/*-------------------------------------------------------------------------
*
* hba.h
* Interface to hba.c
*
*
* src/include/libpq/hba.h
*
*-------------------------------------------------------------------------
*/
#ifndef HBA_H
#define HBA_H
#include "libpq/pqcomm.h" /* pgrminclude ignore */ /* needed for NetBSD */
#include "nodes/pg_list.h"
Parse pg_ident.conf when it's loaded, keeping it in memory in parsed format.
Similar changes were done to pg_hba.conf earlier already; this commit makes
pg_ident.conf behave the same as pg_hba.conf.
This has two user-visible effects. First, if pg_ident.conf contains multiple
errors, the whole file is parsed at postmaster startup time and all the
errors are immediately reported. Before this patch, the file was parsed and
the errors were reported only when someone tried to connect using an
authentication method that uses the file, and the parsing stopped on the first
error. Second, if you SIGHUP to reload the config files and the new
pg_ident.conf file contains an error, the error is logged but the old file
stays in effect.
Also, regular expressions in pg_ident.conf are now compiled only once when
the file is loaded, rather than every time a user is authenticated. That
should speed up authentication if you have a lot of regexps in the file.
Amit Kapila
#include "regex/regex.h"
/*
* The following enum represents the authentication methods that
* are supported by PostgreSQL.
*
* Note: keep this in sync with the UserAuthName array in hba.c.
*/
typedef enum UserAuth
{
	uaReject,			/* "reject" line: the connection is refused */
	uaImplicitReject,	/* Not a user-visible option; presumably the outcome
						 * when no pg_hba.conf line matches -- confirm in
						 * hba.c/auth.c */
	uaTrust,			/* "trust": as the name implies, the matching line
						 * alone grants access; any line that uses it is a
						 * security decision in its own right */
	uaIdent,			/* "ident": identification-protocol lookup, mapped
						 * through pg_ident.conf (see IdentLine) */
	uaPassword,			/* "password": plain password exchange at the
						 * protocol level; only sensible over a
						 * TLS-protected channel (hostssl) */
	uaMD5,				/* "md5": note that when the role's stored verifier
						 * is a SCRAM verifier the server attempts SCRAM
						 * instead of MD5 (SCRAM is strictly stronger); a
						 * client without SCRAM support then fails rather
						 * than falling back.  See
						 * https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us */
	uaSCRAM,			/* "scram-sha-256"; formerly uaSASL -- renamed because
						 * the value names the pg_hba.conf method, while SASL
						 * is only the protocol framing used to carry it */
	uaGSS,				/* GSSAPI (Kerberos); see the krb_realm / *_realm
						 * fields of HbaLine */
	uaSSPI,				/* Windows SSPI; shares the realm options with GSS */
	uaPAM,				/* PAM; see pamservice / pam_use_hostname */
	uaBSD,				/* BSD authentication */
	uaLDAP,				/* LDAP; looks like plain "password" at the protocol
						 * level, so the same TLS caveat applies; see the
						 * ldap* fields of HbaLine */
	uaCert,				/* client-certificate authentication */
	uaRADIUS,			/* RADIUS; see the radius* fields of HbaLine */
	uaPeer				/* "peer": local socket peer credentials, mapped
						 * through pg_ident.conf */
	/*
	 * Must be last value of this enum.  Presumably used to bound tables
	 * indexed by UserAuth (e.g. UserAuthName in hba.c), so a new method must
	 * either be inserted before uaPeer or this #define must move with it.
	 */
#define USER_AUTH_LAST uaPeer /* Must be last value of this enum */
} UserAuth;
/*
 * How the address column of an HbaLine is matched against the client's
 * address.  Only ipCmpMask consults HbaLine.addr/mask; the other values
 * presumably correspond to the keyword forms of the address column and are
 * resolved against the server's own interfaces at match time -- confirm in
 * hba.c before relying on the exact semantics.
 */
typedef enum IPCompareMethod
{
	ipCmpMask,			/* explicit address + netmask/CIDR in addr/mask */
	ipCmpSameHost,		/* "samehost" keyword, presumably */
	ipCmpSameNet,		/* "samenet" keyword, presumably */
	ipCmpAll			/* "all": any client address matches */
} IPCompareMethod;
/*
 * First column of a pg_hba.conf line: which kind of connection the line
 * applies to.  Of the three TCP variants only ctHostSSL is restricted to
 * TLS-wrapped connections; ctHost presumably matches both TLS and plain
 * connections, so a line that carries a password-style method should be
 * written as hostssl when the network is not trusted -- confirm the exact
 * matching rule in hba.c.
 */
typedef enum ConnType
{
	ctLocal,			/* "local": Unix-domain socket connections */
	ctHost,				/* "host": TCP/IP, with or without TLS */
	ctHostSSL,			/* "hostssl": TCP/IP, TLS required */
	ctHostNoSSL			/* "hostnossl": TCP/IP, TLS explicitly absent */
} ConnType;
/*
 * One parsed line of pg_hba.conf, kept in memory after load.  Fields are
 * grouped by the authentication method that consumes them; for a given
 * auth_method the other methods' fields are presumably left unset.
 *
 * Security note: ldapbindpasswd and radiussecrets are the only secrets in
 * this structure and are held as plain char* for as long as the parsed file
 * is retained.  rawline is the unparsed text of the same line and therefore
 * presumably contains those secrets too -- anything that surfaces rawline
 * (error messages, views) should be reviewed with that in mind.
 */
typedef struct HbaLine
{
	int linenumber;					/* line number in pg_hba.conf, for errors */
	char *rawline;					/* the line as read from the file, presumably
									 * retained for diagnostics -- may include
									 * secrets (see note above) */
	ConnType conntype;				/* local / host / hostssl / hostnossl */
	List *databases;				/* database column, split into a list */
	List *roles;					/* role column, split into a list */
	struct sockaddr_storage addr;	/* address to match when ip_cmp_method is
									 * ipCmpMask */
	struct sockaddr_storage mask;	/* netmask applied to addr for ipCmpMask */
	IPCompareMethod ip_cmp_method;	/* how addr/mask (or a keyword) is applied */
	char *hostname;					/* host name form of the address column,
									 * presumably matched by reverse lookup of
									 * the client address -- confirm in hba.c */
	UserAuth auth_method;			/* method column */

	/* uaIdent / uaPeer (and realm-based methods): name of the pg_ident.conf map */
	char *usermap;
	/* uaPAM */
	char *pamservice;				/* PAM service name */
	bool pam_use_hostname;			/* pass the client host name (rather than
									 * address, presumably) to PAM */
	/* uaLDAP */
	bool ldaptls;					/* request StartTLS to the LDAP server */
	char *ldapserver;
	int ldapport;
	char *ldapbinddn;				/* DN used for the search bind, if any */
	char *ldapbindpasswd;			/* SECRET: bind password, in the clear */
	char *ldapsearchattribute;
	char *ldapbasedn;
	int ldapscope;					/* LDAP search scope constant */
	char *ldapprefix;				/* prepended to the user name to form the DN */
	char *ldapsuffix;				/* appended to the user name to form the DN */
	/* uaCert, and the clientcert option of other methods */
	bool clientcert;				/* require a verified client certificate */
	/* uaGSS / uaSSPI */
	char *krb_realm;				/* realm the principal must belong to */
	bool include_realm;				/* keep the realm in the user name that is
									 * passed on to the usermap */
	bool compat_realm;				/* SSPI realm compatibility option --
									 * confirm semantics in auth.c */
	bool upn_username;				/* use the UPN rather than the SAM name
									 * (SSPI), presumably -- confirm in auth.c */
	/* uaRADIUS: each option is kept both parsed (List) and as the raw string (_s) */
	List *radiusservers;
	char *radiusservers_s;
	List *radiussecrets;			/* SECRET: shared secrets, in the clear */
	char *radiussecrets_s;			/* SECRET: the same secrets, unparsed */
	List *radiusidentifiers;
	char *radiusidentifiers_s;
	List *radiusports;
	char *radiusports_s;
} HbaLine;
/*
 * One parsed line of pg_ident.conf, kept in memory after load.  The regular
 * expression, when the line uses one, is compiled once at load time into
 * `re` rather than on every authentication attempt; a file that fails to
 * parse is rejected as a whole and the previously loaded map stays in
 * effect.
 */
typedef struct IdentLine
{
	int linenumber;		/* line number in pg_ident.conf, for error reporting */

	char *usermap;		/* map name this line belongs to (HbaLine.usermap) */
	char *ident_user;	/* system user name, or a regular expression */
	char *pg_role;		/* database role the system user may connect as */
	regex_t re;			/* compiled form of ident_user; presumably only valid
						 * when ident_user is a regexp -- confirm in hba.c */
} IdentLine;
/* kluge to avoid including libpq/libpq-be.h here */
typedef struct Port hbaPort;

/*
 * Load (or reload) pg_hba.conf into memory.  A file that does not parse is
 * rejected as a whole: the error is logged and the previously loaded
 * configuration stays in effect; the return value presumably reports that
 * outcome (false on failure) -- confirm against hba.c.
 */
extern bool load_hba(void);
/*
 * Load (or reload) pg_ident.conf into memory, compiling any regular
 * expressions once.  Same all-or-nothing behaviour as load_hba(): on a parse
 * error the old map stays in effect and the error is logged.
 */
extern bool load_ident(void);
/*
 * Find the pg_hba.conf line matching the connection described by `port` and
 * record the resulting authentication method in it.  Presumably yields
 * uaImplicitReject when no line matches -- confirm in hba.c.
 */
extern void hba_getauthmethod(hbaPort *port);
/*
 * Check whether map `usermap_name` in pg_ident.conf allows system user
 * `auth_user` to connect as database role `pg_role`.  `case_sensitive`
 * controls whether auth_user is compared case-sensitively (a
 * case-insensitive compare widens what a map entry matches, so callers
 * should pass false only where the authenticating mechanism itself is
 * case-insensitive).  Returns a status code whose values are defined
 * elsewhere (not visible here).
 */
extern int check_usermap(const char *usermap_name,
			  const char *pg_role, const char *auth_user,
			  bool case_sensitive);
/* True if `c` is a blank character as far as the config-file parser is concerned. */
extern bool pg_isblank(const char c);
#endif /* HBA_H */