hba.h File Reference
#include "libpq/pqcomm.h"
#include "nodes/pg_list.h"
#include "regex/regex.h"

Data Structures

struct  HbaLine
 
struct  IdentLine
 

Macros

#define USER_AUTH_LAST   uaPeer /* Must be last value of this enum */
 

Typedefs

typedef enum UserAuth UserAuth
 
typedef enum IPCompareMethod IPCompareMethod
 
typedef enum ConnType ConnType
 
typedef enum ClientCertMode ClientCertMode
 
typedef enum ClientCertName ClientCertName
 
typedef struct HbaLine HbaLine
 
typedef struct IdentLine IdentLine
 
typedef struct Port hbaPort
 

Enumerations

enum  UserAuth {
  uaReject, uaImplicitReject, uaTrust, uaIdent,
  uaPassword, uaMD5, uaSCRAM, uaGSS,
  uaSSPI, uaPAM, uaBSD, uaLDAP,
  uaCert, uaRADIUS
}
 
enum  IPCompareMethod { ipCmpMask, ipCmpSameHost, ipCmpSameNet, ipCmpAll }
 
enum  ConnType {
  ctLocal, ctHost, ctHostSSL, ctHostNoSSL,
  ctHostGSS, ctHostNoGSS
}
 
enum  ClientCertMode { clientCertOff, clientCertCA, clientCertFull }
 
enum  ClientCertName { clientCertCN, clientCertDN }
 

Functions

bool load_hba (void)
 
bool load_ident (void)
 
const char * hba_authname (UserAuth auth_method)
 
void hba_getauthmethod (hbaPort *port)
 
int check_usermap (const char *usermap_name, const char *pg_role, const char *auth_user, bool case_sensitive)
 
bool pg_isblank (const char c)
 

Macro Definition Documentation

◆ USER_AUTH_LAST

#define USER_AUTH_LAST   uaPeer /* Must be last value of this enum */

Definition at line 42 of file hba.h.

Referenced by hba_authname().

Typedef Documentation

◆ ClientCertMode

◆ ClientCertName

◆ ConnType

typedef enum ConnType ConnType

◆ HbaLine

typedef struct HbaLine HbaLine

◆ hbaPort

typedef struct Port hbaPort

Definition at line 136 of file hba.h.

◆ IdentLine

typedef struct IdentLine IdentLine

◆ IPCompareMethod

◆ UserAuth

typedef enum UserAuth UserAuth

Enumeration Type Documentation

◆ ClientCertMode

Enumerator
clientCertOff 
clientCertCA 
clientCertFull 

Definition at line 67 of file hba.h.

68 {
ClientCertMode
Definition: hba.h:67

◆ ClientCertName

Enumerator
clientCertCN 
clientCertDN 

Definition at line 74 of file hba.h.

75 {
ClientCertName
Definition: hba.h:74

◆ ConnType

enum ConnType
Enumerator
ctLocal 
ctHost 
ctHostSSL 
ctHostNoSSL 
ctHostGSS 
ctHostNoGSS 

Definition at line 57 of file hba.h.

/*
 * ConnType: the kind of client connection an HBA rule applies to.
 *
 * NOTE(review): this rendering is incomplete.  Line 57 (the
 * "typedef enum ConnType" opener, per the "Definition at line 57" note) and
 * lines 62 and 64 are not shown; per the Enumerator table above they hold
 * ctHostNoSSL and ctHostNoGSS.
 */
58 {
59  ctLocal,
60  ctHost,
61  ctHostSSL,
/* line 62 (ctHostNoSSL) not shown in this rendering */
63  ctHostGSS,
/* line 64 (ctHostNoGSS) not shown in this rendering */
65 } ConnType;

◆ IPCompareMethod

Enumerator
ipCmpMask 
ipCmpSameHost 
ipCmpSameNet 
ipCmpAll 

Definition at line 49 of file hba.h.

/*
 * IPCompareMethod: how the address field of an HBA rule is matched against
 * the client address.
 *
 * NOTE(review): this rendering is incomplete.  Line 49 (the typedef opener,
 * per the "Definition at line 49" note), lines 52-53 and the closing line
 * are not shown; per the Enumerator table above lines 52-53 hold
 * ipCmpSameHost and ipCmpSameNet.
 */
50 {
51  ipCmpMask,
/* lines 52-53 (ipCmpSameHost, ipCmpSameNet) not shown in this rendering */
54  ipCmpAll

◆ UserAuth

enum UserAuth
Enumerator
uaReject 
uaImplicitReject 
uaTrust 
uaIdent 
uaPassword 
uaMD5 
uaSCRAM 
uaGSS 
uaSSPI 
uaPAM 
uaBSD 
uaLDAP 
uaCert 
uaRADIUS 

Definition at line 25 of file hba.h.

/*
 * UserAuth: the authentication method selected by an HBA rule.
 *
 * hba_authname() indexes UserAuthName[] directly with this value and guards
 * the table size with a StaticAssertStmt against USER_AUTH_LAST, so any new
 * enumerator must be inserted before uaPeer and USER_AUTH_LAST must keep
 * naming the final enumerator (see the comment on line 42).
 *
 * NOTE(review): the Enumerator table and the summary near the top of this
 * page omit uaPeer, apparently because the #define on line 42 sits inside
 * the enum body; the listing below is authoritative.  Line 25 (the
 * "typedef enum UserAuth" opener) is not shown in this rendering.
 */
26 {
27  uaReject,
28  uaImplicitReject, /* Not a user-visible option */
29  uaTrust,
30  uaIdent,
31  uaPassword,
32  uaMD5,
33  uaSCRAM,
34  uaGSS,
35  uaSSPI,
36  uaPAM,
37  uaBSD,
38  uaLDAP,
39  uaCert,
40  uaRADIUS,
41  uaPeer
42 #define USER_AUTH_LAST uaPeer /* Must be last value of this enum */
43 } UserAuth;

Function Documentation

◆ check_usermap()

int check_usermap ( const char *  usermap_name,
const char *  pg_role,
const char *  auth_user,
bool  case_sensitive 
)

Definition at line 2968 of file hba.c.

References check_ident_usermap(), ereport, errmsg(), error(), lfirst, LOG, pg_strcasecmp(), STATUS_ERROR, and STATUS_OK.

Referenced by auth_peer(), CheckSCRAMAuth(), and ident_inet().

/*
 * check_usermap
 *
 * Decide whether the role requested by the client (pg_role) may be used by
 * the identity established by the authentication method (auth_user).
 *
 * usermap_name      name of the usermap to consult.  NULL or "" means no
 *                   map: the two names must simply be equal, and the list of
 *                   parsed ident lines is not consulted at all.
 * pg_role           role name the client asked for.
 * auth_user         user name established by the authentication method.
 * case_insensitive  compare with pg_strcasecmp() instead of strcmp() when no
 *                   map is given; also passed through to check_ident_usermap().
 *                   NOTE(review): the prototype in the Functions table above
 *                   names this parameter "case_sensitive", which inverts its
 *                   meaning; the name used in the definition is the accurate
 *                   one.
 *
 * Returns STATUS_OK on a match and STATUS_ERROR otherwise.  A lookup error
 * reported by check_ident_usermap() with no match also yields STATUS_ERROR
 * (see the final return), so errors do not grant access.  Mismatches are
 * logged via ereport(LOG) together with both names.
 *
 * NOTE(review): "error" below is a local bool; the error() link in the
 * References line above appears to be a Doxygen mis-resolution.  The
 * signature lines 2968-2971 are not shown in this rendering.
 */
2972 {
2973  bool found_entry = false,
2974  error = false;
2975 
/* No usermap: require the two names to be the same (optionally case-folded). */
2976  if (usermap_name == NULL || usermap_name[0] == '\0')
2977  {
2978  if (case_insensitive)
2979  {
2980  if (pg_strcasecmp(pg_role, auth_user) == 0)
2981  return STATUS_OK;
2982  }
2983  else
2984  {
2985  if (strcmp(pg_role, auth_user) == 0)
2986  return STATUS_OK;
2987  }
2988  ereport(LOG,
2989  (errmsg("provided user name (%s) and authenticated user name (%s) do not match",
2990  pg_role, auth_user)));
2991  return STATUS_ERROR;
2992  }
2993  else
2994  {
2995  ListCell *line_cell;
2996 
/* Walk the parsed pg_ident lines; stop at the first match or first error. */
2997  foreach(line_cell, parsed_ident_lines)
2998  {
2999  check_ident_usermap(lfirst(line_cell), usermap_name,
3000  pg_role, auth_user, case_insensitive,
3001  &found_entry, &error);
3002  if (found_entry || error)
3003  break;
3004  }
3005  }
/* An error has already been reported by check_ident_usermap(); only log a plain no-match here. */
3006  if (!found_entry && !error)
3007  {
3008  ereport(LOG,
3009  (errmsg("no match in usermap \"%s\" for user \"%s\" authenticated as \"%s\"",
3010  usermap_name, pg_role, auth_user)));
3011  }
3012  return found_entry ? STATUS_OK : STATUS_ERROR;
3013 }
static void check_ident_usermap(IdentLine *identLine, const char *usermap_name, const char *pg_role, const char *ident_user, bool case_insensitive, bool *found_p, bool *error_p)
Definition: hba.c:2833
static void error(void)
Definition: sql-dyntest.c:147
#define STATUS_ERROR
Definition: c.h:1171
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36
#define LOG
Definition: elog.h:26
#define STATUS_OK
Definition: c.h:1170
#define ereport(elevel,...)
Definition: elog.h:157
static List * parsed_ident_lines
Definition: hba.c:112
#define lfirst(lc)
Definition: pg_list.h:169
int errmsg(const char *fmt,...)
Definition: elog.c:909

◆ hba_authname()

const char* hba_authname ( UserAuth  auth_method)

Definition at line 3147 of file hba.c.

References lengthof, StaticAssertStmt, USER_AUTH_LAST, and UserAuthName.

Referenced by fill_hba_line(), and set_authn_id().

/*
 * hba_authname
 *
 * Map a UserAuth value to its display name by indexing the static
 * UserAuthName[] table defined in hba.c.  There is no runtime range check on
 * auth_method; callers must pass a valid enumerator.
 *
 * NOTE(review): source line 3152 is not shown in this rendering.  It is the
 * StaticAssertStmt() condition whose message appears on line 3153; per the
 * References list it involves lengthof(UserAuthName) and USER_AUTH_LAST,
 * i.e. a compile-time check that the table has one entry per enumerator.
 * The signature line 3147 is also not shown.
 */
3148 {
3149  /*
3150  * Make sure UserAuthName[] tracks additions to the UserAuth enum
3151  */
/* line 3152 (the StaticAssertStmt condition) not shown in this rendering */
3153  "UserAuthName[] must match the UserAuth enum");
3154 
3155  return UserAuthName[auth_method];
3156 }
static const char *const UserAuthName[]
Definition: hba.c:121
#define lengthof(array)
Definition: c.h:734
#define StaticAssertStmt(condition, errmessage)
Definition: c.h:918
#define USER_AUTH_LAST
Definition: hba.h:42

◆ hba_getauthmethod()

void hba_getauthmethod ( hbaPort port)

Definition at line 3134 of file hba.c.

References check_hba().

Referenced by ClientAuthentication().

/*
 * hba_getauthmethod
 *
 * Public entry point used by ClientAuthentication(); simply delegates to the
 * file-local check_hba(), which is what consults the loaded HBA rules for
 * this port.  The signature line 3134 is not shown in this rendering.
 */
3135 {
3136  check_hba(port);
3137 }

◆ load_hba()

bool load_hba ( void  )

Definition at line 2229 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert, ereport, TokenizedLine::err_msg, errcode(), errcode_for_file_access(), errmsg(), FreeFile(), HbaFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline(), NIL, parse_hba_line(), PostmasterContext, and tokenize_file().

Referenced by PerformAuthentication(), PostmasterMain(), and SIGHUP_handler().

/*
 * load_hba
 *
 * Read and parse HbaFileName into a fresh memory context.  Returns true and
 * installs the new rule list (parsed_hba_lines / parsed_hba_context) only if
 * every line parsed cleanly and the file contains at least one entry; on any
 * error it returns false and leaves the previously loaded rules untouched,
 * so a broken edit does not change who is allowed to connect.  All problems
 * are reported at LOG level.
 *
 * NOTE(review): this rendering dropped several source lines: 2244 (appears to
 * be the errcode_for_file_access() that opens the ereport argument list, per
 * the References list), 2254-2255 and 2257 (the Assert and the
 * AllocSetContextCreate(PostmasterContext, ..., ALLOCSET_SMALL_SIZES) call
 * that creates hbacxt, per the References list and the parallel code in
 * load_ident()), and 2314 (presumably MemoryContextDelete(parsed_hba_context),
 * the body of the if on 2313 -- confirm against hba.c).  The signature line
 * 2229 is not shown either.
 */
2230 {
2231  FILE *file;
2232  List *hba_lines = NIL;
2233  ListCell *line;
2234  List *new_parsed_lines = NIL;
2235  bool ok = true;
2236  MemoryContext linecxt;
2237  MemoryContext oldcxt;
2238  MemoryContext hbacxt;
2239 
2240  file = AllocateFile(HbaFileName, "r");
2241  if (file == NULL)
2242  {
2243  ereport(LOG,
/* line 2244 (errcode_for_file_access(), opening the argument list) not shown in this rendering */
2245  errmsg("could not open configuration file \"%s\": %m",
2246  HbaFileName)));
2247  return false;
2248  }
2249 
/* Tokenizer memory lives in linecxt, which is freed once parsing is done. */
2250  linecxt = tokenize_file(HbaFileName, file, &hba_lines, LOG);
2251  FreeFile(file);
2252 
2253  /* Now parse all the lines */
/* lines 2254-2255 (Assert; hbacxt = AllocSetContextCreate(PostmasterContext,) not shown in this rendering */
2256  "hba parser context",
/* line 2257 (ALLOCSET_SMALL_SIZES);) not shown in this rendering */
2258  oldcxt = MemoryContextSwitchTo(hbacxt);
2259  foreach(line, hba_lines)
2260  {
2261  TokenizedLine *tok_line = (TokenizedLine *) lfirst(line);
2262  HbaLine *newline;
2263 
2264  /* don't parse lines that already have errors */
2265  if (tok_line->err_msg != NULL)
2266  {
2267  ok = false;
2268  continue;
2269  }
2270 
2271  if ((newline = parse_hba_line(tok_line, LOG)) == NULL)
2272  {
2273  /* Parse error; remember there's trouble */
2274  ok = false;
2275 
2276  /*
2277  * Keep parsing the rest of the file so we can report errors on
2278  * more than the first line. Error has already been logged, no
2279  * need for more chatter here.
2280  */
2281  continue;
2282  }
2283 
2284  new_parsed_lines = lappend(new_parsed_lines, newline);
2285  }
2286 
2287  /*
2288  * A valid HBA file must have at least one entry; else there's no way to
2289  * connect to the postmaster. But only complain about this if we didn't
2290  * already have parsing errors.
2291  */
2292  if (ok && new_parsed_lines == NIL)
2293  {
2294  ereport(LOG,
2295  (errcode(ERRCODE_CONFIG_FILE_ERROR),
2296  errmsg("configuration file \"%s\" contains no entries",
2297  HbaFileName)));
2298  ok = false;
2299  }
2300 
2301  /* Free tokenizer memory */
2302  MemoryContextDelete(linecxt);
2303  MemoryContextSwitchTo(oldcxt);
2304 
2305  if (!ok)
2306  {
2307  /* File contained one or more errors, so bail out */
/* The old parsed_hba_lines / parsed_hba_context are deliberately left in place. */
2308  MemoryContextDelete(hbacxt);
2309  return false;
2310  }
2311 
2312  /* Loaded new file successfully, replace the one we use */
2313  if (parsed_hba_context != NULL)
/* line 2314 (presumably MemoryContextDelete(parsed_hba_context);) not shown in this rendering */
2315  parsed_hba_context = hbacxt;
2316  parsed_hba_lines = new_parsed_lines;
2317 
2318  return true;
2319 }
#define NIL
Definition: pg_list.h:65
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:218
#define AllocSetContextCreate
Definition: memutils.h:173
#define ALLOCSET_SMALL_SIZES
Definition: memutils.h:205
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
int errcode(int sqlerrcode)
Definition: elog.c:698
#define LOG
Definition: elog.h:26
static chr newline(void)
Definition: regc_lex.c:1004
static List * parsed_hba_lines
Definition: hba.c:101
char * HbaFileName
Definition: guc.c:599
static MemoryContext parsed_hba_context
Definition: hba.c:102
char * err_msg
Definition: hba.c:94
int errcode_for_file_access(void)
Definition: elog.c:721
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2373
List * lappend(List *list, void *datum)
Definition: list.c:336
static HbaLine * parse_hba_line(TokenizedLine *tok_line, int elevel)
Definition: hba.c:968
#define ereport(elevel,...)
Definition: elog.h:157
#define Assert(condition)
Definition: c.h:804
#define lfirst(lc)
Definition: pg_list.h:169
static MemoryContext tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
Definition: hba.c:478
int FreeFile(FILE *file)
Definition: fd.c:2572
int errmsg(const char *fmt,...)
Definition: elog.c:909
MemoryContext PostmasterContext
Definition: mcxt.c:50

◆ load_ident()

bool load_ident ( void  )

Definition at line 3023 of file hba.c.

References AllocateFile(), ALLOCSET_SMALL_SIZES, AllocSetContextCreate, Assert, ereport, TokenizedLine::err_msg, errcode_for_file_access(), errmsg(), FreeFile(), IdentLine::ident_user, IdentFileName, lappend(), lfirst, LOG, MemoryContextDelete(), MemoryContextSwitchTo(), newline(), NIL, parse_ident_line(), pg_regfree(), PostmasterContext, IdentLine::re, and tokenize_file().

Referenced by PerformAuthentication(), PostmasterMain(), and SIGHUP_handler().

/*
 * load_ident
 *
 * Read and parse IdentFileName (the usermap file) into a fresh memory
 * context.  Returns true and installs the new map (parsed_ident_lines /
 * parsed_ident_context) only if every line parsed cleanly; otherwise it
 * returns false and the previously loaded map stays in effect.  Unlike
 * load_hba(), an empty file is accepted, and a missing file is not fatal
 * (see the comment at 3039).
 *
 * IdentLine entries whose ident_user starts with '/' carry a compiled
 * regex_t (re) that is not owned by the memory context, so those are freed
 * explicitly with pg_regfree() both on the error path and when the old map
 * is replaced.
 *
 * NOTE(review): this rendering dropped several source lines: 3041 (appears to
 * be the errcode_for_file_access() that opens the ereport argument list, per
 * the References list), 3051 (an Assert, per the References list), 3054
 * (the ALLOCSET_SMALL_SIZES argument closing the AllocSetContextCreate
 * call) and 3115 (presumably MemoryContextDelete(parsed_ident_context), the
 * body of the if on 3114 -- confirm against hba.c).  The signature line 3023
 * is not shown either.
 */
3024 {
3025  FILE *file;
3026  List *ident_lines = NIL;
3027  ListCell *line_cell,
3028  *parsed_line_cell;
3029  List *new_parsed_lines = NIL;
3030  bool ok = true;
3031  MemoryContext linecxt;
3032  MemoryContext oldcxt;
3033  MemoryContext ident_context;
3034  IdentLine *newline;
3035 
3036  file = AllocateFile(IdentFileName, "r");
3037  if (file == NULL)
3038  {
3039  /* not fatal ... we just won't do any special ident maps */
3040  ereport(LOG,
/* line 3041 (errcode_for_file_access(), opening the argument list) not shown in this rendering */
3042  errmsg("could not open usermap file \"%s\": %m",
3043  IdentFileName)));
3044  return false;
3045  }
3046 
/* Tokenizer memory lives in linecxt, which is freed once parsing is done. */
3047  linecxt = tokenize_file(IdentFileName, file, &ident_lines, LOG);
3048  FreeFile(file);
3049 
3050  /* Now parse all the lines */
/* line 3051 (an Assert) not shown in this rendering */
3052  ident_context = AllocSetContextCreate(PostmasterContext,
3053  "ident parser context",
/* line 3054 (ALLOCSET_SMALL_SIZES);) not shown in this rendering */
3055  oldcxt = MemoryContextSwitchTo(ident_context);
3056  foreach(line_cell, ident_lines)
3057  {
3058  TokenizedLine *tok_line = (TokenizedLine *) lfirst(line_cell);
3059 
3060  /* don't parse lines that already have errors */
3061  if (tok_line->err_msg != NULL)
3062  {
3063  ok = false;
3064  continue;
3065  }
3066 
3067  if ((newline = parse_ident_line(tok_line)) == NULL)
3068  {
3069  /* Parse error; remember there's trouble */
3070  ok = false;
3071 
3072  /*
3073  * Keep parsing the rest of the file so we can report errors on
3074  * more than the first line. Error has already been logged, no
3075  * need for more chatter here.
3076  */
3077  continue;
3078  }
3079 
3080  new_parsed_lines = lappend(new_parsed_lines, newline);
3081  }
3082 
3083  /* Free tokenizer memory */
3084  MemoryContextDelete(linecxt);
3085  MemoryContextSwitchTo(oldcxt);
3086 
3087  if (!ok)
3088  {
3089  /*
3090  * File contained one or more errors, so bail out, first being careful
3091  * to clean up whatever we allocated. Most stuff will go away via
3092  * MemoryContextDelete, but we have to clean up regexes explicitly.
3093  */
3094  foreach(parsed_line_cell, new_parsed_lines)
3095  {
3096  newline = (IdentLine *) lfirst(parsed_line_cell);
3097  if (newline->ident_user[0] == '/')
3098  pg_regfree(&newline->re);
3099  }
3100  MemoryContextDelete(ident_context);
3101  return false;
3102  }
3103 
3104  /* Loaded new file successfully, replace the one we use */
/* Release the regexes of the map being replaced before its context goes away. */
3105  if (parsed_ident_lines != NIL)
3106  {
3107  foreach(parsed_line_cell, parsed_ident_lines)
3108  {
3109  newline = (IdentLine *) lfirst(parsed_line_cell);
3110  if (newline->ident_user[0] == '/')
3111  pg_regfree(&newline->re);
3112  }
3113  }
3114  if (parsed_ident_context != NULL)
/* line 3115 (presumably MemoryContextDelete(parsed_ident_context);) not shown in this rendering */
3116 
3117  parsed_ident_context = ident_context;
3118  parsed_ident_lines = new_parsed_lines;
3119 
3120  return true;
3121 }
#define NIL
Definition: pg_list.h:65
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:218
#define AllocSetContextCreate
Definition: memutils.h:173
regex_t re
Definition: hba.h:132
#define ALLOCSET_SMALL_SIZES
Definition: memutils.h:205
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
#define LOG
Definition: elog.h:26
static chr newline(void)
Definition: regc_lex.c:1004
char * err_msg
Definition: hba.c:94
int errcode_for_file_access(void)
Definition: elog.c:721
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2373
char * IdentFileName
Definition: guc.c:600
List * lappend(List *list, void *datum)
Definition: list.c:336
#define ereport(elevel,...)
Definition: elog.h:157
static List * parsed_ident_lines
Definition: hba.c:112
static MemoryContext parsed_ident_context
Definition: hba.c:113
#define Assert(condition)
Definition: c.h:804
#define lfirst(lc)
Definition: pg_list.h:169
static MemoryContext tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
Definition: hba.c:478
int FreeFile(FILE *file)
Definition: fd.c:2572
char * ident_user
Definition: hba.h:130
int errmsg(const char *fmt,...)
Definition: elog.c:909
static IdentLine * parse_ident_line(TokenizedLine *tok_line)
Definition: hba.c:2756
void pg_regfree(regex_t *re)
Definition: regfree.c:49
MemoryContext PostmasterContext
Definition: mcxt.c:50

◆ pg_isblank()

bool pg_isblank ( const char  c)

Definition at line 160 of file hba.c.

Referenced by interpret_ident_response(), and next_token().

/*
 * pg_isblank
 *
 * True for the characters the HBA/ident tokenizer treats as blank: space,
 * tab and carriage return.  '\n' is not among them.  Used by next_token()
 * and interpret_ident_response() per the "Referenced by" line above.  The
 * signature line 160 is not shown in this rendering.
 */
161 {
162  return c == ' ' || c == '\t' || c == '\r';
163 }