hbafuncs.c File Reference

#include "postgres.h"
#include "access/htup_details.h"
#include "catalog/objectaddress.h"
#include "common/ip.h"
#include "funcapi.h"
#include "libpq/hba.h"
#include "utils/array.h"
#include "utils/builtins.h"
#include "utils/guc.h"
#include "utils/tuplestore.h"

Include dependency graph for hbafuncs.c:

Go to the source code of this file.

Macros
#define	MAX_HBA_OPTIONS   15
#define	NUM_PG_HBA_FILE_RULES_ATTS   11
#define	NUM_PG_IDENT_FILE_MAPPINGS_ATTS   7

Functions
static ArrayType *	get_hba_options (HbaLine *hba)
static void	fill_hba_line (Tuplestorestate *tuple_store, TupleDesc tupdesc, int rule_number, char *filename, int lineno, HbaLine *hba, const char *err_msg)
static void	fill_hba_view (Tuplestorestate *tuple_store, TupleDesc tupdesc)
static void	fill_ident_line (Tuplestorestate *tuple_store, TupleDesc tupdesc, int map_number, char *filename, int lineno, IdentLine *ident, const char *err_msg)
static void	fill_ident_view (Tuplestorestate *tuple_store, TupleDesc tupdesc)
Datum	pg_hba_file_rules (PG_FUNCTION_ARGS)
Datum	pg_ident_file_mappings (PG_FUNCTION_ARGS)

Macro Definition Documentation

MAX_HBA_OPTIONS

#define MAX_HBA_OPTIONS   15

Definition at line 47 of file hbafuncs.c.

NUM_PG_HBA_FILE_RULES_ATTS

#define NUM_PG_HBA_FILE_RULES_ATTS   11

Definition at line 167 of file hbafuncs.c.

NUM_PG_IDENT_FILE_MAPPINGS_ATTS

#define NUM_PG_IDENT_FILE_MAPPINGS_ATTS   7

Definition at line 452 of file hbafuncs.c.

Function Documentation

fill_hba_line()

static void fill_hba_line ( Tuplestorestate *  tuple_store, TupleDesc  tupdesc, int  rule_number, char *  filename, int  lineno, HbaLine *  hba, const char *  err_msg  )

static

Definition at line 185 of file hbafuncs.c.

{
    Datum       values[NUM_PG_HBA_FILE_RULES_ATTS];
    bool        nulls[NUM_PG_HBA_FILE_RULES_ATTS];
    char        buffer[NI_MAXHOST];
    HeapTuple   tuple;
    int         index;
    ListCell   *lc;
    const char *typestr;
    const char *addrstr;
    const char *maskstr;
    ArrayType  *options;
 
    Assert(tupdesc->natts == NUM_PG_HBA_FILE_RULES_ATTS);
 
    memset(values, 0, sizeof(values));
    memset(nulls, 0, sizeof(nulls));
    index = 0;
 
    /* rule_number, nothing on error */
    if (err_msg)
        nulls[index++] = true;
    else
        values[index++] = Int32GetDatum(rule_number);
 
    /* file_name */
    values[index++] = CStringGetTextDatum(filename);
 
    /* line_number */
    values[index++] = Int32GetDatum(lineno);
 
    if (hba != NULL)
    {
        /* type */
        /* Avoid a default: case so compiler will warn about missing cases */
        typestr = NULL;
        switch (hba->conntype)
        {
            case ctLocal:
                typestr = "local";
                break;
            case ctHost:
                typestr = "host";
                break;
            case ctHostSSL:
                typestr = "hostssl";
                break;
            case ctHostNoSSL:
                typestr = "hostnossl";
                break;
            case ctHostGSS:
                typestr = "hostgssenc";
                break;
            case ctHostNoGSS:
                typestr = "hostnogssenc";
                break;
        }
        if (typestr)
            values[index++] = CStringGetTextDatum(typestr);
        else
            nulls[index++] = true;
 
        /* database */
        if (hba->databases)
        {
            /*
             * Flatten AuthToken list to string list.  It might seem that we
             * should re-quote any quoted tokens, but that has been rejected
             * on the grounds that it makes it harder to compare the array
             * elements to other system catalogs.  That makes entries like
             * "all" or "samerole" formally ambiguous ... but users who name
             * databases/roles that way are inflicting their own pain.
             */
            List       *names = NIL;
 
            foreach(lc, hba->databases)
            {
                AuthToken  *tok = lfirst(lc);
 
                names = lappend(names, tok->string);
            }
            values[index++] = PointerGetDatum(strlist_to_textarray(names));
        }
        else
            nulls[index++] = true;
 
        /* user */
        if (hba->roles)
        {
            /* Flatten AuthToken list to string list; see comment above */
            List       *roles = NIL;
 
            foreach(lc, hba->roles)
            {
                AuthToken  *tok = lfirst(lc);
 
                roles = lappend(roles, tok->string);
            }
            values[index++] = PointerGetDatum(strlist_to_textarray(roles));
        }
        else
            nulls[index++] = true;
 
        /* address and netmask */
        /* Avoid a default: case so compiler will warn about missing cases */
        addrstr = maskstr = NULL;
        switch (hba->ip_cmp_method)
        {
            case ipCmpMask:
                if (hba->hostname)
                {
                    addrstr = hba->hostname;
                }
                else
                {
                    /*
                     * Note: if pg_getnameinfo_all fails, it'll set buffer to
                     * "???", which we want to return.
                     */
                    if (hba->addrlen > 0)
                    {
                        if (pg_getnameinfo_all(&hba->addr, hba->addrlen,
                                               buffer, sizeof(buffer),
                                               NULL, 0,
                                               NI_NUMERICHOST) == 0)
                            clean_ipv6_addr(hba->addr.ss_family, buffer);
                        addrstr = pstrdup(buffer);
                    }
                    if (hba->masklen > 0)
                    {
                        if (pg_getnameinfo_all(&hba->mask, hba->masklen,
                                               buffer, sizeof(buffer),
                                               NULL, 0,
                                               NI_NUMERICHOST) == 0)
                            clean_ipv6_addr(hba->mask.ss_family, buffer);
                        maskstr = pstrdup(buffer);
                    }
                }
                break;
            case ipCmpAll:
                addrstr = "all";
                break;
            case ipCmpSameHost:
                addrstr = "samehost";
                break;
            case ipCmpSameNet:
                addrstr = "samenet";
                break;
        }
        if (addrstr)
            values[index++] = CStringGetTextDatum(addrstr);
        else
            nulls[index++] = true;
        if (maskstr)
            values[index++] = CStringGetTextDatum(maskstr);
        else
            nulls[index++] = true;
 
        /* auth_method */
        values[index++] = CStringGetTextDatum(hba_authname(hba->auth_method));
 
        /* options */
        options = get_hba_options(hba);
        if (options)
            values[index++] = PointerGetDatum(options);
        else
            nulls[index++] = true;
    }
    else
    {
        /* no parsing result, so set relevant fields to nulls */
        memset(&nulls[3], true, (NUM_PG_HBA_FILE_RULES_ATTS - 4) * sizeof(bool));
    }
 
    /* error */
    if (err_msg)
        values[NUM_PG_HBA_FILE_RULES_ATTS - 1] = CStringGetTextDatum(err_msg);
    else
        nulls[NUM_PG_HBA_FILE_RULES_ATTS - 1] = true;
 
    tuple = heap_form_tuple(tupdesc, values, nulls);
    tuplestore_puttuple(tuple_store, tuple);
}

References HbaLine::addr, HbaLine::addrlen, Assert, HbaLine::auth_method, clean_ipv6_addr(), HbaLine::conntype, CStringGetTextDatum, ctHost, ctHostGSS, ctHostNoGSS, ctHostNoSSL, ctHostSSL, ctLocal, HbaLine::databases, fb(), filename, get_hba_options(), hba_authname(), heap_form_tuple(), HbaLine::hostname, Int32GetDatum(), HbaLine::ip_cmp_method, ipCmpAll, ipCmpMask, ipCmpSameHost, ipCmpSameNet, lappend(), lfirst, HbaLine::mask, HbaLine::masklen, TupleDescData::natts, NIL, NUM_PG_HBA_FILE_RULES_ATTS, pg_getnameinfo_all(), PointerGetDatum, pstrdup(), HbaLine::roles, strlist_to_textarray(), tuplestore_puttuple(), and values.

Referenced by fill_hba_view().

fill_hba_view()

static void fill_hba_view ( Tuplestorestate *  tuple_store, TupleDesc  tupdesc  )

static

Definition at line 376 of file hbafuncs.c.

{
    FILE       *file;
    List       *hba_lines = NIL;
    ListCell   *line;
    int         rule_number = 0;
    MemoryContext hbacxt;
    MemoryContext oldcxt;
 
    /*
     * In the unlikely event that we can't open pg_hba.conf, we throw an
     * error, rather than trying to report it via some sort of view entry.
     * (Most other error conditions should result in a message in a view
     * entry.)
     */
    file = open_auth_file(HbaFileName, ERROR, 0, NULL);
 
    tokenize_auth_file(HbaFileName, file, &hba_lines, DEBUG3, 0);
 
    /* Now parse all the lines */
    hbacxt = AllocSetContextCreate(CurrentMemoryContext,
                                   "hba parser context",
                                   ALLOCSET_SMALL_SIZES);
    oldcxt = MemoryContextSwitchTo(hbacxt);
    foreach(line, hba_lines)
    {
        TokenizedAuthLine *tok_line = (TokenizedAuthLine *) lfirst(line);
        HbaLine    *hbaline = NULL;
 
        /* don't parse lines that already have errors */
        if (tok_line->err_msg == NULL)
            hbaline = parse_hba_line(tok_line, DEBUG3);
 
        /* No error, set a new rule number */
        if (tok_line->err_msg == NULL)
            rule_number++;
 
        fill_hba_line(tuple_store, tupdesc, rule_number,
                      tok_line->file_name, tok_line->line_num, hbaline,
                      tok_line->err_msg);
    }
 
    /* Free tokenizer memory */
    free_auth_file(file, 0);
    /* Free parse_hba_line memory */
    MemoryContextSwitchTo(oldcxt);
    MemoryContextDelete(hbacxt);
}

References ALLOCSET_SMALL_SIZES, AllocSetContextCreate, CurrentMemoryContext, DEBUG3, ERROR, fb(), fill_hba_line(), free_auth_file(), HbaFileName, lfirst, MemoryContextDelete(), MemoryContextSwitchTo(), NIL, open_auth_file(), parse_hba_line(), and tokenize_auth_file().

Referenced by pg_hba_file_rules().

fill_ident_line()

static void fill_ident_line ( Tuplestorestate *  tuple_store, TupleDesc  tupdesc, int  map_number, char *  filename, int  lineno, IdentLine *  ident, const char *  err_msg  )

static

Definition at line 470 of file hbafuncs.c.

{
    Datum       values[NUM_PG_IDENT_FILE_MAPPINGS_ATTS];
    bool        nulls[NUM_PG_IDENT_FILE_MAPPINGS_ATTS];
    HeapTuple   tuple;
    int         index;
 
    Assert(tupdesc->natts == NUM_PG_IDENT_FILE_MAPPINGS_ATTS);
 
    memset(values, 0, sizeof(values));
    memset(nulls, 0, sizeof(nulls));
    index = 0;
 
    /* map_number, nothing on error */
    if (err_msg)
        nulls[index++] = true;
    else
        values[index++] = Int32GetDatum(map_number);
 
    /* file_name */
    values[index++] = CStringGetTextDatum(filename);
 
    /* line_number */
    values[index++] = Int32GetDatum(lineno);
 
    if (ident != NULL)
    {
        values[index++] = CStringGetTextDatum(ident->usermap);
        values[index++] = CStringGetTextDatum(ident->system_user->string);
        values[index++] = CStringGetTextDatum(ident->pg_user->string);
    }
    else
    {
        /* no parsing result, so set relevant fields to nulls */
        memset(&nulls[3], true, (NUM_PG_IDENT_FILE_MAPPINGS_ATTS - 4) * sizeof(bool));
    }
 
    /* error */
    if (err_msg)
        values[NUM_PG_IDENT_FILE_MAPPINGS_ATTS - 1] = CStringGetTextDatum(err_msg);
    else
        nulls[NUM_PG_IDENT_FILE_MAPPINGS_ATTS - 1] = true;
 
    tuple = heap_form_tuple(tupdesc, values, nulls);
    tuplestore_puttuple(tuple_store, tuple);
}

References Assert, CStringGetTextDatum, fb(), filename, heap_form_tuple(), ident, Int32GetDatum(), TupleDescData::natts, NUM_PG_IDENT_FILE_MAPPINGS_ATTS, tuplestore_puttuple(), and values.

Referenced by fill_ident_view().

fill_ident_view()

static void fill_ident_view ( Tuplestorestate *  tuple_store, TupleDesc  tupdesc  )

static

Definition at line 523 of file hbafuncs.c.

{
    FILE       *file;
    List       *ident_lines = NIL;
    ListCell   *line;
    int         map_number = 0;
    MemoryContext identcxt;
    MemoryContext oldcxt;
 
    /*
     * In the unlikely event that we can't open pg_ident.conf, we throw an
     * error, rather than trying to report it via some sort of view entry.
     * (Most other error conditions should result in a message in a view
     * entry.)
     */
    file = open_auth_file(IdentFileName, ERROR, 0, NULL);
 
    tokenize_auth_file(IdentFileName, file, &ident_lines, DEBUG3, 0);
 
    /* Now parse all the lines */
    identcxt = AllocSetContextCreate(CurrentMemoryContext,
                                     "ident parser context",
                                     ALLOCSET_SMALL_SIZES);
    oldcxt = MemoryContextSwitchTo(identcxt);
    foreach(line, ident_lines)
    {
        TokenizedAuthLine *tok_line = (TokenizedAuthLine *) lfirst(line);
        IdentLine  *identline = NULL;
 
        /* don't parse lines that already have errors */
        if (tok_line->err_msg == NULL)
            identline = parse_ident_line(tok_line, DEBUG3);
 
        /* no error, set a new mapping number */
        if (tok_line->err_msg == NULL)
            map_number++;
 
        fill_ident_line(tuple_store, tupdesc, map_number,
                        tok_line->file_name, tok_line->line_num,
                        identline, tok_line->err_msg);
    }
 
    /* Free tokenizer memory */
    free_auth_file(file, 0);
    /* Free parse_ident_line memory */
    MemoryContextSwitchTo(oldcxt);
    MemoryContextDelete(identcxt);
}

References ALLOCSET_SMALL_SIZES, AllocSetContextCreate, CurrentMemoryContext, DEBUG3, ERROR, fb(), fill_ident_line(), free_auth_file(), IdentFileName, lfirst, MemoryContextDelete(), MemoryContextSwitchTo(), NIL, open_auth_file(), parse_ident_line(), and tokenize_auth_file().

Referenced by pg_ident_file_mappings().

get_hba_options()

static ArrayType * get_hba_options ( HbaLine *  hba )

static

Definition at line 54 of file hbafuncs.c.

{
    int         noptions;
    Datum       options[MAX_HBA_OPTIONS];
 
    noptions = 0;
 
    if (hba->auth_method == uaGSS || hba->auth_method == uaSSPI)
    {
        if (hba->include_realm)
            options[noptions++] =
                CStringGetTextDatum("include_realm=true");
 
        if (hba->krb_realm)
            options[noptions++] =
                CStringGetTextDatum(psprintf("krb_realm=%s", hba->krb_realm));
    }
 
    if (hba->usermap)
        options[noptions++] =
            CStringGetTextDatum(psprintf("map=%s", hba->usermap));
 
    if (hba->clientcert != clientCertOff)
        options[noptions++] =
            CStringGetTextDatum(psprintf("clientcert=%s", (hba->clientcert == clientCertCA) ? "verify-ca" : "verify-full"));
 
    if (hba->pamservice)
        options[noptions++] =
            CStringGetTextDatum(psprintf("pamservice=%s", hba->pamservice));
 
    if (hba->auth_method == uaLDAP)
    {
        if (hba->ldapserver)
            options[noptions++] =
                CStringGetTextDatum(psprintf("ldapserver=%s", hba->ldapserver));
 
        if (hba->ldapport)
            options[noptions++] =
                CStringGetTextDatum(psprintf("ldapport=%d", hba->ldapport));
 
        if (hba->ldapscheme)
            options[noptions++] =
                CStringGetTextDatum(psprintf("ldapscheme=%s", hba->ldapscheme));
 
        if (hba->ldaptls)
            options[noptions++] =
                CStringGetTextDatum("ldaptls=true");
 
        if (hba->ldapprefix)
            options[noptions++] =
                CStringGetTextDatum(psprintf("ldapprefix=%s", hba->ldapprefix));
 
        if (hba->ldapsuffix)
            options[noptions++] =
                CStringGetTextDatum(psprintf("ldapsuffix=%s", hba->ldapsuffix));
 
        if (hba->ldapbasedn)
            options[noptions++] =
                CStringGetTextDatum(psprintf("ldapbasedn=%s", hba->ldapbasedn));
 
        if (hba->ldapbinddn)
            options[noptions++] =
                CStringGetTextDatum(psprintf("ldapbinddn=%s", hba->ldapbinddn));
 
        if (hba->ldapbindpasswd)
            options[noptions++] =
                CStringGetTextDatum(psprintf("ldapbindpasswd=%s",
                                             hba->ldapbindpasswd));
 
        if (hba->ldapsearchattribute)
            options[noptions++] =
                CStringGetTextDatum(psprintf("ldapsearchattribute=%s",
                                             hba->ldapsearchattribute));
 
        if (hba->ldapsearchfilter)
            options[noptions++] =
                CStringGetTextDatum(psprintf("ldapsearchfilter=%s",
                                             hba->ldapsearchfilter));
 
        if (hba->ldapscope)
            options[noptions++] =
                CStringGetTextDatum(psprintf("ldapscope=%d", hba->ldapscope));
    }
 
    if (hba->auth_method == uaOAuth)
    {
        if (hba->oauth_issuer)
            options[noptions++] =
                CStringGetTextDatum(psprintf("issuer=%s", hba->oauth_issuer));
 
        if (hba->oauth_scope)
            options[noptions++] =
                CStringGetTextDatum(psprintf("scope=%s", hba->oauth_scope));
 
        if (hba->oauth_validator)
            options[noptions++] =
                CStringGetTextDatum(psprintf("validator=%s", hba->oauth_validator));
 
        if (hba->oauth_skip_usermap)
            options[noptions++] =
                CStringGetTextDatum(psprintf("delegate_ident_mapping=true"));
    }
 
    /* If you add more options, consider increasing MAX_HBA_OPTIONS. */
    Assert(noptions <= MAX_HBA_OPTIONS);
 
    if (noptions > 0)
        return construct_array_builtin(options, noptions, TEXTOID);
    else
        return NULL;
}

References Assert, HbaLine::auth_method, HbaLine::clientcert, clientCertCA, clientCertOff, construct_array_builtin(), CStringGetTextDatum, fb(), HbaLine::include_realm, HbaLine::krb_realm, HbaLine::ldapbasedn, HbaLine::ldapbinddn, HbaLine::ldapbindpasswd, HbaLine::ldapport, HbaLine::ldapprefix, HbaLine::ldapscheme, HbaLine::ldapscope, HbaLine::ldapsearchattribute, HbaLine::ldapsearchfilter, HbaLine::ldapserver, HbaLine::ldapsuffix, HbaLine::ldaptls, MAX_HBA_OPTIONS, noptions, HbaLine::oauth_issuer, HbaLine::oauth_scope, HbaLine::oauth_skip_usermap, HbaLine::oauth_validator, HbaLine::pamservice, psprintf(), uaGSS, uaLDAP, uaOAuth, uaSSPI, and HbaLine::usermap.

Referenced by fill_hba_line().

pg_hba_file_rules()

Datum pg_hba_file_rules

(

PG_FUNCTION_ARGS

)

Definition at line 432 of file hbafuncs.c.

{
    ReturnSetInfo *rsi;
 
    /*
     * Build tuplestore to hold the result rows.  We must use the Materialize
     * mode to be safe against HBA file changes while the cursor is open. It's
     * also more efficient than having to look up our current position in the
     * parsed list every time.
     */
    InitMaterializedSRF(fcinfo, 0);
 
    /* Fill the tuplestore */
    rsi = (ReturnSetInfo *) fcinfo->resultinfo;
    fill_hba_view(rsi->setResult, rsi->setDesc);
 
    PG_RETURN_NULL();
}

References fill_hba_view(), InitMaterializedSRF(), PG_RETURN_NULL, ReturnSetInfo::setDesc, and ReturnSetInfo::setResult.

pg_ident_file_mappings()

Datum pg_ident_file_mappings

(

PG_FUNCTION_ARGS

)

Definition at line 576 of file hbafuncs.c.

{
    ReturnSetInfo *rsi;
 
    /*
     * Build tuplestore to hold the result rows.  We must use the Materialize
     * mode to be safe against HBA file changes while the cursor is open. It's
     * also more efficient than having to look up our current position in the
     * parsed list every time.
     */
    InitMaterializedSRF(fcinfo, 0);
 
    /* Fill the tuplestore */
    rsi = (ReturnSetInfo *) fcinfo->resultinfo;
    fill_ident_view(rsi->setResult, rsi->setDesc);
 
    PG_RETURN_NULL();
}

References fill_ident_view(), InitMaterializedSRF(), PG_RETURN_NULL, ReturnSetInfo::setDesc, and ReturnSetInfo::setResult.