Add new message for explicit rejection by pg_hba.conf. Implicit

rejection retains same message as before.

Add new message for explicit rejection by pg_hba.conf. Implicit
rejection retains same message as before.
cfac7022 · Simon Riggs · 7bc76d51 · cfac7022 · cfac7022 · cfac7022
Commit cfac7022 authored Apr 19, 2010 by Simon Riggs
Hide whitespace changes
Inline Side-by-side

Showing with 42 additions and 10 deletions

src/backend/libpq/auth.c src/backend/libpq/auth.c +37 -6

src/backend/libpq/hba.c src/backend/libpq/hba.c +3 -3

src/include/libpq/hba.h src/include/libpq/hba.h +2 -1

No files found.
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.198 2010/03/30 16:08:22 petere Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.199 2010/04/19 19:02:18 sriggs Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -363,11 +363,42 @@ ClientAuthentication(Port *port)
 		case uaReject:

 			/*
-			 * This could have come from an explicit "reject" entry in
-			 * pg_hba.conf, but more likely it means there was no matching
-			 * entry.  Take pity on the poor user and issue a helpful error
-			 * message.  NOTE: this is not a security breach, because all the
-			 * info reported here is known at the frontend and must be assumed
+			 * An explicit "reject" entry in pg_hba.conf. Take pity on the poor
+			 * user and issue a helpful error message.
+			 * NOTE: this is not a security breach, because all the info
+			 * reported here is known at the frontend and must be assumed
+			 * known to bad guys. We're merely helping out the less clueful
+			 * good guys.
+			 */
+			{
+				char		hostinfo[NI_MAXHOST];
+
+				pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+								   hostinfo, sizeof(hostinfo),
+								   NULL, 0,
+								   NI_NUMERICHOST);
+
+#ifdef USE_SSL
+				ereport(FATAL,
+						(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+						 errmsg("pg_hba.conf rejects host \"%s\", user \"%s\", database \"%s\", %s",
+							  hostinfo, port->user_name, port->database_name,
+								port->ssl ? _("SSL on") : _("SSL off"))));
+#else
+				ereport(FATAL,
+						(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+						 errmsg("pg_hba.conf rejects host \"%s\", user \"%s\", database \"%s\"",
+						   hostinfo, port->user_name, port->database_name)));
+#endif
+				break;
+			}
+
+		case uaImplicitReject:
+
+			/*
+			 * No matching entry so tell the user we fell through.
+			 * NOTE: this is not a security breach, because all the info
+			 * reported here is known at the frontend and must be assumed
 			 * known to bad guys. We're merely helping out the less clueful
 			 * good guys.
 			 */

--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -10,7 +10,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.204 2010/03/24 17:05:45 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.205 2010/04/19 19:02:18 sriggs Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -1389,9 +1389,9 @@ check_hba(hbaPort *port)
 		return true;
 	}

-	/* If no matching entry was found, synthesize 'reject' entry. */
+	/* If no matching entry was found, then implicitly reject. */
 	hba = palloc0(sizeof(HbaLine));
-	hba->auth_method = uaReject;
+	hba->auth_method = uaImplicitReject;
 	port->hba = hba;
 	return true;


--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -4,7 +4,7 @@
 *	  Interface to hba.c
 *
 *
- * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.61 2010/01/27 12:12:00 mha Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.62 2010/04/19 19:02:18 sriggs Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -18,6 +18,7 @@
 typedef enum UserAuth
 {
 	uaReject,
+	uaImplicitReject,
 	uaKrb5,
 	uaTrust,
 	uaIdent,