PostgreSQL Source Code git master
Loading...
Searching...
No Matches
Data Structures | Macros | Typedefs | Functions | Variables
oauth.h File Reference
#include "libpq/libpq-be.h"
#include "libpq/sasl.h"
Include dependency graph for oauth.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures

struct  ValidatorModuleState
 
struct  ValidatorModuleResult
 
struct  OAuthValidatorCallbacks
 

Macros

#define PG_OAUTH_VALIDATOR_MAGIC   0x20250220
 

Typedefs

typedef struct ValidatorModuleState ValidatorModuleState
 
typedef struct ValidatorModuleResult ValidatorModuleResult
 
typedef void(* ValidatorStartupCB) (ValidatorModuleState *state)
 
typedef void(* ValidatorShutdownCB) (ValidatorModuleState *state)
 
typedef bool(* ValidatorValidateCB) (const ValidatorModuleState *state, const char *token, const char *role, ValidatorModuleResult *result)
 
typedef struct OAuthValidatorCallbacks OAuthValidatorCallbacks
 
typedef const OAuthValidatorCallbacks *(* OAuthValidatorModuleInit) (void)
 

Functions

void RegisterOAuthHBAOptions (ValidatorModuleState *state, int num, const char *opts[])
 
const charGetOAuthHBAOption (const ValidatorModuleState *state, const char *optname)
 
PGDLLEXPORT const OAuthValidatorCallbacks_PG_oauth_validator_module_init (void)
 
bool check_oauth_validator (HbaLine *hbaline, int elevel, char **err_msg)
 
bool valid_oauth_hba_option_name (const char *name)
 

Variables

PGDLLIMPORT charoauth_validator_libraries_string
 
PGDLLIMPORT const pg_be_sasl_mech pg_be_oauth_mech
 

Macro Definition Documentation

◆ PG_OAUTH_VALIDATOR_MAGIC

#define PG_OAUTH_VALIDATOR_MAGIC   0x20250220

Definition at line 88 of file oauth.h.

Typedef Documentation

◆ OAuthValidatorCallbacks

typedef struct OAuthValidatorCallbacks OAuthValidatorCallbacks

◆ OAuthValidatorModuleInit

typedef const OAuthValidatorCallbacks *(* OAuthValidatorModuleInit) (void)

Definition at line 115 of file oauth.h.

◆ ValidatorModuleResult

typedef struct ValidatorModuleResult ValidatorModuleResult

◆ ValidatorModuleState

typedef struct ValidatorModuleState ValidatorModuleState

◆ ValidatorShutdownCB

typedef void(* ValidatorShutdownCB) (ValidatorModuleState *state)

Definition at line 77 of file oauth.h.

◆ ValidatorStartupCB

typedef void(* ValidatorStartupCB) (ValidatorModuleState *state)

Definition at line 76 of file oauth.h.

◆ ValidatorValidateCB

typedef bool(* ValidatorValidateCB) (const ValidatorModuleState *state, const char *token, const char *role, ValidatorModuleResult *result)

Definition at line 78 of file oauth.h.

Function Documentation

◆ _PG_oauth_validator_module_init()

PGDLLEXPORT const OAuthValidatorCallbacks * _PG_oauth_validator_module_init ( void  )
extern

Definition at line 35 of file fail_validator.c.

36{
37 return &validator_callbacks;
38}
validator_callbacks
static const OAuthValidatorCallbacks validator_callbacks
Definition fail_validator.c:28

References validator_callbacks, validator_callbacks, and validator_callbacks.

◆ check_oauth_validator()

bool check_oauth_validator ( HbaLine hbaline,
int  elevel,
char **  err_msg 
)
extern

Definition at line 857 of file auth-oauth.c.

858{
859 int line_num = hbaline->linenumber;
860 const char *file_name = hbaline->sourcefile;
861 char *rawstring;
862 List *elemlist = NIL;
863
864 *err_msg = NULL;
865
866 if (oauth_validator_libraries_string[0] == '\0')
867 {
868 ereport(elevel,
869 errcode(ERRCODE_CONFIG_FILE_ERROR),
870 errmsg("parameter \"%s\" must be set for authentication method \"%s\"",
871 "oauth_validator_libraries", "oauth"),
872 errcontext("line %d of configuration file \"%s\"",
873 line_num, file_name));
874 *err_msg = psprintf("parameter \"%s\" must be set for authentication method \"%s\"",
875 "oauth_validator_libraries", "oauth");
876 return false;
877 }
878
879 /* SplitDirectoriesString needs a modifiable copy */
880 rawstring = pstrdup(oauth_validator_libraries_string);
881
882 if (!SplitDirectoriesString(rawstring, ',', &elemlist))
883 {
884 /* syntax error in list */
885 ereport(elevel,
886 errcode(ERRCODE_CONFIG_FILE_ERROR),
887 errmsg("invalid list syntax in parameter \"%s\"",
888 "oauth_validator_libraries"));
889 *err_msg = psprintf("invalid list syntax in parameter \"%s\"",
890 "oauth_validator_libraries");
891 goto done;
892 }
893
894 if (!hbaline->oauth_validator)
895 {
896 if (elemlist->length == 1)
897 {
898 hbaline->oauth_validator = pstrdup(linitial(elemlist));
899 goto done;
900 }
901
902 ereport(elevel,
903 errcode(ERRCODE_CONFIG_FILE_ERROR),
904 errmsg("authentication method \"oauth\" requires option \"validator\" to be set when \"%s\" contains multiple options",
905 "oauth_validator_libraries"),
906 errcontext("line %d of configuration file \"%s\"",
907 line_num, file_name));
908 *err_msg = psprintf("authentication method \"oauth\" requires option \"validator\" to be set when \"%s\" contains multiple options",
909 "oauth_validator_libraries");
910 goto done;
911 }
912
913 foreach_ptr(char, allowed, elemlist)
914 {
915 if (strcmp(allowed, hbaline->oauth_validator) == 0)
916 goto done;
917 }
918
919 ereport(elevel,
920 errcode(ERRCODE_INVALID_PARAMETER_VALUE),
921 errmsg("validator \"%s\" is not permitted by \"%s\"",
922 hbaline->oauth_validator, "oauth_validator_libraries"),
923 errcontext("line %d of configuration file \"%s\"",
924 line_num, file_name));
925 *err_msg = psprintf("validator \"%s\" is not permitted by \"%s\"",
926 hbaline->oauth_validator, "oauth_validator_libraries");
927
928done:
929 list_free_deep(elemlist);
930 pfree(rawstring);
931
932 return (*err_msg == NULL);
933}
oauth_validator_libraries_string
char * oauth_validator_libraries_string
Definition auth-oauth.c:35
errcode
int errcode(int sqlerrcode)
Definition elog.c:875
errcontext
#define errcontext
Definition elog.h:200
ereport
#define ereport(elevel,...)
Definition elog.h:152
list_free_deep
void list_free_deep(List *list)
Definition list.c:1560
pstrdup
char * pstrdup(const char *in)
Definition mcxt.c:1910
pfree
void pfree(void *pointer)
Definition mcxt.c:1619
errmsg
static char * errmsg
Definition oauth_hook_client.c:61
NIL
#define NIL
Definition pg_list.h:68
foreach_ptr
#define foreach_ptr(type, var, lst)
Definition pg_list.h:501
linitial
#define linitial(l)
Definition pg_list.h:178
fb
static int fb(int x)
Definition preproc-init.c:92
psprintf
char * psprintf(const char *fmt,...)
Definition psprintf.c:43
List
Definition pg_list.h:54
SplitDirectoriesString
bool SplitDirectoriesString(char *rawstring, char separator, List **namelist)
Definition varlena.c:2953

References ereport, errcode(), errcontext, errmsg, fb(), foreach_ptr, linitial, list_free_deep(), NIL, oauth_validator_libraries_string, pfree(), psprintf(), pstrdup(), and SplitDirectoriesString().

Referenced by parse_hba_line().

◆ GetOAuthHBAOption()

const char * GetOAuthHBAOption ( const ValidatorModuleState state,
const char optname 
)
extern

Definition at line 1092 of file auth-oauth.c.

1093{
1094 HbaLine *hba = MyProcPort->hba;
1095 ListCell *lc_k;
1096 ListCell *lc_v;
1097 const char *ret = NULL;
1098
1099 if (!ValidatorOptionsChecked)
1100 {
1101 /*
1102 * Prevent the startup_cb from retrieving HBA options that it has just
1103 * registered. This probably seems strange -- why refuse to hand out
1104 * information we already know? -- but this lets us reserve the
1105 * ability to perform the startup_cb call earlier, before we know
1106 * which HBA line is matched by a connection, without breaking this
1107 * API.
1108 */
1109 return NULL;
1110 }
1111
1112 if (!state || !hba)
1113 {
1114 Assert(false);
1115 return NULL;
1116 }
1117
1118 Assert(list_length(hba->oauth_opt_keys) == list_length(hba->oauth_opt_vals));
1119
1120 forboth(lc_k, hba->oauth_opt_keys, lc_v, hba->oauth_opt_vals)
1121 {
1122 const char *key = lfirst(lc_k);
1123 const char *val = lfirst(lc_v);
1124
1125 if (strcmp(key, optname) == 0)
1126 {
1127 /*
1128 * Don't return yet -- when regular HBA options are specified more
1129 * than once, the last one wins. Do the same for these options.
1130 */
1131 ret = val;
1132 }
1133 }
1134
1135 return ret;
1136}
ValidatorOptionsChecked
static bool ValidatorOptionsChecked
Definition auth-oauth.c:51
Assert
#define Assert(condition)
Definition c.h:943
MyProcPort
struct Port * MyProcPort
Definition globals.c:53
val
long val
Definition informix.c:689
lfirst
#define lfirst(lc)
Definition pg_list.h:172
list_length
static int list_length(const List *l)
Definition pg_list.h:152
forboth
#define forboth(cell1, list1, cell2, list2)
Definition pg_list.h:550
HbaLine
Definition hba.h:95
HbaLine::oauth_opt_vals
List * oauth_opt_vals
Definition hba.h:135
HbaLine::oauth_opt_keys
List * oauth_opt_keys
Definition hba.h:134
Port::hba
HbaLine * hba
Definition libpq-be.h:165

References Assert, fb(), forboth, Port::hba, lfirst, list_length(), MyProcPort, HbaLine::oauth_opt_keys, HbaLine::oauth_opt_vals, val, and ValidatorOptionsChecked.

Referenced by validate_token(), and validator_startup().

◆ RegisterOAuthHBAOptions()

void RegisterOAuthHBAOptions ( ValidatorModuleState state,
int  num,
const char opts[] 
)
extern

Definition at line 951 of file auth-oauth.c.

953{
954 MemoryContext oldcontext;
955
956 if (!state)
957 {
958 Assert(false);
959 return;
960 }
961
962 oldcontext = MemoryContextSwitchTo(ValidatorMemoryContext);
963
964 for (int i = 0; i < num; i++)
965 {
966 if (!valid_oauth_hba_option_name(opts[i]))
967 {
968 /*
969 * The user can't set this option in the HBA, so GetOAuthHBAOption
970 * would always return NULL.
971 */
972 ereport(WARNING,
973 errmsg("HBA option name \"%s\" is invalid and will be ignored",
974 opts[i]),
975 /* translator: the second %s is a function name */
976 errcontext("validator module \"%s\", in call to %s",
977 MyProcPort->hba->oauth_validator,
978 "RegisterOAuthHBAOptions"));
979 continue;
980 }
981
982 ValidatorOptions = lappend(ValidatorOptions, pstrdup(opts[i]));
983 }
984
985 MemoryContextSwitchTo(oldcontext);
986
987 /*
988 * Wait to validate the HBA against the registered options until later
989 * (see check_validator_hba_options()).
990 *
991 * Delaying allows the validator to make multiple registration calls, to
992 * append to the list; it lets us make the check in a place where we can
993 * report the error without leaking details to the client; and it avoids
994 * exporting the order of operations between HBA matching and the
995 * startup_cb call as an API guarantee. (The last issue may become
996 * relevant with a threaded model.)
997 */
998}
ValidatorMemoryContext
static MemoryContext ValidatorMemoryContext
Definition auth-oauth.c:49
ValidatorOptions
static List * ValidatorOptions
Definition auth-oauth.c:50
valid_oauth_hba_option_name
bool valid_oauth_hba_option_name(const char *name)
Definition auth-oauth.c:1005
WARNING
#define WARNING
Definition elog.h:37
i
int i
Definition isn.c:77
lappend
List * lappend(List *list, void *datum)
Definition list.c:339
MemoryContextSwitchTo
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition palloc.h:138
opts
static AmcheckOptions opts
Definition pg_amcheck.c:112
HbaLine::oauth_validator
char * oauth_validator
Definition hba.h:132

References Assert, ereport, errcontext, errmsg, Port::hba, i, lappend(), MemoryContextSwitchTo(), MyProcPort, HbaLine::oauth_validator, opts, pstrdup(), valid_oauth_hba_option_name(), ValidatorMemoryContext, ValidatorOptions, and WARNING.

Referenced by validator_startup().

◆ valid_oauth_hba_option_name()

bool valid_oauth_hba_option_name ( const char name)
extern

Definition at line 1005 of file auth-oauth.c.

1006{
1007 /*
1008 * This list is not incredibly principled, since the goal is just to bound
1009 * compatibility guarantees for our HBA parser. Alphanumerics seem
1010 * obviously fine, and it's difficult to argue against the punctuation
1011 * that's already included in some HBA option names and identifiers.
1012 */
1013 static const char *name_allowed_set =
1014 "abcdefghijklmnopqrstuvwxyz"
1015 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
1016 "0123456789_-";
1017
1018 size_t span;
1019
1020 if (!name[0])
1021 return false;
1022
1023 span = strspn(name, name_allowed_set);
1024 return name[span] == '\0';
1025}
name
const char * name
Definition wait_event_funcs.c:29

References fb(), and name.

Referenced by parse_hba_auth_opt(), and RegisterOAuthHBAOptions().

Variable Documentation

◆ oauth_validator_libraries_string

PGDLLIMPORT char* oauth_validator_libraries_string
extern

Definition at line 35 of file auth-oauth.c.

Referenced by check_oauth_validator().

◆ pg_be_oauth_mech

PGDLLIMPORT const pg_be_sasl_mech pg_be_oauth_mech
extern

Definition at line 54 of file auth-oauth.c.

54 {
55 .get_mechanisms = oauth_get_mechanisms,
56 .init = oauth_init,
57 .exchange = oauth_exchange,
58
59 .max_message_length = PG_MAX_AUTH_TOKEN_LENGTH,
60};
oauth_init
static void * oauth_init(Port *port, const char *selected_mech, const char *shadow_pass)
Definition auth-oauth.c:109
oauth_get_mechanisms
static void oauth_get_mechanisms(Port *port, StringInfo buf)
Definition auth-oauth.c:96
oauth_exchange
static int oauth_exchange(void *opaq, const char *input, int inputlen, char **output, int *outputlen, const char **logdetail)
Definition auth-oauth.c:144
PG_MAX_AUTH_TOKEN_LENGTH
#define PG_MAX_AUTH_TOKEN_LENGTH
Definition auth.h:33

Referenced by ClientAuthentication().