hba.h File Reference
#include "libpq/pqcomm.h"
#include "nodes/pg_list.h"
#include "regex/regex.h"

Data Structures

struct  HbaLine
 
struct  IdentLine
 

Macros

#define USER_AUTH_LAST   uaPeer /* Must be last value of this enum */
 

Typedefs

typedef enum UserAuth UserAuth
 
typedef enum IPCompareMethod IPCompareMethod
 
typedef enum ConnType ConnType
 
typedef enum ClientCertMode ClientCertMode
 
typedef struct HbaLine HbaLine
 
typedef struct IdentLine IdentLine
 
typedef struct Port hbaPort
 

Enumerations

enum  UserAuth {
  uaReject, uaImplicitReject, uaTrust, uaIdent,
  uaPassword, uaMD5, uaSCRAM, uaGSS,
  uaSSPI, uaPAM, uaBSD, uaLDAP,
  uaCert, uaRADIUS
}
 
enum  IPCompareMethod { ipCmpMask, ipCmpSameHost, ipCmpSameNet, ipCmpAll }
 
enum  ConnType {
  ctLocal, ctHost, ctHostSSL, ctHostNoSSL,
  ctHostGSS, ctHostNoGSS
}
 
enum  ClientCertMode { clientCertOff, clientCertCA, clientCertFull }
 

Functions

bool load_hba (void)
 
bool load_ident (void)
 
void hba_getauthmethod (hbaPort *port)
 
int check_usermap (const char *usermap_name, const char *pg_role, const char *auth_user, bool case_sensitive)
 
bool pg_isblank (const char c)
 

Macro Definition Documentation

◆ USER_AUTH_LAST

#define USER_AUTH_LAST   uaPeer /* Must be last value of this enum */

Definition at line 42 of file hba.h.

Referenced by fill_hba_line().

Typedef Documentation

◆ ClientCertMode

◆ ConnType

typedef enum ConnType ConnType

◆ HbaLine

typedef struct HbaLine HbaLine

◆ hbaPort

typedef struct Port hbaPort

Definition at line 124 of file hba.h.

◆ IdentLine

typedef struct IdentLine IdentLine

◆ IPCompareMethod

◆ UserAuth

typedef enum UserAuth UserAuth

Enumeration Type Documentation

◆ ClientCertMode

Enumerator
clientCertOff 
clientCertCA 
clientCertFull 

Definition at line 63 of file hba.h.

64 {

◆ ConnType

enum ConnType
Enumerator
ctLocal 
ctHost 
ctHostSSL 
ctHostNoSSL 
ctHostGSS 
ctHostNoGSS 

Definition at line 53 of file hba.h.

54 {
55  ctLocal,
56  ctHost,
57  ctHostSSL,
59  ctHostGSS,
61 } ConnType;

◆ IPCompareMethod

Enumerator
ipCmpMask 
ipCmpSameHost 
ipCmpSameNet 
ipCmpAll 

Definition at line 45 of file hba.h.

46 {
47  ipCmpMask,
50  ipCmpAll

◆ UserAuth

enum UserAuth
Enumerator
uaReject 
uaImplicitReject 
uaTrust 
uaIdent 
uaPassword 
uaMD5 
uaSCRAM 
uaGSS 
uaSSPI 
uaPAM 
uaBSD 
uaLDAP 
uaCert 
uaRADIUS 

Definition at line 25 of file hba.h.

/*
 * UserAuth: the authentication methods an hba line can select.
 *
 * Enumerator order is load-bearing: USER_AUTH_LAST (defined inline below)
 * must name the final enumerator, and the page shows it is used by
 * fill_hba_line(). A new method therefore goes before uaPeer and the macro
 * must be updated with it.
 *
 * NOTE(review): the "Enumerations" summary near the top of this page lists
 * this enum without uaPeer; the definition below, which does include it, is
 * the authoritative one.
 */
26 {
27  uaReject,
28  uaImplicitReject, /* Not a user-visible option */
29  uaTrust,
30  uaIdent,
31  uaPassword,
32  uaMD5,
33  uaSCRAM,
34  uaGSS,
35  uaSSPI,
36  uaPAM,
37  uaBSD,
38  uaLDAP,
39  uaCert,
40  uaRADIUS,
41  uaPeer
42 #define USER_AUTH_LAST uaPeer /* Must be last value of this enum */
43 } UserAuth;

Function Documentation

◆ check_usermap()

int check_usermap ( const char *  usermap_name,
const char *  pg_role,
const char *  auth_user,
bool  case_sensitive 
)

Definition at line 2924 of file hba.c.

References check_ident_usermap(), ereport, errmsg(), error(), lfirst, LOG, pg_strcasecmp(), STATUS_ERROR, and STATUS_OK.

Referenced by CheckSCRAMAuth(), and ident_inet().

/*
 * check_usermap: decide whether the name established by authentication
 * (auth_user) is allowed to log in as the requested role (pg_role).
 *
 * usermap_name: name of the map in pg_ident.conf. NULL or "" means "no map",
 *               in which case the two names must simply be equal.
 * pg_role:      role the client asked to connect as.
 * auth_user:    name produced by the authentication method.
 * 4th argument: NOTE(review): the header prototype on this page declares it
 *               as case_sensitive, but the definition below reads it as
 *               case_insensitive (true selects pg_strcasecmp). A caller that
 *               codes against the header name would pass the opposite
 *               polarity; the body is authoritative.
 *
 * Returns STATUS_OK only when a match is found, STATUS_ERROR otherwise --
 * including when a map line reports an error, so the function fails closed.
 *
 * The "error()" entry in the References list above is a Doxygen mislink:
 * "error" here is a local bool, not the function in sql-dyntest.c.
 */
2928 {
2929  bool found_entry = false,
2930  error = false;
2931 
/* No map: the names must be identical (ignoring case when requested). */
2932  if (usermap_name == NULL || usermap_name[0] == '\0')
2933  {
2934  if (case_insensitive)
2935  {
2936  if (pg_strcasecmp(pg_role, auth_user) == 0)
2937  return STATUS_OK;
2938  }
2939  else
2940  {
2941  if (strcmp(pg_role, auth_user) == 0)
2942  return STATUS_OK;
2943  }
/* Mismatch is logged (not raised) and reported to the caller as an error. */
2944  ereport(LOG,
2945  (errmsg("provided user name (%s) and authenticated user name (%s) do not match",
2946  pg_role, auth_user)));
2947  return STATUS_ERROR;
2948  }
2949  else
2950  {
2951  ListCell *line_cell;
2952 
/*
 * Walk the parsed pg_ident.conf lines (file-local parsed_ident_lines);
 * check_ident_usermap() sets found_entry or error, and the scan stops at
 * the first of either.
 */
2953  foreach(line_cell, parsed_ident_lines)
2954  {
2955  check_ident_usermap(lfirst(line_cell), usermap_name,
2956  pg_role, auth_user, case_insensitive,
2957  &found_entry, &error);
2958  if (found_entry || error)
2959  break;
2960  }
2961  }
/*
 * "no match" is only logged when the map was scanned cleanly; when error is
 * set, the helper has presumably already reported the problem.
 */
2962  if (!found_entry && !error)
2963  {
2964  ereport(LOG,
2965  (errmsg("no match in usermap \"%s\" for user \"%s\" authenticated as \"%s\"",
2966  usermap_name, pg_role, auth_user)));
2967  }
/* Fail closed: anything other than a positive match is STATUS_ERROR. */
2968  return found_entry ? STATUS_OK : STATUS_ERROR;
2969 }
static void check_ident_usermap(IdentLine *identLine, const char *usermap_name, const char *pg_role, const char *ident_user, bool case_insensitive, bool *found_p, bool *error_p)
Definition: hba.c:2788
static void error(void)
Definition: sql-dyntest.c:147
#define STATUS_ERROR
Definition: c.h:1115
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36
#define LOG
Definition: elog.h:26
#define ereport(elevel, rest)
Definition: elog.h:141
#define STATUS_OK
Definition: c.h:1114
static List * parsed_ident_lines
Definition: hba.c:112
#define lfirst(lc)
Definition: pg_list.h:190
int errmsg(const char *fmt,...)
Definition: elog.c:822

◆ hba_getauthmethod()

void hba_getauthmethod ( hbaPort port)

Definition at line 3090 of file hba.c.

References check_hba().

Referenced by ClientAuthentication().

/*
 * hba_getauthmethod: resolve the hba settings for a connection. All work is
 * delegated to the file-local check_hba() (body not shown on this page); the
 * page lists ClientAuthentication() as the only caller.
 *
 * port: connection being authenticated. hbaPort is a typedef of struct Port;
 *       the rendered signature above dropped the '*', the prototype in the
 *       "Functions" summary reads hbaPort *port.
 */
3091 {
3092  check_hba(port);
3093 }
static void check_hba(hbaPort *port)
Definition: hba.c:2071

◆ load_hba()

bool load_hba ( void  )

Definition at line 2183 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert, ereport, TokenizedLine::err_msg, errcode(), errcode_for_file_access(), errmsg(), FreeFile(), HbaFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline(), NIL, parse_hba_line(), PostmasterContext, and tokenize_file().

Referenced by PerformAuthentication(), PostmasterMain(), and SIGHUP_handler().

/*
 * load_hba: read and parse the hba file (HbaFileName) into a fresh memory
 * context and, only if every line parsed, install the result as the active
 * parsed_hba_lines / parsed_hba_context.
 *
 * Returns true on success. Returns false if the file cannot be opened, any
 * line fails to parse, or the file contains no entries at all; in every false
 * case the previously loaded lines stay in effect, because the replacement
 * happens only at the very end.
 *
 * NOTE(review): the rendered listing is incomplete -- gutter lines 2198,
 * 2208-2209, 2211 and 2268 are missing from the page. From the References
 * list they are presumably the errcode_for_file_access() argument, the
 * AllocSetContextCreate() call that creates hbacxt, and the
 * MemoryContextDelete() of the old context. The "newline()" entry in that
 * list is a Doxygen mislink to regc_lex.c: "newline" below is a local
 * HbaLine pointer.
 */
2184 {
2185  FILE *file;
2186  List *hba_lines = NIL;
2187  ListCell *line;
2188  List *new_parsed_lines = NIL;
2189  bool ok = true;
2190  MemoryContext linecxt;
2191  MemoryContext oldcxt;
2192  MemoryContext hbacxt;
2193 
2194  file = AllocateFile(HbaFileName, "r");
2195  if (file == NULL)
2196  {
2197  ereport(LOG,
2199  errmsg("could not open configuration file \"%s\": %m",
2200  HbaFileName)));
2201  return false;
2202  }
2203 
/*
 * Tokenize the whole file first; per-line problems come back attached to the
 * line as err_msg, and the tokenizer logs at LOG level.
 */
2204  linecxt = tokenize_file(HbaFileName, file, &hba_lines, LOG);
2205  FreeFile(file);
2206 
2207  /* Now parse all the lines */
2210  "hba parser context",
2212  oldcxt = MemoryContextSwitchTo(hbacxt);
2213  foreach(line, hba_lines)
2214  {
2215  TokenizedLine *tok_line = (TokenizedLine *) lfirst(line);
2216  HbaLine *newline;
2217 
2218  /* don't parse lines that already have errors */
2219  if (tok_line->err_msg != NULL)
2220  {
2221  ok = false;
2222  continue;
2223  }
2224 
2225  if ((newline = parse_hba_line(tok_line, LOG)) == NULL)
2226  {
2227  /* Parse error; remember there's trouble */
2228  ok = false;
2229 
2230  /*
2231  * Keep parsing the rest of the file so we can report errors on
2232  * more than the first line. Error has already been logged, no
2233  * need for more chatter here.
2234  */
2235  continue;
2236  }
2237 
2238  new_parsed_lines = lappend(new_parsed_lines, newline);
2239  }
2240 
2241  /*
2242  * A valid HBA file must have at least one entry; else there's no way to
2243  * connect to the postmaster. But only complain about this if we didn't
2244  * already have parsing errors.
2245  */
2246  if (ok && new_parsed_lines == NIL)
2247  {
2248  ereport(LOG,
2249  (errcode(ERRCODE_CONFIG_FILE_ERROR),
2250  errmsg("configuration file \"%s\" contains no entries",
2251  HbaFileName)));
2252  ok = false;
2253  }
2254 
2255  /* Free tokenizer memory */
2256  MemoryContextDelete(linecxt);
2257  MemoryContextSwitchTo(oldcxt);
2258 
/* All-or-nothing: a single bad line leaves the old configuration in place. */
2259  if (!ok)
2260  {
2261  /* File contained one or more errors, so bail out */
2262  MemoryContextDelete(hbacxt);
2263  return false;
2264  }
2265 
2266  /* Loaded new file successfully, replace the one we use */
/*
 * NOTE(review): gutter line 2268, the body of this if, is not rendered on
 * the page (presumably MemoryContextDelete(parsed_hba_context)); the
 * assignment on 2269 is not part of the conditional.
 */
2267  if (parsed_hba_context != NULL)
2269  parsed_hba_context = hbacxt;
2270  parsed_hba_lines = new_parsed_lines;
2271 
2272  return true;
2273 }
Definition: hba.h:70
#define NIL
Definition: pg_list.h:65
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:211
#define AllocSetContextCreate
Definition: memutils.h:170
#define ALLOCSET_SMALL_SIZES
Definition: memutils.h:202
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
int errcode(int sqlerrcode)
Definition: elog.c:608
#define LOG
Definition: elog.h:26
static chr newline(void)
Definition: regc_lex.c:1138
static List * parsed_hba_lines
Definition: hba.c:101
char * HbaFileName
Definition: guc.c:530
static MemoryContext parsed_hba_context
Definition: hba.c:102
char * err_msg
Definition: hba.c:94
int errcode_for_file_access(void)
Definition: elog.c:631
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2204
#define ereport(elevel, rest)
Definition: elog.h:141
List * lappend(List *list, void *datum)
Definition: list.c:322
static HbaLine * parse_hba_line(TokenizedLine *tok_line, int elevel)
Definition: hba.c:945
#define Assert(condition)
Definition: c.h:733
#define lfirst(lc)
Definition: pg_list.h:190
static MemoryContext tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
Definition: hba.c:470
int FreeFile(FILE *file)
Definition: fd.c:2403
int errmsg(const char *fmt,...)
Definition: elog.c:822
Definition: pg_list.h:50
MemoryContext PostmasterContext
Definition: mcxt.c:46

◆ load_ident()

bool load_ident ( void  )

Definition at line 2979 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert, ereport, TokenizedLine::err_msg, errcode_for_file_access(), errmsg(), FreeFile(), IdentLine::ident_user, IdentFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline(), NIL, parse_ident_line(), pg_regfree(), PostmasterContext, IdentLine::re, and tokenize_file().

Referenced by PerformAuthentication(), PostmasterMain(), and SIGHUP_handler().

/*
 * load_ident: read and parse the usermap file (IdentFileName) into a fresh
 * memory context and, only if every line parsed, install the result as the
 * active parsed_ident_lines / parsed_ident_context.
 *
 * Returns true on success, false if the file cannot be opened or any line
 * fails to parse. As in load_hba, a false return leaves the previously
 * loaded map in effect. Unlike load_hba, a file with no entries is not
 * rejected here -- there is no NIL check between the parse loop and the
 * tokenizer cleanup.
 *
 * Entries whose ident_user starts with '/' carry a compiled regex in re;
 * MemoryContextDelete does not know about it, so pg_regfree() is called
 * explicitly both when discarding a failed load and when retiring the
 * previous map.
 *
 * NOTE(review): the rendered listing is incomplete -- gutter lines 2997,
 * 3007, 3010 and 3071 are missing from the page (presumably the
 * errcode_for_file_access() argument, parts of the AllocSetContextCreate()
 * call, and the MemoryContextDelete() of the old context named in the
 * References list). The "newline()" entry in that list is a Doxygen mislink
 * to regc_lex.c: "newline" below is a local IdentLine pointer.
 */
2980 {
2981  FILE *file;
2982  List *ident_lines = NIL;
2983  ListCell *line_cell,
2984  *parsed_line_cell;
2985  List *new_parsed_lines = NIL;
2986  bool ok = true;
2987  MemoryContext linecxt;
2988  MemoryContext oldcxt;
2989  MemoryContext ident_context;
2990  IdentLine *newline;
2991 
2992  file = AllocateFile(IdentFileName, "r");
2993  if (file == NULL)
2994  {
2995  /* not fatal ... we just won't do any special ident maps */
2996  ereport(LOG,
2998  errmsg("could not open usermap file \"%s\": %m",
2999  IdentFileName)));
3000  return false;
3001  }
3002 
/* Tokenize first; per-line problems come back attached as err_msg. */
3003  linecxt = tokenize_file(IdentFileName, file, &ident_lines, LOG);
3004  FreeFile(file);
3005 
3006  /* Now parse all the lines */
3008  ident_context = AllocSetContextCreate(PostmasterContext,
3009  "ident parser context",
3011  oldcxt = MemoryContextSwitchTo(ident_context);
3012  foreach(line_cell, ident_lines)
3013  {
3014  TokenizedLine *tok_line = (TokenizedLine *) lfirst(line_cell);
3015 
3016  /* don't parse lines that already have errors */
3017  if (tok_line->err_msg != NULL)
3018  {
3019  ok = false;
3020  continue;
3021  }
3022 
3023  if ((newline = parse_ident_line(tok_line)) == NULL)
3024  {
3025  /* Parse error; remember there's trouble */
3026  ok = false;
3027 
3028  /*
3029  * Keep parsing the rest of the file so we can report errors on
3030  * more than the first line. Error has already been logged, no
3031  * need for more chatter here.
3032  */
3033  continue;
3034  }
3035 
3036  new_parsed_lines = lappend(new_parsed_lines, newline);
3037  }
3038 
3039  /* Free tokenizer memory */
3040  MemoryContextDelete(linecxt);
3041  MemoryContextSwitchTo(oldcxt);
3042 
/* All-or-nothing: a single bad line leaves the old map in place. */
3043  if (!ok)
3044  {
3045  /*
3046  * File contained one or more errors, so bail out, first being careful
3047  * to clean up whatever we allocated. Most stuff will go away via
3048  * MemoryContextDelete, but we have to clean up regexes explicitly.
3049  */
3050  foreach(parsed_line_cell, new_parsed_lines)
3051  {
3052  newline = (IdentLine *) lfirst(parsed_line_cell);
3053  if (newline->ident_user[0] == '/')
3054  pg_regfree(&newline->re);
3055  }
3056  MemoryContextDelete(ident_context);
3057  return false;
3058  }
3059 
3060  /* Loaded new file successfully, replace the one we use */
/* Release the regexes of the map being retired before its context goes away. */
3061  if (parsed_ident_lines != NIL)
3062  {
3063  foreach(parsed_line_cell, parsed_ident_lines)
3064  {
3065  newline = (IdentLine *) lfirst(parsed_line_cell);
3066  if (newline->ident_user[0] == '/')
3067  pg_regfree(&newline->re);
3068  }
3069  }
/*
 * NOTE(review): gutter line 3071, the body of this if, is not rendered on
 * the page (presumably MemoryContextDelete(parsed_ident_context)); the
 * assignment on 3073 is not part of the conditional.
 */
3070  if (parsed_ident_context != NULL)
3072 
3073  parsed_ident_context = ident_context;
3074  parsed_ident_lines = new_parsed_lines;
3075 
3076  return true;
3077 }
#define NIL
Definition: pg_list.h:65
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:211
#define AllocSetContextCreate
Definition: memutils.h:170
regex_t re
Definition: hba.h:120
#define ALLOCSET_SMALL_SIZES
Definition: memutils.h:202
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
#define LOG
Definition: elog.h:26
static chr newline(void)
Definition: regc_lex.c:1138
char * err_msg
Definition: hba.c:94
int errcode_for_file_access(void)
Definition: elog.c:631
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2204
char * IdentFileName
Definition: guc.c:531
#define ereport(elevel, rest)
Definition: elog.h:141
List * lappend(List *list, void *datum)
Definition: list.c:322
static List * parsed_ident_lines
Definition: hba.c:112
static MemoryContext parsed_ident_context
Definition: hba.c:113
#define Assert(condition)
Definition: c.h:733
#define lfirst(lc)
Definition: pg_list.h:190
static MemoryContext tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
Definition: hba.c:470
Definition: hba.h:113
int FreeFile(FILE *file)
Definition: fd.c:2403
char * ident_user
Definition: hba.h:118
int errmsg(const char *fmt,...)
Definition: elog.c:822
static IdentLine * parse_ident_line(TokenizedLine *tok_line)
Definition: hba.c:2711
void pg_regfree(regex_t *re)
Definition: regfree.c:49
Definition: pg_list.h:50
MemoryContext PostmasterContext
Definition: mcxt.c:46

◆ pg_isblank()

bool pg_isblank ( const char  c)

Definition at line 160 of file hba.c.

Referenced by interpret_ident_response(), and next_token().

/*
 * pg_isblank: true for the characters treated as intra-line whitespace when
 * scanning hba/ident input: space, tab and carriage return. '\n' is not in
 * the set. The page lists next_token() and interpret_ident_response() as the
 * callers.
 *
 * c: character to classify.
 */
161 {
162  return c == ' ' || c == '\t' || c == '\r';
163 }