From cfac702223a904fb7db55db2084ac68611fd95dc Mon Sep 17 00:00:00 2001
From: Simon Riggs <simon@2ndQuadrant.com>
Date: Mon, 19 Apr 2010 19:02:18 +0000
Subject: [PATCH] Add new message for explicit rejection by pg_hba.conf. Implicit rejection retains same message as before.
---
 src/backend/libpq/auth.c | 43 ++++++++++++++++++++++++++++++++++------
 src/backend/libpq/hba.c | 6 +++---
 src/include/libpq/hba.h | 3 ++-
 3 files changed, 42 insertions(+), 10 deletions(-)

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 89e86ea2f1e..ac26317d264 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.198 2010/03/30 16:08:22 petere Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.199 2010/04/19 19:02:18 sriggs Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -363,11 +363,42 @@ ClientAuthentication(Port *port)
 case uaReject:
 
 /*
- * This could have come from an explicit "reject" entry in
- * pg_hba.conf, but more likely it means there was no matching
- * entry. Take pity on the poor user and issue a helpful error
- * message. NOTE: this is not a security breach, because all the
- * info reported here is known at the frontend and must be assumed
+ * An explicit "reject" entry in pg_hba.conf. Take pity on the poor
+ * user and issue a helpful error message.
+ * NOTE: this is not a security breach, because all the info
+ * reported here is known at the frontend and must be assumed
+ * known to bad guys. We're merely helping out the less clueful
+ * good guys.
+ */
+ {
+ char hostinfo[NI_MAXHOST];
+
+ pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+ hostinfo, sizeof(hostinfo),
+ NULL, 0,
+ NI_NUMERICHOST);
+
+#ifdef USE_SSL
+ ereport(FATAL,
+ (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+ errmsg("pg_hba.conf rejects host \"%s\", user \"%s\", database \"%s\", %s",
+ hostinfo, port->user_name, port->database_name,
+ port->ssl ? _("SSL on") : _("SSL off"))));
+#else
+ ereport(FATAL,
+ (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+ errmsg("pg_hba.conf rejects host \"%s\", user \"%s\", database \"%s\"",
+ hostinfo, port->user_name, port->database_name)));
+#endif
+ break;
+ }
+
+ case uaImplicitReject:
+
+ /*
+ * No matching entry so tell the user we fell through.
+ * NOTE: this is not a security breach, because all the info
+ * reported here is known at the frontend and must be assumed
 * known to bad guys. We're merely helping out the less clueful
 * good guys.
 */
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 90ef86d1dbf..11443f76e2d 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
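Review bot: The return value of pg_getnameinfo_all is ignored in the new uaReject arm, so if address-to-name conversion fails hostinfo may never be written and whatever the stack buffer holds is interpolated into the FATAL message delivered to the not-yet-authenticated client; initialize it so a failure degrades to an empty host string, `char hostinfo[NI_MAXHOST] = "";`, or check the return and substitute a fixed placeholder. The block also repeats the ereport pair (including the `#ifdef USE_SSL` variant) that the uaImplicitReject arm presumably carries over from the removed code, so a small static helper taking the message format and the Port would keep the two arms from drifting apart. The switch and ClientAuthentication continue outside the hunk.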
@@ -10,7 +10,7 @@
 *
 *
 * IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.204 2010/03/24 17:05:45 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.205 2010/04/19 19:02:18 sriggs Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -1389,9 +1389,9 @@ check_hba(hbaPort *port)
 return true;
 }
 
- /* If no matching entry was found, synthesize 'reject' entry. */
+ /* If no matching entry was found, then implicitly reject. */
 hba = palloc0(sizeof(HbaLine));
- hba->auth_method = uaReject;
+ hba->auth_method = uaImplicitReject;
 port->hba = hba;
 return true;
 
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 54261bba61d..5f1365e3ba6 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -4,7 +4,7 @@
 * Interface to hba.c
 *
 *
- * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.61 2010/01/27 12:12:00 mha Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.62 2010/04/19 19:02:18 sriggs Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -18,6 +18,7 @@
 typedef enum UserAuth
 {
 uaReject,
+ uaImplicitReject,
 uaKrb5,
 uaTrust,
 uaIdent,
-- 
GitLab
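Review bot: uaImplicitReject is inserted into UserAuth with no comment, and the only consumer this patch teaches about it is the new switch arm in auth.c; any other switch over auth_method (an error-message or logging table, for instance) that has a `case uaReject:` should presumably get `case uaImplicitReject:` beside it, otherwise the synthesized entry from check_hba falls into that switch's default. A one-line comment on the member, `uaImplicitReject, /* no pg_hba.conf line matched; synthesized by check_hba(), never produced by parsing */`, would make that distinction visible in the header. Inserting the value in the middle of the enum also shifts the numeric values of every later member, which only matters if any of them is persisted or exposed — worth confirming.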