hba.h File Reference

#include "libpq/pqcomm.h"
#include "nodes/pg_list.h"
#include "regex/regex.h"

Include dependency graph for hba.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures
struct	HbaLine
struct	IdentLine

Macros
#define	USER_AUTH_LAST   uaPeer /* Must be last value of this enum */

Typedefs
typedef enum UserAuth	UserAuth
typedef enum IPCompareMethod	IPCompareMethod
typedef enum ConnType	ConnType
typedef enum ClientCertMode	ClientCertMode
typedef enum ClientCertName	ClientCertName
typedef struct HbaLine	HbaLine
typedef struct IdentLine	IdentLine
typedef struct Port	hbaPort

Enumerations
enum	UserAuth {   uaReject, uaImplicitReject, uaTrust, uaIdent,   uaPassword, uaMD5, uaSCRAM, uaGSS,   uaSSPI, uaPAM, uaBSD, uaLDAP,   uaCert, uaRADIUS }
enum	IPCompareMethod { ipCmpMask, ipCmpSameHost, ipCmpSameNet, ipCmpAll }
enum	ConnType {   ctLocal, ctHost, ctHostSSL, ctHostNoSSL,   ctHostGSS, ctHostNoGSS }
enum	ClientCertMode { clientCertOff, clientCertCA, clientCertFull }
enum	ClientCertName { clientCertCN, clientCertDN }

Functions
bool	load_hba (void)
bool	load_ident (void)
const char *	hba_authname (UserAuth auth_method)
void	hba_getauthmethod (hbaPort *port)
int	check_usermap (const char *usermap_name, const char *pg_role, const char *auth_user, bool case_sensitive)
bool	pg_isblank (const char c)

Macro Definition Documentation

USER_AUTH_LAST

#define USER_AUTH_LAST   uaPeer /* Must be last value of this enum */

Definition at line 42 of file hba.h.

Referenced by hba_authname().

Typedef Documentation

ClientCertMode

typedef enum ClientCertMode ClientCertMode

ClientCertName

typedef enum ClientCertName ClientCertName

ConnType

typedef enum ConnType ConnType

HbaLine

typedef struct HbaLine HbaLine

hbaPort

typedef struct Port hbaPort

Definition at line 136 of file hba.h.

IdentLine

typedef struct IdentLine IdentLine

IPCompareMethod

typedef enum IPCompareMethod IPCompareMethod

UserAuth

typedef enum UserAuth UserAuth

Enumeration Type Documentation

ClientCertMode

enum ClientCertMode

Enumerator
clientCertOff
clientCertCA
clientCertFull

Definition at line 67 of file hba.h.

{
    clientCertOff,
    clientCertCA,
    clientCertFull
} ClientCertMode;

ClientCertName

enum ClientCertName

Enumerator
clientCertCN
clientCertDN

Definition at line 74 of file hba.h.

{
    clientCertCN,
    clientCertDN
} ClientCertName;

ConnType

enum ConnType

Enumerator
ctLocal
ctHost
ctHostSSL
ctHostNoSSL
ctHostGSS
ctHostNoGSS

Definition at line 57 of file hba.h.

{
    ctLocal,
    ctHost,
    ctHostSSL,
    ctHostNoSSL,
    ctHostGSS,
    ctHostNoGSS,
} ConnType;

IPCompareMethod

enum IPCompareMethod

Enumerator
ipCmpMask
ipCmpSameHost
ipCmpSameNet
ipCmpAll

Definition at line 49 of file hba.h.

{
    ipCmpMask,
    ipCmpSameHost,
    ipCmpSameNet,
    ipCmpAll
} IPCompareMethod;

UserAuth

enum UserAuth

Enumerator
uaReject
uaImplicitReject
uaTrust
uaIdent
uaPassword
uaMD5
uaSCRAM
uaGSS
uaSSPI
uaPAM
uaBSD
uaLDAP
uaCert
uaRADIUS

Definition at line 25 of file hba.h.

{
    uaReject,
    uaImplicitReject,           /* Not a user-visible option */
    uaTrust,
    uaIdent,
    uaPassword,
    uaMD5,
    uaSCRAM,
    uaGSS,
    uaSSPI,
    uaPAM,
    uaBSD,
    uaLDAP,
    uaCert,
    uaRADIUS,
    uaPeer
#define USER_AUTH_LAST uaPeer   /* Must be last value of this enum */
} UserAuth;

Function Documentation

check_usermap()

int check_usermap	(	const char *	usermap_name,
		const char *	pg_role,
		const char *	auth_user,
		bool	case_sensitive
	)

Definition at line 2968 of file hba.c.

References check_ident_usermap(), ereport, errmsg(), error(), lfirst, LOG, pg_strcasecmp(), STATUS_ERROR, and STATUS_OK.

Referenced by auth_peer(), CheckSCRAMAuth(), and ident_inet().

{
    bool        found_entry = false,
                error = false;

    if (usermap_name == NULL || usermap_name[0] == '\0')
    {
        if (case_insensitive)
        {
            if (pg_strcasecmp(pg_role, auth_user) == 0)
                return STATUS_OK;
        }
        else
        {
            if (strcmp(pg_role, auth_user) == 0)
                return STATUS_OK;
        }
        ereport(LOG,
                (errmsg("provided user name (%s) and authenticated user name (%s) do not match",
                        pg_role, auth_user)));
        return STATUS_ERROR;
    }
    else
    {
        ListCell   *line_cell;

        foreach(line_cell, parsed_ident_lines)
        {
            check_ident_usermap(lfirst(line_cell), usermap_name,
                                pg_role, auth_user, case_insensitive,
                                &found_entry, &error);
            if (found_entry || error)
                break;
        }
    }
    if (!found_entry && !error)
    {
        ereport(LOG,
                (errmsg("no match in usermap \"%s\" for user \"%s\" authenticated as \"%s\"",
                        usermap_name, pg_role, auth_user)));
    }
    return found_entry ? STATUS_OK : STATUS_ERROR;
}

hba_authname()

const char* hba_authname

(

UserAuth

auth_method

)

Definition at line 3147 of file hba.c.

References lengthof, StaticAssertStmt, USER_AUTH_LAST, and UserAuthName.

Referenced by fill_hba_line(), and set_authn_id().

{
    /*
     * Make sure UserAuthName[] tracks additions to the UserAuth enum
     */
    StaticAssertStmt(lengthof(UserAuthName) == USER_AUTH_LAST + 1,
                     "UserAuthName[] must match the UserAuth enum");

    return UserAuthName[auth_method];
}

hba_getauthmethod()

void hba_getauthmethod

(

hbaPort *

port

)

Definition at line 3134 of file hba.c.

References check_hba().

Referenced by ClientAuthentication().

{
    check_hba(port);
}

load_hba()

bool load_hba

(

void

)

Definition at line 2229 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert, ereport, TokenizedLine::err_msg, errcode(), errcode_for_file_access(), errmsg(), FreeFile(), HbaFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline(), NIL, parse_hba_line(), PostmasterContext, and tokenize_file().

Referenced by PerformAuthentication(), PostmasterMain(), and SIGHUP_handler().

{
    FILE       *file;
    List       *hba_lines = NIL;
    ListCell   *line;
    List       *new_parsed_lines = NIL;
    bool        ok = true;
    MemoryContext linecxt;
    MemoryContext oldcxt;
    MemoryContext hbacxt;

    file = AllocateFile(HbaFileName, "r");
    if (file == NULL)
    {
        ereport(LOG,
                (errcode_for_file_access(),
                 errmsg("could not open configuration file \"%s\": %m",
                        HbaFileName)));
        return false;
    }

    linecxt = tokenize_file(HbaFileName, file, &hba_lines, LOG);
    FreeFile(file);

    /* Now parse all the lines */
    Assert(PostmasterContext);
    hbacxt = AllocSetContextCreate(PostmasterContext,
                                   "hba parser context",
                                   ALLOCSET_SMALL_SIZES);
    oldcxt = MemoryContextSwitchTo(hbacxt);
    foreach(line, hba_lines)
    {
        TokenizedLine *tok_line = (TokenizedLine *) lfirst(line);
        HbaLine    *newline;

        /* don't parse lines that already have errors */
        if (tok_line->err_msg != NULL)
        {
            ok = false;
            continue;
        }

        if ((newline = parse_hba_line(tok_line, LOG)) == NULL)
        {
            /* Parse error; remember there's trouble */
            ok = false;

            /*
             * Keep parsing the rest of the file so we can report errors on
             * more than the first line.  Error has already been logged, no
             * need for more chatter here.
             */
            continue;
        }

        new_parsed_lines = lappend(new_parsed_lines, newline);
    }

    /*
     * A valid HBA file must have at least one entry; else there's no way to
     * connect to the postmaster.  But only complain about this if we didn't
     * already have parsing errors.
     */
    if (ok && new_parsed_lines == NIL)
    {
        ereport(LOG,
                (errcode(ERRCODE_CONFIG_FILE_ERROR),
                 errmsg("configuration file \"%s\" contains no entries",
                        HbaFileName)));
        ok = false;
    }

    /* Free tokenizer memory */
    MemoryContextDelete(linecxt);
    MemoryContextSwitchTo(oldcxt);

    if (!ok)
    {
        /* File contained one or more errors, so bail out */
        MemoryContextDelete(hbacxt);
        return false;
    }

    /* Loaded new file successfully, replace the one we use */
    if (parsed_hba_context != NULL)
        MemoryContextDelete(parsed_hba_context);
    parsed_hba_context = hbacxt;
    parsed_hba_lines = new_parsed_lines;

    return true;
}

load_ident()

bool load_ident

(

void

)

Definition at line 3023 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert, ereport, TokenizedLine::err_msg, errcode_for_file_access(), errmsg(), FreeFile(), IdentLine::ident_user, IdentFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline(), NIL, parse_ident_line(), pg_regfree(), PostmasterContext, IdentLine::re, and tokenize_file().

Referenced by PerformAuthentication(), PostmasterMain(), and SIGHUP_handler().

{
    FILE       *file;
    List       *ident_lines = NIL;
    ListCell   *line_cell,
               *parsed_line_cell;
    List       *new_parsed_lines = NIL;
    bool        ok = true;
    MemoryContext linecxt;
    MemoryContext oldcxt;
    MemoryContext ident_context;
    IdentLine  *newline;

    file = AllocateFile(IdentFileName, "r");
    if (file == NULL)
    {
        /* not fatal ... we just won't do any special ident maps */
        ereport(LOG,
                (errcode_for_file_access(),
                 errmsg("could not open usermap file \"%s\": %m",
                        IdentFileName)));
        return false;
    }

    linecxt = tokenize_file(IdentFileName, file, &ident_lines, LOG);
    FreeFile(file);

    /* Now parse all the lines */
    Assert(PostmasterContext);
    ident_context = AllocSetContextCreate(PostmasterContext,
                                          "ident parser context",
                                          ALLOCSET_SMALL_SIZES);
    oldcxt = MemoryContextSwitchTo(ident_context);
    foreach(line_cell, ident_lines)
    {
        TokenizedLine *tok_line = (TokenizedLine *) lfirst(line_cell);

        /* don't parse lines that already have errors */
        if (tok_line->err_msg != NULL)
        {
            ok = false;
            continue;
        }

        if ((newline = parse_ident_line(tok_line)) == NULL)
        {
            /* Parse error; remember there's trouble */
            ok = false;

            /*
             * Keep parsing the rest of the file so we can report errors on
             * more than the first line.  Error has already been logged, no
             * need for more chatter here.
             */
            continue;
        }

        new_parsed_lines = lappend(new_parsed_lines, newline);
    }

    /* Free tokenizer memory */
    MemoryContextDelete(linecxt);
    MemoryContextSwitchTo(oldcxt);

    if (!ok)
    {
        /*
         * File contained one or more errors, so bail out, first being careful
         * to clean up whatever we allocated.  Most stuff will go away via
         * MemoryContextDelete, but we have to clean up regexes explicitly.
         */
        foreach(parsed_line_cell, new_parsed_lines)
        {
            newline = (IdentLine *) lfirst(parsed_line_cell);
            if (newline->ident_user[0] == '/')
                pg_regfree(&newline->re);
        }
        MemoryContextDelete(ident_context);
        return false;
    }

    /* Loaded new file successfully, replace the one we use */
    if (parsed_ident_lines != NIL)
    {
        foreach(parsed_line_cell, parsed_ident_lines)
        {
            newline = (IdentLine *) lfirst(parsed_line_cell);
            if (newline->ident_user[0] == '/')
                pg_regfree(&newline->re);
        }
    }
    if (parsed_ident_context != NULL)
        MemoryContextDelete(parsed_ident_context);

    parsed_ident_context = ident_context;
    parsed_ident_lines = new_parsed_lines;

    return true;
}

pg_isblank()

bool pg_isblank

(

const char

c

)

Definition at line 160 of file hba.c.

Referenced by interpret_ident_response(), and next_token().

{
    return c == ' ' || c == '\t' || c == '\r';
}