hba.h File Reference
Include dependency graph for hba.h:
This graph shows which files directly or indirectly include this file:
Go to the source code of this file.
Data Structures | |
| struct | AuthToken |
| struct | HbaLine |
| struct | IdentLine |
| struct | TokenizedAuthLine |
Macros | |
| #define | USER_AUTH_LAST uaOAuth /* Must be last value of this enum */ |
Typedefs | |
| typedef enum UserAuth | UserAuth |
| typedef enum IPCompareMethod | IPCompareMethod |
| typedef enum ConnType | ConnType |
| typedef enum ClientCertMode | ClientCertMode |
| typedef enum ClientCertName | ClientCertName |
| typedef struct AuthToken | AuthToken |
| typedef struct HbaLine | HbaLine |
| typedef struct IdentLine | IdentLine |
| typedef struct TokenizedAuthLine | TokenizedAuthLine |
| typedef struct Port | Port |
Enumerations | |
| enum | UserAuth { uaReject , uaImplicitReject , uaTrust , uaIdent , uaPassword , uaMD5 , uaSCRAM , uaGSS , uaSSPI , uaPAM , uaBSD , uaLDAP , uaCert , uaRADIUS , uaPeer , uaOAuth } |
| enum | IPCompareMethod { ipCmpMask , ipCmpSameHost , ipCmpSameNet , ipCmpAll } |
| enum | ConnType { ctLocal , ctHost , ctHostSSL , ctHostNoSSL , ctHostGSS , ctHostNoGSS } |
| enum | ClientCertMode { clientCertOff , clientCertCA , clientCertFull } |
| enum | ClientCertName { clientCertCN , clientCertDN } |
Functions | |
| bool | load_hba (void) |
| bool | load_ident (void) |
| const char * | hba_authname (UserAuth auth_method) |
| void | hba_getauthmethod (Port *port) |
| int | check_usermap (const char *usermap_name, const char *pg_user, const char *system_user, bool case_insensitive) |
| HbaLine * | parse_hba_line (TokenizedAuthLine *tok_line, int elevel) |
| IdentLine * | parse_ident_line (TokenizedAuthLine *tok_line, int elevel) |
| FILE * | open_auth_file (const char *filename, int elevel, int depth, char **err_msg) |
| void | free_auth_file (FILE *file, int depth) |
| void | tokenize_auth_file (const char *filename, FILE *file, List **tok_lines, int elevel, int depth) |
Macro Definition Documentation
◆ USER_AUTH_LAST
Typedef Documentation
◆ AuthToken
◆ ClientCertMode
| typedef enum ClientCertMode ClientCertMode |
◆ ClientCertName
| typedef enum ClientCertName ClientCertName |
◆ ConnType
◆ HbaLine
◆ IdentLine
◆ IPCompareMethod
| typedef enum IPCompareMethod IPCompareMethod |
◆ Port
◆ TokenizedAuthLine
| typedef struct TokenizedAuthLine TokenizedAuthLine |
◆ UserAuth
Enumeration Type Documentation
◆ ClientCertMode
| enum ClientCertMode |
| Enumerator | |
|---|---|
| clientCertOff | |
| clientCertCA | |
| clientCertFull | |
◆ ClientCertName
| enum ClientCertName |
| Enumerator | |
|---|---|
| clientCertCN | |
| clientCertDN | |
◆ ConnType
| enum ConnType |
| Enumerator | |
|---|---|
| ctLocal | |
| ctHost | |
| ctHostSSL | |
| ctHostNoSSL | |
| ctHostGSS | |
| ctHostNoGSS | |
Definition at line 58 of file hba.h.
59{
60 ctLocal,
61 ctHost,
62 ctHostSSL,
63 ctHostNoSSL,
64 ctHostGSS,
65 ctHostNoGSS,
66} ConnType;
◆ IPCompareMethod
| enum IPCompareMethod |
| Enumerator | |
|---|---|
| ipCmpMask | |
| ipCmpSameHost | |
| ipCmpSameNet | |
| ipCmpAll | |
◆ UserAuth
| enum UserAuth |
| Enumerator | |
|---|---|
| uaReject | |
| uaImplicitReject | |
| uaTrust | |
| uaIdent | |
| uaPassword | |
| uaMD5 | |
| uaSCRAM | |
| uaGSS | |
| uaSSPI | |
| uaPAM | |
| uaBSD | |
| uaLDAP | |
| uaCert | |
| uaRADIUS | |
| uaPeer | |
| uaOAuth | |
Function Documentation
◆ check_usermap()
| int check_usermap | ( | const char * | usermap_name, |
| const char * | pg_user, | ||
| const char * | system_user, | ||
| bool | case_insensitive | ||
| ) |
Definition at line 2981 of file hba.c.
2985{
2986 bool found_entry = false,
2988
2989 if (usermap_name == NULL || usermap_name[0] == '\0')
2990 {
2991 if (case_insensitive)
2992 {
2995 }
2996 else
2997 {
3000 }
3003 pg_user, system_user)));
3005 }
3006 else
3007 {
3008 ListCell *line_cell;
3009
3011 {
3013 pg_user, system_user, case_insensitive,
3014 &found_entry, &error);
3016 break;
3017 }
3018 }
3020 {
3023 usermap_name, pg_user, system_user)));
3024 }
3026}
static void check_ident_usermap(IdentLine *identLine, const char *usermap_name, const char *pg_user, const char *system_user, bool case_insensitive, bool *found_p, bool *error_p)
Definition: hba.c:2816
Definition: pg_list.h:46
References check_ident_usermap(), ereport, errmsg(), error(), lfirst, LOG, parsed_ident_lines, pg_strcasecmp(), STATUS_ERROR, STATUS_OK, and system_user().
Referenced by auth_peer(), ident_inet(), and validate().
◆ free_auth_file()
| void free_auth_file | ( | FILE * | file, |
| int | depth | ||
| ) |
Definition at line 569 of file hba.c.
570{
571 FreeFile(file);
572
573 /* If this is the last cleanup, remove the tokenization context */
575 {
577 tokenize_context = NULL;
578 }
579}
References CONF_FILE_START_DEPTH, FreeFile(), MemoryContextDelete(), and tokenize_context.
Referenced by fill_hba_view(), fill_ident_view(), load_hba(), load_ident(), tokenize_expand_file(), and tokenize_include_file().
◆ hba_authname()
| const char * hba_authname | ( | UserAuth | auth_method | ) |
Definition at line 3138 of file hba.c.
3139{
3141}
References UserAuthName.
Referenced by ClientAuthentication(), fill_hba_line(), InitPostgres(), ParallelWorkerMain(), and set_authn_id().
◆ hba_getauthmethod()
| void hba_getauthmethod | ( | Port * | port | ) |
Definition at line 3125 of file hba.c.
3126{
3128}
References check_hba(), and port.
Referenced by ClientAuthentication().
◆ load_hba()
| bool load_hba | ( | void | ) |
Definition at line 2642 of file hba.c.
2643{
2644 FILE *file;
2646 ListCell *line;
2648 bool ok = true;
2649 MemoryContext oldcxt;
2650 MemoryContext hbacxt;
2651
2653 if (file == NULL)
2654 {
2655 /* error already logged */
2656 return false;
2657 }
2658
2660
2661 /* Now parse all the lines */
2664 "hba parser context",
2665 ALLOCSET_SMALL_SIZES);
2666 oldcxt = MemoryContextSwitchTo(hbacxt);
2667 foreach(line, hba_lines)
2668 {
2671
2672 /* don't parse lines that already have errors */
2674 {
2675 ok = false;
2676 continue;
2677 }
2678
2680 {
2681 /* Parse error; remember there's trouble */
2682 ok = false;
2683
2684 /*
2685 * Keep parsing the rest of the file so we can report errors on
2686 * more than the first line. Error has already been logged, no
2687 * need for more chatter here.
2688 */
2689 continue;
2690 }
2691
2693 }
2694
2695 /*
2696 * A valid HBA file must have at least one entry; else there's no way to
2697 * connect to the postmaster. But only complain about this if we didn't
2698 * already have parsing errors.
2699 */
2701 {
2703 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2705 HbaFileName)));
2706 ok = false;
2707 }
2708
2709 /* Free tokenizer memory */
2710 free_auth_file(file, 0);
2711 MemoryContextSwitchTo(oldcxt);
2712
2713 if (!ok)
2714 {
2715 /*
2716 * File contained one or more errors, so bail out. MemoryContextDelete
2717 * is enough to clean up everything, including regexes.
2718 */
2719 MemoryContextDelete(hbacxt);
2720 return false;
2721 }
2722
2723 /* Loaded new file successfully, replace the one we use */
2726 parsed_hba_context = hbacxt;
2727 parsed_hba_lines = new_parsed_lines;
2728
2729 return true;
2730}
Assert(PointerIsAligned(start, uint64))
HbaLine * parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
Definition: hba.c:1325
void tokenize_auth_file(const char *filename, FILE *file, List **tok_lines, int elevel, int depth)
Definition: hba.c:688
FILE * open_auth_file(const char *filename, int elevel, int depth, char **err_msg)
Definition: hba.c:594
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:124
Definition: pg_list.h:54
Definition: memnodes.h:118
Definition: hba.h:164
References ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert(), ereport, TokenizedAuthLine::err_msg, errcode(), errmsg(), free_auth_file(), HbaFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline, NIL, open_auth_file(), parse_hba_line(), parsed_hba_context, parsed_hba_lines, PostmasterContext, and tokenize_auth_file().
Referenced by PerformAuthentication(), PostmasterMain(), and process_pm_reload_request().
◆ load_ident()
| bool load_ident | ( | void | ) |
Definition at line 3036 of file hba.c.
3037{
3038 FILE *file;
3040 ListCell *line_cell;
3042 bool ok = true;
3043 MemoryContext oldcxt;
3044 MemoryContext ident_context;
3046
3047 /* not FATAL ... we just won't do any special ident maps */
3049 if (file == NULL)
3050 {
3051 /* error already logged */
3052 return false;
3053 }
3054
3056
3057 /* Now parse all the lines */
3060 "ident parser context",
3061 ALLOCSET_SMALL_SIZES);
3062 oldcxt = MemoryContextSwitchTo(ident_context);
3063 foreach(line_cell, ident_lines)
3064 {
3066
3067 /* don't parse lines that already have errors */
3069 {
3070 ok = false;
3071 continue;
3072 }
3073
3075 {
3076 /* Parse error; remember there's trouble */
3077 ok = false;
3078
3079 /*
3080 * Keep parsing the rest of the file so we can report errors on
3081 * more than the first line. Error has already been logged, no
3082 * need for more chatter here.
3083 */
3084 continue;
3085 }
3086
3088 }
3089
3090 /* Free tokenizer memory */
3091 free_auth_file(file, 0);
3092 MemoryContextSwitchTo(oldcxt);
3093
3094 if (!ok)
3095 {
3096 /*
3097 * File contained one or more errors, so bail out. MemoryContextDelete
3098 * is enough to clean up everything, including regexes.
3099 */
3100 MemoryContextDelete(ident_context);
3101 return false;
3102 }
3103
3104 /* Loaded new file successfully, replace the one we use */
3107
3108 parsed_ident_context = ident_context;
3109 parsed_ident_lines = new_parsed_lines;
3110
3111 return true;
3112}
IdentLine * parse_ident_line(TokenizedAuthLine *tok_line, int elevel)
Definition: hba.c:2748
References ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert(), TokenizedAuthLine::err_msg, free_auth_file(), IdentFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline, NIL, open_auth_file(), parse_ident_line(), parsed_ident_context, parsed_ident_lines, PostmasterContext, and tokenize_auth_file().
Referenced by PerformAuthentication(), PostmasterMain(), and process_pm_reload_request().
◆ open_auth_file()
| FILE * open_auth_file | ( | const char * | filename, |
| int | elevel, | ||
| int | depth, | ||
| char ** | err_msg | ||
| ) |
Definition at line 594 of file hba.c.
596{
597 FILE *file;
598
599 /*
600 * Reject too-deep include nesting depth. This is just a safety check to
601 * avoid dumping core due to stack overflow if an include file loops back
602 * to itself. The maximum nesting depth is pretty arbitrary.
603 */
605 {
606 ereport(elevel,
607 (errcode_for_file_access(),
609 filename)));
610 if (err_msg)
612 filename);
613 return NULL;
614 }
615
617 if (file == NULL)
618 {
619 int save_errno = errno;
620
621 ereport(elevel,
622 (errcode_for_file_access(),
624 filename)));
625 if (err_msg)
626 {
627 errno = save_errno;
629 filename);
630 }
631 /* the caller may care about some specific errno */
632 errno = save_errno;
633 return NULL;
634 }
635
636 /*
637 * When opening the top-level file, create the memory context used for the
638 * tokenization. This will be closed with this file when coming back to
639 * this level of cleanup.
640 */
642 {
643 /*
644 * A context may be present, but assume that it has been eliminated
645 * already.
646 */
648 "tokenize_context",
650 }
651
652 return file;
653}
References AllocateFile(), ALLOCSET_START_SMALL_SIZES, AllocSetContextCreate, CONF_FILE_MAX_DEPTH, CONF_FILE_START_DEPTH, CurrentMemoryContext, ereport, errcode_for_file_access(), errmsg(), filename, psprintf(), and tokenize_context.
Referenced by fill_hba_view(), fill_ident_view(), load_hba(), load_ident(), tokenize_expand_file(), and tokenize_include_file().
◆ parse_hba_line()
| HbaLine * parse_hba_line | ( | TokenizedAuthLine * | tok_line, |
| int | elevel | ||
| ) |
Definition at line 1325 of file hba.c.
1326{
1331 struct addrinfo *gai_result;
1332 struct addrinfo hints;
1333 int ret;
1334 char *cidr_slash;
1335 char *unsupauth;
1336 ListCell *field;
1337 List *tokens;
1338 ListCell *tokencell;
1340 HbaLine *parsedline;
1341
1344 parsedline->linenumber = line_num;
1346
1347 /* Check the record type. */
1350 tokens = lfirst(field);
1352 {
1353 ereport(elevel,
1354 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1358 line_num, file_name)));
1359 *err_msg = "multiple values specified for connection type";
1360 return NULL;
1361 }
1364 {
1366 }
1372 {
1373
1375 {
1377 /* Log a warning if SSL support is not active */
1378#ifdef USE_SSL
1380 {
1381 ereport(elevel,
1382 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1386 line_num, file_name)));
1387 *err_msg = "hostssl record cannot match because SSL is disabled";
1388 }
1389#else
1390 ereport(elevel,
1391 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1394 line_num, file_name)));
1395 *err_msg = "hostssl record cannot match because SSL is not supported by this build";
1396#endif
1397 }
1399 {
1401#ifndef ENABLE_GSS
1402 ereport(elevel,
1403 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1406 line_num, file_name)));
1407 *err_msg = "hostgssenc record cannot match because GSSAPI is not supported by this build";
1408#endif
1409 }
1414 else
1415 {
1416 /* "host" */
1418 }
1419 } /* record type */
1420 else
1421 {
1422 ereport(elevel,
1423 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1425 token->string),
1427 line_num, file_name)));
1429 return NULL;
1430 }
1431
1432 /* Get the databases. */
1434 if (!field)
1435 {
1436 ereport(elevel,
1437 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1440 line_num, file_name)));
1441 *err_msg = "end-of-line before database specification";
1442 return NULL;
1443 }
1445 tokens = lfirst(field);
1446 foreach(tokencell, tokens)
1447 {
1449
1450 /* Compile a regexp for the database token, if necessary */
1452 return NULL;
1453
1455 }
1456
1457 /* Get the roles. */
1459 if (!field)
1460 {
1461 ereport(elevel,
1462 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1465 line_num, file_name)));
1466 *err_msg = "end-of-line before role specification";
1467 return NULL;
1468 }
1470 tokens = lfirst(field);
1471 foreach(tokencell, tokens)
1472 {
1474
1475 /* Compile a regexp from the role token, if necessary */
1477 return NULL;
1478
1480 }
1481
1483 {
1484 /* Read the IP address field. (with or without CIDR netmask) */
1486 if (!field)
1487 {
1488 ereport(elevel,
1489 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1492 line_num, file_name)));
1493 *err_msg = "end-of-line before IP address specification";
1494 return NULL;
1495 }
1496 tokens = lfirst(field);
1498 {
1499 ereport(elevel,
1500 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1504 line_num, file_name)));
1505 *err_msg = "multiple values specified for host address";
1506 return NULL;
1507 }
1509
1511 {
1513 }
1515 {
1516 /* Any IP on this host is allowed to connect */
1518 }
1520 {
1521 /* Any IP on the host's subnets is allowed to connect */
1523 }
1524 else
1525 {
1526 /* IP and netmask are specified */
1528
1529 /* need a modifiable copy of token */
1531
1532 /* Check if it has a CIDR suffix and if so isolate it */
1534 if (cidr_slash)
1535 *cidr_slash = '\0';
1536
1537 /* Get the IP address either way */
1538 hints.ai_flags = AI_NUMERICHOST;
1539 hints.ai_family = AF_UNSPEC;
1540 hints.ai_socktype = 0;
1541 hints.ai_protocol = 0;
1542 hints.ai_addrlen = 0;
1543 hints.ai_canonname = NULL;
1544 hints.ai_addr = NULL;
1545 hints.ai_next = NULL;
1546
1548 if (ret == 0 && gai_result)
1549 {
1550 memcpy(&parsedline->addr, gai_result->ai_addr,
1551 gai_result->ai_addrlen);
1552 parsedline->addrlen = gai_result->ai_addrlen;
1553 }
1554 else if (ret == EAI_NONAME)
1556 else
1557 {
1558 ereport(elevel,
1559 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1563 line_num, file_name)));
1566 if (gai_result)
1567 pg_freeaddrinfo_all(hints.ai_family, gai_result);
1568 return NULL;
1569 }
1570
1571 pg_freeaddrinfo_all(hints.ai_family, gai_result);
1572
1573 /* Get the netmask */
1574 if (cidr_slash)
1575 {
1577 {
1578 ereport(elevel,
1579 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1581 token->string),
1583 line_num, file_name)));
1585 token->string);
1586 return NULL;
1587 }
1588
1590 parsedline->addr.ss_family) < 0)
1591 {
1592 ereport(elevel,
1593 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1595 token->string),
1597 line_num, file_name)));
1599 token->string);
1600 return NULL;
1601 }
1604 }
1606 {
1607 /* Read the mask field. */
1610 if (!field)
1611 {
1612 ereport(elevel,
1613 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1617 line_num, file_name)));
1618 *err_msg = "end-of-line before netmask specification";
1619 return NULL;
1620 }
1621 tokens = lfirst(field);
1623 {
1624 ereport(elevel,
1625 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1628 line_num, file_name)));
1629 *err_msg = "multiple values specified for netmask";
1630 return NULL;
1631 }
1633
1635 &hints, &gai_result);
1636 if (ret || !gai_result)
1637 {
1638 ereport(elevel,
1639 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1643 line_num, file_name)));
1646 if (gai_result)
1647 pg_freeaddrinfo_all(hints.ai_family, gai_result);
1648 return NULL;
1649 }
1650
1651 memcpy(&parsedline->mask, gai_result->ai_addr,
1652 gai_result->ai_addrlen);
1653 parsedline->masklen = gai_result->ai_addrlen;
1654 pg_freeaddrinfo_all(hints.ai_family, gai_result);
1655
1657 {
1658 ereport(elevel,
1659 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1662 line_num, file_name)));
1663 *err_msg = "IP address and mask do not match";
1664 return NULL;
1665 }
1666 }
1667 }
1668 } /* != ctLocal */
1669
1670 /* Get the authentication method */
1672 if (!field)
1673 {
1674 ereport(elevel,
1675 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1678 line_num, file_name)));
1679 *err_msg = "end-of-line before authentication method";
1680 return NULL;
1681 }
1682 tokens = lfirst(field);
1684 {
1685 ereport(elevel,
1686 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1690 line_num, file_name)));
1691 *err_msg = "multiple values specified for authentication type";
1692 return NULL;
1693 }
1695
1696 unsupauth = NULL;
1706#ifdef ENABLE_GSS
1708#else
1709 unsupauth = "gss";
1710#endif
1712#ifdef ENABLE_SSPI
1714#else
1715 unsupauth = "sspi";
1716#endif
1724#ifdef USE_PAM
1726#else
1727 unsupauth = "pam";
1728#endif
1730#ifdef USE_BSD_AUTH
1732#else
1733 unsupauth = "bsd";
1734#endif
1736#ifdef USE_LDAP
1738#else
1739 unsupauth = "ldap";
1740#endif
1742#ifdef USE_SSL
1744#else
1745 unsupauth = "cert";
1746#endif
1751 else
1752 {
1753 ereport(elevel,
1754 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1756 token->string),
1758 line_num, file_name)));
1760 token->string);
1761 return NULL;
1762 }
1763
1764 if (unsupauth)
1765 {
1766 ereport(elevel,
1767 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1769 token->string),
1771 line_num, file_name)));
1773 token->string);
1774 return NULL;
1775 }
1776
1777 /*
1778 * XXX: When using ident on local connections, change it to peer, for
1779 * backwards compatibility.
1780 */
1784
1785 /* Invalid authentication combinations */
1788 {
1789 ereport(elevel,
1790 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1793 line_num, file_name)));
1794 *err_msg = "gssapi authentication is not supported on local sockets";
1795 return NULL;
1796 }
1797
1800 {
1801 ereport(elevel,
1802 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1805 line_num, file_name)));
1806 *err_msg = "peer authentication is only supported on local sockets";
1807 return NULL;
1808 }
1809
1810 /*
1811 * SSPI authentication can never be enabled on ctLocal connections,
1812 * because it's only supported on Windows, where ctLocal isn't supported.
1813 */
1814
1815
1818 {
1819 ereport(elevel,
1820 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1823 line_num, file_name)));
1824 *err_msg = "cert authentication is only supported on hostssl connections";
1825 return NULL;
1826 }
1827
1828 /*
1829 * For GSS and SSPI, set the default value of include_realm to true.
1830 * Having include_realm set to false is dangerous in multi-realm
1831 * situations and is generally considered bad practice. We keep the
1832 * capability around for backwards compatibility, but we might want to
1833 * remove it at some point in the future. Users who still need to strip
1834 * the realm off would be better served by using an appropriate regex in a
1835 * pg_ident.conf mapping.
1836 */
1840
1841 /*
1842 * For SSPI, include_realm defaults to the SAM-compatible domain (aka
1843 * NetBIOS name) and user names instead of the Kerberos principal name for
1844 * compatibility.
1845 */
1847 {
1850 }
1851
1852 /* Parse remaining arguments */
1854 {
1855 tokens = lfirst(field);
1856 foreach(tokencell, tokens)
1857 {
1859
1861
1865 {
1866 /*
1867 * Got something that's not a name=value pair.
1868 */
1869 ereport(elevel,
1870 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1873 line_num, file_name)));
1875 token->string);
1876 return NULL;
1877 }
1878
1881 /* parse_hba_auth_opt already logged the error message */
1882 return NULL;
1884 }
1885 }
1886
1887 /*
1888 * Check if the selected authentication method has any mandatory arguments
1889 * that are not set.
1890 */
1892 {
1893#ifndef HAVE_LDAP_INITIALIZE
1894 /* Not mandatory for OpenLDAP, because it can use DNS SRV records */
1896#endif
1897
1898 /*
1899 * LDAP can operate in two modes: either with a direct bind, using
1900 * ldapprefix and ldapsuffix, or using a search+bind, using
1901 * ldapbasedn, ldapbinddn, ldapbindpasswd and one of
1902 * ldapsearchattribute or ldapsearchfilter. Disallow mixing these
1903 * parameters.
1904 */
1906 {
1908 parsedline->ldapbinddn ||
1909 parsedline->ldapbindpasswd ||
1910 parsedline->ldapsearchattribute ||
1911 parsedline->ldapsearchfilter)
1912 {
1913 ereport(elevel,
1914 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1917 line_num, file_name)));
1918 *err_msg = "cannot mix options for simple bind and search+bind modes";
1919 return NULL;
1920 }
1921 }
1923 {
1924 ereport(elevel,
1925 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1926 errmsg("authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set"),
1928 line_num, file_name)));
1929 *err_msg = "authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set";
1930 return NULL;
1931 }
1932
1933 /*
1934 * When using search+bind, you can either use a simple attribute
1935 * (defaulting to "uid") or a fully custom search filter. You can't
1936 * do both.
1937 */
1939 {
1940 ereport(elevel,
1941 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1944 line_num, file_name)));
1945 *err_msg = "cannot use ldapsearchattribute together with ldapsearchfilter";
1946 return NULL;
1947 }
1948 }
1949
1951 {
1954
1956 {
1957 ereport(elevel,
1958 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1961 line_num, file_name)));
1962 *err_msg = "list of RADIUS servers cannot be empty";
1963 return NULL;
1964 }
1965
1967 {
1968 ereport(elevel,
1969 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1972 line_num, file_name)));
1973 *err_msg = "list of RADIUS secrets cannot be empty";
1974 return NULL;
1975 }
1976
1977 /*
1978 * Verify length of option lists - each can be 0 (except for secrets,
1979 * but that's already checked above), 1 (use the same value
1980 * everywhere) or the same as the number of servers.
1981 */
1984 {
1985 ereport(elevel,
1986 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1987 errmsg("the number of RADIUS secrets (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1991 line_num, file_name)));
1992 *err_msg = psprintf("the number of RADIUS secrets (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1995 return NULL;
1996 }
2000 {
2001 ereport(elevel,
2002 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2003 errmsg("the number of RADIUS ports (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2007 line_num, file_name)));
2008 *err_msg = psprintf("the number of RADIUS ports (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2011 return NULL;
2012 }
2016 {
2017 ereport(elevel,
2018 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2019 errmsg("the number of RADIUS identifiers (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2023 line_num, file_name)));
2024 *err_msg = psprintf("the number of RADIUS identifiers (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2027 return NULL;
2028 }
2029 }
2030
2031 /*
2032 * Enforce any parameters implied by other settings.
2033 */
2035 {
2036 /*
2037 * For auth method cert, client certificate validation is mandatory,
2038 * and it implies the level of verify-full.
2039 */
2041 }
2042
2043 /*
2044 * Enforce proper configuration of OAuth authentication.
2045 */
2047 {
2050
2051 /* Ensure a validator library is set and permitted by the config. */
2053 return NULL;
2054
2055 /*
2056 * Supplying a usermap combined with the option to skip usermapping is
2057 * nonsensical and indicates a configuration error.
2058 */
2060 {
2061 ereport(elevel,
2062 errcode(ERRCODE_CONFIG_FILE_ERROR),
2063 /* translator: strings are replaced with hba options */
2065 "map", "delegate_ident_mapping"),
2067 line_num, file_name));
2068 *err_msg = "map cannot be used in combination with delegate_ident_mapping";
2069 return NULL;
2070 }
2071 }
2072
2073 return parsedline;
2074}
bool check_oauth_validator(HbaLine *hbaline, int elevel, char **err_msg)
Definition: auth-oauth.c:820
static bool parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int elevel, char **err_msg)
Definition: hba.c:2084
static int regcomp_auth_token(AuthToken *token, char *filename, int line_num, char **err_msg, int elevel)
Definition: hba.c:300
int pg_sockaddr_cidr_mask(struct sockaddr_storage *mask, char *numbits, int family)
Definition: ifaddr.c:105
void pg_freeaddrinfo_all(int hint_ai_family, struct addrinfo *ai)
Definition: ip.c:85
int pg_getaddrinfo_all(const char *hostname, const char *servname, const struct addrinfo *hintp, struct addrinfo **result)
Definition: ip.c:56
Definition: oauth-curl.c:192
References HbaLine::addr, HbaLine::addrlen, Assert(), HbaLine::auth_method, check_oauth_validator(), HbaLine::clientcert, clientCertFull, HbaLine::compat_realm, HbaLine::conntype, copy_auth_token(), ctHost, ctHostGSS, ctHostNoGSS, ctHostNoSSL, ctHostSSL, ctLocal, HbaLine::databases, EnableSSL, ereport, TokenizedAuthLine::err_msg, errcode(), errcontext, errhint(), errmsg(), TokenizedAuthLine::fields, TokenizedAuthLine::file_name, gai_strerror(), HbaLine::hostname, HbaLine::include_realm, HbaLine::ip_cmp_method, ipCmpAll, ipCmpMask, ipCmpSameHost, ipCmpSameNet, lappend(), HbaLine::ldapbasedn, HbaLine::ldapbinddn, HbaLine::ldapbindpasswd, HbaLine::ldapprefix, HbaLine::ldapsearchattribute, HbaLine::ldapsearchfilter, HbaLine::ldapserver, HbaLine::ldapsuffix, List::length, lfirst, TokenizedAuthLine::line_num, HbaLine::linenumber, linitial, list_head(), list_length(), lnext(), MANDATORY_AUTH_ARG, HbaLine::mask, HbaLine::masklen, NIL, HbaLine::oauth_issuer, HbaLine::oauth_scope, HbaLine::oauth_skip_usermap, palloc0(), parse_hba_auth_opt(), pfree(), pg_freeaddrinfo_all(), pg_getaddrinfo_all(), pg_sockaddr_cidr_mask(), psprintf(), pstrdup(), HbaLine::radiusidentifiers, HbaLine::radiusports, HbaLine::radiussecrets, HbaLine::radiusservers, TokenizedAuthLine::raw_line, HbaLine::rawline, regcomp_auth_token(), HbaLine::roles, HbaLine::sourcefile, str, token, token_is_keyword, uaBSD, uaCert, uaGSS, uaIdent, uaLDAP, uaMD5, uaOAuth, uaPAM, uaPassword, uaPeer, uaRADIUS, uaReject, uaSCRAM, uaSSPI, uaTrust, HbaLine::upn_username, HbaLine::usermap, and val.
Referenced by fill_hba_view(), and load_hba().
◆ parse_ident_line()
| IdentLine * parse_ident_line | ( | TokenizedAuthLine * | tok_line, |
| int | elevel | ||
| ) |
Definition at line 2748 of file hba.c.
2749{
2753 ListCell *field;
2754 List *tokens;
2756 IdentLine *parsedline;
2757
2760
2762 parsedline->linenumber = line_num;
2763
2764 /* Get the map token (must exist) */
2765 tokens = lfirst(field);
2766 IDENT_MULTI_VALUE(tokens);
2769
2770 /* Get the ident user token */
2772 IDENT_FIELD_ABSENT(field);
2773 tokens = lfirst(field);
2774 IDENT_MULTI_VALUE(tokens);
2776
2777 /* Copy the ident user token */
2779
2780 /* Get the PG rolename token */
2782 IDENT_FIELD_ABSENT(field);
2783 tokens = lfirst(field);
2784 IDENT_MULTI_VALUE(tokens);
2787
2788 /*
2789 * Now that the field validation is done, compile a regex from the user
2790 * tokens, if necessary.
2791 */
2793 err_msg, elevel))
2794 {
2795 /* err_msg includes the error to report */
2796 return NULL;
2797 }
2798
2800 err_msg, elevel))
2801 {
2802 /* err_msg includes the error to report */
2803 return NULL;
2804 }
2805
2806 return parsedline;
2807}
References Assert(), copy_auth_token(), TokenizedAuthLine::err_msg, TokenizedAuthLine::fields, TokenizedAuthLine::file_name, IDENT_FIELD_ABSENT, IDENT_MULTI_VALUE, lfirst, TokenizedAuthLine::line_num, IdentLine::linenumber, linitial, list_head(), lnext(), NIL, palloc0(), IdentLine::pg_user, pstrdup(), regcomp_auth_token(), IdentLine::system_user, token, and IdentLine::usermap.
Referenced by fill_ident_view(), and load_ident().
◆ tokenize_auth_file()
| void tokenize_auth_file | ( | const char * | filename, |
| FILE * | file, | ||
| List ** | tok_lines, | ||
| int | elevel, | ||
| int | depth | ||
| ) |
Definition at line 688 of file hba.c.
690{
691 int line_number = 1;
693 MemoryContext linecxt;
695 ErrorContextCallback tokenerrcontext;
696 tokenize_error_callback_arg callback_arg;
697
699
701 callback_arg.linenum = line_number;
702
704 tokenerrcontext.arg = &callback_arg;
706 error_context_stack = &tokenerrcontext;
707
708 /*
709 * Do all the local tokenization in its own context, to ease the cleanup
710 * of any memory allocated while tokenizing.
711 */
713 "tokenize_auth_file",
714 ALLOCSET_SMALL_SIZES);
715 funccxt = MemoryContextSwitchTo(linecxt);
716
718
720 *tok_lines = NIL;
721
722 while (!feof(file) && !ferror(file))
723 {
724 TokenizedAuthLine *tok_line;
725 MemoryContext oldcxt;
728 char *err_msg = NULL;
729 int last_backslash_buflen = 0;
730 int continuations = 0;
731
732 /* Collect the next input line, handling backslash continuations */
734
736 {
737 /* Strip trailing newline, including \r in case we're on Windows */
739
740 /*
741 * Check for backslash continuation. The backslash must be after
742 * the last place we found a continuation, else two backslashes
743 * followed by two \n's would behave surprisingly.
744 */
747 {
748 /* Continuation, so strip it and keep reading */
750 last_backslash_buflen = buf.len;
751 continuations++;
752 continue;
753 }
754
755 /* Nope, so we have the whole line */
756 break;
757 }
758
759 if (ferror(file))
760 {
761 /* I/O error! */
762 int save_errno = errno;
763
764 ereport(elevel,
765 (errcode_for_file_access(),
767 errno = save_errno;
769 filename);
770 break;
771 }
772
773 /* Parse fields */
776 {
777 List *current_field;
778
780 elevel, depth, &err_msg);
781 /* add field to line, unless we are at EOL or comment start */
783 {
784 /*
785 * lappend() may do its own allocations, so move to the
786 * context for the list of tokens.
787 */
789 current_line = lappend(current_line, current_field);
790 MemoryContextSwitchTo(oldcxt);
791 }
792 }
793
794 /*
795 * Reached EOL; no need to emit line to TokenizedAuthLine list if it's
796 * boring.
797 */
799 goto next_line;
800
801 /* If the line is valid, check if that's an include directive */
803 {
804 AuthToken *first,
805 *second;
806
809
811 {
813 elevel, depth + 1, false, &err_msg);
814
815 if (err_msg)
816 goto process_line;
817
818 /*
819 * tokenize_auth_file() has taken care of creating the
820 * TokenizedAuthLines.
821 */
822 goto next_line;
823 }
825 {
826 char **filenames;
828 int num_filenames;
829 StringInfoData err_buf;
830
832 &num_filenames, &err_msg);
833
834 if (!filenames)
835 {
836 /* the error is in err_msg, so create an entry */
837 goto process_line;
838 }
839
840 initStringInfo(&err_buf);
842 {
844 elevel, depth + 1, false, &err_msg);
845 /* cumulate errors if any */
846 if (err_msg)
847 {
850 appendStringInfoString(&err_buf, err_msg);
851 }
852 }
853
854 /* clean up things */
857 pfree(filenames);
858
859 /*
860 * If there were no errors, the line is fully processed,
861 * bypass the general TokenizedAuthLine processing.
862 */
864 goto next_line;
865
866 /* Otherwise, process the cumulated errors, if any. */
867 err_msg = err_buf.data;
868 goto process_line;
869 }
871 {
872
874 elevel, depth + 1, true, &err_msg);
875 if (err_msg)
876 goto process_line;
877
878 /*
879 * tokenize_auth_file() has taken care of creating the
880 * TokenizedAuthLines.
881 */
882 goto next_line;
883 }
884 }
885
886process_line:
887
888 /*
889 * General processing: report the error if any and emit line to the
890 * TokenizedAuthLine. This is saved in the memory context dedicated
891 * to this list.
892 */
895 tok_line->fields = current_line;
897 tok_line->line_num = line_number;
900 *tok_lines = lappend(*tok_lines, tok_line);
901 MemoryContextSwitchTo(oldcxt);
902
903next_line:
904 line_number += continuations + 1;
905 callback_arg.linenum = line_number;
906 }
907
908 MemoryContextSwitchTo(funccxt);
909 MemoryContextDelete(linecxt);
910
912}
char ** GetConfFilesInDir(const char *includedir, const char *calling_file, int elevel, int *num_filenames, char **err_msg)
Definition: conffiles.c:70
static List * next_field_expand(const char *filename, char **lineptr, int elevel, int depth, char **err_msg)
Definition: hba.c:378
static void tokenize_include_file(const char *outer_filename, const char *inc_filename, List **tok_lines, int elevel, int depth, bool missing_ok, char **err_msg)
Definition: hba.c:437
bool pg_get_line_append(FILE *stream, StringInfo buf, PromptInterruptContext *prompt_ctx)
Definition: pg_get_line.c:124
void appendStringInfoString(StringInfo str, const char *s)
Definition: stringinfo.c:230
Definition: elog.h:296
Definition: stringinfo.h:47
Definition: mbprint.h:17
Definition: hba.c:64
References ALLOCSET_SMALL_SIZES, AllocSetContextCreate, appendStringInfoChar(), appendStringInfoString(), ErrorContextCallback::arg, Assert(), buf, ErrorContextCallback::callback, CONF_FILE_START_DEPTH, CurrentMemoryContext, StringInfoData::data, ereport, TokenizedAuthLine::err_msg, errcode_for_file_access(), errmsg(), error_context_stack, TokenizedAuthLine::fields, TokenizedAuthLine::file_name, tokenize_error_callback_arg::filename, filename, GetConfFilesInDir(), i, initStringInfo(), lappend(), StringInfoData::len, TokenizedAuthLine::line_num, tokenize_error_callback_arg::linenum, linitial, linitial_node, list_length(), lsecond_node, MemoryContextDelete(), MemoryContextSwitchTo(), next_field_expand(), NIL, palloc0(), pfree(), pg_get_line_append(), pg_strip_crlf(), ErrorContextCallback::previous, psprintf(), pstrdup(), TokenizedAuthLine::raw_line, resetStringInfo(), AuthToken::string, tokenize_context, tokenize_error_callback(), and tokenize_include_file().
Referenced by fill_hba_view(), fill_ident_view(), load_hba(), load_ident(), tokenize_expand_file(), and tokenize_include_file().
