Skip to content

Commit

Permalink
Support pg_hba.conf-style syntax
Browse files Browse the repository at this point in the history
Also add peer auth.

Main reason to have it is that unix and tcp connections may
want different auth and configuring it in plain .ini is pain.

As a bonus it provides ip-based filtering too.

No username mapping yet though.
  • Loading branch information
markokr committed Aug 3, 2015
1 parent 7d89b19 commit 4d85caf
Showing 12 changed files with 1,100 additions and 15 deletions.
1 change: 1 addition & 0 deletions Makefile
Original file line number Diff line number Diff line change
@@ -7,6 +7,7 @@ pgbouncer_SOURCES = \
src/admin.c \
src/client.c \
src/dnslookup.c \
src/hba.c \
src/janitor.c \
src/loader.c \
src/main.c \
6 changes: 6 additions & 0 deletions include/bouncer.h
Original file line number Diff line number Diff line change
@@ -108,6 +108,7 @@ extern int cf_sbuf_len;
#include "stats.h"
#include "takeover.h"
#include "janitor.h"
#include "hba.h"

/* to avoid allocations will use static buffers */
#define MAX_DBNAME 64
@@ -122,6 +123,9 @@ extern int cf_sbuf_len;
#define AUTH_MD5 5
#define AUTH_CREDS 6
#define AUTH_CERT 7
#define AUTH_PEER 8
#define AUTH_HBA 9
#define AUTH_REJECT 10

/* type codes for weird pkts */
#define PKT_STARTUP_V2 0x20000
@@ -415,6 +419,7 @@ extern usec_t cf_dns_zone_check_period;
extern int cf_auth_type;
extern char *cf_auth_file;
extern char *cf_auth_query;
extern char *cf_auth_hba_file;

extern char *cf_pidfile;

@@ -464,6 +469,7 @@ extern const struct CfLookup pool_mode_map[];
extern usec_t g_suspend_start;

extern struct DNSContext *adns;
extern struct HBA *parsed_hba;

static inline PgSocket * _MUSTCHECK
pop_socket(struct StatList *slist)
24 changes: 24 additions & 0 deletions include/hba.h
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
/*
* Host-Based-Access-control file support.
*
* Copyright (c) 2015 Marko Kreen
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/

struct HBA;

struct HBA *hba_load_rules(const char *fn);
void hba_free(struct HBA *hba);
int hba_eval(struct HBA *hba, PgAddr *addr, bool is_tls, const char *dbname, const char *username);

2 changes: 2 additions & 0 deletions include/system.h
Original file line number Diff line number Diff line change
@@ -67,6 +67,8 @@ static inline char *crypt(const char *p, const char *s) { return NULL; }
static inline int lstat(const char *path, struct stat *st) { return stat(path, st); }
#endif

bool check_unix_peer_name(int fd, const char *username);

void change_user(const char *user);

void change_file_mode(const char *fn, mode_t mode, const char *user, const char *group);
24 changes: 23 additions & 1 deletion src/client.c
Original file line number Diff line number Diff line change
@@ -171,10 +171,23 @@ static bool login_via_cert(PgSocket *client)
return false;
}

static bool login_as_unix_peer(PgSocket *client)
{
if (!pga_is_unix(&client->remote_addr))
goto fail;
if (!check_unix_peer_name(sbuf_socket(&client->sbuf), client->auth_user->name))
goto fail;
return finish_client_login(client);
fail:
disconnect_client(client, true, "unix socket login rejected");
return false;
}

static bool finish_set_pool(PgSocket *client, bool takeover)
{
PgUser *user = client->auth_user;
bool ok = false;
int auth;

/* pool user may be forced */
if (client->db->forced_user) {
@@ -212,7 +225,13 @@ static bool finish_set_pool(PgSocket *client, bool takeover)
if (client->own_user)
return finish_client_login(client);

switch (cf_auth_type) {
auth = cf_auth_type;
if (auth == AUTH_HBA) {
auth = hba_eval(parsed_hba, &client->remote_addr, !!client->sbuf.tls,
client->db->name, client->auth_user->name);
}

switch (auth) {
case AUTH_ANY:
case AUTH_TRUST:
ok = finish_client_login(client);
@@ -225,6 +244,9 @@ static bool finish_set_pool(PgSocket *client, bool takeover)
case AUTH_CERT:
ok = login_via_cert(client);
break;
case AUTH_PEER:
ok = login_as_unix_peer(client);
break;
default:
disconnect_client(client, true, "login rejected");
ok = false;
Loading

0 comments on commit 4d85caf

Please sign in to comment.