PostgreSQL Source Code  git master
hba.h File Reference
#include "libpq/pqcomm.h"
#include "nodes/pg_list.h"
#include "regex/regex.h"

Data Structures

struct  HbaLine
 
struct  IdentLine
 

Macros

#define USER_AUTH_LAST   uaPeer /* Must be last value of this enum */
 

Typedefs

typedef enum UserAuth UserAuth
 
typedef enum IPCompareMethod IPCompareMethod
 
typedef enum ConnType ConnType
 
typedef enum ClientCertMode ClientCertMode
 
typedef enum ClientCertName ClientCertName
 
typedef struct HbaLine HbaLine
 
typedef struct IdentLine IdentLine
 
typedef struct Port hbaPort
 

Enumerations

enum  UserAuth {
  uaReject, uaImplicitReject, uaTrust, uaIdent,
  uaPassword, uaMD5, uaSCRAM, uaGSS,
  uaSSPI, uaPAM, uaBSD, uaLDAP,
  uaCert, uaRADIUS
}
 
enum  IPCompareMethod { ipCmpMask, ipCmpSameHost, ipCmpSameNet, ipCmpAll }
 
enum  ConnType {
  ctLocal, ctHost, ctHostSSL, ctHostNoSSL,
  ctHostGSS, ctHostNoGSS
}
 
enum  ClientCertMode { clientCertOff, clientCertCA, clientCertFull }
 
enum  ClientCertName { clientCertCN, clientCertDN }
 

Functions

bool load_hba (void)
 
bool load_ident (void)
 
const char * hba_authname (UserAuth auth_method)
 
void hba_getauthmethod (hbaPort *port)
 
int check_usermap (const char *usermap_name, const char *pg_role, const char *auth_user, bool case_sensitive)
 
bool pg_isblank (const char c)
 

Macro Definition Documentation

◆ USER_AUTH_LAST

#define USER_AUTH_LAST   uaPeer /* Must be last value of this enum */

Definition at line 42 of file hba.h.

Referenced by hba_authname().

Typedef Documentation

◆ ClientCertMode

◆ ClientCertName

◆ ConnType

typedef enum ConnType ConnType

◆ HbaLine

typedef struct HbaLine HbaLine

◆ hbaPort

typedef struct Port hbaPort

Definition at line 136 of file hba.h.

◆ IdentLine

typedef struct IdentLine IdentLine

◆ IPCompareMethod

◆ UserAuth

typedef enum UserAuth UserAuth

Enumeration Type Documentation

◆ ClientCertMode

Enumerator
clientCertOff 
clientCertCA 
clientCertFull 

Definition at line 67 of file hba.h.

68 {

◆ ClientCertName

Enumerator
clientCertCN 
clientCertDN 

Definition at line 74 of file hba.h.

75 {

◆ ConnType

enum ConnType
Enumerator
ctLocal 
ctHost 
ctHostSSL 
ctHostNoSSL 
ctHostGSS 
ctHostNoGSS 

Definition at line 57 of file hba.h.

58 {
59  ctLocal,
60  ctHost,
61  ctHostSSL,
63  ctHostGSS,
65 } ConnType;

◆ IPCompareMethod

Enumerator
ipCmpMask 
ipCmpSameHost 
ipCmpSameNet 
ipCmpAll 

Definition at line 49 of file hba.h.

50 {
51  ipCmpMask,
54  ipCmpAll

◆ UserAuth

enum UserAuth
Enumerator
uaReject 
uaImplicitReject 
uaTrust 
uaIdent 
uaPassword 
uaMD5 
uaSCRAM 
uaGSS 
uaSSPI 
uaPAM 
uaBSD 
uaLDAP 
uaCert 
uaRADIUS 

Definition at line 25 of file hba.h.

26 {
/*
 * Order matters here: hba_authname() in hba.c indexes the UserAuthName[]
 * table directly by these values and static-asserts that the table matches
 * this enum, so a new method has to be added to both places. uaPeer must
 * stay the last enumerator because USER_AUTH_LAST is defined as uaPeer.
 */
27  uaReject,
28  uaImplicitReject, /* Not a user-visible option */
29  uaTrust,
30  uaIdent,
31  uaPassword,
32  uaMD5,
33  uaSCRAM,
34  uaGSS,
35  uaSSPI,
36  uaPAM,
37  uaBSD,
38  uaLDAP,
39  uaCert,
40  uaRADIUS,
41  uaPeer
42 #define USER_AUTH_LAST uaPeer /* Must be last value of this enum */
43 } UserAuth;

Function Documentation

◆ check_usermap()

int check_usermap ( const char *  usermap_name,
const char *  pg_role,
const char *  auth_user,
bool  case_sensitive 
)

Definition at line 2974 of file hba.c.

References check_ident_usermap(), ereport, errmsg(), error(), lfirst, LOG, pg_strcasecmp(), STATUS_ERROR, and STATUS_OK.

Referenced by auth_peer(), CheckMD5Auth(), and ident_inet().

/*
 * check_usermap
 *
 * Decide whether the externally authenticated name auth_user is allowed to
 * log in as the requested database role pg_role.
 *
 * usermap_name   name of a map in the parsed ident file; NULL or "" means
 *                "no map", in which case the two names simply have to agree.
 * pg_role        role the client asked for.
 * auth_user      user name established by the authentication method.
 * case_insensitive  true -> compare with pg_strcasecmp(), false -> strcmp().
 *                NOTE: the prototype in hba.h calls this parameter
 *                case_sensitive; the behaviour implemented here follows the
 *                name used in this definition (true == insensitive), so read
 *                the header's name with that in mind.
 *
 * Returns STATUS_OK when the names agree (no map) or a map entry matched,
 * STATUS_ERROR otherwise. A failed comparison or a map without a match is
 * logged at LOG level; an error raised while scanning the map is assumed to
 * have been reported by check_ident_usermap() and is not logged again here.
 */
int
check_usermap(const char *usermap_name,
			  const char *pg_role,
			  const char *auth_user,
			  bool case_insensitive)
{
	bool		found_entry = false;
	bool		error = false;
	ListCell   *line_cell;

	/* No map configured: the two names themselves have to agree. */
	if (usermap_name == NULL || usermap_name[0] == '\0')
	{
		int			cmp = case_insensitive
			? pg_strcasecmp(pg_role, auth_user)
			: strcmp(pg_role, auth_user);

		if (cmp == 0)
			return STATUS_OK;

		ereport(LOG,
				(errmsg("provided user name (%s) and authenticated user name (%s) do not match",
						pg_role, auth_user)));
		return STATUS_ERROR;
	}

	/* Walk the parsed map, stopping at the first match or the first error. */
	foreach(line_cell, parsed_ident_lines)
	{
		check_ident_usermap(lfirst(line_cell), usermap_name,
							pg_role, auth_user, case_insensitive,
							&found_entry, &error);
		if (found_entry || error)
			break;
	}

	/* Only the plain "nothing matched" outcome needs a log line of its own. */
	if (!found_entry && !error)
		ereport(LOG,
				(errmsg("no match in usermap \"%s\" for user \"%s\" authenticated as \"%s\"",
						usermap_name, pg_role, auth_user)));

	return found_entry ? STATUS_OK : STATUS_ERROR;
}
static void check_ident_usermap(IdentLine *identLine, const char *usermap_name, const char *pg_role, const char *ident_user, bool case_insensitive, bool *found_p, bool *error_p)
Definition: hba.c:2839
static void error(void)
Definition: sql-dyntest.c:147
#define STATUS_ERROR
Definition: c.h:1171
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36
#define LOG
Definition: elog.h:26
#define STATUS_OK
Definition: c.h:1170
#define ereport(elevel,...)
Definition: elog.h:157
static List * parsed_ident_lines
Definition: hba.c:112
#define lfirst(lc)
Definition: pg_list.h:169
int errmsg(const char *fmt,...)
Definition: elog.c:909

◆ hba_authname()

const char* hba_authname ( UserAuth  auth_method)

Definition at line 3153 of file hba.c.

References lengthof, StaticAssertStmt, USER_AUTH_LAST, and UserAuthName.

Referenced by fill_hba_line(), and set_authn_id().

3154 {
/*
 * Return the human-readable name of auth_method by indexing the
 * UserAuthName[] table in hba.c. There is no runtime range check on
 * auth_method; the only guard is the compile-time assertion below (its first
 * line, hba.c:3158, is omitted from this rendered listing), which ties the
 * table length to USER_AUTH_LAST. Callers must therefore pass a value that
 * is actually a member of the UserAuth enum.
 */
3155  /*
3156  * Make sure UserAuthName[] tracks additions to the UserAuth enum
3157  */
3159  "UserAuthName[] must match the UserAuth enum");
3160 
3161  return UserAuthName[auth_method];
3162 }
static const char *const UserAuthName[]
Definition: hba.c:121
#define lengthof(array)
Definition: c.h:734
#define StaticAssertStmt(condition, errmessage)
Definition: c.h:918
#define USER_AUTH_LAST
Definition: hba.h:42

◆ hba_getauthmethod()

void hba_getauthmethod ( hbaPort port)

Definition at line 3140 of file hba.c.

References check_hba().

Referenced by ClientAuthentication().

/*
 * hba_getauthmethod
 *
 * Public entry point that hands the connection's Port straight to
 * check_hba() in hba.c. Nothing else is done here; presumably check_hba()
 * consults the parsed pg_hba.conf lines and records the chosen method in
 * *port — see check_hba() for the actual contract.
 */
void
hba_getauthmethod(hbaPort *port)
{
	check_hba(port);
}
static void check_hba(hbaPort *port)
Definition: hba.c:2121

◆ load_hba()

bool load_hba ( void  )

Definition at line 2235 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert, ereport, TokenizedLine::err_msg, errcode(), errcode_for_file_access(), errmsg(), FreeFile(), HbaFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline(), NIL, parse_hba_line(), PostmasterContext, and tokenize_file().

Referenced by PerformAuthentication(), PostmasterMain(), and SIGHUP_handler().

2236 {
/*
 * Read and parse HbaFileName into a fresh memory context. On success the
 * new context and line list replace parsed_hba_context/parsed_hba_lines and
 * true is returned. On any failure (file cannot be opened, tokenizer or parse
 * errors, or a file with no entries) false is returned and, because the two
 * globals are only assigned at the very end, whatever was loaded previously
 * is left untouched; what the caller does with a false result is up to it.
 *
 * NOTE(review): this rendered listing omits hba.c lines 2250, 2260-2261,
 * 2263 and 2320 (see the gaps in the gutter numbers); consult hba.c for the
 * exact text of the ereport(), AllocSetContextCreate() and context-delete
 * calls.
 */
2237  FILE *file;
2238  List *hba_lines = NIL;
2239  ListCell *line;
2240  List *new_parsed_lines = NIL;
2241  bool ok = true;
2242  MemoryContext linecxt;
2243  MemoryContext oldcxt;
2244  MemoryContext hbacxt;
2245 
2246  file = AllocateFile(HbaFileName, "r");
2247  if (file == NULL)
2248  {
2249  ereport(LOG,
2251  errmsg("could not open configuration file \"%s\": %m",
2252  HbaFileName)));
2253  return false;
2254  }
2255 
2256  linecxt = tokenize_file(HbaFileName, file, &hba_lines, LOG);
2257  FreeFile(file);
2258 
2259  /* Now parse all the lines */
2262  "hba parser context",
2264  oldcxt = MemoryContextSwitchTo(hbacxt);
2265  foreach(line, hba_lines)
2266  {
2267  TokenizedLine *tok_line = (TokenizedLine *) lfirst(line);
2268  HbaLine *newline;
2269 
2270  /* don't parse lines that already have errors */
2271  if (tok_line->err_msg != NULL)
2272  {
2273  ok = false;
2274  continue;
2275  }
2276 
2277  if ((newline = parse_hba_line(tok_line, LOG)) == NULL)
2278  {
2279  /* Parse error; remember there's trouble */
2280  ok = false;
2281 
2282  /*
2283  * Keep parsing the rest of the file so we can report errors on
2284  * more than the first line. Error has already been logged, no
2285  * need for more chatter here.
2286  */
2287  continue;
2288  }
2289 
2290  new_parsed_lines = lappend(new_parsed_lines, newline);
2291  }
2292 
2293  /*
2294  * A valid HBA file must have at least one entry; else there's no way to
2295  * connect to the postmaster. But only complain about this if we didn't
2296  * already have parsing errors.
2297  */
2298  if (ok && new_parsed_lines == NIL)
2299  {
2300  ereport(LOG,
2301  (errcode(ERRCODE_CONFIG_FILE_ERROR),
2302  errmsg("configuration file \"%s\" contains no entries",
2303  HbaFileName)));
2304  ok = false;
2305  }
2306 
2307  /* Free tokenizer memory */
2308  MemoryContextDelete(linecxt);
2309  MemoryContextSwitchTo(oldcxt);
2310 
2311  if (!ok)
2312  {
2313  /* File contained one or more errors, so bail out */
/* Everything parsed so far lives in hbacxt, so one delete releases it; the previously loaded lines are not touched. */
2314  MemoryContextDelete(hbacxt);
2315  return false;
2316  }
2317 
2318  /* Loaded new file successfully, replace the one we use */
/* The omitted line 2320 presumably deletes the old context before it is replaced — confirm in hba.c. */
2319  if (parsed_hba_context != NULL)
2321  parsed_hba_context = hbacxt;
2322  parsed_hba_lines = new_parsed_lines;
2323 
2324  return true;
2325 }
Definition: hba.h:80
#define NIL
Definition: pg_list.h:65
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:218
#define AllocSetContextCreate
Definition: memutils.h:173
#define ALLOCSET_SMALL_SIZES
Definition: memutils.h:205
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
int errcode(int sqlerrcode)
Definition: elog.c:698
#define LOG
Definition: elog.h:26
static chr newline(void)
Definition: regc_lex.c:1001
static List * parsed_hba_lines
Definition: hba.c:101
char * HbaFileName
Definition: guc.c:615
static MemoryContext parsed_hba_context
Definition: hba.c:102
char * err_msg
Definition: hba.c:94
int errcode_for_file_access(void)
Definition: elog.c:721
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2459
List * lappend(List *list, void *datum)
Definition: list.c:336
static HbaLine * parse_hba_line(TokenizedLine *tok_line, int elevel)
Definition: hba.c:966
#define ereport(elevel,...)
Definition: elog.h:157
#define Assert(condition)
Definition: c.h:804
#define lfirst(lc)
Definition: pg_list.h:169
static MemoryContext tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
Definition: hba.c:476
int FreeFile(FILE *file)
Definition: fd.c:2658
int errmsg(const char *fmt,...)
Definition: elog.c:909
Definition: pg_list.h:50
MemoryContext PostmasterContext
Definition: mcxt.c:50

◆ load_ident()

bool load_ident ( void  )

Definition at line 3029 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert, ereport, TokenizedLine::err_msg, errcode_for_file_access(), errmsg(), FreeFile(), IdentLine::ident_user, IdentFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline(), NIL, parse_ident_line(), pg_regfree(), PostmasterContext, IdentLine::re, and tokenize_file().

Referenced by PerformAuthentication(), PostmasterMain(), and SIGHUP_handler().

3030 {
/*
 * Read and parse IdentFileName (the usermap file) into a fresh memory
 * context. On success the old map is released and parsed_ident_context /
 * parsed_ident_lines are pointed at the new one; true is returned. On
 * failure (file cannot be opened, tokenizer or parse errors) false is
 * returned and the previously loaded map is left as it was. Unlike
 * load_hba(), an empty file is not treated as an error here.
 *
 * Regexes compiled for map entries whose ident_user starts with '/' are not
 * owned by the memory context and must be freed with pg_regfree() by hand,
 * which is why both the bail-out path and the replacement path walk the
 * lists explicitly.
 *
 * NOTE(review): this rendered listing omits hba.c lines 3047, 3057, 3060 and
 * 3121 (see the gaps in the gutter numbers); consult hba.c for the exact
 * text of the ereport(), AllocSetContextCreate() and context-delete calls.
 */
3031  FILE *file;
3032  List *ident_lines = NIL;
3033  ListCell *line_cell,
3034  *parsed_line_cell;
3035  List *new_parsed_lines = NIL;
3036  bool ok = true;
3037  MemoryContext linecxt;
3038  MemoryContext oldcxt;
3039  MemoryContext ident_context;
3040  IdentLine *newline;
3041 
3042  file = AllocateFile(IdentFileName, "r");
3043  if (file == NULL)
3044  {
3045  /* not fatal ... we just won't do any special ident maps */
3046  ereport(LOG,
3048  errmsg("could not open usermap file \"%s\": %m",
3049  IdentFileName)));
3050  return false;
3051  }
3052 
3053  linecxt = tokenize_file(IdentFileName, file, &ident_lines, LOG);
3054  FreeFile(file);
3055 
3056  /* Now parse all the lines */
3058  ident_context = AllocSetContextCreate(PostmasterContext,
3059  "ident parser context",
3061  oldcxt = MemoryContextSwitchTo(ident_context);
3062  foreach(line_cell, ident_lines)
3063  {
3064  TokenizedLine *tok_line = (TokenizedLine *) lfirst(line_cell);
3065 
3066  /* don't parse lines that already have errors */
3067  if (tok_line->err_msg != NULL)
3068  {
3069  ok = false;
3070  continue;
3071  }
3072 
3073  if ((newline = parse_ident_line(tok_line)) == NULL)
3074  {
3075  /* Parse error; remember there's trouble */
3076  ok = false;
3077 
3078  /*
3079  * Keep parsing the rest of the file so we can report errors on
3080  * more than the first line. Error has already been logged, no
3081  * need for more chatter here.
3082  */
3083  continue;
3084  }
3085 
3086  new_parsed_lines = lappend(new_parsed_lines, newline);
3087  }
3088 
3089  /* Free tokenizer memory */
3090  MemoryContextDelete(linecxt);
3091  MemoryContextSwitchTo(oldcxt);
3092 
3093  if (!ok)
3094  {
3095  /*
3096  * File contained one or more errors, so bail out, first being careful
3097  * to clean up whatever we allocated. Most stuff will go away via
3098  * MemoryContextDelete, but we have to clean up regexes explicitly.
3099  */
3100  foreach(parsed_line_cell, new_parsed_lines)
3101  {
3102  newline = (IdentLine *) lfirst(parsed_line_cell);
3103  if (newline->ident_user[0] == '/')
3104  pg_regfree(&newline->re);
3105  }
3106  MemoryContextDelete(ident_context);
3107  return false;
3108  }
3109 
3110  /* Loaded new file successfully, replace the one we use */
/* Release the regexes of the map being replaced; the leading '/' is the marker used for regex entries here. */
3111  if (parsed_ident_lines != NIL)
3112  {
3113  foreach(parsed_line_cell, parsed_ident_lines)
3114  {
3115  newline = (IdentLine *) lfirst(parsed_line_cell);
3116  if (newline->ident_user[0] == '/')
3117  pg_regfree(&newline->re);
3118  }
3119  }
/* The omitted line 3121 presumably deletes the old context before it is replaced — confirm in hba.c. */
3120  if (parsed_ident_context != NULL)
3122 
3123  parsed_ident_context = ident_context;
3124  parsed_ident_lines = new_parsed_lines;
3125 
3126  return true;
3127 }
#define NIL
Definition: pg_list.h:65
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:218
#define AllocSetContextCreate
Definition: memutils.h:173
regex_t re
Definition: hba.h:132
#define ALLOCSET_SMALL_SIZES
Definition: memutils.h:205
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
#define LOG
Definition: elog.h:26
static chr newline(void)
Definition: regc_lex.c:1001
char * err_msg
Definition: hba.c:94
int errcode_for_file_access(void)
Definition: elog.c:721
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2459
char * IdentFileName
Definition: guc.c:616
List * lappend(List *list, void *datum)
Definition: list.c:336
#define ereport(elevel,...)
Definition: elog.h:157
static List * parsed_ident_lines
Definition: hba.c:112
static MemoryContext parsed_ident_context
Definition: hba.c:113
#define Assert(condition)
Definition: c.h:804
#define lfirst(lc)
Definition: pg_list.h:169
static MemoryContext tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
Definition: hba.c:476
Definition: hba.h:125
int FreeFile(FILE *file)
Definition: fd.c:2658
char * ident_user
Definition: hba.h:130
int errmsg(const char *fmt,...)
Definition: elog.c:909
static IdentLine * parse_ident_line(TokenizedLine *tok_line)
Definition: hba.c:2762
void pg_regfree(regex_t *re)
Definition: regfree.c:49
Definition: pg_list.h:50
MemoryContext PostmasterContext
Definition: mcxt.c:50

◆ pg_isblank()

bool pg_isblank ( const char  c)

Definition at line 158 of file hba.c.

Referenced by interpret_ident_response(), and next_token().

/*
 * pg_isblank
 *
 * Whitespace test used by the hba/ident tokenizer (see next_token() and
 * interpret_ident_response()): a space, a tab or a carriage return counts as
 * blank. Note that '\n' is not treated as blank by this function, so a
 * newline is never consumed as ordinary whitespace.
 */
bool
pg_isblank(const char c)
{
	switch (c)
	{
		case ' ':
		case '\t':
		case '\r':
			return true;
		default:
			return false;
	}
}