A comment in hba.h mentioned that AuthTokens are used when building the IdentLines from pg_ident.conf, but since 8fea868, which added support for regexps for databases and roles in pg_hba.conf, the same is true of HBA files. This refreshes the comment to refer to both HBA and ident files. Issue spotted while going through a different patch.
/*-------------------------------------------------------------------------
*
* hba.h
* Interface to hba.c
*
*
* src/include/libpq/hba.h
*
*-------------------------------------------------------------------------
*/
#ifndef HBA_H
#define HBA_H
#include "libpq/pqcomm.h" /* pgrminclude ignore */ /* needed for NetBSD */
#include "nodes/pg_list.h"
#include "regex/regex.h"
/*
 * The following enum represents the authentication methods that
 * are supported by PostgreSQL.
 *
 * Note: keep this in sync with the UserAuthName array in hba.c.
 * hba_authname() (declared below) maps a value to its name through that
 * array, so the enumerator order is part of the contract: append new
 * methods rather than inserting them, and keep USER_AUTH_LAST naming the
 * final enumerator.
 */
typedef enum UserAuth
{
	uaReject,					/* "reject": refuse the connection */
	uaImplicitReject,			/* Not a user-visible option; presumably the
								 * outcome when no pg_hba.conf line matches
								 * -- confirm in hba.c */
	uaTrust,					/* NOTE(review): per the PostgreSQL docs,
								 * "trust" performs no credential check, so a
								 * line using it is only as safe as its
								 * address/database/role scope.  Not
								 * verifiable from this header. */
	uaIdent,
	uaPassword,					/* NOTE(review): the docs describe this as a
								 * cleartext password exchange; prefer uaSCRAM
								 * unless the transport is encrypted. */
	uaMD5,
	uaSCRAM,
	uaGSS,
	uaSSPI,
	uaPAM,
	uaBSD,
	uaLDAP,
	uaCert,
	uaRADIUS,
	uaPeer
	/* If a method is ever appended after uaPeer, move this #define too. */
#define USER_AUTH_LAST uaPeer /* Must be last value of this enum */
} UserAuth;
/*
* Data structures representing pg_hba.conf entries
*/
/*
 * How a client's address is compared against an HbaLine's address fields.
 * The keyword each enumerator corresponds to is decided in hba.c; the
 * per-value notes below are read off the names and should be confirmed
 * there.
 */
typedef enum IPCompareMethod
{
	ipCmpMask,					/* presumably: compare against HbaLine.addr
								 * under HbaLine.mask */
	ipCmpSameHost,				/* presumably the "samehost" keyword */
	ipCmpSameNet,				/* presumably the "samenet" keyword */
	ipCmpAll					/* presumably the "all" keyword: any address */
} IPCompareMethod;
/*
 * Connection type of a pg_hba.conf line.  The names read as the
 * local / host / hostssl / hostnossl / hostgssenc / hostnogssenc keywords,
 * but the keyword-to-enumerator mapping and the meaning of each (socket
 * family, whether encryption is required or refused) live in hba.c, not
 * in this header -- confirm there before relying on the notes below.
 */
typedef enum ConnType
{
	ctLocal,					/* presumably Unix-domain socket connections */
	ctHost,						/* presumably TCP/IP, encrypted or not */
	ctHostSSL,					/* presumably TCP/IP with SSL required */
	ctHostNoSSL,				/* presumably TCP/IP with SSL refused */
	ctHostGSS,					/* presumably TCP/IP with GSS encryption required */
	ctHostNoGSS,				/* presumably TCP/IP with GSS encryption refused
								 * (trailing comma is valid C99) */
} ConnType;
/*
 * How much client-certificate verification an HbaLine demands (presumably
 * the clientcert=... option).  Only the ordering off < CA < full is visible
 * here; what each level actually checks is implemented elsewhere (auth.c).
 */
typedef enum ClientCertMode
{
	clientCertOff,				/* no client certificate requirement */
	clientCertCA,				/* presumably: certificate must chain to a
								 * trusted CA (verify-ca) */
	clientCertFull				/* presumably: verify-ca plus a match of the
								 * certificate name against the connecting
								 * role (verify-full) */
} ClientCertMode;
/*
 * Which certificate field supplies the authenticated name when a client
 * certificate is used (presumably the clientname=CN|DN option).
 *
 * NOTE(review): matching on the CN alone does not bind the issuer, so two
 * certificates with the same CN from different trusted CAs are
 * indistinguishable; DN is the stricter choice.  Where this selection is
 * applied is not visible in this header.
 */
typedef enum ClientCertName
{
	clientCertCN,				/* Common Name */
	clientCertDN				/* full Distinguished Name */
} ClientCertName;
/*
 * A single string token lexed from an authentication configuration file
 * (pg_ident.conf or pg_hba.conf), together with whether the token has
 * been quoted.  If "string" begins with a slash, it may optionally
 * contain a regular expression (currently used for pg_ident.conf when
 * building IdentLines and for pg_hba.conf when building HbaLines).
 */
typedef struct AuthToken
{
	char	   *string;			/* the token text as read from the file */
	bool		quoted;			/* true if the token was quoted in the file;
								 * presumably suppresses the slash-as-regex
								 * and keyword interpretations -- confirm in
								 * hba.c */
	regex_t    *regex;			/* compiled form of "string" when it is a
								 * regex; whether it is NULL otherwise is not
								 * visible here, so check before use */
} AuthToken;
/*
 * One parsed pg_hba.conf entry.  Only the fields relevant to the line's
 * auth_method are expected to be meaningful; which fields each method
 * consumes is decided in hba.c / auth.c and is not visible here.
 */
typedef struct HbaLine
{
	char	   *sourcefile;		/* file the line came from */
	int			linenumber;		/* line number within sourcefile */
	char	   *rawline;		/* raw line text (cf. TokenizedAuthLine).
								 * NOTE(review): if the line carries an LDAP
								 * bind password or a RADIUS secret, this
								 * string holds it in the clear -- do not
								 * echo it wholesale into logs or errors. */
	ConnType	conntype;
	List	   *databases;		/* presumably a List of AuthToken; entries
								 * may be regexes (see AuthToken) */
	List	   *roles;			/* presumably a List of AuthToken; entries
								 * may be regexes (see AuthToken) */
	struct sockaddr_storage addr;
	int			addrlen;		/* zero if we don't have a valid addr */
	struct sockaddr_storage mask;
	int			masklen;		/* zero if we don't have a valid mask */
	IPCompareMethod ip_cmp_method;
	char	   *hostname;		/* presumably the address column when it is a
								 * host name rather than an IP */
	UserAuth	auth_method;
	char	   *usermap;		/* pg_ident.conf map name (presumably the map=
								 * option); see check_usermap() below */
	char	   *pamservice;
	bool		pam_use_hostname;
	bool		ldaptls;
	char	   *ldapscheme;
	char	   *ldapserver;
	int			ldapport;
	char	   *ldapbinddn;
	char	   *ldapbindpasswd;	/* LDAP bind credential, kept as a plain
								 * string in memory */
	char	   *ldapsearchattribute;
	char	   *ldapsearchfilter;
	char	   *ldapbasedn;
	int			ldapscope;
	char	   *ldapprefix;
	char	   *ldapsuffix;
	ClientCertMode clientcert;
	ClientCertName clientcertname;
	char	   *krb_realm;
	bool		include_realm;
	bool		compat_realm;
	bool		upn_username;
	List	   *radiusservers;
	char	   *radiusservers_s;	/* the *_s fields look like the unparsed
									 * option strings kept beside their List
									 * forms -- assumption, confirm in hba.c */
	List	   *radiussecrets;	/* shared secrets; treat like ldapbindpasswd */
	char	   *radiussecrets_s;
	List	   *radiusidentifiers;
	char	   *radiusidentifiers_s;
	List	   *radiusports;
	char	   *radiusports_s;
} HbaLine;
/*
 * One parsed pg_ident.conf entry: within map "usermap", the system user
 * matched by "token" maps to PostgreSQL role "pg_role".  (Which column each
 * field comes from is inferred from the names and the AuthToken comment
 * above; confirm against parse_ident_line() in hba.c.)
 */
typedef struct IdentLine
{
	int			linenumber;		/* line in pg_ident.conf, for diagnostics */

	char	   *usermap;		/* map name this entry belongs to */
	char	   *pg_role;		/* database role name */
	AuthToken  *token;			/* system-user token; AuthToken.regex is the
								 * compiled form when it is a /regex */
} IdentLine;
/*
 * TokenizedAuthLine represents one line lexed from an authentication
 * configuration file.  Each item in the "fields" list is a sub-list of
 * AuthTokens.  We don't emit a TokenizedAuthLine for empty or all-comment
 * lines, so "fields" is never NIL (nor are any of its sub-lists).
 *
 * Exception: if an error occurs during tokenization, we might have
 * fields == NIL, in which case err_msg != NULL.  Consumers should test
 * err_msg before walking fields.
 */
typedef struct TokenizedAuthLine
{
	List	   *fields;			/* List of lists of AuthTokens */
	char	   *file_name;		/* File name of origin */
	int			line_num;		/* Line number */
	char	   *raw_line;		/* Raw line text; may carry secrets written on
								 * the line (bind passwords, RADIUS secrets),
								 * so avoid echoing it wholesale */
	char	   *err_msg;		/* Error message if any; non-NULL whenever
								 * fields is NIL */
} TokenizedAuthLine;
/* kluge to avoid including libpq/libpq-be.h here */
/*
 * Opaque alias for the backend's Port.  Only a pointer is passed through
 * this interface, so the incomplete type is enough; callers that need the
 * members include libpq-be.h themselves.
 */
typedef struct Port hbaPort;
/*
 * (Re)load pg_hba.conf into the in-memory HbaLine list.  Presumably returns
 * false on failure, leaving the previous configuration in effect -- confirm
 * in hba.c.
 */
extern bool load_hba(void);
/* Same for pg_ident.conf / IdentLine. */
extern bool load_ident(void);
/* Name string for a UserAuth value (via the UserAuthName array in hba.c). */
extern const char *hba_authname(UserAuth auth_method);
/*
 * Find the HbaLine matching the connection described by port.  The result
 * is presumably recorded on port itself (void return); see hba.c.
 */
extern void hba_getauthmethod(hbaPort *port);
/*
 * Decide whether auth_user (the name the authentication method produced)
 * may log in as pg_role under map usermap_name; case_insensitive controls
 * the comparison.  The meaning of the int result is defined in hba.c, not
 * here -- do not assume 0 means success without checking.
 */
extern int	check_usermap(const char *usermap_name,
						  const char *pg_role, const char *auth_user,
						  bool case_insensitive);
/*
 * Turn one tokenized line into an HbaLine / IdentLine.  elevel is presumably
 * the ereport() level used for problems; whether NULL is returned on
 * failure at lower levels is not visible here -- check the result.
 */
extern HbaLine *parse_hba_line(TokenizedAuthLine *tok_line, int elevel);
extern IdentLine *parse_ident_line(TokenizedAuthLine *tok_line, int elevel);
extern bool pg_isblank(const char c);
/*
 * Open an auth config file for tokenization.  depth is passed to both
 * open_auth_file() and free_auth_file(), which suggests it tracks include
 * nesting; on failure the reason is reported at elevel and/or returned via
 * *err_msg -- confirm which in hba.c.
 */
extern FILE *open_auth_file(const char *filename, int elevel, int depth,
							char **err_msg);
extern void free_auth_file(FILE *file, int depth);
/*
 * Tokenize an already-open file into *tok_lines (presumably a List of
 * TokenizedAuthLine).  depth should match the open_auth_file() call.
 */
extern void tokenize_auth_file(const char *filename, FILE *file,
							   List **tok_lines, int elevel, int depth);
#endif /* HBA_H */