
1008  {
1009  ereport(elevel,
1010  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1011  errmsg("hostssl record cannot match because SSL is disabled"),
1012  errhint("Set ssl = on in postgresql.conf."),
1013  errcontext("line %d of configuration file \"%s\"",
1014  line_num, HbaFileName)));
1015  *err_msg = "hostssl record cannot match because SSL is disabled";
1016  }
1017 #else
1018  ereport(elevel,
1019  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1020  errmsg("hostssl record cannot match because SSL is not supported by this build"),
1021  errhint("Compile with --with-openssl to use SSL connections."),
1022  errcontext("line %d of configuration file \"%s\"",
1023  line_num, HbaFileName)));
1024  *err_msg = "hostssl record cannot match because SSL is not supported by this build";
1025 #endif
1026  }
1027  else if (token->string[4] == 'g') /* "hostgssenc" */
1028  {
1029  parsedline->conntype = ctHostGSS;
1030 #ifndef ENABLE_GSS
1031  ereport(elevel,
1032  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1033  errmsg("hostgssenc record cannot match because GSSAPI is not supported by this build"),
1034  errhint("Compile with --with-gssapi to use GSSAPI connections."),
1035  errcontext("line %d of configuration file \"%s\"",
1036  line_num, HbaFileName)));
1037  *err_msg = "hostgssenc record cannot match because GSSAPI is not supported by this build";
1038 #endif
1039  }
1040  else if (token->string[4] == 'n' && token->string[6] == 's')
1041  parsedline->conntype = ctHostNoSSL;
1042  else if (token->string[4] == 'n' && token->string[6] == 'g')
1043  parsedline->conntype = ctHostNoGSS;
1044  else
1045  {
1046  /* "host" */
1047  parsedline->conntype = ctHost;
1048  }
1049  } /* record type */
1050  else
1051  {
1052  ereport(elevel,
1053  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1054  errmsg("invalid connection type \"%s\"",
1055  token->string),
1056  errcontext("line %d of configuration file \"%s\"",
1057  line_num, HbaFileName)));
1058  *err_msg = psprintf("invalid connection type \"%s\"", token->string);
1059  return NULL;
1060  }
1061 
1062  /* Get the databases. */
1063  field = lnext(tok_line->fields, field);
1064  if (!field)
1065  {
1066  ereport(elevel,
1067  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1068  errmsg("end-of-line before database specification"),
1069  errcontext("line %d of configuration file \"%s\"",
1070  line_num, HbaFileName)));
1071  *err_msg = "end-of-line before database specification";
1072  return NULL;
1073  }
1074  parsedline->databases = NIL;
1075  tokens = lfirst(field);
1076  foreach(tokencell, tokens)
1077  {
1078  parsedline->databases = lappend(parsedline->databases,
1079  copy_hba_token(lfirst(tokencell)));
1080  }
1081 
1082  /* Get the roles. */
1083  field = lnext(tok_line->fields, field);
1084  if (!field)
1085  {
1086  ereport(elevel,
1087  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1088  errmsg("end-of-line before role specification"),
1089  errcontext("line %d of configuration file \"%s\"",
1090  line_num, HbaFileName)));
1091  *err_msg = "end-of-line before role specification";
1092  return NULL;
1093  }
1094  parsedline->roles = NIL;
1095  tokens = lfirst(field);
1096  foreach(tokencell, tokens)
1097  {
1098  parsedline->roles = lappend(parsedline->roles,
1099  copy_hba_token(lfirst(tokencell)));
1100  }
1101 
1102  if (parsedline->conntype != ctLocal)
1103  {
1104  /* Read the IP address field. (with or without CIDR netmask) */
1105  field = lnext(tok_line->fields, field);
1106  if (!field)
1107  {
1108  ereport(elevel,
1109  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1110  errmsg("end-of-line before IP address specification"),
1111  errcontext("line %d of configuration file \"%s\"",
1112  line_num, HbaFileName)));
1113  *err_msg = "end-of-line before IP address specification";
1114  return NULL;
1115  }
1116  tokens = lfirst(field);
1117  if (tokens->length > 1)
1118  {
1119  ereport(elevel,
1120  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1121  errmsg("multiple values specified for host address"),
1122  errhint("Specify one address range per line."),
1123  errcontext("line %d of configuration file \"%s\"",
1124  line_num, HbaFileName)));
1125  *err_msg = "multiple values specified for host address";
1126  return NULL;
1127  }
1128  token = linitial(tokens);
1129 
1130  if (token_is_keyword(token, "all"))
1131  {
1132  parsedline->ip_cmp_method = ipCmpAll;
1133  }
1134  else if (token_is_keyword(token, "samehost"))
1135  {
1136  /* Any IP on this host is allowed to connect */
1137  parsedline->ip_cmp_method = ipCmpSameHost;
1138  }
1139  else if (token_is_keyword(token, "samenet"))
1140  {
1141  /* Any IP on the host's subnets is allowed to connect */
1142  parsedline->ip_cmp_method = ipCmpSameNet;
1143  }
1144  else
1145  {
1146  /* IP and netmask are specified */
1147  parsedline->ip_cmp_method = ipCmpMask;
1148 
1149  /* need a modifiable copy of token */
1150  str = pstrdup(token->string);
1151 
1152  /* Check if it has a CIDR suffix and if so isolate it */
1153  cidr_slash = strchr(str, '/');
1154  if (cidr_slash)
1155  *cidr_slash = '\0';
1156 
1157  /* Get the IP address either way */
1158  hints.ai_flags = AI_NUMERICHOST;
1159  hints.ai_family = AF_UNSPEC;
1160  hints.ai_socktype = 0;
1161  hints.ai_protocol = 0;
1162  hints.ai_addrlen = 0;
1163  hints.ai_canonname = NULL;
1164  hints.ai_addr = NULL;
1165  hints.ai_next = NULL;
1166 
1167  ret = pg_getaddrinfo_all(str, NULL, &hints, &gai_result);
1168  if (ret == 0 && gai_result)
1169  memcpy(&parsedline->addr, gai_result->ai_addr,
1170  gai_result->ai_addrlen);
1171  else if (ret == EAI_NONAME)
1172  parsedline->hostname = str;
1173  else
1174  {
1175  ereport(elevel,
1176  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1177  errmsg("invalid IP address \"%s\": %s",
1178  str, gai_strerror(ret)),
1179  errcontext("line %d of configuration file \"%s\"",
1180  line_num, HbaFileName)));
1181  *err_msg = psprintf("invalid IP address \"%s\": %s",
1182  str, gai_strerror(ret));
1183  if (gai_result)
1184  pg_freeaddrinfo_all(hints.ai_family, gai_result);
1185  return NULL;
1186  }
1187 
1188  pg_freeaddrinfo_all(hints.ai_family, gai_result);
1189 
1190  /* Get the netmask */
1191  if (cidr_slash)
1192  {
1193  if (parsedline->hostname)
1194  {
1195  ereport(elevel,
1196  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1197  errmsg("specifying both host name and CIDR mask is invalid: \"%s\"",
1198  token->string),
1199  errcontext("line %d of configuration file \"%s\"",
1200  line_num, HbaFileName)));
1201  *err_msg = psprintf("specifying both host name and CIDR mask is invalid: \"%s\"",
1202  token->string);
1203  return NULL;
1204  }
1205 
1206  if (pg_sockaddr_cidr_mask(&parsedline->mask, cidr_slash + 1,
1207  parsedline->addr.ss_family) < 0)
1208  {
1209  ereport(elevel,
1210  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1211  errmsg("invalid CIDR mask in address \"%s\"",
1212  token->string),
1213  errcontext("line %d of configuration file \"%s\"",
1214  line_num, HbaFileName)));
1215  *err_msg = psprintf("invalid CIDR mask in address \"%s\"",
1216  token->string);
1217  return NULL;
1218  }
1219  pfree(str);
1220  }
1221  else if (!parsedline->hostname)
1222  {
1223  /* Read the mask field. */
1224  pfree(str);
1225  field = lnext(tok_line->fields, field);
1226  if (!field)
1227  {
1228  ereport(elevel,
1229  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1230  errmsg("end-of-line before netmask specification"),
1231  errhint("Specify an address range in CIDR notation, or provide a separate netmask."),
1232  errcontext("line %d of configuration file \"%s\"",
1233  line_num, HbaFileName)));
1234  *err_msg = "end-of-line before netmask specification";
1235  return NULL;
1236  }
1237  tokens = lfirst(field);
1238  if (tokens->length > 1)
1239  {
1240  ereport(elevel,
1241  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1242  errmsg("multiple values specified for netmask"),
1243  errcontext("line %d of configuration file \"%s\"",
1244  line_num, HbaFileName)));
1245  *err_msg = "multiple values specified for netmask";
1246  return NULL;
1247  }
1248  token = linitial(tokens);
1249 
1250  ret = pg_getaddrinfo_all(token->string, NULL,
1251  &hints, &gai_result);
1252  if (ret || !gai_result)
1253  {
1254  ereport(elevel,
1255  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1256  errmsg("invalid IP mask \"%s\": %s",
1257  token->string, gai_strerror(ret)),
1258  errcontext("line %d of configuration file \"%s\"",
1259  line_num, HbaFileName)));
1260  *err_msg = psprintf("invalid IP mask \"%s\": %s",
1261  token->string, gai_strerror(ret));
1262  if (gai_result)
1263  pg_freeaddrinfo_all(hints.ai_family, gai_result);
1264  return NULL;
1265  }
1266 
1267  memcpy(&parsedline->mask, gai_result->ai_addr,
1268  gai_result->ai_addrlen);
1269  pg_freeaddrinfo_all(hints.ai_family, gai_result);
1270 
1271  if (parsedline->addr.ss_family != parsedline->mask.ss_family)
1272  {
1273  ereport(elevel,
1274  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1275  errmsg("IP address and mask do not match"),
1276  errcontext("line %d of configuration file \"%s\"",
1277  line_num, HbaFileName)));
1278  *err_msg = "IP address and mask do not match";
1279  return NULL;
1280  }
1281  }
1282  }
1283  } /* != ctLocal */
1284 
1285  /* Get the authentication method */
1286  field = lnext(tok_line->fields, field);
1287  if (!field)
1288  {
1289  ereport(elevel,
1290  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1291  errmsg("end-of-line before authentication method"),
1292  errcontext("line %d of configuration file \"%s\"",
1293  line_num, HbaFileName)));
1294  *err_msg = "end-of-line before authentication method";
1295  return NULL;
1296  }
1297  tokens = lfirst(field);
1298  if (tokens->length > 1)
1299  {
1300  ereport(elevel,
1301  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1302  errmsg("multiple values specified for authentication type"),
1303  errhint("Specify exactly one authentication type per line."),
1304  errcontext("line %d of configuration file \"%s\"",
1305  line_num, HbaFileName)));
1306  *err_msg = "multiple values specified for authentication type";
1307  return NULL;
1308  }
1309  token = linitial(tokens);
1310 
1311  unsupauth = NULL;
1312  if (strcmp(token->string, "trust") == 0)
1313  parsedline->auth_method = uaTrust;
1314  else if (strcmp(token->string, "ident") == 0)
1315  parsedline->auth_method = uaIdent;
1316  else if (strcmp(token->string, "peer") == 0)
1317  parsedline->auth_method = uaPeer;
1318  else if (strcmp(token->string, "password") == 0)
1319  parsedline->auth_method = uaPassword;
1320  else if (strcmp(token->string, "gss") == 0)
1321 #ifdef ENABLE_GSS
1322  parsedline->auth_method = uaGSS;
1323 #else
1324  unsupauth = "gss";
1325 #endif
1326  else if (strcmp(token->string, "sspi") == 0)
1327 #ifdef ENABLE_SSPI
1328  parsedline->auth_method = uaSSPI;
1329 #else
1330  unsupauth = "sspi";
1331 #endif
1332  else if (strcmp(token->string, "reject") == 0)
1333  parsedline->auth_method = uaReject;
1334  else if (strcmp(token->string, "md5") == 0)
1335  {
1336  if (Db_user_namespace)
1337  {
1338  ereport(elevel,
1339  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1340  errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"),
1341  errcontext("line %d of configuration file \"%s\"",
1342  line_num, HbaFileName)));
1343  *err_msg = "MD5 authentication is not supported when \"db_user_namespace\" is enabled";
1344  return NULL;
1345  }
1346  parsedline->auth_method = uaMD5;
1347  }
1348  else if (strcmp(token->string, "scram-sha-256") == 0)
1349  parsedline->auth_method = uaSCRAM;
1350  else if (strcmp(token->string, "pam") == 0)
1351 #ifdef USE_PAM
1352  parsedline->auth_method = uaPAM;
1353 #else
1354  unsupauth = "pam";
1355 #endif
1356  else if (strcmp(token->string, "bsd") == 0)
1357 #ifdef USE_BSD_AUTH
1358  parsedline->auth_method = uaBSD;
1359 #else
1360  unsupauth = "bsd";
1361 #endif
1362  else if (strcmp(token->string, "ldap") == 0)
1363 #ifdef USE_LDAP
1364  parsedline->auth_method = uaLDAP;
1365 #else
1366  unsupauth = "ldap";
1367 #endif
1368  else if (strcmp(token->string, "cert") == 0)
1369 #ifdef USE_SSL
1370  parsedline->auth_method = uaCert;
1371 #else
1372  unsupauth = "cert";
1373 #endif
1374  else if (strcmp(token->string, "radius") == 0)
1375  parsedline->auth_method = uaRADIUS;
1376  else
1377  {
1378  ereport(elevel,
1379  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1380  errmsg("invalid authentication method \"%s\"",
1381  token->string),
1382  errcontext("line %d of configuration file \"%s\"",
1383  line_num, HbaFileName)));
1384  *err_msg = psprintf("invalid authentication method \"%s\"",
1385  token->string);
1386  return NULL;
1387  }
1388 
1389  if (unsupauth)
1390  {
1391  ereport(elevel,
1392  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1393  errmsg("invalid authentication method \"%s\": not supported by this build",
1394  token->string),
1395  errcontext("line %d of configuration file \"%s\"",
1396  line_num, HbaFileName)));
1397  *err_msg = psprintf("invalid authentication method \"%s\": not supported by this build",
1398  token->string);
1399  return NULL;
1400  }
1401 
1402  /*
1403  * XXX: When using ident on local connections, change it to peer, for
1404  * backwards compatibility.
1405  */
1406  if (parsedline->conntype == ctLocal &&
1407  parsedline->auth_method == uaIdent)
1408  parsedline->auth_method = uaPeer;
1409 
1410  /* Invalid authentication combinations */
1411  if (parsedline->conntype == ctLocal &&
1412  parsedline->auth_method == uaGSS)
1413  {
1414  ereport(elevel,
1415  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1416  errmsg("gssapi authentication is not supported on local sockets"),
1417  errcontext("line %d of configuration file \"%s\"",
1418  line_num, HbaFileName)));
1419  *err_msg = "gssapi authentication is not supported on local sockets";
1420  return NULL;
1421  }
1422  if (parsedline->conntype == ctHostGSS &&
1423  parsedline->auth_method != uaGSS &&
1424  parsedline->auth_method != uaReject &&
1425  parsedline->auth_method != uaTrust)
1426  {
1427  ereport(elevel,
1428  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1429  errmsg("GSSAPI encryption only supports gss, trust, or reject authentication"),
1430  errcontext("line %d of configuration file \"%s\"",
1431  line_num, HbaFileName)));
1432  *err_msg = "GSSAPI encryption only supports gss, trust, or reject authentication";
1433  return NULL;
1434  }
1435 
1436  if (parsedline->conntype != ctLocal &&
1437  parsedline->auth_method == uaPeer)
1438  {
1439  ereport(elevel,
1440  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1441  errmsg("peer authentication is only supported on local sockets"),
1442  errcontext("line %d of configuration file \"%s\"",
1443  line_num, HbaFileName)));
1444  *err_msg = "peer authentication is only supported on local sockets";
1445  return NULL;
1446  }
1447 
1448  /*
1449  * SSPI authentication can never be enabled on ctLocal connections,
1450  * because it's only supported on Windows, where ctLocal isn't supported.
1451  */
1452 
1453 
1454  if (parsedline->conntype != ctHostSSL &&
1455  parsedline->auth_method == uaCert)
1456  {
1457  ereport(elevel,
1458  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1459  errmsg("cert authentication is only supported on hostssl connections"),
1460  errcontext("line %d of configuration file \"%s\"",
1461  line_num, HbaFileName)));
1462  *err_msg = "cert authentication is only supported on hostssl connections";
1463  return NULL;
1464  }
1465 
1466  /*
1467  * For GSS and SSPI, set the default value of include_realm to true.
1468  * Having include_realm set to false is dangerous in multi-realm
1469  * situations and is generally considered bad practice. We keep the
1470  * capability around for backwards compatibility, but we might want to
1471  * remove it at some point in the future. Users who still need to strip
1472  * the realm off would be better served by using an appropriate regex in a
1473  * pg_ident.conf mapping.
1474  */
1475  if (parsedline->auth_method == uaGSS ||
1476  parsedline->auth_method == uaSSPI)
1477  parsedline->include_realm = true;
1478 
1479  /*
1480  * For SSPI, include_realm defaults to the SAM-compatible domain (aka
1481  * NetBIOS name) and user names instead of the Kerberos principal name for
1482  * compatibility.
1483  */
1484  if (parsedline->auth_method == uaSSPI)
1485  {
1486  parsedline->compat_realm = true;
1487  parsedline->upn_username = false;
1488  }
1489 
1490  /* Parse remaining arguments */
1491  while ((field = lnext(tok_line->fields, field)) != NULL)
1492  {
1493  tokens = lfirst(field);
1494  foreach(tokencell, tokens)
1495  {
1496  char *val;
1497 
1498  token = lfirst(tokencell);
1499 
1500  str = pstrdup(token->string);
1501  val = strchr(str, '=');
1502  if (val == NULL)
1503  {
1504  /*
1505  * Got something that's not a name=value pair.
1506  */
1507  ereport(elevel,
1508  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1509  errmsg("authentication option not in name=value format: %s", token->string),
1510  errcontext("line %d of configuration file \"%s\"",
1511  line_num, HbaFileName)));
1512  *err_msg = psprintf("authentication option not in name=value format: %s",
1513  token->string);
1514  return NULL;
1515  }
1516 
1517  *val++ = '\0'; /* str now holds "name", val holds "value" */
1518  if (!parse_hba_auth_opt(str, val, parsedline, elevel, err_msg))
1519  /* parse_hba_auth_opt already logged the error message */
1520  return NULL;
1521  pfree(str);
1522  }
1523  }
1524 
1525  /*
1526  * Check if the selected authentication method has any mandatory arguments
1527  * that are not set.
1528  */
1529  if (parsedline->auth_method == uaLDAP)
1530  {
1531 #ifndef HAVE_LDAP_INITIALIZE
1532  /* Not mandatory for OpenLDAP, because it can use DNS SRV records */
1533  MANDATORY_AUTH_ARG(parsedline->ldapserver, "ldapserver", "ldap");
1534 #endif
1535 
1536  /*
1537  * LDAP can operate in two modes: either with a direct bind, using
1538  * ldapprefix and ldapsuffix, or using a search+bind, using
1539  * ldapbasedn, ldapbinddn, ldapbindpasswd and one of
1540  * ldapsearchattribute or ldapsearchfilter. Disallow mixing these
1541  * parameters.
1542  */
1543  if (parsedline->ldapprefix || parsedline->ldapsuffix)
1544  {
1545  if (parsedline->ldapbasedn ||
1546  parsedline->ldapbinddn ||
1547  parsedline->ldapbindpasswd ||
1548  parsedline->ldapsearchattribute ||
1549  parsedline->ldapsearchfilter)
1550  {
1551  ereport(elevel,
1552  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1553  errmsg("cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix"),
1554  errcontext("line %d of configuration file \"%s\"",
1555  line_num, HbaFileName)));
1556  *err_msg = "cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix";
1557  return NULL;
1558  }
1559  }
1560  else if (!parsedline->ldapbasedn)
1561  {
1562  ereport(elevel,
1563  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1564  errmsg("authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set"),
1565  errcontext("line %d of configuration file \"%s\"",
1566  line_num, HbaFileName)));
1567  *err_msg = "authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set";
1568  return NULL;
1569  }
1570 
1571  /*
1572  * When using search+bind, you can either use a simple attribute
1573  * (defaulting to "uid") or a fully custom search filter. You can't
1574  * do both.
1575  */
1576  if (parsedline->ldapsearchattribute && parsedline->ldapsearchfilter)
1577  {
1578  ereport(elevel,
1579  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1580  errmsg("cannot use ldapsearchattribute together with ldapsearchfilter"),
1581  errcontext("line %d of configuration file \"%s\"",
1582  line_num, HbaFileName)));
1583  *err_msg = "cannot use ldapsearchattribute together with ldapsearchfilter";
1584  return NULL;
1585  }
1586  }
1587 
1588  if (parsedline->auth_method == uaRADIUS)
1589  {
1590  MANDATORY_AUTH_ARG(parsedline->radiusservers, "radiusservers", "radius");
1591  MANDATORY_AUTH_ARG(parsedline->radiussecrets, "radiussecrets", "radius");
1592 
1593  if (list_length(parsedline->radiusservers) < 1)
1594  {
1595  ereport(LOG,
1596  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1597  errmsg("list of RADIUS servers cannot be empty"),
1598  errcontext("line %d of configuration file \"%s\"",
1599  line_num, HbaFileName)));
1600  return NULL;
1601  }
1602 
1603  if (list_length(parsedline->radiussecrets) < 1)
1604  {
1605  ereport(LOG,
1606  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1607  errmsg("list of RADIUS secrets cannot be empty"),
1608  errcontext("line %d of configuration file \"%s\"",
1609  line_num, HbaFileName)));
1610  return NULL;
1611  }
1612 
1613  /*
1614  * Verify length of option lists - each can be 0 (except for secrets,
1615  * but that's already checked above), 1 (use the same value
1616  * everywhere) or the same as the number of servers.
1617  */
1618  if (!verify_option_list_length(parsedline->radiussecrets,
1619  "RADIUS secrets",
1620  parsedline->radiusservers,
1621  "RADIUS servers",
1622  line_num))
1623  return NULL;
1624  if (!verify_option_list_length(parsedline->radiusports,
1625  "RADIUS ports",
1626  parsedline->radiusservers,
1627  "RADIUS servers",
1628  line_num))
1629  return NULL;
1630  if (!verify_option_list_length(parsedline->radiusidentifiers,
1631  "RADIUS identifiers",
1632  parsedline->radiusservers,
1633  "RADIUS servers",
1634  line_num))
1635  return NULL;
1636  }
1637 
1638  /*
1639  * Enforce any parameters implied by other settings.
1640  */
1641  if (parsedline->auth_method == uaCert)
1642  {
1643  parsedline->clientcert = clientCertCA;
1644  }
1645 
1646  return parsedline;
1647 }
HbaLine::databases
List * databases
Definition: hba.h:75
HbaLine
Definition: hba.h:70
NIL
#define NIL
Definition: pg_list.h:65
uaIdent
Definition: hba.h:30
EnableSSL
bool EnableSSL
Definition: postmaster.c:236
HbaLine::ldapserver
char * ldapserver
Definition: hba.h:88
pg_freeaddrinfo_all
void pg_freeaddrinfo_all(int hint_ai_family, struct addrinfo *ai)
Definition: ip.c:88
HbaLine::mask
struct sockaddr_storage mask
Definition: hba.h:78
errhint
int errhint(const char *fmt,...)
Definition: elog.c:1071
uaLDAP
Definition: hba.h:38
HbaLine::ldapbasedn
char * ldapbasedn
Definition: hba.h:94
lnext
static ListCell * lnext(const List *l, const ListCell *c)
Definition: pg_list.h:321
uaMD5
Definition: hba.h:32
parse_hba_auth_opt
static bool parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int elevel, char **err_msg)
Definition: hba.c:1680
ipCmpMask
Definition: hba.h:47
pstrdup
char * pstrdup(const char *in)
Definition: mcxt.c:1186
psprintf
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
uaSSPI
Definition: hba.h:35
errcode
int errcode(int sqlerrcode)
Definition: elog.c:610
LOG
#define LOG
Definition: elog.h:26
AI_NUMERICHOST
#define AI_NUMERICHOST
Definition: getaddrinfo.h:73
HbaLine::radiussecrets
List * radiussecrets
Definition: hba.h:105
gai_strerror
#define gai_strerror
Definition: getaddrinfo.h:146
HbaLine::ldapsuffix
char * ldapsuffix
Definition: hba.h:97
HbaFileName
char * HbaFileName
Definition: guc.c:557
pg_getaddrinfo_all
int pg_getaddrinfo_all(const char *hostname, const char *servname, const struct addrinfo *hintp, struct addrinfo **result)
Definition: ip.c:57
uaGSS
Definition: hba.h:34
uaPassword
Definition: hba.h:31
HbaLine::conntype
ConnType conntype
Definition: hba.h:74
pfree
void pfree(void *pointer)
Definition: mcxt.c:1056
ctHostSSL
Definition: hba.h:57
linitial
#define linitial(l)
Definition: pg_list.h:195
uaCert
Definition: hba.h:39
pg_sockaddr_cidr_mask
int pg_sockaddr_cidr_mask(struct sockaddr_storage *mask, char *numbits, int family)
Definition: ifaddr.c:115
HbaLine::addr
struct sockaddr_storage addr
Definition: hba.h:77
ctHostGSS
Definition: hba.h:59
TokenizedLine::line_num
int line_num
Definition: hba.c:92
HbaLine::radiusports
List * radiusports
Definition: hba.h:109
uaReject
Definition: hba.h:27
HbaLine::radiusservers
List * radiusservers
Definition: hba.h:103
HbaLine::include_realm
bool include_realm
Definition: hba.h:100
uaTrust
Definition: hba.h:29
generate_unaccent_rules.str
str
Definition: generate_unaccent_rules.py:282
Db_user_namespace
bool Db_user_namespace
Definition: postmaster.c:243
TokenizedLine::err_msg
char * err_msg
Definition: hba.c:94
HbaToken
Definition: hba.c:75
HbaLine::ldapbinddn
char * ldapbinddn
Definition: hba.h:90
EAI_NONAME
#define EAI_NONAME
Definition: getaddrinfo.h:34
list_head
static ListCell * list_head(const List *l)
Definition: pg_list.h:125
HbaLine::linenumber
int linenumber
Definition: hba.h:72
MANDATORY_AUTH_ARG
#define MANDATORY_AUTH_ARG(argvar, argname, authname)
Definition: hba.c:880
HbaLine::ldapbindpasswd
char * ldapbindpasswd
Definition: hba.h:91
TokenizedLine::fields
List * fields
Definition: hba.c:91
verify_option_list_length
static bool verify_option_list_length(List *options, const char *optionname, List *comparelist, const char *comparename, int line_num)
Definition: hba.c:1651
HbaLine::ldapprefix
char * ldapprefix
Definition: hba.h:96
ctLocal
Definition: hba.h:55
lappend
List * lappend(List *list, void *datum)
Definition: list.c:321
elevel
static int elevel
Definition: vacuumlazy.c:330
uaSCRAM
Definition: hba.h:33
ipCmpAll
Definition: hba.h:50
palloc0
void * palloc0(Size size)
Definition: mcxt.c:980
HbaLine::hostname
char * hostname
Definition: hba.h:80
HbaToken::string
char * string
Definition: hba.c:77
HbaLine::radiusidentifiers
List * radiusidentifiers
Definition: hba.h:107
uaBSD
Definition: hba.h:37
ereport
#define ereport(elevel,...)
Definition: elog.h:144
HbaLine::roles
List * roles
Definition: hba.h:76
Assert
#define Assert(condition)
Definition: c.h:745
lfirst
#define lfirst(lc)
Definition: pg_list.h:190
HbaLine::ldapsearchfilter
char * ldapsearchfilter
Definition: hba.h:93
HbaLine::clientcert
ClientCertMode clientcert
Definition: hba.h:98
list_length
static int list_length(const List *l)
Definition: pg_list.h:169
HbaLine::ldapsearchattribute
char * ldapsearchattribute
Definition: hba.h:92
List::length
int length
Definition: pg_list.h:53
HbaLine::rawline
char * rawline
Definition: hba.h:73
copy_hba_token
static HbaToken * copy_hba_token(HbaToken *in)
Definition: hba.c:307
HbaLine::upn_username
bool upn_username
Definition: hba.h:102
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824
token_is_keyword
#define token_is_keyword(t, k)
Definition: hba.c:68
errcontext
#define errcontext
Definition: elog.h:185
addrinfo::ai_addrlen
size_t ai_addrlen
Definition: getaddrinfo.h:104
TokenizedLine::raw_line
char * raw_line
Definition: hba.c:93
HbaLine::ip_cmp_method
IPCompareMethod ip_cmp_method
Definition: hba.h:79
List
Definition: pg_list.h:50
uaPAM
Definition: hba.h:36
HbaLine::compat_realm
bool compat_realm
Definition: hba.h:101
val
long val
Definition: informix.c:664
ctHost
Definition: hba.h:56
uaRADIUS
Definition: hba.h:40
HbaLine::auth_method
UserAuth auth_method
Definition: hba.h:81
addrinfo::ai_addr
struct sockaddr * ai_addr
Definition: getaddrinfo.h:105

◆ parse_ident_line()

static IdentLine* parse_ident_line ( TokenizedLine tok_line)
static

Definition at line 2712 of file hba.c.

References Assert, ereport, errcode(), errmsg(), TokenizedLine::fields, IDENT_FIELD_ABSENT, IDENT_MULTI_VALUE, IdentLine::ident_user, lfirst, TokenizedLine::line_num, IdentLine::linenumber, linitial, list_head(), lnext(), LOG, NIL, palloc(), palloc0(), pfree(), pg_mb2wchar_with_len(), pg_regcomp(), pg_regerror(), IdentLine::pg_role, pstrdup(), IdentLine::re, REG_ADVANCED, HbaToken::string, and IdentLine::usermap.

Referenced by load_ident().

2713 {
2714  int line_num = tok_line->line_num;
2715  ListCell *field;
2716  List *tokens;
2717  HbaToken *token;
2718  IdentLine *parsedline;
2719 
2720  Assert(tok_line->fields != NIL);
2721  field = list_head(tok_line->fields);
2722 
2723  parsedline = palloc0(sizeof(IdentLine));
2724  parsedline->linenumber = line_num;
2725 
2726  /* Get the map token (must exist) */
2727  tokens = lfirst(field);
2728  IDENT_MULTI_VALUE(tokens);
2729  token = linitial(tokens);
2730  parsedline->usermap = pstrdup(token->string);
2731 
2732  /* Get the ident user token */
2733  field = lnext(tok_line->fields, field);
2734  IDENT_FIELD_ABSENT(field);
2735  tokens = lfirst(field);
2736  IDENT_MULTI_VALUE(tokens);
2737  token = linitial(tokens);
2738  parsedline->ident_user = pstrdup(token->string);
2739 
2740  /* Get the PG rolename token */
2741  field = lnext(tok_line->fields, field);
2742  IDENT_FIELD_ABSENT(field);
2743  tokens = lfirst(field);
2744  IDENT_MULTI_VALUE(tokens);
2745  token = linitial(tokens);
2746  parsedline->pg_role = pstrdup(token->string);
2747 
2748  if (parsedline->ident_user[0] == '/')
2749  {
2750  /*
2751  * When system username starts with a slash, treat it as a regular
2752  * expression. Pre-compile it.
2753  */
2754  int r;
2755  pg_wchar *wstr;
2756  int wlen;
2757 
2758  wstr = palloc((strlen(parsedline->ident_user + 1) + 1) * sizeof(pg_wchar));
2759  wlen = pg_mb2wchar_with_len(parsedline->ident_user + 1,
2760  wstr, strlen(parsedline->ident_user + 1));
2761 
2762  r = pg_regcomp(&parsedline->re, wstr, wlen, REG_ADVANCED, C_COLLATION_OID);
2763  if (r)
2764  {
2765  char errstr[100];
2766 
2767  pg_regerror(r, &parsedline->re, errstr, sizeof(errstr));
2768  ereport(LOG,
2769  (errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
2770  errmsg("invalid regular expression \"%s\": %s",
2771  parsedline->ident_user + 1, errstr)));
2772 
2773  pfree(wstr);
2774  return NULL;
2775  }
2776  pfree(wstr);
2777  }
2778 
2779  return parsedline;
2780 }
NIL
#define NIL
Definition: pg_list.h:65
lnext
static ListCell * lnext(const List *l, const ListCell *c)
Definition: pg_list.h:321
IdentLine::re
regex_t re
Definition: hba.h:120
pstrdup
char * pstrdup(const char *in)
Definition: mcxt.c:1186
errcode
int errcode(int sqlerrcode)
Definition: elog.c:610
LOG
#define LOG
Definition: elog.h:26
pg_regcomp
int pg_regcomp(regex_t *re, const chr *string, size_t len, int flags, Oid collation)
Definition: regcomp.c:313
IDENT_FIELD_ABSENT
#define IDENT_FIELD_ABSENT(field)
Definition: hba.c:908
IdentLine::linenumber
int linenumber
Definition: hba.h:115
pfree
void pfree(void *pointer)
Definition: mcxt.c:1056
linitial
#define linitial(l)
Definition: pg_list.h:195
TokenizedLine::line_num
int line_num
Definition: hba.c:92
IdentLine::usermap
char * usermap
Definition: hba.h:117
HbaToken
Definition: hba.c:75
list_head
static ListCell * list_head(const List *l)
Definition: pg_list.h:125
pg_regerror
size_t pg_regerror(int errcode, const regex_t *preg, char *errbuf, size_t errbuf_size)
Definition: regerror.c:60
REG_ADVANCED
#define REG_ADVANCED
Definition: regex.h:103
TokenizedLine::fields
List * fields
Definition: hba.c:91
pg_wchar
unsigned int pg_wchar
Definition: mbprint.c:31
IDENT_MULTI_VALUE
#define IDENT_MULTI_VALUE(tokens)
Definition: hba.c:919
palloc0
void * palloc0(Size size)
Definition: mcxt.c:980
HbaToken::string
char * string
Definition: hba.c:77
pg_mb2wchar_with_len
int pg_mb2wchar_with_len(const char *from, pg_wchar *to, int len)
Definition: mbutils.c:870
ereport
#define ereport(elevel,...)
Definition: elog.h:144
Assert
#define Assert(condition)
Definition: c.h:745
lfirst
#define lfirst(lc)
Definition: pg_list.h:190
IdentLine
Definition: hba.h:113
IdentLine::ident_user
char * ident_user
Definition: hba.h:118
palloc
void * palloc(Size size)
Definition: mcxt.c:949
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824
List
Definition: pg_list.h:50
IdentLine::pg_role
char * pg_role
Definition: hba.h:119

◆ pg_hba_file_rules()

Datum pg_hba_file_rules ( PG_FUNCTION_ARGS  )

Definition at line 2650 of file hba.c.

References ReturnSetInfo::allowedModes, ReturnSetInfo::econtext, ExprContext::ecxt_per_query_memory, elog, ereport, errcode(), errmsg(), ERROR, fill_hba_view(), get_call_result_type(), IsA, MemoryContextSwitchTo(), PG_RETURN_NULL, ReturnSetInfo::returnMode, ReturnSetInfo::setDesc, ReturnSetInfo::setResult, SFRM_Materialize, SFRM_Materialize_Random, tuplestore_begin_heap(), TYPEFUNC_COMPOSITE, and work_mem.

2651 {
2652  Tuplestorestate *tuple_store;
2653  TupleDesc tupdesc;
2654  MemoryContext old_cxt;
2655  ReturnSetInfo *rsi;
2656 
2657  /*
2658  * We must use the Materialize mode to be safe against HBA file changes
2659  * while the cursor is open. It's also more efficient than having to look
2660  * up our current position in the parsed list every time.
2661  */
2662  rsi = (ReturnSetInfo *) fcinfo->resultinfo;
2663 
2664  /* Check to see if caller supports us returning a tuplestore */
2665  if (rsi == NULL || !IsA(rsi, ReturnSetInfo))
2666  ereport(ERROR,
2667  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
2668  errmsg("set-valued function called in context that cannot accept a set")));
2669  if (!(rsi->allowedModes & SFRM_Materialize))
2670  ereport(ERROR,
2671  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
2672  errmsg("materialize mode required, but it is not allowed in this context")));
2673 
2674  rsi->returnMode = SFRM_Materialize;
2675 
2676  /* Build a tuple descriptor for our result type */
2677  if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE)
2678  elog(ERROR, "return type must be a row type");
2679 
2680  /* Build tuplestore to hold the result rows */
2681  old_cxt = MemoryContextSwitchTo(rsi->econtext->ecxt_per_query_memory);
2682 
2683  tuple_store =
2684  tuplestore_begin_heap(rsi->allowedModes & SFRM_Materialize_Random,
2685  false, work_mem);
2686  rsi->setDesc = tupdesc;
2687  rsi->setResult = tuple_store;
2688 
2689  MemoryContextSwitchTo(old_cxt);
2690 
2691  /* Fill the tuplestore */
2692  fill_hba_view(tuple_store, tupdesc);
2693 
2694  PG_RETURN_NULL();
2695 }
IsA
#define IsA(nodeptr, _type_)
Definition: nodes.h:580
get_call_result_type
TypeFuncClass get_call_result_type(FunctionCallInfo fcinfo, Oid *resultTypeId, TupleDesc *resultTupleDesc)
Definition: funcapi.c:205
MemoryContextSwitchTo
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
errcode
int errcode(int sqlerrcode)
Definition: elog.c:610
ERROR
#define ERROR
Definition: elog.h:43
tuplestore_begin_heap
Tuplestorestate * tuplestore_begin_heap(bool randomAccess, bool interXact, int maxKBytes)
Definition: tuplestore.c:318
fill_hba_view
static void fill_hba_view(Tuplestorestate *tuple_store, TupleDesc tupdesc)
Definition: hba.c:2596
work_mem
int work_mem
Definition: globals.c:121
ereport
#define ereport(elevel,...)
Definition: elog.h:144
ReturnSetInfo::allowedModes
int allowedModes
Definition: execnodes.h:305
ReturnSetInfo::returnMode
SetFunctionReturnMode returnMode
Definition: execnodes.h:307
ExprContext::ecxt_per_query_memory
MemoryContext ecxt_per_query_memory
Definition: execnodes.h:233
ReturnSetInfo::setResult
Tuplestorestate * setResult
Definition: execnodes.h:310
ReturnSetInfo::econtext
ExprContext * econtext
Definition: execnodes.h:303
ReturnSetInfo::setDesc
TupleDesc setDesc
Definition: execnodes.h:311
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824
elog
#define elog(elevel,...)
Definition: elog.h:214
PG_RETURN_NULL
#define PG_RETURN_NULL()
Definition: fmgr.h:344

◆ pg_isblank()

bool pg_isblank ( const char  c)

Definition at line 160 of file hba.c.

Referenced by interpret_ident_response(), and next_token().

161 {
162  return c == ' ' || c == '\t' || c == '\r';
163 }
c
char * c
Definition: preproc-cursor.c:31

◆ tokenize_file()

static MemoryContext tokenize_file ( const char *  filename,
FILE *  file,
List **  tok_lines,
int  elevel 
)
static

Definition at line 470 of file hba.c.

References ALLOCSET_SMALL_SIZES, AllocSetContextCreate, CurrentMemoryContext, ereport, TokenizedLine::err_msg, errcode(), errcode_for_file_access(), errcontext, errmsg(), TokenizedLine::fields, lappend(), TokenizedLine::line_num, MAX_LINE, MemoryContextSwitchTo(), next_field_expand(), NIL, palloc(), psprintf(), pstrdup(), TokenizedLine::raw_line, and strerror.

Referenced by fill_hba_view(), load_hba(), load_ident(), and tokenize_inc_file().

471 {
472  int line_number = 1;
473  MemoryContext linecxt;
474  MemoryContext oldcxt;
475 
476  linecxt = AllocSetContextCreate(CurrentMemoryContext,
477  "tokenize_file",
478  ALLOCSET_SMALL_SIZES);
479  oldcxt = MemoryContextSwitchTo(linecxt);
480 
481  *tok_lines = NIL;
482 
483  while (!feof(file) && !ferror(file))
484  {
485  char rawline[MAX_LINE];
486  char *lineptr;
487  List *current_line = NIL;
488  char *err_msg = NULL;
489 
490  if (!fgets(rawline, sizeof(rawline), file))
491  {
492  int save_errno = errno;
493 
494  if (!ferror(file))
495  break; /* normal EOF */
496  /* I/O error! */
497  ereport(elevel,
498  (errcode_for_file_access(),
499  errmsg("could not read file \"%s\": %m", filename)));
500  err_msg = psprintf("could not read file \"%s\": %s",
501  filename, strerror(save_errno));
502  rawline[0] = '\0';
503  }
504  if (strlen(rawline) == MAX_LINE - 1)
505  {
506  /* Line too long! */
507  ereport(elevel,
508  (errcode(ERRCODE_CONFIG_FILE_ERROR),
509  errmsg("authentication file line too long"),
510  errcontext("line %d of configuration file \"%s\"",
511  line_number, filename)));
512  err_msg = "authentication file line too long";
513  }
514 
515  /* Strip trailing linebreak from rawline */
516  lineptr = rawline + strlen(rawline) - 1;
517  while (lineptr >= rawline && (*lineptr == '\n' || *lineptr == '\r'))
518  *lineptr-- = '\0';
519 
520  /* Parse fields */
521  lineptr = rawline;
522  while (*lineptr && err_msg == NULL)
523  {
524  List *current_field;
525 
526  current_field = next_field_expand(filename, &lineptr,
527  elevel, &err_msg);
528  /* add field to line, unless we are at EOL or comment start */
529  if (current_field != NIL)
530  current_line = lappend(current_line, current_field);
531  }
532 
533  /* Reached EOL; emit line to TokenizedLine list unless it's boring */
534  if (current_line != NIL || err_msg != NULL)
535  {
536  TokenizedLine *tok_line;
537 
538  tok_line = (TokenizedLine *) palloc(sizeof(TokenizedLine));
539  tok_line->fields = current_line;
540  tok_line->line_num = line_number;
541  tok_line->raw_line = pstrdup(rawline);
542  tok_line->err_msg = err_msg;
543  *tok_lines = lappend(*tok_lines, tok_line);
544  }
545 
546  line_number++;
547  }
548 
549  MemoryContextSwitchTo(oldcxt);
550 
551  return linecxt;
552 }
NIL
#define NIL
Definition: pg_list.h:65
AllocSetContextCreate
#define AllocSetContextCreate
Definition: memutils.h:170
pstrdup
char * pstrdup(const char *in)
Definition: mcxt.c:1186
psprintf
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
ALLOCSET_SMALL_SIZES
#define ALLOCSET_SMALL_SIZES
Definition: memutils.h:202
MemoryContextSwitchTo
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
errcode
int errcode(int sqlerrcode)
Definition: elog.c:610
TokenizedLine::line_num
int line_num
Definition: hba.c:92
TokenizedLine::err_msg
char * err_msg
Definition: hba.c:94
errcode_for_file_access
int errcode_for_file_access(void)
Definition: elog.c:633
CurrentMemoryContext
MemoryContext CurrentMemoryContext
Definition: mcxt.c:38
TokenizedLine::fields
List * fields
Definition: hba.c:91
lappend
List * lappend(List *list, void *datum)
Definition: list.c:321
MAX_LINE
#define MAX_LINE
Definition: hba.c:57
elevel
static int elevel
Definition: vacuumlazy.c:330
ereport
#define ereport(elevel,...)
Definition: elog.h:144
strerror
#define strerror
Definition: port.h:206
filename
static char * filename
Definition: pg_dumpall.c:90
palloc
void * palloc(Size size)
Definition: mcxt.c:949
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824
errcontext
#define errcontext
Definition: elog.h:185
TokenizedLine::raw_line
char * raw_line
Definition: hba.c:93
List
Definition: pg_list.h:50
next_field_expand
static List * next_field_expand(const char *filename, char **lineptr, int elevel, char **err_msg)
Definition: hba.c:330

◆ tokenize_inc_file()

static List * tokenize_inc_file ( List tokens,
const char *  outer_filename,
const char *  inc_filename,
int  elevel,
char **  err_msg 
)
static

Definition at line 372 of file hba.c.

References AllocateFile(), canonicalize_path(), copy_hba_token(), ereport, TokenizedLine::err_msg, errcode_for_file_access(), errmsg(), TokenizedLine::fields, FreeFile(), get_parent_directory(), is_absolute_path, join_path_components(), lappend(), lfirst, MemoryContextDelete(), palloc(), pfree(), psprintf(), pstrdup(), strerror, and tokenize_file().

Referenced by next_field_expand().

377 {
378  char *inc_fullname;
379  FILE *inc_file;
380  List *inc_lines;
381  ListCell *inc_line;
382  MemoryContext linecxt;
383 
384  if (is_absolute_path(inc_filename))
385  {
386  /* absolute path is taken as-is */
387  inc_fullname = pstrdup(inc_filename);
388  }
389  else
390  {
391  /* relative path is relative to dir of calling file */
392  inc_fullname = (char *) palloc(strlen(outer_filename) + 1 +
393  strlen(inc_filename) + 1);
394  strcpy(inc_fullname, outer_filename);
395  get_parent_directory(inc_fullname);
396  join_path_components(inc_fullname, inc_fullname, inc_filename);
397  canonicalize_path(inc_fullname);
398  }
399 
400  inc_file = AllocateFile(inc_fullname, "r");
401  if (inc_file == NULL)
402  {
403  int save_errno = errno;
404 
405  ereport(elevel,
406  (errcode_for_file_access(),
407  errmsg("could not open secondary authentication file \"@%s\" as \"%s\": %m",
408  inc_filename, inc_fullname)));
409  *err_msg = psprintf("could not open secondary authentication file \"@%s\" as \"%s\": %s",
410  inc_filename, inc_fullname, strerror(save_errno));
411  pfree(inc_fullname);
412  return tokens;
413  }
414 
415  /* There is possible recursion here if the file contains @ */
416  linecxt = tokenize_file(inc_fullname, inc_file, &inc_lines, elevel);
417 
418  FreeFile(inc_file);
419  pfree(inc_fullname);
420 
421  /* Copy all tokens found in the file and append to the tokens list */
422  foreach(inc_line, inc_lines)
423  {
424  TokenizedLine *tok_line = (TokenizedLine *) lfirst(inc_line);
425  ListCell *inc_field;
426 
427  /* If any line has an error, propagate that up to caller */
428  if (tok_line->err_msg)
429  {
430  *err_msg = pstrdup(tok_line->err_msg);
431  break;
432  }
433 
434  foreach(inc_field, tok_line->fields)
435  {
436  List *inc_tokens = lfirst(inc_field);
437  ListCell *inc_token;
438 
439  foreach(inc_token, inc_tokens)
440  {
441  HbaToken *token = lfirst(inc_token);
442 
443  tokens = lappend(tokens, copy_hba_token(token));
444  }
445  }
446  }
447 
448  MemoryContextDelete(linecxt);
449  return tokens;
450 }
MemoryContextDelete
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:211
pstrdup
char * pstrdup(const char *in)
Definition: mcxt.c:1186
psprintf
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
canonicalize_path
void canonicalize_path(char *path)
Definition: path.c:254
pfree
void pfree(void *pointer)
Definition: mcxt.c:1056
TokenizedLine::err_msg
char * err_msg
Definition: hba.c:94
HbaToken
Definition: hba.c:75
errcode_for_file_access
int errcode_for_file_access(void)
Definition: elog.c:633
is_absolute_path
#define is_absolute_path(filename)
Definition: port.h:86
get_parent_directory
void get_parent_directory(char *path)
Definition: path.c:854
AllocateFile
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2322
TokenizedLine::fields
List * fields
Definition: hba.c:91
lappend
List * lappend(List *list, void *datum)
Definition: list.c:321
elevel
static int elevel
Definition: vacuumlazy.c:330
ereport
#define ereport(elevel,...)
Definition: elog.h:144
lfirst
#define lfirst(lc)
Definition: pg_list.h:190
strerror
#define strerror
Definition: port.h:206
tokenize_file
static MemoryContext tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
Definition: hba.c:470
join_path_components
void join_path_components(char *ret_path, const char *head, const char *tail)
Definition: path.c:218
copy_hba_token
static HbaToken * copy_hba_token(HbaToken *in)
Definition: hba.c:307
FreeFile
int FreeFile(FILE *file)
Definition: fd.c:2521
palloc
void * palloc(Size size)
Definition: mcxt.c:949
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824
List
Definition: pg_list.h:50

◆ verify_option_list_length()

static bool verify_option_list_length ( List options,
const char *  optionname,
List comparelist,
const char *  comparename,
int  line_num 
)
static

Definition at line 1651 of file hba.c.

References ereport, errcode(), errcontext, errmsg(), HbaFileName, list_length(), and LOG.

Referenced by parse_hba_line().

1654 {
1655  if (list_length(options) == 0 ||
1656  list_length(options) == 1 ||
1657  list_length(options) == list_length(comparelist))
1658  return true;
1659 
1660  ereport(LOG,
1661  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1662  errmsg("the number of %s (%d) must be 1 or the same as the number of %s (%d)",
1663  optionname,
1664  list_length(options),
1665  comparename,
1666  list_length(comparelist)
1667  ),
1668  errcontext("line %d of configuration file \"%s\"",
1669  line_num, HbaFileName)));
1670  return false;
1671 }
errcode
int errcode(int sqlerrcode)
Definition: elog.c:610
LOG
#define LOG
Definition: elog.h:26
HbaFileName
char * HbaFileName
Definition: guc.c:557
ereport
#define ereport(elevel,...)
Definition: elog.h:144
list_length
static int list_length(const List *l)
Definition: pg_list.h:169
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:824
errcontext
#define errcontext
Definition: elog.h:185

Variable Documentation

◆ parsed_hba_context

MemoryContext parsed_hba_context = NULL
static

Definition at line 102 of file hba.c.

◆ parsed_hba_lines

List* parsed_hba_lines = NIL
static

Definition at line 101 of file hba.c.

◆ parsed_ident_context

MemoryContext parsed_ident_context = NULL
static

Definition at line 113 of file hba.c.

◆ parsed_ident_lines

List* parsed_ident_lines = NIL
static

Definition at line 112 of file hba.c.

◆ UserAuthName

const char* const UserAuthName[]
static
Initial value:
=
{
"reject",
"implicit reject",
"trust",
"ident",
"password",
"md5",
"scram-sha-256",
"gss",
"sspi",
"pam",
"bsd",
"ldap",
"cert",
"radius",
"peer"
}

Definition at line 121 of file hba.c.

Referenced by fill_hba_line().