Commit 7c544ecd authored by Peter Eisentraut's avatar Peter Eisentraut

Fix RADIUS error reporting in hba file parsing

The RADIUS-related checks in parse_hba_line() did not respect elevel
and did not fill in *err_msg.  Also, verify_option_list_length()
pasted together error messages in an untranslatable way.  To fix the
latter, remove the function and do the error checking inline.  It's a
bit more verbose but only minimally longer, and it makes fixing the
first two issues straightforward.
Reviewed-by: default avatarMagnus Hagander <magnus@hagander.net>
Discussion: https://www.postgresql.org/message-id/flat/8381e425-8c23-99b3-15ec-3115001db1b2%40enterprisedb.com
parent 6ee41a30
...@@ -144,8 +144,6 @@ static List *tokenize_inc_file(List *tokens, const char *outer_filename, ...@@ -144,8 +144,6 @@ static List *tokenize_inc_file(List *tokens, const char *outer_filename,
const char *inc_filename, int elevel, char **err_msg); const char *inc_filename, int elevel, char **err_msg);
static bool parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, static bool parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
int elevel, char **err_msg); int elevel, char **err_msg);
static bool verify_option_list_length(List *options, const char *optionname,
List *comparelist, const char *comparename, int line_num);
static ArrayType *gethba_options(HbaLine *hba); static ArrayType *gethba_options(HbaLine *hba);
static void fill_hba_line(Tuplestorestate *tuple_store, TupleDesc tupdesc, static void fill_hba_line(Tuplestorestate *tuple_store, TupleDesc tupdesc,
int lineno, HbaLine *hba, const char *err_msg); int lineno, HbaLine *hba, const char *err_msg);
...@@ -1607,21 +1605,23 @@ parse_hba_line(TokenizedLine *tok_line, int elevel) ...@@ -1607,21 +1605,23 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
if (list_length(parsedline->radiusservers) < 1) if (list_length(parsedline->radiusservers) < 1)
{ {
ereport(LOG, ereport(elevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR), (errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("list of RADIUS servers cannot be empty"), errmsg("list of RADIUS servers cannot be empty"),
errcontext("line %d of configuration file \"%s\"", errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName))); line_num, HbaFileName)));
*err_msg = "list of RADIUS servers cannot be empty";
return NULL; return NULL;
} }
if (list_length(parsedline->radiussecrets) < 1) if (list_length(parsedline->radiussecrets) < 1)
{ {
ereport(LOG, ereport(elevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR), (errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("list of RADIUS secrets cannot be empty"), errmsg("list of RADIUS secrets cannot be empty"),
errcontext("line %d of configuration file \"%s\"", errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName))); line_num, HbaFileName)));
*err_msg = "list of RADIUS secrets cannot be empty";
return NULL; return NULL;
} }
...@@ -1630,25 +1630,54 @@ parse_hba_line(TokenizedLine *tok_line, int elevel) ...@@ -1630,25 +1630,54 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
* but that's already checked above), 1 (use the same value * but that's already checked above), 1 (use the same value
* everywhere) or the same as the number of servers. * everywhere) or the same as the number of servers.
*/ */
if (!verify_option_list_length(parsedline->radiussecrets, if (!(list_length(parsedline->radiussecrets) == 1 ||
"RADIUS secrets", list_length(parsedline->radiussecrets) == list_length(parsedline->radiusservers)))
parsedline->radiusservers, {
"RADIUS servers", ereport(elevel,
line_num)) (errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("the number of RADIUS secrets (%d) must be 1 or the same as the number of RADIUS servers (%d)",
list_length(parsedline->radiussecrets),
list_length(parsedline->radiusservers)),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
*err_msg = psprintf("the number of RADIUS secrets (%d) must be 1 or the same as the number of RADIUS servers (%d)",
list_length(parsedline->radiussecrets),
list_length(parsedline->radiusservers));
return NULL; return NULL;
if (!verify_option_list_length(parsedline->radiusports, }
"RADIUS ports", if (!(list_length(parsedline->radiusports) == 0 ||
parsedline->radiusservers, list_length(parsedline->radiusports) == 1 ||
"RADIUS servers", list_length(parsedline->radiusports) == list_length(parsedline->radiusservers)))
line_num)) {
ereport(elevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("the number of RADIUS ports (%d) must be 1 or the same as the number of RADIUS servers (%d)",
list_length(parsedline->radiusports),
list_length(parsedline->radiusservers)),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
*err_msg = psprintf("the number of RADIUS ports (%d) must be 1 or the same as the number of RADIUS servers (%d)",
list_length(parsedline->radiusports),
list_length(parsedline->radiusservers));
return NULL; return NULL;
if (!verify_option_list_length(parsedline->radiusidentifiers, }
"RADIUS identifiers", if (!(list_length(parsedline->radiusidentifiers) == 0 ||
parsedline->radiusservers, list_length(parsedline->radiusidentifiers) == 1 ||
"RADIUS servers", list_length(parsedline->radiusidentifiers) == list_length(parsedline->radiusservers)))
line_num)) {
ereport(elevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("the number of RADIUS identifiers (%d) must be 1 or the same as the number of RADIUS servers (%d)",
list_length(parsedline->radiusidentifiers),
list_length(parsedline->radiusservers)),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
*err_msg = psprintf("the number of RADIUS identifiers (%d) must be 1 or the same as the number of RADIUS servers (%d)",
list_length(parsedline->radiusidentifiers),
list_length(parsedline->radiusservers));
return NULL; return NULL;
} }
}
/* /*
* Enforce any parameters implied by other settings. * Enforce any parameters implied by other settings.
...@@ -1662,29 +1691,6 @@ parse_hba_line(TokenizedLine *tok_line, int elevel) ...@@ -1662,29 +1691,6 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
} }
static bool
verify_option_list_length(List *options, const char *optionname,
List *comparelist, const char *comparename,
int line_num)
{
if (list_length(options) == 0 ||
list_length(options) == 1 ||
list_length(options) == list_length(comparelist))
return true;
ereport(LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("the number of %s (%d) must be 1 or the same as the number of %s (%d)",
optionname,
list_length(options),
comparename,
list_length(comparelist)
),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
return false;
}
/* /*
* Parse one name-value pair as an authentication option into the given * Parse one name-value pair as an authentication option into the given
* HbaLine. Return true if we successfully parse the option, false if we * HbaLine. Return true if we successfully parse the option, false if we
......
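Review bot: In the three list-length checks added to parse_hba_line() (secrets, ports, identifiers), each message is written out twice, once in errmsg() and once in psprintf() for *err_msg, so a later wording change can update one copy and leave the log and *err_msg disagreeing. A short comment above the first check would help, for example `/* Keep errmsg() and *err_msg texts identical; report counts only, never the secret values. */`. The second half matters because *err_msg is presumably what fill_hba_line() later receives, which would expose it to anyone who can read the parsed rules from SQL; that path is outside this diff, so confirm it. The ports and identifiers checks also accept an empty list, while the message says only "must be 1 or the same as the number of RADIUS servers", wording carried over from the removed helper. parse_hba_line() starts and ends outside the visible hunks.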