Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pHHxG-0006uU-T5 for pgsql-hackers@arkaria.postgresql.org; Mon, 16 Jan 2023 05:22:47 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1pHHxE-00070e-79 for pgsql-hackers@arkaria.postgresql.org; Mon, 16 Jan 2023 05:22:44 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pHHxC-0006zY-In for pgsql-hackers@lists.postgresql.org; Mon, 16 Jan 2023 05:22:43 +0000 Received: from out2-smtp.messagingengine.com ([66.111.4.26]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pHHx8-0003RC-Dm for pgsql-hackers@lists.postgresql.org; Mon, 16 Jan 2023 05:22:41 +0000 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 1933A5C0070; Mon, 16 Jan 2023 00:22:35 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute5.internal (MEProxy); Mon, 16 Jan 2023 00:22:35 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paquier.xyz; h= cc:cc:content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm3; t=1673846555; x=1673932955; bh=sRa3uL5gpH U4v29u2OQw0EkckS+rEUJG5LxJNrdtipo=; b=oEr41vQwiNgRH7T+CBLpZsjHjB k//emhvh3XkRt+wPyq/svioXtTP0qiCpzqiY36bsT14Hbih2kzTEJdmCyUIsPumL tlaI+rHPU0EUQQG+AOZdsW/i8EKVymYEplecz3JSQ3MgGBQoNecUrbJkEXo6iXoU 4k+XIZSDTN9Go6oOTG6/wUC+AkUzUNd0ErrqiOOsDc9mJiFocIVpffgDFQEDZELj mpQ7M/4J5CBM49NkQKIa0p9iVqGY3XtdqcToYrxxmq85RQ44g5ILzMZZVOJPQeLh qZwIk2KaM4iDfd4D6p0qQLUXgnp/ARxjekMV6O4IqPWTmSFRXdLnGAdBtb6Q== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:date:date:feedback-id :feedback-id:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; t=1673846555; x=1673932955; bh=sRa3uL5gpHU4v29u2OQw0EkckS+r EUJG5LxJNrdtipo=; b=D6vuzm3aSv5KX8L1pjeak/cHAo+SN66X0P5nE32vbmVl 5CI5ozVpzwDY7UGojKzqnCejSBtOmBr02aZTe6rFrxwpuGNf5RKNCzGqJ57oK1Sk 2yEAkGqXWnZ1RhTaPg9Vji2ZKbAXntktHvA6xgyPAS7QaqOhHkeVSpO3OobnFqpe xcZZY2yP/JY0xKjmznoxmeSJcDfoSo4n31Wa/xhTHRD/CyVOm2BhWRf5MlU3OZ7E pjZFMwTHd8r3JEnPGXLtgAgDG/B4PwTpND4+cuMnsSfc9bYMffxe6LAjGX3M89D+ O5X1AGRAwMCE2278N1fw/eZVXPB5POwUh2WLoLoZ1g== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedruddtfedgkedvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne gfrhhlucfvnfffucdljedtmdenucfjughrpeffhffvvefukfhfgggtuggjsehgtderredt tddvnecuhfhrohhmpefoihgthhgrvghlucfrrghquhhivghruceomhhitghhrggvlhesph grqhhuihgvrhdrgiihiieqnecuggftrfgrthhtvghrnhepteelieefudffhffhtdetleeg geegfffhkeeuveetiefgudduvedutefggeeivdejnecuvehluhhsthgvrhfuihiivgeptd enucfrrghrrghmpehmrghilhhfrhhomhepmhhitghhrggvlhesphgrqhhuihgvrhdrgiih ii X-ME-Proxy: Feedback-ID: i0fe9450f:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 16 Jan 2023 00:22:32 -0500 (EST) Date: Mon, 16 Jan 2023 14:22:27 +0900 From: Michael Paquier To: Jelte Fennema Cc: Jelte Fennema , "isaac.morland@gmail.com" , "pgsql-hackers@lists.postgresql.org" , Nathan Bossart , Andrew Dunstan Subject: Re: [EXTERNAL] Re: [PATCH] Support using "all" for the db user in pg_ident.conf Message-ID: References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="tNmOO70C/8EOxd4r" Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --tNmOO70C/8EOxd4r Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jan 13, 2023 at 09:19:10AM +0100, Jelte Fennema wrote: >> Even if folks applying quotes >> would not be able anymore to replace the pattern, the risk seems a bit >> remote? >=20 > Yeah I agree the risk is remote. To be clear, the main pattern I'm > worried about breaking is simply "\1". Where people had put > quotes around \1 for no reason. All in all, I'm fine if 0003 gets > merged, but I'd also be fine with it if it doesn't. Both the risk > and the advantage seem fairly small. Still, I am having a few second thoughts about 0003 after thinking about it over the weekend. Except if I am missing something, there are no issues with 0004 if we keep the current behavior of always replacing \1 even if pg-user is quoted? I would certainly add a new test case either way. >> I don't see how much that's different from the recent discussion with >> regexps added for databases and users to pg_hba.conf. And consistency >> sounds pretty good to me here. >=20 > It's not much different, except that here also all and + change their mea= ning > (for pg_hba.conf those special cases already existed). Mainly I called it= out > because I realised this discussion was called out in that commit too. >=20 >> Regexps can have commas >=20 > That's a really good reason to allow quoted regexes indeed. Even for pg_i= dent > entries, commas in unquoted regexes would cause the AuthToken parsing to = fail. >=20 > Is there anything you still want to see changed about any of the patches? + /* + * Mark the token as quoted, so it will only be compared litera= lly + * and not for special meanings like, such as "all" and members= hip + * checks using the + prefix. + */ + expanded_pg_user_token =3D make_auth_token(expanded_pg_user, tr= ue); It is critical to quote this AuthToken after the replacement, indeed. Or we are in big trouble. - /* no substitution, so copy the match */ - expanded_pg_user =3D pstrdup(identLine->pg_user->string); + expanded_pg_user_token =3D identLine->pg_user; Perhaps it would be simpler to use copy_auth_token() in this code path and always free the resulting token? In the code path where system-user is a regexp, could it be better to skip the replacement of \1 in the new AuthToken if pg-user is itself a regexp? The compiled regexp would be the same, but it could be considered as a bit confusing, as it can be thought that the compiled regexp of pg-user happened after the replacement? No issues with 0002 after a second look, so applied to move on. -- Michael --tNmOO70C/8EOxd4r Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEG72nH6vTowiyblFKnvQgOdbyQH0FAmPE3xMACgkQnvQgOdby QH3fdhAAiyNOOmg4cO5YjyjfQ/6LhW4hSXAVetKQPjBbmzC26Xuhr//csydFFkGx caC7h81FRKr22clQgFI9j7EfinPtid2QabFexcGEeSP/wO0C0kFIqJpvfa+/0Kni JhpC9o2onQJZOfkn22MvR6MRlEHZ2K7OFx7vRy7zDEbEWdftbFsemp/CVOqUzPjc EsZFTBzPSiWA52gK+ysZUCfSp45dgc/apwro3ahHhqgQ7wyhjpO6typnf1zuU9zp G6TRF8sBVFVZUZIklbEOamZr4LsBDLkyNu5ecKuKa55gjkh2729De1iE8c+vtvY7 LObCM1Eu3yWI/L1mGMwtI8STrjInLNz9z/w3NkELdkvda3dPSGn6OQOTJWjL3rp8 Ztb0/ZeqPWLUllwzZBy92tI6wga8RJgrkKawPCyZMN10yOV7aftlpyccw07+j0a8 v8yT7nPISdyL2ROMkuhICoZNKus+cjwHu0l3QPd364RfwZMlmPfBKZh/zbpSxmHv yDkVf/DNTrx8Z7HxVcxPyQbjs8zFbIEcWHLSVjpvfC7u4Wb7Jdz6g6VINEJ3EMV7 CtpnJXvgYbWMYZtasEV9msAscC3RGefLR6tDCbPImosK7iTI0KLIGcOgaKRW/fcG t/J+NOQXYJzRa60uhPESCjuYH6h/tsqN4EkbdgvNANWsCLpUNQo= =vlkp -----END PGP SIGNATURE----- --tNmOO70C/8EOxd4r--