/*-------------------------------------------------------------------------
 *
 * oauth.h
 *	  Interface to libpq/auth-oauth.c
 *
 * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
 * src/include/libpq/oauth.h
 *
 *-------------------------------------------------------------------------
 */
#ifndef PG_OAUTH_H
#define PG_OAUTH_H
#include "libpq/libpq-be.h"
#include "libpq/sasl.h"
/*
 * Server-side list of validator libraries, as configured by the DBA.
 * NOTE(review): this appears to be the GUC string backing
 * check_oauth_validator()'s "permitted by the configuration" check (name
 * and the declarations below suggest so) -- confirm in auth-oauth.c / guc.
 */
extern PGDLLIMPORT char *oauth_validator_libraries_string;
/*
 * Per-module state handed to every validator callback (see the callback
 * typedefs below). The server creates it; the module may hang its own data
 * off private_data.
 */
typedef struct ValidatorModuleState
{
	/* Holds the server's PG_VERSION_NUM. Reserved for future extensibility. */
	/* Presumably filled in by the server before startup_cb runs; modules
	 * should treat it as read-only. */
	int			sversion;

	/*
	 * Private data pointer for use by a validator module. This can be used to
	 * store state for the module that will be passed to each of its
	 * callbacks.
	 *
	 * NOTE(review): nothing in this header shows the server touching this
	 * pointer, so whatever it references is presumably owned entirely by the
	 * module -- allocate it in startup_cb and release it in shutdown_cb.
	 * Confirm against auth-oauth.c.
	 */
	void	   *private_data;
} ValidatorModuleState;
/*
 * Outcome of one ValidatorValidateCB call. The module fills this in; the
 * server reads it to decide whether the connection proceeds and which
 * identity to use for HBA mapping.
 */
typedef struct ValidatorModuleResult
{
	/*
	 * Should be set to true if the token carries sufficient permissions for
	 * the bearer to connect.
	 *
	 * false is the safe default: a module that cannot fully verify the token
	 * (bad signature, unexpected issuer/audience, any internal error) should
	 * leave this false rather than guess.
	 */
	bool		authorized;

	/*
	 * If the token authenticates the user, this should be set to a palloc'd
	 * string containing the SYSTEM_USER to use for HBA mapping. Consider
	 * setting this even if result->authorized is false so that DBAs may use
	 * the logs to match end users to token failures.
	 *
	 * This is required if the module is not configured for ident mapping
	 * delegation. See the validator module documentation for details.
	 *
	 * NOTE(review): since it is palloc'd, the server presumably takes
	 * ownership and frees it (or lets the memory context go) -- confirm in
	 * auth-oauth.c before pfree'ing it from the module. Derive it only from
	 * claims the module has actually verified, as it becomes the identity the
	 * HBA mapping trusts.
	 */
	char	   *authn_id;
} ValidatorModuleResult;
/*
 * Validator module callbacks
 *
 * These callback functions should be defined by validator modules and returned
 * via _PG_oauth_validator_module_init(). ValidatorValidateCB is the only
 * required callback. For more information about the purpose of each callback,
 * refer to the OAuth validator modules documentation.
 *
 * ValidatorStartupCB / ValidatorShutdownCB receive the mutable per-module
 * state; ValidatorValidateCB receives it read-only, together with:
 *   token  - the bearer token presented by the client (presumably verbatim
 *            from the SASL exchange; treat it as untrusted input and verify
 *            it before deriving anything from it)
 *   role   - the role name the connection requests (by parameter name only;
 *            confirm against auth-oauth.c)
 *   result - out-parameter the module fills in (see ValidatorModuleResult)
 *
 * NOTE(review): the bool returned by ValidatorValidateCB is distinct from
 * result->authorized. It presumably reports whether validation could be
 * carried out at all, not whether the token was accepted -- confirm the exact
 * contract in auth-oauth.c rather than relying on either value alone.
 */
typedef void (*ValidatorStartupCB) (ValidatorModuleState *state);
typedef void (*ValidatorShutdownCB) (ValidatorModuleState *state);
typedef bool (*ValidatorValidateCB) (const ValidatorModuleState *state,
									 const char *token, const char *role,
									 ValidatorModuleResult *result);
/*
 * Identifies the compiled ABI version of the validator module. Since the server
 * already enforces the PG_MODULE_MAGIC number for modules across major
 * versions, this is reserved for emergency use within a stable release line.
 * May it never need to change.
 *
 * Modules store this in OAuthValidatorCallbacks.magic; a mismatch lets the
 * server reject a callbacks table built against a different layout before it
 * dereferences any of the function pointers. The value is date-like
 * (YYYYMMDD), which is a convention rather than anything the code interprets.
 */
#define PG_OAUTH_VALIDATOR_MAGIC 0x20250220
/*
 * Callback table a validator module returns from
 * _PG_oauth_validator_module_init(). Only validate_cb is required (see the
 * callback typedefs above); startup_cb and shutdown_cb may be NULL.
 */
typedef struct OAuthValidatorCallbacks
{
	uint32		magic;			/* must be set to PG_OAUTH_VALIDATOR_MAGIC */
	/* magic is first so an ABI mismatch is detectable before the server reads
	 * the pointers below (layout observation; the check itself lives in
	 * auth-oauth.c). */

	ValidatorStartupCB startup_cb;	/* optional; receives mutable state */
	ValidatorShutdownCB shutdown_cb;	/* optional; release module resources */
	ValidatorValidateCB validate_cb;	/* required; verifies each token */
} OAuthValidatorCallbacks;
/*
 * Type of the shared library symbol _PG_oauth_validator_module_init which is
 * required for all validator modules. This function will be invoked during
 * module loading.
 *
 * Returns a pointer to the module's callback table. The pointer is const and
 * the server keeps using it after loading, so the table is presumably expected
 * to be static storage (not a stack or short-lived allocation) -- confirm in
 * auth-oauth.c. magic must already be set to PG_OAUTH_VALIDATOR_MAGIC.
 */
typedef const OAuthValidatorCallbacks *(*OAuthValidatorModuleInit) (void);
/* Prototype for the symbol each validator .so must export. */
extern PGDLLEXPORT const OAuthValidatorCallbacks *_PG_oauth_validator_module_init(void);
/* Implementation */
/*
 * SASL mechanism descriptor for OAuth (type from libpq/sasl.h), implemented
 * in libpq/auth-oauth.c; this is what the SASL layer dispatches to.
 */
extern PGDLLIMPORT const pg_be_sasl_mech pg_be_oauth_mech;
/*
 * Ensure a validator named in the HBA is permitted by the configuration.
 *
 * hba     - the HBA line naming the validator
 * elevel  - error level to report problems at (presumably passed to ereport;
 *           confirm in auth-oauth.c)
 * err_msg - out-parameter; presumably set to a description of the problem when
 *           the function returns false, as is usual for HBA checks -- confirm.
 *
 * Returns true if the validator may be used. NOTE(review): the configuration
 * consulted is most likely oauth_validator_libraries_string (declared above);
 * this header does not show it, so verify before relying on that.
 */
extern bool check_oauth_validator(HbaLine *hba, int elevel, char **err_msg);
#endif /* PG_OAUTH_H */