hba.h File Reference
Include dependency graph for hba.h:
This graph shows which files directly or indirectly include this file:
Go to the source code of this file.
Data Structures | |
| struct | AuthToken |
| struct | HbaLine |
| struct | IdentLine |
| struct | TokenizedAuthLine |
Macros | |
| #define | USER_AUTH_LAST uaOAuth /* Must be last value of this enum */ |
Typedefs | |
| typedef enum UserAuth | UserAuth |
| typedef enum IPCompareMethod | IPCompareMethod |
| typedef enum ConnType | ConnType |
| typedef enum ClientCertMode | ClientCertMode |
| typedef enum ClientCertName | ClientCertName |
| typedef struct AuthToken | AuthToken |
| typedef struct HbaLine | HbaLine |
| typedef struct IdentLine | IdentLine |
| typedef struct TokenizedAuthLine | TokenizedAuthLine |
| typedef struct Port | hbaPort |
Enumerations | |
| enum | UserAuth { uaReject , uaImplicitReject , uaTrust , uaIdent , uaPassword , uaMD5 , uaSCRAM , uaGSS , uaSSPI , uaPAM , uaBSD , uaLDAP , uaCert , uaRADIUS , uaPeer , uaOAuth } |
| enum | IPCompareMethod { ipCmpMask , ipCmpSameHost , ipCmpSameNet , ipCmpAll } |
| enum | ConnType { ctLocal , ctHost , ctHostSSL , ctHostNoSSL , ctHostGSS , ctHostNoGSS } |
| enum | ClientCertMode { clientCertOff , clientCertCA , clientCertFull } |
| enum | ClientCertName { clientCertCN , clientCertDN } |
Functions | |
| bool | load_hba (void) |
| bool | load_ident (void) |
| const char * | hba_authname (UserAuth auth_method) |
| void | hba_getauthmethod (hbaPort *port) |
| int | check_usermap (const char *usermap_name, const char *pg_user, const char *system_user, bool case_insensitive) |
| HbaLine * | parse_hba_line (TokenizedAuthLine *tok_line, int elevel) |
| IdentLine * | parse_ident_line (TokenizedAuthLine *tok_line, int elevel) |
| bool | pg_isblank (const char c) |
| FILE * | open_auth_file (const char *filename, int elevel, int depth, char **err_msg) |
| void | free_auth_file (FILE *file, int depth) |
| void | tokenize_auth_file (const char *filename, FILE *file, List **tok_lines, int elevel, int depth) |
Macro Definition Documentation
◆ USER_AUTH_LAST
Typedef Documentation
◆ AuthToken
◆ ClientCertMode
| typedef enum ClientCertMode ClientCertMode |
◆ ClientCertName
| typedef enum ClientCertName ClientCertName |
◆ ConnType
◆ HbaLine
◆ hbaPort
◆ IdentLine
◆ IPCompareMethod
| typedef enum IPCompareMethod IPCompareMethod |
◆ TokenizedAuthLine
| typedef struct TokenizedAuthLine TokenizedAuthLine |
◆ UserAuth
Enumeration Type Documentation
◆ ClientCertMode
| enum ClientCertMode |
| Enumerator | |
|---|---|
| clientCertOff | |
| clientCertCA | |
| clientCertFull | |
◆ ClientCertName
| enum ClientCertName |
| Enumerator | |
|---|---|
| clientCertCN | |
| clientCertDN | |
◆ ConnType
| enum ConnType |
| Enumerator | |
|---|---|
| ctLocal | |
| ctHost | |
| ctHostSSL | |
| ctHostNoSSL | |
| ctHostGSS | |
| ctHostNoGSS | |
Definition at line 58 of file hba.h.
59{
60 ctLocal,
61 ctHost,
62 ctHostSSL,
63 ctHostNoSSL,
64 ctHostGSS,
65 ctHostNoGSS,
66} ConnType;
◆ IPCompareMethod
| enum IPCompareMethod |
| Enumerator | |
|---|---|
| ipCmpMask | |
| ipCmpSameHost | |
| ipCmpSameNet | |
| ipCmpAll | |
◆ UserAuth
| enum UserAuth |
| Enumerator | |
|---|---|
| uaReject | |
| uaImplicitReject | |
| uaTrust | |
| uaIdent | |
| uaPassword | |
| uaMD5 | |
| uaSCRAM | |
| uaGSS | |
| uaSSPI | |
| uaPAM | |
| uaBSD | |
| uaLDAP | |
| uaCert | |
| uaRADIUS | |
| uaPeer | |
| uaOAuth | |
Function Documentation
◆ check_usermap()
| int check_usermap | ( | const char * | usermap_name, |
| const char * | pg_user, | ||
| const char * | system_user, | ||
| bool | case_insensitive | ||
| ) |
Definition at line 2966 of file hba.c.
2970{
2971 bool found_entry = false,
2973
2974 if (usermap_name == NULL || usermap_name[0] == '\0')
2975 {
2976 if (case_insensitive)
2977 {
2980 }
2981 else
2982 {
2985 }
2988 pg_user, system_user)));
2990 }
2991 else
2992 {
2993 ListCell *line_cell;
2994
2996 {
2998 pg_user, system_user, case_insensitive,
2999 &found_entry, &error);
3001 break;
3002 }
3003 }
3005 {
3008 usermap_name, pg_user, system_user)));
3009 }
3011}
static void check_ident_usermap(IdentLine *identLine, const char *usermap_name, const char *pg_user, const char *system_user, bool case_insensitive, bool *found_p, bool *error_p)
Definition: hba.c:2819
Definition: pg_list.h:46
References check_ident_usermap(), ereport, errmsg(), error(), lfirst, LOG, parsed_ident_lines, pg_strcasecmp(), STATUS_ERROR, STATUS_OK, and system_user().
Referenced by auth_peer(), ident_inet(), and validate().
◆ free_auth_file()
| void free_auth_file | ( | FILE * | file, |
| int | depth | ||
| ) |
Definition at line 572 of file hba.c.
573{
574 FreeFile(file);
575
576 /* If this is the last cleanup, remove the tokenization context */
578 {
580 tokenize_context = NULL;
581 }
582}
References CONF_FILE_START_DEPTH, FreeFile(), MemoryContextDelete(), and tokenize_context.
Referenced by fill_hba_view(), fill_ident_view(), load_hba(), load_ident(), tokenize_expand_file(), and tokenize_include_file().
◆ hba_authname()
| const char * hba_authname | ( | UserAuth | auth_method | ) |
Definition at line 3123 of file hba.c.
3124{
3126}
References UserAuthName.
Referenced by ClientAuthentication(), fill_hba_line(), InitPostgres(), ParallelWorkerMain(), and set_authn_id().
◆ hba_getauthmethod()
| void hba_getauthmethod | ( | hbaPort * | port | ) |
Definition at line 3110 of file hba.c.
3111{
3113}
References check_hba(), and port.
Referenced by ClientAuthentication().
◆ load_hba()
| bool load_hba | ( | void | ) |
Definition at line 2645 of file hba.c.
2646{
2647 FILE *file;
2649 ListCell *line;
2651 bool ok = true;
2652 MemoryContext oldcxt;
2653 MemoryContext hbacxt;
2654
2656 if (file == NULL)
2657 {
2658 /* error already logged */
2659 return false;
2660 }
2661
2663
2664 /* Now parse all the lines */
2667 "hba parser context",
2668 ALLOCSET_SMALL_SIZES);
2669 oldcxt = MemoryContextSwitchTo(hbacxt);
2670 foreach(line, hba_lines)
2671 {
2674
2675 /* don't parse lines that already have errors */
2677 {
2678 ok = false;
2679 continue;
2680 }
2681
2683 {
2684 /* Parse error; remember there's trouble */
2685 ok = false;
2686
2687 /*
2688 * Keep parsing the rest of the file so we can report errors on
2689 * more than the first line. Error has already been logged, no
2690 * need for more chatter here.
2691 */
2692 continue;
2693 }
2694
2696 }
2697
2698 /*
2699 * A valid HBA file must have at least one entry; else there's no way to
2700 * connect to the postmaster. But only complain about this if we didn't
2701 * already have parsing errors.
2702 */
2704 {
2706 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2708 HbaFileName)));
2709 ok = false;
2710 }
2711
2712 /* Free tokenizer memory */
2713 free_auth_file(file, 0);
2714 MemoryContextSwitchTo(oldcxt);
2715
2716 if (!ok)
2717 {
2718 /*
2719 * File contained one or more errors, so bail out. MemoryContextDelete
2720 * is enough to clean up everything, including regexes.
2721 */
2722 MemoryContextDelete(hbacxt);
2723 return false;
2724 }
2725
2726 /* Loaded new file successfully, replace the one we use */
2729 parsed_hba_context = hbacxt;
2730 parsed_hba_lines = new_parsed_lines;
2731
2732 return true;
2733}
Assert(PointerIsAligned(start, uint64))
HbaLine * parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
Definition: hba.c:1328
void tokenize_auth_file(const char *filename, FILE *file, List **tok_lines, int elevel, int depth)
Definition: hba.c:691
FILE * open_auth_file(const char *filename, int elevel, int depth, char **err_msg)
Definition: hba.c:597
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:124
Definition: pg_list.h:54
Definition: memnodes.h:118
Definition: hba.h:164
References ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert(), ereport, TokenizedAuthLine::err_msg, errcode(), errmsg(), free_auth_file(), HbaFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline, NIL, open_auth_file(), parse_hba_line(), parsed_hba_context, parsed_hba_lines, PostmasterContext, and tokenize_auth_file().
Referenced by PerformAuthentication(), PostmasterMain(), and process_pm_reload_request().
◆ load_ident()
| bool load_ident | ( | void | ) |
Definition at line 3021 of file hba.c.
3022{
3023 FILE *file;
3025 ListCell *line_cell;
3027 bool ok = true;
3028 MemoryContext oldcxt;
3029 MemoryContext ident_context;
3031
3032 /* not FATAL ... we just won't do any special ident maps */
3034 if (file == NULL)
3035 {
3036 /* error already logged */
3037 return false;
3038 }
3039
3041
3042 /* Now parse all the lines */
3045 "ident parser context",
3046 ALLOCSET_SMALL_SIZES);
3047 oldcxt = MemoryContextSwitchTo(ident_context);
3048 foreach(line_cell, ident_lines)
3049 {
3051
3052 /* don't parse lines that already have errors */
3054 {
3055 ok = false;
3056 continue;
3057 }
3058
3060 {
3061 /* Parse error; remember there's trouble */
3062 ok = false;
3063
3064 /*
3065 * Keep parsing the rest of the file so we can report errors on
3066 * more than the first line. Error has already been logged, no
3067 * need for more chatter here.
3068 */
3069 continue;
3070 }
3071
3073 }
3074
3075 /* Free tokenizer memory */
3076 free_auth_file(file, 0);
3077 MemoryContextSwitchTo(oldcxt);
3078
3079 if (!ok)
3080 {
3081 /*
3082 * File contained one or more errors, so bail out. MemoryContextDelete
3083 * is enough to clean up everything, including regexes.
3084 */
3085 MemoryContextDelete(ident_context);
3086 return false;
3087 }
3088
3089 /* Loaded new file successfully, replace the one we use */
3092
3093 parsed_ident_context = ident_context;
3094 parsed_ident_lines = new_parsed_lines;
3095
3096 return true;
3097}
IdentLine * parse_ident_line(TokenizedAuthLine *tok_line, int elevel)
Definition: hba.c:2751
References ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert(), TokenizedAuthLine::err_msg, free_auth_file(), IdentFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline, NIL, open_auth_file(), parse_ident_line(), parsed_ident_context, parsed_ident_lines, PostmasterContext, and tokenize_auth_file().
Referenced by PerformAuthentication(), PostmasterMain(), and process_pm_reload_request().
◆ open_auth_file()
| FILE * open_auth_file | ( | const char * | filename, |
| int | elevel, | ||
| int | depth, | ||
| char ** | err_msg | ||
| ) |
Definition at line 597 of file hba.c.
599{
600 FILE *file;
601
602 /*
603 * Reject too-deep include nesting depth. This is just a safety check to
604 * avoid dumping core due to stack overflow if an include file loops back
605 * to itself. The maximum nesting depth is pretty arbitrary.
606 */
608 {
609 ereport(elevel,
610 (errcode_for_file_access(),
612 filename)));
613 if (err_msg)
615 filename);
616 return NULL;
617 }
618
620 if (file == NULL)
621 {
622 int save_errno = errno;
623
624 ereport(elevel,
625 (errcode_for_file_access(),
627 filename)));
628 if (err_msg)
629 {
630 errno = save_errno;
632 filename);
633 }
634 /* the caller may care about some specific errno */
635 errno = save_errno;
636 return NULL;
637 }
638
639 /*
640 * When opening the top-level file, create the memory context used for the
641 * tokenization. This will be closed with this file when coming back to
642 * this level of cleanup.
643 */
645 {
646 /*
647 * A context may be present, but assume that it has been eliminated
648 * already.
649 */
651 "tokenize_context",
653 }
654
655 return file;
656}
References AllocateFile(), ALLOCSET_START_SMALL_SIZES, AllocSetContextCreate, CONF_FILE_MAX_DEPTH, CONF_FILE_START_DEPTH, CurrentMemoryContext, ereport, errcode_for_file_access(), errmsg(), filename, psprintf(), and tokenize_context.
Referenced by fill_hba_view(), fill_ident_view(), load_hba(), load_ident(), tokenize_expand_file(), and tokenize_include_file().
◆ parse_hba_line()
| HbaLine * parse_hba_line | ( | TokenizedAuthLine * | tok_line, |
| int | elevel | ||
| ) |
Definition at line 1328 of file hba.c.
1329{
1334 struct addrinfo *gai_result;
1335 struct addrinfo hints;
1336 int ret;
1337 char *cidr_slash;
1338 char *unsupauth;
1339 ListCell *field;
1340 List *tokens;
1341 ListCell *tokencell;
1343 HbaLine *parsedline;
1344
1347 parsedline->linenumber = line_num;
1349
1350 /* Check the record type. */
1353 tokens = lfirst(field);
1355 {
1356 ereport(elevel,
1357 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1361 line_num, file_name)));
1362 *err_msg = "multiple values specified for connection type";
1363 return NULL;
1364 }
1367 {
1369 }
1375 {
1376
1378 {
1380 /* Log a warning if SSL support is not active */
1381#ifdef USE_SSL
1383 {
1384 ereport(elevel,
1385 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1389 line_num, file_name)));
1390 *err_msg = "hostssl record cannot match because SSL is disabled";
1391 }
1392#else
1393 ereport(elevel,
1394 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1397 line_num, file_name)));
1398 *err_msg = "hostssl record cannot match because SSL is not supported by this build";
1399#endif
1400 }
1402 {
1404#ifndef ENABLE_GSS
1405 ereport(elevel,
1406 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1409 line_num, file_name)));
1410 *err_msg = "hostgssenc record cannot match because GSSAPI is not supported by this build";
1411#endif
1412 }
1417 else
1418 {
1419 /* "host" */
1421 }
1422 } /* record type */
1423 else
1424 {
1425 ereport(elevel,
1426 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1428 token->string),
1430 line_num, file_name)));
1432 return NULL;
1433 }
1434
1435 /* Get the databases. */
1437 if (!field)
1438 {
1439 ereport(elevel,
1440 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1443 line_num, file_name)));
1444 *err_msg = "end-of-line before database specification";
1445 return NULL;
1446 }
1448 tokens = lfirst(field);
1449 foreach(tokencell, tokens)
1450 {
1452
1453 /* Compile a regexp for the database token, if necessary */
1455 return NULL;
1456
1458 }
1459
1460 /* Get the roles. */
1462 if (!field)
1463 {
1464 ereport(elevel,
1465 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1468 line_num, file_name)));
1469 *err_msg = "end-of-line before role specification";
1470 return NULL;
1471 }
1473 tokens = lfirst(field);
1474 foreach(tokencell, tokens)
1475 {
1477
1478 /* Compile a regexp from the role token, if necessary */
1480 return NULL;
1481
1483 }
1484
1486 {
1487 /* Read the IP address field. (with or without CIDR netmask) */
1489 if (!field)
1490 {
1491 ereport(elevel,
1492 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1495 line_num, file_name)));
1496 *err_msg = "end-of-line before IP address specification";
1497 return NULL;
1498 }
1499 tokens = lfirst(field);
1501 {
1502 ereport(elevel,
1503 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1507 line_num, file_name)));
1508 *err_msg = "multiple values specified for host address";
1509 return NULL;
1510 }
1512
1514 {
1516 }
1518 {
1519 /* Any IP on this host is allowed to connect */
1521 }
1523 {
1524 /* Any IP on the host's subnets is allowed to connect */
1526 }
1527 else
1528 {
1529 /* IP and netmask are specified */
1531
1532 /* need a modifiable copy of token */
1534
1535 /* Check if it has a CIDR suffix and if so isolate it */
1537 if (cidr_slash)
1538 *cidr_slash = '\0';
1539
1540 /* Get the IP address either way */
1541 hints.ai_flags = AI_NUMERICHOST;
1542 hints.ai_family = AF_UNSPEC;
1543 hints.ai_socktype = 0;
1544 hints.ai_protocol = 0;
1545 hints.ai_addrlen = 0;
1546 hints.ai_canonname = NULL;
1547 hints.ai_addr = NULL;
1548 hints.ai_next = NULL;
1549
1551 if (ret == 0 && gai_result)
1552 {
1553 memcpy(&parsedline->addr, gai_result->ai_addr,
1554 gai_result->ai_addrlen);
1555 parsedline->addrlen = gai_result->ai_addrlen;
1556 }
1557 else if (ret == EAI_NONAME)
1559 else
1560 {
1561 ereport(elevel,
1562 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1566 line_num, file_name)));
1569 if (gai_result)
1570 pg_freeaddrinfo_all(hints.ai_family, gai_result);
1571 return NULL;
1572 }
1573
1574 pg_freeaddrinfo_all(hints.ai_family, gai_result);
1575
1576 /* Get the netmask */
1577 if (cidr_slash)
1578 {
1580 {
1581 ereport(elevel,
1582 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1584 token->string),
1586 line_num, file_name)));
1588 token->string);
1589 return NULL;
1590 }
1591
1593 parsedline->addr.ss_family) < 0)
1594 {
1595 ereport(elevel,
1596 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1598 token->string),
1600 line_num, file_name)));
1602 token->string);
1603 return NULL;
1604 }
1607 }
1609 {
1610 /* Read the mask field. */
1613 if (!field)
1614 {
1615 ereport(elevel,
1616 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1620 line_num, file_name)));
1621 *err_msg = "end-of-line before netmask specification";
1622 return NULL;
1623 }
1624 tokens = lfirst(field);
1626 {
1627 ereport(elevel,
1628 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1631 line_num, file_name)));
1632 *err_msg = "multiple values specified for netmask";
1633 return NULL;
1634 }
1636
1638 &hints, &gai_result);
1639 if (ret || !gai_result)
1640 {
1641 ereport(elevel,
1642 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1646 line_num, file_name)));
1649 if (gai_result)
1650 pg_freeaddrinfo_all(hints.ai_family, gai_result);
1651 return NULL;
1652 }
1653
1654 memcpy(&parsedline->mask, gai_result->ai_addr,
1655 gai_result->ai_addrlen);
1656 parsedline->masklen = gai_result->ai_addrlen;
1657 pg_freeaddrinfo_all(hints.ai_family, gai_result);
1658
1660 {
1661 ereport(elevel,
1662 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1665 line_num, file_name)));
1666 *err_msg = "IP address and mask do not match";
1667 return NULL;
1668 }
1669 }
1670 }
1671 } /* != ctLocal */
1672
1673 /* Get the authentication method */
1675 if (!field)
1676 {
1677 ereport(elevel,
1678 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1681 line_num, file_name)));
1682 *err_msg = "end-of-line before authentication method";
1683 return NULL;
1684 }
1685 tokens = lfirst(field);
1687 {
1688 ereport(elevel,
1689 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1693 line_num, file_name)));
1694 *err_msg = "multiple values specified for authentication type";
1695 return NULL;
1696 }
1698
1699 unsupauth = NULL;
1709#ifdef ENABLE_GSS
1711#else
1712 unsupauth = "gss";
1713#endif
1715#ifdef ENABLE_SSPI
1717#else
1718 unsupauth = "sspi";
1719#endif
1727#ifdef USE_PAM
1729#else
1730 unsupauth = "pam";
1731#endif
1733#ifdef USE_BSD_AUTH
1735#else
1736 unsupauth = "bsd";
1737#endif
1739#ifdef USE_LDAP
1741#else
1742 unsupauth = "ldap";
1743#endif
1745#ifdef USE_SSL
1747#else
1748 unsupauth = "cert";
1749#endif
1754 else
1755 {
1756 ereport(elevel,
1757 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1759 token->string),
1761 line_num, file_name)));
1763 token->string);
1764 return NULL;
1765 }
1766
1767 if (unsupauth)
1768 {
1769 ereport(elevel,
1770 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1772 token->string),
1774 line_num, file_name)));
1776 token->string);
1777 return NULL;
1778 }
1779
1780 /*
1781 * XXX: When using ident on local connections, change it to peer, for
1782 * backwards compatibility.
1783 */
1787
1788 /* Invalid authentication combinations */
1791 {
1792 ereport(elevel,
1793 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1796 line_num, file_name)));
1797 *err_msg = "gssapi authentication is not supported on local sockets";
1798 return NULL;
1799 }
1800
1803 {
1804 ereport(elevel,
1805 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1808 line_num, file_name)));
1809 *err_msg = "peer authentication is only supported on local sockets";
1810 return NULL;
1811 }
1812
1813 /*
1814 * SSPI authentication can never be enabled on ctLocal connections,
1815 * because it's only supported on Windows, where ctLocal isn't supported.
1816 */
1817
1818
1821 {
1822 ereport(elevel,
1823 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1826 line_num, file_name)));
1827 *err_msg = "cert authentication is only supported on hostssl connections";
1828 return NULL;
1829 }
1830
1831 /*
1832 * For GSS and SSPI, set the default value of include_realm to true.
1833 * Having include_realm set to false is dangerous in multi-realm
1834 * situations and is generally considered bad practice. We keep the
1835 * capability around for backwards compatibility, but we might want to
1836 * remove it at some point in the future. Users who still need to strip
1837 * the realm off would be better served by using an appropriate regex in a
1838 * pg_ident.conf mapping.
1839 */
1843
1844 /*
1845 * For SSPI, include_realm defaults to the SAM-compatible domain (aka
1846 * NetBIOS name) and user names instead of the Kerberos principal name for
1847 * compatibility.
1848 */
1850 {
1853 }
1854
1855 /* Parse remaining arguments */
1857 {
1858 tokens = lfirst(field);
1859 foreach(tokencell, tokens)
1860 {
1862
1864
1868 {
1869 /*
1870 * Got something that's not a name=value pair.
1871 */
1872 ereport(elevel,
1873 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1876 line_num, file_name)));
1878 token->string);
1879 return NULL;
1880 }
1881
1884 /* parse_hba_auth_opt already logged the error message */
1885 return NULL;
1887 }
1888 }
1889
1890 /*
1891 * Check if the selected authentication method has any mandatory arguments
1892 * that are not set.
1893 */
1895 {
1896#ifndef HAVE_LDAP_INITIALIZE
1897 /* Not mandatory for OpenLDAP, because it can use DNS SRV records */
1899#endif
1900
1901 /*
1902 * LDAP can operate in two modes: either with a direct bind, using
1903 * ldapprefix and ldapsuffix, or using a search+bind, using
1904 * ldapbasedn, ldapbinddn, ldapbindpasswd and one of
1905 * ldapsearchattribute or ldapsearchfilter. Disallow mixing these
1906 * parameters.
1907 */
1909 {
1911 parsedline->ldapbinddn ||
1912 parsedline->ldapbindpasswd ||
1913 parsedline->ldapsearchattribute ||
1914 parsedline->ldapsearchfilter)
1915 {
1916 ereport(elevel,
1917 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1920 line_num, file_name)));
1921 *err_msg = "cannot mix options for simple bind and search+bind modes";
1922 return NULL;
1923 }
1924 }
1926 {
1927 ereport(elevel,
1928 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1929 errmsg("authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set"),
1931 line_num, file_name)));
1932 *err_msg = "authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set";
1933 return NULL;
1934 }
1935
1936 /*
1937 * When using search+bind, you can either use a simple attribute
1938 * (defaulting to "uid") or a fully custom search filter. You can't
1939 * do both.
1940 */
1942 {
1943 ereport(elevel,
1944 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1947 line_num, file_name)));
1948 *err_msg = "cannot use ldapsearchattribute together with ldapsearchfilter";
1949 return NULL;
1950 }
1951 }
1952
1954 {
1957
1959 {
1960 ereport(elevel,
1961 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1964 line_num, file_name)));
1965 *err_msg = "list of RADIUS servers cannot be empty";
1966 return NULL;
1967 }
1968
1970 {
1971 ereport(elevel,
1972 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1975 line_num, file_name)));
1976 *err_msg = "list of RADIUS secrets cannot be empty";
1977 return NULL;
1978 }
1979
1980 /*
1981 * Verify length of option lists - each can be 0 (except for secrets,
1982 * but that's already checked above), 1 (use the same value
1983 * everywhere) or the same as the number of servers.
1984 */
1987 {
1988 ereport(elevel,
1989 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1990 errmsg("the number of RADIUS secrets (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1994 line_num, file_name)));
1995 *err_msg = psprintf("the number of RADIUS secrets (%d) must be 1 or the same as the number of RADIUS servers (%d)",
1998 return NULL;
1999 }
2003 {
2004 ereport(elevel,
2005 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2006 errmsg("the number of RADIUS ports (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2010 line_num, file_name)));
2011 *err_msg = psprintf("the number of RADIUS ports (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2014 return NULL;
2015 }
2019 {
2020 ereport(elevel,
2021 (errcode(ERRCODE_CONFIG_FILE_ERROR),
2022 errmsg("the number of RADIUS identifiers (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2026 line_num, file_name)));
2027 *err_msg = psprintf("the number of RADIUS identifiers (%d) must be 1 or the same as the number of RADIUS servers (%d)",
2030 return NULL;
2031 }
2032 }
2033
2034 /*
2035 * Enforce any parameters implied by other settings.
2036 */
2038 {
2039 /*
2040 * For auth method cert, client certificate validation is mandatory,
2041 * and it implies the level of verify-full.
2042 */
2044 }
2045
2046 /*
2047 * Enforce proper configuration of OAuth authentication.
2048 */
2050 {
2053
2054 /* Ensure a validator library is set and permitted by the config. */
2056 return NULL;
2057
2058 /*
2059 * Supplying a usermap combined with the option to skip usermapping is
2060 * nonsensical and indicates a configuration error.
2061 */
2063 {
2064 ereport(elevel,
2065 errcode(ERRCODE_CONFIG_FILE_ERROR),
2066 /* translator: strings are replaced with hba options */
2068 "map", "delegate_ident_mapping"),
2070 line_num, file_name));
2071 *err_msg = "map cannot be used in combination with delegate_ident_mapping";
2072 return NULL;
2073 }
2074 }
2075
2076 return parsedline;
2077}
bool check_oauth_validator(HbaLine *hbaline, int elevel, char **err_msg)
Definition: auth-oauth.c:820
static bool parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int elevel, char **err_msg)
Definition: hba.c:2087
static int regcomp_auth_token(AuthToken *token, char *filename, int line_num, char **err_msg, int elevel)
Definition: hba.c:303
int pg_sockaddr_cidr_mask(struct sockaddr_storage *mask, char *numbits, int family)
Definition: ifaddr.c:105
void pg_freeaddrinfo_all(int hint_ai_family, struct addrinfo *ai)
Definition: ip.c:82
int pg_getaddrinfo_all(const char *hostname, const char *servname, const struct addrinfo *hintp, struct addrinfo **result)
Definition: ip.c:53
Definition: oauth-curl.c:192
References HbaLine::addr, HbaLine::addrlen, Assert(), HbaLine::auth_method, check_oauth_validator(), HbaLine::clientcert, clientCertFull, HbaLine::compat_realm, HbaLine::conntype, copy_auth_token(), ctHost, ctHostGSS, ctHostNoGSS, ctHostNoSSL, ctHostSSL, ctLocal, HbaLine::databases, EnableSSL, ereport, TokenizedAuthLine::err_msg, errcode(), errcontext, errhint(), errmsg(), TokenizedAuthLine::fields, TokenizedAuthLine::file_name, gai_strerror(), HbaLine::hostname, HbaLine::include_realm, HbaLine::ip_cmp_method, ipCmpAll, ipCmpMask, ipCmpSameHost, ipCmpSameNet, lappend(), HbaLine::ldapbasedn, HbaLine::ldapbinddn, HbaLine::ldapbindpasswd, HbaLine::ldapprefix, HbaLine::ldapsearchattribute, HbaLine::ldapsearchfilter, HbaLine::ldapserver, HbaLine::ldapsuffix, List::length, lfirst, TokenizedAuthLine::line_num, HbaLine::linenumber, linitial, list_head(), list_length(), lnext(), MANDATORY_AUTH_ARG, HbaLine::mask, HbaLine::masklen, NIL, HbaLine::oauth_issuer, HbaLine::oauth_scope, HbaLine::oauth_skip_usermap, palloc0(), parse_hba_auth_opt(), pfree(), pg_freeaddrinfo_all(), pg_getaddrinfo_all(), pg_sockaddr_cidr_mask(), psprintf(), pstrdup(), HbaLine::radiusidentifiers, HbaLine::radiusports, HbaLine::radiussecrets, HbaLine::radiusservers, TokenizedAuthLine::raw_line, HbaLine::rawline, regcomp_auth_token(), HbaLine::roles, HbaLine::sourcefile, str, token, token_is_keyword, uaBSD, uaCert, uaGSS, uaIdent, uaLDAP, uaMD5, uaOAuth, uaPAM, uaPassword, uaPeer, uaRADIUS, uaReject, uaSCRAM, uaSSPI, uaTrust, HbaLine::upn_username, HbaLine::usermap, and val.
Referenced by fill_hba_view(), and load_hba().
◆ parse_ident_line()
| IdentLine * parse_ident_line | ( | TokenizedAuthLine * | tok_line, |
| int | elevel | ||
| ) |
Definition at line 2751 of file hba.c.
2752{
2756 ListCell *field;
2757 List *tokens;
2759 IdentLine *parsedline;
2760
2763
2765 parsedline->linenumber = line_num;
2766
2767 /* Get the map token (must exist) */
2768 tokens = lfirst(field);
2769 IDENT_MULTI_VALUE(tokens);
2772
2773 /* Get the ident user token */
2775 IDENT_FIELD_ABSENT(field);
2776 tokens = lfirst(field);
2777 IDENT_MULTI_VALUE(tokens);
2779
2780 /* Copy the ident user token */
2782
2783 /* Get the PG rolename token */
2785 IDENT_FIELD_ABSENT(field);
2786 tokens = lfirst(field);
2787 IDENT_MULTI_VALUE(tokens);
2790
2791 /*
2792 * Now that the field validation is done, compile a regex from the user
2793 * tokens, if necessary.
2794 */
2796 err_msg, elevel))
2797 {
2798 /* err_msg includes the error to report */
2799 return NULL;
2800 }
2801
2803 err_msg, elevel))
2804 {
2805 /* err_msg includes the error to report */
2806 return NULL;
2807 }
2808
2809 return parsedline;
2810}
References Assert(), copy_auth_token(), TokenizedAuthLine::err_msg, TokenizedAuthLine::fields, TokenizedAuthLine::file_name, IDENT_FIELD_ABSENT, IDENT_MULTI_VALUE, lfirst, TokenizedAuthLine::line_num, IdentLine::linenumber, linitial, list_head(), lnext(), NIL, palloc0(), IdentLine::pg_user, pstrdup(), regcomp_auth_token(), IdentLine::system_user, token, and IdentLine::usermap.
Referenced by fill_ident_view(), and load_ident().
◆ pg_isblank()
| bool pg_isblank | ( | const char | c | ) |
Definition at line 146 of file hba.c.
Referenced by interpret_ident_response(), and next_token().
◆ tokenize_auth_file()
| void tokenize_auth_file | ( | const char * | filename, |
| FILE * | file, | ||
| List ** | tok_lines, | ||
| int | elevel, | ||
| int | depth | ||
| ) |
Definition at line 691 of file hba.c.
693{
694 int line_number = 1;
696 MemoryContext linecxt;
698 ErrorContextCallback tokenerrcontext;
699 tokenize_error_callback_arg callback_arg;
700
702
704 callback_arg.linenum = line_number;
705
707 tokenerrcontext.arg = &callback_arg;
709 error_context_stack = &tokenerrcontext;
710
711 /*
712 * Do all the local tokenization in its own context, to ease the cleanup
713 * of any memory allocated while tokenizing.
714 */
716 "tokenize_auth_file",
717 ALLOCSET_SMALL_SIZES);
718 funccxt = MemoryContextSwitchTo(linecxt);
719
721
723 *tok_lines = NIL;
724
725 while (!feof(file) && !ferror(file))
726 {
727 TokenizedAuthLine *tok_line;
728 MemoryContext oldcxt;
731 char *err_msg = NULL;
732 int last_backslash_buflen = 0;
733 int continuations = 0;
734
735 /* Collect the next input line, handling backslash continuations */
737
739 {
740 /* Strip trailing newline, including \r in case we're on Windows */
742
743 /*
744 * Check for backslash continuation. The backslash must be after
745 * the last place we found a continuation, else two backslashes
746 * followed by two \n's would behave surprisingly.
747 */
750 {
751 /* Continuation, so strip it and keep reading */
753 last_backslash_buflen = buf.len;
754 continuations++;
755 continue;
756 }
757
758 /* Nope, so we have the whole line */
759 break;
760 }
761
762 if (ferror(file))
763 {
764 /* I/O error! */
765 int save_errno = errno;
766
767 ereport(elevel,
768 (errcode_for_file_access(),
770 errno = save_errno;
772 filename);
773 break;
774 }
775
776 /* Parse fields */
779 {
780 List *current_field;
781
783 elevel, depth, &err_msg);
784 /* add field to line, unless we are at EOL or comment start */
786 {
787 /*
788 * lappend() may do its own allocations, so move to the
789 * context for the list of tokens.
790 */
792 current_line = lappend(current_line, current_field);
793 MemoryContextSwitchTo(oldcxt);
794 }
795 }
796
797 /*
798 * Reached EOL; no need to emit line to TokenizedAuthLine list if it's
799 * boring.
800 */
802 goto next_line;
803
804 /* If the line is valid, check if that's an include directive */
806 {
807 AuthToken *first,
808 *second;
809
812
814 {
816 elevel, depth + 1, false, &err_msg);
817
818 if (err_msg)
819 goto process_line;
820
821 /*
822 * tokenize_auth_file() has taken care of creating the
823 * TokenizedAuthLines.
824 */
825 goto next_line;
826 }
828 {
829 char **filenames;
831 int num_filenames;
832 StringInfoData err_buf;
833
835 &num_filenames, &err_msg);
836
837 if (!filenames)
838 {
839 /* the error is in err_msg, so create an entry */
840 goto process_line;
841 }
842
843 initStringInfo(&err_buf);
845 {
847 elevel, depth + 1, false, &err_msg);
848 /* cumulate errors if any */
849 if (err_msg)
850 {
853 appendStringInfoString(&err_buf, err_msg);
854 }
855 }
856
857 /* clean up things */
860 pfree(filenames);
861
862 /*
863 * If there were no errors, the line is fully processed,
864 * bypass the general TokenizedAuthLine processing.
865 */
867 goto next_line;
868
869 /* Otherwise, process the cumulated errors, if any. */
870 err_msg = err_buf.data;
871 goto process_line;
872 }
874 {
875
877 elevel, depth + 1, true, &err_msg);
878 if (err_msg)
879 goto process_line;
880
881 /*
882 * tokenize_auth_file() has taken care of creating the
883 * TokenizedAuthLines.
884 */
885 goto next_line;
886 }
887 }
888
889process_line:
890
891 /*
892 * General processing: report the error if any and emit line to the
893 * TokenizedAuthLine. This is saved in the memory context dedicated
894 * to this list.
895 */
898 tok_line->fields = current_line;
900 tok_line->line_num = line_number;
903 *tok_lines = lappend(*tok_lines, tok_line);
904 MemoryContextSwitchTo(oldcxt);
905
906next_line:
907 line_number += continuations + 1;
908 callback_arg.linenum = line_number;
909 }
910
911 MemoryContextSwitchTo(funccxt);
912 MemoryContextDelete(linecxt);
913
915}
char ** GetConfFilesInDir(const char *includedir, const char *calling_file, int elevel, int *num_filenames, char **err_msg)
Definition: conffiles.c:70
static List * next_field_expand(const char *filename, char **lineptr, int elevel, int depth, char **err_msg)
Definition: hba.c:381
static void tokenize_include_file(const char *outer_filename, const char *inc_filename, List **tok_lines, int elevel, int depth, bool missing_ok, char **err_msg)
Definition: hba.c:440
bool pg_get_line_append(FILE *stream, StringInfo buf, PromptInterruptContext *prompt_ctx)
Definition: pg_get_line.c:124
void appendStringInfoString(StringInfo str, const char *s)
Definition: stringinfo.c:230
Definition: elog.h:295
Definition: stringinfo.h:47
Definition: mbprint.h:17
Definition: hba.c:64
References ALLOCSET_SMALL_SIZES, AllocSetContextCreate, appendStringInfoChar(), appendStringInfoString(), ErrorContextCallback::arg, Assert(), buf, ErrorContextCallback::callback, CONF_FILE_START_DEPTH, CurrentMemoryContext, StringInfoData::data, ereport, TokenizedAuthLine::err_msg, errcode_for_file_access(), errmsg(), error_context_stack, TokenizedAuthLine::fields, TokenizedAuthLine::file_name, tokenize_error_callback_arg::filename, filename, GetConfFilesInDir(), i, initStringInfo(), lappend(), StringInfoData::len, TokenizedAuthLine::line_num, tokenize_error_callback_arg::linenum, linitial, linitial_node, list_length(), lsecond_node, MemoryContextDelete(), MemoryContextSwitchTo(), next_field_expand(), NIL, palloc0(), pfree(), pg_get_line_append(), pg_strip_crlf(), ErrorContextCallback::previous, psprintf(), pstrdup(), TokenizedAuthLine::raw_line, resetStringInfo(), AuthToken::string, tokenize_context, tokenize_error_callback(), and tokenize_include_file().
Referenced by fill_hba_view(), fill_ident_view(), load_hba(), load_ident(), tokenize_expand_file(), and tokenize_include_file().
