Hi,
I recently had to work on some internal tool which, among other things, has to
merge pg_hba.conf and pg_ident.conf files between an existing (possibly
already updated) instance and some external repository.
My biggest concern is that any issue in either the external repository content
or the tool could leave the instance entirely unreachable. There are some
protection attemps to avoid that, but really there isn't any practical
possibility if one wants to make sure that some of the entries are left alone
or not hidden no matter what.
To address that, I'd like to propose the possibility to include files in hba
and ident configuration files. This was already discussed in the past, and in
my understanding this is mostly wanted, while some people expressed concerned
on a use case that wouldn't rely on thousands of entries.
In my case, there shouldn't be more than a dozen generated pg_hba/pg_ident
lines. All I want is to have my main hba (and ident) files do something like:
include hba_forbid_non_ssl.conf
include hba_superuser.conf
include hba_replication.conf
include hba_application_generated.conf
So that the tool has a way to make sure that it won't prevent dba login or
replication, or allow unsecure connections, and can simply rewrite its target
file rather than merging it, sorting it with weird rules and deciding which
lines are ok to be removed and which one aren't.
I'm attaching a patchset that implements $SUBJECT:
0001 adds a new pg_ident_file_mappings view, which is basically the same as
pg_hba_file_rules view but for mappings. It's probably already useful, for
instance if you need to tweak some regexp.
0002 adds a new "include" directive to both auth files, which will include the
given file at this exact position. I chose to do this is in the tokenization
rather than the parsing, as it makes things simpler in general, and also allows
a single code path for both files. It also adds 2 new columns to the
pg_hba_file_rules and pg_ident_file_mappings views: file_name and
(rule|mapping)_number, so it's possible to identify where a rule is coming from
and more importantly which has the priority over the over. Note that I only
added "include", but maybe people would want something like include_dir or
include_if_exists too.
Both patches have updated documentation, but no test yet. If there's an
agreement on the feature, I plan to add some TAP test for it.
Finally I also added 0003, which is a POC for a new pg_hba_matches() function,
that can help DBA to understand why their configuration isn't working as they
expect. This only to start the discussion on that topic, the code is for now
really hackish, as I don't know how much this is wanted and/or if some other
behavior would be better, and there's also no documentation or test. The
function for now only takes an optional inet (null means unix socket), the
target role and an optional ssl flag and returns the file, line and raw line
matching if any, or null. For instance:
=# select * from pg_hba_matches('127.0.0.1'::inet, 'postgres');
-[ RECORD 1 ]-----------------------------------------------------------------
file_name | /tmp/pgbuild/toto.conf
line_num | 5
raw_line | host all all 127.0.0.1/32 trust
I'm wondering for instance if it would be better to (optionally?) keep
iterating over the lines and print all lines that would have matched and in
which order, or if the function should return the parsed line information
rather than the raw line, although it could make the output worse if using huge
secondary auth files. I'm also not sure if the various possible flags (ssl,
gss) should be explicitly set or if the function should try various
permutations on its own.
Note that this function only works against the current configuration files, not
the one currently active. As far as I can see PostgresMain gets rid of
PostmasterContext, which is where they currently live, so they don't exist
anymore in the backends. To make it work we would have to always keep those in
each backend, but also reload them along with the main config file on SIGHUP.
Except on Windows (and -DEXEC_BACKEND), as the current version of auth files
are always used anyway. So would it make sense to add the possibility to use
the loaded files instead, given the required extra cost and the fact that it
wouldn't make sense on Windows? If yes, I guess that we should also allow that
in the pg_hba / pg_ident views.
While at it, I noticed this comment added in de16ab72388:
> The <filename>pg_hba.conf</filename> file is read on start-up and when
> the main server process receives a
> <systemitem>SIGHUP</systemitem><indexterm><primary>SIGHUP</primary></indexterm>
> signal. If you edit the file on an
> active system, you will need to signal the postmaster
> (using <literal>pg_ctl reload</literal>, calling the SQL function
> <function>pg_reload_conf()</function>, or using <literal>kill
> -HUP</literal>) to make it re-read the file.
> [...]
> The preceding statement is not true on Microsoft Windows: there, any
> changes in the <filename>pg_hba.conf</filename> file are immediately
> applied by subsequent new connections.
I also find this comment a bit misleading. Wouldn't it be better to have a
similar statement for pg_ident, or at least a note that it applies to both
files?
>From 61437776c103b7a3520ab6486cc5f1e88df0f80a Mon Sep 17 00:00:00 2001
From: Julien Rouhaud <julien.rouh...@free.fr>
Date: Mon, 21 Feb 2022 17:38:34 +0800
Subject: [PATCH v1 1/3] Add a pg_ident_file_mappings view.
This view is similar to pg_hba_file_rules view, and can be also helpful to help
diagnosing configuration problems.
A following commit will add the possibility to include files in pg_hba and
pg_ident configuration files, which will then make this view even more useful.
Author: Julien Rouhaud
Reviewed-by: FIXME
Discussion: FIXME
---
doc/src/sgml/catalogs.sgml | 108 ++++++++++++++
doc/src/sgml/client-auth.sgml | 10 ++
doc/src/sgml/func.sgml | 5 +-
src/backend/catalog/system_views.sql | 6 +
src/backend/libpq/hba.c | 191 +++++++++++++++++++++++--
src/include/catalog/pg_proc.dat | 7 +
src/test/regress/expected/rules.out | 6 +
src/test/regress/expected/sysviews.out | 7 +
src/test/regress/sql/sysviews.sql | 3 +
9 files changed, 328 insertions(+), 15 deletions(-)
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 83987a9904..0de40a9626 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -9530,6 +9530,11 @@ SCRAM-SHA-256$<replaceable><iteration
count></replaceable>:<replaceable>&l
<entry>summary of client authentication configuration file
contents</entry>
</row>
+ <row>
+ <entry><link
linkend="view-pg-hba-file-rules"><structname>pg_ident_file_mappings</structname></link></entry>
+ <entry>summary of client user name mapping configuration file
contents</entry>
+ </row>
+
<row>
<entry><link
linkend="view-pg-indexes"><structname>pg_indexes</structname></link></entry>
<entry>indexes</entry>
@@ -10523,6 +10528,109 @@ SCRAM-SHA-256$<replaceable><iteration
count></replaceable>:<replaceable>&l
</para>
</sect1>
+ <sect1 id="view-pg-ident-file-mappings">
+ <title><structname>pg_ident_file_mappings</structname></title>
+
+ <indexterm zone="view-pg-ident-file-mappings">
+ <primary>pg_ident_file_mappings</primary>
+ </indexterm>
+
+ <para>
+ The view <structname>pg_ident_file_mappings</structname> provides a summary
+ of the contents of the client user name mapping configuration file,
+ <link
linkend="auth-username-maps"><filename>pg_ident.conf</filename></link>.
+ A row appears in this view for each
+ non-empty, non-comment line in the file, with annotations indicating
+ whether the rule could be applied successfully.
+ </para>
+
+ <para>
+ This view can be helpful for checking whether planned changes in the
+ authentication configuration file will work, or for diagnosing a previous
+ failure. Note that this view reports on the <emphasis>current</emphasis>
+ contents of the file, not on what was last loaded by the server.
+ </para>
+
+ <para>
+ By default, the <structname>pg_ident_file_mappings</structname> view can be
+ read only by superusers.
+ </para>
+
+ <table>
+ <title><structname>pg_ident_file_mappings</structname> Columns</title>
<tgroup
+ cols="1">
+ <thead>
+ <row>
+ <entry role="catalog_table_entry"><para role="column_definition">
+ Column Type
+ </para>
+ <para>
+ Description
+ </para></entry>
+ </row>
+ </thead>
+
+ <tbody>
+ <row>
+ <entry role="catalog_table_entry"><para role="column_definition">
+ <structfield>line_number</structfield> <type>int4</type>
+ </para>
+ <para>
+ Line number of this rule in <filename>pg_ident.conf</filename>
+ </para></entry>
+ </row>
+
+ <row>
+ <entry role="catalog_table_entry"><para role="column_definition">
+ <structfield>map_name</structfield> <type>text</type>
+ </para>
+ <para>
+ Name of the map
+ </para></entry>
+ </row>
+
+ <row>
+ <entry role="catalog_table_entry"><para role="column_definition">
+ <structfield>sys_name</structfield> <type>text</type>
+ </para>
+ <para>
+ Detected user name of the client
+ </para></entry>
+ </row>
+
+ <row>
+ <entry role="catalog_table_entry"><para role="column_definition">
+ <structfield>pg_username</structfield> <type>text</type>
+ </para>
+ <para>
+ Requested PostgreSQL user name
+ </para></entry>
+ </row>
+
+ <row>
+ <entry role="catalog_table_entry"><para role="column_definition">
+ <structfield>error</structfield> <type>text</type>
+ </para>
+ <para>
+ If not null, an error message indicating why this line could not be
+ processed
+ </para></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <para>
+ Usually, a row reflecting an incorrect entry will have values for only
+ the <structfield>line_number</structfield> and
<structfield>error</structfield> fields.
+ </para>
+
+ <para>
+ See <xref linkend="client-authentication"/> for more information about
+ client authentication configuration.
+ </para>
+ </sect1>
+
<sect1 id="view-pg-indexes">
<title><structname>pg_indexes</structname></title>
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 02f0489112..142b0affcb 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -896,6 +896,16 @@ mymap /^(.*)@otherdomain\.com$ guest
-HUP</literal>) to make it re-read the file.
</para>
+ <para>
+ The system view
+ <link
linkend="view-pg-ident-file-mappings"><structname>pg_ident_file_mappings</structname></link>
+ can be helpful for pre-testing changes to the
+ <filename>pg_ident.conf</filename> file, or for diagnosing problems if
+ loading of the file did not have the desired effects. Rows in the view with
+ non-null <structfield>error</structfield> fields indicate problems in the
+ corresponding lines of the file.
+ </para>
+
<para>
A <filename>pg_ident.conf</filename> file that could be used in
conjunction with the <filename>pg_hba.conf</filename> file in <xref
diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml
index df3cd5987b..bbac492043 100644
--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@@ -25475,8 +25475,9 @@ SELECT collation for ('foo' COLLATE "de_DE");
sending a <systemitem>SIGHUP</systemitem> signal to the postmaster
process, which in turn sends <systemitem>SIGHUP</systemitem> to each
of its children.) You can use the
- <link
linkend="view-pg-file-settings"><structname>pg_file_settings</structname></link>
and
- <link
linkend="view-pg-hba-file-rules"><structname>pg_hba_file_rules</structname></link>
views
+ <link
linkend="view-pg-file-settings"><structname>pg_file_settings</structname></link>,
+ <link
linkend="view-pg-hba-file-rules"><structname>pg_hba_file_rules</structname></link>
and
+ <link
linkend="view-pg-hba-file-rules"><structname>pg_ident_file_mappings</structname></link>
views
to check the configuration files for possible errors, before reloading.
</para></entry>
</row>
diff --git a/src/backend/catalog/system_views.sql
b/src/backend/catalog/system_views.sql
index 3cb69b1f87..ef13f470b3 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -607,6 +607,12 @@ CREATE VIEW pg_hba_file_rules AS
REVOKE ALL ON pg_hba_file_rules FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION pg_hba_file_rules() FROM PUBLIC;
+CREATE VIEW pg_ident_file_mappings AS
+ SELECT * FROM pg_ident_file_mappings() AS A;
+
+REVOKE ALL ON pg_ident_file_mappings FROM PUBLIC;
+REVOKE EXECUTE ON FUNCTION pg_ident_file_mappings() FROM PUBLIC;
+
CREATE VIEW pg_timezone_abbrevs AS
SELECT * FROM pg_timezone_abbrevs();
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index d84a40b726..9a9ce96fee 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -148,6 +148,9 @@ static ArrayType *gethba_options(HbaLine *hba);
static void fill_hba_line(Tuplestorestate *tuple_store, TupleDesc tupdesc,
int lineno, HbaLine *hba,
const char *err_msg);
static void fill_hba_view(Tuplestorestate *tuple_store, TupleDesc tupdesc);
+static void fill_ident_line(Tuplestorestate *tuple_store, TupleDesc tupdesc,
+ int lineno, IdentLine
*ident, const char *err_msg);
+static void fill_ident_view(Tuplestorestate *tuple_store, TupleDesc tupdesc);
/*
@@ -914,25 +917,22 @@ do { \
} while (0)
/*
- * Macros for handling pg_ident problems.
- * Much as above, but currently the message level is hardwired as LOG
- * and there is no provision for an err_msg string.
+ * Macros for handling pg_ident problems, similar as above.
*
* IDENT_FIELD_ABSENT:
- * Log a message and exit the function if the given ident field ListCell is
- * not populated.
+ * Reports when the given ident field ListCell is not populated.
*
* IDENT_MULTI_VALUE:
- * Log a message and exit the function if the given ident token List has more
- * than one element.
+ * Reports if the given ident token List has more than one element.
*/
#define IDENT_FIELD_ABSENT(field) \
do { \
if (!field) { \
- ereport(LOG, \
+ ereport(elevel, \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
errmsg("missing entry in file \"%s\" at end of
line %d", \
IdentFileName, line_num))); \
+ *err_msg = psprintf("missing entry at end of line"); \
return NULL; \
} \
} while (0)
@@ -940,11 +940,12 @@ do { \
#define IDENT_MULTI_VALUE(tokens) \
do { \
if (tokens->length > 1) { \
- ereport(LOG, \
+ ereport(elevel, \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
errmsg("multiple values in ident field"), \
errcontext("line %d of configuration file
\"%s\"", \
line_num,
IdentFileName))); \
+ *err_msg = psprintf("multiple values in ident field"); \
return NULL; \
} \
} while (0)
@@ -2753,7 +2754,8 @@ pg_hba_file_rules(PG_FUNCTION_ARGS)
* Parse one tokenised line from the ident config file and store the result in
* an IdentLine structure.
*
- * If parsing fails, log a message and return NULL.
+ * If parsing fails, log a message at ereport level elevel, store an error
+ * string in tok_line->err_msg and return NULL.
*
* If ident_user is a regular expression (ie. begins with a slash), it is
* compiled and stored in IdentLine structure.
@@ -2763,9 +2765,10 @@ pg_hba_file_rules(PG_FUNCTION_ARGS)
* NULL.
*/
static IdentLine *
-parse_ident_line(TokenizedLine *tok_line)
+parse_ident_line(TokenizedLine *tok_line, int elevel)
{
int line_num = tok_line->line_num;
+ char **err_msg = &tok_line->err_msg;
ListCell *field;
List *tokens;
HbaToken *token;
@@ -2819,11 +2822,14 @@ parse_ident_line(TokenizedLine *tok_line)
char errstr[100];
pg_regerror(r, &parsedline->re, errstr, sizeof(errstr));
- ereport(LOG,
+ ereport(elevel,
(errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
errmsg("invalid regular expression
\"%s\": %s",
parsedline->ident_user
+ 1, errstr)));
+ *err_msg = psprintf("invalid regular expression \"%s\":
%s",
+
parsedline->ident_user + 1, errstr);
+
pfree(wstr);
return NULL;
}
@@ -3074,7 +3080,7 @@ load_ident(void)
continue;
}
- if ((newline = parse_ident_line(tok_line)) == NULL)
+ if ((newline = parse_ident_line(tok_line, LOG)) == NULL)
{
/* Parse error; remember there's trouble */
ok = false;
@@ -3164,3 +3170,162 @@ hba_authname(UserAuth auth_method)
return UserAuthName[auth_method];
}
+
+/* Number of columns in pg_hba_file_mappings view */
+#define NUM_PG_IDENT_FILE_MAPPINGS_ATTS 5
+
+/*
+ * fill_ident_line: build one row of pg_ident_file_mappings view, add it to
+ * tuplestore
+ *
+ * tuple_store: where to store data
+ * tupdesc: tuple descriptor for the view
+ * lineno: pg_hba.conf line number (must always be valid)
+ * ident: parsed line data (can be NULL, in which case err_msg should be set)
+ * err_msg: error message (NULL if none)
+ *
+ * Note: leaks memory, but we don't care since this is run in a short-lived
+ * memory context.
+ */
+static void
+fill_ident_line(Tuplestorestate *tuple_store, TupleDesc tupdesc,
+ int lineno, IdentLine *ident, const char
*err_msg)
+{
+ Datum values[NUM_PG_IDENT_FILE_MAPPINGS_ATTS];
+ bool nulls[NUM_PG_IDENT_FILE_MAPPINGS_ATTS];
+ HeapTuple tuple;
+ int index;
+
+ Assert(tupdesc->natts == NUM_PG_IDENT_FILE_MAPPINGS_ATTS);
+
+ memset(values, 0, sizeof(values));
+ memset(nulls, 0, sizeof(nulls));
+ index = 0;
+
+ /* line_number */
+ values[index++] = Int32GetDatum(lineno);
+
+ if (ident != NULL)
+ {
+ values[index++] = CStringGetTextDatum(ident->usermap);
+ values[index++] = CStringGetTextDatum(ident->ident_user);
+ values[index++] = CStringGetTextDatum(ident->pg_role);
+ }
+ else
+ {
+ /* no parsing result, so set relevant fields to nulls */
+ memset(&nulls[1], true, (NUM_PG_IDENT_FILE_MAPPINGS_ATTS - 2) *
sizeof(bool));
+ }
+
+ /* error */
+ if (err_msg)
+ values[NUM_PG_IDENT_FILE_MAPPINGS_ATTS - 1] =
CStringGetTextDatum(err_msg);
+ else
+ nulls[NUM_PG_IDENT_FILE_MAPPINGS_ATTS - 1] = true;
+
+ tuple = heap_form_tuple(tupdesc, values, nulls);
+ tuplestore_puttuple(tuple_store, tuple);
+}
+
+/*
+ * Read the pg_ident.conf file and fill the tuplestore with view records.
+ */
+static void
+fill_ident_view(Tuplestorestate *tuple_store, TupleDesc tupdesc)
+{
+ FILE *file;
+ List *ident_lines = NIL;
+ ListCell *line;
+ MemoryContext linecxt;
+ MemoryContext hbacxt;
+ MemoryContext oldcxt;
+
+ /*
+ * In the unlikely event that we can't open pg_hba.conf, we throw an
+ * error, rather than trying to report it via some sort of view entry.
+ * (Most other error conditions should result in a message in a view
+ * entry.)
+ */
+ file = AllocateFile(IdentFileName, "r");
+ if (file == NULL)
+ ereport(ERROR,
+ (errcode_for_file_access(),
+ errmsg("could not open usermap file \"%s\":
%m",
+ IdentFileName)));
+
+ linecxt = tokenize_file(HbaFileName, file, &ident_lines, DEBUG3);
+ FreeFile(file);
+
+ /* Now parse all the lines */
+ hbacxt = AllocSetContextCreate(CurrentMemoryContext,
+ "ident
parser context",
+
ALLOCSET_SMALL_SIZES);
+ oldcxt = MemoryContextSwitchTo(hbacxt);
+ foreach(line, ident_lines)
+ {
+ TokenizedLine *tok_line = (TokenizedLine *) lfirst(line);
+ IdentLine *identline = NULL;
+
+ /* don't parse lines that already have errors */
+ if (tok_line->err_msg == NULL)
+ identline = parse_ident_line(tok_line, DEBUG3);
+
+ fill_ident_line(tuple_store, tupdesc, tok_line->line_num,
identline,
+ tok_line->err_msg);
+ }
+
+ /* Free tokenizer memory */
+ MemoryContextDelete(linecxt);
+ MemoryContextSwitchTo(oldcxt);
+}
+
+/*
+ * SQL-accessible SRF to return all the entries in the pg_ident.conf file.
+ */
+Datum
+pg_ident_file_mappings(PG_FUNCTION_ARGS)
+{
+ Tuplestorestate *tuple_store;
+ TupleDesc tupdesc;
+ MemoryContext old_cxt;
+ ReturnSetInfo *rsi;
+
+ /*
+ * We must use the Materialize mode to be safe against ident file
changes
+ * while the cursor is open. It's also more efficient than having to
look
+ * up our current position in the parsed list every time.
+ */
+ rsi = (ReturnSetInfo *) fcinfo->resultinfo;
+
+ /* Check to see if caller supports us returning a tuplestore */
+ if (rsi == NULL || !IsA(rsi, ReturnSetInfo))
+ ereport(ERROR,
+ (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+ errmsg("set-valued function called in context
that cannot accept a set")));
+ if (!(rsi->allowedModes & SFRM_Materialize))
+ ereport(ERROR,
+ (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+ errmsg("materialize mode required, but it is
not allowed in this context")));
+
+ rsi->returnMode = SFRM_Materialize;
+
+ /* Build a tuple descriptor for our result type */
+ if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE)
+ elog(ERROR, "return type must be a row type");
+
+ /* Build tuplestore to hold the result rows */
+ old_cxt = MemoryContextSwitchTo(rsi->econtext->ecxt_per_query_memory);
+
+ tuple_store =
+ tuplestore_begin_heap(rsi->allowedModes &
SFRM_Materialize_Random,
+ false, work_mem);
+ rsi->setDesc = tupdesc;
+ rsi->setResult = tuple_store;
+
+ MemoryContextSwitchTo(old_cxt);
+
+ /* Fill the tuplestore */
+ fill_ident_view(tuple_store, tupdesc);
+
+ PG_RETURN_NULL();
+}
diff --git a/src/include/catalog/pg_proc.dat b/src/include/catalog/pg_proc.dat
index 7f1ee97f55..2c8f5d9c13 100644
--- a/src/include/catalog/pg_proc.dat
+++ b/src/include/catalog/pg_proc.dat
@@ -6121,6 +6121,13 @@
proargmodes => '{o,o,o,o,o,o,o,o,o}',
proargnames =>
'{line_number,type,database,user_name,address,netmask,auth_method,options,error}',
prosrc => 'pg_hba_file_rules' },
+{ oid => '9556', descr => 'show pg_ident.conf mappings',
+ proname => 'pg_ident_file_mappings', prorows => '1000', proretset => 't',
+ provolatile => 'v', prorettype => 'record', proargtypes => '',
+ proallargtypes => '{int4,text,text,text,text}',
+ proargmodes => '{o,o,o,o,o}',
+ proargnames => '{line_number,map_name,sys_name,pg_usernamee,error}',
+ prosrc => 'pg_ident_file_mappings' },
{ oid => '1371', descr => 'view system lock information',
proname => 'pg_lock_status', prorows => '1000', proretset => 't',
provolatile => 'v', prorettype => 'record', proargtypes => '',
diff --git a/src/test/regress/expected/rules.out
b/src/test/regress/expected/rules.out
index 1420288d67..62cf0d8674 100644
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
@@ -1347,6 +1347,12 @@ pg_hba_file_rules| SELECT a.line_number,
a.options,
a.error
FROM pg_hba_file_rules() a(line_number, type, database, user_name, address,
netmask, auth_method, options, error);
+pg_ident_file_mappings| SELECT a.line_number,
+ a.map_name,
+ a.sys_name,
+ a.pg_usernamee,
+ a.error
+ FROM pg_ident_file_mappings() a(line_number, map_name, sys_name,
pg_usernamee, error);
pg_indexes| SELECT n.nspname AS schemaname,
c.relname AS tablename,
i.relname AS indexname,
diff --git a/src/test/regress/expected/sysviews.out
b/src/test/regress/expected/sysviews.out
index 442eeb1e3f..d8a7df9498 100644
--- a/src/test/regress/expected/sysviews.out
+++ b/src/test/regress/expected/sysviews.out
@@ -55,6 +55,13 @@ select count(*) > 0 as ok from pg_hba_file_rules;
t
(1 row)
+-- We expect no user mapping in this test
+select count(*) = 0 as ok from pg_ident_file_mappings;
+ ok
+----
+ t
+(1 row)
+
-- There will surely be at least one active lock
select count(*) > 0 as ok from pg_locks;
ok
diff --git a/src/test/regress/sql/sysviews.sql
b/src/test/regress/sql/sysviews.sql
index 4980f07be2..4c1129e787 100644
--- a/src/test/regress/sql/sysviews.sql
+++ b/src/test/regress/sql/sysviews.sql
@@ -28,6 +28,9 @@ select count(*) >= 0 as ok from pg_file_settings;
-- There will surely be at least one rule
select count(*) > 0 as ok from pg_hba_file_rules;
+-- We expect no user mapping in this test
+select count(*) = 0 as ok from pg_ident_file_mappings;
+
-- There will surely be at least one active lock
select count(*) > 0 as ok from pg_locks;
--
2.33.1
>From fc24bf043a2792930a61dccfd82f94dd5ca23bee Mon Sep 17 00:00:00 2001
From: Julien Rouhaud <julien.rouh...@free.fr>
Date: Mon, 21 Feb 2022 15:45:26 +0800
Subject: [PATCH v1 2/3] Allow file inclusion in pg_hba and pg_ident files.
Author: Julien Rouhaud
Reviewed-by: FIXME
Discussion: FIXME
---
doc/src/sgml/catalogs.sgml | 48 ++++-
doc/src/sgml/client-auth.sgml | 34 +++-
src/backend/libpq/hba.c | 252 +++++++++++++++++++------
src/backend/libpq/pg_hba.conf.sample | 8 +-
src/backend/libpq/pg_ident.conf.sample | 8 +-
src/include/catalog/pg_proc.dat | 12 +-
src/include/libpq/hba.h | 1 +
src/test/regress/expected/rules.out | 12 +-
8 files changed, 304 insertions(+), 71 deletions(-)
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 0de40a9626..07c6679a52 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -10430,12 +10430,31 @@ SCRAM-SHA-256$<replaceable><iteration
count></replaceable>:<replaceable>&l
</thead>
<tbody>
+ <row>
+ <entry role="catalog_table_entry"><para role="column_definition">
+ <structfield>rule_number</structfield> <type>int4</type>
+ </para>
+ <para>
+ Rule number, in priority order, of this rule if the rule is valid,
+ otherwise null
+ </para></entry>
+ </row>
+
+ <row>
+ <entry role="catalog_table_entry"><para role="column_definition">
+ <structfield>file_name</structfield> <type>text</type>
+ </para>
+ <para>
+ File name of this rule
+ </para></entry>
+ </row>
+
<row>
<entry role="catalog_table_entry"><para role="column_definition">
<structfield>line_number</structfield> <type>int4</type>
</para>
<para>
- Line number of this rule in <filename>pg_hba.conf</filename>
+ Line number of this rule in the given file_name
</para></entry>
</row>
@@ -10571,6 +10590,33 @@ SCRAM-SHA-256$<replaceable><iteration
count></replaceable>:<replaceable>&l
</thead>
<tbody>
+ <row>
+ <entry role="catalog_table_entry"><para role="column_definition">
+ <structfield>mapping_number</structfield> <type>int4</type>
+ </para>
+ <para>
+ Rule number, in priority order, of this mapping if the mapping is valid,
+ otherwise null
+ </para></entry>
+ </row>
+
+ <row>
+ <entry role="catalog_table_entry"><para role="column_definition">
+ <structfield>file_name</structfield> <type>text</type>
+ </para>
+ <para>
+ File name of this mapping
+ </para></entry>
+ </row>
+
+ <row>
+ <entry role="catalog_table_entry"><para role="column_definition">
+ <structfield>line_number</structfield> <type>int4</type>
+ </para>
+ <para>
+ Line number of this mapping in the given file_name
+ </para></entry>
+ </row>
<row>
<entry role="catalog_table_entry"><para role="column_definition">
<structfield>line_number</structfield> <type>int4</type>
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 142b0affcb..e1d0e103b3 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -89,8 +89,17 @@
</para>
<para>
- Each record specifies a connection type, a client IP address range
- (if relevant for the connection type), a database name, a user name,
+ Each record can either be an inclusion directive or an authentication rule.
+ Inclusion records specifies files that can be included, which contains
+ additional records. The records will be inserted in lieu of the inclusion
+ records. Those records only contains two fields: the
+ <literal>include</literal> directive and the file to be included. The file
+ can be a relative of absolute path, and can be double quoted if needed.
+ </para>
+
+ <para>
+ Each authentication record specifies a connection type, a client IP address
+ range (if relevant for the connection type), a database name, a user name,
and the authentication method to be used for connections matching
these parameters. The first record with a matching connection type,
client address, requested database, and user name is used to perform
@@ -103,6 +112,7 @@
<para>
A record can have several formats:
<synopsis>
+include <replaceable>file</replaceable>
local <replaceable>database</replaceable>
<replaceable>user</replaceable> <replaceable>auth-method</replaceable>
<optional><replaceable>auth-options</replaceable></optional>
host <replaceable>database</replaceable>
<replaceable>user</replaceable> <replaceable>address</replaceable>
<replaceable>auth-method</replaceable>
<optional><replaceable>auth-options</replaceable></optional>
hostssl <replaceable>database</replaceable>
<replaceable>user</replaceable> <replaceable>address</replaceable>
<replaceable>auth-method</replaceable>
<optional><replaceable>auth-options</replaceable></optional>
@@ -118,6 +128,15 @@ hostnogssenc <replaceable>database</replaceable>
<replaceable>user</replaceabl
The meaning of the fields is as follows:
<variablelist>
+ <varlistentry>
+ <term><literal>include</literal></term>
+ <listitem>
+ <para>
+ This line will be replaced with the content of the given file.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><literal>local</literal></term>
<listitem>
@@ -835,8 +854,9 @@ local db1,db2,@demodbs all
md5
cluster's data directory. (It is possible to place the map file
elsewhere, however; see the <xref linkend="guc-ident-file"/>
configuration parameter.)
- The ident map file contains lines of the general form:
+ The ident map file contains lines of two general form:
<synopsis>
+<replaceable>include</replaceable> <replaceable>file</replaceable>
<replaceable>map-name</replaceable> <replaceable>system-username</replaceable>
<replaceable>database-username</replaceable>
</synopsis>
Comments, whitespace and line continuations are handled in the same way as
in
@@ -847,6 +867,14 @@ local db1,db2,@demodbs all
md5
database user name. The same <replaceable>map-name</replaceable> can be
used repeatedly to specify multiple user-mappings within a single map.
</para>
+ <para>
+ The lines can record can either be an inclusion directive or an
authentication rule.
+ Inclusion records specifies files that can be included, which contains
+ additional records. The records will be inserted in lieu of the inclusion
+ records. Those records only contains two fields: the
+ <literal>include</literal> directive and the file to be included. The file
+ can be a relative of absolute path, and can be double quoted if needed.
+ </para>
<para>
There is no restriction regarding how many database users a given
operating system user can correspond to, nor vice versa. Thus, entries
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 9a9ce96fee..8b72141342 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -89,11 +89,18 @@ typedef struct HbaToken
typedef struct TokenizedLine
{
List *fields; /* List of lists of HbaTokens */
+ char *file_name; /* File name */
int line_num; /* Line number */
char *raw_line; /* Raw line text */
char *err_msg; /* Error message if any */
} TokenizedLine;
+typedef enum HbaIncludeKind
+{
+ SecondaryAuthFile,
+ IncludedAuthFile
+} HbaIncludeKind;
+
/*
* pre-parsed content of HBA config file: list of HbaLine structs.
* parsed_hba_context is the memory context where it lives.
@@ -140,17 +147,25 @@ static const char *const UserAuthName[] =
static MemoryContext tokenize_file(const char *filename, FILE *file,
List
**tok_lines, int elevel);
+static void tokenize_file_with_context(MemoryContext linecxt,
+
const char *filename, FILE *file,
+ List
**tok_lines, int elevel);
static List *tokenize_inc_file(List *tokens, const char *outer_filename,
const char
*inc_filename, int elevel, char **err_msg);
static bool parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
int elevel, char
**err_msg);
static ArrayType *gethba_options(HbaLine *hba);
static void fill_hba_line(Tuplestorestate *tuple_store, TupleDesc tupdesc,
- int lineno, HbaLine *hba,
const char *err_msg);
+ int rule_number, const char
*filename, int lineno,
+ HbaLine *hba, const char
*err_msg);
static void fill_hba_view(Tuplestorestate *tuple_store, TupleDesc tupdesc);
static void fill_ident_line(Tuplestorestate *tuple_store, TupleDesc tupdesc,
+ int mapping_number,
const char *filename,
int lineno, IdentLine
*ident, const char *err_msg);
static void fill_ident_view(Tuplestorestate *tuple_store, TupleDesc tupdesc);
+static FILE *open_inc_file(HbaIncludeKind kind, const char *inc_filename,
+ const char *outer_filename,
int elevel,
+ char **err_msg, char
**inc_fullname);
/*
@@ -390,36 +405,11 @@ tokenize_inc_file(List *tokens,
ListCell *inc_line;
MemoryContext linecxt;
- if (is_absolute_path(inc_filename))
- {
- /* absolute path is taken as-is */
- inc_fullname = pstrdup(inc_filename);
- }
- else
- {
- /* relative path is relative to dir of calling file */
- inc_fullname = (char *) palloc(strlen(outer_filename) + 1 +
-
strlen(inc_filename) + 1);
- strcpy(inc_fullname, outer_filename);
- get_parent_directory(inc_fullname);
- join_path_components(inc_fullname, inc_fullname, inc_filename);
- canonicalize_path(inc_fullname);
- }
+ inc_file = open_inc_file(SecondaryAuthFile, inc_filename,
outer_filename,
+ elevel, err_msg,
&inc_fullname);
- inc_file = AllocateFile(inc_fullname, "r");
if (inc_file == NULL)
- {
- int save_errno = errno;
-
- ereport(elevel,
- (errcode_for_file_access(),
- errmsg("could not open secondary
authentication file \"@%s\" as \"%s\": %m",
- inc_filename, inc_fullname)));
- *err_msg = psprintf("could not open secondary authentication
file \"@%s\" as \"%s\": %s",
- inc_filename,
inc_fullname, strerror(save_errno));
- pfree(inc_fullname);
return tokens;
- }
/* There is possible recursion here if the file contains @ */
linecxt = tokenize_file(inc_fullname, inc_file, &inc_lines, elevel);
@@ -458,11 +448,37 @@ tokenize_inc_file(List *tokens,
return tokens;
}
+/*
+ * Tokenize the given file.
+ *
+ * Wrapper around tokenize_file_with_context, creating a decicated memory
+ * context.
+ *
+ * Return value is this memory context which contains all memory allocated by
+ * this function (it's a child of caller's context).
+ */
+static MemoryContext
+tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
+{
+ MemoryContext linecxt;
+ linecxt = AllocSetContextCreate(CurrentMemoryContext,
+
"tokenize_file",
+
ALLOCSET_SMALL_SIZES);
+
+ *tok_lines = NIL;
+
+ tokenize_file_with_context(linecxt, filename, file, tok_lines, elevel);
+
+ return linecxt;
+}
+
/*
* Tokenize the given file.
*
* The output is a list of TokenizedLine structs; see struct definition above.
*
+ * linecxt: memory context which must contain all memory allocated by the
+ * function
* filename: the absolute path to the target file
* file: the already-opened target file
* tok_lines: receives output list
@@ -471,27 +487,19 @@ tokenize_inc_file(List *tokens,
* Errors are reported by logging messages at ereport level elevel and by
* adding TokenizedLine structs containing non-null err_msg fields to the
* output list.
- *
- * Return value is a memory context which contains all memory allocated by
- * this function (it's a child of caller's context).
*/
-static MemoryContext
-tokenize_file(const char *filename, FILE *file, List **tok_lines, int elevel)
+static void
+tokenize_file_with_context(MemoryContext linecxt, const char *filename,
+ FILE *file, List
**tok_lines, int elevel)
{
- int line_number = 1;
StringInfoData buf;
- MemoryContext linecxt;
+ int line_number = 1;
MemoryContext oldcxt;
- linecxt = AllocSetContextCreate(CurrentMemoryContext,
-
"tokenize_file",
-
ALLOCSET_SMALL_SIZES);
oldcxt = MemoryContextSwitchTo(linecxt);
initStringInfo(&buf);
- *tok_lines = NIL;
-
while (!feof(file) && !ferror(file))
{
char *lineptr;
@@ -553,28 +561,76 @@ tokenize_file(const char *filename, FILE *file, List
**tok_lines, int elevel)
current_line = lappend(current_line,
current_field);
}
- /* Reached EOL; emit line to TokenizedLine list unless it's
boring */
- if (current_line != NIL || err_msg != NULL)
+ /*
+ * Reached EOL; no need to emit line to TokenizedLine list if
it's
+ * boring
+ */
+ if (current_line == NIL && err_msg == NULL)
+ goto next_line;
+
+ /* If the line is valid, check if that's an include directive */
+ if (err_msg == NULL && list_length(current_line) == 2)
+ {
+ HbaToken *first, *second;
+
+ first = linitial(linitial_node(List, current_line));
+ second = linitial(lsecond_node(List, current_line));
+
+ if (strcmp(first->string, "include") == 0)
+ {
+ char *inc_filename;
+ char *inc_fullname;
+ FILE *inc_file;
+
+ inc_filename = second->string;
+
+ inc_file = open_inc_file(IncludedAuthFile,
inc_filename,
+
filename, elevel, &err_msg,
+
&inc_fullname);
+
+ /*
+ * We could open the file, recursively process
it. Errors will
+ * be reported in the general TokenizedLine
processing.
+ */
+ if (inc_file != NULL)
+ {
+ tokenize_file_with_context(linecxt,
inc_fullname, inc_file,
+
tok_lines, elevel);
+
+ FreeFile(inc_file);
+ pfree(inc_fullname);
+
+ goto next_line;
+ }
+ else
+ {
+ /* We should got an error */
+ Assert(err_msg != NULL);
+ }
+ }
+ }
+
+ /* Emit line to TokenizedLine */
{
TokenizedLine *tok_line;
tok_line = (TokenizedLine *)
palloc(sizeof(TokenizedLine));
tok_line->fields = current_line;
+ tok_line->file_name = pstrdup(filename);
tok_line->line_num = line_number;
tok_line->raw_line = pstrdup(buf.data);
tok_line->err_msg = err_msg;
*tok_lines = lappend(*tok_lines, tok_line);
}
+next_line:
line_number += continuations + 1;
+
}
MemoryContextSwitchTo(oldcxt);
-
- return linecxt;
}
-
/*
* Does user belong to role?
*
@@ -981,6 +1037,7 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
HbaLine *parsedline;
parsedline = palloc0(sizeof(HbaLine));
+ parsedline->sourcefile = pstrdup(tok_line->file_name);
parsedline->linenumber = line_num;
parsedline->rawline = pstrdup(tok_line->raw_line);
@@ -2453,7 +2510,7 @@ gethba_options(HbaLine *hba)
}
/* Number of columns in pg_hba_file_rules view */
-#define NUM_PG_HBA_FILE_RULES_ATTS 9
+#define NUM_PG_HBA_FILE_RULES_ATTS 11
/*
* fill_hba_line: build one row of pg_hba_file_rules view, add it to tuplestore
@@ -2469,7 +2526,8 @@ gethba_options(HbaLine *hba)
*/
static void
fill_hba_line(Tuplestorestate *tuple_store, TupleDesc tupdesc,
- int lineno, HbaLine *hba, const char *err_msg)
+ int rule_number, const char *filename, int lineno,
HbaLine *hba,
+ const char *err_msg)
{
Datum values[NUM_PG_HBA_FILE_RULES_ATTS];
bool nulls[NUM_PG_HBA_FILE_RULES_ATTS];
@@ -2488,6 +2546,13 @@ fill_hba_line(Tuplestorestate *tuple_store, TupleDesc
tupdesc,
memset(nulls, 0, sizeof(nulls));
index = 0;
+ /* rule_number */
+ if (err_msg)
+ nulls[index++] = true;
+ else
+ values[index++] = Int32GetDatum(rule_number);
+ /* file_name */
+ values[index++] = CStringGetTextDatum(filename);
/* line_number */
values[index++] = Int32GetDatum(lineno);
@@ -2631,7 +2696,7 @@ fill_hba_line(Tuplestorestate *tuple_store, TupleDesc
tupdesc,
else
{
/* no parsing result, so set relevant fields to nulls */
- memset(&nulls[1], true, (NUM_PG_HBA_FILE_RULES_ATTS - 2) *
sizeof(bool));
+ memset(&nulls[3], true, (NUM_PG_HBA_FILE_RULES_ATTS - 4) *
sizeof(bool));
}
/* error */
@@ -2653,6 +2718,7 @@ fill_hba_view(Tuplestorestate *tuple_store, TupleDesc
tupdesc)
FILE *file;
List *hba_lines = NIL;
ListCell *line;
+ int rule_number = 0;
MemoryContext linecxt;
MemoryContext hbacxt;
MemoryContext oldcxt;
@@ -2687,8 +2753,12 @@ fill_hba_view(Tuplestorestate *tuple_store, TupleDesc
tupdesc)
if (tok_line->err_msg == NULL)
hbaline = parse_hba_line(tok_line, DEBUG3);
- fill_hba_line(tuple_store, tupdesc, tok_line->line_num,
- hbaline, tok_line->err_msg);
+ /* No error, set a rule number */
+ if (tok_line->err_msg == NULL)
+ rule_number++;
+
+ fill_hba_line(tuple_store, tupdesc, rule_number,
tok_line->file_name,
+ tok_line->line_num, hbaline,
tok_line->err_msg);
}
/* Free tokenizer memory */
@@ -2698,6 +2768,64 @@ fill_hba_view(Tuplestorestate *tuple_store, TupleDesc
tupdesc)
MemoryContextDelete(hbacxt);
}
+static FILE *
+open_inc_file(HbaIncludeKind kind, const char *inc_filename,
+ const char *outer_filename, int elevel, char
**err_msg,
+ char **inc_fullname)
+{
+ FILE *inc_file;
+
+ if (is_absolute_path(inc_filename))
+ {
+ /* absolute path is taken as-is */
+ *inc_fullname = pstrdup(inc_filename);
+ }
+ else
+ {
+ /* relative path is relative to dir of calling file */
+ *inc_fullname = (char *) palloc(strlen(outer_filename) + 1 +
+
strlen(inc_filename) + 1);
+ strcpy(*inc_fullname, outer_filename);
+ get_parent_directory(*inc_fullname);
+ join_path_components(*inc_fullname, *inc_fullname,
inc_filename);
+ canonicalize_path(*inc_fullname);
+ }
+
+ inc_file = AllocateFile(*inc_fullname, "r");
+ if (inc_file == NULL)
+ {
+ int save_errno = errno;
+ const char *msglog;
+ const char *msgview;
+
+ switch (kind)
+ {
+ case SecondaryAuthFile:
+ msglog = "could not open secondary
authentication file \"@%s\" as \"%s\": %m";
+ msgview = "could not open secondary
authentication file \"@%s\" as \"%s\": %s";
+ break;
+ case IncludedAuthFile:
+ msglog = "could not open included
authentication file \"%s\" as \"%s\": %m";
+ msgview = "could not open included
authentication file \"%s\" as \"%s\": %s";
+ break;
+ default:
+ elog(ERROR, "unknown HbaIncludeKind: %d", kind);
+ break;
+ }
+
+ ereport(elevel,
+ (errcode_for_file_access(),
+ errmsg(msglog, inc_filename, *inc_fullname)));
+ *err_msg = psprintf(msgview, inc_filename, *inc_fullname,
+ strerror(save_errno));
+ pfree(*inc_fullname);
+ *inc_fullname = NULL;
+ return NULL;
+ }
+
+ return inc_file;
+}
+
/*
* SQL-accessible SRF to return all the entries in the pg_hba.conf file.
*/
@@ -3172,7 +3300,7 @@ hba_authname(UserAuth auth_method)
}
/* Number of columns in pg_hba_file_mappings view */
-#define NUM_PG_IDENT_FILE_MAPPINGS_ATTS 5
+#define NUM_PG_IDENT_FILE_MAPPINGS_ATTS 7
/*
* fill_ident_line: build one row of pg_ident_file_mappings view, add it to
@@ -3189,7 +3317,8 @@ hba_authname(UserAuth auth_method)
*/
static void
fill_ident_line(Tuplestorestate *tuple_store, TupleDesc tupdesc,
- int lineno, IdentLine *ident, const char
*err_msg)
+ int mapping_number, const char *filename, int
lineno,
+ IdentLine *ident, const char *err_msg)
{
Datum values[NUM_PG_IDENT_FILE_MAPPINGS_ATTS];
bool nulls[NUM_PG_IDENT_FILE_MAPPINGS_ATTS];
@@ -3202,6 +3331,13 @@ fill_ident_line(Tuplestorestate *tuple_store, TupleDesc
tupdesc,
memset(nulls, 0, sizeof(nulls));
index = 0;
+ /* mapping_number */
+ if (err_msg)
+ nulls[index++] = true;
+ else
+ values[index++] = Int32GetDatum(mapping_number);
+ /* file_name */
+ values[index++] = CStringGetTextDatum(filename);
/* line_number */
values[index++] = Int32GetDatum(lineno);
@@ -3214,7 +3350,7 @@ fill_ident_line(Tuplestorestate *tuple_store, TupleDesc
tupdesc,
else
{
/* no parsing result, so set relevant fields to nulls */
- memset(&nulls[1], true, (NUM_PG_IDENT_FILE_MAPPINGS_ATTS - 2) *
sizeof(bool));
+ memset(&nulls[3], true, (NUM_PG_IDENT_FILE_MAPPINGS_ATTS - 4) *
sizeof(bool));
}
/* error */
@@ -3236,6 +3372,7 @@ fill_ident_view(Tuplestorestate *tuple_store, TupleDesc
tupdesc)
FILE *file;
List *ident_lines = NIL;
ListCell *line;
+ int mapping_number = 0;
MemoryContext linecxt;
MemoryContext hbacxt;
MemoryContext oldcxt;
@@ -3270,8 +3407,13 @@ fill_ident_view(Tuplestorestate *tuple_store, TupleDesc
tupdesc)
if (tok_line->err_msg == NULL)
identline = parse_ident_line(tok_line, DEBUG3);
- fill_ident_line(tuple_store, tupdesc, tok_line->line_num,
identline,
- tok_line->err_msg);
+ /* No error, set a rule number */
+ if (tok_line->err_msg == NULL)
+ mapping_number++;
+
+ fill_ident_line(tuple_store, tupdesc, mapping_number,
+ tok_line->file_name,
tok_line->line_num, identline,
+ tok_line->err_msg);
}
/* Free tokenizer memory */
diff --git a/src/backend/libpq/pg_hba.conf.sample
b/src/backend/libpq/pg_hba.conf.sample
index 5f3f63eb0c..0b6589a7b9 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -9,6 +9,7 @@
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
+# include FILE
# local DATABASE USER METHOD [OPTIONS]
# host DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
@@ -18,7 +19,12 @@
#
# (The uppercase items must be replaced by actual values.)
#
-# The first field is the connection type:
+# If the first field is "include", it's not a mapping record but a directive to
+# include records from another file, specified in the field. FILE is the file
+# to include. It can be specified with a relative or absolute path, and can be
+# double quoted if it contains spaces.
+#
+# Otherwise the first field is the connection type:
# - "local" is a Unix-domain socket
# - "host" is a TCP/IP socket (encrypted or not)
# - "hostssl" is a TCP/IP socket that is SSL-encrypted
diff --git a/src/backend/libpq/pg_ident.conf.sample
b/src/backend/libpq/pg_ident.conf.sample
index a5870e6448..138359cf03 100644
--- a/src/backend/libpq/pg_ident.conf.sample
+++ b/src/backend/libpq/pg_ident.conf.sample
@@ -7,12 +7,18 @@
#
# This file controls PostgreSQL user name mapping. It maps external
# user names to their corresponding PostgreSQL user names. Records
-# are of the form:
+# are one of these forms:
#
+# include FILE
# MAPNAME SYSTEM-USERNAME PG-USERNAME
#
# (The uppercase quantities must be replaced by actual values.)
#
+# If the first field is "include", it's not an authentication record but a
+# directive to include records from another file, specified in the field. FILE
+# is the file to include. It can be specified with a relative or absolute
+# path, and can be double quoted if it contains spaces.
+#
# MAPNAME is the (otherwise freely chosen) map name that was used in
# pg_hba.conf. SYSTEM-USERNAME is the detected user name of the
# client. PG-USERNAME is the requested PostgreSQL user name. The
diff --git a/src/include/catalog/pg_proc.dat b/src/include/catalog/pg_proc.dat
index 2c8f5d9c13..2292115c85 100644
--- a/src/include/catalog/pg_proc.dat
+++ b/src/include/catalog/pg_proc.dat
@@ -6117,16 +6117,16 @@
{ oid => '3401', descr => 'show pg_hba.conf rules',
proname => 'pg_hba_file_rules', prorows => '1000', proretset => 't',
provolatile => 'v', prorettype => 'record', proargtypes => '',
- proallargtypes => '{int4,text,_text,_text,text,text,text,_text,text}',
- proargmodes => '{o,o,o,o,o,o,o,o,o}',
- proargnames =>
'{line_number,type,database,user_name,address,netmask,auth_method,options,error}',
+ proallargtypes =>
'{int4,text,int4,text,_text,_text,text,text,text,_text,text}',
+ proargmodes => '{o,o,o,o,o,o,o,o,o,o,o}',
+ proargnames =>
'{rule_number,file_name,line_number,type,database,user_name,address,netmask,auth_method,options,error}',
prosrc => 'pg_hba_file_rules' },
{ oid => '9556', descr => 'show pg_ident.conf mappings',
proname => 'pg_ident_file_mappings', prorows => '1000', proretset => 't',
provolatile => 'v', prorettype => 'record', proargtypes => '',
- proallargtypes => '{int4,text,text,text,text}',
- proargmodes => '{o,o,o,o,o}',
- proargnames => '{line_number,map_name,sys_name,pg_usernamee,error}',
+ proallargtypes => '{int4,text,int4,text,text,text,text}',
+ proargmodes => '{o,o,o,o,o,o,o}',
+ proargnames =>
'{mapping_number,file_name,line_number,map_name,sys_name,pg_usernamee,error}',
prosrc => 'pg_ident_file_mappings' },
{ oid => '1371', descr => 'view system lock information',
proname => 'pg_lock_status', prorows => '1000', proretset => 't',
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 8d9f3821b1..45d6ce1f22 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -79,6 +79,7 @@ typedef enum ClientCertName
typedef struct HbaLine
{
+ char *sourcefile;
int linenumber;
char *rawline;
ConnType conntype;
diff --git a/src/test/regress/expected/rules.out
b/src/test/regress/expected/rules.out
index 62cf0d8674..e6f274cb59 100644
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
@@ -1337,7 +1337,9 @@ pg_group| SELECT pg_authid.rolname AS groname,
WHERE (pg_auth_members.roleid = pg_authid.oid)) AS grolist
FROM pg_authid
WHERE (NOT pg_authid.rolcanlogin);
-pg_hba_file_rules| SELECT a.line_number,
+pg_hba_file_rules| SELECT a.rule_number,
+ a.file_name,
+ a.line_number,
a.type,
a.database,
a.user_name,
@@ -1346,13 +1348,15 @@ pg_hba_file_rules| SELECT a.line_number,
a.auth_method,
a.options,
a.error
- FROM pg_hba_file_rules() a(line_number, type, database, user_name, address,
netmask, auth_method, options, error);
-pg_ident_file_mappings| SELECT a.line_number,
+ FROM pg_hba_file_rules() a(rule_number, file_name, line_number, type,
database, user_name, address, netmask, auth_method, options, error);
+pg_ident_file_mappings| SELECT a.mapping_number,
+ a.file_name,
+ a.line_number,
a.map_name,
a.sys_name,
a.pg_usernamee,
a.error
- FROM pg_ident_file_mappings() a(line_number, map_name, sys_name,
pg_usernamee, error);
+ FROM pg_ident_file_mappings() a(mapping_number, file_name, line_number,
map_name, sys_name, pg_usernamee, error);
pg_indexes| SELECT n.nspname AS schemaname,
c.relname AS tablename,
i.relname AS indexname,
--
2.33.1
>From eba83c6e02a565fbbc66779464de3ca99e9935c8 Mon Sep 17 00:00:00 2001
From: Julien Rouhaud <julien.rouh...@free.fr>
Date: Tue, 22 Feb 2022 21:34:54 +0800
Subject: [PATCH v1 3/3] POC: Add a pg_hba_matches() function.
Author: Julien Rouhaud
Reviewed-by: FIXME
Discussion: FIXME
---
src/backend/catalog/system_functions.sql | 9 ++
src/backend/libpq/hba.c | 127 +++++++++++++++++++++++
src/include/catalog/pg_proc.dat | 7 ++
3 files changed, 143 insertions(+)
diff --git a/src/backend/catalog/system_functions.sql
b/src/backend/catalog/system_functions.sql
index fd1421788e..ae839a4b76 100644
--- a/src/backend/catalog/system_functions.sql
+++ b/src/backend/catalog/system_functions.sql
@@ -594,6 +594,15 @@ LANGUAGE internal
STRICT IMMUTABLE PARALLEL SAFE
AS 'unicode_is_normalized';
+CREATE OR REPLACE FUNCTION
+ pg_hba_matches(
+ IN address inet, IN role text, IN ssl bool DEFAULT false,
+ OUT file_name text, OUT line_num int4, OUT raw_line text)
+RETURNS RECORD
+LANGUAGE INTERNAL
+VOLATILE
+AS 'pg_hba_matches';
+
--
-- The default permissions for functions mean that anyone can execute them.
-- A number of functions shouldn't be executable by just anyone, but rather
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 8b72141342..42fcf9edca 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -41,6 +41,7 @@
#include "utils/acl.h"
#include "utils/builtins.h"
#include "utils/guc.h"
+#include "utils/inet.h"
#include "utils/lsyscache.h"
#include "utils/memutils.h"
#include "utils/varlena.h"
@@ -3471,3 +3472,129 @@ pg_ident_file_mappings(PG_FUNCTION_ARGS)
PG_RETURN_NULL();
}
+
+#define PG_HBA_MATCHES_ATTS 3
+
+/*
+ * SQL-accessible SRF to return the entries that match the given connection
+ * info, if any.
+ */
+Datum pg_hba_matches(PG_FUNCTION_ARGS)
+{
+ MemoryContext ctxt;
+ inet *address = NULL;
+ bool ssl_in_use = false;
+ hbaPort *port = palloc0(sizeof(hbaPort));
+ TupleDesc tupdesc;
+ Datum values[PG_HBA_MATCHES_ATTS];
+ bool isnull[PG_HBA_MATCHES_ATTS];
+
+ if (PG_ARGISNULL(0))
+ port->raddr.addr.ss_family = AF_UNIX;
+ else
+ {
+ int bits;
+ char *ptr;
+ char
tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255/128")];
+
+ address = PG_GETARG_INET_PP(0);
+
+ bits = ip_maxbits(address) - ip_bits(address);
+ if (bits != 0)
+ {
+ ereport(ERROR,
+
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+ errmsg("Invalid address")));
+ }
+
+ /* force display of max bits, regardless of masklen... */
+ if (pg_inet_net_ntop(ip_family(address), ip_addr(address),
+ ip_maxbits(address),
tmp, sizeof(tmp)) == NULL)
+ ereport(ERROR,
+
(errcode(ERRCODE_INVALID_BINARY_REPRESENTATION),
+ errmsg("could not format inet value:
%m")));
+
+ /* Suppress /n if present (shouldn't happen now) */
+ if ((ptr = strchr(tmp, '/')) != NULL)
+ *ptr = '\0';
+
+
+ /* See pg_inet_net_ntop() for details about those constants */
+ switch (ip_family(address))
+ {
+ case PGSQL_AF_INET:
+ {
+ struct sockaddr_in *dst;
+
+ dst = (struct sockaddr_in *) &port->raddr.addr;
+ dst->sin_family = AF_INET;
+ inet_pton(AF_INET, tmp, &dst->sin_addr);
+ break;
+ }
+ case PGSQL_AF_INET6:
+#if defined(AF_INET6) && AF_INET6 != PGSQL_AF_INET6
+ case AF_INET6:
+ {
+ struct sockaddr_in6 *dst;
+
+ dst = (struct sockaddr_in6 *) &port->raddr.addr;
+ dst->sin6_family = AF_INET6;
+ inet_pton(AF_INET6, tmp, &dst->sin6_addr);
+ break;
+ }
+#endif
+ default:
+ elog(ERROR, "unexpected ip_family: %d",
ip_family(address));
+ break;
+ }
+ }
+
+ if (PG_ARGISNULL(1))
+ ereport(ERROR,
+ (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+ errmsg("parameter role is mandatory")));
+ port->user_name = text_to_cstring(PG_GETARG_TEXT_PP(1));
+
+ if (!PG_ARGISNULL(2))
+ ssl_in_use = PG_GETARG_BOOL(2);
+
+ port->ssl_in_use = ssl_in_use;
+
+ tupdesc = CreateTemplateTupleDesc(PG_HBA_MATCHES_ATTS);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 1, "file_name",
+ TEXTOID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 2, "line_num",
+ INT4OID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 3, "raw_line",
+ TEXTOID, -1, 0);
+
+ BlessTupleDesc(tupdesc);
+
+ memset(isnull, 0, sizeof(isnull));
+
+ /* FIXME rework API to not rely on PostmasterContext */
+ ctxt = AllocSetContextCreate(CurrentMemoryContext, "load_hba",
+
ALLOCSET_DEFAULT_SIZES);
+ PostmasterContext = AllocSetContextCreate(ctxt,
+
"Postmaster",
+
ALLOCSET_DEFAULT_SIZES);
+ parsed_hba_context = NULL;
+ if (!load_hba())
+ ereport(ERROR,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("Invalidation auth configuration
file")));
+
+ check_hba(port);
+
+ if (port->hba->auth_method == uaImplicitReject)
+ PG_RETURN_NULL();
+
+ values[0] = CStringGetTextDatum(port->hba->sourcefile);
+ values[1] = Int32GetDatum(port->hba->linenumber);
+ values[2] = CStringGetTextDatum(port->hba->rawline);
+
+ MemoryContextDelete(PostmasterContext);
+ PostmasterContext = NULL;
+
+ return HeapTupleGetDatum(heap_form_tuple(tupdesc, values, isnull));
+}
diff --git a/src/include/catalog/pg_proc.dat b/src/include/catalog/pg_proc.dat
index 2292115c85..b33cad2848 100644
--- a/src/include/catalog/pg_proc.dat
+++ b/src/include/catalog/pg_proc.dat
@@ -6128,6 +6128,13 @@
proargmodes => '{o,o,o,o,o,o,o}',
proargnames =>
'{mapping_number,file_name,line_number,map_name,sys_name,pg_usernamee,error}',
prosrc => 'pg_ident_file_mappings' },
+{ oid => '9557', descr => 'show wether the given connection would match an hba
line',
+ proname => 'pg_hba_matches', provolatile => 'v', prorettype => 'record',
+ proargtypes => 'inet text bool', proisstrict => 'f',
+ proallargtypes => '{inet,text,bool,text,int4,text}',
+ proargmodes => '{i,i,i,o,o,o}',
+ proargnames => '{address,role,ssl,file_name,line_num,raw_line}',
+ prosrc => 'pg_hba_matches' },
{ oid => '1371', descr => 'view system lock information',
proname => 'pg_lock_status', prorows => '1000', proretset => 't',
provolatile => 'v', prorettype => 'record', proargtypes => '',
--
2.33.1
