Michael Paquier 3a465cc678 libpq: Add support for require_auth to control authorized auth methods ... The new connection parameter require_auth allows a libpq client to define a list of comma-separated acceptable authentication types for use with the server. There is no negotiation: if the server does not present one of the allowed authentication requests, the connection attempt done by the client fails. The following keywords can be defined in the list: - password, for AUTH_REQ_PASSWORD. - md5, for AUTH_REQ_MD5. - gss, for AUTH_REQ_GSS[_CONT]. - sspi, for AUTH_REQ_SSPI and AUTH_REQ_GSS_CONT. - scram-sha-256, for AUTH_REQ_SASL[_CONT|_FIN]. - creds, for AUTH_REQ_SCM_CREDS (perhaps this should be removed entirely now). - none, to control unauthenticated connections. All the methods that can be defined in the list can be negated, like "!password", in which case the server must NOT use the listed authentication type. The special method "none" allows/disallows the use of unauthenticated connections (but it does not govern transport-level authentication via TLS or GSSAPI). Internally, the patch logic is tied to check_expected_areq(), that was used for channel_binding, ensuring that an incoming request is compatible with conn->require_auth. It also introduces a new flag, conn->client_finished_auth, which is set by various authentication routines when the client side of the handshake is finished. This signals to check_expected_areq() that an AUTH_REQ_OK from the server is expected, and allows the client to complain if the server bypasses authentication entirely, with for example the reception of a too-early AUTH_REQ_OK message. Regression tests are added in authentication TAP tests for all the keywords supported (except "creds", because it is around only for compatibility reasons). A new TAP script has been added for SSPI, as there was no script dedicated to it yet. It relies on SSPI being the default authentication method on Windows, as set by pg_regress. Author: Jacob Champion Reviewed-by: Peter Eisentraut, David G. Johnston, Michael Paquier Discussion: https://postgr.es/m/9e5a8ccddb8355ea9fa4b75a1e3a9edc88a70cd3.camel@vmware.com		2023-03-14 14:00:05 +09:00
..
backend	Fix JSON error reporting for many cases of erroneous string values.	2023-03-13 15:19:00 -04:00
bin	Add a DEFAULT option to COPY FROM	2023-03-13 10:01:56 -04:00
common	Fix JSON error reporting for many cases of erroneous string values.	2023-03-13 15:19:00 -04:00
fe_utils	Revert refactoring of restore command code to shell_restore.c	2023-02-06 08:28:42 +09:00
include	libpq: Add support for require_auth to control authorized auth methods	2023-03-14 14:00:05 +09:00
interfaces	libpq: Add support for require_auth to control authorized auth methods	2023-03-14 14:00:05 +09:00
makefiles	meson: Make auto the default of the ssl option	2023-03-13 07:04:11 +01:00
pl	Break up long GETTEXT_FILES lists	2023-03-08 15:05:43 +01:00
port	Remove gratuitous references to postmaster program	2023-01-26 10:48:32 +01:00
template	Use unnamed POSIX semaphores on Cygwin.	2023-01-06 10:33:28 +13:00
test	libpq: Add support for require_auth to control authorized auth methods	2023-03-14 14:00:05 +09:00
timezone	Fix outdated references to guc.c	2023-03-02 13:49:39 +01:00
tools	meson: Add target for installing test files & improve install_test_files	2023-03-08 11:12:10 -08:00
tutorial	Remove useless casts to (void *) in arguments of some system functions	2023-02-07 06:57:59 +01:00
.gitignore
DEVELOPERS
Makefile	Integrate pg_bsd_indent into our build/test infrastructure.	2023-02-12 12:22:21 -05:00
Makefile.global.in	autoconf: Move export_dynamic determination to configure	2022-12-06 18:55:28 -08:00
Makefile.shlib	autoconf: Rely on ar supporting index creation	2022-10-07 11:53:39 -07:00
meson.build	Integrate pg_bsd_indent into our build/test infrastructure.	2023-02-12 12:22:21 -05:00
nls-global.mk	Fix for make unportability	2022-07-13 09:15:01 +02:00