NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitf60a0e9

committed

Add more columns to pg_stat_ssl

Add columns client_serial and issuer_dn to pg_stat_ssl. These allowuniquely identifying the client certificate.Rename the existing column clientdn to client_dn, to make the namingmore consistent and easier to read.Discussion:https://www.postgresql.org/message-id/flat/398754d8-6bb5-c5cf-e7b8-22e5f0983caf@2ndquadrant.com/

1 parent00d1e88 commitf60a0e9Copy full SHA for f60a0e9

File tree

11 files changed

+102

-25

lines changed

doc/src/sgml
- monitoring.sgml
src
- backend
  - catalog
    - system_views.sql
  - libpq
    - be-secure-openssl.c
  - postmaster
    - pgstat.c
  - utils/adt
    - pgstatfuncs.c
- include
  - catalog
    - catversion.h
    - pg_proc.dat
  - libpq
    - libpq-be.h
  - pgstat.h
- test
  - regress/expected
    - rules.out
  - ssl/t
    - 001_ssltests.pl

11 files changed

+102

-25

lines changed

`‎doc/src/sgml/monitoring.sgml‎`

Lines changed: 18 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -2201,15 +2201,31 @@ SELECT pid, wait_event_type, wait_event FROM pg_stat_activity WHERE wait_event i`
`2201`	`2201`	`or NULL if SSL is not in use on this connection</entry>`
`2202`	`2202`	`</row>`
`2203`	`2203`	`<row>`
`2204`		`- <entry><structfield>clientdn</structfield></entry>`
	`2204`	`+ <entry><structfield>client_dn</structfield></entry>`
`2205`	`2205`	`<entry><type>text</type></entry>`
`2206`	`2206`	`<entry>Distinguished Name (DN) field from the client certificate`
`2207`	`2207`	`used, or NULL if no client certificate was supplied or if SSL`
`2208`	`2208`	`is not in use on this connection. This field is truncated if the`
`2209`	`2209`	`DN field is longer than <symbol>NAMEDATALEN</symbol> (64 characters`
`2210`		`- in a standard build)`
	`2210`	`+ in a standard build).`
`2211`	`2211`	`</entry>`
`2212`	`2212`	`</row>`
	`2213`	`+ <row>`
	`2214`	`+ <entry><structfield>client_serial</structfield></entry>`
	`2215`	`+ <entry><type>numeric</type></entry>`
	`2216`	`+ <entry>Serial number of the client certificate, or NULL if no client`
	`2217`	`+ certificate was supplied or if SSL is not in use on this connection. The`
	`2218`	`+ combination of certificate serial number and certificate issuer uniquely`
	`2219`	`+ identifies a certificate (unless the issuer erroneously reuses serial`
	`2220`	`+ numbers).</entry>`
	`2221`	`+ </row>`
	`2222`	`+ <row>`
	`2223`	`+ <entry><structfield>issuer_dn</structfield></entry>`
	`2224`	`+ <entry><type>text</type></entry>`
	`2225`	`+ <entry>DN of the issuer of the client certificate, or NULL if no client`
	`2226`	`+ certificate was supplied or if SSL is not in use on this connection.`
	`2227`	`+ This field is truncated like <structfield>client_dn</structfield>.</entry>`
	`2228`	`+ </row>`
`2213`	`2229`	`</tbody>`
`2214`	`2230`	`</tgroup>`
`2215`	`2231`	`</table>`

`‎src/backend/catalog/system_views.sql‎`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -782,7 +782,9 @@ CREATE VIEW pg_stat_ssl AS`
`782`	`782`	`S.sslcipherAS cipher,`
`783`	`783`	`S.sslbitsAS bits,`
`784`	`784`	`S.sslcompressionAS compression,`
`785`		`-S.sslclientdnAS clientdn`
	`785`	`+S.ssl_client_dnAS client_dn,`
	`786`	`+S.ssl_client_serialAS client_serial,`
	`787`	`+S.ssl_issuer_dnAS issuer_dn`
`786`	`788`	`FROM pg_stat_get_activity(NULL)AS S;`
`787`	`789`
`788`	`790`	`CREATEVIEWpg_replication_slotsAS`

`‎src/backend/libpq/be-secure-openssl.c‎`

Lines changed: 30 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1109,14 +1109,43 @@ be_tls_get_cipher(Port *port)`
`1109`	`1109`	`}`
`1110`	`1110`
`1111`	`1111`	`void`
`1112`		`-be_tls_get_peerdn_name(Portport,charptr,size_tlen)`
	`1112`	`+be_tls_get_peer_subject_name(Portport,charptr,size_tlen)`
`1113`	`1113`	`{`
`1114`	`1114`	`if (port->peer)`
`1115`	`1115`	`strlcpy(ptr,X509_NAME_to_cstring(X509_get_subject_name(port->peer)),len);`
`1116`	`1116`	`else`
`1117`	`1117`	`ptr[0]='\0';`
`1118`	`1118`	`}`
`1119`	`1119`
	`1120`	`+void`
	`1121`	`+be_tls_get_peer_issuer_name(Portport,charptr,size_tlen)`
	`1122`	`+{`
	`1123`	`+if (port->peer)`
	`1124`	`+strlcpy(ptr,X509_NAME_to_cstring(X509_get_issuer_name(port->peer)),len);`
	`1125`	`+else`
	`1126`	`+ptr[0]='\0';`
	`1127`	`+}`
	`1128`	`+`
	`1129`	`+void`
	`1130`	`+be_tls_get_peer_serial(Portport,charptr,size_tlen)`
	`1131`	`+{`
	`1132`	`+if (port->peer)`
	`1133`	`+{`
	`1134`	`+ASN1_INTEGER*serial;`
	`1135`	`+BIGNUM*b;`
	`1136`	`+char*decimal;`
	`1137`	`+`
	`1138`	`+serial=X509_get_serialNumber(port->peer);`
	`1139`	`+b=ASN1_INTEGER_to_BN(serial,NULL);`
	`1140`	`+decimal=BN_bn2dec(b);`
	`1141`	`+BN_free(b);`
	`1142`	`+strlcpy(ptr,decimal,len);`
	`1143`	`+OPENSSL_free(decimal);`
	`1144`	`+}`
	`1145`	`+else`
	`1146`	`+ptr[0]='\0';`
	`1147`	`+}`
	`1148`	`+`
`1120`	`1149`	`#ifdefHAVE_X509_GET_SIGNATURE_NID`
`1121`	`1150`	`char*`
`1122`	`1151`	`be_tls_get_certificate_hash(Portport,size_tlen)`

`‎src/backend/postmaster/pgstat.c‎`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -2906,7 +2906,9 @@ pgstat_bestart(void)`
`2906`	`2906`	`beentry->st_sslstatus->ssl_compression=be_tls_get_compression(MyProcPort);`
`2907`	`2907`	`strlcpy(beentry->st_sslstatus->ssl_version,be_tls_get_version(MyProcPort),NAMEDATALEN);`
`2908`	`2908`	`strlcpy(beentry->st_sslstatus->ssl_cipher,be_tls_get_cipher(MyProcPort),NAMEDATALEN);`
`2909`		`-be_tls_get_peerdn_name(MyProcPort,beentry->st_sslstatus->ssl_clientdn,NAMEDATALEN);`
	`2909`	`+be_tls_get_peer_subject_name(MyProcPort,beentry->st_sslstatus->ssl_client_dn,NAMEDATALEN);`
	`2910`	`+be_tls_get_peer_serial(MyProcPort,beentry->st_sslstatus->ssl_client_serial,NAMEDATALEN);`
	`2911`	`+be_tls_get_peer_issuer_name(MyProcPort,beentry->st_sslstatus->ssl_issuer_dn,NAMEDATALEN);`
`2910`	`2912`	`}`
`2911`	`2913`	`else`
`2912`	`2914`	`{`

`‎src/backend/utils/adt/pgstatfuncs.c‎`

Lines changed: 18 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -541,7 +541,7 @@ pg_stat_get_progress_info(PG_FUNCTION_ARGS)`
`541`	`541`	`Datum`
`542`	`542`	`pg_stat_get_activity(PG_FUNCTION_ARGS)`
`543`	`543`	`{`
`544`		`-#definePG_STAT_GET_ACTIVITY_COLS24`
	`544`	`+#definePG_STAT_GET_ACTIVITY_COLS26`
`545`	`545`	`intnum_backends=pgstat_fetch_stat_numbackends();`
`546`	`546`	`intcurr_backend;`
`547`	`547`	`intpid=PG_ARGISNULL(0) ?-1 :PG_GETARG_INT32(0);`
`@@ -652,15 +652,29 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)`
`652`	`652`	`values[20]=CStringGetTextDatum(beentry->st_sslstatus->ssl_cipher);`
`653`	`653`	`values[21]=Int32GetDatum(beentry->st_sslstatus->ssl_bits);`
`654`	`654`	`values[22]=BoolGetDatum(beentry->st_sslstatus->ssl_compression);`
`655`		`-if (beentry->st_sslstatus->ssl_clientdn[0])`
`656`		`-values[23]=CStringGetTextDatum(beentry->st_sslstatus->ssl_clientdn);`
	`655`	`+`
	`656`	`+if (beentry->st_sslstatus->ssl_client_dn[0])`
	`657`	`+values[23]=CStringGetTextDatum(beentry->st_sslstatus->ssl_client_dn);`
`657`	`658`	`else`
`658`	`659`	`nulls[23]= true;`
	`660`	`+`
	`661`	`+if (beentry->st_sslstatus->ssl_client_serial[0])`
	`662`	`+values[24]=DirectFunctionCall3(numeric_in,`
	`663`	`+CStringGetDatum(beentry->st_sslstatus->ssl_client_serial),`
	`664`	`+ObjectIdGetDatum(InvalidOid),`
	`665`	`+Int32GetDatum(-1));`
	`666`	`+else`
	`667`	`+nulls[24]= true;`
	`668`	`+`
	`669`	`+if (beentry->st_sslstatus->ssl_issuer_dn[0])`
	`670`	`+values[25]=CStringGetTextDatum(beentry->st_sslstatus->ssl_issuer_dn);`
	`671`	`+else`
	`672`	`+nulls[25]= true;`
`659`	`673`	`}`
`660`	`674`	`else`
`661`	`675`	`{`
`662`	`676`	`values[18]=BoolGetDatum(false);/* ssl */`
`663`		`-nulls[19]=nulls[20]=nulls[21]=nulls[22]=nulls[23]= true;`
	`677`	`+nulls[19]=nulls[20]=nulls[21]=nulls[22]=nulls[23]=nulls[24]=nulls[25]=true;`
`664`	`678`	`}`
`665`	`679`
`666`	`680`	`/* Values only available to role member or pg_read_all_stats */`

`‎src/include/catalog/catversion.h‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,6 @@`
`53`	`53`	`*/`
`54`	`54`
`55`	`55`	`/yyyymmddN /`
`56`		`-#defineCATALOG_VERSION_NO201901041`
	`56`	`+#defineCATALOG_VERSION_NO201902011`
`57`	`57`
`58`	`58`	`#endif`

`‎src/include/catalog/pg_proc.dat‎`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -5058,9 +5058,9 @@`
`5058`	`5058`	`proname => 'pg_stat_get_activity', prorows => '100', proisstrict => 'f',`
`5059`	`5059`	`proretset => 't', provolatile => 's', proparallel => 'r',`
`5060`	`5060`	`prorettype => 'record', proargtypes => 'int4',`
`5061`		`- proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,bool,text}',`
`5062`		`- proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}',`
`5063`		`- proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,sslcompression,sslclientdn}',`
	`5061`	`+ proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,bool,text,numeric,text}',`
	`5062`	`+ proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}',`
	`5063`	`+ proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,sslcompression,ssl_client_dn,ssl_client_serial,ssl_issuer_dn}',`
`5064`	`5064`	`prosrc => 'pg_stat_get_activity' },`
`5065`	`5065`	`{ oid => '3318',`
`5066`	`5066`	`descr => 'statistics: information about progress of backends running maintenance command',`

`‎src/include/libpq/libpq-be.h‎`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -258,7 +258,9 @@ extern intbe_tls_get_cipher_bits(Port *port);`
`258`	`258`	`externboolbe_tls_get_compression(Port*port);`
`259`	`259`	`externconstcharbe_tls_get_version(Portport);`
`260`	`260`	`externconstcharbe_tls_get_cipher(Portport);`
`261`		`-externvoidbe_tls_get_peerdn_name(Portport,charptr,size_tlen);`
	`261`	`+externvoidbe_tls_get_peer_subject_name(Portport,charptr,size_tlen);`
	`262`	`+externvoidbe_tls_get_peer_issuer_name(Portport,charptr,size_tlen);`
	`263`	`+externvoidbe_tls_get_peer_serial(Portport,charptr,size_tlen);`
`262`	`264`
`263`	`265`	`/*`
`264`	`266`	`* Get the server certificate hash for SCRAM channel binding type`

`‎src/include/pgstat.h‎`

Lines changed: 13 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -950,15 +950,25 @@ typedef enum ProgressCommandType`
`950`	`950`	`*`
`951`	`951`	`* For each backend, we keep the SSL status in a separate struct, that`
`952`	`952`	`* is only filled in if SSL is enabled.`
	`953`	`+ *`
	`954`	`+ * All char arrays must be null-terminated.`
`953`	`955`	`*/`
`954`	`956`	`typedefstructPgBackendSSLStatus`
`955`	`957`	`{`
`956`	`958`	`/* Information about SSL connection */`
`957`	`959`	`intssl_bits;`
`958`	`960`	`boolssl_compression;`
`959`		`-charssl_version[NAMEDATALEN];/* MUST be null-terminated */`
`960`		`-charssl_cipher[NAMEDATALEN];/* MUST be null-terminated */`
`961`		`-charssl_clientdn[NAMEDATALEN];/* MUST be null-terminated */`
	`961`	`+charssl_version[NAMEDATALEN];`
	`962`	`+charssl_cipher[NAMEDATALEN];`
	`963`	`+charssl_client_dn[NAMEDATALEN];`
	`964`	`+`
	`965`	`+/*`
	`966`	`+ * serial number is max "20 octets" per RFC 5280, so this size should be`
	`967`	`+ * fine`
	`968`	`+ */`
	`969`	`+charssl_client_serial[NAMEDATALEN];`
	`970`	`+`
	`971`	`+charssl_issuer_dn[NAMEDATALEN];`
`962`	`972`	`}PgBackendSSLStatus;`
`963`	`973`
`964`	`974`

`‎src/test/regress/expected/rules.out‎`

Lines changed: 6 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1731,7 +1731,7 @@ pg_stat_activity\| SELECT s.datid,`
`1731`	`1731`	`s.backend_xmin,`
`1732`	`1732`	`s.query,`
`1733`	`1733`	`s.backend_type`
`1734`		`- FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, sslcompression,sslclientdn)`
	`1734`	`+ FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, sslcompression,ssl_client_dn, ssl_client_serial, ssl_issuer_dn)`
`1735`	`1735`	`LEFT JOIN pg_database d ON ((s.datid = d.oid)))`
`1736`	`1736`	`LEFT JOIN pg_authid u ON ((s.usesysid = u.oid)));`
`1737`	`1737`	`pg_stat_all_indexes\| SELECT c.oid AS relid,`
`@@ -1863,7 +1863,7 @@ pg_stat_replication\| SELECT s.pid,`
`1863`	`1863`	`w.sync_priority,`
`1864`	`1864`	`w.sync_state,`
`1865`	`1865`	`w.reply_time`
`1866`		`- FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, sslcompression,sslclientdn)`
	`1866`	`+ FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, sslcompression,ssl_client_dn, ssl_client_serial, ssl_issuer_dn)`
`1867`	`1867`	`JOIN pg_stat_get_wal_senders() w(pid, state, sent_lsn, write_lsn, flush_lsn, replay_lsn, write_lag, flush_lag, replay_lag, sync_priority, sync_state, reply_time) ON ((s.pid = w.pid)))`
`1868`	`1868`	`LEFT JOIN pg_authid u ON ((s.usesysid = u.oid)));`
`1869`	`1869`	`pg_stat_ssl\| SELECT s.pid,`
`@@ -1872,8 +1872,10 @@ pg_stat_ssl\| SELECT s.pid,`
`1872`	`1872`	`s.sslcipher AS cipher,`
`1873`	`1873`	`s.sslbits AS bits,`
`1874`	`1874`	`s.sslcompression AS compression,`
`1875`		`- s.sslclientdn AS clientdn`
`1876`		`- FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, sslcompression, sslclientdn);`
	`1875`	`+ s.ssl_client_dn AS client_dn,`
	`1876`	`+ s.ssl_client_serial AS client_serial,`
	`1877`	`+ s.ssl_issuer_dn AS issuer_dn`
	`1878`	`+ FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, sslcompression, ssl_client_dn, ssl_client_serial, ssl_issuer_dn);`
`1877`	`1879`	`pg_stat_subscription\| SELECT su.oid AS subid,`
`1878`	`1880`	`su.subname,`
`1879`	`1881`	`st.pid,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf60a0e9

File tree

11 files changed

11 files changed

`‎doc/src/sgml/monitoring.sgml‎`

`‎src/backend/catalog/system_views.sql‎`

`‎src/backend/libpq/be-secure-openssl.c‎`

`‎src/backend/postmaster/pgstat.c‎`

`‎src/backend/utils/adt/pgstatfuncs.c‎`

`‎src/include/catalog/catversion.h‎`

`‎src/include/catalog/pg_proc.dat‎`

`‎src/include/libpq/libpq-be.h‎`

`‎src/include/pgstat.h‎`

`‎src/test/regress/expected/rules.out‎`

0 commit comments