*** a/src/backend/libpq/hba.c --- b/src/backend/libpq/hba.c *************** *** 60,68 **** typedef struct check_network_data bool result; /* set to true if match */ } check_network_data; ! #define token_is_keyword(t, k) (!t->quoted && strcmp(t->string, k) == 0) ! #define token_matches(t, k) (strcmp(t->string, k) == 0) /* * A single string token lexed from the HBA config file, together with whether --- 60,77 ---- bool result; /* set to true if match */ } check_network_data; + typedef enum token_type + { + QUOTED_STRING, /* Quoted STRING */ + UNQUOTED_STRING, /* Unquoted string */ + SPECIAL_PLUS_QUOTED_STRING /* Is also unquoted string but after '+' it is + * quoted eg: +"ROLENAME". used for special + * handling incase of user-group/roles */ + } token_type; ! #define token_is_keyword(t, k) (t->toktype != QUOTED_STRING && pg_strcasecmp(t->string, k) == 0) ! #define token_matches(t, k) ((t->toktype == QUOTED_STRING && strcmp(t->string, k) == 0) \ ! || (t->toktype != QUOTED_STRING && pg_strcasecmp(t->string, k) == 0)) /* * A single string token lexed from the HBA config file, together with whether *************** *** 71,77 **** typedef struct check_network_data typedef struct HbaToken { char *string; ! bool quoted; } HbaToken; /* --- 80,86 ---- typedef struct HbaToken { char *string; ! token_type toktype; } HbaToken; /* *************** *** 123,128 **** pg_isblank(const char c) --- 132,141 ---- * the first character. (We use that to prevent "@x" from being treated * as a file inclusion request. Note that @"x" should be so treated; * we want to allow that to support embedded spaces in file paths.) + * we set *special_plus_quote to indicate whether there was quoting after "+" + * charecter. (We use this to prevent +"ROLENAME" from treating as unquoted + * string as first charecter is not '"', but which require special handling + * only incase of role/user-group name). * We set *terminating_comma to indicate whether the token is terminated by a * comma (which is not returned.) * *************** *** 137,143 **** pg_isblank(const char c) */ static bool next_token(char **lineptr, char *buf, int bufsz, bool *initial_quote, ! bool *terminating_comma) { int c; char *start_buf = buf; --- 150,156 ---- */ static bool next_token(char **lineptr, char *buf, int bufsz, bool *initial_quote, ! bool *special_plus_quote, bool *terminating_comma) { int c; char *start_buf = buf; *************** *** 151,156 **** next_token(char **lineptr, char *buf, int bufsz, bool *initial_quote, --- 164,170 ---- *initial_quote = false; *terminating_comma = false; + *special_plus_quote = false; /* Move over initial whitespace and commas */ while ((c = (*(*lineptr)++)) != '\0' && (pg_isblank(c) || c == ',')) *************** *** 162,167 **** next_token(char **lineptr, char *buf, int bufsz, bool *initial_quote, --- 176,186 ---- return false; } + if ((c == '+') && *(*lineptr) == '"') + { + *special_plus_quote = true; + } + /* * Build a token in buf of next characters up to EOF, EOL, unquoted comma, * or unquoted whitespace. *************** *** 232,238 **** next_token(char **lineptr, char *buf, int bufsz, bool *initial_quote, } static HbaToken * ! make_hba_token(char *token, bool quoted) { HbaToken *hbatoken; int toklen; --- 251,257 ---- } static HbaToken * ! make_hba_token(char *token, token_type toktype) { HbaToken *hbatoken; int toklen; *************** *** 240,246 **** make_hba_token(char *token, bool quoted) toklen = strlen(token); hbatoken = (HbaToken *) palloc(sizeof(HbaToken) + toklen + 1); hbatoken->string = (char *) hbatoken + sizeof(HbaToken); ! hbatoken->quoted = quoted; memcpy(hbatoken->string, token, toklen + 1); return hbatoken; --- 259,265 ---- toklen = strlen(token); hbatoken = (HbaToken *) palloc(sizeof(HbaToken) + toklen + 1); hbatoken->string = (char *) hbatoken + sizeof(HbaToken); ! hbatoken->toktype = toktype; memcpy(hbatoken->string, token, toklen + 1); return hbatoken; *************** *** 252,258 **** make_hba_token(char *token, bool quoted) static HbaToken * copy_hba_token(HbaToken *in) { ! HbaToken *out = make_hba_token(in->string, in->quoted); return out; } --- 271,277 ---- static HbaToken * copy_hba_token(HbaToken *in) { ! HbaToken *out = make_hba_token(in->string, in->toktype); return out; } *************** *** 270,287 **** next_field_expand(const char *filename, char **lineptr) char buf[MAX_TOKEN]; bool trailing_comma; bool initial_quote; List *tokens = NIL; do { ! if (!next_token(lineptr, buf, sizeof(buf), &initial_quote, &trailing_comma)) break; /* Is this referencing a file? */ if (!initial_quote && buf[0] == '@' && buf[1] != '\0') tokens = tokenize_inc_file(tokens, filename, buf + 1); else ! tokens = lappend(tokens, make_hba_token(buf, initial_quote)); } while (trailing_comma); return tokens; --- 289,309 ---- char buf[MAX_TOKEN]; bool trailing_comma; bool initial_quote; + bool special_plus_quote; List *tokens = NIL; do { ! if (!next_token(lineptr, buf, sizeof(buf), &initial_quote, &special_plus_quote, &trailing_comma)) break; /* Is this referencing a file? */ if (!initial_quote && buf[0] == '@' && buf[1] != '\0') tokens = tokenize_inc_file(tokens, filename, buf + 1); + else if (special_plus_quote) + tokens = lappend(tokens, make_hba_token(buf, SPECIAL_PLUS_QUOTED_STRING)); else ! tokens = lappend(tokens, make_hba_token(buf, initial_quote ? QUOTED_STRING : UNQUOTED_STRING)); } while (trailing_comma); return tokens; *************** *** 489,497 **** check_role(const char *role, Oid roleid, List *tokens) foreach(cell, tokens) { tok = lfirst(cell); ! if (!tok->quoted && tok->string[0] == '+') { ! if (is_member(roleid, tok->string + 1)) return true; } else if (token_matches(tok, role) || --- 511,538 ---- foreach(cell, tokens) { tok = lfirst(cell); ! if (tok->toktype != QUOTED_STRING && tok->string[0] == '+') { ! char *usergreoup; ! ! /* ! * '+' follewed by QUOTES denote case sensitive rolename i.e. ! * +"ROLENAME" matches only with "ROLENAME" ! */ ! if (tok->toktype == SPECIAL_PLUS_QUOTED_STRING) ! { ! usergreoup = pstrdup(tok->string + 1); ! } ! else ! { ! char *p; ! ! usergreoup = pstrdup(tok->string + 1); ! for (p = usergreoup; *p; p++) ! *p = pg_tolower(*p); ! } ! ! if (is_member(roleid, usergreoup)) return true; } else if (token_matches(tok, role) || *************** *** 881,887 **** parse_hba_line(List *line, int line_num, char *raw_line) return NULL; } token = linitial(tokens); ! if (strcmp(token->string, "local") == 0) { #ifdef HAVE_UNIX_SOCKETS parsedline->conntype = ctLocal; --- 922,928 ---- return NULL; } token = linitial(tokens); ! if (pg_strcasecmp(token->string, "local") == 0) { #ifdef HAVE_UNIX_SOCKETS parsedline->conntype = ctLocal; *************** *** 894,905 **** parse_hba_line(List *line, int line_num, char *raw_line) return NULL; #endif } ! else if (strcmp(token->string, "host") == 0 || ! strcmp(token->string, "hostssl") == 0 || ! strcmp(token->string, "hostnossl") == 0) { ! if (token->string[4] == 's') /* "hostssl" */ { /* SSL support must be actually active, else complain */ #ifdef USE_SSL --- 935,946 ---- return NULL; #endif } ! else if (pg_strcasecmp(token->string, "host") == 0 || ! pg_strcasecmp(token->string, "hostssl") == 0 || ! pg_strcasecmp(token->string, "hostnossl") == 0) { ! if ((token->string[4] == 's') || (token->string[4] == 'S')) /* "hostssl" */ { /* SSL support must be actually active, else complain */ #ifdef USE_SSL *************** *** 926,932 **** parse_hba_line(List *line, int line_num, char *raw_line) #endif } #ifdef USE_SSL ! else if (token->string[4] == 'n') /* "hostnossl" */ { parsedline->conntype = ctHostNoSSL; } --- 967,973 ---- #endif } #ifdef USE_SSL ! else if ((token->string[4] == 'n') || (token->string[4] == 'N')) /* "hostnossl" */ { parsedline->conntype = ctHostNoSSL; } *************** *** 1181,1209 **** parse_hba_line(List *line, int line_num, char *raw_line) token = linitial(tokens); unsupauth = NULL; ! if (strcmp(token->string, "trust") == 0) parsedline->auth_method = uaTrust; ! else if (strcmp(token->string, "ident") == 0) parsedline->auth_method = uaIdent; ! else if (strcmp(token->string, "peer") == 0) parsedline->auth_method = uaPeer; ! else if (strcmp(token->string, "password") == 0) parsedline->auth_method = uaPassword; ! else if (strcmp(token->string, "gss") == 0) #ifdef ENABLE_GSS parsedline->auth_method = uaGSS; #else unsupauth = "gss"; #endif ! else if (strcmp(token->string, "sspi") == 0) #ifdef ENABLE_SSPI parsedline->auth_method = uaSSPI; #else unsupauth = "sspi"; #endif ! else if (strcmp(token->string, "reject") == 0) parsedline->auth_method = uaReject; ! else if (strcmp(token->string, "md5") == 0) { if (Db_user_namespace) { --- 1222,1250 ---- token = linitial(tokens); unsupauth = NULL; ! if (pg_strcasecmp(token->string, "trust") == 0) parsedline->auth_method = uaTrust; ! else if (pg_strcasecmp(token->string, "ident") == 0) parsedline->auth_method = uaIdent; ! else if (pg_strcasecmp(token->string, "peer") == 0) parsedline->auth_method = uaPeer; ! else if (pg_strcasecmp(token->string, "password") == 0) parsedline->auth_method = uaPassword; ! else if (pg_strcasecmp(token->string, "gss") == 0) #ifdef ENABLE_GSS parsedline->auth_method = uaGSS; #else unsupauth = "gss"; #endif ! else if (pg_strcasecmp(token->string, "sspi") == 0) #ifdef ENABLE_SSPI parsedline->auth_method = uaSSPI; #else unsupauth = "sspi"; #endif ! else if (pg_strcasecmp(token->string, "reject") == 0) parsedline->auth_method = uaReject; ! else if (pg_strcasecmp(token->string, "md5") == 0) { if (Db_user_namespace) { *************** *** 1216,1240 **** parse_hba_line(List *line, int line_num, char *raw_line) } parsedline->auth_method = uaMD5; } ! else if (strcmp(token->string, "pam") == 0) #ifdef USE_PAM parsedline->auth_method = uaPAM; #else unsupauth = "pam"; #endif ! else if (strcmp(token->string, "ldap") == 0) #ifdef USE_LDAP parsedline->auth_method = uaLDAP; #else unsupauth = "ldap"; #endif ! else if (strcmp(token->string, "cert") == 0) #ifdef USE_SSL parsedline->auth_method = uaCert; #else unsupauth = "cert"; #endif ! else if (strcmp(token->string, "radius") == 0) parsedline->auth_method = uaRADIUS; else { --- 1257,1281 ---- } parsedline->auth_method = uaMD5; } ! else if (pg_strcasecmp(token->string, "pam") == 0) #ifdef USE_PAM parsedline->auth_method = uaPAM; #else unsupauth = "pam"; #endif ! else if (pg_strcasecmp(token->string, "ldap") == 0) #ifdef USE_LDAP parsedline->auth_method = uaLDAP; #else unsupauth = "ldap"; #endif ! else if (pg_strcasecmp(token->string, "cert") == 0) #ifdef USE_SSL parsedline->auth_method = uaCert; #else unsupauth = "cert"; #endif ! else if (pg_strcasecmp(token->string, "radius") == 0) parsedline->auth_method = uaRADIUS; else { *************** *** 1408,1414 **** parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num) hbaline->ldapscope = LDAP_SCOPE_SUBTREE; #endif ! if (strcmp(name, "map") == 0) { if (hbaline->auth_method != uaIdent && hbaline->auth_method != uaPeer && --- 1449,1455 ---- hbaline->ldapscope = LDAP_SCOPE_SUBTREE; #endif ! if (pg_strcasecmp(name, "map") == 0) { if (hbaline->auth_method != uaIdent && hbaline->auth_method != uaPeer && *************** *** 1418,1424 **** parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num) INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, and cert")); hbaline->usermap = pstrdup(val); } ! else if (strcmp(name, "clientcert") == 0) { /* * Since we require ctHostSSL, this really can never happen on --- 1459,1465 ---- INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, and cert")); hbaline->usermap = pstrdup(val); } ! else if (pg_strcasecmp(name, "clientcert") == 0) { /* * Since we require ctHostSSL, this really can never happen on *************** *** 1461,1472 **** parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num) hbaline->clientcert = false; } } ! else if (strcmp(name, "pamservice") == 0) { REQUIRE_AUTH_OPTION(uaPAM, "pamservice", "pam"); hbaline->pamservice = pstrdup(val); } ! else if (strcmp(name, "ldapurl") == 0) { #ifdef LDAP_API_FEATURE_X_OPENLDAP LDAPURLDesc *urldata; --- 1502,1513 ---- hbaline->clientcert = false; } } ! else if (pg_strcasecmp(name, "pamservice") == 0) { REQUIRE_AUTH_OPTION(uaPAM, "pamservice", "pam"); hbaline->pamservice = pstrdup(val); } ! else if (pg_strcasecmp(name, "ldapurl") == 0) { #ifdef LDAP_API_FEATURE_X_OPENLDAP LDAPURLDesc *urldata; *************** *** 1515,1521 **** parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num) errmsg("LDAP URLs not supported on this platform"))); #endif /* not OpenLDAP */ } ! else if (strcmp(name, "ldaptls") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldaptls", "ldap"); if (strcmp(val, "1") == 0) --- 1556,1562 ---- errmsg("LDAP URLs not supported on this platform"))); #endif /* not OpenLDAP */ } ! else if (pg_strcasecmp(name, "ldaptls") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldaptls", "ldap"); if (strcmp(val, "1") == 0) *************** *** 1523,1534 **** parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num) else hbaline->ldaptls = false; } ! else if (strcmp(name, "ldapserver") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapserver", "ldap"); hbaline->ldapserver = pstrdup(val); } ! else if (strcmp(name, "ldapport") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapport", "ldap"); hbaline->ldapport = atoi(val); --- 1564,1575 ---- else hbaline->ldaptls = false; } ! else if (pg_strcasecmp(name, "ldapserver") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapserver", "ldap"); hbaline->ldapserver = pstrdup(val); } ! else if (pg_strcasecmp(name, "ldapport") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapport", "ldap"); hbaline->ldapport = atoi(val); *************** *** 1542,1585 **** parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num) return false; } } ! else if (strcmp(name, "ldapbinddn") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapbinddn", "ldap"); hbaline->ldapbinddn = pstrdup(val); } ! else if (strcmp(name, "ldapbindpasswd") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapbindpasswd", "ldap"); hbaline->ldapbindpasswd = pstrdup(val); } ! else if (strcmp(name, "ldapsearchattribute") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapsearchattribute", "ldap"); hbaline->ldapsearchattribute = pstrdup(val); } ! else if (strcmp(name, "ldapbasedn") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapbasedn", "ldap"); hbaline->ldapbasedn = pstrdup(val); } ! else if (strcmp(name, "ldapprefix") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapprefix", "ldap"); hbaline->ldapprefix = pstrdup(val); } ! else if (strcmp(name, "ldapsuffix") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapsuffix", "ldap"); hbaline->ldapsuffix = pstrdup(val); } ! else if (strcmp(name, "krb_realm") == 0) { if (hbaline->auth_method != uaGSS && hbaline->auth_method != uaSSPI) INVALID_AUTH_OPTION("krb_realm", gettext_noop("gssapi and sspi")); hbaline->krb_realm = pstrdup(val); } ! else if (strcmp(name, "include_realm") == 0) { if (hbaline->auth_method != uaGSS && hbaline->auth_method != uaSSPI) --- 1583,1626 ---- return false; } } ! else if (pg_strcasecmp(name, "ldapbinddn") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapbinddn", "ldap"); hbaline->ldapbinddn = pstrdup(val); } ! else if (pg_strcasecmp(name, "ldapbindpasswd") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapbindpasswd", "ldap"); hbaline->ldapbindpasswd = pstrdup(val); } ! else if (pg_strcasecmp(name, "ldapsearchattribute") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapsearchattribute", "ldap"); hbaline->ldapsearchattribute = pstrdup(val); } ! else if (pg_strcasecmp(name, "ldapbasedn") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapbasedn", "ldap"); hbaline->ldapbasedn = pstrdup(val); } ! else if (pg_strcasecmp(name, "ldapprefix") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapprefix", "ldap"); hbaline->ldapprefix = pstrdup(val); } ! else if (pg_strcasecmp(name, "ldapsuffix") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapsuffix", "ldap"); hbaline->ldapsuffix = pstrdup(val); } ! else if (pg_strcasecmp(name, "krb_realm") == 0) { if (hbaline->auth_method != uaGSS && hbaline->auth_method != uaSSPI) INVALID_AUTH_OPTION("krb_realm", gettext_noop("gssapi and sspi")); hbaline->krb_realm = pstrdup(val); } ! else if (pg_strcasecmp(name, "include_realm") == 0) { if (hbaline->auth_method != uaGSS && hbaline->auth_method != uaSSPI) *************** *** 1589,1595 **** parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num) else hbaline->include_realm = false; } ! else if (strcmp(name, "radiusserver") == 0) { struct addrinfo *gai_result; struct addrinfo hints; --- 1630,1636 ---- else hbaline->include_realm = false; } ! else if (pg_strcasecmp(name, "radiusserver") == 0) { struct addrinfo *gai_result; struct addrinfo hints; *************** *** 1617,1623 **** parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num) pg_freeaddrinfo_all(hints.ai_family, gai_result); hbaline->radiusserver = pstrdup(val); } ! else if (strcmp(name, "radiusport") == 0) { REQUIRE_AUTH_OPTION(uaRADIUS, "radiusport", "radius"); hbaline->radiusport = atoi(val); --- 1658,1664 ---- pg_freeaddrinfo_all(hints.ai_family, gai_result); hbaline->radiusserver = pstrdup(val); } ! else if (pg_strcasecmp(name, "radiusport") == 0) { REQUIRE_AUTH_OPTION(uaRADIUS, "radiusport", "radius"); hbaline->radiusport = atoi(val); *************** *** 1631,1642 **** parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num) return false; } } ! else if (strcmp(name, "radiussecret") == 0) { REQUIRE_AUTH_OPTION(uaRADIUS, "radiussecret", "radius"); hbaline->radiussecret = pstrdup(val); } ! else if (strcmp(name, "radiusidentifier") == 0) { REQUIRE_AUTH_OPTION(uaRADIUS, "radiusidentifier", "radius"); hbaline->radiusidentifier = pstrdup(val); --- 1672,1683 ---- return false; } } ! else if (pg_strcasecmp(name, "radiussecret") == 0) { REQUIRE_AUTH_OPTION(uaRADIUS, "radiussecret", "radius"); hbaline->radiussecret = pstrdup(val); } ! else if (pg_strcasecmp(name, "radiusidentifier") == 0) { REQUIRE_AUTH_OPTION(uaRADIUS, "radiusidentifier", "radius"); hbaline->radiusidentifier = pstrdup(val);