blob: 3f4c9acd8b0b3283437ac3b8c9269fb80ce11569 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
/*-------------------------------------------------------------------------
*
* oauth.h
* Interface to libpq/auth-oauth.c
*
* Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
* src/include/libpq/oauth.h
*
*-------------------------------------------------------------------------
*/
#ifndef PG_OAUTH_H
#define PG_OAUTH_H
#include "libpq/libpq-be.h"
#include "libpq/sasl.h"
extern PGDLLIMPORT char *oauth_validator_libraries_string;
typedef struct ValidatorModuleState
{
/* Holds the server's PG_VERSION_NUM. Reserved for future extensibility. */
int sversion;
/*
* Private data pointer for use by a validator module. This can be used to
* store state for the module that will be passed to each of its
* callbacks.
*/
void *private_data;
} ValidatorModuleState;
typedef struct ValidatorModuleResult
{
/*
* Should be set to true if the token carries sufficient permissions for
* the bearer to connect.
*/
bool authorized;
/*
* If the token authenticates the user, this should be set to a palloc'd
* string containing the SYSTEM_USER to use for HBA mapping. Consider
* setting this even if result->authorized is false so that DBAs may use
* the logs to match end users to token failures.
*
* This is required if the module is not configured for ident mapping
* delegation. See the validator module documentation for details.
*/
char *authn_id;
} ValidatorModuleResult;
/*
* Validator module callbacks
*
* These callback functions should be defined by validator modules and returned
* via _PG_oauth_validator_module_init(). ValidatorValidateCB is the only
* required callback. For more information about the purpose of each callback,
* refer to the OAuth validator modules documentation.
*/
typedef void (*ValidatorStartupCB) (ValidatorModuleState *state);
typedef void (*ValidatorShutdownCB) (ValidatorModuleState *state);
typedef bool (*ValidatorValidateCB) (const ValidatorModuleState *state,
const char *token, const char *role,
ValidatorModuleResult *result);
/*
* Identifies the compiled ABI version of the validator module. Since the server
* already enforces the PG_MODULE_MAGIC number for modules across major
* versions, this is reserved for emergency use within a stable release line.
* May it never need to change.
*/
#define PG_OAUTH_VALIDATOR_MAGIC 0x20250220
typedef struct OAuthValidatorCallbacks
{
uint32 magic; /* must be set to PG_OAUTH_VALIDATOR_MAGIC */
ValidatorStartupCB startup_cb;
ValidatorShutdownCB shutdown_cb;
ValidatorValidateCB validate_cb;
} OAuthValidatorCallbacks;
/*
* Type of the shared library symbol _PG_oauth_validator_module_init which is
* required for all validator modules. This function will be invoked during
* module loading.
*/
typedef const OAuthValidatorCallbacks *(*OAuthValidatorModuleInit) (void);
extern PGDLLEXPORT const OAuthValidatorCallbacks *_PG_oauth_validator_module_init(void);
/* Implementation */
extern PGDLLIMPORT const pg_be_sasl_mech pg_be_oauth_mech;
/*
* Ensure a validator named in the HBA is permitted by the configuration.
*/
extern bool check_oauth_validator(HbaLine *hba, int elevel, char **err_msg);
#endif /* PG_OAUTH_H */
|
