public inbox for [email protected]
help / color / mirror / Atom feedFrom: Julien Rouhaud <[email protected]>
Subject: [PATCH v8 6/6] POC: Add a pg_hba_matches() function.
Date: Tue, 22 Feb 2022 21:34:54 +0800
Catversion is bumped.
Author: Julien Rouhaud
Reviewed-by: FIXME
Discussion: https://postgr.es/m/20220223045959.35ipdsvbxcstrhya%40jrouhaud
---
src/backend/catalog/system_functions.sql | 9 ++
src/backend/libpq/hba.c | 138 +++++++++++++++++++++++
src/include/catalog/pg_proc.dat | 7 ++
3 files changed, 154 insertions(+)
diff --git a/src/backend/catalog/system_functions.sql b/src/backend/catalog/system_functions.sql
index 73da687d5d..bfee72f705 100644
--- a/src/backend/catalog/system_functions.sql
+++ b/src/backend/catalog/system_functions.sql
@@ -594,6 +594,15 @@ LANGUAGE internal
STRICT IMMUTABLE PARALLEL SAFE
AS 'unicode_is_normalized';
+CREATE OR REPLACE FUNCTION
+ pg_hba_matches(
+ IN address inet, IN role text, IN ssl bool DEFAULT false,
+ OUT file_name text, OUT line_num int4, OUT raw_line text)
+RETURNS RECORD
+LANGUAGE INTERNAL
+VOLATILE
+AS 'pg_hba_matches';
+
--
-- The default permissions for functions mean that anyone can execute them.
-- A number of functions shouldn't be executable by just anyone, but rather
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 814bfcf30d..70e7c871a8 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -27,6 +27,7 @@
#include <unistd.h>
#include "access/htup_details.h"
+#include "catalog/pg_authid.h"
#include "catalog/pg_collation.h"
#include "catalog/pg_type.h"
#include "common/ip.h"
@@ -42,6 +43,7 @@
#include "utils/acl.h"
#include "utils/builtins.h"
#include "utils/guc.h"
+#include "utils/inet.h"
#include "utils/lsyscache.h"
#include "utils/memutils.h"
#include "utils/varlena.h"
@@ -2983,3 +2985,139 @@ hba_authname(UserAuth auth_method)
return UserAuthName[auth_method];
}
+
+#define PG_HBA_MATCHES_ATTS 3
+
+/*
+ * SQL-accessible SRF to return the entries that match the given connection
+ * info, if any.
+ */
+Datum pg_hba_matches(PG_FUNCTION_ARGS)
+{
+ MemoryContext ctxt;
+ inet *address = NULL;
+ bool ssl_in_use = false;
+ hbaPort *port = palloc0(sizeof(hbaPort));
+ TupleDesc tupdesc;
+ Datum values[PG_HBA_MATCHES_ATTS];
+ bool isnull[PG_HBA_MATCHES_ATTS];
+
+ if (!is_member_of_role(GetUserId(), ROLE_PG_READ_SERVER_FILES))
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("only superuser or a member of the pg_read_server_files role may call this function")));
+
+ if (PG_ARGISNULL(0))
+ port->raddr.addr.ss_family = AF_UNIX;
+ else
+ {
+ int bits;
+ char *ptr;
+ char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255/128")];
+
+ address = PG_GETARG_INET_PP(0);
+
+ bits = ip_maxbits(address) - ip_bits(address);
+ if (bits != 0)
+ {
+ ereport(ERROR,
+ (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+ errmsg("Invalid address")));
+ }
+
+ /* force display of max bits, regardless of masklen... */
+ if (pg_inet_net_ntop(ip_family(address), ip_addr(address),
+ ip_maxbits(address), tmp, sizeof(tmp)) == NULL)
+ ereport(ERROR,
+ (errcode(ERRCODE_INVALID_BINARY_REPRESENTATION),
+ errmsg("could not format inet value: %m")));
+
+ /* Suppress /n if present (shouldn't happen now) */
+ if ((ptr = strchr(tmp, '/')) != NULL)
+ *ptr = '\0';
+
+ switch (ip_family(address))
+ {
+ case PGSQL_AF_INET:
+ {
+ struct sockaddr_in *dst;
+
+ dst = (struct sockaddr_in *) &port->raddr.addr;
+ dst->sin_family = AF_INET;
+
+ /* ip_addr(address) always contains network representation */
+ memcpy(&dst->sin_addr, &ip_addr(address), sizeof(dst->sin_addr));
+
+ break;
+ }
+ /* See pg_inet_net_ntop() for details about those constants */
+ case PGSQL_AF_INET6:
+#if defined(AF_INET6) && AF_INET6 != PGSQL_AF_INET6
+ case AF_INET6:
+#endif
+ {
+ struct sockaddr_in6 *dst;
+
+ dst = (struct sockaddr_in6 *) &port->raddr.addr;
+ dst->sin6_family = AF_INET6;
+
+ /* ip_addr(address) always contains network representation */
+ memcpy(&dst->sin6_addr, &ip_addr(address), sizeof(dst->sin6_addr));
+
+ break;
+ }
+ default:
+ elog(ERROR, "unexpected ip_family: %d", ip_family(address));
+ break;
+ }
+ }
+
+ if (PG_ARGISNULL(1))
+ ereport(ERROR,
+ (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+ errmsg("parameter role is mandatory")));
+ port->user_name = text_to_cstring(PG_GETARG_TEXT_PP(1));
+
+ if (!PG_ARGISNULL(2))
+ ssl_in_use = PG_GETARG_BOOL(2);
+
+ port->ssl_in_use = ssl_in_use;
+
+ tupdesc = CreateTemplateTupleDesc(PG_HBA_MATCHES_ATTS);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 1, "file_name",
+ TEXTOID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 2, "line_num",
+ INT4OID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 3, "raw_line",
+ TEXTOID, -1, 0);
+
+ BlessTupleDesc(tupdesc);
+
+ memset(isnull, 0, sizeof(isnull));
+
+ /* FIXME rework API to not rely on PostmasterContext */
+ ctxt = AllocSetContextCreate(CurrentMemoryContext, "load_hba",
+ ALLOCSET_DEFAULT_SIZES);
+ PostmasterContext = AllocSetContextCreate(ctxt,
+ "Postmaster",
+ ALLOCSET_DEFAULT_SIZES);
+ parsed_hba_context = NULL;
+ if (!load_hba())
+ ereport(ERROR,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("Invalidation auth configuration file")));
+
+ check_hba(port);
+
+ if (port->hba->auth_method == uaImplicitReject)
+ PG_RETURN_NULL();
+
+ values[0] = CStringGetTextDatum(port->hba->sourcefile);
+ values[1] = Int32GetDatum(port->hba->linenumber);
+ values[2] = CStringGetTextDatum(port->hba->rawline);
+
+ MemoryContextDelete(PostmasterContext);
+ PostmasterContext = NULL;
+
+ return HeapTupleGetDatum(heap_form_tuple(tupdesc, values, isnull));
+}
diff --git a/src/include/catalog/pg_proc.dat b/src/include/catalog/pg_proc.dat
index d66b2443a4..f6609a4a5f 100644
--- a/src/include/catalog/pg_proc.dat
+++ b/src/include/catalog/pg_proc.dat
@@ -6139,6 +6139,13 @@
proargmodes => '{o,o,o,o,o,o,o}',
proargnames => '{mapping_number,file_name,line_number,map_name,sys_name,pg_username,error}',
prosrc => 'pg_ident_file_mappings' },
+{ oid => '9557', descr => 'show wether the given connection would match an hba line',
+ proname => 'pg_hba_matches', provolatile => 'v', prorettype => 'record',
+ proargtypes => 'inet text bool', proisstrict => 'f',
+ proallargtypes => '{inet,text,bool,text,int4,text}',
+ proargmodes => '{i,i,i,o,o,o}',
+ proargnames => '{address,role,ssl,file_name,line_num,raw_line}',
+ prosrc => 'pg_hba_matches' },
{ oid => '1371', descr => 'view system lock information',
proname => 'pg_lock_status', prorows => '1000', proretset => 't',
provolatile => 'v', prorettype => 'record', proargtypes => '',
--
2.37.0
--lqayot32rzm7n4sf--
view thread (16+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected]
Subject: Re: [PATCH v8 6/6] POC: Add a pg_hba_matches() function.
In-Reply-To: <no-message-id-1858834@localhost>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox