PostgreSQL Source Code  git master
hba.h File Reference
#include "libpq/pqcomm.h"
#include "nodes/pg_list.h"
#include "regex/regex.h"

Data Structures

struct  HbaLine
 
struct  IdentLine
 

Macros

#define USER_AUTH_LAST   uaPeer /* Must be last value of this enum */
 

Typedefs

typedef enum UserAuth UserAuth
 
typedef enum IPCompareMethod IPCompareMethod
 
typedef enum ConnType ConnType
 
typedef enum ClientCertMode ClientCertMode
 
typedef struct HbaLine HbaLine
 
typedef struct IdentLine IdentLine
 
typedef struct Port hbaPort
 

Enumerations

enum  UserAuth {
  uaReject, uaImplicitReject, uaTrust, uaIdent,
  uaPassword, uaMD5, uaSCRAM, uaGSS,
  uaSSPI, uaPAM, uaBSD, uaLDAP,
  uaCert, uaRADIUS, uaPeer
}
 
enum  IPCompareMethod { ipCmpMask, ipCmpSameHost, ipCmpSameNet, ipCmpAll }
 
enum  ConnType {
  ctLocal, ctHost, ctHostSSL, ctHostNoSSL,
  ctHostGSS, ctHostNoGSS
}
 
enum  ClientCertMode { clientCertOff, clientCertCA, clientCertFull }
 

Functions

bool load_hba (void)
 
bool load_ident (void)
 
void hba_getauthmethod (hbaPort *port)
 
int check_usermap (const char *usermap_name, const char *pg_role, const char *auth_user, bool case_sensitive)
 
bool pg_isblank (const char c)
 

Macro Definition Documentation

◆ USER_AUTH_LAST

#define USER_AUTH_LAST   uaPeer /* Must be last value of this enum */

Definition at line 42 of file hba.h.

Referenced by fill_hba_line().

Typedef Documentation

◆ ClientCertMode

◆ ConnType

typedef enum ConnType ConnType

◆ HbaLine

typedef struct HbaLine HbaLine

◆ hbaPort

typedef struct Port hbaPort

Definition at line 129 of file hba.h.

◆ IdentLine

typedef struct IdentLine IdentLine

◆ IPCompareMethod

◆ UserAuth

typedef enum UserAuth UserAuth

Enumeration Type Documentation

◆ ClientCertMode

Enumerator
clientCertOff 
clientCertCA 
clientCertFull 

Definition at line 67 of file hba.h.


◆ ConnType

enum ConnType
Enumerator
ctLocal 
ctHost 
ctHostSSL 
ctHostNoSSL 
ctHostGSS 
ctHostNoGSS 

Definition at line 57 of file hba.h.

58 {
59  ctLocal,
60  ctHost,
61  ctHostSSL,
63  ctHostGSS,
65 } ConnType;

◆ IPCompareMethod

Enumerator
ipCmpMask 
ipCmpSameHost 
ipCmpSameNet 
ipCmpAll 

Definition at line 49 of file hba.h.

50 {
51  ipCmpMask,
54  ipCmpAll

◆ UserAuth

enum UserAuth
Enumerator
uaReject 
uaImplicitReject 
uaTrust 
uaIdent 
uaPassword 
uaMD5 
uaSCRAM 
uaGSS 
uaSSPI 
uaPAM 
uaBSD 
uaLDAP 
uaCert 
uaRADIUS 
uaPeer 

Definition at line 25 of file hba.h.

26 {
27  uaReject,
28  uaImplicitReject, /* Not a user-visible option */
29  uaTrust,
30  uaIdent,
31  uaPassword,
32  uaMD5,
33  uaSCRAM,
34  uaGSS,
35  uaSSPI,
36  uaPAM,
37  uaBSD,
38  uaLDAP,
39  uaCert,
40  uaRADIUS,
41  uaPeer
42 #define USER_AUTH_LAST uaPeer /* Must be last value of this enum */
43 } UserAuth;

Function Documentation

◆ check_usermap()

int check_usermap ( const char *  usermap_name,
const char *  pg_role,
const char *  auth_user,
bool  case_sensitive 
)

Definition at line 2943 of file hba.c.

References check_ident_usermap(), ereport, errmsg(), error(), lfirst, LOG, pg_strcasecmp(), STATUS_ERROR, and STATUS_OK.

Referenced by auth_peer(), CheckSCRAMAuth(), and ident_inet().

/*
 * check_usermap
 *
 * Decide whether pg_role (the role the client asked for) may be used by a
 * client whose external identity was authenticated as auth_user.
 *
 * usermap_name: name of a pg_ident.conf map, or NULL / "" for "no map".
 *   With no map the two names must simply be equal; with a map, every
 *   parsed ident line is consulted via check_ident_usermap() until one
 *   matches or reports an error.
 * pg_role, auth_user: the two names to compare (both must be non-NULL,
 *   they are passed straight to strcmp/pg_strcasecmp).
 * case_insensitive: when true the no-map comparison uses pg_strcasecmp.
 *   NOTE(review): the prototype in hba.h spells this parameter
 *   "case_sensitive"; the definition and its semantics are the opposite
 *   (true means case-INsensitive), so read callers against this file.
 *
 * Returns STATUS_OK when the names match (directly or through the map),
 * otherwise STATUS_ERROR. A LOG message is emitted on both failure paths;
 * a map-lookup error is reported by check_ident_usermap() itself.
 */
int
check_usermap(const char *usermap_name,
			  const char *pg_role,
			  const char *auth_user,
			  bool case_insensitive)
{
	bool		found_entry = false;
	bool		error = false;
	ListCell   *line_cell;

	/* No map: the role and the authenticated name must agree directly. */
	if (usermap_name == NULL || usermap_name[0] == '\0')
	{
		int			cmp = case_insensitive
			? pg_strcasecmp(pg_role, auth_user)
			: strcmp(pg_role, auth_user);

		if (cmp == 0)
			return STATUS_OK;

		ereport(LOG,
				(errmsg("provided user name (%s) and authenticated user name (%s) do not match",
						pg_role, auth_user)));
		return STATUS_ERROR;
	}

	/* Consult the parsed ident map; stop at the first match or error. */
	foreach(line_cell, parsed_ident_lines)
	{
		check_ident_usermap(lfirst(line_cell), usermap_name,
							pg_role, auth_user, case_insensitive,
							&found_entry, &error);
		if (found_entry || error)
			break;
	}

	/* An error was already logged by check_ident_usermap(); only log "no match". */
	if (!found_entry && !error)
		ereport(LOG,
				(errmsg("no match in usermap \"%s\" for user \"%s\" authenticated as \"%s\"",
						usermap_name, pg_role, auth_user)));

	return found_entry ? STATUS_OK : STATUS_ERROR;
}
static void check_ident_usermap(IdentLine *identLine, const char *usermap_name, const char *pg_role, const char *ident_user, bool case_insensitive, bool *found_p, bool *error_p)
Definition: hba.c:2808
static void error(void)
Definition: sql-dyntest.c:147
#define STATUS_ERROR
Definition: c.h:1171
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36
#define LOG
Definition: elog.h:26
#define STATUS_OK
Definition: c.h:1170
#define ereport(elevel,...)
Definition: elog.h:155
static List * parsed_ident_lines
Definition: hba.c:112
#define lfirst(lc)
Definition: pg_list.h:169
int errmsg(const char *fmt,...)
Definition: elog.c:915

◆ hba_getauthmethod()

void hba_getauthmethod ( hbaPort port)

Definition at line 3109 of file hba.c.

References check_hba().

Referenced by ClientAuthentication().

3110 {
3111  check_hba(port);
3112 }
static void check_hba(hbaPort *port)
Definition: hba.c:2084

◆ load_hba()

bool load_hba ( void  )

Definition at line 2198 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert, ereport, TokenizedLine::err_msg, errcode(), errcode_for_file_access(), errmsg(), FreeFile(), HbaFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline(), NIL, parse_hba_line(), PostmasterContext, and tokenize_file().

Referenced by PerformAuthentication(), PostmasterMain(), and SIGHUP_handler().

2199 {
2200  FILE *file;
2201  List *hba_lines = NIL;
2202  ListCell *line;
2203  List *new_parsed_lines = NIL;
2204  bool ok = true;
2205  MemoryContext linecxt;
2206  MemoryContext oldcxt;
2207  MemoryContext hbacxt;
2208 
2209  file = AllocateFile(HbaFileName, "r");
2210  if (file == NULL)
2211  {
2212  ereport(LOG,
2214  errmsg("could not open configuration file \"%s\": %m",
2215  HbaFileName)));
2216  return false;
2217  }
2218 
2219  linecxt = tokenize_file(HbaFileName, file, &hba_lines, LOG);
2220  FreeFile(file);
2221 
2222  /* Now parse all the lines */
2225  "hba parser context",
2227  oldcxt = MemoryContextSwitchTo(hbacxt);
2228  foreach(line, hba_lines)
2229  {
2230  TokenizedLine *tok_line = (TokenizedLine *) lfirst(line);
2231  HbaLine *newline;
2232 
2233  /* don't parse lines that already have errors */
2234  if (tok_line->err_msg != NULL)
2235  {
2236  ok = false;
2237  continue;
2238  }
2239 
2240  if ((newline = parse_hba_line(tok_line, LOG)) == NULL)
2241  {
2242  /* Parse error; remember there's trouble */
2243  ok = false;
2244 
2245  /*
2246  * Keep parsing the rest of the file so we can report errors on
2247  * more than the first line. Error has already been logged, no
2248  * need for more chatter here.
2249  */
2250  continue;
2251  }
2252 
2253  new_parsed_lines = lappend(new_parsed_lines, newline);
2254  }
2255 
2256  /*
2257  * A valid HBA file must have at least one entry; else there's no way to
2258  * connect to the postmaster. But only complain about this if we didn't
2259  * already have parsing errors.
2260  */
2261  if (ok && new_parsed_lines == NIL)
2262  {
2263  ereport(LOG,
2264  (errcode(ERRCODE_CONFIG_FILE_ERROR),
2265  errmsg("configuration file \"%s\" contains no entries",
2266  HbaFileName)));
2267  ok = false;
2268  }
2269 
2270  /* Free tokenizer memory */
2271  MemoryContextDelete(linecxt);
2272  MemoryContextSwitchTo(oldcxt);
2273 
2274  if (!ok)
2275  {
2276  /* File contained one or more errors, so bail out */
2277  MemoryContextDelete(hbacxt);
2278  return false;
2279  }
2280 
2281  /* Loaded new file successfully, replace the one we use */
2282  if (parsed_hba_context != NULL)
2284  parsed_hba_context = hbacxt;
2285  parsed_hba_lines = new_parsed_lines;
2286 
2287  return true;
2288 }
Definition: hba.h:74
#define NIL
Definition: pg_list.h:65
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:212
#define AllocSetContextCreate
Definition: memutils.h:170
#define ALLOCSET_SMALL_SIZES
Definition: memutils.h:202
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
int errcode(int sqlerrcode)
Definition: elog.c:704
#define LOG
Definition: elog.h:26
static chr newline(void)
Definition: regc_lex.c:1004
static List * parsed_hba_lines
Definition: hba.c:101
char * HbaFileName
Definition: guc.c:559
static MemoryContext parsed_hba_context
Definition: hba.c:102
char * err_msg
Definition: hba.c:94
int errcode_for_file_access(void)
Definition: elog.c:727
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2354
List * lappend(List *list, void *datum)
Definition: list.c:336
static HbaLine * parse_hba_line(TokenizedLine *tok_line, int elevel)
Definition: hba.c:968
#define ereport(elevel,...)
Definition: elog.h:155
#define Assert(condition)
Definition: c.h:804
#define lfirst(lc)
Definition: pg_list.h:169
static MemoryContext tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
Definition: hba.c:478
int FreeFile(FILE *file)
Definition: fd.c:2553
int errmsg(const char *fmt,...)
Definition: elog.c:915
Definition: pg_list.h:50
MemoryContext PostmasterContext
Definition: mcxt.c:46

◆ load_ident()

bool load_ident ( void  )

Definition at line 2998 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert, ereport, TokenizedLine::err_msg, errcode_for_file_access(), errmsg(), FreeFile(), IdentLine::ident_user, IdentFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline(), NIL, parse_ident_line(), pg_regfree(), PostmasterContext, IdentLine::re, and tokenize_file().

Referenced by PerformAuthentication(), PostmasterMain(), and SIGHUP_handler().

2999 {
3000  FILE *file;
3001  List *ident_lines = NIL;
3002  ListCell *line_cell,
3003  *parsed_line_cell;
3004  List *new_parsed_lines = NIL;
3005  bool ok = true;
3006  MemoryContext linecxt;
3007  MemoryContext oldcxt;
3008  MemoryContext ident_context;
3009  IdentLine *newline;
3010 
3011  file = AllocateFile(IdentFileName, "r");
3012  if (file == NULL)
3013  {
3014  /* not fatal ... we just won't do any special ident maps */
3015  ereport(LOG,
3017  errmsg("could not open usermap file \"%s\": %m",
3018  IdentFileName)));
3019  return false;
3020  }
3021 
3022  linecxt = tokenize_file(IdentFileName, file, &ident_lines, LOG);
3023  FreeFile(file);
3024 
3025  /* Now parse all the lines */
3027  ident_context = AllocSetContextCreate(PostmasterContext,
3028  "ident parser context",
3030  oldcxt = MemoryContextSwitchTo(ident_context);
3031  foreach(line_cell, ident_lines)
3032  {
3033  TokenizedLine *tok_line = (TokenizedLine *) lfirst(line_cell);
3034 
3035  /* don't parse lines that already have errors */
3036  if (tok_line->err_msg != NULL)
3037  {
3038  ok = false;
3039  continue;
3040  }
3041 
3042  if ((newline = parse_ident_line(tok_line)) == NULL)
3043  {
3044  /* Parse error; remember there's trouble */
3045  ok = false;
3046 
3047  /*
3048  * Keep parsing the rest of the file so we can report errors on
3049  * more than the first line. Error has already been logged, no
3050  * need for more chatter here.
3051  */
3052  continue;
3053  }
3054 
3055  new_parsed_lines = lappend(new_parsed_lines, newline);
3056  }
3057 
3058  /* Free tokenizer memory */
3059  MemoryContextDelete(linecxt);
3060  MemoryContextSwitchTo(oldcxt);
3061 
3062  if (!ok)
3063  {
3064  /*
3065  * File contained one or more errors, so bail out, first being careful
3066  * to clean up whatever we allocated. Most stuff will go away via
3067  * MemoryContextDelete, but we have to clean up regexes explicitly.
3068  */
3069  foreach(parsed_line_cell, new_parsed_lines)
3070  {
3071  newline = (IdentLine *) lfirst(parsed_line_cell);
3072  if (newline->ident_user[0] == '/')
3073  pg_regfree(&newline->re);
3074  }
3075  MemoryContextDelete(ident_context);
3076  return false;
3077  }
3078 
3079  /* Loaded new file successfully, replace the one we use */
3080  if (parsed_ident_lines != NIL)
3081  {
3082  foreach(parsed_line_cell, parsed_ident_lines)
3083  {
3084  newline = (IdentLine *) lfirst(parsed_line_cell);
3085  if (newline->ident_user[0] == '/')
3086  pg_regfree(&newline->re);
3087  }
3088  }
3089  if (parsed_ident_context != NULL)
3091 
3092  parsed_ident_context = ident_context;
3093  parsed_ident_lines = new_parsed_lines;
3094 
3095  return true;
3096 }
#define NIL
Definition: pg_list.h:65
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:212
#define AllocSetContextCreate
Definition: memutils.h:170
regex_t re
Definition: hba.h:125
#define ALLOCSET_SMALL_SIZES
Definition: memutils.h:202
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
#define LOG
Definition: elog.h:26
static chr newline(void)
Definition: regc_lex.c:1004
char * err_msg
Definition: hba.c:94
int errcode_for_file_access(void)
Definition: elog.c:727
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2354
char * IdentFileName
Definition: guc.c:560
List * lappend(List *list, void *datum)
Definition: list.c:336
#define ereport(elevel,...)
Definition: elog.h:155
static List * parsed_ident_lines
Definition: hba.c:112
static MemoryContext parsed_ident_context
Definition: hba.c:113
#define Assert(condition)
Definition: c.h:804
#define lfirst(lc)
Definition: pg_list.h:169
static MemoryContext tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
Definition: hba.c:478
Definition: hba.h:118
int FreeFile(FILE *file)
Definition: fd.c:2553
char * ident_user
Definition: hba.h:123
int errmsg(const char *fmt,...)
Definition: elog.c:915
static IdentLine * parse_ident_line(TokenizedLine *tok_line)
Definition: hba.c:2731
void pg_regfree(regex_t *re)
Definition: regfree.c:49
Definition: pg_list.h:50
MemoryContext PostmasterContext
Definition: mcxt.c:46

◆ pg_isblank()

bool pg_isblank ( const char  c)

Definition at line 160 of file hba.c.

Referenced by interpret_ident_response(), and next_token().

/*
 * pg_isblank
 *
 * Report whether c is one of the characters treated as blank by the
 * hba/ident tokenizer (next_token) and by interpret_ident_response():
 * space, horizontal tab, or carriage return. Newline ('\n') is deliberately
 * not blank, since it terminates a line.
 */
bool
pg_isblank(const char c)
{
	switch (c)
	{
		case ' ':
		case '\t':
		case '\r':
			return true;
		default:
			return false;
	}
}