oauth.h File Reference

#include "libpq/libpq-be.h"
#include "libpq/sasl.h"

Include dependency graph for oauth.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures
struct	ValidatorModuleState
struct	ValidatorModuleResult
struct	OAuthValidatorCallbacks

Macros
#define	PG_OAUTH_VALIDATOR_MAGIC   0x20250220

Typedefs
typedef struct ValidatorModuleState	ValidatorModuleState
typedef struct ValidatorModuleResult	ValidatorModuleResult
typedef void(*	ValidatorStartupCB) (ValidatorModuleState *state)
typedef void(*	ValidatorShutdownCB) (ValidatorModuleState *state)
typedef bool(*	ValidatorValidateCB) (const ValidatorModuleState *state, const char *token, const char *role, ValidatorModuleResult *result)
typedef struct OAuthValidatorCallbacks	OAuthValidatorCallbacks
typedef const OAuthValidatorCallbacks *(*	OAuthValidatorModuleInit) (void)

Functions
void	RegisterOAuthHBAOptions (ValidatorModuleState *state, int num, const char *opts[])
const char *	GetOAuthHBAOption (const ValidatorModuleState *state, const char *optname)
PGDLLEXPORT const OAuthValidatorCallbacks *	_PG_oauth_validator_module_init (void)
bool	check_oauth_validator (HbaLine *hbaline, int elevel, char **err_msg)
bool	valid_oauth_hba_option_name (const char *name)

Variables
PGDLLIMPORT char *	oauth_validator_libraries_string
PGDLLIMPORT const pg_be_sasl_mech	pg_be_oauth_mech

Macro Definition Documentation

PG_OAUTH_VALIDATOR_MAGIC

#define PG_OAUTH_VALIDATOR_MAGIC   0x20250220

Definition at line 88 of file oauth.h.

Typedef Documentation

OAuthValidatorCallbacks

typedef struct OAuthValidatorCallbacks OAuthValidatorCallbacks

OAuthValidatorModuleInit

typedef const OAuthValidatorCallbacks *(* OAuthValidatorModuleInit) (void)

Definition at line 115 of file oauth.h.

ValidatorModuleResult

typedef struct ValidatorModuleResult ValidatorModuleResult

ValidatorModuleState

typedef struct ValidatorModuleState ValidatorModuleState

ValidatorShutdownCB

typedef void(* ValidatorShutdownCB) (ValidatorModuleState *state)

Definition at line 77 of file oauth.h.

ValidatorStartupCB

typedef void(* ValidatorStartupCB) (ValidatorModuleState *state)

Definition at line 76 of file oauth.h.

ValidatorValidateCB

typedef bool(* ValidatorValidateCB) (const ValidatorModuleState *state, const char *token, const char *role, ValidatorModuleResult *result)

Definition at line 78 of file oauth.h.

Function Documentation

_PG_oauth_validator_module_init()

PGDLLEXPORT const OAuthValidatorCallbacks * _PG_oauth_validator_module_init ( void  )

extern

Definition at line 35 of file fail_validator.c.

{
    return &validator_callbacks;
}

References validator_callbacks, validator_callbacks, and validator_callbacks.

check_oauth_validator()

bool check_oauth_validator ( HbaLine *  hbaline, int  elevel, char **  err_msg  )

extern

Definition at line 857 of file auth-oauth.c.

{
    int         line_num = hbaline->linenumber;
    const char *file_name = hbaline->sourcefile;
    char       *rawstring;
    List       *elemlist = NIL;
 
    *err_msg = NULL;
 
    if (oauth_validator_libraries_string[0] == '\0')
    {
        ereport(elevel,
                errcode(ERRCODE_CONFIG_FILE_ERROR),
                errmsg("oauth_validator_libraries must be set for authentication method %s",
                       "oauth"),
                errcontext("line %d of configuration file \"%s\"",
                           line_num, file_name));
        *err_msg = psprintf("oauth_validator_libraries must be set for authentication method %s",
                            "oauth");
        return false;
    }
 
    /* SplitDirectoriesString needs a modifiable copy */
    rawstring = pstrdup(oauth_validator_libraries_string);
 
    if (!SplitDirectoriesString(rawstring, ',', &elemlist))
    {
        /* syntax error in list */
        ereport(elevel,
                errcode(ERRCODE_CONFIG_FILE_ERROR),
                errmsg("invalid list syntax in parameter \"%s\"",
                       "oauth_validator_libraries"));
        *err_msg = psprintf("invalid list syntax in parameter \"%s\"",
                            "oauth_validator_libraries");
        goto done;
    }
 
    if (!hbaline->oauth_validator)
    {
        if (elemlist->length == 1)
        {
            hbaline->oauth_validator = pstrdup(linitial(elemlist));
            goto done;
        }
 
        ereport(elevel,
                errcode(ERRCODE_CONFIG_FILE_ERROR),
                errmsg("authentication method \"oauth\" requires argument \"validator\" to be set when oauth_validator_libraries contains multiple options"),
                errcontext("line %d of configuration file \"%s\"",
                           line_num, file_name));
        *err_msg = "authentication method \"oauth\" requires argument \"validator\" to be set when oauth_validator_libraries contains multiple options";
        goto done;
    }
 
    foreach_ptr(char, allowed, elemlist)
    {
        if (strcmp(allowed, hbaline->oauth_validator) == 0)
            goto done;
    }
 
    ereport(elevel,
            errcode(ERRCODE_INVALID_PARAMETER_VALUE),
            errmsg("validator \"%s\" is not permitted by %s",
                   hbaline->oauth_validator, "oauth_validator_libraries"),
            errcontext("line %d of configuration file \"%s\"",
                       line_num, file_name));
    *err_msg = psprintf("validator \"%s\" is not permitted by %s",
                        hbaline->oauth_validator, "oauth_validator_libraries");
 
done:
    list_free_deep(elemlist);
    pfree(rawstring);
 
    return (*err_msg == NULL);
}

References ereport, errcode(), errcontext, errmsg, fb(), foreach_ptr, linitial, list_free_deep(), NIL, oauth_validator_libraries_string, pfree(), psprintf(), pstrdup(), and SplitDirectoriesString().

Referenced by parse_hba_line().

GetOAuthHBAOption()

const char * GetOAuthHBAOption ( const ValidatorModuleState *  state, const char *  optname  )

extern

Definition at line 1090 of file auth-oauth.c.

{
    HbaLine    *hba = MyProcPort->hba;
    ListCell   *lc_k;
    ListCell   *lc_v;
    const char *ret = NULL;
 
    if (!ValidatorOptionsChecked)
    {
        /*
         * Prevent the startup_cb from retrieving HBA options that it has just
         * registered. This probably seems strange -- why refuse to hand out
         * information we already know? -- but this lets us reserve the
         * ability to perform the startup_cb call earlier, before we know
         * which HBA line is matched by a connection, without breaking this
         * API.
         */
        return NULL;
    }
 
    if (!state || !hba)
    {
        Assert(false);
        return NULL;
    }
 
    Assert(list_length(hba->oauth_opt_keys) == list_length(hba->oauth_opt_vals));
 
    forboth(lc_k, hba->oauth_opt_keys, lc_v, hba->oauth_opt_vals)
    {
        const char *key = lfirst(lc_k);
        const char *val = lfirst(lc_v);
 
        if (strcmp(key, optname) == 0)
        {
            /*
             * Don't return yet -- when regular HBA options are specified more
             * than once, the last one wins. Do the same for these options.
             */
            ret = val;
        }
    }
 
    return ret;
}

References Assert, fb(), forboth, Port::hba, lfirst, list_length(), MyProcPort, HbaLine::oauth_opt_keys, HbaLine::oauth_opt_vals, val, and ValidatorOptionsChecked.

Referenced by validate_token(), and validator_startup().

RegisterOAuthHBAOptions()

void RegisterOAuthHBAOptions ( ValidatorModuleState *  state, int  num, const char *  opts[]  )

extern

Definition at line 949 of file auth-oauth.c.

{
    MemoryContext oldcontext;
 
    if (!state)
    {
        Assert(false);
        return;
    }
 
    oldcontext = MemoryContextSwitchTo(ValidatorMemoryContext);
 
    for (int i = 0; i < num; i++)
    {
        if (!valid_oauth_hba_option_name(opts[i]))
        {
            /*
             * The user can't set this option in the HBA, so GetOAuthHBAOption
             * would always return NULL.
             */
            ereport(WARNING,
                    errmsg("HBA option name \"%s\" is invalid and will be ignored",
                           opts[i]),
            /* translator: the second %s is a function name */
                    errcontext("validator module \"%s\", in call to %s",
                               MyProcPort->hba->oauth_validator,
                               "RegisterOAuthHBAOptions"));
            continue;
        }
 
        ValidatorOptions = lappend(ValidatorOptions, pstrdup(opts[i]));
    }
 
    MemoryContextSwitchTo(oldcontext);
 
    /*
     * Wait to validate the HBA against the registered options until later
     * (see check_validator_hba_options()).
     *
     * Delaying allows the validator to make multiple registration calls, to
     * append to the list; it lets us make the check in a place where we can
     * report the error without leaking details to the client; and it avoids
     * exporting the order of operations between HBA matching and the
     * startup_cb call as an API guarantee. (The last issue may become
     * relevant with a threaded model.)
     */
}

References Assert, ereport, errcontext, errmsg, Port::hba, i, lappend(), MemoryContextSwitchTo(), MyProcPort, HbaLine::oauth_validator, opts, pstrdup(), valid_oauth_hba_option_name(), ValidatorMemoryContext, ValidatorOptions, and WARNING.

Referenced by validator_startup().

valid_oauth_hba_option_name()

bool valid_oauth_hba_option_name ( const char *  name )

extern

Definition at line 1003 of file auth-oauth.c.

{
    /*
     * This list is not incredibly principled, since the goal is just to bound
     * compatibility guarantees for our HBA parser. Alphanumerics seem
     * obviously fine, and it's difficult to argue against the punctuation
     * that's already included in some HBA option names and identifiers.
     */
    static const char *name_allowed_set =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789_-";
 
    size_t      span;
 
    if (!name[0])
        return false;
 
    span = strspn(name, name_allowed_set);
    return name[span] == '\0';
}

References fb(), and name.

Referenced by parse_hba_auth_opt(), and RegisterOAuthHBAOptions().

Variable Documentation

oauth_validator_libraries_string

PGDLLIMPORT char* oauth_validator_libraries_string

extern

Definition at line 35 of file auth-oauth.c.

Referenced by check_oauth_validator().

pg_be_oauth_mech

PGDLLIMPORT const pg_be_sasl_mech pg_be_oauth_mech

extern

Definition at line 54 of file auth-oauth.c.

                                         {
    .get_mechanisms = oauth_get_mechanisms,
    .init = oauth_init,
    .exchange = oauth_exchange,
 
    .max_message_length = PG_MAX_AUTH_TOKEN_LENGTH,
};

Referenced by ClientAuthentication().