PostgreSQL Source Code  git master
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros
hba.c File Reference
#include "postgres.h"
#include <ctype.h>
#include <pwd.h>
#include <fcntl.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include "access/htup_details.h"
#include "catalog/pg_collation.h"
#include "catalog/pg_type.h"
#include "common/ip.h"
#include "funcapi.h"
#include "libpq/ifaddr.h"
#include "libpq/libpq.h"
#include "miscadmin.h"
#include "postmaster/postmaster.h"
#include "regex/regex.h"
#include "replication/walsender.h"
#include "storage/fd.h"
#include "utils/acl.h"
#include "utils/builtins.h"
#include "utils/varlena.h"
#include "utils/guc.h"
#include "utils/lsyscache.h"
#include "utils/memutils.h"
Include dependency graph for hba.c:

Go to the source code of this file.

Data Structures

struct  check_network_data
 
struct  HbaToken
 
struct  TokenizedLine
 

Macros

#define MAX_TOKEN   256
 
#define MAX_LINE   8192
 
#define token_is_keyword(t, k)   (!t->quoted && strcmp(t->string, k) == 0)
 
#define token_matches(t, k)   (strcmp(t->string, k) == 0)
 
#define INVALID_AUTH_OPTION(optname, validmethods)
 
#define REQUIRE_AUTH_OPTION(methodval, optname, validmethods)
 
#define MANDATORY_AUTH_ARG(argvar, argname, authname)
 
#define IDENT_FIELD_ABSENT(field)
 
#define IDENT_MULTI_VALUE(tokens)
 
#define MAX_HBA_OPTIONS   12
 
#define NUM_PG_HBA_FILE_RULES_ATTS   9
 

Typedefs

typedef struct check_network_data check_network_data
 
typedef struct HbaToken HbaToken
 
typedef struct TokenizedLine TokenizedLine
 

Functions

static MemoryContext tokenize_file (const char *filename, FILE *file, List **tok_lines, int elevel)
 
static Listtokenize_inc_file (List *tokens, const char *outer_filename, const char *inc_filename, int elevel, char **err_msg)
 
static bool parse_hba_auth_opt (char *name, char *val, HbaLine *hbaline, int elevel, char **err_msg)
 
static bool verify_option_list_length (List *options, char *optionname, List *masters, char *mastername, int line_num)
 
static ArrayTypegethba_options (HbaLine *hba)
 
static void fill_hba_line (Tuplestorestate *tuple_store, TupleDesc tupdesc, int lineno, HbaLine *hba, const char *err_msg)
 
static void fill_hba_view (Tuplestorestate *tuple_store, TupleDesc tupdesc)
 
bool pg_isblank (const char c)
 
static bool next_token (char **lineptr, char *buf, int bufsz, bool *initial_quote, bool *terminating_comma, int elevel, char **err_msg)
 
static HbaTokenmake_hba_token (const char *token, bool quoted)
 
static HbaTokencopy_hba_token (HbaToken *in)
 
static Listnext_field_expand (const char *filename, char **lineptr, int elevel, char **err_msg)
 
static bool is_member (Oid userid, const char *role)
 
static bool check_role (const char *role, Oid roleid, List *tokens)
 
static bool check_db (const char *dbname, const char *role, Oid roleid, List *tokens)
 
static bool ipv4eq (struct sockaddr_in *a, struct sockaddr_in *b)
 
static bool hostname_match (const char *pattern, const char *actual_hostname)
 
static bool check_hostname (hbaPort *port, const char *hostname)
 
static bool check_ip (SockAddr *raddr, struct sockaddr *addr, struct sockaddr *mask)
 
static void check_network_callback (struct sockaddr *addr, struct sockaddr *netmask, void *cb_data)
 
static bool check_same_host_or_net (SockAddr *raddr, IPCompareMethod method)
 
static HbaLineparse_hba_line (TokenizedLine *tok_line, int elevel)
 
static void check_hba (hbaPort *port)
 
bool load_hba (void)
 
Datum pg_hba_file_rules (PG_FUNCTION_ARGS)
 
static IdentLineparse_ident_line (TokenizedLine *tok_line)
 
static void check_ident_usermap (IdentLine *identLine, const char *usermap_name, const char *pg_role, const char *ident_user, bool case_insensitive, bool *found_p, bool *error_p)
 
int check_usermap (const char *usermap_name, const char *pg_role, const char *auth_user, bool case_insensitive)
 
bool load_ident (void)
 
void hba_getauthmethod (hbaPort *port)
 

Variables

static Listparsed_hba_lines = NIL
 
static MemoryContext parsed_hba_context = NULL
 
static Listparsed_ident_lines = NIL
 
static MemoryContext parsed_ident_context = NULL
 
static const char *const UserAuthName []
 

Macro Definition Documentation

#define IDENT_FIELD_ABSENT (   field)
Value:
do { \
if (!field) { \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
errmsg("missing entry in file \"%s\" at end of line %d", \
IdentFileName, line_num))); \
return NULL; \
} \
} while (0)
int errcode(int sqlerrcode)
Definition: elog.c:575
#define LOG
Definition: elog.h:26
char * IdentFileName
Definition: guc.c:464
#define ereport(elevel, rest)
Definition: elog.h:122
#define NULL
Definition: c.h:229
int errmsg(const char *fmt,...)
Definition: elog.c:797

Definition at line 908 of file hba.c.

Referenced by parse_ident_line().

#define IDENT_MULTI_VALUE (   tokens)
Value:
do { \
if (tokens->length > 1) { \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
errmsg("multiple values in ident field"), \
errcontext("line %d of configuration file \"%s\"", \
line_num, IdentFileName))); \
return NULL; \
} \
} while (0)
int errcode(int sqlerrcode)
Definition: elog.c:575
#define LOG
Definition: elog.h:26
char * IdentFileName
Definition: guc.c:464
#define ereport(elevel, rest)
Definition: elog.h:122
#define NULL
Definition: c.h:229
int errmsg(const char *fmt,...)
Definition: elog.c:797
#define errcontext
Definition: elog.h:164

Definition at line 919 of file hba.c.

Referenced by parse_ident_line().

#define INVALID_AUTH_OPTION (   optname,
  validmethods 
)
Value:
do { \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
/* translator: the second %s is a list of auth methods */ \
errmsg("authentication option \"%s\" is only valid for authentication methods %s", \
optname, _(validmethods)), \
errcontext("line %d of configuration file \"%s\"", \
line_num, HbaFileName))); \
*err_msg = psprintf("authentication option \"%s\" is only valid for authentication methods %s", \
optname, validmethods); \
return false; \
} while (0)
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
int errcode(int sqlerrcode)
Definition: elog.c:575
char * HbaFileName
Definition: guc.c:463
#define ereport(elevel, rest)
Definition: elog.h:122
static int elevel
Definition: vacuumlazy.c:136
int errmsg(const char *fmt,...)
Definition: elog.c:797
#define errcontext
Definition: elog.h:164
#define _(x)
Definition: elog.c:84

Definition at line 860 of file hba.c.

Referenced by parse_hba_auth_opt().

#define MANDATORY_AUTH_ARG (   argvar,
  argname,
  authname 
)
Value:
do { \
if (argvar == NULL) { \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
errmsg("authentication method \"%s\" requires argument \"%s\" to be set", \
authname, argname), \
errcontext("line %d of configuration file \"%s\"", \
line_num, HbaFileName))); \
*err_msg = psprintf("authentication method \"%s\" requires argument \"%s\" to be set", \
authname, argname); \
return NULL; \
} \
} while (0)
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
int errcode(int sqlerrcode)
Definition: elog.c:575
char * HbaFileName
Definition: guc.c:463
#define ereport(elevel, rest)
Definition: elog.h:122
static int elevel
Definition: vacuumlazy.c:136
#define NULL
Definition: c.h:229
int errmsg(const char *fmt,...)
Definition: elog.c:797
#define errcontext
Definition: elog.h:164

Definition at line 880 of file hba.c.

Referenced by parse_hba_line().

#define MAX_HBA_OPTIONS   12

Definition at line 2192 of file hba.c.

Referenced by gethba_options().

#define MAX_LINE   8192

Definition at line 57 of file hba.c.

Referenced by tokenize_file().

#define MAX_TOKEN   256

Definition at line 56 of file hba.c.

Referenced by next_field_expand().

#define NUM_PG_HBA_FILE_RULES_ATTS   9

Definition at line 2302 of file hba.c.

Referenced by fill_hba_line().

#define REQUIRE_AUTH_OPTION (   methodval,
  optname,
  validmethods 
)
Value:
do { \
if (hbaline->auth_method != methodval) \
INVALID_AUTH_OPTION(optname, validmethods); \
} while (0)
#define INVALID_AUTH_OPTION(optname, validmethods)
Definition: hba.c:860

Definition at line 874 of file hba.c.

Referenced by parse_hba_auth_opt().

#define token_is_keyword (   t,
 
)    (!t->quoted && strcmp(t->string, k) == 0)

Definition at line 68 of file hba.c.

Referenced by check_db(), check_role(), and parse_hba_line().

#define token_matches (   t,
 
)    (strcmp(t->string, k) == 0)

Definition at line 69 of file hba.c.

Referenced by check_db(), and check_role().

Typedef Documentation

Function Documentation

static bool check_db ( const char *  dbname,
const char *  role,
Oid  roleid,
List tokens 
)
static

Definition at line 610 of file hba.c.

References am_db_walsender, am_walsender, is_member(), lfirst, token_is_keyword, and token_matches.

Referenced by check_hba().

611 {
612  ListCell *cell;
613  HbaToken *tok;
614 
615  foreach(cell, tokens)
616  {
617  tok = lfirst(cell);
619  {
620  /*
621  * physical replication walsender connections can only match
622  * replication keyword
623  */
624  if (token_is_keyword(tok, "replication"))
625  return true;
626  }
627  else if (token_is_keyword(tok, "all"))
628  return true;
629  else if (token_is_keyword(tok, "sameuser"))
630  {
631  if (strcmp(dbname, role) == 0)
632  return true;
633  }
634  else if (token_is_keyword(tok, "samegroup") ||
635  token_is_keyword(tok, "samerole"))
636  {
637  if (is_member(roleid, dbname))
638  return true;
639  }
640  else if (token_is_keyword(tok, "replication"))
641  continue; /* never match this if not walsender */
642  else if (token_matches(tok, dbname))
643  return true;
644  }
645  return false;
646 }
#define token_matches(t, k)
Definition: hba.c:69
bool am_walsender
Definition: walsender.c:114
Definition: hba.c:75
bool am_db_walsender
Definition: walsender.c:117
#define lfirst(lc)
Definition: pg_list.h:106
char * dbname
Definition: streamutil.c:39
static bool is_member(Oid userid, const char *role)
Definition: hba.c:562
#define token_is_keyword(t, k)
Definition: hba.c:68
static void check_hba ( hbaPort port)
static

Definition at line 1993 of file hba.c.

References SockAddr::addr, HbaLine::addr, HbaLine::auth_method, check_db(), check_hostname(), check_ip(), check_role(), check_same_host_or_net(), HbaLine::conntype, ctHostNoSSL, ctHostSSL, ctLocal, Port::database_name, HbaLine::databases, get_role_oid(), Port::hba, HbaLine::hostname, HbaLine::ip_cmp_method, ipCmpAll, ipCmpMask, ipCmpSameHost, ipCmpSameNet, IS_AF_UNIX, lfirst, HbaLine::mask, palloc0(), Port::raddr, HbaLine::roles, Port::ssl_in_use, uaImplicitReject, and Port::user_name.

Referenced by hba_getauthmethod().

1994 {
1995  Oid roleid;
1996  ListCell *line;
1997  HbaLine *hba;
1998 
1999  /* Get the target role's OID. Note we do not error out for bad role. */
2000  roleid = get_role_oid(port->user_name, true);
2001 
2002  foreach(line, parsed_hba_lines)
2003  {
2004  hba = (HbaLine *) lfirst(line);
2005 
2006  /* Check connection type */
2007  if (hba->conntype == ctLocal)
2008  {
2009  if (!IS_AF_UNIX(port->raddr.addr.ss_family))
2010  continue;
2011  }
2012  else
2013  {
2014  if (IS_AF_UNIX(port->raddr.addr.ss_family))
2015  continue;
2016 
2017  /* Check SSL state */
2018  if (port->ssl_in_use)
2019  {
2020  /* Connection is SSL, match both "host" and "hostssl" */
2021  if (hba->conntype == ctHostNoSSL)
2022  continue;
2023  }
2024  else
2025  {
2026  /* Connection is not SSL, match both "host" and "hostnossl" */
2027  if (hba->conntype == ctHostSSL)
2028  continue;
2029  }
2030 
2031  /* Check IP address */
2032  switch (hba->ip_cmp_method)
2033  {
2034  case ipCmpMask:
2035  if (hba->hostname)
2036  {
2037  if (!check_hostname(port,
2038  hba->hostname))
2039  continue;
2040  }
2041  else
2042  {
2043  if (!check_ip(&port->raddr,
2044  (struct sockaddr *) &hba->addr,
2045  (struct sockaddr *) &hba->mask))
2046  continue;
2047  }
2048  break;
2049  case ipCmpAll:
2050  break;
2051  case ipCmpSameHost:
2052  case ipCmpSameNet:
2053  if (!check_same_host_or_net(&port->raddr,
2054  hba->ip_cmp_method))
2055  continue;
2056  break;
2057  default:
2058  /* shouldn't get here, but deem it no-match if so */
2059  continue;
2060  }
2061  } /* != ctLocal */
2062 
2063  /* Check database and role */
2064  if (!check_db(port->database_name, port->user_name, roleid,
2065  hba->databases))
2066  continue;
2067 
2068  if (!check_role(port->user_name, roleid, hba->roles))
2069  continue;
2070 
2071  /* Found a record that matched! */
2072  port->hba = hba;
2073  return;
2074  }
2075 
2076  /* If no matching entry was found, then implicitly reject. */
2077  hba = palloc0(sizeof(HbaLine));
2079  port->hba = hba;
2080 }
List * databases
Definition: hba.h:66
Definition: hba.h:61
struct sockaddr_storage mask
Definition: hba.h:69
Definition: hba.h:47
struct sockaddr_storage addr
Definition: pqcomm.h:64
bool ssl_in_use
Definition: libpq-be.h:181
unsigned int Oid
Definition: postgres_ext.h:31
static bool check_hostname(hbaPort *port, const char *hostname)
Definition: hba.c:693
static List * parsed_hba_lines
Definition: hba.c:101
Oid get_role_oid(const char *rolname, bool missing_ok)
Definition: acl.c:5096
SockAddr raddr
Definition: libpq-be.h:122
ConnType conntype
Definition: hba.h:65
Definition: hba.h:57
struct sockaddr_storage addr
Definition: hba.h:68
#define IS_AF_UNIX(fam)
Definition: ip.h:24
static bool check_ip(SockAddr *raddr, struct sockaddr *addr, struct sockaddr *mask)
Definition: hba.c:786
char * user_name
Definition: libpq-be.h:137
static bool check_role(const char *role, Oid roleid, List *tokens)
Definition: hba.c:586
Definition: hba.h:55
HbaLine * hba
Definition: libpq-be.h:144
Definition: hba.h:50
void * palloc0(Size size)
Definition: mcxt.c:878
char * hostname
Definition: hba.h:71
List * roles
Definition: hba.h:67
#define lfirst(lc)
Definition: pg_list.h:106
static bool check_db(const char *dbname, const char *role, Oid roleid, List *tokens)
Definition: hba.c:610
static bool check_same_host_or_net(SockAddr *raddr, IPCompareMethod method)
Definition: hba.c:827
IPCompareMethod ip_cmp_method
Definition: hba.h:70
char * database_name
Definition: libpq-be.h:136
UserAuth auth_method
Definition: hba.h:72
static bool check_hostname ( hbaPort port,
const char *  hostname 
)
static

Definition at line 693 of file hba.c.

References SockAddr::addr, addrinfo::ai_addr, addrinfo::ai_next, DEBUG2, elog, freeaddrinfo, getaddrinfo, hostname_match(), ipv4eq(), NI_MAXHOST, NI_NAMEREQD, NULL, pg_getnameinfo_all(), pstrdup(), Port::raddr, Port::remote_hostname, Port::remote_hostname_errcode, Port::remote_hostname_resolv, and SockAddr::salen.

Referenced by check_hba().

694 {
695  struct addrinfo *gai_result,
696  *gai;
697  int ret;
698  bool found;
699 
700  /* Quick out if remote host name already known bad */
701  if (port->remote_hostname_resolv < 0)
702  return false;
703 
704  /* Lookup remote host name if not already done */
705  if (!port->remote_hostname)
706  {
707  char remote_hostname[NI_MAXHOST];
708 
709  ret = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
710  remote_hostname, sizeof(remote_hostname),
711  NULL, 0,
712  NI_NAMEREQD);
713  if (ret != 0)
714  {
715  /* remember failure; don't complain in the postmaster log yet */
716  port->remote_hostname_resolv = -2;
717  port->remote_hostname_errcode = ret;
718  return false;
719  }
720 
721  port->remote_hostname = pstrdup(remote_hostname);
722  }
723 
724  /* Now see if remote host name matches this pg_hba line */
726  return false;
727 
728  /* If we already verified the forward lookup, we're done */
729  if (port->remote_hostname_resolv == +1)
730  return true;
731 
732  /* Lookup IP from host name and check against original IP */
733  ret = getaddrinfo(port->remote_hostname, NULL, NULL, &gai_result);
734  if (ret != 0)
735  {
736  /* remember failure; don't complain in the postmaster log yet */
737  port->remote_hostname_resolv = -2;
738  port->remote_hostname_errcode = ret;
739  return false;
740  }
741 
742  found = false;
743  for (gai = gai_result; gai; gai = gai->ai_next)
744  {
745  if (gai->ai_addr->sa_family == port->raddr.addr.ss_family)
746  {
747  if (gai->ai_addr->sa_family == AF_INET)
748  {
749  if (ipv4eq((struct sockaddr_in *) gai->ai_addr,
750  (struct sockaddr_in *) &port->raddr.addr))
751  {
752  found = true;
753  break;
754  }
755  }
756 #ifdef HAVE_IPV6
757  else if (gai->ai_addr->sa_family == AF_INET6)
758  {
759  if (ipv6eq((struct sockaddr_in6 *) gai->ai_addr,
760  (struct sockaddr_in6 *) &port->raddr.addr))
761  {
762  found = true;
763  break;
764  }
765  }
766 #endif
767  }
768  }
769 
770  if (gai_result)
771  freeaddrinfo(gai_result);
772 
773  if (!found)
774  elog(DEBUG2, "pg_hba.conf host name \"%s\" rejected because address resolution did not return a match with IP address of client",
775  hostname);
776 
777  port->remote_hostname_resolv = found ? +1 : -1;
778 
779  return found;
780 }
#define getaddrinfo
Definition: getaddrinfo.h:136
#define NI_NAMEREQD
Definition: getaddrinfo.h:84
char * pstrdup(const char *in)
Definition: mcxt.c:1077
#define freeaddrinfo
Definition: getaddrinfo.h:141
struct sockaddr_storage addr
Definition: pqcomm.h:64
static bool ipv4eq(struct sockaddr_in *a, struct sockaddr_in *b)
Definition: hba.c:649
char * remote_hostname
Definition: libpq-be.h:124
SockAddr raddr
Definition: libpq-be.h:122
#define NI_MAXHOST
Definition: getaddrinfo.h:88
static bool hostname_match(const char *pattern, const char *actual_hostname)
Definition: hba.c:673
#define DEBUG2
Definition: elog.h:24
int remote_hostname_errcode
Definition: libpq-be.h:127
ACCEPT_TYPE_ARG3 salen
Definition: pqcomm.h:65
#define NULL
Definition: c.h:229
int pg_getnameinfo_all(const struct sockaddr_storage *addr, int salen, char *node, int nodelen, char *service, int servicelen, int flags)
Definition: ip.c:122
int remote_hostname_resolv
Definition: libpq-be.h:126
struct addrinfo * ai_next
Definition: getaddrinfo.h:107
#define elog
Definition: elog.h:219
static char * hostname
Definition: pg_regress.c:88
struct sockaddr * ai_addr
Definition: getaddrinfo.h:105
static void check_ident_usermap ( IdentLine identLine,
const char *  usermap_name,
const char *  pg_role,
const char *  ident_user,
bool  case_insensitive,
bool found_p,
bool error_p 
)
static

Definition at line 2685 of file hba.c.

References ereport, errcode(), errmsg(), IdentLine::ident_user, LOG, NULL, palloc(), palloc0(), pfree(), pg_mb2wchar_with_len(), pg_regerror(), pg_regexec(), IdentLine::pg_role, pg_strcasecmp(), pstrdup(), IdentLine::re, REG_NOMATCH, regmatch_t::rm_eo, regmatch_t::rm_so, and IdentLine::usermap.

Referenced by check_usermap().

2688 {
2689  *found_p = false;
2690  *error_p = false;
2691 
2692  if (strcmp(identLine->usermap, usermap_name) != 0)
2693  /* Line does not match the map name we're looking for, so just abort */
2694  return;
2695 
2696  /* Match? */
2697  if (identLine->ident_user[0] == '/')
2698  {
2699  /*
2700  * When system username starts with a slash, treat it as a regular
2701  * expression. In this case, we process the system username as a
2702  * regular expression that returns exactly one match. This is replaced
2703  * for \1 in the database username string, if present.
2704  */
2705  int r;
2706  regmatch_t matches[2];
2707  pg_wchar *wstr;
2708  int wlen;
2709  char *ofs;
2710  char *regexp_pgrole;
2711 
2712  wstr = palloc((strlen(ident_user) + 1) * sizeof(pg_wchar));
2713  wlen = pg_mb2wchar_with_len(ident_user, wstr, strlen(ident_user));
2714 
2715  r = pg_regexec(&identLine->re, wstr, wlen, 0, NULL, 2, matches, 0);
2716  if (r)
2717  {
2718  char errstr[100];
2719 
2720  if (r != REG_NOMATCH)
2721  {
2722  /* REG_NOMATCH is not an error, everything else is */
2723  pg_regerror(r, &identLine->re, errstr, sizeof(errstr));
2724  ereport(LOG,
2725  (errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
2726  errmsg("regular expression match for \"%s\" failed: %s",
2727  identLine->ident_user + 1, errstr)));
2728  *error_p = true;
2729  }
2730 
2731  pfree(wstr);
2732  return;
2733  }
2734  pfree(wstr);
2735 
2736  if ((ofs = strstr(identLine->pg_role, "\\1")) != NULL)
2737  {
2738  int offset;
2739 
2740  /* substitution of the first argument requested */
2741  if (matches[1].rm_so < 0)
2742  {
2743  ereport(LOG,
2744  (errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
2745  errmsg("regular expression \"%s\" has no subexpressions as requested by backreference in \"%s\"",
2746  identLine->ident_user + 1, identLine->pg_role)));
2747  *error_p = true;
2748  return;
2749  }
2750 
2751  /*
2752  * length: original length minus length of \1 plus length of match
2753  * plus null terminator
2754  */
2755  regexp_pgrole = palloc0(strlen(identLine->pg_role) - 2 + (matches[1].rm_eo - matches[1].rm_so) + 1);
2756  offset = ofs - identLine->pg_role;
2757  memcpy(regexp_pgrole, identLine->pg_role, offset);
2758  memcpy(regexp_pgrole + offset,
2759  ident_user + matches[1].rm_so,
2760  matches[1].rm_eo - matches[1].rm_so);
2761  strcat(regexp_pgrole, ofs + 2);
2762  }
2763  else
2764  {
2765  /* no substitution, so copy the match */
2766  regexp_pgrole = pstrdup(identLine->pg_role);
2767  }
2768 
2769  /*
2770  * now check if the username actually matched what the user is trying
2771  * to connect as
2772  */
2773  if (case_insensitive)
2774  {
2775  if (pg_strcasecmp(regexp_pgrole, pg_role) == 0)
2776  *found_p = true;
2777  }
2778  else
2779  {
2780  if (strcmp(regexp_pgrole, pg_role) == 0)
2781  *found_p = true;
2782  }
2783  pfree(regexp_pgrole);
2784 
2785  return;
2786  }
2787  else
2788  {
2789  /* Not regular expression, so make complete match */
2790  if (case_insensitive)
2791  {
2792  if (pg_strcasecmp(identLine->pg_role, pg_role) == 0 &&
2793  pg_strcasecmp(identLine->ident_user, ident_user) == 0)
2794  *found_p = true;
2795  }
2796  else
2797  {
2798  if (strcmp(identLine->pg_role, pg_role) == 0 &&
2799  strcmp(identLine->ident_user, ident_user) == 0)
2800  *found_p = true;
2801  }
2802  }
2803  return;
2804 }
regex_t re
Definition: hba.h:109
char * pstrdup(const char *in)
Definition: mcxt.c:1077
regoff_t rm_so
Definition: regex.h:85
int errcode(int sqlerrcode)
Definition: elog.c:575
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36
#define LOG
Definition: elog.h:26
regoff_t rm_eo
Definition: regex.h:86
void pfree(void *pointer)
Definition: mcxt.c:950
char * usermap
Definition: hba.h:106
size_t pg_regerror(int errcode, const regex_t *preg, char *errbuf, size_t errbuf_size)
Definition: regerror.c:60
#define ereport(elevel, rest)
Definition: elog.h:122
unsigned int pg_wchar
Definition: mbprint.c:31
void * palloc0(Size size)
Definition: mcxt.c:878
int pg_mb2wchar_with_len(const char *from, pg_wchar *to, int len)
Definition: mbutils.c:734
#define NULL
Definition: c.h:229
char * ident_user
Definition: hba.h:107
int pg_regexec(regex_t *re, const chr *string, size_t len, size_t search_start, rm_detail_t *details, size_t nmatch, regmatch_t pmatch[], int flags)
Definition: regexec.c:172
void * palloc(Size size)
Definition: mcxt.c:849
int errmsg(const char *fmt,...)
Definition: elog.c:797
#define REG_NOMATCH
Definition: regex.h:138
char * pg_role
Definition: hba.h:108
static bool check_ip ( SockAddr raddr,
struct sockaddr *  addr,
struct sockaddr *  mask 
)
static

Definition at line 786 of file hba.c.

References SockAddr::addr, and pg_range_sockaddr().

Referenced by check_hba(), and check_network_callback().

787 {
788  if (raddr->addr.ss_family == addr->sa_family &&
789  pg_range_sockaddr(&raddr->addr,
790  (struct sockaddr_storage *) addr,
791  (struct sockaddr_storage *) mask))
792  return true;
793  return false;
794 }
struct sockaddr_storage addr
Definition: pqcomm.h:64
int pg_range_sockaddr(const struct sockaddr_storage *addr, const struct sockaddr_storage *netaddr, const struct sockaddr_storage *netmask)
Definition: ifaddr.c:53
static void check_network_callback ( struct sockaddr *  addr,
struct sockaddr *  netmask,
void *  cb_data 
)
static

Definition at line 800 of file hba.c.

References check_ip(), ipCmpSameHost, check_network_data::method, NULL, pg_sockaddr_cidr_mask(), check_network_data::raddr, and check_network_data::result.

Referenced by check_same_host_or_net().

802 {
803  check_network_data *cn = (check_network_data *) cb_data;
804  struct sockaddr_storage mask;
805 
806  /* Already found a match? */
807  if (cn->result)
808  return;
809 
810  if (cn->method == ipCmpSameHost)
811  {
812  /* Make an all-ones netmask of appropriate length for family */
813  pg_sockaddr_cidr_mask(&mask, NULL, addr->sa_family);
814  cn->result = check_ip(cn->raddr, addr, (struct sockaddr *) &mask);
815  }
816  else
817  {
818  /* Use the netmask of the interface itself */
819  cn->result = check_ip(cn->raddr, addr, netmask);
820  }
821 }
SockAddr * raddr
Definition: hba.c:63
IPCompareMethod method
Definition: hba.c:62
int pg_sockaddr_cidr_mask(struct sockaddr_storage *mask, char *numbits, int family)
Definition: ifaddr.c:115
static bool check_ip(SockAddr *raddr, struct sockaddr *addr, struct sockaddr *mask)
Definition: hba.c:786
bool result
Definition: hba.c:64
#define NULL
Definition: c.h:229
static bool check_role ( const char *  role,
Oid  roleid,
List tokens 
)
static

Definition at line 586 of file hba.c.

References is_member(), lfirst, HbaToken::quoted, HbaToken::string, token_is_keyword, and token_matches.

Referenced by check_hba().

587 {
588  ListCell *cell;
589  HbaToken *tok;
590 
591  foreach(cell, tokens)
592  {
593  tok = lfirst(cell);
594  if (!tok->quoted && tok->string[0] == '+')
595  {
596  if (is_member(roleid, tok->string + 1))
597  return true;
598  }
599  else if (token_matches(tok, role) ||
600  token_is_keyword(tok, "all"))
601  return true;
602  }
603  return false;
604 }
#define token_matches(t, k)
Definition: hba.c:69
Definition: hba.c:75
char * string
Definition: hba.c:77
bool quoted
Definition: hba.c:78
#define lfirst(lc)
Definition: pg_list.h:106
static bool is_member(Oid userid, const char *role)
Definition: hba.c:562
#define token_is_keyword(t, k)
Definition: hba.c:68
static bool check_same_host_or_net ( SockAddr raddr,
IPCompareMethod  method 
)
static

Definition at line 827 of file hba.c.

References check_network_callback(), elog, LOG, check_network_data::method, pg_foreach_ifaddr(), check_network_data::raddr, and check_network_data::result.

Referenced by check_hba().

828 {
830 
831  cn.method = method;
832  cn.raddr = raddr;
833  cn.result = false;
834 
835  errno = 0;
837  {
838  elog(LOG, "error enumerating network interfaces: %m");
839  return false;
840  }
841 
842  return cn.result;
843 }
SockAddr * raddr
Definition: hba.c:63
#define LOG
Definition: elog.h:26
IPCompareMethod method
Definition: hba.c:62
int pg_foreach_ifaddr(PgIfAddrCallback callback, void *cb_data)
Definition: ifaddr.c:559
static void check_network_callback(struct sockaddr *addr, struct sockaddr *netmask, void *cb_data)
Definition: hba.c:800
bool result
Definition: hba.c:64
#define elog
Definition: elog.h:219
int check_usermap ( const char *  usermap_name,
const char *  pg_role,
const char *  auth_user,
bool  case_insensitive 
)

Definition at line 2821 of file hba.c.

References check_ident_usermap(), ereport, errmsg(), error(), lfirst, LOG, NULL, pg_strcasecmp(), STATUS_ERROR, and STATUS_OK.

Referenced by ident_inet().

2825 {
2826  bool found_entry = false,
2827  error = false;
2828 
2829  if (usermap_name == NULL || usermap_name[0] == '\0')
2830  {
2831  if (case_insensitive)
2832  {
2833  if (pg_strcasecmp(pg_role, auth_user) == 0)
2834  return STATUS_OK;
2835  }
2836  else
2837  {
2838  if (strcmp(pg_role, auth_user) == 0)
2839  return STATUS_OK;
2840  }
2841  ereport(LOG,
2842  (errmsg("provided user name (%s) and authenticated user name (%s) do not match",
2843  pg_role, auth_user)));
2844  return STATUS_ERROR;
2845  }
2846  else
2847  {
2848  ListCell *line_cell;
2849 
2850  foreach(line_cell, parsed_ident_lines)
2851  {
2852  check_ident_usermap(lfirst(line_cell), usermap_name,
2853  pg_role, auth_user, case_insensitive,
2854  &found_entry, &error);
2855  if (found_entry || error)
2856  break;
2857  }
2858  }
2859  if (!found_entry && !error)
2860  {
2861  ereport(LOG,
2862  (errmsg("no match in usermap \"%s\" for user \"%s\" authenticated as \"%s\"",
2863  usermap_name, pg_role, auth_user)));
2864  }
2865  return found_entry ? STATUS_OK : STATUS_ERROR;
2866 }
static void check_ident_usermap(IdentLine *identLine, const char *usermap_name, const char *pg_role, const char *ident_user, bool case_insensitive, bool *found_p, bool *error_p)
Definition: hba.c:2685
static void error(void)
Definition: sql-dyntest.c:147
#define STATUS_ERROR
Definition: c.h:976
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36
#define LOG
Definition: elog.h:26
#define ereport(elevel, rest)
Definition: elog.h:122
#define STATUS_OK
Definition: c.h:975
static List * parsed_ident_lines
Definition: hba.c:112
#define NULL
Definition: c.h:229
#define lfirst(lc)
Definition: pg_list.h:106
int errmsg(const char *fmt,...)
Definition: elog.c:797
static HbaToken* copy_hba_token ( HbaToken in)
static

Definition at line 307 of file hba.c.

References make_hba_token(), HbaToken::quoted, and HbaToken::string.

Referenced by parse_hba_line(), and tokenize_inc_file().

308 {
309  HbaToken *out = make_hba_token(in->string, in->quoted);
310 
311  return out;
312 }
Definition: hba.c:75
char * string
Definition: hba.c:77
bool quoted
Definition: hba.c:78
static HbaToken * make_hba_token(const char *token, bool quoted)
Definition: hba.c:288
static void fill_hba_line ( Tuplestorestate tuple_store,
TupleDesc  tupdesc,
int  lineno,
HbaLine hba,
const char *  err_msg 
)
static

Definition at line 2317 of file hba.c.

References HbaLine::addr, Assert, HbaLine::auth_method, buffer, clean_ipv6_addr(), HbaLine::conntype, CStringGetTextDatum, ctHost, ctHostNoSSL, ctHostSSL, ctLocal, HbaLine::databases, gethba_options(), heap_form_tuple(), HbaLine::hostname, Int32GetDatum, HbaLine::ip_cmp_method, ipCmpAll, ipCmpMask, ipCmpSameHost, ipCmpSameNet, lappend(), lengthof, lfirst, HbaLine::mask, tupleDesc::natts, NI_MAXHOST, NI_NUMERICHOST, NIL, NULL, NUM_PG_HBA_FILE_RULES_ATTS, options, pg_getnameinfo_all(), PointerGetDatum, pstrdup(), HbaLine::roles, StaticAssertStmt, HbaToken::string, strlist_to_textarray(), tuplestore_puttuple(), USER_AUTH_LAST, UserAuthName, and values.

Referenced by fill_hba_view().

2319 {
2321  bool nulls[NUM_PG_HBA_FILE_RULES_ATTS];
2322  char buffer[NI_MAXHOST];
2323  HeapTuple tuple;
2324  int index;
2325  ListCell *lc;
2326  const char *typestr;
2327  const char *addrstr;
2328  const char *maskstr;
2329  ArrayType *options;
2330 
2332 
2333  memset(values, 0, sizeof(values));
2334  memset(nulls, 0, sizeof(nulls));
2335  index = 0;
2336 
2337  /* line_number */
2338  values[index++] = Int32GetDatum(lineno);
2339 
2340  if (hba != NULL)
2341  {
2342  /* type */
2343  /* Avoid a default: case so compiler will warn about missing cases */
2344  typestr = NULL;
2345  switch (hba->conntype)
2346  {
2347  case ctLocal:
2348  typestr = "local";
2349  break;
2350  case ctHost:
2351  typestr = "host";
2352  break;
2353  case ctHostSSL:
2354  typestr = "hostssl";
2355  break;
2356  case ctHostNoSSL:
2357  typestr = "hostnossl";
2358  break;
2359  }
2360  if (typestr)
2361  values[index++] = CStringGetTextDatum(typestr);
2362  else
2363  nulls[index++] = true;
2364 
2365  /* database */
2366  if (hba->databases)
2367  {
2368  /*
2369  * Flatten HbaToken list to string list. It might seem that we
2370  * should re-quote any quoted tokens, but that has been rejected
2371  * on the grounds that it makes it harder to compare the array
2372  * elements to other system catalogs. That makes entries like
2373  * "all" or "samerole" formally ambiguous ... but users who name
2374  * databases/roles that way are inflicting their own pain.
2375  */
2376  List *names = NIL;
2377 
2378  foreach(lc, hba->databases)
2379  {
2380  HbaToken *tok = lfirst(lc);
2381 
2382  names = lappend(names, tok->string);
2383  }
2384  values[index++] = PointerGetDatum(strlist_to_textarray(names));
2385  }
2386  else
2387  nulls[index++] = true;
2388 
2389  /* user */
2390  if (hba->roles)
2391  {
2392  /* Flatten HbaToken list to string list; see comment above */
2393  List *roles = NIL;
2394 
2395  foreach(lc, hba->roles)
2396  {
2397  HbaToken *tok = lfirst(lc);
2398 
2399  roles = lappend(roles, tok->string);
2400  }
2401  values[index++] = PointerGetDatum(strlist_to_textarray(roles));
2402  }
2403  else
2404  nulls[index++] = true;
2405 
2406  /* address and netmask */
2407  /* Avoid a default: case so compiler will warn about missing cases */
2408  addrstr = maskstr = NULL;
2409  switch (hba->ip_cmp_method)
2410  {
2411  case ipCmpMask:
2412  if (hba->hostname)
2413  {
2414  addrstr = hba->hostname;
2415  }
2416  else
2417  {
2418  if (pg_getnameinfo_all(&hba->addr, sizeof(hba->addr),
2419  buffer, sizeof(buffer),
2420  NULL, 0,
2421  NI_NUMERICHOST) == 0)
2422  {
2423  clean_ipv6_addr(hba->addr.ss_family, buffer);
2424  addrstr = pstrdup(buffer);
2425  }
2426  if (pg_getnameinfo_all(&hba->mask, sizeof(hba->mask),
2427  buffer, sizeof(buffer),
2428  NULL, 0,
2429  NI_NUMERICHOST) == 0)
2430  {
2431  clean_ipv6_addr(hba->mask.ss_family, buffer);
2432  maskstr = pstrdup(buffer);
2433  }
2434  }
2435  break;
2436  case ipCmpAll:
2437  addrstr = "all";
2438  break;
2439  case ipCmpSameHost:
2440  addrstr = "samehost";
2441  break;
2442  case ipCmpSameNet:
2443  addrstr = "samenet";
2444  break;
2445  }
2446  if (addrstr)
2447  values[index++] = CStringGetTextDatum(addrstr);
2448  else
2449  nulls[index++] = true;
2450  if (maskstr)
2451  values[index++] = CStringGetTextDatum(maskstr);
2452  else
2453  nulls[index++] = true;
2454 
2455  /*
2456  * Make sure UserAuthName[] tracks additions to the UserAuth enum
2457  */
2459  "UserAuthName[] must match the UserAuth enum");
2460 
2461  /* auth_method */
2462  values[index++] = CStringGetTextDatum(UserAuthName[hba->auth_method]);
2463 
2464  /* options */
2465  options = gethba_options(hba);
2466  if (options)
2467  values[index++] = PointerGetDatum(options);
2468  else
2469  nulls[index++] = true;
2470  }
2471  else
2472  {
2473  /* no parsing result, so set relevant fields to nulls */
2474  memset(&nulls[1], true, (NUM_PG_HBA_FILE_RULES_ATTS - 2) * sizeof(bool));
2475  }
2476 
2477  /* error */
2478  if (err_msg)
2479  values[NUM_PG_HBA_FILE_RULES_ATTS - 1] = CStringGetTextDatum(err_msg);
2480  else
2481  nulls[NUM_PG_HBA_FILE_RULES_ATTS - 1] = true;
2482 
2483  tuple = heap_form_tuple(tupdesc, values, nulls);
2484  tuplestore_puttuple(tuple_store, tuple);
2485 }
List * databases
Definition: hba.h:66
#define NIL
Definition: pg_list.h:69
struct sockaddr_storage mask
Definition: hba.h:69
#define NI_NUMERICHOST
Definition: getaddrinfo.h:78
#define PointerGetDatum(X)
Definition: postgres.h:562
Definition: hba.h:47
char * pstrdup(const char *in)
Definition: mcxt.c:1077
HeapTuple heap_form_tuple(TupleDesc tupleDescriptor, Datum *values, bool *isnull)
Definition: heaptuple.c:692
static const char *const UserAuthName[]
Definition: hba.c:121
#define lengthof(array)
Definition: c.h:562
int natts
Definition: tupdesc.h:73
Definition: type.h:89
#define StaticAssertStmt(condition, errmessage)
Definition: c.h:757
ConnType conntype
Definition: hba.h:65
Definition: hba.h:57
#define NI_MAXHOST
Definition: getaddrinfo.h:88
struct sockaddr_storage addr
Definition: hba.h:68
void tuplestore_puttuple(Tuplestorestate *state, HeapTuple tuple)
Definition: tuplestore.c:730
Definition: hba.c:75
#define USER_AUTH_LAST
Definition: hba.h:42
Definition: hba.h:55
List * lappend(List *list, void *datum)
Definition: list.c:128
static char ** options
Definition: hba.h:50
uintptr_t Datum
Definition: postgres.h:372
char * hostname
Definition: hba.h:71
char * string
Definition: hba.c:77
List * roles
Definition: hba.h:67
#define NULL
Definition: c.h:229
#define Assert(condition)
Definition: c.h:675
#define lfirst(lc)
Definition: pg_list.h:106
int pg_getnameinfo_all(const struct sockaddr_storage *addr, int salen, char *node, int nodelen, char *service, int servicelen, int flags)
Definition: ip.c:122
#define NUM_PG_HBA_FILE_RULES_ATTS
Definition: hba.c:2302
WalTimeSample buffer[LAG_TRACKER_BUFFER_SIZE]
Definition: walsender.c:214
void clean_ipv6_addr(int addr_family, char *addr)
Definition: network.c:1504
static Datum values[MAXATTR]
Definition: bootstrap.c:163
#define Int32GetDatum(X)
Definition: postgres.h:485
#define CStringGetTextDatum(s)
Definition: builtins.h:91
ArrayType * strlist_to_textarray(List *list)
IPCompareMethod ip_cmp_method
Definition: hba.h:70
Definition: pg_list.h:45
Definition: hba.h:56
UserAuth auth_method
Definition: hba.h:72
static ArrayType * gethba_options(HbaLine *hba)
Definition: hba.c:2199
static void fill_hba_view ( Tuplestorestate tuple_store,
TupleDesc  tupdesc 
)
static

Definition at line 2491 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate(), CurrentMemoryContext, DEBUG3, ereport, TokenizedLine::err_msg, errcode_for_file_access(), errmsg(), ERROR, fill_hba_line(), FreeFile(), HbaFileName, lfirst, TokenizedLine::line_num, MemoryContextDelete(), MemoryContextSwitchTo(), NIL, NULL, parse_hba_line(), and tokenize_file().

Referenced by pg_hba_file_rules().

2492 {
2493  FILE *file;
2494  List *hba_lines = NIL;
2495  ListCell *line;
2496  MemoryContext linecxt;
2497  MemoryContext hbacxt;
2498  MemoryContext oldcxt;
2499 
2500  /*
2501  * In the unlikely event that we can't open pg_hba.conf, we throw an
2502  * error, rather than trying to report it via some sort of view entry.
2503  * (Most other error conditions should result in a message in a view
2504  * entry.)
2505  */
2506  file = AllocateFile(HbaFileName, "r");
2507  if (file == NULL)
2508  ereport(ERROR,
2510  errmsg("could not open configuration file \"%s\": %m",
2511  HbaFileName)));
2512 
2513  linecxt = tokenize_file(HbaFileName, file, &hba_lines, DEBUG3);
2514  FreeFile(file);
2515 
2516  /* Now parse all the lines */
2518  "hba parser context",
2520  oldcxt = MemoryContextSwitchTo(hbacxt);
2521  foreach(line, hba_lines)
2522  {
2523  TokenizedLine *tok_line = (TokenizedLine *) lfirst(line);
2524  HbaLine *hbaline = NULL;
2525 
2526  /* don't parse lines that already have errors */
2527  if (tok_line->err_msg == NULL)
2528  hbaline = parse_hba_line(tok_line, DEBUG3);
2529 
2530  fill_hba_line(tuple_store, tupdesc, tok_line->line_num,
2531  hbaline, tok_line->err_msg);
2532  }
2533 
2534  /* Free tokenizer memory */
2535  MemoryContextDelete(linecxt);
2536  /* Free parse_hba_line memory */
2537  MemoryContextSwitchTo(oldcxt);
2538  MemoryContextDelete(hbacxt);
2539 }
Definition: hba.h:61
#define NIL
Definition: pg_list.h:69
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:200
#define DEBUG3
Definition: elog.h:23
#define ALLOCSET_SMALL_SIZES
Definition: memutils.h:175
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
char * HbaFileName
Definition: guc.c:463
#define ERROR
Definition: elog.h:43
int line_num
Definition: hba.c:92
char * err_msg
Definition: hba.c:94
int errcode_for_file_access(void)
Definition: elog.c:598
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2094
MemoryContext CurrentMemoryContext
Definition: mcxt.c:37
#define ereport(elevel, rest)
Definition: elog.h:122
static HbaLine * parse_hba_line(TokenizedLine *tok_line, int elevel)
Definition: hba.c:945
static void fill_hba_line(Tuplestorestate *tuple_store, TupleDesc tupdesc, int lineno, HbaLine *hba, const char *err_msg)
Definition: hba.c:2317
MemoryContext AllocSetContextCreate(MemoryContext parent, const char *name, Size minContextSize, Size initBlockSize, Size maxBlockSize)
Definition: aset.c:322
#define NULL
Definition: c.h:229
#define lfirst(lc)
Definition: pg_list.h:106
static MemoryContext tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
Definition: hba.c:470
int FreeFile(FILE *file)
Definition: fd.c:2277
int errmsg(const char *fmt,...)
Definition: elog.c:797
Definition: pg_list.h:45
static ArrayType * gethba_options ( HbaLine hba)
static

Definition at line 2199 of file hba.c.

References Assert, HbaLine::auth_method, HbaLine::clientcert, construct_array(), CStringGetTextDatum, HbaLine::include_realm, HbaLine::krb_realm, HbaLine::ldapbasedn, HbaLine::ldapbinddn, HbaLine::ldapbindpasswd, HbaLine::ldapport, HbaLine::ldapprefix, HbaLine::ldapscope, HbaLine::ldapsearchattribute, HbaLine::ldapserver, HbaLine::ldapsuffix, HbaLine::ldaptls, MAX_HBA_OPTIONS, noptions, NULL, HbaLine::pamservice, psprintf(), HbaLine::radiusidentifiers_s, HbaLine::radiusports_s, HbaLine::radiussecrets_s, HbaLine::radiusservers_s, TEXTOID, uaGSS, uaLDAP, uaRADIUS, uaSSPI, and HbaLine::usermap.

Referenced by fill_hba_line().

2200 {
2201  int noptions;
2203 
2204  noptions = 0;
2205 
2206  if (hba->auth_method == uaGSS || hba->auth_method == uaSSPI)
2207  {
2208  if (hba->include_realm)
2209  options[noptions++] =
2210  CStringGetTextDatum("include_realm=true");
2211 
2212  if (hba->krb_realm)
2213  options[noptions++] =
2214  CStringGetTextDatum(psprintf("krb_realm=%s", hba->krb_realm));
2215  }
2216 
2217  if (hba->usermap)
2218  options[noptions++] =
2219  CStringGetTextDatum(psprintf("map=%s", hba->usermap));
2220 
2221  if (hba->clientcert)
2222  options[noptions++] =
2223  CStringGetTextDatum("clientcert=true");
2224 
2225  if (hba->pamservice)
2226  options[noptions++] =
2227  CStringGetTextDatum(psprintf("pamservice=%s", hba->pamservice));
2228 
2229  if (hba->auth_method == uaLDAP)
2230  {
2231  if (hba->ldapserver)
2232  options[noptions++] =
2233  CStringGetTextDatum(psprintf("ldapserver=%s", hba->ldapserver));
2234 
2235  if (hba->ldapport)
2236  options[noptions++] =
2237  CStringGetTextDatum(psprintf("ldapport=%d", hba->ldapport));
2238 
2239  if (hba->ldaptls)
2240  options[noptions++] =
2241  CStringGetTextDatum("ldaptls=true");
2242 
2243  if (hba->ldapprefix)
2244  options[noptions++] =
2245  CStringGetTextDatum(psprintf("ldapprefix=%s", hba->ldapprefix));
2246 
2247  if (hba->ldapsuffix)
2248  options[noptions++] =
2249  CStringGetTextDatum(psprintf("ldapsuffix=%s", hba->ldapsuffix));
2250 
2251  if (hba->ldapbasedn)
2252  options[noptions++] =
2253  CStringGetTextDatum(psprintf("ldapbasedn=%s", hba->ldapbasedn));
2254 
2255  if (hba->ldapbinddn)
2256  options[noptions++] =
2257  CStringGetTextDatum(psprintf("ldapbinddn=%s", hba->ldapbinddn));
2258 
2259  if (hba->ldapbindpasswd)
2260  options[noptions++] =
2261  CStringGetTextDatum(psprintf("ldapbindpasswd=%s",
2262  hba->ldapbindpasswd));
2263 
2264  if (hba->ldapsearchattribute)
2265  options[noptions++] =
2266  CStringGetTextDatum(psprintf("ldapsearchattribute=%s",
2267  hba->ldapsearchattribute));
2268 
2269  if (hba->ldapscope)
2270  options[noptions++] =
2271  CStringGetTextDatum(psprintf("ldapscope=%d", hba->ldapscope));
2272  }
2273 
2274  if (hba->auth_method == uaRADIUS)
2275  {
2276  if (hba->radiusservers_s)
2277  options[noptions++] =
2278  CStringGetTextDatum(psprintf("radiusservers=%s", hba->radiusservers_s));
2279 
2280  if (hba->radiussecrets_s)
2281  options[noptions++] =
2282  CStringGetTextDatum(psprintf("radiussecrets=%s", hba->radiussecrets_s));
2283 
2284  if (hba->radiusidentifiers_s)
2285  options[noptions++] =
2286  CStringGetTextDatum(psprintf("radiusidentifiers=%s", hba->radiusidentifiers_s));
2287 
2288  if (hba->radiusports_s)
2289  options[noptions++] =
2290  CStringGetTextDatum(psprintf("radiusports=%s", hba->radiusports_s));
2291  }
2292 
2293  Assert(noptions <= MAX_HBA_OPTIONS);
2294 
2295  if (noptions > 0)
2296  return construct_array(options, noptions, TEXTOID, -1, false, 'i');
2297  else
2298  return NULL;
2299 }
int ldapscope
Definition: hba.h:84
char * radiusports_s
Definition: hba.h:99
char * ldapserver
Definition: hba.h:78
Definition: hba.h:38
int ldapport
Definition: hba.h:79
char * ldapbasedn
Definition: hba.h:83
char * pamservice
Definition: hba.h:75
#define TEXTOID
Definition: pg_type.h:324
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
Definition: hba.h:35
ArrayType * construct_array(Datum *elems, int nelems, Oid elmtype, int elmlen, bool elmbyval, char elmalign)
Definition: arrayfuncs.c:3306
char * ldapsuffix
Definition: hba.h:86
Definition: hba.h:34
char * radiusservers_s
Definition: hba.h:93
char * usermap
Definition: hba.h:74
bool include_realm
Definition: hba.h:89
char * ldapbinddn
Definition: hba.h:80
char * krb_realm
Definition: hba.h:88
char * ldapbindpasswd
Definition: hba.h:81
char * ldapprefix
Definition: hba.h:85
uintptr_t Datum
Definition: postgres.h:372
char * radiusidentifiers_s
Definition: hba.h:97
char * radiussecrets_s
Definition: hba.h:95
#define NULL
Definition: c.h:229
#define Assert(condition)
Definition: c.h:675
bool ldaptls
Definition: hba.h:77
char * ldapsearchattribute
Definition: hba.h:82
#define CStringGetTextDatum(s)
Definition: builtins.h:91
bool clientcert
Definition: hba.h:87
static size_t noptions
Definition: hba.h:40
UserAuth auth_method
Definition: hba.h:72
#define MAX_HBA_OPTIONS
Definition: hba.c:2192
void hba_getauthmethod ( hbaPort port)

Definition at line 2987 of file hba.c.

References check_hba().

Referenced by ClientAuthentication().

2988 {
2989  check_hba(port);
2990 }
static void check_hba(hbaPort *port)
Definition: hba.c:1993
static bool hostname_match ( const char *  pattern,
const char *  actual_hostname 
)
static

Definition at line 673 of file hba.c.

References pg_strcasecmp().

Referenced by check_hostname().

674 {
675  if (pattern[0] == '.') /* suffix match */
676  {
677  size_t plen = strlen(pattern);
678  size_t hlen = strlen(actual_hostname);
679 
680  if (hlen < plen)
681  return false;
682 
683  return (pg_strcasecmp(pattern, actual_hostname + (hlen - plen)) == 0);
684  }
685  else
686  return (pg_strcasecmp(pattern, actual_hostname) == 0);
687 }
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36
static bool ipv4eq ( struct sockaddr_in *  a,
struct sockaddr_in *  b 
)
static

Definition at line 649 of file hba.c.

Referenced by check_hostname().

650 {
651  return (a->sin_addr.s_addr == b->sin_addr.s_addr);
652 }
static bool is_member ( Oid  userid,
const char *  role 
)
static

Definition at line 562 of file hba.c.

References get_role_oid(), is_member_of_role_nosuper(), and OidIsValid.

Referenced by check_db(), and check_role().

563 {
564  Oid roleid;
565 
566  if (!OidIsValid(userid))
567  return false; /* if user not exist, say "no" */
568 
569  roleid = get_role_oid(role, true);
570 
571  if (!OidIsValid(roleid))
572  return false; /* if target role not exist, say "no" */
573 
574  /*
575  * See if user is directly or indirectly a member of role. For this
576  * purpose, a superuser is not considered to be automatically a member of
577  * the role, so group auth only applies to explicit membership.
578  */
579  return is_member_of_role_nosuper(userid, roleid);
580 }
unsigned int Oid
Definition: postgres_ext.h:31
#define OidIsValid(objectId)
Definition: c.h:538
Oid get_role_oid(const char *rolname, bool missing_ok)
Definition: acl.c:5096
bool is_member_of_role_nosuper(Oid member, Oid role)
Definition: acl.c:4875
bool load_hba ( void  )

Definition at line 2094 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate(), Assert, ereport, TokenizedLine::err_msg, errcode(), errcode_for_file_access(), errmsg(), FreeFile(), HbaFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline(), NIL, NULL, parse_hba_line(), PostmasterContext, and tokenize_file().

Referenced by PerformAuthentication(), PostmasterMain(), and SIGHUP_handler().

2095 {
2096  FILE *file;
2097  List *hba_lines = NIL;
2098  ListCell *line;
2099  List *new_parsed_lines = NIL;
2100  bool ok = true;
2101  MemoryContext linecxt;
2102  MemoryContext oldcxt;
2103  MemoryContext hbacxt;
2104 
2105  file = AllocateFile(HbaFileName, "r");
2106  if (file == NULL)
2107  {
2108  ereport(LOG,
2110  errmsg("could not open configuration file \"%s\": %m",
2111  HbaFileName)));
2112  return false;
2113  }
2114 
2115  linecxt = tokenize_file(HbaFileName, file, &hba_lines, LOG);
2116  FreeFile(file);
2117 
2118  /* Now parse all the lines */
2121  "hba parser context",
2123  oldcxt = MemoryContextSwitchTo(hbacxt);
2124  foreach(line, hba_lines)
2125  {
2126  TokenizedLine *tok_line = (TokenizedLine *) lfirst(line);
2127  HbaLine *newline;
2128 
2129  /* don't parse lines that already have errors */
2130  if (tok_line->err_msg != NULL)
2131  {
2132  ok = false;
2133  continue;
2134  }
2135 
2136  if ((newline = parse_hba_line(tok_line, LOG)) == NULL)
2137  {
2138  /* Parse error; remember there's trouble */
2139  ok = false;
2140 
2141  /*
2142  * Keep parsing the rest of the file so we can report errors on
2143  * more than the first line. Error has already been logged, no
2144  * need for more chatter here.
2145  */
2146  continue;
2147  }
2148 
2149  new_parsed_lines = lappend(new_parsed_lines, newline);
2150  }
2151 
2152  /*
2153  * A valid HBA file must have at least one entry; else there's no way to
2154  * connect to the postmaster. But only complain about this if we didn't
2155  * already have parsing errors.
2156  */
2157  if (ok && new_parsed_lines == NIL)
2158  {
2159  ereport(LOG,
2160  (errcode(ERRCODE_CONFIG_FILE_ERROR),
2161  errmsg("configuration file \"%s\" contains no entries",
2162  HbaFileName)));
2163  ok = false;
2164  }
2165 
2166  /* Free tokenizer memory */
2167  MemoryContextDelete(linecxt);
2168  MemoryContextSwitchTo(oldcxt);
2169 
2170  if (!ok)
2171  {
2172  /* File contained one or more errors, so bail out */
2173  MemoryContextDelete(hbacxt);
2174  return false;
2175  }
2176 
2177  /* Loaded new file successfully, replace the one we use */
2178  if (parsed_hba_context != NULL)
2180  parsed_hba_context = hbacxt;
2181  parsed_hba_lines = new_parsed_lines;
2182 
2183  return true;
2184 }
Definition: hba.h:61
#define NIL
Definition: pg_list.h:69
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:200
#define ALLOCSET_SMALL_SIZES
Definition: memutils.h:175
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
int errcode(int sqlerrcode)
Definition: elog.c:575
#define LOG
Definition: elog.h:26
static chr newline(void)
Definition: regc_lex.c:1137
static List * parsed_hba_lines
Definition: hba.c:101
char * HbaFileName
Definition: guc.c:463
static MemoryContext parsed_hba_context
Definition: hba.c:102
char * err_msg
Definition: hba.c:94
int errcode_for_file_access(void)
Definition: elog.c:598
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2094
#define ereport(elevel, rest)
Definition: elog.h:122
List * lappend(List *list, void *datum)
Definition: list.c:128
static HbaLine * parse_hba_line(TokenizedLine *tok_line, int elevel)
Definition: hba.c:945
MemoryContext AllocSetContextCreate(MemoryContext parent, const char *name, Size minContextSize, Size initBlockSize, Size maxBlockSize)
Definition: aset.c:322
#define NULL
Definition: c.h:229
#define Assert(condition)
Definition: c.h:675
#define lfirst(lc)
Definition: pg_list.h:106
static MemoryContext tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
Definition: hba.c:470
int FreeFile(FILE *file)
Definition: fd.c:2277
int errmsg(const char *fmt,...)
Definition: elog.c:797
Definition: pg_list.h:45
MemoryContext PostmasterContext
Definition: mcxt.c:45
bool load_ident ( void  )

Definition at line 2876 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate(), Assert, ereport, TokenizedLine::err_msg, errcode_for_file_access(), errmsg(), FreeFile(), IdentLine::ident_user, IdentFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline(), NIL, NULL, parse_ident_line(), pg_regfree(), PostmasterContext, IdentLine::re, and tokenize_file().

Referenced by PerformAuthentication(), PostmasterMain(), and SIGHUP_handler().

2877 {
2878  FILE *file;
2879  List *ident_lines = NIL;
2880  ListCell *line_cell,
2881  *parsed_line_cell;
2882  List *new_parsed_lines = NIL;
2883  bool ok = true;
2884  MemoryContext linecxt;
2885  MemoryContext oldcxt;
2886  MemoryContext ident_context;
2887  IdentLine *newline;
2888 
2889  file = AllocateFile(IdentFileName, "r");
2890  if (file == NULL)
2891  {
2892  /* not fatal ... we just won't do any special ident maps */
2893  ereport(LOG,
2895  errmsg("could not open usermap file \"%s\": %m",
2896  IdentFileName)));
2897  return false;
2898  }
2899 
2900  linecxt = tokenize_file(IdentFileName, file, &ident_lines, LOG);
2901  FreeFile(file);
2902 
2903  /* Now parse all the lines */
2905  ident_context = AllocSetContextCreate(PostmasterContext,
2906  "ident parser context",
2908  oldcxt = MemoryContextSwitchTo(ident_context);
2909  foreach(line_cell, ident_lines)
2910  {
2911  TokenizedLine *tok_line = (TokenizedLine *) lfirst(line_cell);
2912 
2913  /* don't parse lines that already have errors */
2914  if (tok_line->err_msg != NULL)
2915  {
2916  ok = false;
2917  continue;
2918  }
2919 
2920  if ((newline = parse_ident_line(tok_line)) == NULL)
2921  {
2922  /* Parse error; remember there's trouble */
2923  ok = false;
2924 
2925  /*
2926  * Keep parsing the rest of the file so we can report errors on
2927  * more than the first line. Error has already been logged, no
2928  * need for more chatter here.
2929  */
2930  continue;
2931  }
2932 
2933  new_parsed_lines = lappend(new_parsed_lines, newline);
2934  }
2935 
2936  /* Free tokenizer memory */
2937  MemoryContextDelete(linecxt);
2938  MemoryContextSwitchTo(oldcxt);
2939 
2940  if (!ok)
2941  {
2942  /*
2943  * File contained one or more errors, so bail out, first being careful
2944  * to clean up whatever we allocated. Most stuff will go away via
2945  * MemoryContextDelete, but we have to clean up regexes explicitly.
2946  */
2947  foreach(parsed_line_cell, new_parsed_lines)
2948  {
2949  newline = (IdentLine *) lfirst(parsed_line_cell);
2950  if (newline->ident_user[0] == '/')
2951  pg_regfree(&newline->re);
2952  }
2953  MemoryContextDelete(ident_context);
2954  return false;
2955  }
2956 
2957  /* Loaded new file successfully, replace the one we use */
2958  if (parsed_ident_lines != NIL)
2959  {
2960  foreach(parsed_line_cell, parsed_ident_lines)
2961  {
2962  newline = (IdentLine *) lfirst(parsed_line_cell);
2963  if (newline->ident_user[0] == '/')
2964  pg_regfree(&newline->re);
2965  }
2966  }
2967  if (parsed_ident_context != NULL)
2969 
2970  parsed_ident_context = ident_context;
2971  parsed_ident_lines = new_parsed_lines;
2972 
2973  return true;
2974 }
#define NIL
Definition: pg_list.h:69
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:200
regex_t re
Definition: hba.h:109
#define ALLOCSET_SMALL_SIZES
Definition: memutils.h:175
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
#define LOG
Definition: elog.h:26
static chr newline(void)
Definition: regc_lex.c:1137
char * err_msg
Definition: hba.c:94
int errcode_for_file_access(void)
Definition: elog.c:598
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2094
char * IdentFileName
Definition: guc.c:464
#define ereport(elevel, rest)
Definition: elog.h:122
List * lappend(List *list, void *datum)
Definition: list.c:128
MemoryContext AllocSetContextCreate(MemoryContext parent, const char *name, Size minContextSize, Size initBlockSize, Size maxBlockSize)
Definition: aset.c:322
static List * parsed_ident_lines
Definition: hba.c:112
static MemoryContext parsed_ident_context
Definition: hba.c:113
#define NULL
Definition: c.h:229
#define Assert(condition)
Definition: c.h:675
#define lfirst(lc)
Definition: pg_list.h:106
static MemoryContext tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
Definition: hba.c:470
Definition: hba.h:102
int FreeFile(FILE *file)
Definition: fd.c:2277
char * ident_user
Definition: hba.h:107
int errmsg(const char *fmt,...)
Definition: elog.c:797
static IdentLine * parse_ident_line(TokenizedLine *tok_line)
Definition: hba.c:2608
void pg_regfree(regex_t *re)
Definition: regfree.c:49
Definition: pg_list.h:45
MemoryContext PostmasterContext
Definition: mcxt.c:45
static HbaToken* make_hba_token ( const char *  token,
bool  quoted 
)
static

Definition at line 288 of file hba.c.

References palloc(), HbaToken::quoted, and HbaToken::string.

Referenced by copy_hba_token(), and next_field_expand().

289 {
290  HbaToken *hbatoken;
291  int toklen;
292 
293  toklen = strlen(token);
294  /* we copy string into same palloc block as the struct */
295  hbatoken = (HbaToken *) palloc(sizeof(HbaToken) + toklen + 1);
296  hbatoken->string = (char *) hbatoken + sizeof(HbaToken);
297  hbatoken->quoted = quoted;
298  memcpy(hbatoken->string, token, toklen + 1);
299 
300  return hbatoken;
301 }
Definition: hba.c:75
char * string
Definition: hba.c:77
bool quoted
Definition: hba.c:78
void * palloc(Size size)
Definition: mcxt.c:849
static List* next_field_expand ( const char *  filename,
char **  lineptr,
int  elevel,
char **  err_msg 
)
static

Definition at line 330 of file hba.c.

References buf, lappend(), make_hba_token(), MAX_TOKEN, next_token(), NIL, NULL, and tokenize_inc_file().

Referenced by tokenize_file().

332 {
333  char buf[MAX_TOKEN];
334  bool trailing_comma;
335  bool initial_quote;
336  List *tokens = NIL;
337 
338  do
339  {
340  if (!next_token(lineptr, buf, sizeof(buf),
341  &initial_quote, &trailing_comma,
342  elevel, err_msg))
343  break;
344 
345  /* Is this referencing a file? */
346  if (!initial_quote && buf[0] == '@' && buf[1] != '\0')
347  tokens = tokenize_inc_file(tokens, filename, buf + 1,
348  elevel, err_msg);
349  else
350  tokens = lappend(tokens, make_hba_token(buf, initial_quote));
351  } while (trailing_comma && (*err_msg == NULL));
352 
353  return tokens;
354 }
#define NIL
Definition: pg_list.h:69
static bool next_token(char **lineptr, char *buf, int bufsz, bool *initial_quote, bool *terminating_comma, int elevel, char **err_msg)
Definition: hba.c:195
static char * buf
Definition: pg_test_fsync.c:66
List * lappend(List *list, void *datum)
Definition: list.c:128
static int elevel
Definition: vacuumlazy.c:136
#define NULL
Definition: c.h:229
#define MAX_TOKEN
Definition: hba.c:56
static char * filename
Definition: pg_dumpall.c:89
Definition: pg_list.h:45
static List * tokenize_inc_file(List *tokens, const char *outer_filename, const char *inc_filename, int elevel, char **err_msg)
Definition: hba.c:372
static HbaToken * make_hba_token(const char *token, bool quoted)
Definition: hba.c:288
static bool next_token ( char **  lineptr,
char *  buf,
int  bufsz,
bool initial_quote,
bool terminating_comma,
int  elevel,
char **  err_msg 
)
static

Definition at line 195 of file hba.c.

References Assert, buf, ereport, errcode(), errmsg(), and pg_isblank().

Referenced by base_yylex(), filtered_base_yylex(), and next_field_expand().

198 {
199  int c;
200  char *start_buf = buf;
201  char *end_buf = buf + (bufsz - 1);
202  bool in_quote = false;
203  bool was_quote = false;
204  bool saw_quote = false;
205 
206  Assert(end_buf > start_buf);
207 
208  *initial_quote = false;
209  *terminating_comma = false;
210 
211  /* Move over any whitespace and commas preceding the next token */
212  while ((c = (*(*lineptr)++)) != '\0' && (pg_isblank(c) || c == ','))
213  ;
214 
215  /*
216  * Build a token in buf of next characters up to EOL, unquoted comma, or
217  * unquoted whitespace.
218  */
219  while (c != '\0' &&
220  (!pg_isblank(c) || in_quote))
221  {
222  /* skip comments to EOL */
223  if (c == '#' && !in_quote)
224  {
225  while ((c = (*(*lineptr)++)) != '\0')
226  ;
227  break;
228  }
229 
230  if (buf >= end_buf)
231  {
232  *buf = '\0';
233  ereport(elevel,
234  (errcode(ERRCODE_CONFIG_FILE_ERROR),
235  errmsg("authentication file token too long, skipping: \"%s\"",
236  start_buf)));
237  *err_msg = "authentication file token too long";
238  /* Discard remainder of line */
239  while ((c = (*(*lineptr)++)) != '\0')
240  ;
241  /* Un-eat the '\0', in case we're called again */
242  (*lineptr)--;
243  return false;
244  }
245 
246  /* we do not pass back a terminating comma in the token */
247  if (c == ',' && !in_quote)
248  {
249  *terminating_comma = true;
250  break;
251  }
252 
253  if (c != '"' || was_quote)
254  *buf++ = c;
255 
256  /* Literal double-quote is two double-quotes */
257  if (in_quote && c == '"')
258  was_quote = !was_quote;
259  else
260  was_quote = false;
261 
262  if (c == '"')
263  {
264  in_quote = !in_quote;
265  saw_quote = true;
266  if (buf == start_buf)
267  *initial_quote = true;
268  }
269 
270  c = *(*lineptr)++;
271  }
272 
273  /*
274  * Un-eat the char right after the token (critical in case it is '\0',
275  * else next call will read past end of string).
276  */
277  (*lineptr)--;
278 
279  *buf = '\0';
280 
281  return (saw_quote || buf > start_buf);
282 }
bool pg_isblank(const char c)
Definition: hba.c:160
int errcode(int sqlerrcode)
Definition: elog.c:575
char * c
static char * buf
Definition: pg_test_fsync.c:66
#define ereport(elevel, rest)
Definition: elog.h:122
static int elevel
Definition: vacuumlazy.c:136
#define Assert(condition)
Definition: c.h:675
int errmsg(const char *fmt,...)
Definition: elog.c:797
static bool parse_hba_auth_opt ( char *  name,
char *  val,
HbaLine hbaline,
int  elevel,
char **  err_msg 
)
static

Definition at line 1629 of file hba.c.

References addrinfo::ai_family, addrinfo::ai_socktype, HbaLine::auth_method, HbaLine::clientcert, HbaLine::compat_realm, HbaLine::conntype, ctHostSSL, ereport, errcode(), errcontext, errmsg(), gai_strerror, gettext_noop, HbaFileName, HbaLine::include_realm, INVALID_AUTH_OPTION, HbaLine::krb_realm, HbaLine::ldapbasedn, HbaLine::ldapbinddn, HbaLine::ldapbindpasswd, HbaLine::ldapport, HbaLine::ldapprefix, HbaLine::ldapscope, HbaLine::ldapsearchattribute, HbaLine::ldapserver, HbaLine::ldapsuffix, HbaLine::ldaptls, lfirst, HbaLine::linenumber, list_free(), MemSet, NULL, HbaLine::pam_use_hostname, HbaLine::pamservice, pg_freeaddrinfo_all(), pg_getaddrinfo_all(), psprintf(), pstrdup(), HbaLine::radiusidentifiers, HbaLine::radiusidentifiers_s, HbaLine::radiusports, HbaLine::radiusports_s, HbaLine::radiussecrets, HbaLine::radiussecrets_s, HbaLine::radiusservers, HbaLine::radiusservers_s, REQUIRE_AUTH_OPTION, SplitIdentifierString(), uaCert, uaGSS, uaIdent, uaLDAP, uaPAM, uaRADIUS, uaSSPI, HbaLine::upn_username, and HbaLine::usermap.

Referenced by parse_hba_line().

1631 {
1632  int line_num = hbaline->linenumber;
1633 
1634 #ifdef USE_LDAP
1635  hbaline->ldapscope = LDAP_SCOPE_SUBTREE;
1636 #endif
1637 
1638  if (strcmp(name, "map") == 0)
1639  {
1640  if (hbaline->auth_method != uaIdent &&
1641  hbaline->auth_method != uaPeer &&
1642  hbaline->auth_method != uaGSS &&
1643  hbaline->auth_method != uaSSPI &&
1644  hbaline->auth_method != uaCert)
1645  INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, and cert"));
1646  hbaline->usermap = pstrdup(val);
1647  }
1648  else if (strcmp(name, "clientcert") == 0)
1649  {
1650  if (hbaline->conntype != ctHostSSL)
1651  {
1652  ereport(elevel,
1653  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1654  errmsg("clientcert can only be configured for \"hostssl\" rows"),
1655  errcontext("line %d of configuration file \"%s\"",
1656  line_num, HbaFileName)));
1657  *err_msg = "clientcert can only be configured for \"hostssl\" rows";
1658  return false;
1659  }
1660  if (strcmp(val, "1") == 0)
1661  {
1662  hbaline->clientcert = true;
1663  }
1664  else
1665  {
1666  if (hbaline->auth_method == uaCert)
1667  {
1668  ereport(elevel,
1669  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1670  errmsg("clientcert can not be set to 0 when using \"cert\" authentication"),
1671  errcontext("line %d of configuration file \"%s\"",
1672  line_num, HbaFileName)));
1673  *err_msg = "clientcert can not be set to 0 when using \"cert\" authentication";
1674  return false;
1675  }
1676  hbaline->clientcert = false;
1677  }
1678  }
1679  else if (strcmp(name, "pamservice") == 0)
1680  {
1681  REQUIRE_AUTH_OPTION(uaPAM, "pamservice", "pam");
1682  hbaline->pamservice = pstrdup(val);
1683  }
1684  else if (strcmp(name, "pam_use_hostname") == 0)
1685  {
1686  REQUIRE_AUTH_OPTION(uaPAM, "pam_use_hostname", "pam");
1687  if (strcmp(val, "1") == 0)
1688  hbaline->pam_use_hostname = true;
1689  else
1690  hbaline->pam_use_hostname = false;
1691 
1692  }
1693  else if (strcmp(name, "ldapurl") == 0)
1694  {
1695 #ifdef LDAP_API_FEATURE_X_OPENLDAP
1696  LDAPURLDesc *urldata;
1697  int rc;
1698 #endif
1699 
1700  REQUIRE_AUTH_OPTION(uaLDAP, "ldapurl", "ldap");
1701 #ifdef LDAP_API_FEATURE_X_OPENLDAP
1702  rc = ldap_url_parse(val, &urldata);
1703  if (rc != LDAP_SUCCESS)
1704  {
1705  ereport(elevel,
1706  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1707  errmsg("could not parse LDAP URL \"%s\": %s", val, ldap_err2string(rc))));
1708  *err_msg = psprintf("could not parse LDAP URL \"%s\": %s",
1709  val, ldap_err2string(rc));
1710  return false;
1711  }
1712 
1713  if (strcmp(urldata->lud_scheme, "ldap") != 0)
1714  {
1715  ereport(elevel,
1716  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1717  errmsg("unsupported LDAP URL scheme: %s", urldata->lud_scheme)));
1718  *err_msg = psprintf("unsupported LDAP URL scheme: %s",
1719  urldata->lud_scheme);
1720  ldap_free_urldesc(urldata);
1721  return false;
1722  }
1723 
1724  hbaline->ldapserver = pstrdup(urldata->lud_host);
1725  hbaline->ldapport = urldata->lud_port;
1726  hbaline->ldapbasedn = pstrdup(urldata->lud_dn);
1727 
1728  if (urldata->lud_attrs)
1729  hbaline->ldapsearchattribute = pstrdup(urldata->lud_attrs[0]); /* only use first one */
1730  hbaline->ldapscope = urldata->lud_scope;
1731  if (urldata->lud_filter)
1732  {
1733  ereport(elevel,
1734  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1735  errmsg("filters not supported in LDAP URLs")));
1736  *err_msg = "filters not supported in LDAP URLs";
1737  ldap_free_urldesc(urldata);
1738  return false;
1739  }
1740  ldap_free_urldesc(urldata);
1741 #else /* not OpenLDAP */
1742  ereport(elevel,
1743  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
1744  errmsg("LDAP URLs not supported on this platform")));
1745  *err_msg = "LDAP URLs not supported on this platform";
1746 #endif /* not OpenLDAP */
1747  }
1748  else if (strcmp(name, "ldaptls") == 0)
1749  {
1750  REQUIRE_AUTH_OPTION(uaLDAP, "ldaptls", "ldap");
1751  if (strcmp(val, "1") == 0)
1752  hbaline->ldaptls = true;
1753  else
1754  hbaline->ldaptls = false;
1755  }
1756  else if (strcmp(name, "ldapserver") == 0)
1757  {
1758  REQUIRE_AUTH_OPTION(uaLDAP, "ldapserver", "ldap");
1759  hbaline->ldapserver = pstrdup(val);
1760  }
1761  else if (strcmp(name, "ldapport") == 0)
1762  {
1763  REQUIRE_AUTH_OPTION(uaLDAP, "ldapport", "ldap");
1764  hbaline->ldapport = atoi(val);
1765  if (hbaline->ldapport == 0)
1766  {
1767  ereport(elevel,
1768  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1769  errmsg("invalid LDAP port number: \"%s\"", val),
1770  errcontext("line %d of configuration file \"%s\"",
1771  line_num, HbaFileName)));
1772  *err_msg = psprintf("invalid LDAP port number: \"%s\"", val);
1773  return false;
1774  }
1775  }
1776  else if (strcmp(name, "ldapbinddn") == 0)
1777  {
1778  REQUIRE_AUTH_OPTION(uaLDAP, "ldapbinddn", "ldap");
1779  hbaline->ldapbinddn = pstrdup(val);
1780  }
1781  else if (strcmp(name, "ldapbindpasswd") == 0)
1782  {
1783  REQUIRE_AUTH_OPTION(uaLDAP, "ldapbindpasswd", "ldap");
1784  hbaline->ldapbindpasswd = pstrdup(val);
1785  }
1786  else if (strcmp(name, "ldapsearchattribute") == 0)
1787  {
1788  REQUIRE_AUTH_OPTION(uaLDAP, "ldapsearchattribute", "ldap");
1789  hbaline->ldapsearchattribute = pstrdup(val);
1790  }
1791  else if (strcmp(name, "ldapbasedn") == 0)
1792  {
1793  REQUIRE_AUTH_OPTION(uaLDAP, "ldapbasedn", "ldap");
1794  hbaline->ldapbasedn = pstrdup(val);
1795  }
1796  else if (strcmp(name, "ldapprefix") == 0)
1797  {
1798  REQUIRE_AUTH_OPTION(uaLDAP, "ldapprefix", "ldap");
1799  hbaline->ldapprefix = pstrdup(val);
1800  }
1801  else if (strcmp(name, "ldapsuffix") == 0)
1802  {
1803  REQUIRE_AUTH_OPTION(uaLDAP, "ldapsuffix", "ldap");
1804  hbaline->ldapsuffix = pstrdup(val);
1805  }
1806  else if (strcmp(name, "krb_realm") == 0)
1807  {
1808  if (hbaline->auth_method != uaGSS &&
1809  hbaline->auth_method != uaSSPI)
1810  INVALID_AUTH_OPTION("krb_realm", gettext_noop("gssapi and sspi"));
1811  hbaline->krb_realm = pstrdup(val);
1812  }
1813  else if (strcmp(name, "include_realm") == 0)
1814  {
1815  if (hbaline->auth_method != uaGSS &&
1816  hbaline->auth_method != uaSSPI)
1817  INVALID_AUTH_OPTION("include_realm", gettext_noop("gssapi and sspi"));
1818  if (strcmp(val, "1") == 0)
1819  hbaline->include_realm = true;
1820  else
1821  hbaline->include_realm = false;
1822  }
1823  else if (strcmp(name, "compat_realm") == 0)
1824  {
1825  if (hbaline->auth_method != uaSSPI)
1826  INVALID_AUTH_OPTION("compat_realm", gettext_noop("sspi"));
1827  if (strcmp(val, "1") == 0)
1828  hbaline->compat_realm = true;
1829  else
1830  hbaline->compat_realm = false;
1831  }
1832  else if (strcmp(name, "upn_username") == 0)
1833  {
1834  if (hbaline->auth_method != uaSSPI)
1835  INVALID_AUTH_OPTION("upn_username", gettext_noop("sspi"));
1836  if (strcmp(val, "1") == 0)
1837  hbaline->upn_username = true;
1838  else
1839  hbaline->upn_username = false;
1840  }
1841  else if (strcmp(name, "radiusservers") == 0)
1842  {
1843  struct addrinfo *gai_result;
1844  struct addrinfo hints;
1845  int ret;
1846  List *parsed_servers;
1847  ListCell *l;
1848  char *dupval = pstrdup(val);
1849 
1850  REQUIRE_AUTH_OPTION(uaRADIUS, "radiusservers", "radius");
1851 
1852  if (!SplitIdentifierString(dupval, ',', &parsed_servers))
1853  {
1854  /* syntax error in list */
1855  ereport(elevel,
1856  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1857  errmsg("could not parse RADIUS server list \"%s\"",
1858  val),
1859  errcontext("line %d of configuration file \"%s\"",
1860  line_num, HbaFileName)));
1861  return false;
1862  }
1863 
1864  /* For each entry in the list, translate it */
1865  foreach(l, parsed_servers)
1866  {
1867  MemSet(&hints, 0, sizeof(hints));
1868  hints.ai_socktype = SOCK_DGRAM;
1869  hints.ai_family = AF_UNSPEC;
1870 
1871  ret = pg_getaddrinfo_all((char *) lfirst(l), NULL, &hints, &gai_result);
1872  if (ret || !gai_result)
1873  {
1874  ereport(elevel,
1875  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1876  errmsg("could not translate RADIUS server name \"%s\" to address: %s",
1877  (char *) lfirst(l), gai_strerror(ret)),
1878  errcontext("line %d of configuration file \"%s\"",
1879  line_num, HbaFileName)));
1880  if (gai_result)
1881  pg_freeaddrinfo_all(hints.ai_family, gai_result);
1882 
1883  list_free(parsed_servers);
1884  return false;
1885  }
1886  pg_freeaddrinfo_all(hints.ai_family, gai_result);
1887  }
1888 
1889  /* All entries are OK, so store them */
1890  hbaline->radiusservers = parsed_servers;
1891  hbaline->radiusservers_s = pstrdup(val);
1892  }
1893  else if (strcmp(name, "radiusports") == 0)
1894  {
1895  List *parsed_ports;
1896  ListCell *l;
1897  char *dupval = pstrdup(val);
1898 
1899  REQUIRE_AUTH_OPTION(uaRADIUS, "radiusports", "radius");
1900 
1901  if (!SplitIdentifierString(dupval, ',', &parsed_ports))
1902  {
1903  ereport(elevel,
1904  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1905  errmsg("could not parse RADIUS port list \"%s\"",
1906  val),
1907  errcontext("line %d of configuration file \"%s\"",
1908  line_num, HbaFileName)));
1909  *err_msg = psprintf("invalid RADIUS port number: \"%s\"", val);
1910  return false;
1911  }
1912 
1913  foreach(l, parsed_ports)
1914  {
1915  if (atoi(lfirst(l)) == 0)
1916  {
1917  ereport(elevel,
1918  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1919  errmsg("invalid RADIUS port number: \"%s\"", val),
1920  errcontext("line %d of configuration file \"%s\"",
1921  line_num, HbaFileName)));
1922 
1923  return false;
1924  }
1925  }
1926  hbaline->radiusports = parsed_ports;
1927  hbaline->radiusports_s = pstrdup(val);
1928  }
1929  else if (strcmp(name, "radiussecrets") == 0)
1930  {
1931  List *parsed_secrets;
1932  char *dupval = pstrdup(val);
1933 
1934  REQUIRE_AUTH_OPTION(uaRADIUS, "radiussecrets", "radius");
1935 
1936  if (!SplitIdentifierString(dupval, ',', &parsed_secrets))
1937  {
1938  /* syntax error in list */
1939  ereport(elevel,
1940  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1941  errmsg("could not parse RADIUS secret list \"%s\"",
1942  val),
1943  errcontext("line %d of configuration file \"%s\"",
1944  line_num, HbaFileName)));
1945  return false;
1946  }
1947 
1948  hbaline->radiussecrets = parsed_secrets;
1949  hbaline->radiussecrets_s = pstrdup(val);
1950  }
1951  else if (strcmp(name, "radiusidentifiers") == 0)
1952  {
1953  List *parsed_identifiers;
1954  char *dupval = pstrdup(val);
1955 
1956  REQUIRE_AUTH_OPTION(uaRADIUS, "radiusidentifiers", "radius");
1957 
1958  if (!SplitIdentifierString(dupval, ',', &parsed_identifiers))
1959  {
1960  /* syntax error in list */
1961  ereport(elevel,
1962  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1963  errmsg("could not parse RADIUS identifiers list \"%s\"",
1964  val),
1965  errcontext("line %d of configuration file \"%s\"",
1966  line_num, HbaFileName)));
1967  return false;
1968  }
1969 
1970  hbaline->radiusidentifiers = parsed_identifiers;
1971  hbaline->radiusidentifiers_s = pstrdup(val);
1972  }
1973  else
1974  {
1975  ereport(elevel,
1976  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1977  errmsg("unrecognized authentication option name: \"%s\"",
1978  name),
1979  errcontext("line %d of configuration file \"%s\"",
1980  line_num, HbaFileName)));
1981  *err_msg = psprintf("unrecognized authentication option name: \"%s\"",
1982  name);
1983  return false;
1984  }
1985  return true;
1986 }
int ldapscope
Definition: hba.h:84
char * radiusports_s
Definition: hba.h:99
Definition: hba.h:30
char * ldapserver
Definition: hba.h:78
#define REQUIRE_AUTH_OPTION(methodval, optname, validmethods)
Definition: hba.c:874
void pg_freeaddrinfo_all(int hint_ai_family, struct addrinfo *ai)
Definition: ip.c:88
Definition: hba.h:38
int ldapport
Definition: hba.h:79
char * ldapbasedn
Definition: hba.h:83
char * pamservice
Definition: hba.h:75
char * pstrdup(const char *in)
Definition: mcxt.c:1077
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
Definition: hba.h:35
#define gettext_noop(x)
Definition: c.h:139
int errcode(int sqlerrcode)
Definition: elog.c:575
#define MemSet(start, val, len)
Definition: c.h:857
List * radiussecrets
Definition: hba.h:94
#define gai_strerror
Definition: getaddrinfo.h:146
char * ldapsuffix
Definition: hba.h:86
char * HbaFileName
Definition: guc.c:463
int pg_getaddrinfo_all(const char *hostname, const char *servname, const struct addrinfo *hintp, struct addrinfo **result)
Definition: ip.c:57
#define INVALID_AUTH_OPTION(optname, validmethods)
Definition: hba.c:860
Definition: hba.h:34
ConnType conntype
Definition: hba.h:65
char * radiusservers_s
Definition: hba.h:93
Definition: hba.h:57
bool pam_use_hostname
Definition: hba.h:76
Definition: hba.h:39
char * usermap
Definition: hba.h:74
List * radiusports
Definition: hba.h:98
List * radiusservers
Definition: hba.h:92
bool include_realm
Definition: hba.h:89
bool SplitIdentifierString(char *rawstring, char separator, List **namelist)
Definition: varlena.c:3260
char * ldapbinddn
Definition: hba.h:80
char * krb_realm
Definition: hba.h:88
int linenumber
Definition: hba.h:63
char * ldapbindpasswd
Definition: hba.h:81
#define ereport(elevel, rest)
Definition: elog.h:122
char * ldapprefix
Definition: hba.h:85
static int elevel
Definition: vacuumlazy.c:136
char * radiusidentifiers_s
Definition: hba.h:97
List * radiusidentifiers
Definition: hba.h:96
char * radiussecrets_s
Definition: hba.h:95
#define NULL
Definition: c.h:229
#define lfirst(lc)
Definition: pg_list.h:106
bool ldaptls
Definition: hba.h:77
char * ldapsearchattribute
Definition: hba.h:82
const char * name
Definition: encode.c:521
bool upn_username
Definition: hba.h:91
int errmsg(const char *fmt,...)
Definition: elog.c:797
void list_free(List *list)
Definition: list.c:1133
#define errcontext
Definition: elog.h:164
bool clientcert
Definition: hba.h:87
Definition: pg_list.h:45
Definition: hba.h:36
bool compat_realm
Definition: hba.h:90
long val
Definition: informix.c:689
Definition: hba.h:40
UserAuth auth_method
Definition: hba.h:72
static HbaLine* parse_hba_line ( TokenizedLine tok_line,
int  elevel 
)
static

Definition at line 945 of file hba.c.

References HbaLine::addr, addrinfo::ai_addr, addrinfo::ai_addrlen, addrinfo::ai_canonname, addrinfo::ai_family, addrinfo::ai_flags, addrinfo::ai_next, AI_NUMERICHOST, addrinfo::ai_protocol, addrinfo::ai_socktype, Assert, HbaLine::auth_method, HbaLine::clientcert, HbaLine::compat_realm, HbaLine::conntype, copy_hba_token(), ctHost, ctHostNoSSL, ctHostSSL, ctLocal, HbaLine::databases, Db_user_namespace, EAI_NONAME, EnableSSL, ereport, TokenizedLine::err_msg, errcode(), errcontext, errhint(), errmsg(), TokenizedLine::fields, gai_strerror, HbaFileName, HbaLine::hostname, HbaLine::include_realm, HbaLine::ip_cmp_method, ipCmpAll, ipCmpMask, ipCmpSameHost, ipCmpSameNet, lappend(), HbaLine::ldapbasedn, HbaLine::ldapbinddn, HbaLine::ldapbindpasswd, HbaLine::ldapprefix, HbaLine::ldapsearchattribute, HbaLine::ldapserver, HbaLine::ldapsuffix, List::length, lfirst, TokenizedLine::line_num, HbaLine::linenumber, linitial, list_head(), list_length(), lnext, LOG, MANDATORY_AUTH_ARG, HbaLine::mask, NIL, NULL, palloc0(), parse_hba_auth_opt(), pfree(), pg_freeaddrinfo_all(), pg_getaddrinfo_all(), pg_sockaddr_cidr_mask(), psprintf(), pstrdup(), HbaLine::radiusidentifiers, HbaLine::radiusports, HbaLine::radiussecrets, HbaLine::radiusservers, TokenizedLine::raw_line, HbaLine::rawline, HbaLine::roles, HbaToken::string, token_is_keyword, uaBSD, uaCert, uaGSS, uaIdent, uaLDAP, uaMD5, uaPAM, uaPassword, uaRADIUS, uaReject, uaSCRAM, uaSSPI, uaTrust, HbaLine::upn_username, val, and verify_option_list_length().

Referenced by fill_hba_view(), and load_hba().

946 {
947  int line_num = tok_line->line_num;
948  char **err_msg = &tok_line->err_msg;
949  char *str;
950  struct addrinfo *gai_result;
951  struct addrinfo hints;
952  int ret;
953  char *cidr_slash;
954  char *unsupauth;
955  ListCell *field;
956  List *tokens;
957  ListCell *tokencell;
958  HbaToken *token;
959  HbaLine *parsedline;
960 
961  parsedline = palloc0(sizeof(HbaLine));
962  parsedline->linenumber = line_num;
963  parsedline->rawline = pstrdup(tok_line->raw_line);
964 
965  /* Check the record type. */
966  Assert(tok_line->fields != NIL);
967  field = list_head(tok_line->fields);
968  tokens = lfirst(field);
969  if (tokens->length > 1)
970  {
971  ereport(elevel,
972  (errcode(ERRCODE_CONFIG_FILE_ERROR),
973  errmsg("multiple values specified for connection type"),
974  errhint("Specify exactly one connection type per line."),
975  errcontext("line %d of configuration file \"%s\"",
976  line_num, HbaFileName)));
977  *err_msg = "multiple values specified for connection type";
978  return NULL;
979  }
980  token = linitial(tokens);
981  if (strcmp(token->string, "local") == 0)
982  {
983 #ifdef HAVE_UNIX_SOCKETS
984  parsedline->conntype = ctLocal;
985 #else
986  ereport(elevel,
987  (errcode(ERRCODE_CONFIG_FILE_ERROR),
988  errmsg("local connections are not supported by this build"),
989  errcontext("line %d of configuration file \"%s\"",
990  line_num, HbaFileName)));
991  *err_msg = "local connections are not supported by this build";
992  return NULL;
993 #endif
994  }
995  else if (strcmp(token->string, "host") == 0 ||
996  strcmp(token->string, "hostssl") == 0 ||
997  strcmp(token->string, "hostnossl") == 0)
998  {
999 
1000  if (token->string[4] == 's') /* "hostssl" */
1001  {
1002  parsedline->conntype = ctHostSSL;
1003  /* Log a warning if SSL support is not active */
1004 #ifdef USE_SSL
1005  if (!EnableSSL)
1006  {
1007  ereport(elevel,
1008  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1009  errmsg("hostssl record cannot match because SSL is disabled"),
1010  errhint("Set ssl = on in postgresql.conf."),
1011  errcontext("line %d of configuration file \"%s\"",
1012  line_num, HbaFileName)));
1013  *err_msg = "hostssl record cannot match because SSL is disabled";
1014  }
1015 #else
1016  ereport(elevel,
1017  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1018  errmsg("hostssl record cannot match because SSL is not supported by this build"),
1019  errhint("Compile with --with-openssl to use SSL connections."),
1020  errcontext("line %d of configuration file \"%s\"",
1021  line_num, HbaFileName)));
1022  *err_msg = "hostssl record cannot match because SSL is not supported by this build";
1023 #endif
1024  }
1025  else if (token->string[4] == 'n') /* "hostnossl" */
1026  {
1027  parsedline->conntype = ctHostNoSSL;
1028  }
1029  else
1030  {
1031  /* "host" */
1032  parsedline->conntype = ctHost;
1033  }
1034  } /* record type */
1035  else
1036  {
1037  ereport(elevel,
1038  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1039  errmsg("invalid connection type \"%s\"",
1040  token->string),
1041  errcontext("line %d of configuration file \"%s\"",
1042  line_num, HbaFileName)));
1043  *err_msg = psprintf("invalid connection type \"%s\"", token->string);
1044  return NULL;
1045  }
1046 
1047  /* Get the databases. */
1048  field = lnext(field);
1049  if (!field)
1050  {
1051  ereport(elevel,
1052  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1053  errmsg("end-of-line before database specification"),
1054  errcontext("line %d of configuration file \"%s\"",
1055  line_num, HbaFileName)));
1056  *err_msg = "end-of-line before database specification";
1057  return NULL;
1058  }
1059  parsedline->databases = NIL;
1060  tokens = lfirst(field);
1061  foreach(tokencell, tokens)
1062  {
1063  parsedline->databases = lappend(parsedline->databases,
1064  copy_hba_token(lfirst(tokencell)));
1065  }
1066 
1067  /* Get the roles. */
1068  field = lnext(field);
1069  if (!field)
1070  {
1071  ereport(elevel,
1072  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1073  errmsg("end-of-line before role specification"),
1074  errcontext("line %d of configuration file \"%s\"",
1075  line_num, HbaFileName)));
1076  *err_msg = "end-of-line before role specification";
1077  return NULL;
1078  }
1079  parsedline->roles = NIL;
1080  tokens = lfirst(field);
1081  foreach(tokencell, tokens)
1082  {
1083  parsedline->roles = lappend(parsedline->roles,
1084  copy_hba_token(lfirst(tokencell)));
1085  }
1086 
1087  if (parsedline->conntype != ctLocal)
1088  {
1089  /* Read the IP address field. (with or without CIDR netmask) */
1090  field = lnext(field);
1091  if (!field)
1092  {
1093  ereport(elevel,
1094  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1095  errmsg("end-of-line before IP address specification"),
1096  errcontext("line %d of configuration file \"%s\"",
1097  line_num, HbaFileName)));
1098  *err_msg = "end-of-line before IP address specification";
1099  return NULL;
1100  }
1101  tokens = lfirst(field);
1102  if (tokens->length > 1)
1103  {
1104  ereport(elevel,
1105  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1106  errmsg("multiple values specified for host address"),
1107  errhint("Specify one address range per line."),
1108  errcontext("line %d of configuration file \"%s\"",
1109  line_num, HbaFileName)));
1110  *err_msg = "multiple values specified for host address";
1111  return NULL;
1112  }
1113  token = linitial(tokens);
1114 
1115  if (token_is_keyword(token, "all"))
1116  {
1117  parsedline->ip_cmp_method = ipCmpAll;
1118  }
1119  else if (token_is_keyword(token, "samehost"))
1120  {
1121  /* Any IP on this host is allowed to connect */
1122  parsedline->ip_cmp_method = ipCmpSameHost;
1123  }
1124  else if (token_is_keyword(token, "samenet"))
1125  {
1126  /* Any IP on the host's subnets is allowed to connect */
1127  parsedline->ip_cmp_method = ipCmpSameNet;
1128  }
1129  else
1130  {
1131  /* IP and netmask are specified */
1132  parsedline->ip_cmp_method = ipCmpMask;
1133 
1134  /* need a modifiable copy of token */
1135  str = pstrdup(token->string);
1136 
1137  /* Check if it has a CIDR suffix and if so isolate it */
1138  cidr_slash = strchr(str, '/');
1139  if (cidr_slash)
1140  *cidr_slash = '\0';
1141 
1142  /* Get the IP address either way */
1143  hints.ai_flags = AI_NUMERICHOST;
1144  hints.ai_family = AF_UNSPEC;
1145  hints.ai_socktype = 0;
1146  hints.ai_protocol = 0;
1147  hints.ai_addrlen = 0;
1148  hints.ai_canonname = NULL;
1149  hints.ai_addr = NULL;
1150  hints.ai_next = NULL;
1151 
1152  ret = pg_getaddrinfo_all(str, NULL, &hints, &gai_result);
1153  if (ret == 0 && gai_result)
1154  memcpy(&parsedline->addr, gai_result->ai_addr,
1155  gai_result->ai_addrlen);
1156  else if (ret == EAI_NONAME)
1157  parsedline->hostname = str;
1158  else
1159  {
1160  ereport(elevel,
1161  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1162  errmsg("invalid IP address \"%s\": %s",
1163  str, gai_strerror(ret)),
1164  errcontext("line %d of configuration file \"%s\"",
1165  line_num, HbaFileName)));
1166  *err_msg = psprintf("invalid IP address \"%s\": %s",
1167  str, gai_strerror(ret));
1168  if (gai_result)
1169  pg_freeaddrinfo_all(hints.ai_family, gai_result);
1170  return NULL;
1171  }
1172 
1173  pg_freeaddrinfo_all(hints.ai_family, gai_result);
1174 
1175  /* Get the netmask */
1176  if (cidr_slash)
1177  {
1178  if (parsedline->hostname)
1179  {
1180  ereport(elevel,
1181  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1182  errmsg("specifying both host name and CIDR mask is invalid: \"%s\"",
1183  token->string),
1184  errcontext("line %d of configuration file \"%s\"",
1185  line_num, HbaFileName)));
1186  *err_msg = psprintf("specifying both host name and CIDR mask is invalid: \"%s\"",
1187  token->string);
1188  return NULL;
1189  }
1190 
1191  if (pg_sockaddr_cidr_mask(&parsedline->mask, cidr_slash + 1,
1192  parsedline->addr.ss_family) < 0)
1193  {
1194  ereport(elevel,
1195  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1196  errmsg("invalid CIDR mask in address \"%s\"",
1197  token->string),
1198  errcontext("line %d of configuration file \"%s\"",
1199  line_num, HbaFileName)));
1200  *err_msg = psprintf("invalid CIDR mask in address \"%s\"",
1201  token->string);
1202  return NULL;
1203  }
1204  pfree(str);
1205  }
1206  else if (!parsedline->hostname)
1207  {
1208  /* Read the mask field. */
1209  pfree(str);
1210  field = lnext(field);
1211  if (!field)
1212  {
1213  ereport(elevel,
1214  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1215  errmsg("end-of-line before netmask specification"),
1216  errhint("Specify an address range in CIDR notation, or provide a separate netmask."),
1217  errcontext("line %d of configuration file \"%s\"",
1218  line_num, HbaFileName)));
1219  *err_msg = "end-of-line before netmask specification";
1220  return NULL;
1221  }
1222  tokens = lfirst(field);
1223  if (tokens->length > 1)
1224  {
1225  ereport(elevel,
1226  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1227  errmsg("multiple values specified for netmask"),
1228  errcontext("line %d of configuration file \"%s\"",
1229  line_num, HbaFileName)));
1230  *err_msg = "multiple values specified for netmask";
1231  return NULL;
1232  }
1233  token = linitial(tokens);
1234 
1235  ret = pg_getaddrinfo_all(token->string, NULL,
1236  &hints, &gai_result);
1237  if (ret || !gai_result)
1238  {
1239  ereport(elevel,
1240  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1241  errmsg("invalid IP mask \"%s\": %s",
1242  token->string, gai_strerror(ret)),
1243  errcontext("line %d of configuration file \"%s\"",
1244  line_num, HbaFileName)));
1245  *err_msg = psprintf("invalid IP mask \"%s\": %s",
1246  token->string, gai_strerror(ret));
1247  if (gai_result)
1248  pg_freeaddrinfo_all(hints.ai_family, gai_result);
1249  return NULL;
1250  }
1251 
1252  memcpy(&parsedline->mask, gai_result->ai_addr,
1253  gai_result->ai_addrlen);
1254  pg_freeaddrinfo_all(hints.ai_family, gai_result);
1255 
1256  if (parsedline->addr.ss_family != parsedline->mask.ss_family)
1257  {
1258  ereport(elevel,
1259  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1260  errmsg("IP address and mask do not match"),
1261  errcontext("line %d of configuration file \"%s\"",
1262  line_num, HbaFileName)));
1263  *err_msg = "IP address and mask do not match";
1264  return NULL;
1265  }
1266  }
1267  }
1268  } /* != ctLocal */
1269 
1270  /* Get the authentication method */
1271  field = lnext(field);
1272  if (!field)
1273  {
1274  ereport(elevel,
1275  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1276  errmsg("end-of-line before authentication method"),
1277  errcontext("line %d of configuration file \"%s\"",
1278  line_num, HbaFileName)));
1279  *err_msg = "end-of-line before authentication method";
1280  return NULL;
1281  }
1282  tokens = lfirst(field);
1283  if (tokens->length > 1)
1284  {
1285  ereport(elevel,
1286  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1287  errmsg("multiple values specified for authentication type"),
1288  errhint("Specify exactly one authentication type per line."),
1289  errcontext("line %d of configuration file \"%s\"",
1290  line_num, HbaFileName)));
1291  *err_msg = "multiple values specified for authentication type";
1292  return NULL;
1293  }
1294  token = linitial(tokens);
1295 
1296  unsupauth = NULL;
1297  if (strcmp(token->string, "trust") == 0)
1298  parsedline->auth_method = uaTrust;
1299  else if (strcmp(token->string, "ident") == 0)
1300  parsedline->auth_method = uaIdent;
1301  else if (strcmp(token->string, "peer") == 0)
1302  parsedline->auth_method = uaPeer;
1303  else if (strcmp(token->string, "password") == 0)
1304  parsedline->auth_method = uaPassword;
1305  else if (strcmp(token->string, "gss") == 0)
1306 #ifdef ENABLE_GSS
1307  parsedline->auth_method = uaGSS;
1308 #else
1309  unsupauth = "gss";
1310 #endif
1311  else if (strcmp(token->string, "sspi") == 0)
1312 #ifdef ENABLE_SSPI
1313  parsedline->auth_method = uaSSPI;
1314 #else
1315  unsupauth = "sspi";
1316 #endif
1317  else if (strcmp(token->string, "reject") == 0)
1318  parsedline->auth_method = uaReject;
1319  else if (strcmp(token->string, "md5") == 0)
1320  {
1321  if (Db_user_namespace)
1322  {
1323  ereport(elevel,
1324  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1325  errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"),
1326  errcontext("line %d of configuration file \"%s\"",
1327  line_num, HbaFileName)));
1328  *err_msg = "MD5 authentication is not supported when \"db_user_namespace\" is enabled";
1329  return NULL;
1330  }
1331  parsedline->auth_method = uaMD5;
1332  }
1333  else if (strcmp(token->string, "scram-sha-256") == 0)
1334  parsedline->auth_method = uaSCRAM;
1335  else if (strcmp(token->string, "pam") == 0)
1336 #ifdef USE_PAM
1337  parsedline->auth_method = uaPAM;
1338 #else
1339  unsupauth = "pam";
1340 #endif
1341  else if (strcmp(token->string, "bsd") == 0)
1342 #ifdef USE_BSD_AUTH
1343  parsedline->auth_method = uaBSD;
1344 #else
1345  unsupauth = "bsd";
1346 #endif
1347  else if (strcmp(token->string, "ldap") == 0)
1348 #ifdef USE_LDAP
1349  parsedline->auth_method = uaLDAP;
1350 #else
1351  unsupauth = "ldap";
1352 #endif
1353  else if (strcmp(token->string, "cert") == 0)
1354 #ifdef USE_SSL
1355  parsedline->auth_method = uaCert;
1356 #else
1357  unsupauth = "cert";
1358 #endif
1359  else if (strcmp(token->string, "radius") == 0)
1360  parsedline->auth_method = uaRADIUS;
1361  else
1362  {
1363  ereport(elevel,
1364  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1365  errmsg("invalid authentication method \"%s\"",
1366  token->string),
1367  errcontext("line %d of configuration file \"%s\"",
1368  line_num, HbaFileName)));
1369  *err_msg = psprintf("invalid authentication method \"%s\"",
1370  token->string);
1371  return NULL;
1372  }
1373 
1374  if (unsupauth)
1375  {
1376  ereport(elevel,
1377  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1378  errmsg("invalid authentication method \"%s\": not supported by this build",
1379  token->string),
1380  errcontext("line %d of configuration file \"%s\"",
1381  line_num, HbaFileName)));
1382  *err_msg = psprintf("invalid authentication method \"%s\": not supported by this build",
1383  token->string);
1384  return NULL;
1385  }
1386 
1387  /*
1388  * XXX: When using ident on local connections, change it to peer, for
1389  * backwards compatibility.
1390  */
1391  if (parsedline->conntype == ctLocal &&
1392  parsedline->auth_method == uaIdent)
1393  parsedline->auth_method = uaPeer;
1394 
1395  /* Invalid authentication combinations */
1396  if (parsedline->conntype == ctLocal &&
1397  parsedline->auth_method == uaGSS)
1398  {
1399  ereport(elevel,
1400  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1401  errmsg("gssapi authentication is not supported on local sockets"),
1402  errcontext("line %d of configuration file \"%s\"",
1403  line_num, HbaFileName)));
1404  *err_msg = "gssapi authentication is not supported on local sockets";
1405  return NULL;
1406  }
1407 
1408  if (parsedline->conntype != ctLocal &&
1409  parsedline->auth_method == uaPeer)
1410  {
1411  ereport(elevel,
1412  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1413  errmsg("peer authentication is only supported on local sockets"),
1414  errcontext("line %d of configuration file \"%s\"",
1415  line_num, HbaFileName)));
1416  *err_msg = "peer authentication is only supported on local sockets";
1417  return NULL;
1418  }
1419 
1420  /*
1421  * SSPI authentication can never be enabled on ctLocal connections,
1422  * because it's only supported on Windows, where ctLocal isn't supported.
1423  */
1424 
1425 
1426  if (parsedline->conntype != ctHostSSL &&
1427  parsedline->auth_method == uaCert)
1428  {
1429  ereport(elevel,
1430  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1431  errmsg("cert authentication is only supported on hostssl connections"),
1432  errcontext("line %d of configuration file \"%s\"",
1433  line_num, HbaFileName)));
1434  *err_msg = "cert authentication is only supported on hostssl connections";
1435  return NULL;
1436  }
1437 
1438  /*
1439  * For GSS and SSPI, set the default value of include_realm to true.
1440  * Having include_realm set to false is dangerous in multi-realm
1441  * situations and is generally considered bad practice. We keep the
1442  * capability around for backwards compatibility, but we might want to
1443  * remove it at some point in the future. Users who still need to strip
1444  * the realm off would be better served by using an appropriate regex in a
1445  * pg_ident.conf mapping.
1446  */
1447  if (parsedline->auth_method == uaGSS ||
1448  parsedline->auth_method == uaSSPI)
1449  parsedline->include_realm = true;
1450 
1451  /*
1452  * For SSPI, include_realm defaults to the SAM-compatible domain (aka
1453  * NetBIOS name) and user names instead of the Kerberos principal name for
1454  * compatibility.
1455  */
1456  if (parsedline->auth_method == uaSSPI)
1457  {
1458  parsedline->compat_realm = true;
1459  parsedline->upn_username = false;
1460  }
1461 
1462  /* Parse remaining arguments */
1463  while ((field = lnext(field)) != NULL)
1464  {
1465  tokens = lfirst(field);
1466  foreach(tokencell, tokens)
1467  {
1468  char *val;
1469 
1470  token = lfirst(tokencell);
1471 
1472  str = pstrdup(token->string);
1473  val = strchr(str, '=');
1474  if (val == NULL)
1475  {
1476  /*
1477  * Got something that's not a name=value pair.
1478  */
1479  ereport(elevel,
1480  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1481  errmsg("authentication option not in name=value format: %s", token->string),
1482  errcontext("line %d of configuration file \"%s\"",
1483  line_num, HbaFileName)));
1484  *err_msg = psprintf("authentication option not in name=value format: %s",
1485  token->string);
1486  return NULL;
1487  }
1488 
1489  *val++ = '\0'; /* str now holds "name", val holds "value" */
1490  if (!parse_hba_auth_opt(str, val, parsedline, elevel, err_msg))
1491  /* parse_hba_auth_opt already logged the error message */
1492  return NULL;
1493  pfree(str);
1494  }
1495  }
1496 
1497  /*
1498  * Check if the selected authentication method has any mandatory arguments
1499  * that are not set.
1500  */
1501  if (parsedline->auth_method == uaLDAP)
1502  {
1503  MANDATORY_AUTH_ARG(parsedline->ldapserver, "ldapserver", "ldap");
1504 
1505  /*
1506  * LDAP can operate in two modes: either with a direct bind, using
1507  * ldapprefix and ldapsuffix, or using a search+bind, using
1508  * ldapbasedn, ldapbinddn, ldapbindpasswd and ldapsearchattribute.
1509  * Disallow mixing these parameters.
1510  */
1511  if (parsedline->ldapprefix || parsedline->ldapsuffix)
1512  {
1513  if (parsedline->ldapbasedn ||
1514  parsedline->ldapbinddn ||
1515  parsedline->ldapbindpasswd ||
1516  parsedline->ldapsearchattribute)
1517  {
1518  ereport(elevel,
1519  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1520  errmsg("cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, or ldapurl together with ldapprefix"),
1521  errcontext("line %d of configuration file \"%s\"",
1522  line_num, HbaFileName)));
1523  *err_msg = "cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, or ldapurl together with ldapprefix";
1524  return NULL;
1525  }
1526  }
1527  else if (!parsedline->ldapbasedn)
1528  {
1529  ereport(elevel,
1530  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1531  errmsg("authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set"),
1532  errcontext("line %d of configuration file \"%s\"",
1533  line_num, HbaFileName)));
1534  *err_msg = "authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set";
1535  return NULL;
1536  }
1537  }
1538 
1539  if (parsedline->auth_method == uaRADIUS)
1540  {
1541  MANDATORY_AUTH_ARG(parsedline->radiusservers, "radiusservers", "radius");
1542  MANDATORY_AUTH_ARG(parsedline->radiussecrets, "radiussecrets", "radius");
1543 
1544  if (list_length(parsedline->radiusservers) < 1)
1545  {
1546  ereport(LOG,
1547  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1548  errmsg("list of RADIUS servers cannot be empty"),
1549  errcontext("line %d of configuration file \"%s\"",
1550  line_num, HbaFileName)));
1551  return NULL;
1552  }
1553 
1554  if (list_length(parsedline->radiussecrets) < 1)
1555  {
1556  ereport(LOG,
1557  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1558  errmsg("list of RADIUS secrets cannot be empty"),
1559  errcontext("line %d of configuration file \"%s\"",
1560  line_num, HbaFileName)));
1561  return NULL;
1562  }
1563 
1564  /*
1565  * Verify length of option lists - each can be 0 (except for secrets,
1566  * but that's already checked above), 1 (use the same value
1567  * everywhere) or the same as the number of servers.
1568  */
1569  if (!verify_option_list_length(parsedline->radiussecrets,
1570  "RADIUS secrets",
1571  parsedline->radiusservers,
1572  "RADIUS servers",
1573  line_num))
1574  return NULL;
1575  if (!verify_option_list_length(parsedline->radiusports,
1576  "RADIUS ports",
1577  parsedline->radiusservers,
1578  "RADIUS servers",
1579  line_num))
1580  return NULL;
1582  "RADIUS identifiers",
1583  parsedline->radiusservers,
1584  "RADIUS servers",
1585  line_num))
1586  return NULL;
1587  }
1588 
1589  /*
1590  * Enforce any parameters implied by other settings.
1591  */
1592  if (parsedline->auth_method == uaCert)
1593  {
1594  parsedline->clientcert = true;
1595  }
1596 
1597  return parsedline;
1598 }
List * databases
Definition: hba.h:66
Definition: hba.h:61
#define NIL
Definition: pg_list.h:69
Definition: hba.h:30
bool EnableSSL
Definition: postmaster.c:234
char * ldapserver
Definition: hba.h:78
void pg_freeaddrinfo_all(int hint_ai_family, struct addrinfo *ai)
Definition: ip.c:88
struct sockaddr_storage mask
Definition: hba.h:69
int errhint(const char *fmt,...)
Definition: elog.c:987
Definition: hba.h:38
char * ldapbasedn
Definition: hba.h:83
Definition: hba.h:32
static bool parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int elevel, char **err_msg)
Definition: hba.c:1629
Definition: hba.h:47
char * pstrdup(const char *in)
Definition: mcxt.c:1077
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
Definition: hba.h:35
int errcode(int sqlerrcode)
Definition: elog.c:575
#define LOG
Definition: elog.h:26
#define AI_NUMERICHOST
Definition: getaddrinfo.h:73
List * radiussecrets
Definition: hba.h:94
#define gai_strerror
Definition: getaddrinfo.h:146
char * ldapsuffix
Definition: hba.h:86
char * HbaFileName
Definition: guc.c:463
int pg_getaddrinfo_all(const char *hostname, const char *servname, const struct addrinfo *hintp, struct addrinfo **result)
Definition: ip.c:57
Definition: hba.h:34
Definition: hba.h:31
ConnType conntype
Definition: hba.h:65
void pfree(void *pointer)
Definition: mcxt.c:950
Definition: hba.h:57
#define linitial(l)
Definition: pg_list.h:111
Definition: hba.h:39
int pg_sockaddr_cidr_mask(struct sockaddr_storage *mask, char *numbits, int family)
Definition: ifaddr.c:115
struct sockaddr_storage addr
Definition: hba.h:68
int line_num
Definition: hba.c:92
List * radiusports
Definition: hba.h:98
Definition: hba.h:27
List * radiusservers
Definition: hba.h:92
bool include_realm
Definition: hba.h:89
Definition: hba.h:29
bool Db_user_namespace
Definition: postmaster.c:241
char * err_msg
Definition: hba.c:94
Definition: hba.c:75
char * ldapbinddn
Definition: hba.h:80
#define EAI_NONAME
Definition: getaddrinfo.h:34
static ListCell * list_head(const List *l)
Definition: pg_list.h:77
int linenumber
Definition: hba.h:63
#define MANDATORY_AUTH_ARG(argvar, argname, authname)
Definition: hba.c:880
char * ldapbindpasswd
Definition: hba.h:81
List * fields
Definition: hba.c:91
#define lnext(lc)
Definition: pg_list.h:105
#define ereport(elevel, rest)
Definition: elog.h:122
char * ldapprefix
Definition: hba.h:85
Definition: hba.h:55
List * lappend(List *list, void *datum)
Definition: list.c:128
static int elevel
Definition: vacuumlazy.c:136
static bool verify_option_list_length(List *options, char *optionname, List *masters, char *mastername, int line_num)
Definition: hba.c:1602
Definition: hba.h:33
Definition: hba.h:50
void * palloc0(Size size)
Definition: mcxt.c:878
char * hostname
Definition: hba.h:71
char * string
Definition: hba.c:77
List * radiusidentifiers
Definition: hba.h:96
Definition: hba.h:37
List * roles
Definition: hba.h:67
#define NULL
Definition: c.h:229
#define Assert(condition)
Definition: c.h:675
#define lfirst(lc)
Definition: pg_list.h:106
static int list_length(const List *l)
Definition: pg_list.h:89
char * ldapsearchattribute
Definition: hba.h:82
int length
Definition: pg_list.h:48
char * rawline
Definition: hba.h:64
static HbaToken * copy_hba_token(HbaToken *in)
Definition: hba.c:307
bool upn_username
Definition: hba.h:91
int errmsg(const char *fmt,...)
Definition: elog.c:797
#define token_is_keyword(t, k)
Definition: hba.c:68
#define errcontext
Definition: elog.h:164
bool clientcert
Definition: hba.h:87
size_t ai_addrlen
Definition: getaddrinfo.h:104
char * raw_line
Definition: hba.c:93
IPCompareMethod ip_cmp_method
Definition: hba.h:70
Definition: pg_list.h:45
Definition: hba.h:36
bool compat_realm
Definition: hba.h:90
long val
Definition: informix.c:689
Definition: hba.h:56
Definition: hba.h:40
UserAuth auth_method
Definition: hba.h:72
struct sockaddr * ai_addr
Definition: getaddrinfo.h:105
static IdentLine* parse_ident_line ( TokenizedLine tok_line)
static

Definition at line 2608 of file hba.c.

References Assert, C_COLLATION_OID, ereport, errcode(), errmsg(), TokenizedLine::fields, IDENT_FIELD_ABSENT, IDENT_MULTI_VALUE, IdentLine::ident_user, lfirst, TokenizedLine::line_num, IdentLine::linenumber, linitial, list_head(), lnext, LOG, NIL, NULL, palloc(), palloc0(), pfree(), pg_mb2wchar_with_len(), pg_regcomp(), pg_regerror(), IdentLine::pg_role, pstrdup(), IdentLine::re, REG_ADVANCED, HbaToken::string, and IdentLine::usermap.

Referenced by load_ident().

2609 {
2610  int line_num = tok_line->line_num;
2611  ListCell *field;
2612  List *tokens;
2613  HbaToken *token;
2614  IdentLine *parsedline;
2615 
2616  Assert(tok_line->fields != NIL);
2617  field = list_head(tok_line->fields);
2618 
2619  parsedline = palloc0(sizeof(IdentLine));
2620  parsedline->linenumber = line_num;
2621 
2622  /* Get the map token (must exist) */
2623  tokens = lfirst(field);
2624  IDENT_MULTI_VALUE(tokens);
2625  token = linitial(tokens);
2626  parsedline->usermap = pstrdup(token->string);
2627 
2628  /* Get the ident user token */
2629  field = lnext(field);
2630  IDENT_FIELD_ABSENT(field);
2631  tokens = lfirst(field);
2632  IDENT_MULTI_VALUE(tokens);
2633  token = linitial(tokens);
2634  parsedline->ident_user = pstrdup(token->string);
2635 
2636  /* Get the PG rolename token */
2637  field = lnext(field);
2638  IDENT_FIELD_ABSENT(field);
2639  tokens = lfirst(field);
2640  IDENT_MULTI_VALUE(tokens);
2641  token = linitial(tokens);
2642  parsedline->pg_role = pstrdup(token->string);
2643 
2644  if (parsedline->ident_user[0] == '/')
2645  {
2646  /*
2647  * When system username starts with a slash, treat it as a regular
2648  * expression. Pre-compile it.
2649  */
2650  int r;
2651  pg_wchar *wstr;
2652  int wlen;
2653 
2654  wstr = palloc((strlen(parsedline->ident_user + 1) + 1) * sizeof(pg_wchar));
2655  wlen = pg_mb2wchar_with_len(parsedline->ident_user + 1,
2656  wstr, strlen(parsedline->ident_user + 1));
2657 
2658  r = pg_regcomp(&parsedline->re, wstr, wlen, REG_ADVANCED, C_COLLATION_OID);
2659  if (r)
2660  {
2661  char errstr[100];
2662 
2663  pg_regerror(r, &parsedline->re, errstr, sizeof(errstr));
2664  ereport(LOG,
2665  (errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
2666  errmsg("invalid regular expression \"%s\": %s",
2667  parsedline->ident_user + 1, errstr)));
2668 
2669  pfree(wstr);
2670  return NULL;
2671  }
2672  pfree(wstr);
2673  }
2674 
2675  return parsedline;
2676 }
#define NIL
Definition: pg_list.h:69
regex_t re
Definition: hba.h:109
char * pstrdup(const char *in)
Definition: mcxt.c:1077
int errcode(int sqlerrcode)
Definition: elog.c:575
#define LOG
Definition: elog.h:26
int pg_regcomp(regex_t *re, const chr *string, size_t len, int flags, Oid collation)
Definition: regcomp.c:314
#define IDENT_FIELD_ABSENT(field)
Definition: hba.c:908
int linenumber
Definition: hba.h:104
void pfree(void *pointer)
Definition: mcxt.c:950
#define linitial(l)
Definition: pg_list.h:111
int line_num
Definition: hba.c:92
char * usermap
Definition: hba.h:106
Definition: hba.c:75
static ListCell * list_head(const List *l)
Definition: pg_list.h:77
size_t pg_regerror(int errcode, const regex_t *preg, char *errbuf, size_t errbuf_size)
Definition: regerror.c:60
#define REG_ADVANCED
Definition: regex.h:103
List * fields
Definition: hba.c:91
#define lnext(lc)
Definition: pg_list.h:105
#define ereport(elevel, rest)
Definition: elog.h:122
unsigned int pg_wchar
Definition: mbprint.c:31
#define IDENT_MULTI_VALUE(tokens)
Definition: hba.c:919
void * palloc0(Size size)
Definition: mcxt.c:878
char * string
Definition: hba.c:77
int pg_mb2wchar_with_len(const char *from, pg_wchar *to, int len)
Definition: mbutils.c:734
#define NULL
Definition: c.h:229
#define Assert(condition)
Definition: c.h:675
#define lfirst(lc)
Definition: pg_list.h:106
Definition: hba.h:102
#define C_COLLATION_OID
Definition: pg_collation.h:78
char * ident_user
Definition: hba.h:107
void * palloc(Size size)
Definition: mcxt.c:849
int errmsg(const char *fmt,...)
Definition: elog.c:797
Definition: pg_list.h:45
char * pg_role
Definition: hba.h:108
Datum pg_hba_file_rules ( PG_FUNCTION_ARGS  )

Definition at line 2545 of file hba.c.

References ReturnSetInfo::allowedModes, ReturnSetInfo::econtext, ExprContext::ecxt_per_query_memory, elog, ereport, errcode(), errmsg(), ERROR, fill_hba_view(), get_call_result_type(), IsA, MemoryContextSwitchTo(), NULL, PG_RETURN_NULL, ReturnSetInfo::returnMode, ReturnSetInfo::setDesc, ReturnSetInfo::setResult, SFRM_Materialize, SFRM_Materialize_Random, tuplestore_begin_heap(), TYPEFUNC_COMPOSITE, and work_mem.

2546 {
2547  Tuplestorestate *tuple_store;
2548  TupleDesc tupdesc;
2549  MemoryContext old_cxt;
2550  ReturnSetInfo *rsi;
2551 
2552  /*
2553  * We must use the Materialize mode to be safe against HBA file changes
2554  * while the cursor is open. It's also more efficient than having to look
2555  * up our current position in the parsed list every time.
2556  */
2557  rsi = (ReturnSetInfo *) fcinfo->resultinfo;
2558 
2559  /* Check to see if caller supports us returning a tuplestore */
2560  if (rsi == NULL || !IsA(rsi, ReturnSetInfo))
2561  ereport(ERROR,
2562  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
2563  errmsg("set-valued function called in context that cannot accept a set")));
2564  if (!(rsi->allowedModes & SFRM_Materialize))
2565  ereport(ERROR,
2566  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
2567  errmsg("materialize mode required, but it is not " \
2568  "allowed in this context")));
2569 
2571 
2572  /* Build a tuple descriptor for our result type */
2573  if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE)
2574  elog(ERROR, "return type must be a row type");
2575 
2576  /* Build tuplestore to hold the result rows */
2578 
2579  tuple_store =
2581  false, work_mem);
2582  rsi->setDesc = tupdesc;
2583  rsi->setResult = tuple_store;
2584 
2585  MemoryContextSwitchTo(old_cxt);
2586 
2587  /* Fill the tuplestore */
2588  fill_hba_view(tuple_store, tupdesc);
2589 
2590  PG_RETURN_NULL();
2591 }
#define IsA(nodeptr, _type_)
Definition: nodes.h:560
TypeFuncClass get_call_result_type(FunctionCallInfo fcinfo, Oid *resultTypeId, TupleDesc *resultTupleDesc)
Definition: funcapi.c:211
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
int errcode(int sqlerrcode)
Definition: elog.c:575
#define ERROR
Definition: elog.h:43
#define ereport(elevel, rest)
Definition: elog.h:122
Tuplestorestate * tuplestore_begin_heap(bool randomAccess, bool interXact, int maxKBytes)
Definition: tuplestore.c:318
static void fill_hba_view(Tuplestorestate *tuple_store, TupleDesc tupdesc)
Definition: hba.c:2491
int work_mem
Definition: globals.c:113
int allowedModes
Definition: execnodes.h:268
SetFunctionReturnMode returnMode
Definition: execnodes.h:270
#define NULL
Definition: c.h:229
MemoryContext ecxt_per_query_memory
Definition: execnodes.h:202
Tuplestorestate * setResult
Definition: execnodes.h:273
ExprContext * econtext
Definition: execnodes.h:266
TupleDesc setDesc
Definition: execnodes.h:274
int errmsg(const char *fmt,...)
Definition: elog.c:797
#define elog
Definition: elog.h:219
#define PG_RETURN_NULL()
Definition: fmgr.h:305
bool pg_isblank ( const char  c)

Definition at line 160 of file hba.c.

Referenced by interpret_ident_response(), and next_token().

161 {
162  return c == ' ' || c == '\t' || c == '\r';
163 }
char * c
static MemoryContext tokenize_file ( const char *  filename,
FILE *  file,
List **  tok_lines,
int  elevel 
)
static

Definition at line 470 of file hba.c.

References ALLOCSET_SMALL_SIZES, AllocSetContextCreate(), CurrentMemoryContext, ereport, TokenizedLine::err_msg, errcode(), errcode_for_file_access(), errcontext, errmsg(), TokenizedLine::fields, lappend(), TokenizedLine::line_num, MAX_LINE, MemoryContextSwitchTo(), next_field_expand(), NIL, NULL, palloc(), psprintf(), pstrdup(), TokenizedLine::raw_line, and strerror().

Referenced by fill_hba_view(), load_hba(), load_ident(), and tokenize_inc_file().

471 {
472  int line_number = 1;
473  MemoryContext linecxt;
474  MemoryContext oldcxt;
475 
477  "tokenize_file",
479  oldcxt = MemoryContextSwitchTo(linecxt);
480 
481  *tok_lines = NIL;
482 
483  while (!feof(file) && !ferror(file))
484  {
485  char rawline[MAX_LINE];
486  char *lineptr;
487  List *current_line = NIL;
488  char *err_msg = NULL;
489 
490  if (!fgets(rawline, sizeof(rawline), file))
491  {
492  int save_errno = errno;
493 
494  if (!ferror(file))
495  break; /* normal EOF */
496  /* I/O error! */
497  ereport(elevel,
499  errmsg("could not read file \"%s\": %m", filename)));
500  err_msg = psprintf("could not read file \"%s\": %s",
501  filename, strerror(save_errno));
502  rawline[0] = '\0';
503  }
504  if (strlen(rawline) == MAX_LINE - 1)
505  {
506  /* Line too long! */
507  ereport(elevel,
508  (errcode(ERRCODE_CONFIG_FILE_ERROR),
509  errmsg("authentication file line too long"),
510  errcontext("line %d of configuration file \"%s\"",
511  line_number, filename)));
512  err_msg = "authentication file line too long";
513  }
514 
515  /* Strip trailing linebreak from rawline */
516  lineptr = rawline + strlen(rawline) - 1;
517  while (lineptr >= rawline && (*lineptr == '\n' || *lineptr == '\r'))
518  *lineptr-- = '\0';
519 
520  /* Parse fields */
521  lineptr = rawline;
522  while (*lineptr && err_msg == NULL)
523  {
524  List *current_field;
525 
526  current_field = next_field_expand(filename, &lineptr,
527  elevel, &err_msg);
528  /* add field to line, unless we are at EOL or comment start */
529  if (current_field != NIL)
530  current_line = lappend(current_line, current_field);
531  }
532 
533  /* Reached EOL; emit line to TokenizedLine list unless it's boring */
534  if (current_line != NIL || err_msg != NULL)
535  {
536  TokenizedLine *tok_line;
537 
538  tok_line = (TokenizedLine *) palloc(sizeof(TokenizedLine));
539  tok_line->fields = current_line;
540  tok_line->line_num = line_number;
541  tok_line->raw_line = pstrdup(rawline);
542  tok_line->err_msg = err_msg;
543  *tok_lines = lappend(*tok_lines, tok_line);
544  }
545 
546  line_number++;
547  }
548 
549  MemoryContextSwitchTo(oldcxt);
550 
551  return linecxt;
552 }
#define NIL
Definition: pg_list.h:69
char * pstrdup(const char *in)
Definition: mcxt.c:1077
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
#define ALLOCSET_SMALL_SIZES
Definition: memutils.h:175
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
int errcode(int sqlerrcode)
Definition: elog.c:575
int line_num
Definition: hba.c:92
char * err_msg
Definition: hba.c:94
int errcode_for_file_access(void)
Definition: elog.c:598
MemoryContext CurrentMemoryContext
Definition: mcxt.c:37
List * fields
Definition: hba.c:91
#define ereport(elevel, rest)
Definition: elog.h:122
List * lappend(List *list, void *datum)
Definition: list.c:128
#define MAX_LINE
Definition: hba.c:57
static int elevel
Definition: vacuumlazy.c:136
MemoryContext AllocSetContextCreate(MemoryContext parent, const char *name, Size minContextSize, Size initBlockSize, Size maxBlockSize)
Definition: aset.c:322
#define NULL
Definition: c.h:229
static char * filename
Definition: pg_dumpall.c:89
void * palloc(Size size)
Definition: mcxt.c:849
int errmsg(const char *fmt,...)
Definition: elog.c:797
const char * strerror(int errnum)
Definition: strerror.c:19
#define errcontext
Definition: elog.h:164
char * raw_line
Definition: hba.c:93
Definition: pg_list.h:45
static List * next_field_expand(const char *filename, char **lineptr, int elevel, char **err_msg)
Definition: hba.c:330
static List * tokenize_inc_file ( List tokens,
const char *  outer_filename,
const char *  inc_filename,
int  elevel,
char **  err_msg 
)
static

Definition at line 372 of file hba.c.

References AllocateFile(), canonicalize_path(), copy_hba_token(), ereport, TokenizedLine::err_msg, errcode_for_file_access(), errmsg(), TokenizedLine::fields, FreeFile(), get_parent_directory(), is_absolute_path, join_path_components(), lappend(), lfirst, MemoryContextDelete(), NULL, palloc(), pfree(), psprintf(), pstrdup(), strerror(), and tokenize_file().

Referenced by next_field_expand().

377 {
378  char *inc_fullname;
379  FILE *inc_file;
380  List *inc_lines;
381  ListCell *inc_line;
382  MemoryContext linecxt;
383 
384  if (is_absolute_path(inc_filename))
385  {
386  /* absolute path is taken as-is */
387  inc_fullname = pstrdup(inc_filename);
388  }
389  else
390  {
391  /* relative path is relative to dir of calling file */
392  inc_fullname = (char *) palloc(strlen(outer_filename) + 1 +
393  strlen(inc_filename) + 1);
394  strcpy(inc_fullname, outer_filename);
395  get_parent_directory(inc_fullname);
396  join_path_components(inc_fullname, inc_fullname, inc_filename);
397  canonicalize_path(inc_fullname);
398  }
399 
400  inc_file = AllocateFile(inc_fullname, "r");
401  if (inc_file == NULL)
402  {
403  int save_errno = errno;
404 
405  ereport(elevel,
407  errmsg("could not open secondary authentication file \"@%s\" as \"%s\": %m",
408  inc_filename, inc_fullname)));
409  *err_msg = psprintf("could not open secondary authentication file \"@%s\" as \"%s\": %s",
410  inc_filename, inc_fullname, strerror(save_errno));
411  pfree(inc_fullname);
412  return tokens;
413  }
414 
415  /* There is possible recursion here if the file contains @ */
416  linecxt = tokenize_file(inc_fullname, inc_file, &inc_lines, elevel);
417 
418  FreeFile(inc_file);
419  pfree(inc_fullname);
420 
421  /* Copy all tokens found in the file and append to the tokens list */
422  foreach(inc_line, inc_lines)
423  {
424  TokenizedLine *tok_line = (TokenizedLine *) lfirst(inc_line);
425  ListCell *inc_field;
426 
427  /* If any line has an error, propagate that up to caller */
428  if (tok_line->err_msg)
429  {
430  *err_msg = pstrdup(tok_line->err_msg);
431  break;
432  }
433 
434  foreach(inc_field, tok_line->fields)
435  {
436  List *inc_tokens = lfirst(inc_field);
437  ListCell *inc_token;
438 
439  foreach(inc_token, inc_tokens)
440  {
441  HbaToken *token = lfirst(inc_token);
442 
443  tokens = lappend(tokens, copy_hba_token(token));
444  }
445  }
446  }
447 
448  MemoryContextDelete(linecxt);
449  return tokens;
450 }
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:200
char * pstrdup(const char *in)
Definition: mcxt.c:1077
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
void canonicalize_path(char *path)
Definition: path.c:254
void pfree(void *pointer)
Definition: mcxt.c:950
char * err_msg
Definition: hba.c:94
Definition: hba.c:75
int errcode_for_file_access(void)
Definition: elog.c:598
#define is_absolute_path(filename)
Definition: port.h:77
void get_parent_directory(char *path)
Definition: path.c:854
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2094
List * fields
Definition: hba.c:91
#define ereport(elevel, rest)
Definition: elog.h:122
List * lappend(List *list, void *datum)
Definition: list.c:128
static int elevel
Definition: vacuumlazy.c:136
#define NULL
Definition: c.h:229
#define lfirst(lc)
Definition: pg_list.h:106
static MemoryContext tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
Definition: hba.c:470
void join_path_components(char *ret_path, const char *head, const char *tail)
Definition: path.c:218
static HbaToken * copy_hba_token(HbaToken *in)
Definition: hba.c:307
int FreeFile(FILE *file)
Definition: fd.c:2277
void * palloc(Size size)
Definition: mcxt.c:849
int errmsg(const char *fmt,...)
Definition: elog.c:797
const char * strerror(int errnum)
Definition: strerror.c:19
Definition: pg_list.h:45
static bool verify_option_list_length ( List options,
char *  optionname,
List masters,
char *  mastername,
int  line_num 
)
static

Definition at line 1602 of file hba.c.

References ereport, errcode(), errcontext, errmsg(), HbaFileName, list_length(), and LOG.

Referenced by parse_hba_line().

1603 {
1604  if (list_length(options) == 0 ||
1605  list_length(options) == 1 ||
1606  list_length(options) == list_length(masters))
1607  return true;
1608 
1609  ereport(LOG,
1610  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1611  errmsg("the number of %s (%i) must be 1 or the same as the number of %s (%i)",
1612  optionname,
1613  list_length(options),
1614  mastername,
1615  list_length(masters)
1616  ),
1617  errcontext("line %d of configuration file \"%s\"",
1618  line_num, HbaFileName)));
1619  return false;
1620 }
int errcode(int sqlerrcode)
Definition: elog.c:575
#define LOG
Definition: elog.h:26
char * HbaFileName
Definition: guc.c:463
#define ereport(elevel, rest)
Definition: elog.h:122
static int list_length(const List *l)
Definition: pg_list.h:89
int errmsg(const char *fmt,...)
Definition: elog.c:797
#define errcontext
Definition: elog.h:164

Variable Documentation

MemoryContext parsed_hba_context = NULL
static

Definition at line 102 of file hba.c.

List* parsed_hba_lines = NIL
static

Definition at line 101 of file hba.c.

MemoryContext parsed_ident_context = NULL
static

Definition at line 113 of file hba.c.

List* parsed_ident_lines = NIL
static

Definition at line 112 of file hba.c.

const char* const UserAuthName[]
static
Initial value:
=
{
"reject",
"implicit reject",
"trust",
"ident",
"password",
"md5",
"scram-sha256",
"gss",
"sspi",
"pam",
"bsd",
"ldap",
"cert",
"radius",
"peer"
}

Definition at line 121 of file hba.c.

Referenced by fill_hba_line().