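/*
 * token_is_keyword: true only when the AuthToken t was NOT written inside
 * double quotes (t->quoted is false) and its text equals k exactly.
 * The quoted check is what distinguishes a bare keyword from a quoted
 * literal that merely spells the same word (NOTE(review): that is how the
 * callers appear to use it; confirm against the hba parser).
 *
 * Both arguments are parenthesized so that t may be any pointer expression
 * (a cast, a function call, lfirst(cell), ...) and k any string expression,
 * not just plain identifiers; the unparenthesized form mis-binds
 * "!t->quoted" when t is not a simple name.
 */
#define token_is_keyword(t, k) (!(t)->quoted && strcmp((t)->string, (k)) == 0)

/*
 * token_matches: plain text equality for an AuthToken, ignoring whether the
 * token was quoted.  Arguments parenthesized for the same reason as above.
 */
#define token_matches(t, k) (strcmp((t)->string, (k)) == 0)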
116 const char *inc_filename,
int elevel,
char **err_msg);
118 int elevel,
char **err_msg);
128 return c ==
' ' ||
c ==
'\t' ||
c ==
'\r';
170 bool *initial_quote,
bool *terminating_comma,
171 int elevel,
char **err_msg)
174 char *start_buf =
buf;
175 char *end_buf =
buf + (bufsz - 1);
176 bool in_quote =
false;
177 bool was_quote =
false;
178 bool saw_quote =
false;
180 Assert(end_buf > start_buf);
182 *initial_quote =
false;
183 *terminating_comma =
false;
197 if (
c ==
'#' && !in_quote)
199 while ((
c = (*(*
lineptr)++)) !=
'\0')
208 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
209 errmsg(
"authentication file token too long, skipping: \"%s\"",
211 *err_msg =
"authentication file token too long";
213 while ((
c = (*(*
lineptr)++)) !=
'\0')
221 if (
c ==
',' && !in_quote)
223 *terminating_comma =
true;
227 if (
c !=
'"' || was_quote)
231 if (in_quote &&
c ==
'"')
232 was_quote = !was_quote;
238 in_quote = !in_quote;
240 if (
buf == start_buf)
241 *initial_quote =
true;
255 return (saw_quote ||
buf > start_buf);
267 toklen = strlen(token);
271 authtoken->
quoted = quoted;
272 memcpy(authtoken->
string, token, toklen + 1);
305 int elevel,
char **err_msg)
315 &initial_quote, &trailing_comma,
320 if (!initial_quote &&
buf[0] ==
'@' &&
buf[1] !=
'\0')
325 }
while (trailing_comma && (*err_msg == NULL));
347 const char *outer_filename,
348 const char *inc_filename,
361 inc_fullname =
pstrdup(inc_filename);
366 inc_fullname = (
char *)
palloc(strlen(outer_filename) + 1 +
367 strlen(inc_filename) + 1);
368 strcpy(inc_fullname, outer_filename);
375 if (inc_file == NULL)
377 int save_errno = errno;
381 errmsg(
"could not open secondary authentication file \"@%s\" as \"%s\": %m",
382 inc_filename, inc_fullname)));
383 *err_msg =
psprintf(
"could not open secondary authentication file \"@%s\" as \"%s\": %s",
384 inc_filename, inc_fullname,
strerror(save_errno));
396 foreach(inc_line, inc_lines)
408 foreach(inc_field, tok_line->
fields)
413 foreach(inc_token, inc_tokens)
455 "tokenize_auth_file",
463 while (!feof(file) && !ferror(file))
467 char *err_msg = NULL;
468 int last_backslash_buflen = 0;
469 int continuations = 0;
484 if (
buf.len > last_backslash_buflen &&
485 buf.data[
buf.len - 1] ==
'\\')
488 buf.data[--
buf.len] =
'\0';
489 last_backslash_buflen =
buf.len;
501 int save_errno = errno;
506 err_msg =
psprintf(
"could not read file \"%s\": %s",
513 while (*
lineptr && err_msg == NULL)
520 if (current_field !=
NIL)
521 current_line =
lappend(current_line, current_field);
527 if (current_line !=
NIL || err_msg != NULL)
532 tok_line->
fields = current_line;
536 *tok_lines =
lappend(*tok_lines, tok_line);
539 line_number += continuations + 1;
584 foreach(cell, tokens)
608 foreach(cell, tokens)
624 if (strcmp(
dbname, role) == 0)
642 ipv4eq(
struct sockaddr_in *
a,
struct sockaddr_in *
b)
644 return (
a->sin_addr.s_addr ==
b->sin_addr.s_addr);
650 ipv6eq(
struct sockaddr_in6 *
a,
struct sockaddr_in6 *
b)
654 for (
i = 0;
i < 16;
i++)
655 if (
a->sin6_addr.s6_addr[
i] !=
b->sin6_addr.s6_addr[
i])
668 if (pattern[0] ==
'.')
670 size_t plen = strlen(pattern);
671 size_t hlen = strlen(actual_hostname);
676 return (
pg_strcasecmp(pattern, actual_hostname + (hlen - plen)) == 0);
694 if (
port->remote_hostname_resolv < 0)
698 if (!
port->remote_hostname)
703 remote_hostname,
sizeof(remote_hostname),
709 port->remote_hostname_resolv = -2;
710 port->remote_hostname_errcode = ret;
722 if (
port->remote_hostname_resolv == +1)
730 port->remote_hostname_resolv = -2;
731 port->remote_hostname_errcode = ret;
736 for (gai = gai_result; gai; gai = gai->
ai_next)
738 if (gai->
ai_addr->sa_family ==
port->raddr.addr.ss_family)
740 if (gai->
ai_addr->sa_family == AF_INET)
743 (
struct sockaddr_in *) &
port->raddr.addr))
750 else if (gai->
ai_addr->sa_family == AF_INET6)
752 if (ipv6eq((
struct sockaddr_in6 *) gai->
ai_addr,
753 (
struct sockaddr_in6 *) &
port->raddr.addr))
767 elog(
DEBUG2,
"pg_hba.conf host name \"%s\" rejected because address resolution did not return a match with IP address of client",
770 port->remote_hostname_resolv = found ? +1 : -1;
781 if (raddr->
addr.ss_family == addr->sa_family &&
832 (
errmsg(
"error enumerating network interfaces: %m")));
854 #define INVALID_AUTH_OPTION(optname, validmethods) \
857 (errcode(ERRCODE_CONFIG_FILE_ERROR), \
859 errmsg("authentication option \"%s\" is only valid for authentication methods %s", \
860 optname, _(validmethods)), \
861 errcontext("line %d of configuration file \"%s\"", \
862 line_num, HbaFileName))); \
863 *err_msg = psprintf("authentication option \"%s\" is only valid for authentication methods %s", \
864 optname, validmethods); \
868 #define REQUIRE_AUTH_OPTION(methodval, optname, validmethods) \
870 if (hbaline->auth_method != methodval) \
871 INVALID_AUTH_OPTION(optname, validmethods); \
874 #define MANDATORY_AUTH_ARG(argvar, argname, authname) \
876 if (argvar == NULL) { \
878 (errcode(ERRCODE_CONFIG_FILE_ERROR), \
879 errmsg("authentication method \"%s\" requires argument \"%s\" to be set", \
880 authname, argname), \
881 errcontext("line %d of configuration file \"%s\"", \
882 line_num, HbaFileName))); \
883 *err_msg = psprintf("authentication method \"%s\" requires argument \"%s\" to be set", \
884 authname, argname); \
898 #define IDENT_FIELD_ABSENT(field) \
902 (errcode(ERRCODE_CONFIG_FILE_ERROR), \
903 errmsg("missing entry in file \"%s\" at end of line %d", \
904 IdentFileName, line_num))); \
905 *err_msg = psprintf("missing entry at end of line"); \
910 #define IDENT_MULTI_VALUE(tokens) \
912 if (tokens->length > 1) { \
914 (errcode(ERRCODE_CONFIG_FILE_ERROR), \
915 errmsg("multiple values in ident field"), \
916 errcontext("line %d of configuration file \"%s\"", \
917 line_num, IdentFileName))); \
918 *err_msg = psprintf("multiple values in ident field"); \
940 char **err_msg = &tok_line->
err_msg;
964 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
965 errmsg(
"multiple values specified for connection type"),
966 errhint(
"Specify exactly one connection type per line."),
967 errcontext(
"line %d of configuration file \"%s\"",
969 *err_msg =
"multiple values specified for connection type";
973 if (strcmp(token->
string,
"local") == 0)
975 #ifdef HAVE_UNIX_SOCKETS
979 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
980 errmsg(
"local connections are not supported by this build"),
981 errcontext(
"line %d of configuration file \"%s\"",
983 *err_msg =
"local connections are not supported by this build";
987 else if (strcmp(token->
string,
"host") == 0 ||
988 strcmp(token->
string,
"hostssl") == 0 ||
989 strcmp(token->
string,
"hostnossl") == 0 ||
990 strcmp(token->
string,
"hostgssenc") == 0 ||
991 strcmp(token->
string,
"hostnogssenc") == 0)
994 if (token->
string[4] ==
's')
1002 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1003 errmsg(
"hostssl record cannot match because SSL is disabled"),
1004 errhint(
"Set ssl = on in postgresql.conf."),
1005 errcontext(
"line %d of configuration file \"%s\"",
1007 *err_msg =
"hostssl record cannot match because SSL is disabled";
1011 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1012 errmsg(
"hostssl record cannot match because SSL is not supported by this build"),
1013 errcontext(
"line %d of configuration file \"%s\"",
1015 *err_msg =
"hostssl record cannot match because SSL is not supported by this build";
1018 else if (token->
string[4] ==
'g')
1023 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1024 errmsg(
"hostgssenc record cannot match because GSSAPI is not supported by this build"),
1025 errcontext(
"line %d of configuration file \"%s\"",
1027 *err_msg =
"hostgssenc record cannot match because GSSAPI is not supported by this build";
1030 else if (token->
string[4] ==
'n' && token->
string[6] ==
's')
1032 else if (token->
string[4] ==
'n' && token->
string[6] ==
'g')
1043 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1044 errmsg(
"invalid connection type \"%s\"",
1046 errcontext(
"line %d of configuration file \"%s\"",
1048 *err_msg =
psprintf(
"invalid connection type \"%s\"", token->
string);
1057 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1058 errmsg(
"end-of-line before database specification"),
1059 errcontext(
"line %d of configuration file \"%s\"",
1061 *err_msg =
"end-of-line before database specification";
1066 foreach(tokencell, tokens)
1077 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1078 errmsg(
"end-of-line before role specification"),
1079 errcontext(
"line %d of configuration file \"%s\"",
1081 *err_msg =
"end-of-line before role specification";
1086 foreach(tokencell, tokens)
1099 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1100 errmsg(
"end-of-line before IP address specification"),
1101 errcontext(
"line %d of configuration file \"%s\"",
1103 *err_msg =
"end-of-line before IP address specification";
1110 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1111 errmsg(
"multiple values specified for host address"),
1112 errhint(
"Specify one address range per line."),
1113 errcontext(
"line %d of configuration file \"%s\"",
1115 *err_msg =
"multiple values specified for host address";
1143 cidr_slash = strchr(
str,
'/');
1158 if (ret == 0 && gai_result)
1169 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1170 errmsg(
"invalid IP address \"%s\": %s",
1172 errcontext(
"line %d of configuration file \"%s\"",
1174 *err_msg =
psprintf(
"invalid IP address \"%s\": %s",
1189 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1190 errmsg(
"specifying both host name and CIDR mask is invalid: \"%s\"",
1192 errcontext(
"line %d of configuration file \"%s\"",
1194 *err_msg =
psprintf(
"specifying both host name and CIDR mask is invalid: \"%s\"",
1200 parsedline->
addr.ss_family) < 0)
1203 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1204 errmsg(
"invalid CIDR mask in address \"%s\"",
1206 errcontext(
"line %d of configuration file \"%s\"",
1208 *err_msg =
psprintf(
"invalid CIDR mask in address \"%s\"",
1223 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1224 errmsg(
"end-of-line before netmask specification"),
1225 errhint(
"Specify an address range in CIDR notation, or provide a separate netmask."),
1226 errcontext(
"line %d of configuration file \"%s\"",
1228 *err_msg =
"end-of-line before netmask specification";
1235 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1236 errmsg(
"multiple values specified for netmask"),
1237 errcontext(
"line %d of configuration file \"%s\"",
1239 *err_msg =
"multiple values specified for netmask";
1245 &hints, &gai_result);
1246 if (ret || !gai_result)
1249 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1250 errmsg(
"invalid IP mask \"%s\": %s",
1252 errcontext(
"line %d of configuration file \"%s\"",
1254 *err_msg =
psprintf(
"invalid IP mask \"%s\": %s",
1266 if (parsedline->
addr.ss_family != parsedline->
mask.ss_family)
1269 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1270 errmsg(
"IP address and mask do not match"),
1271 errcontext(
"line %d of configuration file \"%s\"",
1273 *err_msg =
"IP address and mask do not match";
1285 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1286 errmsg(
"end-of-line before authentication method"),
1287 errcontext(
"line %d of configuration file \"%s\"",
1289 *err_msg =
"end-of-line before authentication method";
1296 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1297 errmsg(
"multiple values specified for authentication type"),
1298 errhint(
"Specify exactly one authentication type per line."),
1299 errcontext(
"line %d of configuration file \"%s\"",
1301 *err_msg =
"multiple values specified for authentication type";
1307 if (strcmp(token->
string,
"trust") == 0)
1309 else if (strcmp(token->
string,
"ident") == 0)
1311 else if (strcmp(token->
string,
"peer") == 0)
1313 else if (strcmp(token->
string,
"password") == 0)
1315 else if (strcmp(token->
string,
"gss") == 0)
1321 else if (strcmp(token->
string,
"sspi") == 0)
1327 else if (strcmp(token->
string,
"reject") == 0)
1329 else if (strcmp(token->
string,
"md5") == 0)
1334 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1335 errmsg(
"MD5 authentication is not supported when \"db_user_namespace\" is enabled"),
1336 errcontext(
"line %d of configuration file \"%s\"",
1338 *err_msg =
"MD5 authentication is not supported when \"db_user_namespace\" is enabled";
1343 else if (strcmp(token->
string,
"scram-sha-256") == 0)
1345 else if (strcmp(token->
string,
"pam") == 0)
1351 else if (strcmp(token->
string,
"bsd") == 0)
1357 else if (strcmp(token->
string,
"ldap") == 0)
1363 else if (strcmp(token->
string,
"cert") == 0)
1369 else if (strcmp(token->
string,
"radius") == 0)
1374 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1375 errmsg(
"invalid authentication method \"%s\"",
1377 errcontext(
"line %d of configuration file \"%s\"",
1379 *err_msg =
psprintf(
"invalid authentication method \"%s\"",
1387 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1388 errmsg(
"invalid authentication method \"%s\": not supported by this build",
1390 errcontext(
"line %d of configuration file \"%s\"",
1392 *err_msg =
psprintf(
"invalid authentication method \"%s\": not supported by this build",
1410 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1411 errmsg(
"gssapi authentication is not supported on local sockets"),
1412 errcontext(
"line %d of configuration file \"%s\"",
1414 *err_msg =
"gssapi authentication is not supported on local sockets";
1422 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1423 errmsg(
"peer authentication is only supported on local sockets"),
1424 errcontext(
"line %d of configuration file \"%s\"",
1426 *err_msg =
"peer authentication is only supported on local sockets";
1440 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1441 errmsg(
"cert authentication is only supported on hostssl connections"),
1442 errcontext(
"line %d of configuration file \"%s\"",
1444 *err_msg =
"cert authentication is only supported on hostssl connections";
1473 while ((field =
lnext(tok_line->
fields, field)) != NULL)
1476 foreach(tokencell, tokens)
1480 token =
lfirst(tokencell);
1490 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1491 errmsg(
"authentication option not in name=value format: %s", token->
string),
1492 errcontext(
"line %d of configuration file \"%s\"",
1494 *err_msg =
psprintf(
"authentication option not in name=value format: %s",
1513 #ifndef HAVE_LDAP_INITIALIZE
1534 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1535 errmsg(
"cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix"),
1536 errcontext(
"line %d of configuration file \"%s\"",
1538 *err_msg =
"cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix";
1545 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1546 errmsg(
"authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set"),
1547 errcontext(
"line %d of configuration file \"%s\"",
1549 *err_msg =
"authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set";
1561 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1562 errmsg(
"cannot use ldapsearchattribute together with ldapsearchfilter"),
1563 errcontext(
"line %d of configuration file \"%s\"",
1565 *err_msg =
"cannot use ldapsearchattribute together with ldapsearchfilter";
1578 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1579 errmsg(
"list of RADIUS servers cannot be empty"),
1580 errcontext(
"line %d of configuration file \"%s\"",
1582 *err_msg =
"list of RADIUS servers cannot be empty";
1589 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1590 errmsg(
"list of RADIUS secrets cannot be empty"),
1591 errcontext(
"line %d of configuration file \"%s\"",
1593 *err_msg =
"list of RADIUS secrets cannot be empty";
1606 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1607 errmsg(
"the number of RADIUS secrets (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1610 errcontext(
"line %d of configuration file \"%s\"",
1612 *err_msg =
psprintf(
"the number of RADIUS secrets (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1622 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1623 errmsg(
"the number of RADIUS ports (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1626 errcontext(
"line %d of configuration file \"%s\"",
1628 *err_msg =
psprintf(
"the number of RADIUS ports (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1638 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1639 errmsg(
"the number of RADIUS identifiers (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1642 errcontext(
"line %d of configuration file \"%s\"",
1644 *err_msg =
psprintf(
"the number of RADIUS identifiers (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1675 int elevel,
char **err_msg)
1680 hbaline->
ldapscope = LDAP_SCOPE_SUBTREE;
1683 if (strcmp(
name,
"map") == 0)
1693 else if (strcmp(
name,
"clientcert") == 0)
1698 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1699 errmsg(
"clientcert can only be configured for \"hostssl\" rows"),
1700 errcontext(
"line %d of configuration file \"%s\"",
1702 *err_msg =
"clientcert can only be configured for \"hostssl\" rows";
1706 if (strcmp(
val,
"verify-full") == 0)
1710 else if (strcmp(
val,
"verify-ca") == 0)
1715 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1716 errmsg(
"clientcert only accepts \"verify-full\" when using \"cert\" authentication"),
1717 errcontext(
"line %d of configuration file \"%s\"",
1719 *err_msg =
"clientcert can only be set to \"verify-full\" when using \"cert\" authentication";
1728 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1729 errmsg(
"invalid value for clientcert: \"%s\"",
val),
1730 errcontext(
"line %d of configuration file \"%s\"",
1735 else if (strcmp(
name,
"clientname") == 0)
1740 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1741 errmsg(
"clientname can only be configured for \"hostssl\" rows"),
1742 errcontext(
"line %d of configuration file \"%s\"",
1744 *err_msg =
"clientname can only be configured for \"hostssl\" rows";
1748 if (strcmp(
val,
"CN") == 0)
1752 else if (strcmp(
val,
"DN") == 0)
1759 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1760 errmsg(
"invalid value for clientname: \"%s\"",
val),
1761 errcontext(
"line %d of configuration file \"%s\"",
1766 else if (strcmp(
name,
"pamservice") == 0)
1771 else if (strcmp(
name,
"pam_use_hostname") == 0)
1774 if (strcmp(
val,
"1") == 0)
1779 else if (strcmp(
name,
"ldapurl") == 0)
1781 #ifdef LDAP_API_FEATURE_X_OPENLDAP
1782 LDAPURLDesc *urldata;
1787 #ifdef LDAP_API_FEATURE_X_OPENLDAP
1788 rc = ldap_url_parse(
val, &urldata);
1789 if (rc != LDAP_SUCCESS)
1792 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1793 errmsg(
"could not parse LDAP URL \"%s\": %s",
val, ldap_err2string(rc))));
1794 *err_msg =
psprintf(
"could not parse LDAP URL \"%s\": %s",
1795 val, ldap_err2string(rc));
1799 if (strcmp(urldata->lud_scheme,
"ldap") != 0 &&
1800 strcmp(urldata->lud_scheme,
"ldaps") != 0)
1803 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1804 errmsg(
"unsupported LDAP URL scheme: %s", urldata->lud_scheme)));
1805 *err_msg =
psprintf(
"unsupported LDAP URL scheme: %s",
1806 urldata->lud_scheme);
1807 ldap_free_urldesc(urldata);
1811 if (urldata->lud_scheme)
1813 if (urldata->lud_host)
1815 hbaline->
ldapport = urldata->lud_port;
1816 if (urldata->lud_dn)
1819 if (urldata->lud_attrs)
1821 hbaline->
ldapscope = urldata->lud_scope;
1822 if (urldata->lud_filter)
1824 ldap_free_urldesc(urldata);
1827 (
errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
1828 errmsg(
"LDAP URLs not supported on this platform")));
1829 *err_msg =
"LDAP URLs not supported on this platform";
1832 else if (strcmp(
name,
"ldaptls") == 0)
1835 if (strcmp(
val,
"1") == 0)
1840 else if (strcmp(
name,
"ldapscheme") == 0)
1843 if (strcmp(
val,
"ldap") != 0 && strcmp(
val,
"ldaps") != 0)
1845 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1846 errmsg(
"invalid ldapscheme value: \"%s\"",
val),
1847 errcontext(
"line %d of configuration file \"%s\"",
1851 else if (strcmp(
name,
"ldapserver") == 0)
1856 else if (strcmp(
name,
"ldapport") == 0)
1863 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1864 errmsg(
"invalid LDAP port number: \"%s\"",
val),
1865 errcontext(
"line %d of configuration file \"%s\"",
1867 *err_msg =
psprintf(
"invalid LDAP port number: \"%s\"",
val);
1871 else if (strcmp(
name,
"ldapbinddn") == 0)
1876 else if (strcmp(
name,
"ldapbindpasswd") == 0)
1881 else if (strcmp(
name,
"ldapsearchattribute") == 0)
1886 else if (strcmp(
name,
"ldapsearchfilter") == 0)
1891 else if (strcmp(
name,
"ldapbasedn") == 0)
1896 else if (strcmp(
name,
"ldapprefix") == 0)
1901 else if (strcmp(
name,
"ldapsuffix") == 0)
1906 else if (strcmp(
name,
"krb_realm") == 0)
1913 else if (strcmp(
name,
"include_realm") == 0)
1918 if (strcmp(
val,
"1") == 0)
1923 else if (strcmp(
name,
"compat_realm") == 0)
1927 if (strcmp(
val,
"1") == 0)
1932 else if (strcmp(
name,
"upn_username") == 0)
1936 if (strcmp(
val,
"1") == 0)
1941 else if (strcmp(
name,
"radiusservers") == 0)
1946 List *parsed_servers;
1956 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1957 errmsg(
"could not parse RADIUS server list \"%s\"",
1959 errcontext(
"line %d of configuration file \"%s\"",
1965 foreach(l, parsed_servers)
1967 MemSet(&hints, 0,
sizeof(hints));
1972 if (ret || !gai_result)
1975 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1976 errmsg(
"could not translate RADIUS server name \"%s\" to address: %s",
1978 errcontext(
"line %d of configuration file \"%s\"",
1993 else if (strcmp(
name,
"radiusports") == 0)
2004 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2005 errmsg(
"could not parse RADIUS port list \"%s\"",
2007 errcontext(
"line %d of configuration file \"%s\"",
2009 *err_msg =
psprintf(
"invalid RADIUS port number: \"%s\"",
val);
2013 foreach(l, parsed_ports)
2015 if (atoi(
lfirst(l)) == 0)
2018 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2019 errmsg(
"invalid RADIUS port number: \"%s\"",
val),
2020 errcontext(
"line %d of configuration file \"%s\"",
2029 else if (strcmp(
name,
"radiussecrets") == 0)
2031 List *parsed_secrets;
2040 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2041 errmsg(
"could not parse RADIUS secret list \"%s\"",
2043 errcontext(
"line %d of configuration file \"%s\"",
2051 else if (strcmp(
name,
"radiusidentifiers") == 0)
2053 List *parsed_identifiers;
2062 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2063 errmsg(
"could not parse RADIUS identifiers list \"%s\"",
2065 errcontext(
"line %d of configuration file \"%s\"",
2076 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2077 errmsg(
"unrecognized authentication option name: \"%s\"",
2079 errcontext(
"line %d of configuration file \"%s\"",
2081 *err_msg =
psprintf(
"unrecognized authentication option name: \"%s\"",
2109 if (
port->raddr.addr.ss_family != AF_UNIX)
2114 if (
port->raddr.addr.ss_family == AF_UNIX)
2118 if (
port->ssl_in_use)
2136 else if (!(
port->gss &&
port->gss->enc) &&
2157 (
struct sockaddr *) &hba->
addr,
2158 (
struct sockaddr *) &hba->
mask))
2223 errmsg(
"could not open configuration file \"%s\": %m",
2234 "hba parser context",
2237 foreach(line, hba_lines)
2243 if (tok_line->
err_msg != NULL)
2270 if (ok && new_parsed_lines ==
NIL)
2273 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2274 errmsg(
"configuration file \"%s\" contains no entries",
2318 char **err_msg = &tok_line->
err_msg;
2373 (
errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
2374 errmsg(
"invalid regular expression \"%s\": %s",
2377 *err_msg =
psprintf(
"invalid regular expression \"%s\": %s",
2397 const char *pg_role,
const char *ident_user,
2398 bool case_insensitive,
bool *found_p,
bool *error_p)
2403 if (strcmp(identLine->
usermap, usermap_name) != 0)
2421 char *regexp_pgrole;
2426 r =
pg_regexec(&identLine->
re, wstr, wlen, 0, NULL, 2, matches, 0);
2436 (
errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
2437 errmsg(
"regular expression match for \"%s\" failed: %s",
2447 if ((ofs = strstr(identLine->
pg_role,
"\\1")) != NULL)
2452 if (matches[1].rm_so < 0)
2455 (
errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
2456 errmsg(
"regular expression \"%s\" has no subexpressions as requested by backreference in \"%s\"",
2467 offset = ofs - identLine->
pg_role;
2468 memcpy(regexp_pgrole, identLine->
pg_role, offset);
2469 memcpy(regexp_pgrole + offset,
2470 ident_user + matches[1].rm_so,
2471 matches[1].rm_eo - matches[1].rm_so);
2472 strcat(regexp_pgrole, ofs + 2);
2484 if (case_insensitive)
2491 if (strcmp(regexp_pgrole, pg_role) == 0)
2494 pfree(regexp_pgrole);
2501 if (case_insensitive)
2509 if (strcmp(identLine->
pg_role, pg_role) == 0 &&
2510 strcmp(identLine->
ident_user, ident_user) == 0)
2532 const char *pg_role,
2533 const char *auth_user,
2534 bool case_insensitive)
2536 bool found_entry =
false,
2539 if (usermap_name == NULL || usermap_name[0] ==
'\0')
2541 if (case_insensitive)
2548 if (strcmp(pg_role, auth_user) == 0)
2552 (
errmsg(
"provided user name (%s) and authenticated user name (%s) do not match",
2553 pg_role, auth_user)));
2563 pg_role, auth_user, case_insensitive,
2564 &found_entry, &
error);
2565 if (found_entry ||
error)
2569 if (!found_entry && !
error)
2572 (
errmsg(
"no match in usermap \"%s\" for user \"%s\" authenticated as \"%s\"",
2573 usermap_name, pg_role, auth_user)));
2605 errmsg(
"could not open usermap file \"%s\": %m",
2616 "ident parser context",
2619 foreach(line_cell, ident_lines)
2624 if (tok_line->
err_msg != NULL)
2657 foreach(parsed_line_cell, new_parsed_lines)
2660 if (
newline->ident_user[0] ==
'/')
2673 if (
newline->ident_user[0] ==
'/')
2716 "UserAuthName[] must match the UserAuth enum");
bool is_member_of_role_nosuper(Oid member, Oid role)
Oid get_role_oid(const char *rolname, bool missing_ok)
#define MemSet(start, val, len)
#define StaticAssertStmt(condition, errmessage)
#define OidIsValid(objectId)
int errcode_for_file_access(void)
int errhint(const char *fmt,...)
int errcode(int sqlerrcode)
int errmsg(const char *fmt,...)
#define ereport(elevel,...)
FILE * AllocateFile(const char *name, const char *mode)
IdentLine * parse_ident_line(TokenizedAuthLine *tok_line, int elevel)
bool pg_isblank(const char c)
#define MANDATORY_AUTH_ARG(argvar, argname, authname)
static bool is_member(Oid userid, const char *role)
static bool hostname_match(const char *pattern, const char *actual_hostname)
static bool check_ip(SockAddr *raddr, struct sockaddr *addr, struct sockaddr *mask)
#define IDENT_FIELD_ABSENT(field)
#define token_is_keyword(t, k)
static bool ipv4eq(struct sockaddr_in *a, struct sockaddr_in *b)
static List * tokenize_inc_file(List *tokens, const char *outer_filename, const char *inc_filename, int elevel, char **err_msg)
static MemoryContext parsed_ident_context
struct check_network_data check_network_data
static bool parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int elevel, char **err_msg)
static bool check_same_host_or_net(SockAddr *raddr, IPCompareMethod method)
static bool next_token(char **lineptr, char *buf, int bufsz, bool *initial_quote, bool *terminating_comma, int elevel, char **err_msg)
static bool check_hostname(hbaPort *port, const char *hostname)
static void check_hba(hbaPort *port)
static void check_network_callback(struct sockaddr *addr, struct sockaddr *netmask, void *cb_data)
const char * hba_authname(UserAuth auth_method)
static void check_ident_usermap(IdentLine *identLine, const char *usermap_name, const char *pg_role, const char *ident_user, bool case_insensitive, bool *found_p, bool *error_p)
static MemoryContext parsed_hba_context
int check_usermap(const char *usermap_name, const char *pg_role, const char *auth_user, bool case_insensitive)
static AuthToken * copy_auth_token(AuthToken *in)
#define IDENT_MULTI_VALUE(tokens)
void hba_getauthmethod(hbaPort *port)
static List * parsed_ident_lines
static const char *const UserAuthName[]
#define token_matches(t, k)
HbaLine * parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
MemoryContext tokenize_auth_file(const char *filename, FILE *file, List **tok_lines, int elevel)
static List * parsed_hba_lines
#define INVALID_AUTH_OPTION(optname, validmethods)
static List * next_field_expand(const char *filename, char **lineptr, int elevel, char **err_msg)
static AuthToken * make_auth_token(const char *token, bool quoted)
static bool check_db(const char *dbname, const char *role, Oid roleid, List *tokens)
static bool check_role(const char *role, Oid roleid, List *tokens)
#define REQUIRE_AUTH_OPTION(methodval, optname, validmethods)
int pg_sockaddr_cidr_mask(struct sockaddr_storage *mask, char *numbits, int family)
int pg_foreach_ifaddr(PgIfAddrCallback callback, void *cb_data)
int pg_range_sockaddr(const struct sockaddr_storage *addr, const struct sockaddr_storage *netaddr, const struct sockaddr_storage *netmask)
void pg_freeaddrinfo_all(int hint_ai_family, struct addrinfo *ai)
int pg_getnameinfo_all(const struct sockaddr_storage *addr, int salen, char *node, int nodelen, char *service, int servicelen, int flags)
int pg_getaddrinfo_all(const char *hostname, const char *servname, const struct addrinfo *hintp, struct addrinfo **result)
Assert(fmt[strlen(fmt) - 1] !='\n')
List * lappend(List *list, void *datum)
void list_free(List *list)
int pg_mb2wchar_with_len(const char *from, pg_wchar *to, int len)
char * pstrdup(const char *in)
void pfree(void *pointer)
void * palloc0(Size size)
MemoryContext CurrentMemoryContext
MemoryContext PostmasterContext
void MemoryContextDelete(MemoryContext context)
#define AllocSetContextCreate
#define ALLOCSET_SMALL_SIZES
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
bool pg_get_line_append(FILE *stream, StringInfo buf, PromptInterruptContext *prompt_ctx)
static int list_length(const List *l)
static ListCell * list_head(const List *l)
static ListCell * lnext(const List *l, const ListCell *c)
void join_path_components(char *ret_path, const char *head, const char *tail)
#define is_absolute_path(filename)
int pg_strcasecmp(const char *s1, const char *s2)
void canonicalize_path(char *path)
void get_parent_directory(char *path)
char * psprintf(const char *fmt,...)
int pg_regcomp(regex_t *re, const chr *string, size_t len, int flags, Oid collation)
size_t pg_regerror(int errcode, const regex_t *preg, char *errbuf, size_t errbuf_size)
int pg_regexec(regex_t *re, const chr *string, size_t len, size_t search_start, rm_detail_t *details, size_t nmatch, regmatch_t pmatch[], int flags)
void pg_regfree(regex_t *re)
int pg_strip_crlf(char *str)
void resetStringInfo(StringInfo str)
void initStringInfo(StringInfo str)
struct sockaddr_storage mask
ClientCertName clientcertname
ClientCertMode clientcert
char * ldapsearchattribute
struct sockaddr_storage addr
IPCompareMethod ip_cmp_method
char * radiusidentifiers_s
struct sockaddr_storage addr
struct sockaddr * ai_addr
struct addrinfo * ai_next
bool SplitGUCList(char *rawstring, char separator, List **namelist)