]> granicus.if.org Git - postgresql/blob - src/backend/libpq/hba.c
Reduce hash size for compute_array_stats, compute_tsvector_stats.
[postgresql] / src / backend / libpq / hba.c
1 /*-------------------------------------------------------------------------
2  *
3  * hba.c
4  *        Routines to handle host based authentication (that's the scheme
5  *        wherein you authenticate a user by seeing what IP address the system
6  *        says he comes from and choosing authentication method based on it).
7  *
8  * Portions Copyright (c) 1996-2012, PostgreSQL Global Development Group
9  * Portions Copyright (c) 1994, Regents of the University of California
10  *
11  *
12  * IDENTIFICATION
13  *        src/backend/libpq/hba.c
14  *
15  *-------------------------------------------------------------------------
16  */
17 #include "postgres.h"
18
19 #include <ctype.h>
20 #include <pwd.h>
21 #include <fcntl.h>
22 #include <sys/param.h>
23 #include <sys/socket.h>
24 #include <netinet/in.h>
25 #include <arpa/inet.h>
26 #include <unistd.h>
27
28 #include "catalog/pg_collation.h"
29 #include "libpq/ip.h"
30 #include "libpq/libpq.h"
31 #include "postmaster/postmaster.h"
32 #include "regex/regex.h"
33 #include "replication/walsender.h"
34 #include "storage/fd.h"
35 #include "utils/acl.h"
36 #include "utils/guc.h"
37 #include "utils/lsyscache.h"
38 #include "utils/memutils.h"
39
40
41 #define atooid(x)  ((Oid) strtoul((x), NULL, 10))
42 #define atoxid(x)  ((TransactionId) strtoul((x), NULL, 10))
43
44 #define MAX_TOKEN       256
45
46 /* callback data for check_network_callback */
47 typedef struct check_network_data
48 {
49         IPCompareMethod method;         /* test method */
50         SockAddr   *raddr;                      /* client's actual address */
51         bool            result;                 /* set to true if match */
52 } check_network_data;
53
54
55 #define token_is_keyword(t, k)  (!t->quoted && strcmp(t->string, k) == 0)
56 #define token_matches(t, k)  (strcmp(t->string, k) == 0)
57
58 /*
59  * A single string token lexed from the HBA config file, together with whether
60  * the token had been quoted.
61  */
62 typedef struct HbaToken
63 {
64         char   *string;
65         bool    quoted;
66 } HbaToken;
67
68 /*
69  * pre-parsed content of HBA config file: list of HbaLine structs.
70  * parsed_hba_context is the memory context where it lives.
71  */
72 static List *parsed_hba_lines = NIL;
73 static MemoryContext parsed_hba_context = NULL;
74
75 /*
76  * These variables hold the pre-parsed contents of the ident usermap
77  * configuration file.  ident_lines is a triple-nested list of lines, fields
78  * and tokens, as returned by tokenize_file.  There will be one line in
79  * ident_lines for each (non-empty, non-comment) line of the file.  Note there
80  * will always be at least one field, since blank lines are not entered in the
81  * data structure.  ident_line_nums is an integer list containing the actual
82  * line number for each line represented in ident_lines.  ident_context is
83  * the memory context holding all this.
84  */
85 static List *ident_lines = NIL;
86 static List *ident_line_nums = NIL;
87 static MemoryContext ident_context = NULL;
88
89
90 static MemoryContext tokenize_file(const char *filename, FILE *file,
91                           List **lines, List **line_nums);
92 static List *tokenize_inc_file(List *tokens, const char *outer_filename,
93                                   const char *inc_filename);
94 static bool parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
95                                    int line_num);
96
97 /*
98  * isblank() exists in the ISO C99 spec, but it's not very portable yet,
99  * so provide our own version.
100  */
101 bool
102 pg_isblank(const char c)
103 {
104         return c == ' ' || c == '\t' || c == '\r';
105 }
106
107
108 /*
109  * Grab one token out of fp. Tokens are strings of non-blank
110  * characters bounded by blank characters, commas, beginning of line, and
111  * end of line. Blank means space or tab. Tokens can be delimited by
112  * double quotes (this allows the inclusion of blanks, but not newlines).
113  *
114  * The token, if any, is returned at *buf (a buffer of size bufsz).
115  * Also, we set *initial_quote to indicate whether there was quoting before
116  * the first character.  (We use that to prevent "@x" from being treated
117  * as a file inclusion request.  Note that @"x" should be so treated;
118  * we want to allow that to support embedded spaces in file paths.)
119  * We set *terminating_comma to indicate whether the token is terminated by a
120  * comma (which is not returned.)
121  *
122  * If successful: store null-terminated token at *buf and return TRUE.
123  * If no more tokens on line: set *buf = '\0' and return FALSE.
124  *
125  * Leave file positioned at the character immediately after the token or EOF,
126  * whichever comes first. If no more tokens on line, position the file to the
127  * beginning of the next line or EOF, whichever comes first.
128  *
129  * Handle comments.
130  */
131 static bool
132 next_token(FILE *fp, char *buf, int bufsz, bool *initial_quote,
133                    bool *terminating_comma)
134 {
135         int                     c;
136         char       *start_buf = buf;
137         char       *end_buf = buf + (bufsz - 2);
138         bool            in_quote = false;
139         bool            was_quote = false;
140         bool            saw_quote = false;
141
142         /* end_buf reserves two bytes to ensure we can append \n and \0 */
143         Assert(end_buf > start_buf);
144
145         *initial_quote = false;
146         *terminating_comma = false;
147
148         /* Move over initial whitespace and commas */
149         while ((c = getc(fp)) != EOF && (pg_isblank(c) || c == ','))
150                 ;
151
152         if (c == EOF || c == '\n')
153         {
154                 *buf = '\0';
155                 return false;
156         }
157
158         /*
159          * Build a token in buf of next characters up to EOF, EOL, unquoted comma,
160          * or unquoted whitespace.
161          */
162         while (c != EOF && c != '\n' &&
163                    (!pg_isblank(c) || in_quote))
164         {
165                 /* skip comments to EOL */
166                 if (c == '#' && !in_quote)
167                 {
168                         while ((c = getc(fp)) != EOF && c != '\n')
169                                 ;
170                         /* If only comment, consume EOL too; return EOL */
171                         if (c != EOF && buf == start_buf)
172                                 c = getc(fp);
173                         break;
174                 }
175
176                 if (buf >= end_buf)
177                 {
178                         *buf = '\0';
179                         ereport(LOG,
180                                         (errcode(ERRCODE_CONFIG_FILE_ERROR),
181                            errmsg("authentication file token too long, skipping: \"%s\"",
182                                           start_buf)));
183                         /* Discard remainder of line */
184                         while ((c = getc(fp)) != EOF && c != '\n')
185                                 ;
186                         break;
187                 }
188
189                 /* we do not pass back the comma in the token */
190                 if (c == ',' && !in_quote)
191                 {
192                         *terminating_comma = true;
193                         break;
194                 }
195
196                 if (c != '"' || was_quote)
197                         *buf++ = c;
198
199                 /* Literal double-quote is two double-quotes */
200                 if (in_quote && c == '"')
201                         was_quote = !was_quote;
202                 else
203                         was_quote = false;
204
205                 if (c == '"')
206                 {
207                         in_quote = !in_quote;
208                         saw_quote = true;
209                         if (buf == start_buf)
210                                 *initial_quote = true;
211                 }
212
213                 c = getc(fp);
214         }
215
216         /*
217          * Put back the char right after the token (critical in case it is EOL,
218          * since we need to detect end-of-line at next call).
219          */
220         if (c != EOF)
221                 ungetc(c, fp);
222
223         *buf = '\0';
224
225         return (saw_quote || buf > start_buf);
226 }
227
228 static HbaToken *
229 make_hba_token(char *token, bool quoted)
230 {
231         HbaToken   *hbatoken;
232         int                     toklen;
233
234         toklen = strlen(token);
235         hbatoken = (HbaToken *) palloc(sizeof(HbaToken) + toklen + 1);
236         hbatoken->string = (char *) hbatoken + sizeof(HbaToken);
237         hbatoken->quoted = quoted;
238         memcpy(hbatoken->string, token, toklen + 1);
239
240         return hbatoken;
241 }
242
243 /*
244  * Copy a HbaToken struct into freshly palloc'd memory.
245  */
246 static HbaToken *
247 copy_hba_token(HbaToken *in)
248 {
249         HbaToken *out = make_hba_token(in->string, in->quoted);
250
251         return out;
252 }
253
254
255 /*
256  * Tokenize one HBA field from a file, handling file inclusion and comma lists.
257  *
258  * The result is a List of HbaToken structs for each individual token,
259  * or NIL if we reached EOL.
260  */
261 static List *
262 next_field_expand(const char *filename, FILE *file)
263 {
264         char            buf[MAX_TOKEN];
265         bool            trailing_comma;
266         bool            initial_quote;
267         List       *tokens = NIL;
268
269         do
270         {
271                 if (!next_token(file, buf, sizeof(buf), &initial_quote, &trailing_comma))
272                         break;
273
274                 /* Is this referencing a file? */
275                 if (!initial_quote && buf[0] == '@' && buf[1] != '\0')
276                         tokens = tokenize_inc_file(tokens, filename, buf + 1);
277                 else
278                         tokens = lappend(tokens, make_hba_token(buf, initial_quote));
279         } while (trailing_comma);
280
281         return tokens;
282 }
283
284 /*
285  * tokenize_inc_file
286  *              Expand a file included from another file into an hba "field"
287  *
288  * Opens and tokenises a file included from another HBA config file with @,
289  * and returns all values found therein as a flat list of HbaTokens.  If a
290  * @-token is found, recursively expand it.  The given token list is used as
291  * initial contents of list (so foo,bar,@baz does what you expect).  
292  */
293 static List *
294 tokenize_inc_file(List *tokens,
295                                   const char *outer_filename,
296                                   const char *inc_filename)
297 {
298         char       *inc_fullname;
299         FILE       *inc_file;
300         List       *inc_lines;
301         List       *inc_line_nums;
302         ListCell   *inc_line;
303         MemoryContext linecxt;
304
305         if (is_absolute_path(inc_filename))
306         {
307                 /* absolute path is taken as-is */
308                 inc_fullname = pstrdup(inc_filename);
309         }
310         else
311         {
312                 /* relative path is relative to dir of calling file */
313                 inc_fullname = (char *) palloc(strlen(outer_filename) + 1 +
314                                                                            strlen(inc_filename) + 1);
315                 strcpy(inc_fullname, outer_filename);
316                 get_parent_directory(inc_fullname);
317                 join_path_components(inc_fullname, inc_fullname, inc_filename);
318                 canonicalize_path(inc_fullname);
319         }
320
321         inc_file = AllocateFile(inc_fullname, "r");
322         if (inc_file == NULL)
323         {
324                 ereport(LOG,
325                                 (errcode_for_file_access(),
326                                  errmsg("could not open secondary authentication file \"@%s\" as \"%s\": %m",
327                                                 inc_filename, inc_fullname)));
328                 pfree(inc_fullname);
329                 return tokens;
330         }
331
332         /* There is possible recursion here if the file contains @ */
333         linecxt = tokenize_file(inc_fullname, inc_file, &inc_lines, &inc_line_nums);
334
335         FreeFile(inc_file);
336         pfree(inc_fullname);
337
338         foreach(inc_line, inc_lines)
339         {
340                 List       *inc_fields = lfirst(inc_line);
341                 ListCell   *inc_field;
342
343                 foreach(inc_field, inc_fields)
344                 {
345                         List       *inc_tokens = lfirst(inc_field);
346                         ListCell   *inc_token;
347
348                         foreach(inc_token, inc_tokens)
349                         {
350                                 HbaToken   *token = lfirst(inc_token);
351
352                                 tokens = lappend(tokens, copy_hba_token(token));
353                         }
354                 }
355         }
356
357         MemoryContextDelete(linecxt);
358         return tokens;
359 }
360
361 /*
362  * Tokenize the given file, storing the resulting data into two Lists: a
363  * List of lines, and a List of line numbers.
364  *
365  * The list of lines is a triple-nested List structure.  Each line is a List of
366  * fields, and each field is a List of HbaTokens.
367  *
368  * filename must be the absolute path to the target file.
369  *
370  * Return value is a memory context which contains all memory allocated by
371  * this function.
372  */
373 static MemoryContext
374 tokenize_file(const char *filename, FILE *file,
375                           List **lines, List **line_nums)
376 {
377         List       *current_line = NIL;
378         List       *current_field = NIL;
379         int                     line_number = 1;
380         MemoryContext   linecxt;
381         MemoryContext   oldcxt;
382
383         linecxt = AllocSetContextCreate(TopMemoryContext,
384                                                                         "tokenize file cxt",
385                                                                         ALLOCSET_DEFAULT_MINSIZE,
386                                                                         ALLOCSET_DEFAULT_INITSIZE,
387                                                                         ALLOCSET_DEFAULT_MAXSIZE);
388         oldcxt = MemoryContextSwitchTo(linecxt);
389
390         *lines = *line_nums = NIL;
391
392         while (!feof(file) && !ferror(file))
393         {
394                 current_field = next_field_expand(filename, file);
395
396                 /* add tokens to list, unless we are at EOL or comment start */
397                 if (list_length(current_field) > 0)
398                 {
399                         if (current_line == NIL)
400                         {
401                                 /* make a new line List, record its line number */
402                                 current_line = lappend(current_line, current_field);
403                                 *lines = lappend(*lines, current_line);
404                                 *line_nums = lappend_int(*line_nums, line_number);
405                         }
406                         else
407                         {
408                                 /* append tokens to current line's list */
409                                 current_line = lappend(current_line, current_field);
410                         }
411                 }
412                 else
413                 {
414                         /* we are at real or logical EOL, so force a new line List */
415                         current_line = NIL;
416                         line_number++;
417                 }
418         }
419
420         MemoryContextSwitchTo(oldcxt);
421
422         return linecxt;
423 }
424
425
426 /*
427  * Does user belong to role?
428  *
429  * userid is the OID of the role given as the attempted login identifier.
430  * We check to see if it is a member of the specified role name.
431  */
432 static bool
433 is_member(Oid userid, const char *role)
434 {
435         Oid                     roleid;
436
437         if (!OidIsValid(userid))
438                 return false;                   /* if user not exist, say "no" */
439
440         roleid = get_role_oid(role, true);
441
442         if (!OidIsValid(roleid))
443                 return false;                   /* if target role not exist, say "no" */
444
445         /* 
446          * See if user is directly or indirectly a member of role.
447          * For this purpose, a superuser is not considered to be automatically
448          * a member of the role, so group auth only applies to explicit
449          * membership.
450          */
451         return is_member_of_role_nosuper(userid, roleid);
452 }
453
454 /*
455  * Check HbaToken list for a match to role, allowing group names.
456  */
457 static bool
458 check_role(const char *role, Oid roleid, List *tokens)
459 {
460         ListCell           *cell;
461         HbaToken           *tok;
462
463         foreach(cell, tokens)
464         {
465                 tok = lfirst(cell);
466                 if (!tok->quoted && tok->string[0] == '+')
467                 {
468                         if (is_member(roleid, tok->string + 1))
469                                 return true;
470                 }
471                 else if (token_matches(tok, role) ||
472                                  token_is_keyword(tok, "all"))
473                         return true;
474         }
475         return false;
476 }
477
478 /*
479  * Check to see if db/role combination matches HbaToken list.
480  */
481 static bool
482 check_db(const char *dbname, const char *role, Oid roleid, List *tokens)
483 {
484         ListCell           *cell;
485         HbaToken           *tok;
486
487         foreach(cell, tokens)
488         {
489                 tok = lfirst(cell);
490                 if (am_walsender)
491                 {
492                         /* walsender connections can only match replication keyword */
493                         if (token_is_keyword(tok, "replication"))
494                                 return true;
495                 }
496                 else if (token_is_keyword(tok, "all"))
497                         return true;
498                 else if (token_is_keyword(tok, "sameuser"))
499                 {
500                         if (strcmp(dbname, role) == 0)
501                                 return true;
502                 }
503                 else if (token_is_keyword(tok, "samegroup") ||
504                                  token_is_keyword(tok, "samerole"))
505                 {
506                         if (is_member(roleid, dbname))
507                                 return true;
508                 }
509                 else if (token_is_keyword(tok, "replication"))
510                         continue;                       /* never match this if not walsender */
511                 else if (token_matches(tok, dbname))
512                         return true;
513         }
514         return false;
515 }
516
517 static bool
518 ipv4eq(struct sockaddr_in * a, struct sockaddr_in * b)
519 {
520         return (a->sin_addr.s_addr == b->sin_addr.s_addr);
521 }
522
523 #ifdef HAVE_IPV6
524
525 static bool
526 ipv6eq(struct sockaddr_in6 * a, struct sockaddr_in6 * b)
527 {
528         int                     i;
529
530         for (i = 0; i < 16; i++)
531                 if (a->sin6_addr.s6_addr[i] != b->sin6_addr.s6_addr[i])
532                         return false;
533
534         return true;
535 }
536 #endif   /* HAVE_IPV6 */
537
538 /*
539  * Check whether host name matches pattern.
540  */
541 static bool
542 hostname_match(const char *pattern, const char *actual_hostname)
543 {
544         if (pattern[0] == '.')          /* suffix match */
545         {
546                 size_t          plen = strlen(pattern);
547                 size_t          hlen = strlen(actual_hostname);
548
549                 if (hlen < plen)
550                         return false;
551
552                 return (pg_strcasecmp(pattern, actual_hostname + (hlen - plen)) == 0);
553         }
554         else
555                 return (pg_strcasecmp(pattern, actual_hostname) == 0);
556 }
557
558 /*
559  * Check to see if a connecting IP matches a given host name.
560  */
561 static bool
562 check_hostname(hbaPort *port, const char *hostname)
563 {
564         struct addrinfo *gai_result,
565                            *gai;
566         int                     ret;
567         bool            found;
568
569         /* Lookup remote host name if not already done */
570         if (!port->remote_hostname)
571         {
572                 char            remote_hostname[NI_MAXHOST];
573
574                 if (pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
575                                                            remote_hostname, sizeof(remote_hostname),
576                                                            NULL, 0,
577                                                            0) != 0)
578                         return false;
579
580                 port->remote_hostname = pstrdup(remote_hostname);
581         }
582
583         if (!hostname_match(hostname, port->remote_hostname))
584                 return false;
585
586         /* Lookup IP from host name and check against original IP */
587
588         if (port->remote_hostname_resolv == +1)
589                 return true;
590         if (port->remote_hostname_resolv == -1)
591                 return false;
592
593         ret = getaddrinfo(port->remote_hostname, NULL, NULL, &gai_result);
594         if (ret != 0)
595                 ereport(ERROR,
596                                 (errmsg("could not translate host name \"%s\" to address: %s",
597                                                 port->remote_hostname, gai_strerror(ret))));
598
599         found = false;
600         for (gai = gai_result; gai; gai = gai->ai_next)
601         {
602                 if (gai->ai_addr->sa_family == port->raddr.addr.ss_family)
603                 {
604                         if (gai->ai_addr->sa_family == AF_INET)
605                         {
606                                 if (ipv4eq((struct sockaddr_in *) gai->ai_addr,
607                                                    (struct sockaddr_in *) & port->raddr.addr))
608                                 {
609                                         found = true;
610                                         break;
611                                 }
612                         }
613 #ifdef HAVE_IPV6
614                         else if (gai->ai_addr->sa_family == AF_INET6)
615                         {
616                                 if (ipv6eq((struct sockaddr_in6 *) gai->ai_addr,
617                                                    (struct sockaddr_in6 *) & port->raddr.addr))
618                                 {
619                                         found = true;
620                                         break;
621                                 }
622                         }
623 #endif
624                 }
625         }
626
627         if (gai_result)
628                 freeaddrinfo(gai_result);
629
630         if (!found)
631                 elog(DEBUG2, "pg_hba.conf host name \"%s\" rejected because address resolution did not return a match with IP address of client",
632                          hostname);
633
634         port->remote_hostname_resolv = found ? +1 : -1;
635
636         return found;
637 }
638
639 /*
640  * Check to see if a connecting IP matches the given address and netmask.
641  */
642 static bool
643 check_ip(SockAddr *raddr, struct sockaddr * addr, struct sockaddr * mask)
644 {
645         if (raddr->addr.ss_family == addr->sa_family)
646         {
647                 /* Same address family */
648                 if (!pg_range_sockaddr(&raddr->addr,
649                                                            (struct sockaddr_storage *) addr,
650                                                            (struct sockaddr_storage *) mask))
651                         return false;
652         }
653 #ifdef HAVE_IPV6
654         else if (addr->sa_family == AF_INET &&
655                          raddr->addr.ss_family == AF_INET6)
656         {
657                 /*
658                  * If we're connected on IPv6 but the file specifies an IPv4 address
659                  * to match against, promote the latter to an IPv6 address before
660                  * trying to match the client's address.
661                  */
662                 struct sockaddr_storage addrcopy,
663                                         maskcopy;
664
665                 memcpy(&addrcopy, &addr, sizeof(addrcopy));
666                 memcpy(&maskcopy, &mask, sizeof(maskcopy));
667                 pg_promote_v4_to_v6_addr(&addrcopy);
668                 pg_promote_v4_to_v6_mask(&maskcopy);
669
670                 if (!pg_range_sockaddr(&raddr->addr, &addrcopy, &maskcopy))
671                         return false;
672         }
673 #endif   /* HAVE_IPV6 */
674         else
675         {
676                 /* Wrong address family, no IPV6 */
677                 return false;
678         }
679
680         return true;
681 }
682
683 /*
684  * pg_foreach_ifaddr callback: does client addr match this machine interface?
685  */
686 static void
687 check_network_callback(struct sockaddr * addr, struct sockaddr * netmask,
688                                            void *cb_data)
689 {
690         check_network_data *cn = (check_network_data *) cb_data;
691         struct sockaddr_storage mask;
692
693         /* Already found a match? */
694         if (cn->result)
695                 return;
696
697         if (cn->method == ipCmpSameHost)
698         {
699                 /* Make an all-ones netmask of appropriate length for family */
700                 pg_sockaddr_cidr_mask(&mask, NULL, addr->sa_family);
701                 cn->result = check_ip(cn->raddr, addr, (struct sockaddr *) & mask);
702         }
703         else
704         {
705                 /* Use the netmask of the interface itself */
706                 cn->result = check_ip(cn->raddr, addr, netmask);
707         }
708 }
709
710 /*
711  * Use pg_foreach_ifaddr to check a samehost or samenet match
712  */
713 static bool
714 check_same_host_or_net(SockAddr *raddr, IPCompareMethod method)
715 {
716         check_network_data cn;
717
718         cn.method = method;
719         cn.raddr = raddr;
720         cn.result = false;
721
722         errno = 0;
723         if (pg_foreach_ifaddr(check_network_callback, &cn) < 0)
724         {
725                 elog(LOG, "error enumerating network interfaces: %m");
726                 return false;
727         }
728
729         return cn.result;
730 }
731
732
733 /*
734  * Macros used to check and report on invalid configuration options.
735  * INVALID_AUTH_OPTION = reports when an option is specified for a method where it's
736  *                                               not supported.
737  * REQUIRE_AUTH_OPTION = same as INVALID_AUTH_OPTION, except it also checks if the
738  *                                               method is actually the one specified. Used as a shortcut when
739  *                                               the option is only valid for one authentication method.
740  * MANDATORY_AUTH_ARG  = check if a required option is set for an authentication method,
741  *                                               reporting error if it's not.
742  */
743 #define INVALID_AUTH_OPTION(optname, validmethods) do {\
744         ereport(LOG, \
745                         (errcode(ERRCODE_CONFIG_FILE_ERROR), \
746                          /* translator: the second %s is a list of auth methods */ \
747                          errmsg("authentication option \"%s\" is only valid for authentication methods %s", \
748                                         optname, _(validmethods)), \
749                          errcontext("line %d of configuration file \"%s\"", \
750                                         line_num, HbaFileName))); \
751         return false; \
752 } while (0);
753
754 #define REQUIRE_AUTH_OPTION(methodval, optname, validmethods) do {\
755         if (hbaline->auth_method != methodval) \
756                 INVALID_AUTH_OPTION(optname, validmethods); \
757 } while (0);
758
759 #define MANDATORY_AUTH_ARG(argvar, argname, authname) do {\
760         if (argvar == NULL) {\
761                 ereport(LOG, \
762                                 (errcode(ERRCODE_CONFIG_FILE_ERROR), \
763                                  errmsg("authentication method \"%s\" requires argument \"%s\" to be set", \
764                                                 authname, argname), \
765                                  errcontext("line %d of configuration file \"%s\"", \
766                                                 line_num, HbaFileName))); \
767                 return false; \
768         } \
769 } while (0);
770
771 /*
772  * IDENT_FIELD_ABSENT:
773  * Throw an error and exit the function if the given ident field ListCell is
774  * not populated.
775  *
776  * IDENT_MULTI_VALUE:
777  * Throw an error and exit the function if the given ident token List has more
778  * than one element.
779  */
780 #define IDENT_FIELD_ABSENT(field) do {\
781         if (!field) { \
782                 ereport(LOG, \
783                                 (errcode(ERRCODE_CONFIG_FILE_ERROR), \
784                                  errmsg("missing entry in file \"%s\" at end of line %d", \
785                                                 IdentFileName, line_number))); \
786                 *error_p = true; \
787                 return; \
788         } \
789 } while (0);
790
791 #define IDENT_MULTI_VALUE(tokens) do {\
792         if (tokens->length > 1) { \
793                 ereport(LOG, \
794                                 (errcode(ERRCODE_CONFIG_FILE_ERROR), \
795                                  errmsg("multiple values in ident field"), \
796                                  errcontext("line %d of configuration file \"%s\"", \
797                                                 line_number, IdentFileName))); \
798                 *error_p = true; \
799                 return; \
800         } \
801 } while (0);
802
803
804 /*
805  * Parse one tokenised line from the hba config file and store the result in a
806  * HbaLine structure, or NULL if parsing fails.
807  *
808  * The tokenised line is a List of fields, each field being a List of
809  * HbaTokens.
810  *
811  * Note: this function leaks memory when an error occurs.  Caller is expected
812  * to have set a memory context that will be reset if this function returns
813  * NULL.
814  */
815 static HbaLine *
816 parse_hba_line(List *line, int line_num)
817 {
818         char       *str;
819         struct addrinfo *gai_result;
820         struct addrinfo hints;
821         int                     ret;
822         char       *cidr_slash;
823         char       *unsupauth;
824         ListCell   *field;
825         List       *tokens;
826         ListCell   *tokencell;
827         HbaToken   *token;
828         HbaLine    *parsedline;
829
830         parsedline = palloc0(sizeof(HbaLine));
831         parsedline->linenumber = line_num;
832
833         /* Check the record type. */
834         field = list_head(line);
835         tokens = lfirst(field);
836         if (tokens->length > 1)
837         {
838                 ereport(LOG,
839                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
840                                  errmsg("multiple values specified for connection type"),
841                                  errhint("Specify exactly one connection type per line."),
842                                  errcontext("line %d of configuration file \"%s\"",
843                                                         line_num, HbaFileName)));
844                 return NULL;
845         }
846         token = linitial(tokens);
847         if (strcmp(token->string, "local") == 0)
848         {
849 #ifdef HAVE_UNIX_SOCKETS
850                 parsedline->conntype = ctLocal;
851 #else
852                 ereport(LOG,
853                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
854                                  errmsg("local connections are not supported by this build"),
855                                  errcontext("line %d of configuration file \"%s\"",
856                                                         line_num, HbaFileName)));
857                 return NULL;
858 #endif
859         }
860         else if (strcmp(token->string, "host") == 0 ||
861                          strcmp(token->string, "hostssl") == 0 ||
862                          strcmp(token->string, "hostnossl") == 0)
863         {
864
865                 if (token->string[4] == 's')    /* "hostssl" */
866                 {
867                         /* SSL support must be actually active, else complain */
868 #ifdef USE_SSL
869                         if (EnableSSL)
870                                 parsedline->conntype = ctHostSSL;
871                         else
872                         {
873                                 ereport(LOG,
874                                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
875                                                  errmsg("hostssl requires SSL to be turned on"),
876                                                  errhint("Set ssl = on in postgresql.conf."),
877                                                  errcontext("line %d of configuration file \"%s\"",
878                                                                         line_num, HbaFileName)));
879                                 return NULL;
880                         }
881 #else
882                         ereport(LOG,
883                                         (errcode(ERRCODE_CONFIG_FILE_ERROR),
884                                          errmsg("hostssl is not supported by this build"),
885                           errhint("Compile with --with-openssl to use SSL connections."),
886                                          errcontext("line %d of configuration file \"%s\"",
887                                                                 line_num, HbaFileName)));
888                         return NULL;
889 #endif
890                 }
891 #ifdef USE_SSL
892                 else if (token->string[4] == 'n')               /* "hostnossl" */
893                 {
894                         parsedline->conntype = ctHostNoSSL;
895                 }
896 #endif
897                 else
898                 {
899                         /* "host", or "hostnossl" and SSL support not built in */
900                         parsedline->conntype = ctHost;
901                 }
902         }                                                       /* record type */
903         else
904         {
905                 ereport(LOG,
906                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
907                                  errmsg("invalid connection type \"%s\"",
908                                                 token->string),
909                                  errcontext("line %d of configuration file \"%s\"",
910                                                         line_num, HbaFileName)));
911                 return NULL;
912         }
913
914         /* Get the databases. */
915         field = lnext(field);
916         if (!field)
917         {
918                 ereport(LOG,
919                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
920                                  errmsg("end-of-line before database specification"),
921                                  errcontext("line %d of configuration file \"%s\"",
922                                                         line_num, HbaFileName)));
923                 return NULL;
924         }
925         parsedline->databases = NIL;
926         tokens = lfirst(field);
927         foreach(tokencell, tokens)
928         {
929                 parsedline->databases = lappend(parsedline->databases,
930                                                                                 copy_hba_token(lfirst(tokencell)));
931         }
932
933         /* Get the roles. */
934         field = lnext(field);
935         if (!field)
936         {
937                 ereport(LOG,
938                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
939                                  errmsg("end-of-line before role specification"),
940                                  errcontext("line %d of configuration file \"%s\"",
941                                                         line_num, HbaFileName)));
942                 return NULL;
943         }
944         parsedline->roles = NIL;
945         tokens = lfirst(field);
946         foreach(tokencell, tokens)
947         {
948                 parsedline->roles = lappend(parsedline->roles,
949                                                                         copy_hba_token(lfirst(tokencell)));
950         }
951
952         if (parsedline->conntype != ctLocal)
953         {
954                 /* Read the IP address field. (with or without CIDR netmask) */
955                 field = lnext(field);
956                 if (!field)
957                 {
958                         ereport(LOG,
959                                         (errcode(ERRCODE_CONFIG_FILE_ERROR),
960                                          errmsg("end-of-line before IP address specification"),
961                                          errcontext("line %d of configuration file \"%s\"",
962                                                                 line_num, HbaFileName)));
963                         return NULL;
964                 }
965                 tokens = lfirst(field);
966                 if (tokens->length > 1)
967                 {
968                         ereport(LOG,
969                                         (errcode(ERRCODE_CONFIG_FILE_ERROR),
970                                          errmsg("multiple values specified for host address"),
971                                          errhint("Specify one address range per line."),
972                                          errcontext("line %d of configuration file \"%s\"",
973                                                                 line_num, HbaFileName)));
974                         return NULL;
975                 }
976                 token = linitial(tokens);
977
978                 if (token_is_keyword(token, "all"))
979                 {
980                         parsedline->ip_cmp_method = ipCmpAll;
981                 }
982                 else if (token_is_keyword(token, "samehost"))
983                 {
984                         /* Any IP on this host is allowed to connect */
985                         parsedline->ip_cmp_method = ipCmpSameHost;
986                 }
987                 else if (token_is_keyword(token, "samenet"))
988                 {
989                         /* Any IP on the host's subnets is allowed to connect */
990                         parsedline->ip_cmp_method = ipCmpSameNet;
991                 }
992                 else
993                 {
994                         /* IP and netmask are specified */
995                         parsedline->ip_cmp_method = ipCmpMask;
996
997                         /* need a modifiable copy of token */
998                         str = pstrdup(token->string);
999
1000                         /* Check if it has a CIDR suffix and if so isolate it */
1001                         cidr_slash = strchr(str, '/');
1002                         if (cidr_slash)
1003                                 *cidr_slash = '\0';
1004
1005                         /* Get the IP address either way */
1006                         hints.ai_flags = AI_NUMERICHOST;
1007                         hints.ai_family = PF_UNSPEC;
1008                         hints.ai_socktype = 0;
1009                         hints.ai_protocol = 0;
1010                         hints.ai_addrlen = 0;
1011                         hints.ai_canonname = NULL;
1012                         hints.ai_addr = NULL;
1013                         hints.ai_next = NULL;
1014
1015                         ret = pg_getaddrinfo_all(str, NULL, &hints, &gai_result);
1016                         if (ret == 0 && gai_result)
1017                                 memcpy(&parsedline->addr, gai_result->ai_addr,
1018                                            gai_result->ai_addrlen);
1019                         else if (ret == EAI_NONAME)
1020                                 parsedline->hostname = str;
1021                         else
1022                         {
1023                                 ereport(LOG,
1024                                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1025                                                  errmsg("invalid IP address \"%s\": %s",
1026                                                                 str, gai_strerror(ret)),
1027                                                  errcontext("line %d of configuration file \"%s\"",
1028                                                                         line_num, HbaFileName)));
1029                                 if (gai_result)
1030                                         pg_freeaddrinfo_all(hints.ai_family, gai_result);
1031                                 return NULL;
1032                         }
1033
1034                         pg_freeaddrinfo_all(hints.ai_family, gai_result);
1035
1036                         /* Get the netmask */
1037                         if (cidr_slash)
1038                         {
1039                                 if (parsedline->hostname)
1040                                 {
1041                                         ereport(LOG,
1042                                                         (errcode(ERRCODE_CONFIG_FILE_ERROR),
1043                                                          errmsg("specifying both host name and CIDR mask is invalid: \"%s\"",
1044                                                                         token->string),
1045                                                          errcontext("line %d of configuration file \"%s\"",
1046                                                                                 line_num, HbaFileName)));
1047                                         return NULL;
1048                                 }
1049
1050                                 if (pg_sockaddr_cidr_mask(&parsedline->mask, cidr_slash + 1,
1051                                                                                   parsedline->addr.ss_family) < 0)
1052                                 {
1053                                         ereport(LOG,
1054                                                         (errcode(ERRCODE_CONFIG_FILE_ERROR),
1055                                                          errmsg("invalid CIDR mask in address \"%s\"",
1056                                                                         token->string),
1057                                                    errcontext("line %d of configuration file \"%s\"",
1058                                                                           line_num, HbaFileName)));
1059                                         return NULL;
1060                                 }
1061                                 pfree(str);
1062                         }
1063                         else if (!parsedline->hostname)
1064                         {
1065                                 /* Read the mask field. */
1066                                 pfree(str);
1067                                 field = lnext(field);
1068                                 if (!field)
1069                                 {
1070                                         ereport(LOG,
1071                                                         (errcode(ERRCODE_CONFIG_FILE_ERROR),
1072                                                   errmsg("end-of-line before netmask specification"),
1073                                                          errhint("Specify an address range in CIDR notation, or provide a separate netmask."),
1074                                                    errcontext("line %d of configuration file \"%s\"",
1075                                                                           line_num, HbaFileName)));
1076                                         return NULL;
1077                                 }
1078                                 tokens = lfirst(field);
1079                                 if (tokens->length > 1)
1080                                 {
1081                                         ereport(LOG,
1082                                                         (errcode(ERRCODE_CONFIG_FILE_ERROR),
1083                                                      errmsg("multiple values specified for netmask"),
1084                                                          errcontext("line %d of configuration file \"%s\"",
1085                                                                                 line_num, HbaFileName)));
1086                                         return NULL;
1087                                 }
1088                                 token = linitial(tokens);
1089
1090                                 ret = pg_getaddrinfo_all(token->string, NULL,
1091                                                                                  &hints, &gai_result);
1092                                 if (ret || !gai_result)
1093                                 {
1094                                         ereport(LOG,
1095                                                         (errcode(ERRCODE_CONFIG_FILE_ERROR),
1096                                                          errmsg("invalid IP mask \"%s\": %s",
1097                                                                         token->string, gai_strerror(ret)),
1098                                                    errcontext("line %d of configuration file \"%s\"",
1099                                                                           line_num, HbaFileName)));
1100                                         if (gai_result)
1101                                                 pg_freeaddrinfo_all(hints.ai_family, gai_result);
1102                                         return NULL;
1103                                 }
1104
1105                                 memcpy(&parsedline->mask, gai_result->ai_addr,
1106                                            gai_result->ai_addrlen);
1107                                 pg_freeaddrinfo_all(hints.ai_family, gai_result);
1108
1109                                 if (parsedline->addr.ss_family != parsedline->mask.ss_family)
1110                                 {
1111                                         ereport(LOG,
1112                                                         (errcode(ERRCODE_CONFIG_FILE_ERROR),
1113                                                          errmsg("IP address and mask do not match"),
1114                                                    errcontext("line %d of configuration file \"%s\"",
1115                                                                           line_num, HbaFileName)));
1116                                         return NULL;
1117                                 }
1118                         }
1119                 }
1120         }                                                       /* != ctLocal */
1121
1122         /* Get the authentication method */
1123         field = lnext(field);
1124         if (!field)
1125         {
1126                 ereport(LOG,
1127                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1128                                  errmsg("end-of-line before authentication method"),
1129                                  errcontext("line %d of configuration file \"%s\"",
1130                                                         line_num, HbaFileName)));
1131                 return NULL;
1132         }
1133         tokens = lfirst(field);
1134         if (tokens->length > 1)
1135         {
1136                 ereport(LOG,
1137                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1138                                  errmsg("multiple values specified for authentication type"),
1139                                  errhint("Specify exactly one authentication type per line."),
1140                                  errcontext("line %d of configuration file \"%s\"",
1141                                                         line_num, HbaFileName)));
1142                 return NULL;
1143         }
1144         token = linitial(tokens);
1145
1146         unsupauth = NULL;
1147         if (strcmp(token->string, "trust") == 0)
1148                 parsedline->auth_method = uaTrust;
1149         else if (strcmp(token->string, "ident") == 0)
1150                 parsedline->auth_method = uaIdent;
1151         else if (strcmp(token->string, "peer") == 0)
1152                 parsedline->auth_method = uaPeer;
1153         else if (strcmp(token->string, "password") == 0)
1154                 parsedline->auth_method = uaPassword;
1155         else if (strcmp(token->string, "krb5") == 0)
1156 #ifdef KRB5
1157                 parsedline->auth_method = uaKrb5;
1158 #else
1159                 unsupauth = "krb5";
1160 #endif
1161         else if (strcmp(token->string, "gss") == 0)
1162 #ifdef ENABLE_GSS
1163                 parsedline->auth_method = uaGSS;
1164 #else
1165                 unsupauth = "gss";
1166 #endif
1167         else if (strcmp(token->string, "sspi") == 0)
1168 #ifdef ENABLE_SSPI
1169                 parsedline->auth_method = uaSSPI;
1170 #else
1171                 unsupauth = "sspi";
1172 #endif
1173         else if (strcmp(token->string, "reject") == 0)
1174                 parsedline->auth_method = uaReject;
1175         else if (strcmp(token->string, "md5") == 0)
1176         {
1177                 if (Db_user_namespace)
1178                 {
1179                         ereport(LOG,
1180                                         (errcode(ERRCODE_CONFIG_FILE_ERROR),
1181                                          errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"),
1182                                          errcontext("line %d of configuration file \"%s\"",
1183                                                                 line_num, HbaFileName)));
1184                         return NULL;
1185                 }
1186                 parsedline->auth_method = uaMD5;
1187         }
1188         else if (strcmp(token->string, "pam") == 0)
1189 #ifdef USE_PAM
1190                 parsedline->auth_method = uaPAM;
1191 #else
1192                 unsupauth = "pam";
1193 #endif
1194         else if (strcmp(token->string, "ldap") == 0)
1195 #ifdef USE_LDAP
1196                 parsedline->auth_method = uaLDAP;
1197 #else
1198                 unsupauth = "ldap";
1199 #endif
1200         else if (strcmp(token->string, "cert") == 0)
1201 #ifdef USE_SSL
1202                 parsedline->auth_method = uaCert;
1203 #else
1204                 unsupauth = "cert";
1205 #endif
1206         else if (strcmp(token->string, "radius") == 0)
1207                 parsedline->auth_method = uaRADIUS;
1208         else
1209         {
1210                 ereport(LOG,
1211                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1212                                  errmsg("invalid authentication method \"%s\"",
1213                                                 token->string),
1214                                  errcontext("line %d of configuration file \"%s\"",
1215                                                         line_num, HbaFileName)));
1216                 return NULL;
1217         }
1218
1219         if (unsupauth)
1220         {
1221                 ereport(LOG,
1222                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1223                                  errmsg("invalid authentication method \"%s\": not supported by this build",
1224                                                 token->string),
1225                                  errcontext("line %d of configuration file \"%s\"",
1226                                                         line_num, HbaFileName)));
1227                 return NULL;
1228         }
1229
1230         /*
1231          * XXX: When using ident on local connections, change it to peer, for
1232          * backwards compatibility.
1233          */
1234         if (parsedline->conntype == ctLocal &&
1235                 parsedline->auth_method == uaIdent)
1236                 parsedline->auth_method = uaPeer;
1237
1238         /* Invalid authentication combinations */
1239         if (parsedline->conntype == ctLocal &&
1240                 parsedline->auth_method == uaKrb5)
1241         {
1242                 ereport(LOG,
1243                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1244                          errmsg("krb5 authentication is not supported on local sockets"),
1245                                  errcontext("line %d of configuration file \"%s\"",
1246                                                         line_num, HbaFileName)));
1247                 return NULL;
1248         }
1249
1250         if (parsedline->conntype == ctLocal &&
1251                 parsedline->auth_method == uaGSS)
1252         {
1253                 ereport(LOG,
1254                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1255                    errmsg("gssapi authentication is not supported on local sockets"),
1256                                  errcontext("line %d of configuration file \"%s\"",
1257                                                         line_num, HbaFileName)));
1258                 return NULL;
1259         }
1260
1261         if (parsedline->conntype != ctLocal &&
1262                 parsedline->auth_method == uaPeer)
1263         {
1264                 ereport(LOG,
1265                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1266                         errmsg("peer authentication is only supported on local sockets"),
1267                                  errcontext("line %d of configuration file \"%s\"",
1268                                                         line_num, HbaFileName)));
1269                 return NULL;
1270         }
1271
1272         /*
1273          * SSPI authentication can never be enabled on ctLocal connections,
1274          * because it's only supported on Windows, where ctLocal isn't supported.
1275          */
1276
1277
1278         if (parsedline->conntype != ctHostSSL &&
1279                 parsedline->auth_method == uaCert)
1280         {
1281                 ereport(LOG,
1282                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1283                                  errmsg("cert authentication is only supported on hostssl connections"),
1284                                  errcontext("line %d of configuration file \"%s\"",
1285                                                         line_num, HbaFileName)));
1286                 return NULL;
1287         }
1288
1289         /* Parse remaining arguments */
1290         while ((field = lnext(field)) != NULL)
1291         {
1292                 tokens = lfirst(field);
1293                 foreach(tokencell, tokens)
1294                 {
1295                         char       *val;
1296                         token = lfirst(tokencell);
1297
1298                         str = pstrdup(token->string);
1299                         val = strchr(str, '=');
1300                         if (val == NULL)
1301                         {
1302                                 /*
1303                                  * Got something that's not a name=value pair.
1304                                  */
1305                                 ereport(LOG,
1306                                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1307                                                  errmsg("authentication option not in name=value format: %s", token->string),
1308                                                  errcontext("line %d of configuration file \"%s\"",
1309                                                                         line_num, HbaFileName)));
1310                                 return NULL;
1311                         }
1312
1313                         *val++ = '\0';  /* str now holds "name", val holds "value" */
1314                         if (!parse_hba_auth_opt(str, val, parsedline, line_num))
1315                                 /* parse_hba_auth_opt already logged the error message */
1316                                 return NULL;
1317                         pfree(str);
1318                 }
1319         }
1320
1321         /*
1322          * Check if the selected authentication method has any mandatory arguments
1323          * that are not set.
1324          */
1325         if (parsedline->auth_method == uaLDAP)
1326         {
1327                 MANDATORY_AUTH_ARG(parsedline->ldapserver, "ldapserver", "ldap");
1328
1329                 /*
1330                  * LDAP can operate in two modes: either with a direct bind, using
1331                  * ldapprefix and ldapsuffix, or using a search+bind, using
1332                  * ldapbasedn, ldapbinddn, ldapbindpasswd and ldapsearchattribute.
1333                  * Disallow mixing these parameters.
1334                  */
1335                 if (parsedline->ldapprefix || parsedline->ldapsuffix)
1336                 {
1337                         if (parsedline->ldapbasedn ||
1338                                 parsedline->ldapbinddn ||
1339                                 parsedline->ldapbindpasswd ||
1340                                 parsedline->ldapsearchattribute)
1341                         {
1342                                 ereport(LOG,
1343                                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1344                                                  errmsg("cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, or ldapsearchattribute together with ldapprefix"),
1345                                                  errcontext("line %d of configuration file \"%s\"",
1346                                                                         line_num, HbaFileName)));
1347                                 return NULL;
1348                         }
1349                 }
1350                 else if (!parsedline->ldapbasedn)
1351                 {
1352                         ereport(LOG,
1353                                         (errcode(ERRCODE_CONFIG_FILE_ERROR),
1354                                          errmsg("authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set"),
1355                                          errcontext("line %d of configuration file \"%s\"",
1356                                                                 line_num, HbaFileName)));
1357                         return NULL;
1358                 }
1359         }
1360
1361         if (parsedline->auth_method == uaRADIUS)
1362         {
1363                 MANDATORY_AUTH_ARG(parsedline->radiusserver, "radiusserver", "radius");
1364                 MANDATORY_AUTH_ARG(parsedline->radiussecret, "radiussecret", "radius");
1365         }
1366
1367         /*
1368          * Enforce any parameters implied by other settings.
1369          */
1370         if (parsedline->auth_method == uaCert)
1371         {
1372                 parsedline->clientcert = true;
1373         }
1374
1375         return parsedline;
1376 }
1377
1378 /*
1379  * Parse one name-value pair as an authentication option into the given
1380  * HbaLine.  Return true if we successfully parse the option, false if we
1381  * encounter an error.
1382  */
1383 static bool
1384 parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
1385 {
1386         if (strcmp(name, "map") == 0)
1387         {
1388                 if (hbaline->auth_method != uaIdent &&
1389                         hbaline->auth_method != uaPeer &&
1390                         hbaline->auth_method != uaKrb5 &&
1391                         hbaline->auth_method != uaGSS &&
1392                         hbaline->auth_method != uaSSPI &&
1393                         hbaline->auth_method != uaCert)
1394                         INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, krb5, gssapi, sspi, and cert"));
1395                 hbaline->usermap = pstrdup(val);
1396         }
1397         else if (strcmp(name, "clientcert") == 0)
1398         {
1399                 /*
1400                  * Since we require ctHostSSL, this really can never happen
1401                  * on non-SSL-enabled builds, so don't bother checking for
1402                  * USE_SSL.
1403                  */
1404                 if (hbaline->conntype != ctHostSSL)
1405                 {
1406                         ereport(LOG,
1407                                         (errcode(ERRCODE_CONFIG_FILE_ERROR),
1408                                          errmsg("clientcert can only be configured for \"hostssl\" rows"),
1409                                    errcontext("line %d of configuration file \"%s\"",
1410                                                           line_num, HbaFileName)));
1411                         return false;
1412                 }
1413                 if (strcmp(val, "1") == 0)
1414                 {
1415                         if (!secure_loaded_verify_locations())
1416                         {
1417                                 ereport(LOG,
1418                                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1419                                                  errmsg("client certificates can only be checked if a root certificate store is available"),
1420                                                  errhint("Make sure the configuration parameter \"ssl_ca_file\" is set."),
1421                                    errcontext("line %d of configuration file \"%s\"",
1422                                                           line_num, HbaFileName)));
1423                                 return false;
1424                         }
1425                         hbaline->clientcert = true;
1426                 }
1427                 else
1428                 {
1429                         if (hbaline->auth_method == uaCert)
1430                         {
1431                                 ereport(LOG,
1432                                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1433                                                  errmsg("clientcert can not be set to 0 when using \"cert\" authentication"),
1434                                    errcontext("line %d of configuration file \"%s\"",
1435                                                           line_num, HbaFileName)));
1436                                 return false;
1437                         }
1438                         hbaline->clientcert = false;
1439                 }
1440         }
1441         else if (strcmp(name, "pamservice") == 0)
1442         {
1443                 REQUIRE_AUTH_OPTION(uaPAM, "pamservice", "pam");
1444                 hbaline->pamservice = pstrdup(val);
1445         }
1446         else if (strcmp(name, "ldaptls") == 0)
1447         {
1448                 REQUIRE_AUTH_OPTION(uaLDAP, "ldaptls", "ldap");
1449                 if (strcmp(val, "1") == 0)
1450                         hbaline->ldaptls = true;
1451                 else
1452                         hbaline->ldaptls = false;
1453         }
1454         else if (strcmp(name, "ldapserver") == 0)
1455         {
1456                 REQUIRE_AUTH_OPTION(uaLDAP, "ldapserver", "ldap");
1457                 hbaline->ldapserver = pstrdup(val);
1458         }
1459         else if (strcmp(name, "ldapport") == 0)
1460         {
1461                 REQUIRE_AUTH_OPTION(uaLDAP, "ldapport", "ldap");
1462                 hbaline->ldapport = atoi(val);
1463                 if (hbaline->ldapport == 0)
1464                 {
1465                         ereport(LOG,
1466                                         (errcode(ERRCODE_CONFIG_FILE_ERROR),
1467                                          errmsg("invalid LDAP port number: \"%s\"", val),
1468                                    errcontext("line %d of configuration file \"%s\"",
1469                                                           line_num, HbaFileName)));
1470                         return false;
1471                 }
1472         }
1473         else if (strcmp(name, "ldapbinddn") == 0)
1474         {
1475                 REQUIRE_AUTH_OPTION(uaLDAP, "ldapbinddn", "ldap");
1476                 hbaline->ldapbinddn = pstrdup(val);
1477         }
1478         else if (strcmp(name, "ldapbindpasswd") == 0)
1479         {
1480                 REQUIRE_AUTH_OPTION(uaLDAP, "ldapbindpasswd", "ldap");
1481                 hbaline->ldapbindpasswd = pstrdup(val);
1482         }
1483         else if (strcmp(name, "ldapsearchattribute") == 0)
1484         {
1485                 REQUIRE_AUTH_OPTION(uaLDAP, "ldapsearchattribute", "ldap");
1486                 hbaline->ldapsearchattribute = pstrdup(val);
1487         }
1488         else if (strcmp(name, "ldapbasedn") == 0)
1489         {
1490                 REQUIRE_AUTH_OPTION(uaLDAP, "ldapbasedn", "ldap");
1491                 hbaline->ldapbasedn = pstrdup(val);
1492         }
1493         else if (strcmp(name, "ldapprefix") == 0)
1494         {
1495                 REQUIRE_AUTH_OPTION(uaLDAP, "ldapprefix", "ldap");
1496                 hbaline->ldapprefix = pstrdup(val);
1497         }
1498         else if (strcmp(name, "ldapsuffix") == 0)
1499         {
1500                 REQUIRE_AUTH_OPTION(uaLDAP, "ldapsuffix", "ldap");
1501                 hbaline->ldapsuffix = pstrdup(val);
1502         }
1503         else if (strcmp(name, "krb_server_hostname") == 0)
1504         {
1505                 REQUIRE_AUTH_OPTION(uaKrb5, "krb_server_hostname", "krb5");
1506                 hbaline->krb_server_hostname = pstrdup(val);
1507         }
1508         else if (strcmp(name, "krb_realm") == 0)
1509         {
1510                 if (hbaline->auth_method != uaKrb5 &&
1511                         hbaline->auth_method != uaGSS &&
1512                         hbaline->auth_method != uaSSPI)
1513                         INVALID_AUTH_OPTION("krb_realm", gettext_noop("krb5, gssapi, and sspi"));
1514                 hbaline->krb_realm = pstrdup(val);
1515         }
1516         else if (strcmp(name, "include_realm") == 0)
1517         {
1518                 if (hbaline->auth_method != uaKrb5 &&
1519                         hbaline->auth_method != uaGSS &&
1520                         hbaline->auth_method != uaSSPI)
1521                         INVALID_AUTH_OPTION("include_realm", gettext_noop("krb5, gssapi, and sspi"));
1522                 if (strcmp(val, "1") == 0)
1523                         hbaline->include_realm = true;
1524                 else
1525                         hbaline->include_realm = false;
1526         }
1527         else if (strcmp(name, "radiusserver") == 0)
1528         {
1529                 struct addrinfo *gai_result;
1530                 struct addrinfo hints;
1531                 int ret;
1532
1533                 REQUIRE_AUTH_OPTION(uaRADIUS, "radiusserver", "radius");
1534
1535                 MemSet(&hints, 0, sizeof(hints));
1536                 hints.ai_socktype = SOCK_DGRAM;
1537                 hints.ai_family = AF_UNSPEC;
1538
1539                 ret = pg_getaddrinfo_all(val, NULL, &hints, &gai_result);
1540                 if (ret || !gai_result)
1541                 {
1542                         ereport(LOG,
1543                                         (errcode(ERRCODE_CONFIG_FILE_ERROR),
1544                                          errmsg("could not translate RADIUS server name \"%s\" to address: %s",
1545                                                         val, gai_strerror(ret)),
1546                                    errcontext("line %d of configuration file \"%s\"",
1547                                                           line_num, HbaFileName)));
1548                         if (gai_result)
1549                                 pg_freeaddrinfo_all(hints.ai_family, gai_result);
1550                         return false;
1551                 }
1552                 pg_freeaddrinfo_all(hints.ai_family, gai_result);
1553                 hbaline->radiusserver = pstrdup(val);
1554         }
1555         else if (strcmp(name, "radiusport") == 0)
1556         {
1557                 REQUIRE_AUTH_OPTION(uaRADIUS, "radiusport", "radius");
1558                 hbaline->radiusport = atoi(val);
1559                 if (hbaline->radiusport == 0)
1560                 {
1561                         ereport(LOG,
1562                                         (errcode(ERRCODE_CONFIG_FILE_ERROR),
1563                                          errmsg("invalid RADIUS port number: \"%s\"", val),
1564                                    errcontext("line %d of configuration file \"%s\"",
1565                                                           line_num, HbaFileName)));
1566                         return false;
1567                 }
1568         }
1569         else if (strcmp(name, "radiussecret") == 0)
1570         {
1571                 REQUIRE_AUTH_OPTION(uaRADIUS, "radiussecret", "radius");
1572                 hbaline->radiussecret = pstrdup(val);
1573         }
1574         else if (strcmp(name, "radiusidentifier") == 0)
1575         {
1576                 REQUIRE_AUTH_OPTION(uaRADIUS, "radiusidentifier", "radius");
1577                 hbaline->radiusidentifier = pstrdup(val);
1578         }
1579         else
1580         {
1581                 ereport(LOG,
1582                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1583                         errmsg("unrecognized authentication option name: \"%s\"",
1584                                    name),
1585                                  errcontext("line %d of configuration file \"%s\"",
1586                                                         line_num, HbaFileName)));
1587                 return false;
1588         }
1589         return true;
1590 }
1591
1592 /*
1593  *      Scan the pre-parsed hba file, looking for a match to the port's connection
1594  *      request.
1595  */
1596 static void
1597 check_hba(hbaPort *port)
1598 {
1599         Oid                     roleid;
1600         ListCell   *line;
1601         HbaLine    *hba;
1602
1603         /* Get the target role's OID.  Note we do not error out for bad role. */
1604         roleid = get_role_oid(port->user_name, true);
1605
1606         foreach(line, parsed_hba_lines)
1607         {
1608                 hba = (HbaLine *) lfirst(line);
1609
1610                 /* Check connection type */
1611                 if (hba->conntype == ctLocal)
1612                 {
1613                         if (!IS_AF_UNIX(port->raddr.addr.ss_family))
1614                                 continue;
1615                 }
1616                 else
1617                 {
1618                         if (IS_AF_UNIX(port->raddr.addr.ss_family))
1619                                 continue;
1620
1621                         /* Check SSL state */
1622 #ifdef USE_SSL
1623                         if (port->ssl)
1624                         {
1625                                 /* Connection is SSL, match both "host" and "hostssl" */
1626                                 if (hba->conntype == ctHostNoSSL)
1627                                         continue;
1628                         }
1629                         else
1630                         {
1631                                 /* Connection is not SSL, match both "host" and "hostnossl" */
1632                                 if (hba->conntype == ctHostSSL)
1633                                         continue;
1634                         }
1635 #else
1636                         /* No SSL support, so reject "hostssl" lines */
1637                         if (hba->conntype == ctHostSSL)
1638                                 continue;
1639 #endif
1640
1641                         /* Check IP address */
1642                         switch (hba->ip_cmp_method)
1643                         {
1644                                 case ipCmpMask:
1645                                         if (hba->hostname)
1646                                         {
1647                                                 if (!check_hostname(port,
1648                                                                                         hba->hostname))
1649                                                         continue;
1650                                         }
1651                                         else
1652                                         {
1653                                                 if (!check_ip(&port->raddr,
1654                                                                           (struct sockaddr *) & hba->addr,
1655                                                                           (struct sockaddr *) & hba->mask))
1656                                                         continue;
1657                                         }
1658                                         break;
1659                                 case ipCmpAll:
1660                                         break;
1661                                 case ipCmpSameHost:
1662                                 case ipCmpSameNet:
1663                                         if (!check_same_host_or_net(&port->raddr,
1664                                                                                                 hba->ip_cmp_method))
1665                                                 continue;
1666                                         break;
1667                                 default:
1668                                         /* shouldn't get here, but deem it no-match if so */
1669                                         continue;
1670                         }
1671                 }                                               /* != ctLocal */
1672
1673                 /* Check database and role */
1674                 if (!check_db(port->database_name, port->user_name, roleid,
1675                                           hba->databases))
1676                         continue;
1677
1678                 if (!check_role(port->user_name, roleid, hba->roles))
1679                         continue;
1680
1681                 /* Found a record that matched! */
1682                 port->hba = hba;
1683                 return;
1684         }
1685
1686         /* If no matching entry was found, then implicitly reject. */
1687         hba = palloc0(sizeof(HbaLine));
1688         hba->auth_method = uaImplicitReject;
1689         port->hba = hba;
1690 }
1691
1692 /*
1693  * Read the config file and create a List of HbaLine records for the contents.
1694  *
1695  * The configuration is read into a temporary list, and if any parse error
1696  * occurs the old list is kept in place and false is returned.  Only if the
1697  * whole file parses OK is the list replaced, and the function returns true.
1698  *
1699  * On a false result, caller will take care of reporting a FATAL error in case
1700  * this is the initial startup.  If it happens on reload, we just keep running
1701  * with the old data.
1702  */
1703 bool
1704 load_hba(void)
1705 {
1706         FILE       *file;
1707         List       *hba_lines = NIL;
1708         List       *hba_line_nums = NIL;
1709         ListCell   *line,
1710                            *line_num;
1711         List       *new_parsed_lines = NIL;
1712         bool            ok = true;
1713         MemoryContext   linecxt;
1714         MemoryContext   oldcxt;
1715         MemoryContext   hbacxt;
1716
1717         file = AllocateFile(HbaFileName, "r");
1718         if (file == NULL)
1719         {
1720                 ereport(LOG,
1721                                 (errcode_for_file_access(),
1722                                  errmsg("could not open configuration file \"%s\": %m",
1723                                                 HbaFileName)));
1724                 return false;
1725         }
1726
1727         linecxt = tokenize_file(HbaFileName, file, &hba_lines, &hba_line_nums);
1728         FreeFile(file);
1729
1730         /* Now parse all the lines */
1731         hbacxt = AllocSetContextCreate(TopMemoryContext,
1732                                                                    "hba parser context",
1733                                                                    ALLOCSET_DEFAULT_MINSIZE,
1734                                                                    ALLOCSET_DEFAULT_MINSIZE,
1735                                                                    ALLOCSET_DEFAULT_MAXSIZE);
1736         oldcxt = MemoryContextSwitchTo(hbacxt);
1737         forboth(line, hba_lines, line_num, hba_line_nums)
1738         {
1739                 HbaLine    *newline;
1740
1741                 if ((newline = parse_hba_line(lfirst(line), lfirst_int(line_num))) == NULL)
1742                 {
1743                         /*
1744                          * Parse error in the file, so indicate there's a problem.  NB: a
1745                          * problem in a line will free the memory for all previous lines as
1746                          * well!
1747                          */
1748                         MemoryContextReset(hbacxt);
1749                         new_parsed_lines = NIL;
1750                         ok = false;
1751
1752                         /*
1753                          * Keep parsing the rest of the file so we can report errors on
1754                          * more than the first row. Error has already been reported in the
1755                          * parsing function, so no need to log it here.
1756                          */
1757                         continue;
1758                 }
1759
1760                 new_parsed_lines = lappend(new_parsed_lines, newline);
1761         }
1762
1763         /*
1764          * A valid HBA file must have at least one entry; else there's no way
1765          * to connect to the postmaster.  But only complain about this if we
1766          * didn't already have parsing errors.
1767          */
1768         if (ok && new_parsed_lines == NIL)
1769         {
1770                 ereport(LOG,
1771                                 (errcode(ERRCODE_CONFIG_FILE_ERROR),
1772                                  errmsg("configuration file \"%s\" contains no entries",
1773                                                 HbaFileName)));
1774                 ok = false;
1775         }
1776
1777         /* Free tokenizer memory */
1778         MemoryContextDelete(linecxt);
1779         MemoryContextSwitchTo(oldcxt);
1780
1781         if (!ok)
1782         {
1783                 /* File contained one or more errors, so bail out */
1784                 MemoryContextDelete(hbacxt);
1785                 return false;
1786         }
1787
1788         /* Loaded new file successfully, replace the one we use */
1789         if (parsed_hba_context != NULL)
1790                 MemoryContextDelete(parsed_hba_context);
1791         parsed_hba_context = hbacxt;
1792         parsed_hba_lines = new_parsed_lines;
1793
1794         return true;
1795 }
1796
1797 /*
1798  *      Process one line from the ident config file.
1799  *
1800  *      Take the line and compare it to the needed map, pg_role and ident_user.
1801  *      *found_p and *error_p are set according to our results.
1802  */
1803 static void
1804 parse_ident_usermap(List *line, int line_number, const char *usermap_name,
1805                                         const char *pg_role, const char *ident_user,
1806                                         bool case_insensitive, bool *found_p, bool *error_p)
1807 {
1808         ListCell   *field;
1809         List       *tokens;
1810         HbaToken   *token;
1811         char       *file_map;
1812         char       *file_pgrole;
1813         char       *file_ident_user;
1814
1815         *found_p = false;
1816         *error_p = false;
1817
1818         Assert(line != NIL);
1819         field = list_head(line);
1820
1821         /* Get the map token (must exist) */
1822         tokens = lfirst(field);
1823         IDENT_MULTI_VALUE(tokens);
1824         token = linitial(tokens);
1825         file_map = token->string;
1826
1827         /* Get the ident user token */
1828         field = lnext(field);
1829         IDENT_FIELD_ABSENT(field);
1830         tokens = lfirst(field);
1831         IDENT_MULTI_VALUE(tokens);
1832         token = linitial(tokens);
1833         file_ident_user = token->string;
1834
1835         /* Get the PG rolename token */
1836         field = lnext(field);
1837         IDENT_FIELD_ABSENT(field);
1838         tokens = lfirst(field);
1839         IDENT_MULTI_VALUE(tokens);
1840         token = linitial(tokens);
1841         file_pgrole = token->string;
1842
1843         if (strcmp(file_map, usermap_name) != 0)
1844                 /* Line does not match the map name we're looking for, so just abort */
1845                 return;
1846
1847         /* Match? */
1848         if (file_ident_user[0] == '/')
1849         {
1850                 /*
1851                  * When system username starts with a slash, treat it as a regular
1852                  * expression. In this case, we process the system username as a
1853                  * regular expression that returns exactly one match. This is replaced
1854                  * for \1 in the database username string, if present.
1855                  */
1856                 int                     r;
1857                 regex_t         re;
1858                 regmatch_t      matches[2];
1859                 pg_wchar   *wstr;
1860                 int                     wlen;
1861                 char       *ofs;
1862                 char       *regexp_pgrole;
1863
1864                 wstr = palloc((strlen(file_ident_user + 1) + 1) * sizeof(pg_wchar));
1865                 wlen = pg_mb2wchar_with_len(file_ident_user + 1, wstr, strlen(file_ident_user + 1));
1866
1867                 /*
1868                  * XXX: Major room for optimization: regexps could be compiled when
1869                  * the file is loaded and then re-used in every connection.
1870                  */
1871                 r = pg_regcomp(&re, wstr, wlen, REG_ADVANCED, C_COLLATION_OID);
1872                 if (r)
1873                 {
1874                         char            errstr[100];
1875
1876                         pg_regerror(r, &re, errstr, sizeof(errstr));
1877                         ereport(LOG,
1878                                         (errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
1879                                          errmsg("invalid regular expression \"%s\": %s",
1880                                                         file_ident_user + 1, errstr)));
1881
1882                         pfree(wstr);
1883                         *error_p = true;
1884                         return;
1885                 }
1886                 pfree(wstr);
1887
1888                 wstr = palloc((strlen(ident_user) + 1) * sizeof(pg_wchar));
1889                 wlen = pg_mb2wchar_with_len(ident_user, wstr, strlen(ident_user));
1890
1891                 r = pg_regexec(&re, wstr, wlen, 0, NULL, 2, matches, 0);
1892                 if (r)
1893                 {
1894                         char            errstr[100];
1895
1896                         if (r != REG_NOMATCH)
1897                         {
1898                                 /* REG_NOMATCH is not an error, everything else is */
1899                                 pg_regerror(r, &re, errstr, sizeof(errstr));
1900                                 ereport(LOG,
1901                                                 (errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
1902                                          errmsg("regular expression match for \"%s\" failed: %s",
1903                                                         file_ident_user + 1, errstr)));
1904                                 *error_p = true;
1905                         }
1906
1907                         pfree(wstr);
1908                         pg_regfree(&re);
1909                         return;
1910                 }
1911                 pfree(wstr);
1912
1913                 if ((ofs = strstr(file_pgrole, "\\1")) != NULL)
1914                 {
1915                         /* substitution of the first argument requested */
1916                         if (matches[1].rm_so < 0)
1917                         {
1918                                 ereport(LOG,
1919                                                 (errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
1920                                                  errmsg("regular expression \"%s\" has no subexpressions as requested by backreference in \"%s\"",
1921                                                                 file_ident_user + 1, file_pgrole)));
1922                                 pg_regfree(&re);
1923                                 *error_p = true;
1924                                 return;
1925                         }
1926
1927                         /*
1928                          * length: original length minus length of \1 plus length of match
1929                          * plus null terminator
1930                          */
1931                         regexp_pgrole = palloc0(strlen(file_pgrole) - 2 + (matches[1].rm_eo - matches[1].rm_so) + 1);
1932                         strncpy(regexp_pgrole, file_pgrole, (ofs - file_pgrole));
1933                         memcpy(regexp_pgrole + strlen(regexp_pgrole),
1934                                    ident_user + matches[1].rm_so,
1935                                    matches[1].rm_eo - matches[1].rm_so);
1936                         strcat(regexp_pgrole, ofs + 2);
1937                 }
1938                 else
1939                 {
1940                         /* no substitution, so copy the match */
1941                         regexp_pgrole = pstrdup(file_pgrole);
1942                 }
1943
1944                 pg_regfree(&re);
1945
1946                 /*
1947                  * now check if the username actually matched what the user is trying
1948                  * to connect as
1949                  */
1950                 if (case_insensitive)
1951                 {
1952                         if (pg_strcasecmp(regexp_pgrole, pg_role) == 0)
1953                                 *found_p = true;
1954                 }
1955                 else
1956                 {
1957                         if (strcmp(regexp_pgrole, pg_role) == 0)
1958                                 *found_p = true;
1959                 }
1960                 pfree(regexp_pgrole);
1961
1962                 return;
1963         }
1964         else
1965         {
1966                 /* Not regular expression, so make complete match */
1967                 if (case_insensitive)
1968                 {
1969                         if (pg_strcasecmp(file_pgrole, pg_role) == 0 &&
1970                                 pg_strcasecmp(file_ident_user, ident_user) == 0)
1971                                 *found_p = true;
1972                 }
1973                 else
1974                 {
1975                         if (strcmp(file_pgrole, pg_role) == 0 &&
1976                                 strcmp(file_ident_user, ident_user) == 0)
1977                                 *found_p = true;
1978                 }
1979         }
1980         return;
1981 }
1982
1983
1984 /*
1985  *      Scan the (pre-parsed) ident usermap file line by line, looking for a match
1986  *
1987  *      See if the user with ident username "auth_user" is allowed to act
1988  *      as Postgres user "pg_role" according to usermap "usermap_name".
1989  *
1990  *      Special case: Usermap NULL, equivalent to what was previously called
1991  *      "sameuser" or "samerole", means don't look in the usermap file.
1992  *      That's an implied map wherein "pg_role" must be identical to
1993  *      "auth_user" in order to be authorized.
1994  *
1995  *      Iff authorized, return STATUS_OK, otherwise return STATUS_ERROR.
1996  */
1997 int
1998 check_usermap(const char *usermap_name,
1999                           const char *pg_role,
2000                           const char *auth_user,
2001                           bool case_insensitive)
2002 {
2003         bool            found_entry = false,
2004                                 error = false;
2005
2006         if (usermap_name == NULL || usermap_name[0] == '\0')
2007         {
2008                 if (case_insensitive)
2009                 {
2010                         if (pg_strcasecmp(pg_role, auth_user) == 0)
2011                                 return STATUS_OK;
2012                 }
2013                 else
2014                 {
2015                         if (strcmp(pg_role, auth_user) == 0)
2016                                 return STATUS_OK;
2017                 }
2018                 ereport(LOG,
2019                                 (errmsg("provided user name (%s) and authenticated user name (%s) do not match",
2020                                                 pg_role, auth_user)));
2021                 return STATUS_ERROR;
2022         }
2023         else
2024         {
2025                 ListCell   *line_cell,
2026                                    *num_cell;
2027
2028                 forboth(line_cell, ident_lines, num_cell, ident_line_nums)
2029                 {
2030                         parse_ident_usermap(lfirst(line_cell), lfirst_int(num_cell),
2031                                                   usermap_name, pg_role, auth_user, case_insensitive,
2032                                                                 &found_entry, &error);
2033                         if (found_entry || error)
2034                                 break;
2035                 }
2036         }
2037         if (!found_entry && !error)
2038         {
2039                 ereport(LOG,
2040                                 (errmsg("no match in usermap \"%s\" for user \"%s\" authenticated as \"%s\"",
2041                                                 usermap_name, pg_role, auth_user)));
2042         }
2043         return found_entry ? STATUS_OK : STATUS_ERROR;
2044 }
2045
2046
2047 /*
2048  * Read the ident config file and populate ident_lines and ident_line_nums.
2049  *
2050  * Like parsed_hba_lines, ident_lines is a triple-nested List of lines, fields
2051  * and tokens.
2052  */
2053 void
2054 load_ident(void)
2055 {
2056         FILE       *file;
2057
2058         if (ident_context != NULL)
2059         {
2060                 MemoryContextDelete(ident_context);
2061                 ident_context = NULL;
2062         }
2063
2064         file = AllocateFile(IdentFileName, "r");
2065         if (file == NULL)
2066         {
2067                 /* not fatal ... we just won't do any special ident maps */
2068                 ereport(LOG,
2069                                 (errcode_for_file_access(),
2070                                  errmsg("could not open usermap file \"%s\": %m",
2071                                                 IdentFileName)));
2072         }
2073         else
2074         {
2075                 ident_context = tokenize_file(IdentFileName, file, &ident_lines,
2076                                                                           &ident_line_nums);
2077                 FreeFile(file);
2078         }
2079 }
2080
2081
2082
2083 /*
2084  *      Determine what authentication method should be used when accessing database
2085  *      "database" from frontend "raddr", user "user".  Return the method and
2086  *      an optional argument (stored in fields of *port), and STATUS_OK.
2087  *
2088  *      If the file does not contain any entry matching the request, we return
2089  *      method = uaImplicitReject.
2090  */
2091 void
2092 hba_getauthmethod(hbaPort *port)
2093 {
2094         check_hba(port);
2095 }