NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit8607630

committed

Rename some variables related to ident files in hba.{c,h}

The code that handles authentication for user maps was pretty confusingwith its choice of variable names. It involves two types of users: asystem user and a Postgres user (well, role), and these were not namedconsistently throughout the code that processes the user maps loadedfrom pg_ident.conf at authentication.This commit changes the following things to improve the situation:- Rename "pg_role" to "pg_user" and "token" to "system_user" inIndetLine. These choices are more consistent with the pg_ident.confexample in the docs, as well. "token" has been introduced recently infc579e1, and it is way worse than the choice before that, "ident_user".- Switch the order of the fields in IdentLine to map with the order ofthe items in the ident files, as of map name, system user and PG user.- In check_ident_usermap(), rename "regexp_pgrole" to "expanded_pg_user"when processing a regexp for the system user entry in a user map. Thisvariable does not store a regular expression at all: it would be eithera string or a substitution to \1 if the Postgres role is specified assuch.Author: Jelte FennemaDiscussion:https://postgr.es/m/CAGECzQTkwELHUOAKhvdA+m3tWbUQySHHkExJV8GAZ1pwgbEgXg@mail.gmail.com

1 parentbfd2542 commit8607630Copy full SHA for 8607630

File tree

3 files changed

+44

-44

lines changed

src
- backend
  - libpq
    - hba.c
  - utils/adt
    - hbafuncs.c
- include/libpq
  - hba.h

3 files changed

+44

-44

lines changed

`‎src/backend/libpq/hba.c‎`

Lines changed: 39 additions & 39 deletions

Original file line number	Diff line number	Diff line change
`@@ -2792,21 +2792,21 @@ parse_ident_line(TokenizedAuthLine *tok_line, int elevel)`
`2792`	`2792`	`token=linitial(tokens);`
`2793`	`2793`
`2794`	`2794`	`/* Copy the ident user token */`
`2795`		`-parsedline->token=copy_auth_token(token);`
	`2795`	`+parsedline->system_user=copy_auth_token(token);`
`2796`	`2796`
`2797`	`2797`	`/* Get the PG rolename token */`
`2798`	`2798`	`field=lnext(tok_line->fields,field);`
`2799`	`2799`	`IDENT_FIELD_ABSENT(field);`
`2800`	`2800`	`tokens=lfirst(field);`
`2801`	`2801`	`IDENT_MULTI_VALUE(tokens);`
`2802`	`2802`	`token=linitial(tokens);`
`2803`		`-parsedline->pg_role=pstrdup(token->string);`
	`2803`	`+parsedline->pg_user=pstrdup(token->string);`
`2804`	`2804`
`2805`	`2805`	`/*`
`2806`	`2806`	`* Now that the field validation is done, compile a regex from the user`
`2807`	`2807`	`* token, if necessary.`
`2808`	`2808`	`*/`
`2809`		`-if (regcomp_auth_token(parsedline->token,file_name,line_num,`
	`2809`	`+if (regcomp_auth_token(parsedline->system_user,file_name,line_num,`
`2810`	`2810`	`err_msg,elevel))`
`2811`	`2811`	`{`
`2812`	`2812`	`/* err_msg includes the error to report */`
`@@ -2819,12 +2819,12 @@ parse_ident_line(TokenizedAuthLine *tok_line, int elevel)`
`2819`	`2819`	`/*`
`2820`	`2820`	`*Process one line from the parsed ident config lines.`
`2821`	`2821`	`*`
`2822`		`- *Compare input parsed ident line to the needed map,pg_role andident_user.`
	`2822`	`+ *Compare input parsed ident line to the needed map,pg_user andsystem_user.`
`2823`	`2823`	`*found_p and error_p are set according to our results.`
`2824`	`2824`	`*/`
`2825`	`2825`	`staticvoid`
`2826`	`2826`	`check_ident_usermap(IdentLineidentLine,constcharusermap_name,`
`2827`		`-constcharpg_role,constcharident_user,`
	`2827`	`+constcharpg_user,constcharsystem_user,`
`2828`	`2828`	`boolcase_insensitive,boolfound_p,boolerror_p)`
`2829`	`2829`	`{`
`2830`	`2830`	`*found_p= false;`
`@@ -2835,7 +2835,7 @@ check_ident_usermap(IdentLine identLine, const char usermap_name,`
`2835`	`2835`	`return;`
`2836`	`2836`
`2837`	`2837`	`/* Match? */`
`2838`		`-if (token_has_regexp(identLine->token))`
	`2838`	`+if (token_has_regexp(identLine->system_user))`
`2839`	`2839`	`{`
`2840`	`2840`	`/*`
`2841`	`2841`	`* Process the system username as a regular expression that returns`
`@@ -2845,27 +2845,27 @@ check_ident_usermap(IdentLine identLine, const char usermap_name,`
`2845`	`2845`	`intr;`
`2846`	`2846`	`regmatch_tmatches[2];`
`2847`	`2847`	`char*ofs;`
`2848`		`-char*regexp_pgrole;`
	`2848`	`+char*expanded_pg_user;`
`2849`	`2849`
`2850`		`-r=regexec_auth_token(ident_user,identLine->token,2,matches);`
	`2850`	`+r=regexec_auth_token(system_user,identLine->system_user,2,matches);`
`2851`	`2851`	`if (r)`
`2852`	`2852`	`{`
`2853`	`2853`	`charerrstr[100];`
`2854`	`2854`
`2855`	`2855`	`if (r!=REG_NOMATCH)`
`2856`	`2856`	`{`
`2857`	`2857`	`/* REG_NOMATCH is not an error, everything else is */`
`2858`		`-pg_regerror(r,identLine->token->regex,errstr,sizeof(errstr));`
	`2858`	`+pg_regerror(r,identLine->system_user->regex,errstr,sizeof(errstr));`
`2859`	`2859`	`ereport(LOG,`
`2860`	`2860`	`(errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),`
`2861`	`2861`	`errmsg("regular expression match for \"%s\" failed: %s",`
`2862`		`-identLine->token->string+1,errstr)));`
	`2862`	`+identLine->system_user->string+1,errstr)));`
`2863`	`2863`	`*error_p= true;`
`2864`	`2864`	`}`
`2865`	`2865`	`return;`
`2866`	`2866`	`}`
`2867`	`2867`
`2868`		`-if ((ofs=strstr(identLine->pg_role,"\\1"))!=NULL)`
	`2868`	`+if ((ofs=strstr(identLine->pg_user,"\\1"))!=NULL)`
`2869`	`2869`	`{`
`2870`	`2870`	`intoffset;`
`2871`	`2871`
`@@ -2875,7 +2875,7 @@ check_ident_usermap(IdentLine identLine, const char usermap_name,`
`2875`	`2875`	`ereport(LOG,`
`2876`	`2876`	`(errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),`
`2877`	`2877`	`errmsg("regular expression \"%s\" has no subexpressions as requested by backreference in \"%s\"",`
`2878`		`-identLine->token->string+1,identLine->pg_role)));`
	`2878`	`+identLine->system_user->string+1,identLine->pg_user)));`
`2879`	`2879`	`*error_p= true;`
`2880`	`2880`	`return;`
`2881`	`2881`	`}`
`@@ -2884,18 +2884,18 @@ check_ident_usermap(IdentLine identLine, const char usermap_name,`
`2884`	`2884`	`* length: original length minus length of \1 plus length of match`
`2885`	`2885`	`* plus null terminator`
`2886`	`2886`	`*/`
`2887`		`-regexp_pgrole=palloc0(strlen(identLine->pg_role)-2+ (matches[1].rm_eo-matches[1].rm_so)+1);`
`2888`		`-offset=ofs-identLine->pg_role;`
`2889`		`-memcpy(regexp_pgrole,identLine->pg_role,offset);`
`2890`		`-memcpy(regexp_pgrole+offset,`
`2891`		`-ident_user+matches[1].rm_so,`
	`2887`	`+expanded_pg_user=palloc0(strlen(identLine->pg_user)-2+ (matches[1].rm_eo-matches[1].rm_so)+1);`
	`2888`	`+offset=ofs-identLine->pg_user;`
	`2889`	`+memcpy(expanded_pg_user,identLine->pg_user,offset);`
	`2890`	`+memcpy(expanded_pg_user+offset,`
	`2891`	`+system_user+matches[1].rm_so,`
`2892`	`2892`	`matches[1].rm_eo-matches[1].rm_so);`
`2893`		`-strcat(regexp_pgrole,ofs+2);`
	`2893`	`+strcat(expanded_pg_user,ofs+2);`
`2894`	`2894`	`}`
`2895`	`2895`	`else`
`2896`	`2896`	`{`
`2897`	`2897`	`/* no substitution, so copy the match */`
`2898`		`-regexp_pgrole=pstrdup(identLine->pg_role);`
	`2898`	`+expanded_pg_user=pstrdup(identLine->pg_user);`
`2899`	`2899`	`}`
`2900`	`2900`
`2901`	`2901`	`/*`
`@@ -2904,15 +2904,15 @@ check_ident_usermap(IdentLine identLine, const char usermap_name,`
`2904`	`2904`	`*/`
`2905`	`2905`	`if (case_insensitive)`
`2906`	`2906`	`{`
`2907`		`-if (pg_strcasecmp(regexp_pgrole,pg_role)==0)`
	`2907`	`+if (pg_strcasecmp(expanded_pg_user,pg_user)==0)`
`2908`	`2908`	`*found_p= true;`
`2909`	`2909`	`}`
`2910`	`2910`	`else`
`2911`	`2911`	`{`
`2912`		`-if (strcmp(regexp_pgrole,pg_role)==0)`
	`2912`	`+if (strcmp(expanded_pg_user,pg_user)==0)`
`2913`	`2913`	`*found_p= true;`
`2914`	`2914`	`}`
`2915`		`-pfree(regexp_pgrole);`
	`2915`	`+pfree(expanded_pg_user);`
`2916`	`2916`
`2917`	`2917`	`return;`
`2918`	`2918`	`}`
`@@ -2921,14 +2921,14 @@ check_ident_usermap(IdentLine identLine, const char usermap_name,`
`2921`	`2921`	`/* Not regular expression, so make complete match */`
`2922`	`2922`	`if (case_insensitive)`
`2923`	`2923`	`{`
`2924`		`-if (pg_strcasecmp(identLine->pg_role,pg_role)==0&&`
`2925`		`-pg_strcasecmp(identLine->token->string,ident_user)==0)`
	`2924`	`+if (pg_strcasecmp(identLine->pg_user,pg_user)==0&&`
	`2925`	`+pg_strcasecmp(identLine->system_user->string,system_user)==0)`
`2926`	`2926`	`*found_p= true;`
`2927`	`2927`	`}`
`2928`	`2928`	`else`
`2929`	`2929`	`{`
`2930`		`-if (strcmp(identLine->pg_role,pg_role)==0&&`
`2931`		`-strcmp(identLine->token->string,ident_user)==0)`
	`2930`	`+if (strcmp(identLine->pg_user,pg_user)==0&&`
	`2931`	`+strcmp(identLine->system_user->string,system_user)==0)`
`2932`	`2932`	`*found_p= true;`
`2933`	`2933`	`}`
`2934`	`2934`	`}`
`@@ -2938,20 +2938,20 @@ check_ident_usermap(IdentLine identLine, const char usermap_name,`
`2938`	`2938`	`/*`
`2939`	`2939`	`*Scan the (pre-parsed) ident usermap file line by line, looking for a match`
`2940`	`2940`	`*`
`2941`		`- *See if the user with ident username "auth_user" is allowed to act`
`2942`		`- *asPostgres user "pg_role" according to usermap "usermap_name".`
	`2941`	`+ *See if thesystemuser with ident username "system_user" is allowed to act as`
	`2942`	`+ *Postgres user "pg_user" according to usermap "usermap_name".`
`2943`	`2943`	`*`
`2944`	`2944`	`*Special case: Usermap NULL, equivalent to what was previously called`
`2945`	`2945`	`*"sameuser" or "samerole", means don't look in the usermap file.`
`2946`		`- *That's an implied map wherein "pg_role" must be identical to`
`2947`		`- *"auth_user" in order to be authorized.`
	`2946`	`+ *That's an implied map wherein "pg_user" must be identical to`
	`2947`	`+ *"system_user" in order to be authorized.`
`2948`	`2948`	`*`
`2949`	`2949`	`*Iff authorized, return STATUS_OK, otherwise return STATUS_ERROR.`
`2950`	`2950`	`*/`
`2951`	`2951`	`int`
`2952`	`2952`	`check_usermap(constchar*usermap_name,`
`2953`		`-constchar*pg_role,`
`2954`		`-constchar*auth_user,`
	`2953`	`+constchar*pg_user,`
	`2954`	`+constchar*system_user,`
`2955`	`2955`	`boolcase_insensitive)`
`2956`	`2956`	`{`
`2957`	`2957`	`boolfound_entry= false,`
`@@ -2961,17 +2961,17 @@ check_usermap(const char *usermap_name,`
`2961`	`2961`	`{`
`2962`	`2962`	`if (case_insensitive)`
`2963`	`2963`	`{`
`2964`		`-if (pg_strcasecmp(pg_role,auth_user)==0)`
	`2964`	`+if (pg_strcasecmp(pg_user,system_user)==0)`
`2965`	`2965`	`returnSTATUS_OK;`
`2966`	`2966`	`}`
`2967`	`2967`	`else`
`2968`	`2968`	`{`
`2969`		`-if (strcmp(pg_role,auth_user)==0)`
	`2969`	`+if (strcmp(pg_user,system_user)==0)`
`2970`	`2970`	`returnSTATUS_OK;`
`2971`	`2971`	`}`
`2972`	`2972`	`ereport(LOG,`
`2973`	`2973`	`(errmsg("provided user name (%s) and authenticated user name (%s) do not match",`
`2974`		`-pg_role,auth_user)));`
	`2974`	`+pg_user,system_user)));`
`2975`	`2975`	`returnSTATUS_ERROR;`
`2976`	`2976`	`}`
`2977`	`2977`	`else`
`@@ -2981,7 +2981,7 @@ check_usermap(const char *usermap_name,`
`2981`	`2981`	`foreach(line_cell,parsed_ident_lines)`
`2982`	`2982`	`{`
`2983`	`2983`	`check_ident_usermap(lfirst(line_cell),usermap_name,`
`2984`		`-pg_role,auth_user,case_insensitive,`
	`2984`	`+pg_user,system_user,case_insensitive,`
`2985`	`2985`	`&found_entry,&error);`
`2986`	`2986`	`if (found_entry\|\|error)`
`2987`	`2987`	`break;`
`@@ -2991,7 +2991,7 @@ check_usermap(const char *usermap_name,`
`2991`	`2991`	`{`
`2992`	`2992`	`ereport(LOG,`
`2993`	`2993`	`(errmsg("no match in usermap \"%s\" for user \"%s\" authenticated as \"%s\"",`
`2994`		`-usermap_name,pg_role,auth_user)));`
	`2994`	`+usermap_name,pg_user,system_user)));`
`2995`	`2995`	`}`
`2996`	`2996`	`returnfound_entry ?STATUS_OK :STATUS_ERROR;`
`2997`	`2997`	`}`
`@@ -3073,7 +3073,7 @@ load_ident(void)`
`3073`	`3073`	`foreach(parsed_line_cell,new_parsed_lines)`
`3074`	`3074`	`{`
`3075`	`3075`	`newline= (IdentLine*)lfirst(parsed_line_cell);`
`3076`		`-free_auth_token(newline->token);`
	`3076`	`+free_auth_token(newline->system_user);`
`3077`	`3077`	`}`
`3078`	`3078`	`MemoryContextDelete(ident_context);`
`3079`	`3079`	`return false;`
`@@ -3085,7 +3085,7 @@ load_ident(void)`
`3085`	`3085`	`foreach(parsed_line_cell,parsed_ident_lines)`
`3086`	`3086`	`{`
`3087`	`3087`	`newline= (IdentLine*)lfirst(parsed_line_cell);`
`3088`		`-free_auth_token(newline->token);`
	`3088`	`+free_auth_token(newline->system_user);`
`3089`	`3089`	`}`
`3090`	`3090`	`}`
`3091`	`3091`	`if (parsed_ident_context!=NULL)`

`‎src/backend/utils/adt/hbafuncs.c‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -492,8 +492,8 @@ fill_ident_line(Tuplestorestate *tuple_store, TupleDesc tupdesc,`
`492`	`492`	`if (ident!=NULL)`
`493`	`493`	`{`
`494`	`494`	`values[index++]=CStringGetTextDatum(ident->usermap);`
`495`		`-values[index++]=CStringGetTextDatum(ident->token->string);`
`496`		`-values[index++]=CStringGetTextDatum(ident->pg_role);`
	`495`	`+values[index++]=CStringGetTextDatum(ident->system_user->string);`
	`496`	`+values[index++]=CStringGetTextDatum(ident->pg_user);`
`497`	`497`	`}`
`498`	`498`	`else`
`499`	`499`	`{`

`‎src/include/libpq/hba.h‎`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -142,8 +142,8 @@ typedef struct IdentLine`
`142`	`142`	`intlinenumber;`
`143`	`143`
`144`	`144`	`char*usermap;`
`145`		`-char*pg_role;`
`146`		`-AuthToken*token;`
	`145`	`+AuthToken*system_user;`
	`146`	`+char*pg_user;`
`147`	`147`	`}IdentLine;`
`148`	`148`
`149`	`149`	`/*`
`@@ -172,7 +172,7 @@ extern bool load_ident(void);`
`172`	`172`	`externconstchar*hba_authname(UserAuthauth_method);`
`173`	`173`	`externvoidhba_getauthmethod(hbaPort*port);`
`174`	`174`	`externintcheck_usermap(constchar*usermap_name,`
`175`		`-constcharpg_role,constcharauth_user,`
	`175`	`+constcharpg_user,constcharsystem_user,`
`176`	`176`	`boolcase_insensitive);`
`177`	`177`	`externHbaLineparse_hba_line(TokenizedAuthLinetok_line,intelevel);`
`178`	`178`	`externIdentLineparse_ident_line(TokenizedAuthLinetok_line,intelevel);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit8607630

File tree

3 files changed

3 files changed

`‎src/backend/libpq/hba.c‎`

`‎src/backend/utils/adt/hbafuncs.c‎`

`‎src/include/libpq/hba.h‎`

0 commit comments