On Thu, Aug 17, 2023 at 9:46 AM Stephen Frost <sfr...@snowman.net> wrote: > Don't like 'skipped' but that feels closer. > > How about 'connection bypassed authentication'?
Works for me; see v2. Thanks! --Jacob
From 5404c28391d2faae8a306e4e21c2ddfe1b70b53e Mon Sep 17 00:00:00 2001 From: Jacob Champion <champio...@gmail.com> Date: Wed, 16 Aug 2023 14:48:49 -0700 Subject: [PATCH v2] log_connections: add entries for "trust" connections Allow DBAs to audit unexpected "trust" connections. Previously, you had to notice the absence of a "connection authenticated" line between the "connection received" and "connection authorized" entries. Now it's called out explicitly. --- src/backend/libpq/auth.c | 15 +++++++++++++++ src/test/authentication/t/001_password.pl | 6 ++++++ 2 files changed, 21 insertions(+) diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index e7571aaddb..a68e1c9b52 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -645,6 +645,21 @@ ClientAuthentication(Port *port) #endif } + if (Log_connections + && (status == STATUS_OK) && !MyClientConnectionInfo.authn_id) + { + /* + * No authentication was actually performed; this happens e.g. when the + * trust method is in use. For audit purposes, log a breadcrumb to + * explain where in the HBA this happened. + */ + ereport(LOG, + errmsg("connection bypassed authentication: user=\"%s\" method=%s " + "(%s:%d)", + port->user_name, hba_authname(port->hba->auth_method), + port->hba->sourcefile, port->hba->linenumber)); + } + if (ClientAuthentication_hook) (*ClientAuthentication_hook) (port, status); diff --git a/src/test/authentication/t/001_password.pl b/src/test/authentication/t/001_password.pl index 12552837a8..3440afbaaa 100644 --- a/src/test/authentication/t/001_password.pl +++ b/src/test/authentication/t/001_password.pl @@ -140,8 +140,14 @@ $node->safe_psql('postgres', "CREATE database regex_testdb;"); # considered to be authenticated. reset_pg_hba($node, 'all', 'all', 'trust'); test_conn($node, 'user=scram_role', 'trust', 0, + log_like => [ + qr/connection bypassed authentication: user="scram_role" method=trust/ + ], log_unlike => [qr/connection authenticated:/]); test_conn($node, 'user=md5_role', 'trust', 0, + log_like => [ + qr/connection bypassed authentication: user="md5_role" method=trust/ + ], log_unlike => [qr/connection authenticated:/]); # SYSTEM_USER is null when not authenticated. -- 2.39.2