hba.h File Reference
#include "libpq/pqcomm.h"
#include "nodes/pg_list.h"
#include "regex/regex.h"

Data Structures

struct  HbaLine
 
struct  IdentLine
 

Macros

#define USER_AUTH_LAST   uaPeer /* Must be last value of this enum */
 

Typedefs

typedef enum UserAuth UserAuth
 
typedef enum IPCompareMethod IPCompareMethod
 
typedef enum ConnType ConnType
 
typedef enum ClientCertMode ClientCertMode
 
typedef struct HbaLine HbaLine
 
typedef struct IdentLine IdentLine
 
typedef struct Port hbaPort
 

Enumerations

enum  UserAuth {
  uaReject, uaImplicitReject, uaTrust, uaIdent,
  uaPassword, uaMD5, uaSCRAM, uaGSS,
  uaSSPI, uaPAM, uaBSD, uaLDAP,
  uaCert, uaRADIUS, uaPeer
}
 
enum  IPCompareMethod { ipCmpMask, ipCmpSameHost, ipCmpSameNet, ipCmpAll }
 
enum  ConnType {
  ctLocal, ctHost, ctHostSSL, ctHostNoSSL,
  ctHostGSS, ctHostNoGSS
}
 
enum  ClientCertMode { clientCertOff, clientCertCA, clientCertFull }
 

Functions

bool load_hba (void)
 
bool load_ident (void)
 
void hba_getauthmethod (hbaPort *port)
 
int check_usermap (const char *usermap_name, const char *pg_role, const char *auth_user, bool case_sensitive)
 
bool pg_isblank (const char c)
 

Macro Definition Documentation

◆ USER_AUTH_LAST

#define USER_AUTH_LAST   uaPeer /* Must be last value of this enum */

Definition at line 42 of file hba.h.

Referenced by fill_hba_line().

Typedef Documentation

◆ ClientCertMode

◆ ConnType

typedef enum ConnType ConnType

◆ HbaLine

typedef struct HbaLine HbaLine

◆ hbaPort

typedef struct Port hbaPort

Definition at line 124 of file hba.h.

◆ IdentLine

typedef struct IdentLine IdentLine

◆ IPCompareMethod

◆ UserAuth

typedef enum UserAuth UserAuth

Enumeration Type Documentation

◆ ClientCertMode

Enumerator
clientCertOff 
clientCertCA 
clientCertFull 

Definition at line 63 of file hba.h.

64 {

◆ ConnType

enum ConnType
Enumerator
ctLocal 
ctHost 
ctHostSSL 
ctHostNoSSL 
ctHostGSS 
ctHostNoGSS 

Definition at line 53 of file hba.h.

54 {
55  ctLocal,
56  ctHost,
57  ctHostSSL,
59  ctHostGSS,
61 } ConnType;

◆ IPCompareMethod

Enumerator
ipCmpMask 
ipCmpSameHost 
ipCmpSameNet 
ipCmpAll 

Definition at line 45 of file hba.h.

46 {
47  ipCmpMask,
50  ipCmpAll

◆ UserAuth

enum UserAuth
Enumerator
uaReject 
uaImplicitReject 
uaTrust 
uaIdent 
uaPassword 
uaMD5 
uaSCRAM 
uaGSS 
uaSSPI 
uaPAM 
uaBSD 
uaLDAP 
uaCert 
uaRADIUS 
uaPeer 

Definition at line 25 of file hba.h.

26 {
27  uaReject,
28  uaImplicitReject, /* Not a user-visible option */
29  uaTrust,
30  uaIdent,
31  uaPassword,
32  uaMD5,
33  uaSCRAM,
34  uaGSS,
35  uaSSPI,
36  uaPAM,
37  uaBSD,
38  uaLDAP,
39  uaCert,
40  uaRADIUS,
41  uaPeer
42 #define USER_AUTH_LAST uaPeer /* Must be last value of this enum */
43 } UserAuth;

Function Documentation

◆ check_usermap()

int check_usermap ( const char *  usermap_name,
const char *  pg_role,
const char *  auth_user,
bool  case_sensitive 
)

Definition at line 2922 of file hba.c.

References check_ident_usermap(), ereport, errmsg(), lfirst, LOG, pg_strcasecmp(), STATUS_ERROR, and STATUS_OK.

Referenced by auth_peer(), CheckSCRAMAuth(), and ident_inet().

/*
 * check_usermap -- body only; the signature (hba.c lines 2922-2925) is not
 * reproduced in this rendering, the prototype shown above comes from hba.h.
 *
 * Decides whether the externally authenticated name (auth_user) is allowed
 * to connect as the requested role (pg_role).  With no usermap the two names
 * must match directly; with a usermap the loaded pg_ident.conf entries for
 * usermap_name are consulted.  Returns STATUS_OK or STATUS_ERROR.
 *
 * NOTE(review): the prototype rendered above names the last parameter
 * case_sensitive, but this body tests case_insensitive, so the definition in
 * hba.c must use that name.  The two spellings have opposite meanings; the
 * definition's name is the one that governs the behaviour below -- confirm
 * against hba.h before relying on the header's name from a caller.
 */
2926 {
2927  bool found_entry = false,
2928  error = false;
2929 
      /*
       * No usermap given: the names themselves must match, exactly unless the
       * caller asked for a case-insensitive comparison.  A mismatch is logged
       * and rejected.
       */
2930  if (usermap_name == NULL || usermap_name[0] == '\0')
2931  {
2932  if (case_insensitive)
2933  {
2934  if (pg_strcasecmp(pg_role, auth_user) == 0)
2935  return STATUS_OK;
2936  }
2937  else
2938  {
2939  if (strcmp(pg_role, auth_user) == 0)
2940  return STATUS_OK;
2941  }
2942  ereport(LOG,
2943  (errmsg("provided user name (%s) and authenticated user name (%s) do not match",
2944  pg_role, auth_user)));
2945  return STATUS_ERROR;
2946  }
2947  else
2948  {
2949  ListCell *line_cell;
2950 
      /*
       * Walk every loaded ident line; check_ident_usermap() reports through
       * found_entry / error and the walk stops at the first match or error.
       */
2951  foreach(line_cell, parsed_ident_lines)
2952  {
2953  check_ident_usermap(lfirst(line_cell), usermap_name,
2954  pg_role, auth_user, case_insensitive,
2955  &found_entry, &error);
2956  if (found_entry || error)
2957  break;
2958  }
2959  }
      /*
       * "no match" is only logged when the walk ended without an error; an
       * error flagged by check_ident_usermap() suppresses this message
       * (presumably because it already logged its own -- confirm in hba.c:2787).
       */
2960  if (!found_entry && !error)
2961  {
2962  ereport(LOG,
2963  (errmsg("no match in usermap \"%s\" for user \"%s\" authenticated as \"%s\"",
2964  usermap_name, pg_role, auth_user)));
2965  }
      /* The verdict depends on found_entry alone: error with no match is a reject. */
2966  return found_entry ? STATUS_OK : STATUS_ERROR;
2967 }

◆ hba_getauthmethod()

void hba_getauthmethod ( hbaPort port)

Definition at line 3088 of file hba.c.

References check_hba().

Referenced by ClientAuthentication().

/*
 * hba_getauthmethod -- public entry point that simply delegates to the
 * file-static check_hba().  Nothing is returned; whatever check_hba()
 * determines is presumably recorded in fields of *port (the name suggests
 * it selects the authentication method for this connection) -- confirm in
 * hba.c:2071.
 */
3089 {
3090  check_hba(port);
3091 }

◆ load_hba()

bool load_hba ( void  )

Definition at line 2183 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert, ereport, TokenizedLine::err_msg, errcode(), errcode_for_file_access(), errmsg(), FreeFile(), HbaFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), NIL, parse_hba_line(), PostmasterContext, and tokenize_file().

Referenced by PerformAuthentication(), PostmasterMain(), and SIGHUP_handler().

/*
 * load_hba -- body only.  The signature line and hba.c lines 2198,
 * 2208-2209, 2211 and 2268 are not reproduced in this rendering (see the
 * gaps in the line numbers); the References list above names what they use.
 *
 * Reads and parses HbaFileName into a freshly created memory context.
 * Returns true and installs the new rule list in parsed_hba_lines /
 * parsed_hba_context only when every line parsed and at least one rule
 * resulted.  On any failure it returns false and the previously installed
 * rules, if any, are left untouched, since the replacement at the bottom is
 * never reached.
 */
2184 {
2185  FILE *file;
2186  List *hba_lines = NIL;
2187  ListCell *line;
2188  List *new_parsed_lines = NIL;
2189  bool ok = true;
2190  MemoryContext linecxt;
2191  MemoryContext oldcxt;
2192  MemoryContext hbacxt;
2193 
      /* An unreadable file is logged at LOG level and reported to the caller. */
2194  file = AllocateFile(HbaFileName, "r");
2195  if (file == NULL)
2196  {
2197  ereport(LOG,
2199  errmsg("could not open configuration file \"%s\": %m",
2200  HbaFileName)));
2201  return false;
2202  }
2203 
      /* linecxt owns the tokenized lines; it is deleted once parsing is done. */
2204  linecxt = tokenize_file(HbaFileName, file, &hba_lines, LOG);
2205  FreeFile(file);
2206 
2207  /* Now parse all the lines */
      /*
       * hbacxt is created here (creation call elided in this rendering) and
       * made current, so every parsed HbaLine lives in it and a failed load
       * can be discarded wholesale with one MemoryContextDelete below.
       */
2210  "hba parser context",
2212  oldcxt = MemoryContextSwitchTo(hbacxt);
2213  foreach(line, hba_lines)
2214  {
2215  TokenizedLine *tok_line = (TokenizedLine *) lfirst(line);
2216  HbaLine *newline;
2217 
2218  /* don't parse lines that already have errors */
2219  if (tok_line->err_msg != NULL)
2220  {
2221  ok = false;
2222  continue;
2223  }
2224 
      /*
       * ok is sticky: one bad line makes the whole file fail to load rather
       * than installing a partial rule set, but parsing continues so all
       * errors are reported in one pass.
       */
2225  if ((newline = parse_hba_line(tok_line, LOG)) == NULL)
2226  {
2227  /* Parse error; remember there's trouble */
2228  ok = false;
2229 
2230  /*
2231  * Keep parsing the rest of the file so we can report errors on
2232  * more than the first line. Error has already been logged, no
2233  * need for more chatter here.
2234  */
2235  continue;
2236  }
2237 
2238  new_parsed_lines = lappend(new_parsed_lines, newline);
2239  }
2240 
2241  /*
2242  * A valid HBA file must have at least one entry; else there's no way to
2243  * connect to the postmaster. But only complain about this if we didn't
2244  * already have parsing errors.
2245  */
2246  if (ok && new_parsed_lines == NIL)
2247  {
2248  ereport(LOG,
2249  (errcode(ERRCODE_CONFIG_FILE_ERROR),
2250  errmsg("configuration file \"%s\" contains no entries",
2251  HbaFileName)));
2252  ok = false;
2253  }
2254 
2255  /* Free tokenizer memory */
2256  MemoryContextDelete(linecxt);
2257  MemoryContextSwitchTo(oldcxt);
2258 
2259  if (!ok)
2260  {
2261  /* File contained one or more errors, so bail out */
2262  MemoryContextDelete(hbacxt);
2263  return false;
2264  }
2265 
2266  /* Loaded new file successfully, replace the one we use */
      /*
       * Line 2268, the body of this if, is not shown in this rendering; as
       * printed the if looks as though it guards the assignment on 2269, which
       * it does not.  The References list includes MemoryContextDelete(), which
       * presumably is what the elided line applies to the old context -- confirm
       * in hba.c.
       */
2267  if (parsed_hba_context != NULL)
2269  parsed_hba_context = hbacxt;
2270  parsed_hba_lines = new_parsed_lines;
2271 
2272  return true;
2273 }

◆ load_ident()

bool load_ident ( void  )

Definition at line 2977 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert, ereport, TokenizedLine::err_msg, errcode_for_file_access(), errmsg(), FreeFile(), IdentLine::ident_user, IdentFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), NIL, parse_ident_line(), pg_regfree(), PostmasterContext, IdentLine::re, and tokenize_file().

Referenced by PerformAuthentication(), PostmasterMain(), and SIGHUP_handler().

/*
 * load_ident -- body only.  The signature line and hba.c lines 2995, 3005,
 * 3008 and 3069 are not reproduced in this rendering (see the gaps in the
 * line numbers); the References list above names what they use.
 *
 * Reads and parses IdentFileName (the usermap file) into a fresh memory
 * context.  Returns true and installs the new entries in parsed_ident_lines /
 * parsed_ident_context only when every line parsed; on failure it returns
 * false and the previously installed entries are left in place.  Unlike
 * load_hba, an empty file is not treated as an error here.
 */
2978 {
2979  FILE *file;
2980  List *ident_lines = NIL;
2981  ListCell *line_cell,
2982  *parsed_line_cell;
2983  List *new_parsed_lines = NIL;
2984  bool ok = true;
2985  MemoryContext linecxt;
2986  MemoryContext oldcxt;
2987  MemoryContext ident_context;
2988  IdentLine *newline;
2989 
      /*
       * The comment below records the intent; the function still returns
       * false here, so the caller decides what "not fatal" means for it.
       */
2990  file = AllocateFile(IdentFileName, "r");
2991  if (file == NULL)
2992  {
2993  /* not fatal ... we just won't do any special ident maps */
2994  ereport(LOG,
2996  errmsg("could not open usermap file \"%s\": %m",
2997  IdentFileName)));
2998  return false;
2999  }
3000 
      /* linecxt owns the tokenized lines; it is deleted once parsing is done. */
3001  linecxt = tokenize_file(IdentFileName, file, &ident_lines, LOG);
3002  FreeFile(file);
3003 
3004  /* Now parse all the lines */
      /*
       * All parsed IdentLines are allocated in ident_context so a failed load
       * can be dropped with a single MemoryContextDelete -- except for the
       * compiled regexes, which are released explicitly below.
       */
3006  ident_context = AllocSetContextCreate(PostmasterContext,
3007  "ident parser context",
3009  oldcxt = MemoryContextSwitchTo(ident_context);
3010  foreach(line_cell, ident_lines)
3011  {
3012  TokenizedLine *tok_line = (TokenizedLine *) lfirst(line_cell);
3013 
3014  /* don't parse lines that already have errors */
3015  if (tok_line->err_msg != NULL)
3016  {
3017  ok = false;
3018  continue;
3019  }
3020 
      /*
       * ok is sticky: one bad line makes the whole file fail to load rather
       * than installing a partial map, but parsing continues so every error
       * is reported in one pass.
       */
3021  if ((newline = parse_ident_line(tok_line)) == NULL)
3022  {
3023  /* Parse error; remember there's trouble */
3024  ok = false;
3025 
3026  /*
3027  * Keep parsing the rest of the file so we can report errors on
3028  * more than the first line. Error has already been logged, no
3029  * need for more chatter here.
3030  */
3031  continue;
3032  }
3033 
3034  new_parsed_lines = lappend(new_parsed_lines, newline);
3035  }
3036 
3037  /* Free tokenizer memory */
3038  MemoryContextDelete(linecxt);
3039  MemoryContextSwitchTo(oldcxt);
3040 
3041  if (!ok)
3042  {
3043  /*
3044  * File contained one or more errors, so bail out, first being careful
3045  * to clean up whatever we allocated. Most stuff will go away via
3046  * MemoryContextDelete, but we have to clean up regexes explicitly.
3047  */
      /* A leading '/' in ident_user marks an entry whose re field was compiled. */
3048  foreach(parsed_line_cell, new_parsed_lines)
3049  {
3050  newline = (IdentLine *) lfirst(parsed_line_cell);
3051  if (newline->ident_user[0] == '/')
3052  pg_regfree(&newline->re);
3053  }
3054  MemoryContextDelete(ident_context);
3055  return false;
3056  }
3057 
3058  /* Loaded new file successfully, replace the one we use */
      /*
       * Release the regexes of the entries being replaced before their context
       * goes away; see the cleanup comment above for why this is needed.
       */
3059  if (parsed_ident_lines != NIL)
3060  {
3061  foreach(parsed_line_cell, parsed_ident_lines)
3062  {
3063  newline = (IdentLine *) lfirst(parsed_line_cell);
3064  if (newline->ident_user[0] == '/')
3065  pg_regfree(&newline->re);
3066  }
3067  }
      /*
       * Line 3069, the body of this if, is not shown in this rendering; as
       * printed the if looks as though it guards the assignment on 3071, which
       * it does not.  The References list includes MemoryContextDelete(), which
       * presumably is what the elided line applies to the old context -- confirm
       * in hba.c.
       */
3068  if (parsed_ident_context != NULL)
3070 
3071  parsed_ident_context = ident_context;
3072  parsed_ident_lines = new_parsed_lines;
3073 
3074  return true;
3075 }

◆ pg_isblank()

bool pg_isblank ( const char  c)

Definition at line 160 of file hba.c.

Referenced by interpret_ident_response(), and next_token().

/*
 * pg_isblank -- true for the three characters treated as blank by the hba
 * tokenizer: space, horizontal tab and carriage return.  Newline ('\n') is
 * not in the set, so a caller that tokenizes line by line must handle it
 * separately -- presumably next_token() does; confirm there.
 */
161 {
162  return c == ' ' || c == '\t' || c == '\r';
163 }