database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-27 12:41:57 +03:00
Code Activity

libpq: Add support for require_auth to control authorized auth methods

Browse Source 
The new connection parameter require_auth allows a libpq client to
define a list of comma-separated acceptable authentication types for use
with the server.  There is no negotiation: if the server does not
present one of the allowed authentication requests, the connection
attempt done by the client fails.

The following keywords can be defined in the list:
- password, for AUTH_REQ_PASSWORD.
- md5, for AUTH_REQ_MD5.
- gss, for AUTH_REQ_GSS[_CONT].
- sspi, for AUTH_REQ_SSPI and AUTH_REQ_GSS_CONT.
- scram-sha-256, for AUTH_REQ_SASL[_CONT|_FIN].
- creds, for AUTH_REQ_SCM_CREDS (perhaps this should be removed entirely
now).
- none, to control unauthenticated connections.

All the methods that can be defined in the list can be negated, like
"!password", in which case the server must NOT use the listed
authentication type.  The special method "none" allows/disallows the use
of unauthenticated connections (but it does not govern transport-level
authentication via TLS or GSSAPI).

Internally, the patch logic is tied to check_expected_areq(), that was
used for channel_binding, ensuring that an incoming request is
compatible with conn->require_auth.  It also introduces a new flag,
conn->client_finished_auth, which is set by various authentication
routines when the client side of the handshake is finished.  This
signals to check_expected_areq() that an AUTH_REQ_OK from the server is
expected, and allows the client to complain if the server bypasses
authentication entirely, with for example the reception of a too-early
AUTH_REQ_OK message.

Regression tests are added in authentication TAP tests for all the
keywords supported (except "creds", because it is around only for
compatibility reasons).  A new TAP script has been added for SSPI, as
there was no script dedicated to it yet.  It relies on SSPI being the
default authentication method on Windows, as set by pg_regress.

Author: Jacob Champion
Reviewed-by: Peter Eisentraut, David G. Johnston, Michael Paquier
Discussion: https://postgr.es/m/9e5a8ccddb8355ea9fa4b75a1e3a9edc88a70cd3.camel@vmware.com
This commit is contained in:
Michael Paquier
2023-03-14 14:00:05 +09:00
parent 727400994d
commit 3a465cc678
12 changed files with 779 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

115
doc/src/sgml/libpq.sgml
View File

@ -1220,6 +1220,111 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
</listitem>
</varlistentry>
<varlistentry id="libpq-connect-require-auth" xreflabel="require_auth">
<term><literal>require_auth</literal></term>
<listitem>
<para>
Specifies the authentication method that the client requires from the
server. If the server does not use the required method to authenticate
the client, or if the authentication handshake is not fully completed by
the server, the connection will fail. A comma-separated list of methods
may also be provided, of which the server must use exactly one in order
for the connection to succeed. By default, any authentication method is
accepted, and the server is free to skip authentication altogether.
</para>
<para>
Methods may be negated with the addition of a <literal>!</literal>
prefix, in which case the server must <emphasis>not</emphasis> attempt
the listed method; any other method is accepted, and the server is free
not to authenticate the client at all. If a comma-separated list is
provided, the server may not attempt <emphasis>any</emphasis> of the
listed negated methods. Negated and non-negated forms may not be
combined in the same setting.
</para>
<para>
As a final special case, the <literal>none</literal> method requires the
server not to use an authentication challenge. (It may also be negated,
to require some form of authentication.)
</para>
<para>
The following methods may be specified:
<variablelist>
<varlistentry>
<term><literal>password</literal></term>
<listitem>
<para>
The server must request plaintext password authentication.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>md5</literal></term>
<listitem>
<para>
The server must request MD5 hashed password authentication.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>gss</literal></term>
<listitem>
<para>
The server must either request a Kerberos handshake via
<acronym>GSSAPI</acronym> or establish a
<acronym>GSS</acronym>-encrypted channel (see also
<xref linkend="libpq-connect-gssencmode" />).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>sspi</literal></term>
<listitem>
<para>
The server must request Windows <acronym>SSPI</acronym>
authentication.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>scram-sha-256</literal></term>
<listitem>
<para>
The server must successfully complete a SCRAM-SHA-256 authentication
exchange with the client.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>creds</literal></term>
<listitem>
<para>
The server must request SCM credential authentication (deprecated
as of <productname>PostgreSQL</productname> 9.1).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>none</literal></term>
<listitem>
<para>
The server must not prompt the client for an authentication
exchange. (This does not prohibit client certificate authentication
via TLS, nor GSS authentication via its encrypted transport.)
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</listitem>
</varlistentry>
<varlistentry id="libpq-connect-channel-binding" xreflabel="channel_binding">
<term><literal>channel_binding</literal></term>
<listitem>
@ -7774,6 +7879,16 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
</para>
</listitem>
<listitem>
<para>
<indexterm>
<primary><envar>PGREQUIREAUTH</envar></primary>
</indexterm>
<envar>PGREQUIREAUTH</envar> behaves the same as the <xref
linkend="libpq-connect-require-auth"/> connection parameter.
</para>
</listitem>
<listitem>
<para>
<indexterm>