Loading...
Searching...
No Matches
hba.c File Reference
#include "postgres.h"#include <ctype.h>#include <pwd.h>#include <fcntl.h>#include <sys/param.h>#include <sys/socket.h>#include <netdb.h>#include <netinet/in.h>#include <arpa/inet.h>#include <unistd.h>#include "catalog/pg_collation.h"#include "common/ip.h"#include "common/string.h"#include "libpq/hba.h"#include "libpq/ifaddr.h"#include "libpq/libpq-be.h"#include "libpq/oauth.h"#include "postmaster/postmaster.h"#include "regex/regex.h"#include "replication/walsender.h"#include "storage/fd.h"#include "utils/acl.h"#include "utils/conffiles.h"#include "utils/guc.h"#include "utils/memutils.h"#include "utils/varlena.h"
Include dependency graph for hba.c:
Go to the source code of this file.
Data Structures | |
| struct | check_network_data |
| struct | tokenize_error_callback_arg |
Macros | |
| #define | token_has_regexp(t) (t->regex != NULL) |
| #define | token_is_member_check(t) (!t->quoted && t->string[0] == '+') |
| #define | token_is_keyword(t, k) (!t->quoted && strcmp(t->string, k) == 0) |
| #define | token_matches(t, k) (strcmp(t->string, k) == 0) |
| #define | token_matches_insensitive(t, k) (pg_strcasecmp(t->string, k) == 0) |
| #define | INVALID_AUTH_OPTION(optname, validmethods) |
| #define | REQUIRE_AUTH_OPTION(methodval, optname, validmethods) |
| #define | MANDATORY_AUTH_ARG(argvar, argname, authname) |
| #define | IDENT_FIELD_ABSENT(field) |
| #define | IDENT_MULTI_VALUE(tokens) |
Typedefs | |
| typedef struct check_network_data | check_network_data |
Macro Definition Documentation
◆ IDENT_FIELD_ABSENT
| #define IDENT_FIELD_ABSENT | ( | field | ) |
Value:
do { \
ereport(elevel, \
errmsg("missing entry at end of line"), \
errcontext("line %d of configuration file \"%s\"", \
line_num, file_name))); \
*err_msg = pstrdup("missing entry at end of line"); \
return NULL; \
} \
} while (0)
◆ IDENT_MULTI_VALUE
Value:
do { \
ereport(elevel, \
errmsg("multiple values in ident field"), \
errcontext("line %d of configuration file \"%s\"", \
line_num, file_name))); \
*err_msg = pstrdup("multiple values in ident field"); \
return NULL; \
} \
} while (0)
◆ INVALID_AUTH_OPTION
| #define INVALID_AUTH_OPTION | ( | optname, | |
| validmethods | |||
| ) |
Value:
do { \
ereport(elevel, \
/* translator: the second %s is a list of auth methods */ \
errmsg("authentication option \"%s\" is only valid for authentication methods %s", \
optname, _(validmethods)), \
errcontext("line %d of configuration file \"%s\"", \
line_num, file_name))); \
*err_msg = psprintf("authentication option \"%s\" is only valid for authentication methods %s", \
optname, validmethods); \
return false; \
} while (0)
Definition at line 1241 of file hba.c.
1242 { \
1243 ereport(elevel, \
1245 /* translator: the second %s is a list of auth methods */ \
1249 line_num, file_name))); \
1250 *err_msg = psprintf("authentication option \"%s\" is only valid for authentication methods %s", \
1251 optname, validmethods); \
1252 return false; \
1253} while (0)
◆ MANDATORY_AUTH_ARG
Value:
do { \
ereport(elevel, \
errmsg("authentication method \"%s\" requires argument \"%s\" to be set", \
authname, argname), \
errcontext("line %d of configuration file \"%s\"", \
line_num, file_name))); \
*err_msg = psprintf("authentication method \"%s\" requires argument \"%s\" to be set", \
authname, argname); \
return NULL; \
} \
} while (0)
◆ REQUIRE_AUTH_OPTION
| #define REQUIRE_AUTH_OPTION | ( | methodval, | |
| optname, | |||
| validmethods | |||
| ) |
Value:
Definition at line 1255 of file hba.c.
1256 { \
1259} while (0)
◆ token_has_regexp
◆ token_is_keyword
◆ token_is_member_check
◆ token_matches
◆ token_matches_insensitive
| #define token_matches_insensitive | ( | t, | |
| k | |||
| ) | (pg_strcasecmp(t->string, k) == 0) |
Typedef Documentation
◆ check_network_data
Function Documentation
◆ check_db()
Definition at line 990 of file hba.c.
991{
992 ListCell *cell;
994
996 {
999 {
1000 /*
1001 * physical replication walsender connections can only match
1002 * replication keyword
1003 */
1005 return true;
1006 }
1008 return true;
1010 {
1012 return true;
1013 }
1016 {
1018 return true;
1019 }
1021 continue; /* never match this if not walsender */
1023 {
1025 return true;
1026 }
1028 return true;
1029 }
1030 return false;
1031}
static int regexec_auth_token(const char *match, AuthToken *token, size_t nmatch, regmatch_t pmatch[])
Definition hba.c:345
Definition pg_list.h:46
References am_db_walsender, am_walsender, dbname, fb(), is_member(), lfirst, REG_OKAY, regexec_auth_token(), token_has_regexp, token_is_keyword, and token_matches.
Referenced by check_hba().
◆ check_hba()
Definition at line 2528 of file hba.c.
2529{
2530 Oid roleid;
2531 ListCell *line;
2532 HbaLine *hba;
2533
2534 /* Get the target role's OID. Note we do not error out for bad role. */
2536
2538 {
2540
2541 /* Check connection type */
2543 {
2545 continue;
2546 }
2547 else
2548 {
2550 continue;
2551
2552 /* Check SSL state */
2554 {
2555 /* Connection is SSL, match both "host" and "hostssl" */
2557 continue;
2558 }
2559 else
2560 {
2561 /* Connection is not SSL, match both "host" and "hostnossl" */
2563 continue;
2564 }
2565
2566 /* Check GSSAPI state */
2567#ifdef ENABLE_GSS
2570 continue;
2573 continue;
2574#else
2576 continue;
2577#endif
2578
2579 /* Check IP address */
2581 {
2584 {
2586 hba->hostname))
2587 continue;
2588 }
2589 else
2590 {
2594 continue;
2595 }
2596 break;
2598 break;
2602 hba->ip_cmp_method))
2603 continue;
2604 break;
2605 default:
2606 /* shouldn't get here, but deem it no-match if so */
2607 continue;
2608 }
2609 } /* != ctLocal */
2610
2611 /* Check database and role */
2613 hba->databases))
2614 continue;
2615
2617 continue;
2618
2619 /* Found a record that matched! */
2620 port->hba = hba;
2621 return;
2622 }
2623
2624 /* If no matching entry was found, then implicitly reject. */
2627 port->hba = hba;
2628}
static bool check_role(const char *role, Oid roleid, List *tokens, bool case_insensitive)
Definition hba.c:951
static bool check_ip(SockAddr *raddr, struct sockaddr *addr, struct sockaddr *mask)
Definition hba.c:1166
static bool check_same_host_or_net(SockAddr *raddr, IPCompareMethod method)
Definition hba.c:1207
static bool check_db(const char *dbname, const char *role, Oid roleid, List *tokens)
Definition hba.c:990
References HbaLine::addr, HbaLine::auth_method, check_db(), check_hostname(), check_ip(), check_role(), check_same_host_or_net(), HbaLine::conntype, ctHostGSS, ctHostNoGSS, ctHostNoSSL, ctHostSSL, ctLocal, HbaLine::databases, fb(), get_role_oid(), HbaLine::hostname, HbaLine::ip_cmp_method, ipCmpAll, ipCmpMask, ipCmpSameHost, ipCmpSameNet, lfirst, HbaLine::mask, palloc0_object, parsed_hba_lines, port, HbaLine::roles, and uaImplicitReject.
Referenced by hba_getauthmethod().
◆ check_hostname()
Definition at line 1075 of file hba.c.
1076{
1078 *gai;
1079 int ret;
1080 bool found;
1081
1082 /* Quick out if remote host name already known bad */
1084 return false;
1085
1086 /* Lookup remote host name if not already done */
1088 {
1090
1092 remote_hostname, sizeof(remote_hostname),
1093 NULL, 0,
1094 NI_NAMEREQD);
1095 if (ret != 0)
1096 {
1097 /* remember failure; don't complain in the postmaster log yet */
1098 port->remote_hostname_resolv = -2;
1099 port->remote_hostname_errcode = ret;
1100 return false;
1101 }
1102
1104 }
1105
1106 /* Now see if remote host name matches this pg_hba line */
1108 return false;
1109
1110 /* If we already verified the forward lookup, we're done */
1112 return true;
1113
1114 /* Lookup IP from host name and check against original IP */
1116 if (ret != 0)
1117 {
1118 /* remember failure; don't complain in the postmaster log yet */
1119 port->remote_hostname_resolv = -2;
1120 port->remote_hostname_errcode = ret;
1121 return false;
1122 }
1123
1124 found = false;
1126 {
1128 {
1130 {
1133 {
1134 found = true;
1135 break;
1136 }
1137 }
1139 {
1142 {
1143 found = true;
1144 break;
1145 }
1146 }
1147 }
1148 }
1149
1152
1153 if (!found)
1154 elog(DEBUG2, "pg_hba.conf host name \"%s\" rejected because address resolution did not return a match with IP address of client",
1155 hostname);
1156
1157 port->remote_hostname_resolv = found ? +1 : -1;
1158
1159 return found;
1160}
static bool hostname_match(const char *pattern, const char *actual_hostname)
Definition hba.c:1055
int pg_getnameinfo_all(const struct sockaddr_storage *addr, int salen, char *node, int nodelen, char *service, int servicelen, int flags)
Definition ip.c:117
References DEBUG2, elog, fb(), hostname, hostname_match(), ipv4eq(), ipv6eq(), pg_getnameinfo_all(), port, and pstrdup().
Referenced by check_hba().
◆ check_ident_usermap()
|
static |
Definition at line 2816 of file hba.c.
2819{
2820 Oid roleid;
2821
2824
2826 /* Line does not match the map name we're looking for, so just abort */
2827 return;
2828
2829 /* Get the target role's OID. Note we do not error out for bad role. */
2831
2832 /* Match? */
2834 {
2835 /*
2836 * Process the system username as a regular expression that returns
2837 * exactly one match. This is replaced for \1 in the database username
2838 * string, if present.
2839 */
2840 int r;
2845
2847 if (r)
2848 {
2850
2852 {
2853 /* REG_NOMATCH is not an error, everything else is */
2860 }
2861 return;
2862 }
2863
2864 /*
2865 * Replace \1 with the first captured group unless the field already
2866 * has some special meaning, like a group membership or a regexp-based
2867 * check.
2868 */
2872 {
2877 size_t offset;
2878
2879 /* substitution of the first argument requested */
2881 {
2884 errmsg("regular expression \"%s\" has no subexpressions as requested by backreference in \"%s\"",
2887 return;
2888 }
2891
2892 /*
2893 * It's allowed to have more than one \1 in the string, and we'll
2894 * replace them all. But that's pretty unusual so we optimize on
2895 * the assumption of only one occurrence, which motivates doing
2896 * repeated replacements instead of making two passes over the
2897 * string to determine the final length right away.
2898 */
2900 do
2901 {
2902 /*
2903 * length: current length minus length of \1 plus length of
2904 * replacement plus null terminator
2905 */
2907 /* ofs points into the old_pg_user string at this point */
2916
2917 /*
2918 * Mark the token as quoted, so it will only be compared literally
2919 * and not for some special meaning, such as "all" or a group
2920 * membership check.
2921 */
2925 }
2926 else
2927 {
2929 }
2930
2931 /* check the Postgres user */
2934 case_insensitive);
2935
2938
2939 return;
2940 }
2941 else
2942 {
2943 /*
2944 * Not a regular expression, so make a complete match. If the system
2945 * user does not match, just leave.
2946 */
2948 {
2950 system_user))
2951 return;
2952 }
2953 else
2954 {
2956 return;
2957 }
2958
2959 /* check the Postgres user */
2962 case_insensitive);
2963 }
2964}
static AuthToken * make_auth_token(const char *token, bool quoted)
Definition hba.c:256
size_t pg_regerror(int errcode, const regex_t *preg, char *errbuf, size_t errbuf_size)
Definition regerror.c:60
References check_role(), ereport, errcode(), errmsg(), fb(), free_auth_token(), get_role_oid(), list_make1, LOG, make_auth_token(), palloc(), pfree(), pg_regerror(), REG_NOMATCH, regexec_auth_token(), regmatch_t, system_user(), token_has_regexp, token_is_member_check, token_matches, and token_matches_insensitive.
Referenced by check_usermap().
◆ check_ip()
Definition at line 1166 of file hba.c.
1167{
1172 return true;
1173 return false;
1174}
int pg_range_sockaddr(const struct sockaddr_storage *addr, const struct sockaddr_storage *netaddr, const struct sockaddr_storage *netmask)
Definition ifaddr.c:49
References SockAddr::addr, fb(), and pg_range_sockaddr().
Referenced by check_hba(), and check_network_callback().
◆ check_network_callback()
|
static |
Definition at line 1180 of file hba.c.
1182{
1185
1186 /* Already found a match? */
1188 return;
1189
1191 {
1192 /* Make an all-ones netmask of appropriate length for family */
1195 }
1196 else
1197 {
1198 /* Use the netmask of the interface itself */
1200 }
1201}
int pg_sockaddr_cidr_mask(struct sockaddr_storage *mask, char *numbits, int family)
Definition ifaddr.c:105
Definition hba.c:57
References check_ip(), fb(), ipCmpSameHost, and pg_sockaddr_cidr_mask().
Referenced by check_same_host_or_net().
◆ check_role()
|
static |
Definition at line 951 of file hba.c.
952{
953 ListCell *cell;
955
957 {
960 {
962 return true;
963 }
965 return true;
967 {
969 return true;
970 }
972 {
974 return true;
975 }
977 return true;
978 }
979 return false;
980}
References fb(), is_member(), lfirst, REG_OKAY, regexec_auth_token(), token_has_regexp, token_is_keyword, token_is_member_check, token_matches, and token_matches_insensitive.
Referenced by check_hba(), and check_ident_usermap().
◆ check_same_host_or_net()
|
static |
Definition at line 1207 of file hba.c.
1208{
1210
1212 cn.raddr = raddr;
1214
1215 errno = 0;
1217 {
1220 return false;
1221 }
1222
1224}
static void check_network_callback(struct sockaddr *addr, struct sockaddr *netmask, void *cb_data)
Definition hba.c:1180
int pg_foreach_ifaddr(PgIfAddrCallback callback, void *cb_data)
Definition ifaddr.c:425
References check_network_callback(), ereport, errmsg(), fb(), LOG, check_network_data::method, and pg_foreach_ifaddr().
Referenced by check_hba().
◆ check_usermap()
| int check_usermap | ( | const char * | usermap_name, |
| const char * | pg_user, | ||
| const char * | system_user, | ||
| bool | case_insensitive | ||
| ) |
Definition at line 2981 of file hba.c.
2985{
2988
2990 {
2992 {
2995 }
2996 else
2997 {
3000 }
3003 pg_user, system_user)));
3005 }
3006 else
3007 {
3009
3011 {
3016 break;
3017 }
3018 }
3020 {
3024 }
3026}
static void check_ident_usermap(IdentLine *identLine, const char *usermap_name, const char *pg_user, const char *system_user, bool case_insensitive, bool *found_p, bool *error_p)
Definition hba.c:2816
References check_ident_usermap(), ereport, errmsg(), error(), fb(), lfirst, LOG, parsed_ident_lines, pg_strcasecmp(), STATUS_ERROR, STATUS_OK, and system_user().
Referenced by auth_peer(), ident_inet(), and validate().
◆ copy_auth_token()
Definition at line 287 of file hba.c.
288{
290
291 return out;
292}
References make_auth_token(), AuthToken::quoted, and AuthToken::string.
Referenced by parse_hba_line(), and parse_ident_line().
◆ free_auth_file()
Definition at line 569 of file hba.c.
570{
571 FreeFile(file);
572
573 /* If this is the last cleanup, remove the tokenization context */
575 {
578 }
579}
References CONF_FILE_START_DEPTH, fb(), FreeFile(), MemoryContextDelete(), and tokenize_context.
Referenced by fill_hba_view(), fill_ident_view(), load_hba(), load_ident(), tokenize_expand_file(), and tokenize_include_file().
◆ free_auth_token()
Definition at line 277 of file hba.c.
References pg_regfree(), and token_has_regexp.
Referenced by check_ident_usermap().
◆ hba_authname()
Definition at line 3138 of file hba.c.
3139{
3141}
References UserAuthName.
Referenced by ClientAuthentication(), fill_hba_line(), InitPostgres(), ParallelWorkerMain(), and set_authn_id().
◆ hba_getauthmethod()
Definition at line 3125 of file hba.c.
References check_hba(), and port.
Referenced by ClientAuthentication().
◆ hostname_match()
Definition at line 1055 of file hba.c.
1056{
1057 if (pattern[0] == '.') /* suffix match */
1058 {
1061
1063 return false;
1064
1066 }
1067 else
1069}
References fb(), and pg_strcasecmp().
Referenced by check_hostname().
◆ ipv4eq()
|
static |
◆ ipv6eq()
|
static |
◆ is_member()
Definition at line 922 of file hba.c.
923{
924 Oid roleid;
925
927 return false; /* if user not exist, say "no" */
928
930
932 return false; /* if target role not exist, say "no" */
933
934 /*
935 * See if user is directly or indirectly a member of role. For this
936 * purpose, a superuser is not considered to be automatically a member of
937 * the role, so group auth only applies to explicit membership.
938 */
940}
References get_role_oid(), is_member_of_role_nosuper(), and OidIsValid.
Referenced by check_db(), and check_role().
◆ load_hba()
Definition at line 2642 of file hba.c.
2643{
2644 FILE *file;
2646 ListCell *line;
2651
2654 {
2655 /* error already logged */
2656 return false;
2657 }
2658
2660
2661 /* Now parse all the lines */
2664 "hba parser context",
2665 ALLOCSET_SMALL_SIZES);
2668 {
2671
2672 /* don't parse lines that already have errors */
2674 {
2676 continue;
2677 }
2678
2680 {
2681 /* Parse error; remember there's trouble */
2683
2684 /*
2685 * Keep parsing the rest of the file so we can report errors on
2686 * more than the first line. Error has already been logged, no
2687 * need for more chatter here.
2688 */
2689 continue;
2690 }
2691
2693 }
2694
2695 /*
2696 * A valid HBA file must have at least one entry; else there's no way to
2697 * connect to the postmaster. But only complain about this if we didn't
2698 * already have parsing errors.
2699 */
2701 {
2705 HbaFileName)));
2707 }
2708
2709 /* Free tokenizer memory */
2710 free_auth_file(file, 0);
2712
2714 {
2715 /*
2716 * File contained one or more errors, so bail out. MemoryContextDelete
2717 * is enough to clean up everything, including regexes.
2718 */
2720 return false;
2721 }
2722
2723 /* Loaded new file successfully, replace the one we use */
2728
2729 return true;
2730}
HbaLine * parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
Definition hba.c:1325
void tokenize_auth_file(const char *filename, FILE *file, List **tok_lines, int elevel, int depth)
Definition hba.c:688
FILE * open_auth_file(const char *filename, int elevel, int depth, char **err_msg)
Definition hba.c:594
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition palloc.h:124
Definition pg_list.h:54
Definition memnodes.h:118
Definition hba.h:164
References ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert, ereport, errcode(), errmsg(), fb(), free_auth_file(), HbaFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline, NIL, open_auth_file(), parse_hba_line(), parsed_hba_context, parsed_hba_lines, PostmasterContext, and tokenize_auth_file().
Referenced by PerformAuthentication(), PostmasterMain(), and process_pm_reload_request().
◆ load_ident()
Definition at line 3036 of file hba.c.
3037{
3038 FILE *file;
3046
3047 /* not FATAL ... we just won't do any special ident maps */
3050 {
3051 /* error already logged */
3052 return false;
3053 }
3054
3056
3057 /* Now parse all the lines */
3060 "ident parser context",
3061 ALLOCSET_SMALL_SIZES);
3064 {
3066
3067 /* don't parse lines that already have errors */
3069 {
3071 continue;
3072 }
3073
3075 {
3076 /* Parse error; remember there's trouble */
3078
3079 /*
3080 * Keep parsing the rest of the file so we can report errors on
3081 * more than the first line. Error has already been logged, no
3082 * need for more chatter here.
3083 */
3084 continue;
3085 }
3086
3088 }
3089
3090 /* Free tokenizer memory */
3091 free_auth_file(file, 0);
3093
3095 {
3096 /*
3097 * File contained one or more errors, so bail out. MemoryContextDelete
3098 * is enough to clean up everything, including regexes.
3099 */
3101 return false;
3102 }
3103
3104 /* Loaded new file successfully, replace the one we use */
3107
3110
3111 return true;
3112}
IdentLine * parse_ident_line(TokenizedAuthLine *tok_line, int elevel)
Definition hba.c:2748
References ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert, fb(), free_auth_file(), IdentFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline, NIL, open_auth_file(), parse_ident_line(), parsed_ident_context, parsed_ident_lines, PostmasterContext, and tokenize_auth_file().
Referenced by PerformAuthentication(), PostmasterMain(), and process_pm_reload_request().
◆ make_auth_token()
Definition at line 256 of file hba.c.
257{
260
262 /* we copy string into same palloc block as the struct */
265 authtoken->quoted = quoted;
268
270}
References fb(), and palloc0().
Referenced by check_ident_usermap(), copy_auth_token(), and next_field_expand().
◆ next_field_expand()
|
static |
Definition at line 378 of file hba.c.
380{
385
387
388 do
389 {
392 break;
393
394 /* Is this referencing a file? */
397 elevel, depth + 1, err_msg);
398 else
399 {
401
402 /*
403 * lappend() may do its own allocations, so move to the context
404 * for the list of tokens.
405 */
409 }
411
413
415}
static List * tokenize_expand_file(List *tokens, const char *outer_filename, const char *inc_filename, int elevel, int depth, char **err_msg)
Definition hba.c:492
static bool next_token(char **lineptr, StringInfo buf, bool *initial_quote, bool *terminating_comma)
Definition hba.c:184
Definition stringinfo.h:47
Definition mbprint.h:17
References buf, fb(), filename, initStringInfo(), lappend(), make_auth_token(), MemoryContextSwitchTo(), next_token(), NIL, pfree(), tokenize_context, and tokenize_expand_file().
Referenced by tokenize_auth_file().
◆ next_token()
|
static |
Definition at line 184 of file hba.c.
186{
191
192 /* Initialize output parameters */
196
197 /* Move over any whitespace and commas preceding the next token */
199 ;
200
201 /*
202 * Build a token in buf of next characters up to EOL, unquoted comma, or
203 * unquoted whitespace.
204 */
207 {
208 /* skip comments to EOL */
210 {
212 ;
213 break;
214 }
215
216 /* we do not pass back a terminating comma in the token */
218 {
220 break;
221 }
222
225
226 /* Literal double-quote is two double-quotes */
229 else
231
233 {
238 }
239
240 c = *(*lineptr)++;
241 }
242
243 /*
244 * Un-eat the char right after the token (critical in case it is '\0',
245 * else next call will read past end of string).
246 */
247 (*lineptr)--;
248
250}
References appendStringInfoChar(), buf, fb(), pg_isblank(), and resetStringInfo().
Referenced by base_yylex(), filtered_base_yylex(), and next_field_expand().
◆ open_auth_file()
Definition at line 594 of file hba.c.
596{
597 FILE *file;
598
599 /*
600 * Reject too-deep include nesting depth. This is just a safety check to
601 * avoid dumping core due to stack overflow if an include file loops back
602 * to itself. The maximum nesting depth is pretty arbitrary.
603 */
605 {
606 ereport(elevel,
607 (errcode_for_file_access(),
609 filename)));
610 if (err_msg)
612 filename);
614 }
615
618 {
620
621 ereport(elevel,
622 (errcode_for_file_access(),
624 filename)));
625 if (err_msg)
626 {
629 filename);
630 }
631 /* the caller may care about some specific errno */
634 }
635
636 /*
637 * When opening the top-level file, create the memory context used for the
638 * tokenization. This will be closed with this file when coming back to
639 * this level of cleanup.
640 */
642 {
643 /*
644 * A context may be present, but assume that it has been eliminated
645 * already.
646 */
648 "tokenize_context",
650 }
651
652 return file;
653}
References AllocateFile(), ALLOCSET_START_SMALL_SIZES, AllocSetContextCreate, CONF_FILE_MAX_DEPTH, CONF_FILE_START_DEPTH, CurrentMemoryContext, ereport, errcode_for_file_access(), errmsg(), fb(), filename, psprintf(), and tokenize_context.
Referenced by fill_hba_view(), fill_ident_view(), load_hba(), load_ident(), tokenize_expand_file(), and tokenize_include_file().
◆ parse_hba_auth_opt()
|
static |
Definition at line 2084 of file hba.c.
2086{
2089
2090#ifdef USE_LDAP
2092#endif
2093
2095 {
2104 }
2106 {
2108 {
2109 ereport(elevel,
2113 line_num, file_name)));
2114 *err_msg = "clientcert can only be configured for \"hostssl\" rows";
2115 return false;
2116 }
2117
2119 {
2121 }
2123 {
2125 {
2126 ereport(elevel,
2130 line_num, file_name)));
2131 *err_msg = "clientcert can only be set to \"verify-full\" when using \"cert\" authentication";
2132 return false;
2133 }
2134
2136 }
2137 else
2138 {
2139 ereport(elevel,
2143 line_num, file_name)));
2144 return false;
2145 }
2146 }
2148 {
2150 {
2151 ereport(elevel,
2155 line_num, file_name)));
2156 *err_msg = "clientname can only be configured for \"hostssl\" rows";
2157 return false;
2158 }
2159
2161 {
2163 }
2165 {
2167 }
2168 else
2169 {
2170 ereport(elevel,
2174 line_num, file_name)));
2175 return false;
2176 }
2177 }
2179 {
2182 }
2184 {
2188 else
2190 }
2192 {
2193#ifdef LDAP_API_FEATURE_X_OPENLDAP
2195 int rc;
2196#endif
2197
2199#ifdef LDAP_API_FEATURE_X_OPENLDAP
2202 {
2203 ereport(elevel,
2208 return false;
2209 }
2210
2213 {
2214 ereport(elevel,
2218 urldata->lud_scheme);
2220 return false;
2221 }
2222
2230
2237#else /* not OpenLDAP */
2238 ereport(elevel,
2241 *err_msg = "LDAP URLs not supported on this platform";
2242#endif /* not OpenLDAP */
2243 }
2245 {
2249 else
2251 }
2253 {
2256 ereport(elevel,
2260 line_num, file_name)));
2262 }
2264 {
2267 }
2269 {
2273 {
2274 ereport(elevel,
2278 line_num, file_name)));
2280 return false;
2281 }
2282 }
2284 {
2287 }
2289 {
2292 }
2294 {
2297 }
2299 {
2302 }
2304 {
2307 }
2309 {
2312 }
2314 {
2317 }
2319 {
2324 }
2326 {
2332 else
2334 }
2336 {
2341 else
2343 }
2345 {
2350 else
2352 }
2354 {
2357 int ret;
2359 ListCell *l;
2361
2363
2365 {
2366 /* syntax error in list */
2367 ereport(elevel,
2370 val),
2372 line_num, file_name)));
2373 return false;
2374 }
2375
2376 /* For each entry in the list, translate it */
2378 {
2382
2385 {
2386 ereport(elevel,
2391 line_num, file_name)));
2394
2396 return false;
2397 }
2399 }
2400
2401 /* All entries are OK, so store them */
2404 }
2406 {
2408 ListCell *l;
2410
2412
2414 {
2415 ereport(elevel,
2418 val),
2420 line_num, file_name)));
2422 return false;
2423 }
2424
2426 {
2428 {
2429 ereport(elevel,
2433 line_num, file_name)));
2434
2435 return false;
2436 }
2437 }
2440 }
2442 {
2445
2447
2449 {
2450 /* syntax error in list */
2451 ereport(elevel,
2454 val),
2456 line_num, file_name)));
2457 return false;
2458 }
2459
2462 }
2464 {
2467
2469
2471 {
2472 /* syntax error in list */
2473 ereport(elevel,
2476 val),
2478 line_num, file_name)));
2479 return false;
2480 }
2481
2484 }
2486 {
2489 }
2491 {
2494 }
2496 {
2499 }
2501 {
2505 else
2507 }
2508 else
2509 {
2510 ereport(elevel,
2513 name),
2515 line_num, file_name)));
2517 name);
2518 return false;
2519 }
2520 return true;
2521}
#define REQUIRE_AUTH_OPTION(methodval, optname, validmethods)
Definition hba.c:1255
void pg_freeaddrinfo_all(int hint_ai_family, struct addrinfo *ai)
Definition ip.c:85
int pg_getaddrinfo_all(const char *hostname, const char *servname, const struct addrinfo *hintp, struct addrinfo **result)
Definition ip.c:56
bool SplitGUCList(char *rawstring, char separator, List **namelist)
Definition varlena.c:2978
References clientCertCA, clientCertCN, clientCertDN, clientCertFull, ctHostSSL, ereport, errcode(), errcontext, errmsg(), fb(), gai_strerror(), gettext_noop, INVALID_AUTH_OPTION, lfirst, list_free(), MemSet, name, pg_freeaddrinfo_all(), pg_getaddrinfo_all(), psprintf(), pstrdup(), REQUIRE_AUTH_OPTION, SplitGUCList(), uaCert, uaGSS, uaIdent, uaLDAP, uaOAuth, uaPAM, uaPeer, uaRADIUS, uaSSPI, and val.
Referenced by parse_hba_line().
◆ parse_hba_line()
| HbaLine * parse_hba_line | ( | TokenizedAuthLine * | tok_line, |
| int | elevel | ||
| ) |
Definition at line 1325 of file hba.c.
1326{
1333 int ret;
1336 ListCell *field;
1341
1344 parsedline->linenumber = line_num;
1346
1347 /* Check the record type. */
1352 {
1353 ereport(elevel,
1358 line_num, file_name)));
1359 *err_msg = "multiple values specified for connection type";
1361 }
1364 {
1366 }
1372 {
1373
1375 {
1377 /* Log a warning if SSL support is not active */
1378#ifdef USE_SSL
1380 {
1381 ereport(elevel,
1386 line_num, file_name)));
1387 *err_msg = "hostssl record cannot match because SSL is disabled";
1388 }
1389#else
1390 ereport(elevel,
1394 line_num, file_name)));
1395 *err_msg = "hostssl record cannot match because SSL is not supported by this build";
1396#endif
1397 }
1399 {
1401#ifndef ENABLE_GSS
1402 ereport(elevel,
1406 line_num, file_name)));
1407 *err_msg = "hostgssenc record cannot match because GSSAPI is not supported by this build";
1408#endif
1409 }
1414 else
1415 {
1416 /* "host" */
1418 }
1419 } /* record type */
1420 else
1421 {
1422 ereport(elevel,
1425 token->string),
1427 line_num, file_name)));
1430 }
1431
1432 /* Get the databases. */
1434 if (!field)
1435 {
1436 ereport(elevel,
1440 line_num, file_name)));
1441 *err_msg = "end-of-line before database specification";
1443 }
1447 {
1449
1450 /* Compile a regexp for the database token, if necessary */
1453
1455 }
1456
1457 /* Get the roles. */
1459 if (!field)
1460 {
1461 ereport(elevel,
1465 line_num, file_name)));
1466 *err_msg = "end-of-line before role specification";
1468 }
1472 {
1474
1475 /* Compile a regexp from the role token, if necessary */
1478
1480 }
1481
1483 {
1484 /* Read the IP address field. (with or without CIDR netmask) */
1486 if (!field)
1487 {
1488 ereport(elevel,
1492 line_num, file_name)));
1493 *err_msg = "end-of-line before IP address specification";
1495 }
1498 {
1499 ereport(elevel,
1504 line_num, file_name)));
1505 *err_msg = "multiple values specified for host address";
1507 }
1509
1511 {
1513 }
1515 {
1516 /* Any IP on this host is allowed to connect */
1518 }
1520 {
1521 /* Any IP on the host's subnets is allowed to connect */
1523 }
1524 else
1525 {
1526 /* IP and netmask are specified */
1528
1529 /* need a modifiable copy of token */
1531
1532 /* Check if it has a CIDR suffix and if so isolate it */
1536
1537 /* Get the IP address either way */
1540 hints.ai_socktype = 0;
1541 hints.ai_protocol = 0;
1542 hints.ai_addrlen = 0;
1546
1549 {
1551 gai_result->ai_addrlen);
1553 }
1556 else
1557 {
1558 ereport(elevel,
1563 line_num, file_name)));
1569 }
1570
1572
1573 /* Get the netmask */
1575 {
1577 {
1578 ereport(elevel,
1581 token->string),
1583 line_num, file_name)));
1585 token->string);
1587 }
1588
1590 parsedline->addr.ss_family) < 0)
1591 {
1592 ereport(elevel,
1595 token->string),
1597 line_num, file_name)));
1599 token->string);
1601 }
1604 }
1606 {
1607 /* Read the mask field. */
1610 if (!field)
1611 {
1612 ereport(elevel,
1617 line_num, file_name)));
1618 *err_msg = "end-of-line before netmask specification";
1620 }
1623 {
1624 ereport(elevel,
1628 line_num, file_name)));
1629 *err_msg = "multiple values specified for netmask";
1631 }
1633
1637 {
1638 ereport(elevel,
1643 line_num, file_name)));
1649 }
1650
1652 gai_result->ai_addrlen);
1655
1657 {
1658 ereport(elevel,
1662 line_num, file_name)));
1663 *err_msg = "IP address and mask do not match";
1665 }
1666 }
1667 }
1668 } /* != ctLocal */
1669
1670 /* Get the authentication method */
1672 if (!field)
1673 {
1674 ereport(elevel,
1678 line_num, file_name)));
1679 *err_msg = "end-of-line before authentication method";
1681 }
1684 {
1685 ereport(elevel,
1690 line_num, file_name)));
1691 *err_msg = "multiple values specified for authentication type";
1693 }
1695
1706#ifdef ENABLE_GSS
1708#else
1710#endif
1712#ifdef ENABLE_SSPI
1714#else
1716#endif
1724#ifdef USE_PAM
1726#else
1728#endif
1730#ifdef USE_BSD_AUTH
1732#else
1734#endif
1736#ifdef USE_LDAP
1738#else
1740#endif
1742#ifdef USE_SSL
1744#else
1746#endif
1751 else
1752 {
1753 ereport(elevel,
1756 token->string),
1758 line_num, file_name)));
1760 token->string);
1762 }
1763
1765 {
1766 ereport(elevel,
1769 token->string),
1771 line_num, file_name)));
1773 token->string);
1775 }
1776
1777 /*
1778 * XXX: When using ident on local connections, change it to peer, for
1779 * backwards compatibility.
1780 */
1784
1785 /* Invalid authentication combinations */
1788 {
1789 ereport(elevel,
1793 line_num, file_name)));
1794 *err_msg = "gssapi authentication is not supported on local sockets";
1796 }
1797
1800 {
1801 ereport(elevel,
1805 line_num, file_name)));
1806 *err_msg = "peer authentication is only supported on local sockets";
1808 }
1809
1810 /*
1811 * SSPI authentication can never be enabled on ctLocal connections,
1812 * because it's only supported on Windows, where ctLocal isn't supported.
1813 */
1814
1815
1818 {
1819 ereport(elevel,
1823 line_num, file_name)));
1824 *err_msg = "cert authentication is only supported on hostssl connections";
1826 }
1827
1828 /*
1829 * For GSS and SSPI, set the default value of include_realm to true.
1830 * Having include_realm set to false is dangerous in multi-realm
1831 * situations and is generally considered bad practice. We keep the
1832 * capability around for backwards compatibility, but we might want to
1833 * remove it at some point in the future. Users who still need to strip
1834 * the realm off would be better served by using an appropriate regex in a
1835 * pg_ident.conf mapping.
1836 */
1840
1841 /*
1842 * For SSPI, include_realm defaults to the SAM-compatible domain (aka
1843 * NetBIOS name) and user names instead of the Kerberos principal name for
1844 * compatibility.
1845 */
1847 {
1850 }
1851
1852 /* Parse remaining arguments */
1854 {
1857 {
1859
1861
1865 {
1866 /*
1867 * Got something that's not a name=value pair.
1868 */
1869 ereport(elevel,
1873 line_num, file_name)));
1875 token->string);
1877 }
1878
1881 /* parse_hba_auth_opt already logged the error message */
1884 }
1885 }
1886
1887 /*
1888 * Check if the selected authentication method has any mandatory arguments
1889 * that are not set.
1890 */
1892 {
1893#ifndef HAVE_LDAP_INITIALIZE
1894 /* Not mandatory for OpenLDAP, because it can use DNS SRV records */
1896#endif
1897
1898 /*
1899 * LDAP can operate in two modes: either with a direct bind, using
1900 * ldapprefix and ldapsuffix, or using a search+bind, using
1901 * ldapbasedn, ldapbinddn, ldapbindpasswd and one of
1902 * ldapsearchattribute or ldapsearchfilter. Disallow mixing these
1903 * parameters.
1904 */
1906 {
1908 parsedline->ldapbinddn ||
1909 parsedline->ldapbindpasswd ||
1910 parsedline->ldapsearchattribute ||
1911 parsedline->ldapsearchfilter)
1912 {
1913 ereport(elevel,
1917 line_num, file_name)));
1918 *err_msg = "cannot mix options for simple bind and search+bind modes";
1920 }
1921 }
1923 {
1924 ereport(elevel,
1926 errmsg("authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set"),
1928 line_num, file_name)));
1929 *err_msg = "authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set";
1931 }
1932
1933 /*
1934 * When using search+bind, you can either use a simple attribute
1935 * (defaulting to "uid") or a fully custom search filter. You can't
1936 * do both.
1937 */
1939 {
1940 ereport(elevel,
1944 line_num, file_name)));
1945 *err_msg = "cannot use ldapsearchattribute together with ldapsearchfilter";
1947 }
1948 }
1949
1951 {
1954
1956 {
1957 ereport(elevel,
1961 line_num, file_name)));
1962 *err_msg = "list of RADIUS servers cannot be empty";
1964 }
1965
1967 {
1968 ereport(elevel,
1972 line_num, file_name)));
1973 *err_msg = "list of RADIUS secrets cannot be empty";
1975 }
1976
1977 /*
1978 * Verify length of option lists - each can be 0 (except for secrets,
1979 * but that's already checked above), 1 (use the same value
1980 * everywhere) or the same as the number of servers.
1981 */
1984 {
1985 ereport(elevel,
1987 errmsg("the number of RADIUS secrets (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1991 line_num, file_name)));
1992 *err_msg = psprintf("the number of RADIUS secrets (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1996 }
2000 {
2001 ereport(elevel,
2003 errmsg("the number of RADIUS ports (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2007 line_num, file_name)));
2008 *err_msg = psprintf("the number of RADIUS ports (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2012 }
2016 {
2017 ereport(elevel,
2019 errmsg("the number of RADIUS identifiers (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2023 line_num, file_name)));
2024 *err_msg = psprintf("the number of RADIUS identifiers (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2028 }
2029 }
2030
2031 /*
2032 * Enforce any parameters implied by other settings.
2033 */
2035 {
2036 /*
2037 * For auth method cert, client certificate validation is mandatory,
2038 * and it implies the level of verify-full.
2039 */
2041 }
2042
2043 /*
2044 * Enforce proper configuration of OAuth authentication.
2045 */
2047 {
2050
2051 /* Ensure a validator library is set and permitted by the config. */
2054
2055 /*
2056 * Supplying a usermap combined with the option to skip usermapping is
2057 * nonsensical and indicates a configuration error.
2058 */
2060 {
2061 ereport(elevel,
2063 /* translator: strings are replaced with hba options */
2065 "map", "delegate_ident_mapping"),
2067 line_num, file_name));
2068 *err_msg = "map cannot be used in combination with delegate_ident_mapping";
2070 }
2071 }
2072
2074}
bool check_oauth_validator(HbaLine *hbaline, int elevel, char **err_msg)
Definition auth-oauth.c:820
static bool parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int elevel, char **err_msg)
Definition hba.c:2084
static int regcomp_auth_token(AuthToken *token, char *filename, int line_num, char **err_msg, int elevel)
Definition hba.c:300
References Assert, check_oauth_validator(), clientCertFull, copy_auth_token(), ctHost, ctHostGSS, ctHostNoGSS, ctHostNoSSL, ctHostSSL, ctLocal, EnableSSL, ereport, errcode(), errcontext, errhint(), errmsg(), fb(), gai_strerror(), ipCmpAll, ipCmpMask, ipCmpSameHost, ipCmpSameNet, lappend(), lfirst, linitial, list_head(), list_length(), lnext(), MANDATORY_AUTH_ARG, NIL, palloc0_object, parse_hba_auth_opt(), pfree(), pg_freeaddrinfo_all(), pg_getaddrinfo_all(), pg_sockaddr_cidr_mask(), psprintf(), pstrdup(), regcomp_auth_token(), str, token, token_is_keyword, uaBSD, uaCert, uaGSS, uaIdent, uaLDAP, uaMD5, uaOAuth, uaPAM, uaPassword, uaPeer, uaRADIUS, uaReject, uaSCRAM, uaSSPI, uaTrust, and val.
Referenced by fill_hba_view(), and load_hba().
◆ parse_ident_line()
| IdentLine * parse_ident_line | ( | TokenizedAuthLine * | tok_line, |
| int | elevel | ||
| ) |
Definition at line 2748 of file hba.c.
2749{
2753 ListCell *field;
2757
2760
2762 parsedline->linenumber = line_num;
2763
2764 /* Get the map token (must exist) */
2769
2770 /* Get the ident user token */
2772 IDENT_FIELD_ABSENT(field);
2776
2777 /* Copy the ident user token */
2779
2780 /* Get the PG rolename token */
2782 IDENT_FIELD_ABSENT(field);
2787
2788 /*
2789 * Now that the field validation is done, compile a regex from the user
2790 * tokens, if necessary.
2791 */
2793 err_msg, elevel))
2794 {
2795 /* err_msg includes the error to report */
2797 }
2798
2800 err_msg, elevel))
2801 {
2802 /* err_msg includes the error to report */
2804 }
2805
2807}
References Assert, copy_auth_token(), fb(), IDENT_FIELD_ABSENT, IDENT_MULTI_VALUE, lfirst, linitial, list_head(), lnext(), NIL, palloc0_object, pstrdup(), regcomp_auth_token(), and token.
Referenced by fill_ident_view(), and load_ident().
◆ pg_isblank()
Definition at line 142 of file hba.c.
143{
144 /* don't accept non-ASCII data */
146}
References fb(), and IS_HIGHBIT_SET.
Referenced by next_token().
◆ regcomp_auth_token()
|
static |
Definition at line 300 of file hba.c.
302{
304 int wlen;
305 int rc;
306
308
310 return 0; /* nothing to compile */
311
316
318
319 if (rc)
320 {
322
324 ereport(elevel,
329 line_num, filename)));
330
333 }
334
336 return rc;
337}
int pg_mb2wchar_with_len(const char *from, pg_wchar *to, int len)
Definition mbutils.c:989
int pg_regcomp(regex_t *re, const chr *string, size_t len, int flags, Oid collation)
Definition regcomp.c:372
References Assert, ereport, errcode(), errcontext, errmsg(), fb(), filename, palloc(), palloc0_object, pfree(), pg_mb2wchar_with_len(), pg_regcomp(), pg_regerror(), psprintf(), REG_ADVANCED, and regex_t.
Referenced by parse_hba_line(), and parse_ident_line().
◆ regexec_auth_token()
|
static |
Definition at line 345 of file hba.c.
347{
350 int r;
351
353
356
358
360 return r;
361}
int pg_regexec(regex_t *re, const chr *string, size_t len, size_t search_start, rm_detail_t *details, size_t nmatch, regmatch_t pmatch[], int flags)
Definition regexec.c:185
References Assert, fb(), palloc(), pfree(), pg_mb2wchar_with_len(), and pg_regexec().
Referenced by check_db(), check_ident_usermap(), and check_role().
◆ StaticAssertDecl()
| StaticAssertDecl | ( | lengthof(UserAuthName) | = =USER_AUTH_LAST+1, |
| "UserAuthName []must match the UserAuth enum" | |||
| ) |
◆ tokenize_auth_file()
| void tokenize_auth_file | ( | const char * | filename, |
| FILE * | file, | ||
| List ** | tok_lines, | ||
| int | elevel, | ||
| int | depth | ||
| ) |
Definition at line 688 of file hba.c.
690{
691 int line_number = 1;
696 tokenize_error_callback_arg callback_arg;
697
699
701 callback_arg.linenum = line_number;
702
704 tokenerrcontext.arg = &callback_arg;
707
708 /*
709 * Do all the local tokenization in its own context, to ease the cleanup
710 * of any memory allocated while tokenizing.
711 */
713 "tokenize_auth_file",
714 ALLOCSET_SMALL_SIZES);
716
718
721
723 {
731
732 /* Collect the next input line, handling backslash continuations */
734
736 {
737 /* Strip trailing newline, including \r in case we're on Windows */
739
740 /*
741 * Check for backslash continuation. The backslash must be after
742 * the last place we found a continuation, else two backslashes
743 * followed by two \n's would behave surprisingly.
744 */
747 {
748 /* Continuation, so strip it and keep reading */
751 continuations++;
752 continue;
753 }
754
755 /* Nope, so we have the whole line */
756 break;
757 }
758
760 {
761 /* I/O error! */
763
764 ereport(elevel,
765 (errcode_for_file_access(),
769 filename);
770 break;
771 }
772
773 /* Parse fields */
776 {
778
780 elevel, depth, &err_msg);
781 /* add field to line, unless we are at EOL or comment start */
783 {
784 /*
785 * lappend() may do its own allocations, so move to the
786 * context for the list of tokens.
787 */
791 }
792 }
793
794 /*
795 * Reached EOL; no need to emit line to TokenizedAuthLine list if it's
796 * boring.
797 */
800
801 /* If the line is valid, check if that's an include directive */
803 {
804 AuthToken *first,
805 *second;
806
809
811 {
813 elevel, depth + 1, false, &err_msg);
814
815 if (err_msg)
817
818 /*
819 * tokenize_auth_file() has taken care of creating the
820 * TokenizedAuthLines.
821 */
823 }
825 {
830
832 &num_filenames, &err_msg);
833
835 {
836 /* the error is in err_msg, so create an entry */
838 }
839
842 {
844 elevel, depth + 1, false, &err_msg);
845 /* cumulate errors if any */
846 if (err_msg)
847 {
851 }
852 }
853
854 /* clean up things */
858
859 /*
860 * If there were no errors, the line is fully processed,
861 * bypass the general TokenizedAuthLine processing.
862 */
865
866 /* Otherwise, process the cumulated errors, if any. */
867 err_msg = err_buf.data;
869 }
871 {
872
874 elevel, depth + 1, true, &err_msg);
875 if (err_msg)
877
878 /*
879 * tokenize_auth_file() has taken care of creating the
880 * TokenizedAuthLines.
881 */
883 }
884 }
885
886process_line:
887
888 /*
889 * General processing: report the error if any and emit line to the
890 * TokenizedAuthLine. This is saved in the memory context dedicated
891 * to this list.
892 */
897 tok_line->line_num = line_number;
902
903next_line:
904 line_number += continuations + 1;
905 callback_arg.linenum = line_number;
906 }
907
910
912}
char ** GetConfFilesInDir(const char *includedir, const char *calling_file, int elevel, int *num_filenames, char **err_msg)
Definition conffiles.c:70
static List * next_field_expand(const char *filename, char **lineptr, int elevel, int depth, char **err_msg)
Definition hba.c:378
static void tokenize_include_file(const char *outer_filename, const char *inc_filename, List **tok_lines, int elevel, int depth, bool missing_ok, char **err_msg)
Definition hba.c:437
bool pg_get_line_append(FILE *stream, StringInfo buf, PromptInterruptContext *prompt_ctx)
Definition pg_get_line.c:124
void appendStringInfoString(StringInfo str, const char *s)
Definition stringinfo.c:230
Definition elog.h:296
Definition hba.c:64
References ALLOCSET_SMALL_SIZES, AllocSetContextCreate, appendStringInfoChar(), appendStringInfoString(), Assert, buf, CONF_FILE_START_DEPTH, CurrentMemoryContext, ereport, errcode_for_file_access(), errmsg(), error_context_stack, fb(), tokenize_error_callback_arg::filename, filename, GetConfFilesInDir(), i, initStringInfo(), lappend(), tokenize_error_callback_arg::linenum, linitial, linitial_node, list_length(), lsecond_node, MemoryContextDelete(), MemoryContextSwitchTo(), next_field_expand(), NIL, palloc0_object, pfree(), pg_get_line_append(), pg_strip_crlf(), ErrorContextCallback::previous, psprintf(), pstrdup(), resetStringInfo(), AuthToken::string, tokenize_context, tokenize_error_callback(), and tokenize_include_file().
Referenced by fill_hba_view(), fill_ident_view(), load_hba(), load_ident(), tokenize_expand_file(), and tokenize_include_file().
◆ tokenize_error_callback()
Definition at line 659 of file hba.c.
660{
662
665}
References arg, errcontext, tokenize_error_callback_arg::filename, and tokenize_error_callback_arg::linenum.
Referenced by tokenize_auth_file().
◆ tokenize_expand_file()
|
static |
Definition at line 492 of file hba.c.
498{
503
506
508 {
509 /* error already logged */
512 }
513
514 /*
515 * There is possible recursion here if the file contains @ or an include
516 * record.
517 */
519 depth);
520
522
523 /*
524 * Move all the tokens found in the file to the tokens list. These are
525 * already saved in tokenize_context.
526 */
528 {
531
532 /* If any line has an error, propagate that up to caller */
534 {
536 break;
537 }
538
540 {
543
545 {
548
549 /*
550 * lappend() may do its own allocations, so move to the
551 * context for the list of tokens.
552 */
556 }
557 }
558 }
559
562}
char * AbsoluteConfigLocation(const char *location, const char *calling_file)
Definition conffiles.c:36
References AbsoluteConfigLocation(), fb(), free_auth_file(), lappend(), lfirst, MemoryContextSwitchTo(), NIL, open_auth_file(), pfree(), pstrdup(), tokenize_auth_file(), and tokenize_context.
Referenced by next_field_expand().
◆ tokenize_include_file()
|
static |
Definition at line 437 of file hba.c.
444{
447
450
452 {
454 {
455 ereport(elevel,
457 inc_fullname)));
458 *err_msg = NULL;
460 return;
461 }
462
463 /* error in err_msg, so leave and report */
465 Assert(err_msg);
466 return;
467 }
468
470 depth);
473}
References AbsoluteConfigLocation(), Assert, ereport, errmsg(), fb(), free_auth_file(), open_auth_file(), pfree(), and tokenize_auth_file().
Referenced by tokenize_auth_file().
Variable Documentation
◆ parsed_hba_context
|
static |
Definition at line 87 of file hba.c.
Referenced by load_hba().
◆ parsed_hba_lines
Definition at line 86 of file hba.c.
Referenced by check_hba(), and load_hba().
◆ parsed_ident_context
|
static |
Definition at line 94 of file hba.c.
Referenced by load_ident().
◆ parsed_ident_lines
Definition at line 93 of file hba.c.
Referenced by check_usermap(), and load_ident().
◆ tokenize_context
|
static |
Definition at line 80 of file hba.c.
Referenced by free_auth_file(), next_field_expand(), open_auth_file(), tokenize_auth_file(), and tokenize_expand_file().
◆ UserAuthName
Initial value:
=
{
"reject",
"implicit reject",
"trust",
"ident",
"password",
"md5",
"scram-sha-256",
"gss",
"sspi",
"pam",
"bsd",
"ldap",
"cert",
"radius",
"peer",
"oauth",
}
Definition at line 102 of file hba.c.
103{
104 "reject",
105 "implicit reject", /* Not a user-visible option */
106 "trust",
107 "ident",
108 "password",
109 "md5",
110 "scram-sha-256",
111 "gss",
112 "sspi",
113 "pam",
114 "bsd",
115 "ldap",
116 "cert",
117 "radius",
118 "peer",
119 "oauth",
120};
Referenced by hba_authname().
