static bool finish_set_pool(PgSocket *client, bool takeover)
{
PgUser *user = client->auth_user;
/* pool user may be forced */
if (client->db->forced_user) {
user = client->db->forced_user;
}
client->pool = get_pool(client->db, user);
if (!client->pool) {
disconnect_client(client, true, "no memory for pool");
return false;
}
if (cf_log_connections)
slog_info(client, "login attempt: db=%s user=%s", client->db->name, client->auth_user->name);
if (!check_fast_fail(client))
return false;
if (takeover)
return true;
if (client->pool->db->admin) {
if (!admin_post_login(client))
return false;
}
if (cf_auth_type <= AUTH_TRUST || client->own_user) {
if (!finish_client_login(client))
return false;
} else {
if (!send_client_authreq(client)) {
disconnect_client(client, false, "failed to send auth req");
return false;
}
}
return true;
}
/* decide on packets of client in login phase */
static bool handle_client_startup(PgSocket *client, PktHdr *pkt)
{
const char *passwd;
const uint8_t *key;
bool ok;
SBuf *sbuf = &client->sbuf;
/* don't tolerate partial packets */
if (incomplete_pkt(pkt)) {
disconnect_client(client, true, "client sent partial pkt in startup phase");
return false;
}
if (client->wait_for_welcome) {
if (finish_client_login(client)) {
/* the packet was already parsed */
sbuf_prepare_skip(sbuf, pkt->len);
return true;
} else
return false;
}
switch (pkt->type) {
case PKT_SSLREQ:
slog_noise(client, "C: req SSL");
slog_noise(client, "P: nak");
/* reject SSL attempt */
if (!sbuf_answer(&client->sbuf, "N", 1)) {
disconnect_client(client, false, "failed to nak SSL");
return false;
}
break;
case PKT_STARTUP_V2:
disconnect_client(client, true, "Old V2 protocol not supported");
return false;
case PKT_STARTUP:
if (client->pool) {
disconnect_client(client, true, "client re-sent startup pkt");
return false;
}
if (!decide_startup_pool(client, pkt))
return false;
if (client->pool->db->admin) {
if (!admin_pre_login(client))
return false;
}
if (cf_auth_type <= AUTH_TRUST || client->own_user) {
if (!finish_client_login(client))
return false;
} else {
if (!send_client_authreq(client)) {
disconnect_client(client, false, "failed to send auth req");
return false;
}
}
break;
case 'p': /* PasswordMessage */
/* haven't requested it */
if (cf_auth_type <= AUTH_TRUST) {
disconnect_client(client, true, "unrequested passwd pkt");
return false;
}
ok = mbuf_get_string(&pkt->data, &passwd);
if (ok && check_client_passwd(client, passwd)) {
if (!finish_client_login(client))
return false;
} else {
disconnect_client(client, true, "Auth failed");
return false;
}
break;
case PKT_CANCEL:
if (mbuf_avail_for_read(&pkt->data) == BACKENDKEY_LEN
&& mbuf_get_bytes(&pkt->data, BACKENDKEY_LEN, &key))
{
memcpy(client->cancel_key, key, BACKENDKEY_LEN);
accept_cancel_request(client);
} else
disconnect_client(client, false, "bad cancel request");
return false;
default:
disconnect_client(client, false, "bad packet");
return false;
}
sbuf_prepare_skip(sbuf, pkt->len);
client->request_time = get_cached_time();
return true;
}
static bool finish_set_pool(PgSocket *client, bool takeover)
{
PgUser *user = client->auth_user;
bool ok = false;
int auth;
/* pool user may be forced */
if (client->db->forced_user) {
user = client->db->forced_user;
}
client->pool = get_pool(client->db, user);
if (!client->pool) {
disconnect_client(client, true, "no memory for pool");
return false;
}
if (cf_log_connections) {
if (client->sbuf.tls) {
char infobuf[96] = "";
tls_get_connection_info(client->sbuf.tls, infobuf, sizeof infobuf);
slog_info(client, "login attempt: db=%s user=%s tls=%s",
client->db->name, client->auth_user->name, infobuf);
} else {
slog_info(client, "login attempt: db=%s user=%s tls=no",
client->db->name, client->auth_user->name);
}
}
if (!check_fast_fail(client))
return false;
if (takeover)
return true;
if (client->pool->db->admin) {
if (!admin_post_login(client))
return false;
}
if (client->own_user)
return finish_client_login(client);
auth = cf_auth_type;
if (auth == AUTH_HBA) {
auth = hba_eval(parsed_hba, &client->remote_addr, !!client->sbuf.tls,
client->db->name, client->auth_user->name);
}
/* remember method */
client->client_auth_type = auth;
switch (auth) {
case AUTH_ANY:
case AUTH_TRUST:
ok = finish_client_login(client);
break;
case AUTH_PLAIN:
case AUTH_MD5:
case AUTH_PAM:
ok = send_client_authreq(client);
break;
case AUTH_CERT:
ok = login_via_cert(client);
break;
case AUTH_PEER:
ok = login_as_unix_peer(client);
break;
default:
disconnect_client(client, true, "login rejected");
ok = false;
}
return ok;
}
