68 #define token_has_regexp(t) (t->regex != NULL)
69 #define token_is_member_check(t) (!t->quoted && t->string[0] == '+')
70 #define token_is_keyword(t, k) (!t->quoted && strcmp(t->string, k) == 0)
71 #define token_matches(t, k) (strcmp(t->string, k) == 0)
72 #define token_matches_insensitive(t,k) (pg_strcasecmp(t->string, k) == 0)
124 "UserAuthName[] must match the UserAuth enum");
128 const char *inc_filename,
int elevel,
129 int depth,
char **err_msg);
131 int elevel,
char **err_msg);
133 char **err_msg,
int elevel);
146 return c ==
' ' ||
c ==
'\t' ||
c ==
'\r';
186 bool *initial_quote,
bool *terminating_comma)
189 bool in_quote =
false;
190 bool was_quote =
false;
191 bool saw_quote =
false;
195 *initial_quote =
false;
196 *terminating_comma =
false;
210 if (
c ==
'#' && !in_quote)
212 while ((
c = (*(*
lineptr)++)) !=
'\0')
218 if (
c ==
',' && !in_quote)
220 *terminating_comma =
true;
224 if (
c !=
'"' || was_quote)
228 if (in_quote &&
c ==
'"')
229 was_quote = !was_quote;
235 in_quote = !in_quote;
238 *initial_quote =
true;
250 return (saw_quote ||
buf->len > 0);
262 toklen = strlen(
token);
266 authtoken->
quoted = quoted;
267 authtoken->
regex = NULL;
302 char **err_msg,
int elevel)
310 if (
token->string[0] !=
'/')
316 wstr, strlen(
token->string + 1));
326 (
errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
327 errmsg(
"invalid regular expression \"%s\": %s",
328 token->string + 1, errstr),
329 errcontext(
"line %d of configuration file \"%s\"",
332 *err_msg =
psprintf(
"invalid regular expression \"%s\": %s",
333 token->string + 1, errstr);
358 r =
pg_regexec(
token->regex, wmatchstr, wmatchlen, 0, NULL, nmatch, pmatch, 0);
380 int elevel,
int depth,
char **err_msg)
392 &initial_quote, &trailing_comma))
396 if (!initial_quote &&
buf.len > 1 &&
buf.data[0] ==
'@')
398 elevel, depth + 1, err_msg);
411 }
while (trailing_comma && (*err_msg == NULL));
439 const char *inc_filename,
454 if (errno == ENOENT && missing_ok)
457 (
errmsg(
"skipping missing authentication file \"%s\"",
494 const char *outer_filename,
495 const char *inc_filename,
508 if (inc_file == NULL)
528 foreach(inc_line, inc_lines)
540 foreach(inc_field, tok_line->
fields)
545 foreach(inc_token, inc_tokens)
609 errmsg(
"could not open file \"%s\": maximum nesting depth exceeded",
612 *err_msg =
psprintf(
"could not open file \"%s\": maximum nesting depth exceeded",
620 int save_errno = errno;
624 errmsg(
"could not open file \"%s\": %m",
629 *err_msg =
psprintf(
"could not open file \"%s\": %m",
664 errcontext(
"line %d of configuration file \"%s\"",
690 int elevel,
int depth)
702 callback_arg.
linenum = line_number;
705 tokenerrcontext.
arg = (
void *) &callback_arg;
714 "tokenize_auth_file",
723 while (!feof(file) && !ferror(file))
729 char *err_msg = NULL;
730 int last_backslash_buflen = 0;
731 int continuations = 0;
746 if (
buf.len > last_backslash_buflen &&
747 buf.data[
buf.len - 1] ==
'\\')
750 buf.data[--
buf.len] =
'\0';
751 last_backslash_buflen =
buf.len;
763 int save_errno = errno;
769 err_msg =
psprintf(
"could not read file \"%s\": %m",
776 while (*
lineptr && err_msg == NULL)
781 elevel, depth, &err_msg);
783 if (current_field !=
NIL)
790 current_line =
lappend(current_line, current_field);
799 if (current_line ==
NIL && err_msg == NULL)
803 if (err_msg == NULL &&
list_length(current_line) == 2)
811 if (strcmp(first->
string,
"include") == 0)
814 elevel, depth + 1,
false, &err_msg);
825 else if (strcmp(first->
string,
"include_dir") == 0)
828 char *dir_name = second->
string;
833 &num_filenames, &err_msg);
842 for (
int i = 0;
i < num_filenames;
i++)
845 elevel, depth + 1,
false, &err_msg);
856 for (
int i = 0;
i < num_filenames;
i++)
864 if (err_buf.
len == 0)
868 err_msg = err_buf.
data;
871 else if (strcmp(first->
string,
"include_if_exists") == 0)
875 elevel, depth + 1,
true, &err_msg);
896 tok_line->
fields = current_line;
901 *tok_lines =
lappend(*tok_lines, tok_line);
905 line_number += continuations + 1;
906 callback_arg.
linenum = line_number;
957 foreach(cell, tokens)
972 else if (case_insensitive)
996 foreach(cell, tokens)
1012 if (strcmp(
dbname, role) == 0)
1037 return (
a->sin_addr.s_addr ==
b->sin_addr.s_addr);
1045 for (
i = 0;
i < 16;
i++)
1046 if (
a->sin6_addr.s6_addr[
i] !=
b->sin6_addr.s6_addr[
i])
1058 if (pattern[0] ==
'.')
1060 size_t plen = strlen(pattern);
1061 size_t hlen = strlen(actual_hostname);
1066 return (
pg_strcasecmp(pattern, actual_hostname + (hlen - plen)) == 0);
1078 struct addrinfo *gai_result,
1084 if (
port->remote_hostname_resolv < 0)
1088 if (!
port->remote_hostname)
1090 char remote_hostname[NI_MAXHOST];
1093 remote_hostname,
sizeof(remote_hostname),
1099 port->remote_hostname_resolv = -2;
1100 port->remote_hostname_errcode = ret;
1112 if (
port->remote_hostname_resolv == +1)
1116 ret = getaddrinfo(
port->remote_hostname, NULL, NULL, &gai_result);
1120 port->remote_hostname_resolv = -2;
1121 port->remote_hostname_errcode = ret;
1126 for (gai = gai_result; gai; gai = gai->ai_next)
1128 if (gai->ai_addr->sa_family ==
port->raddr.addr.ss_family)
1130 if (gai->ai_addr->sa_family == AF_INET)
1132 if (
ipv4eq((
struct sockaddr_in *) gai->ai_addr,
1133 (
struct sockaddr_in *) &
port->raddr.addr))
1139 else if (gai->ai_addr->sa_family == AF_INET6)
1141 if (
ipv6eq((
struct sockaddr_in6 *) gai->ai_addr,
1142 (
struct sockaddr_in6 *) &
port->raddr.addr))
1152 freeaddrinfo(gai_result);
1155 elog(
DEBUG2,
"pg_hba.conf host name \"%s\" rejected because address resolution did not return a match with IP address of client",
1158 port->remote_hostname_resolv = found ? +1 : -1;
1169 if (raddr->
addr.ss_family == addr->sa_family &&
1171 (
struct sockaddr_storage *) addr,
1172 (
struct sockaddr_storage *) mask))
1185 struct sockaddr_storage mask;
1220 (
errmsg(
"error enumerating network interfaces: %m")));
1242 #define INVALID_AUTH_OPTION(optname, validmethods) \
1245 (errcode(ERRCODE_CONFIG_FILE_ERROR), \
1247 errmsg("authentication option \"%s\" is only valid for authentication methods %s", \
1248 optname, _(validmethods)), \
1249 errcontext("line %d of configuration file \"%s\"", \
1250 line_num, file_name))); \
1251 *err_msg = psprintf("authentication option \"%s\" is only valid for authentication methods %s", \
1252 optname, validmethods); \
1256 #define REQUIRE_AUTH_OPTION(methodval, optname, validmethods) \
1258 if (hbaline->auth_method != methodval) \
1259 INVALID_AUTH_OPTION(optname, validmethods); \
1262 #define MANDATORY_AUTH_ARG(argvar, argname, authname) \
1264 if (argvar == NULL) { \
1266 (errcode(ERRCODE_CONFIG_FILE_ERROR), \
1267 errmsg("authentication method \"%s\" requires argument \"%s\" to be set", \
1268 authname, argname), \
1269 errcontext("line %d of configuration file \"%s\"", \
1270 line_num, file_name))); \
1271 *err_msg = psprintf("authentication method \"%s\" requires argument \"%s\" to be set", \
1272 authname, argname); \
1286 #define IDENT_FIELD_ABSENT(field) \
1290 (errcode(ERRCODE_CONFIG_FILE_ERROR), \
1291 errmsg("missing entry at end of line"), \
1292 errcontext("line %d of configuration file \"%s\"", \
1293 line_num, file_name))); \
1294 *err_msg = pstrdup("missing entry at end of line"); \
1299 #define IDENT_MULTI_VALUE(tokens) \
1301 if (tokens->length > 1) { \
1303 (errcode(ERRCODE_CONFIG_FILE_ERROR), \
1304 errmsg("multiple values in ident field"), \
1305 errcontext("line %d of configuration file \"%s\"", \
1306 line_num, file_name))); \
1307 *err_msg = pstrdup("multiple values in ident field"); \
1330 char **err_msg = &tok_line->
err_msg;
1332 struct addrinfo *gai_result;
1333 struct addrinfo hints;
1355 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1356 errmsg(
"multiple values specified for connection type"),
1357 errhint(
"Specify exactly one connection type per line."),
1358 errcontext(
"line %d of configuration file \"%s\"",
1359 line_num, file_name)));
1360 *err_msg =
"multiple values specified for connection type";
1364 if (strcmp(
token->string,
"local") == 0)
1368 else if (strcmp(
token->string,
"host") == 0 ||
1369 strcmp(
token->string,
"hostssl") == 0 ||
1370 strcmp(
token->string,
"hostnossl") == 0 ||
1371 strcmp(
token->string,
"hostgssenc") == 0 ||
1372 strcmp(
token->string,
"hostnogssenc") == 0)
1375 if (
token->string[4] ==
's')
1383 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1384 errmsg(
"hostssl record cannot match because SSL is disabled"),
1385 errhint(
"Set \"ssl = on\" in postgresql.conf."),
1386 errcontext(
"line %d of configuration file \"%s\"",
1387 line_num, file_name)));
1388 *err_msg =
"hostssl record cannot match because SSL is disabled";
1392 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1393 errmsg(
"hostssl record cannot match because SSL is not supported by this build"),
1394 errcontext(
"line %d of configuration file \"%s\"",
1395 line_num, file_name)));
1396 *err_msg =
"hostssl record cannot match because SSL is not supported by this build";
1399 else if (
token->string[4] ==
'g')
1404 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1405 errmsg(
"hostgssenc record cannot match because GSSAPI is not supported by this build"),
1406 errcontext(
"line %d of configuration file \"%s\"",
1407 line_num, file_name)));
1408 *err_msg =
"hostgssenc record cannot match because GSSAPI is not supported by this build";
1411 else if (
token->string[4] ==
'n' &&
token->string[6] ==
's')
1413 else if (
token->string[4] ==
'n' &&
token->string[6] ==
'g')
1424 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1425 errmsg(
"invalid connection type \"%s\"",
1427 errcontext(
"line %d of configuration file \"%s\"",
1428 line_num, file_name)));
1429 *err_msg =
psprintf(
"invalid connection type \"%s\"",
token->string);
1438 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1439 errmsg(
"end-of-line before database specification"),
1440 errcontext(
"line %d of configuration file \"%s\"",
1441 line_num, file_name)));
1442 *err_msg =
"end-of-line before database specification";
1447 foreach(tokencell, tokens)
1463 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1464 errmsg(
"end-of-line before role specification"),
1465 errcontext(
"line %d of configuration file \"%s\"",
1466 line_num, file_name)));
1467 *err_msg =
"end-of-line before role specification";
1472 foreach(tokencell, tokens)
1490 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1491 errmsg(
"end-of-line before IP address specification"),
1492 errcontext(
"line %d of configuration file \"%s\"",
1493 line_num, file_name)));
1494 *err_msg =
"end-of-line before IP address specification";
1501 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1502 errmsg(
"multiple values specified for host address"),
1503 errhint(
"Specify one address range per line."),
1504 errcontext(
"line %d of configuration file \"%s\"",
1505 line_num, file_name)));
1506 *err_msg =
"multiple values specified for host address";
1534 cidr_slash = strchr(
str,
'/');
1539 hints.ai_flags = AI_NUMERICHOST;
1540 hints.ai_family = AF_UNSPEC;
1541 hints.ai_socktype = 0;
1542 hints.ai_protocol = 0;
1543 hints.ai_addrlen = 0;
1544 hints.ai_canonname = NULL;
1545 hints.ai_addr = NULL;
1546 hints.ai_next = NULL;
1549 if (ret == 0 && gai_result)
1551 memcpy(&parsedline->
addr, gai_result->ai_addr,
1552 gai_result->ai_addrlen);
1553 parsedline->
addrlen = gai_result->ai_addrlen;
1555 else if (ret == EAI_NONAME)
1560 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1561 errmsg(
"invalid IP address \"%s\": %s",
1563 errcontext(
"line %d of configuration file \"%s\"",
1564 line_num, file_name)));
1565 *err_msg =
psprintf(
"invalid IP address \"%s\": %s",
1580 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1581 errmsg(
"specifying both host name and CIDR mask is invalid: \"%s\"",
1583 errcontext(
"line %d of configuration file \"%s\"",
1584 line_num, file_name)));
1585 *err_msg =
psprintf(
"specifying both host name and CIDR mask is invalid: \"%s\"",
1591 parsedline->
addr.ss_family) < 0)
1594 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1595 errmsg(
"invalid CIDR mask in address \"%s\"",
1597 errcontext(
"line %d of configuration file \"%s\"",
1598 line_num, file_name)));
1599 *err_msg =
psprintf(
"invalid CIDR mask in address \"%s\"",
1614 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1615 errmsg(
"end-of-line before netmask specification"),
1616 errhint(
"Specify an address range in CIDR notation, or provide a separate netmask."),
1617 errcontext(
"line %d of configuration file \"%s\"",
1618 line_num, file_name)));
1619 *err_msg =
"end-of-line before netmask specification";
1626 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1627 errmsg(
"multiple values specified for netmask"),
1628 errcontext(
"line %d of configuration file \"%s\"",
1629 line_num, file_name)));
1630 *err_msg =
"multiple values specified for netmask";
1636 &hints, &gai_result);
1637 if (ret || !gai_result)
1640 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1641 errmsg(
"invalid IP mask \"%s\": %s",
1643 errcontext(
"line %d of configuration file \"%s\"",
1644 line_num, file_name)));
1645 *err_msg =
psprintf(
"invalid IP mask \"%s\": %s",
1652 memcpy(&parsedline->
mask, gai_result->ai_addr,
1653 gai_result->ai_addrlen);
1654 parsedline->
masklen = gai_result->ai_addrlen;
1657 if (parsedline->
addr.ss_family != parsedline->
mask.ss_family)
1660 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1661 errmsg(
"IP address and mask do not match"),
1662 errcontext(
"line %d of configuration file \"%s\"",
1663 line_num, file_name)));
1664 *err_msg =
"IP address and mask do not match";
1676 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1677 errmsg(
"end-of-line before authentication method"),
1678 errcontext(
"line %d of configuration file \"%s\"",
1679 line_num, file_name)));
1680 *err_msg =
"end-of-line before authentication method";
1687 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1688 errmsg(
"multiple values specified for authentication type"),
1689 errhint(
"Specify exactly one authentication type per line."),
1690 errcontext(
"line %d of configuration file \"%s\"",
1691 line_num, file_name)));
1692 *err_msg =
"multiple values specified for authentication type";
1698 if (strcmp(
token->string,
"trust") == 0)
1700 else if (strcmp(
token->string,
"ident") == 0)
1702 else if (strcmp(
token->string,
"peer") == 0)
1704 else if (strcmp(
token->string,
"password") == 0)
1706 else if (strcmp(
token->string,
"gss") == 0)
1712 else if (strcmp(
token->string,
"sspi") == 0)
1718 else if (strcmp(
token->string,
"reject") == 0)
1720 else if (strcmp(
token->string,
"md5") == 0)
1722 else if (strcmp(
token->string,
"scram-sha-256") == 0)
1724 else if (strcmp(
token->string,
"pam") == 0)
1730 else if (strcmp(
token->string,
"bsd") == 0)
1736 else if (strcmp(
token->string,
"ldap") == 0)
1742 else if (strcmp(
token->string,
"cert") == 0)
1748 else if (strcmp(
token->string,
"radius") == 0)
1753 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1754 errmsg(
"invalid authentication method \"%s\"",
1756 errcontext(
"line %d of configuration file \"%s\"",
1757 line_num, file_name)));
1758 *err_msg =
psprintf(
"invalid authentication method \"%s\"",
1766 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1767 errmsg(
"invalid authentication method \"%s\": not supported by this build",
1769 errcontext(
"line %d of configuration file \"%s\"",
1770 line_num, file_name)));
1771 *err_msg =
psprintf(
"invalid authentication method \"%s\": not supported by this build",
1789 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1790 errmsg(
"gssapi authentication is not supported on local sockets"),
1791 errcontext(
"line %d of configuration file \"%s\"",
1792 line_num, file_name)));
1793 *err_msg =
"gssapi authentication is not supported on local sockets";
1801 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1802 errmsg(
"peer authentication is only supported on local sockets"),
1803 errcontext(
"line %d of configuration file \"%s\"",
1804 line_num, file_name)));
1805 *err_msg =
"peer authentication is only supported on local sockets";
1819 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1820 errmsg(
"cert authentication is only supported on hostssl connections"),
1821 errcontext(
"line %d of configuration file \"%s\"",
1822 line_num, file_name)));
1823 *err_msg =
"cert authentication is only supported on hostssl connections";
1852 while ((field =
lnext(tok_line->
fields, field)) != NULL)
1855 foreach(tokencell, tokens)
1869 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1870 errmsg(
"authentication option not in name=value format: %s",
token->string),
1871 errcontext(
"line %d of configuration file \"%s\"",
1872 line_num, file_name)));
1873 *err_msg =
psprintf(
"authentication option not in name=value format: %s",
1892 #ifndef HAVE_LDAP_INITIALIZE
1913 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1914 errmsg(
"cannot mix options for simple bind and search+bind modes"),
1915 errcontext(
"line %d of configuration file \"%s\"",
1916 line_num, file_name)));
1917 *err_msg =
"cannot mix options for simple bind and search+bind modes";
1924 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1925 errmsg(
"authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set"),
1926 errcontext(
"line %d of configuration file \"%s\"",
1927 line_num, file_name)));
1928 *err_msg =
"authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set";
1940 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1941 errmsg(
"cannot use ldapsearchattribute together with ldapsearchfilter"),
1942 errcontext(
"line %d of configuration file \"%s\"",
1943 line_num, file_name)));
1944 *err_msg =
"cannot use ldapsearchattribute together with ldapsearchfilter";
1957 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1958 errmsg(
"list of RADIUS servers cannot be empty"),
1959 errcontext(
"line %d of configuration file \"%s\"",
1960 line_num, file_name)));
1961 *err_msg =
"list of RADIUS servers cannot be empty";
1968 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1969 errmsg(
"list of RADIUS secrets cannot be empty"),
1970 errcontext(
"line %d of configuration file \"%s\"",
1971 line_num, file_name)));
1972 *err_msg =
"list of RADIUS secrets cannot be empty";
1985 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
1986 errmsg(
"the number of RADIUS secrets (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1989 errcontext(
"line %d of configuration file \"%s\"",
1990 line_num, file_name)));
1991 *err_msg =
psprintf(
"the number of RADIUS secrets (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2001 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2002 errmsg(
"the number of RADIUS ports (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2005 errcontext(
"line %d of configuration file \"%s\"",
2006 line_num, file_name)));
2007 *err_msg =
psprintf(
"the number of RADIUS ports (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2017 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2018 errmsg(
"the number of RADIUS identifiers (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2021 errcontext(
"line %d of configuration file \"%s\"",
2022 line_num, file_name)));
2023 *err_msg =
psprintf(
"the number of RADIUS identifiers (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2054 int elevel,
char **err_msg)
2060 hbaline->
ldapscope = LDAP_SCOPE_SUBTREE;
2063 if (strcmp(
name,
"map") == 0)
2073 else if (strcmp(
name,
"clientcert") == 0)
2078 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2079 errmsg(
"clientcert can only be configured for \"hostssl\" rows"),
2080 errcontext(
"line %d of configuration file \"%s\"",
2081 line_num, file_name)));
2082 *err_msg =
"clientcert can only be configured for \"hostssl\" rows";
2086 if (strcmp(
val,
"verify-full") == 0)
2090 else if (strcmp(
val,
"verify-ca") == 0)
2095 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2096 errmsg(
"clientcert only accepts \"verify-full\" when using \"cert\" authentication"),
2097 errcontext(
"line %d of configuration file \"%s\"",
2098 line_num, file_name)));
2099 *err_msg =
"clientcert can only be set to \"verify-full\" when using \"cert\" authentication";
2108 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2109 errmsg(
"invalid value for clientcert: \"%s\"",
val),
2110 errcontext(
"line %d of configuration file \"%s\"",
2111 line_num, file_name)));
2115 else if (strcmp(
name,
"clientname") == 0)
2120 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2121 errmsg(
"clientname can only be configured for \"hostssl\" rows"),
2122 errcontext(
"line %d of configuration file \"%s\"",
2123 line_num, file_name)));
2124 *err_msg =
"clientname can only be configured for \"hostssl\" rows";
2128 if (strcmp(
val,
"CN") == 0)
2132 else if (strcmp(
val,
"DN") == 0)
2139 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2140 errmsg(
"invalid value for clientname: \"%s\"",
val),
2141 errcontext(
"line %d of configuration file \"%s\"",
2142 line_num, file_name)));
2146 else if (strcmp(
name,
"pamservice") == 0)
2151 else if (strcmp(
name,
"pam_use_hostname") == 0)
2154 if (strcmp(
val,
"1") == 0)
2159 else if (strcmp(
name,
"ldapurl") == 0)
2161 #ifdef LDAP_API_FEATURE_X_OPENLDAP
2162 LDAPURLDesc *urldata;
2167 #ifdef LDAP_API_FEATURE_X_OPENLDAP
2168 rc = ldap_url_parse(
val, &urldata);
2169 if (rc != LDAP_SUCCESS)
2172 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2173 errmsg(
"could not parse LDAP URL \"%s\": %s",
val, ldap_err2string(rc))));
2174 *err_msg =
psprintf(
"could not parse LDAP URL \"%s\": %s",
2175 val, ldap_err2string(rc));
2179 if (strcmp(urldata->lud_scheme,
"ldap") != 0 &&
2180 strcmp(urldata->lud_scheme,
"ldaps") != 0)
2183 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2184 errmsg(
"unsupported LDAP URL scheme: %s", urldata->lud_scheme)));
2185 *err_msg =
psprintf(
"unsupported LDAP URL scheme: %s",
2186 urldata->lud_scheme);
2187 ldap_free_urldesc(urldata);
2191 if (urldata->lud_scheme)
2193 if (urldata->lud_host)
2195 hbaline->
ldapport = urldata->lud_port;
2196 if (urldata->lud_dn)
2199 if (urldata->lud_attrs)
2201 hbaline->
ldapscope = urldata->lud_scope;
2202 if (urldata->lud_filter)
2204 ldap_free_urldesc(urldata);
2207 (
errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
2208 errmsg(
"LDAP URLs not supported on this platform")));
2209 *err_msg =
"LDAP URLs not supported on this platform";
2212 else if (strcmp(
name,
"ldaptls") == 0)
2215 if (strcmp(
val,
"1") == 0)
2220 else if (strcmp(
name,
"ldapscheme") == 0)
2223 if (strcmp(
val,
"ldap") != 0 && strcmp(
val,
"ldaps") != 0)
2225 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2226 errmsg(
"invalid ldapscheme value: \"%s\"",
val),
2227 errcontext(
"line %d of configuration file \"%s\"",
2228 line_num, file_name)));
2231 else if (strcmp(
name,
"ldapserver") == 0)
2236 else if (strcmp(
name,
"ldapport") == 0)
2243 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2244 errmsg(
"invalid LDAP port number: \"%s\"",
val),
2245 errcontext(
"line %d of configuration file \"%s\"",
2246 line_num, file_name)));
2247 *err_msg =
psprintf(
"invalid LDAP port number: \"%s\"",
val);
2251 else if (strcmp(
name,
"ldapbinddn") == 0)
2256 else if (strcmp(
name,
"ldapbindpasswd") == 0)
2261 else if (strcmp(
name,
"ldapsearchattribute") == 0)
2266 else if (strcmp(
name,
"ldapsearchfilter") == 0)
2271 else if (strcmp(
name,
"ldapbasedn") == 0)
2276 else if (strcmp(
name,
"ldapprefix") == 0)
2281 else if (strcmp(
name,
"ldapsuffix") == 0)
2286 else if (strcmp(
name,
"krb_realm") == 0)
2293 else if (strcmp(
name,
"include_realm") == 0)
2298 if (strcmp(
val,
"1") == 0)
2303 else if (strcmp(
name,
"compat_realm") == 0)
2307 if (strcmp(
val,
"1") == 0)
2312 else if (strcmp(
name,
"upn_username") == 0)
2316 if (strcmp(
val,
"1") == 0)
2321 else if (strcmp(
name,
"radiusservers") == 0)
2323 struct addrinfo *gai_result;
2324 struct addrinfo hints;
2326 List *parsed_servers;
2336 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2337 errmsg(
"could not parse RADIUS server list \"%s\"",
2339 errcontext(
"line %d of configuration file \"%s\"",
2340 line_num, file_name)));
2345 foreach(l, parsed_servers)
2347 MemSet(&hints, 0,
sizeof(hints));
2348 hints.ai_socktype = SOCK_DGRAM;
2349 hints.ai_family = AF_UNSPEC;
2352 if (ret || !gai_result)
2355 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2356 errmsg(
"could not translate RADIUS server name \"%s\" to address: %s",
2358 errcontext(
"line %d of configuration file \"%s\"",
2359 line_num, file_name)));
2373 else if (strcmp(
name,
"radiusports") == 0)
2384 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2385 errmsg(
"could not parse RADIUS port list \"%s\"",
2387 errcontext(
"line %d of configuration file \"%s\"",
2388 line_num, file_name)));
2389 *err_msg =
psprintf(
"invalid RADIUS port number: \"%s\"",
val);
2393 foreach(l, parsed_ports)
2395 if (atoi(
lfirst(l)) == 0)
2398 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2399 errmsg(
"invalid RADIUS port number: \"%s\"",
val),
2400 errcontext(
"line %d of configuration file \"%s\"",
2401 line_num, file_name)));
2409 else if (strcmp(
name,
"radiussecrets") == 0)
2411 List *parsed_secrets;
2420 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2421 errmsg(
"could not parse RADIUS secret list \"%s\"",
2423 errcontext(
"line %d of configuration file \"%s\"",
2424 line_num, file_name)));
2431 else if (strcmp(
name,
"radiusidentifiers") == 0)
2433 List *parsed_identifiers;
2442 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2443 errmsg(
"could not parse RADIUS identifiers list \"%s\"",
2445 errcontext(
"line %d of configuration file \"%s\"",
2446 line_num, file_name)));
2456 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2457 errmsg(
"unrecognized authentication option name: \"%s\"",
2459 errcontext(
"line %d of configuration file \"%s\"",
2460 line_num, file_name)));
2461 *err_msg =
psprintf(
"unrecognized authentication option name: \"%s\"",
2489 if (
port->raddr.addr.ss_family != AF_UNIX)
2494 if (
port->raddr.addr.ss_family == AF_UNIX)
2498 if (
port->ssl_in_use)
2516 else if (!(
port->gss &&
port->gss->enc) &&
2537 (
struct sockaddr *) &hba->
addr,
2538 (
struct sockaddr *) &hba->
mask))
2609 "hba parser context",
2612 foreach(line, hba_lines)
2618 if (tok_line->
err_msg != NULL)
2645 if (ok && new_parsed_lines ==
NIL)
2648 (
errcode(ERRCODE_CONFIG_FILE_ERROR),
2649 errmsg(
"configuration file \"%s\" contains no entries",
2697 char **err_msg = &tok_line->
err_msg;
2763 bool case_insensitive,
bool *found_p,
bool *error_p)
2770 if (strcmp(identLine->
usermap, usermap_name) != 0)
2789 bool created_temporary_token =
false;
2801 (
errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
2802 errmsg(
"regular expression match for \"%s\" failed: %s",
2818 char *expanded_pg_user;
2822 if (matches[1].rm_so < 0)
2825 (
errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
2826 errmsg(
"regular expression \"%s\" has no subexpressions as requested by backreference in \"%s\"",
2836 expanded_pg_user =
palloc0(strlen(identLine->
pg_user->
string) - 2 + (matches[1].rm_eo - matches[1].rm_so) + 1);
2838 memcpy(expanded_pg_user, identLine->
pg_user->
string, offset);
2839 memcpy(expanded_pg_user + offset,
2841 matches[1].rm_eo - matches[1].rm_so);
2842 strcat(expanded_pg_user, ofs + 2);
2850 created_temporary_token =
true;
2851 pfree(expanded_pg_user);
2855 expanded_pg_user_token = identLine->
pg_user;
2863 if (created_temporary_token)
2874 if (case_insensitive)
2909 const char *pg_user,
2911 bool case_insensitive)
2913 bool found_entry =
false,
2916 if (usermap_name == NULL || usermap_name[0] ==
'\0')
2918 if (case_insensitive)
2929 (
errmsg(
"provided user name (%s) and authenticated user name (%s) do not match",
2941 &found_entry, &
error);
2942 if (found_entry ||
error)
2946 if (!found_entry && !
error)
2949 (
errmsg(
"no match in usermap \"%s\" for user \"%s\" authenticated as \"%s\"",
2987 "ident parser context",
2990 foreach(line_cell, ident_lines)
2995 if (tok_line->
err_msg != NULL)
bool is_member_of_role_nosuper(Oid member, Oid role)
Oid get_role_oid(const char *rolname, bool missing_ok)
#define Assert(condition)
#define MemSet(start, val, len)
#define OidIsValid(objectId)
char * AbsoluteConfigLocation(const char *location, const char *calling_file)
char ** GetConfFilesInDir(const char *includedir, const char *calling_file, int elevel, int *num_filenames, char **err_msg)
#define CONF_FILE_MAX_DEPTH
#define CONF_FILE_START_DEPTH
int errcode_for_file_access(void)
ErrorContextCallback * error_context_stack
int errhint(const char *fmt,...)
int errcode(int sqlerrcode)
int errmsg(const char *fmt,...)
#define ereport(elevel,...)
FILE * AllocateFile(const char *name, const char *mode)
IdentLine * parse_ident_line(TokenizedAuthLine *tok_line, int elevel)
bool pg_isblank(const char c)
FILE * open_auth_file(const char *filename, int elevel, int depth, char **err_msg)
#define MANDATORY_AUTH_ARG(argvar, argname, authname)
static bool is_member(Oid userid, const char *role)
static bool check_role(const char *role, Oid roleid, List *tokens, bool case_insensitive)
static bool hostname_match(const char *pattern, const char *actual_hostname)
StaticAssertDecl(lengthof(UserAuthName)==USER_AUTH_LAST+1, "UserAuthName[] must match the UserAuth enum")
static List * next_field_expand(const char *filename, char **lineptr, int elevel, int depth, char **err_msg)
static bool check_ip(SockAddr *raddr, struct sockaddr *addr, struct sockaddr *mask)
#define token_is_member_check(t)
#define IDENT_FIELD_ABSENT(field)
#define token_is_keyword(t, k)
static bool ipv4eq(struct sockaddr_in *a, struct sockaddr_in *b)
static MemoryContext parsed_ident_context
#define token_matches_insensitive(t, k)
struct check_network_data check_network_data
static bool parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int elevel, char **err_msg)
static bool check_same_host_or_net(SockAddr *raddr, IPCompareMethod method)
static int regcomp_auth_token(AuthToken *token, char *filename, int line_num, char **err_msg, int elevel)
static MemoryContext tokenize_context
static int regexec_auth_token(const char *match, AuthToken *token, size_t nmatch, regmatch_t pmatch[])
static void tokenize_include_file(const char *outer_filename, const char *inc_filename, List **tok_lines, int elevel, int depth, bool missing_ok, char **err_msg)
static bool check_hostname(hbaPort *port, const char *hostname)
static void tokenize_error_callback(void *arg)
static void check_hba(hbaPort *port)
static void check_network_callback(struct sockaddr *addr, struct sockaddr *netmask, void *cb_data)
#define token_has_regexp(t)
const char * hba_authname(UserAuth auth_method)
static MemoryContext parsed_hba_context
static AuthToken * copy_auth_token(AuthToken *in)
#define IDENT_MULTI_VALUE(tokens)
void hba_getauthmethod(hbaPort *port)
int check_usermap(const char *usermap_name, const char *pg_user, const char *system_user, bool case_insensitive)
void free_auth_file(FILE *file, int depth)
static bool ipv6eq(struct sockaddr_in6 *a, struct sockaddr_in6 *b)
static List * tokenize_expand_file(List *tokens, const char *outer_filename, const char *inc_filename, int elevel, int depth, char **err_msg)
static void free_auth_token(AuthToken *token)
static List * parsed_ident_lines
static const char *const UserAuthName[]
#define token_matches(t, k)
HbaLine * parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
static bool next_token(char **lineptr, StringInfo buf, bool *initial_quote, bool *terminating_comma)
static List * parsed_hba_lines
#define INVALID_AUTH_OPTION(optname, validmethods)
static AuthToken * make_auth_token(const char *token, bool quoted)
void tokenize_auth_file(const char *filename, FILE *file, List **tok_lines, int elevel, int depth)
static void check_ident_usermap(IdentLine *identLine, const char *usermap_name, const char *pg_user, const char *system_user, bool case_insensitive, bool *found_p, bool *error_p)
static bool check_db(const char *dbname, const char *role, Oid roleid, List *tokens)
#define REQUIRE_AUTH_OPTION(methodval, optname, validmethods)
int pg_sockaddr_cidr_mask(struct sockaddr_storage *mask, char *numbits, int family)
int pg_foreach_ifaddr(PgIfAddrCallback callback, void *cb_data)
int pg_range_sockaddr(const struct sockaddr_storage *addr, const struct sockaddr_storage *netaddr, const struct sockaddr_storage *netmask)
void pg_freeaddrinfo_all(int hint_ai_family, struct addrinfo *ai)
int pg_getnameinfo_all(const struct sockaddr_storage *addr, int salen, char *node, int nodelen, char *service, int servicelen, int flags)
int pg_getaddrinfo_all(const char *hostname, const char *servname, const struct addrinfo *hintp, struct addrinfo **result)
List * lappend(List *list, void *datum)
void list_free(List *list)
int pg_mb2wchar_with_len(const char *from, pg_wchar *to, int len)
char * pstrdup(const char *in)
void pfree(void *pointer)
void * palloc0(Size size)
MemoryContext CurrentMemoryContext
MemoryContext PostmasterContext
void MemoryContextDelete(MemoryContext context)
#define AllocSetContextCreate
#define ALLOCSET_START_SMALL_SIZES
#define ALLOCSET_SMALL_SIZES
Datum system_user(PG_FUNCTION_ARGS)
bool pg_get_line_append(FILE *stream, StringInfo buf, PromptInterruptContext *prompt_ctx)
static int list_length(const List *l)
#define linitial_node(type, l)
#define lsecond_node(type, l)
static ListCell * list_head(const List *l)
static ListCell * lnext(const List *l, const ListCell *c)
int pg_strcasecmp(const char *s1, const char *s2)
char * psprintf(const char *fmt,...)
MemoryContextSwitchTo(old_ctx)
int pg_regcomp(regex_t *re, const chr *string, size_t len, int flags, Oid collation)
size_t pg_regerror(int errcode, const regex_t *preg, char *errbuf, size_t errbuf_size)
int pg_regexec(regex_t *re, const chr *string, size_t len, size_t search_start, rm_detail_t *details, size_t nmatch, regmatch_t pmatch[], int flags)
void pg_regfree(regex_t *re)
const char * gai_strerror(int ecode)
int pg_strip_crlf(char *str)
void resetStringInfo(StringInfo str)
void appendStringInfoString(StringInfo str, const char *s)
void appendStringInfoChar(StringInfo str, char ch)
void initStringInfo(StringInfo str)
struct ErrorContextCallback * previous
void(* callback)(void *arg)
struct sockaddr_storage mask
ClientCertName clientcertname
ClientCertMode clientcert
char * ldapsearchattribute
struct sockaddr_storage addr
IPCompareMethod ip_cmp_method
char * radiusidentifiers_s
struct sockaddr_storage addr
bool SplitGUCList(char *rawstring, char separator, List **namelist)