From ffde1ab0f710a1b7a91195fefdb4aad74eccbf40 Mon Sep 17 00:00:00 2001 From: Matheus Alcantara Date: Thu, 20 Feb 2025 15:12:48 -0300 Subject: [PATCH v3 2/2] dblink: Add SCRAM pass-through authentication This enables SCRAM authentication for dblink_fdw when connecting to a foreign server using the same approach as it was implemented for postgres_fdw on 761c79508e. --- contrib/dblink/Makefile | 1 + contrib/dblink/dblink.c | 185 ++++++++++++++++++++++-- contrib/dblink/meson.build | 5 + contrib/dblink/t/001_auth_scram.pl | 220 +++++++++++++++++++++++++++++ doc/src/sgml/dblink.sgml | 81 ++++++++++- 5 files changed, 477 insertions(+), 15 deletions(-) create mode 100644 contrib/dblink/t/001_auth_scram.pl diff --git a/contrib/dblink/Makefile b/contrib/dblink/Makefile index d4c7ed625ab..fde0b49ddbb 100644 --- a/contrib/dblink/Makefile +++ b/contrib/dblink/Makefile @@ -13,6 +13,7 @@ PGFILEDESC = "dblink - connect to other PostgreSQL databases" REGRESS = dblink REGRESS_OPTS = --dlpath=$(top_builddir)/src/test/regress +TAP_TESTS = 1 ifdef USE_PGXS PG_CONFIG = pg_config diff --git a/contrib/dblink/dblink.c b/contrib/dblink/dblink.c index 412734dc34f..fc7fb56b03e 100644 --- a/contrib/dblink/dblink.c +++ b/contrib/dblink/dblink.c @@ -43,6 +43,8 @@ #include "catalog/pg_foreign_server.h" #include "catalog/pg_type.h" #include "catalog/pg_user_mapping.h" +#include "commands/defrem.h" +#include "common/base64.h" #include "executor/spi.h" #include "foreign/foreign.h" #include "funcapi.h" @@ -112,9 +114,9 @@ static int get_attnum_pk_pos(int *pkattnums, int pknumatts, int key); static HeapTuple get_tuple_of_interest(Relation rel, int *pkattnums, int pknumatts, char **src_pkattvals); static Relation get_rel_from_relname(text *relname_text, LOCKMODE lockmode, AclMode aclmode); static char *generate_relation_name(Relation rel); -static void dblink_connstr_check(const char *connstr); +static void dblink_connstr_check(const char *connstr, bool useScramPassthrough); static bool dblink_connstr_has_pw(const char *connstr); -static void dblink_security_check(PGconn *conn, remoteConn *rconn, const char *connstr); +static void dblink_security_check(PGconn *conn, remoteConn *rconn, const char *connstr, bool useScramPassthrough); static void dblink_res_error(PGconn *conn, const char *conname, PGresult *res, bool fail, const char *fmt,...) pg_attribute_printf(5, 6); static char *get_connect_string(ForeignServer *foreign_server, UserMapping *user_mapping); @@ -129,6 +131,20 @@ static void restoreLocalGucs(int nestlevel); static PGconn *connect_pg_server(char *connstr_or_srvname, remoteConn *rconn, uint32 wait_event_info); +static bool + UseScramPassthrough(ForeignServer *foreign_server, UserMapping *user); + +static void + appendSCRAMKeysInfo(StringInfo buf); + +static bool + is_valid_dblink_fdw_option(const PQconninfoOption *options, const char *option, + Oid context); + + +static bool + dblink_connstr_has_scram_require_auth(const char *connstr); + /* Global */ static remoteConn *pconn = NULL; static HTAB *remoteConnHash = NULL; @@ -1915,7 +1931,7 @@ dblink_fdw_validator(PG_FUNCTION_ARGS) { DefElem *def = (DefElem *) lfirst(cell); - if (!is_valid_dblink_option(options, def->defname, context)) + if (!is_valid_dblink_fdw_option(options, def->defname, context)) { /* * Unknown option, or invalid option for the context specified, so @@ -2547,14 +2563,57 @@ deleteConnection(const char *name) errmsg("undefined connection name"))); } +bool +dblink_connstr_has_scram_require_auth(const char *connstr) +{ + PQconninfoOption *options; + PQconninfoOption *option; + bool result = false; + + options = PQconninfoParse(connstr, NULL); + if (options) + { + for (option = options; option->keyword != NULL; option++) + { + if (strcmp(option->keyword, "require_auth") == 0) + { + /* + * Continue iterating even if we found to make sure that there + * is no other declaration of require_auth that can overwrite + * the first. + */ + if (option->val != NULL && strcmp(option->val, "scram-sha-256") == 0) + result = true; + else + result = false; + } + } + PQconninfoFree(options); + } + + return result; +} + /* * We need to make sure that the connection made used credentials * which were provided by the user, so check what credentials were * used to connect and then make sure that they came from the user. */ static void -dblink_security_check(PGconn *conn, remoteConn *rconn, const char *connstr) +dblink_security_check(PGconn *conn, remoteConn *rconn, const char *connstr, bool useScramPassthrough) { + + if (useScramPassthrough) + { + if (dblink_connstr_has_scram_require_auth(connstr)) + return; + + ereport(ERROR, + (errcode(ERRCODE_S_R_E_PROHIBITED_SQL_STATEMENT_ATTEMPTED), + errmsg("use_scram_passthrough can only be used with require_auth='scram-sha-256'"), + errhint("Ensure that there is not invalid require_auth on foreign server options"))); + } + /* Superuser bypasses security check */ if (superuser()) return; @@ -2615,16 +2674,29 @@ dblink_connstr_has_pw(const char *connstr) } /* - * For non-superusers, insist that the connstr specify a password, except - * if GSSAPI credentials have been delegated (and we check that they are used - * for the connection in dblink_security_check later). This prevents a - * password or GSSAPI credentials from being picked up from .pgpass, a - * service file, the environment, etc. We don't want the postgres user's - * passwords or Kerberos credentials to be accessible to non-superusers. + * For non-superusers, insist that the connstr specify a password, except if + * GSSAPI credentials have been delegated (and we check that they are used for + * the connection in dblink_security_check later) or if scram pass-through is + * being used. This prevents a password or GSSAPI credentials from being + * picked up from .pgpass, a service file, the environment, etc. We don't want + * the postgres user's passwords or Kerberos credentials to be accessible to + * non-superusers. In case of scram pass-through insist that the connstr + * specify require_auth=scram-sha-256 for a secure connection. */ static void -dblink_connstr_check(const char *connstr) +dblink_connstr_check(const char *connstr, bool useScramPassthrough) { + if (useScramPassthrough) + { + if (dblink_connstr_has_scram_require_auth(connstr)) + return; + + ereport(ERROR, + (errcode(ERRCODE_S_R_E_PROHIBITED_SQL_STATEMENT_ATTEMPTED), + errmsg("use_scram_passthrough can only be used with require_auth='scram-sha-256'"), + errhint("Ensure that there is not invalid require_auth on foreign server options"))); + } + if (superuser()) return; @@ -2773,6 +2845,9 @@ get_connect_string(ForeignServer *foreign_server, UserMapping *user_mapping) if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FOREIGN_SERVER, foreign_server->servername); + if (MyProcPort->has_scram_keys && UseScramPassthrough(foreign_server, user_mapping)) + appendSCRAMKeysInfo(&buf); + foreach(cell, fdw->options) { DefElem *def = lfirst(cell); @@ -2954,6 +3029,22 @@ is_valid_dblink_option(const PQconninfoOption *options, const char *option, return true; } + +/* + * Same as is_valid_dblink_option but also check for only dblink_fdw specific + * options. + */ +static bool +is_valid_dblink_fdw_option(const PQconninfoOption *options, const char *option, + Oid context) +{ + if (strcmp(option, "use_scram_passthrough") == 0) + return true; + + return is_valid_dblink_option(options, option, context); +} + + /* * Copy the remote session's values of GUCs that affect datatype I/O * and apply them locally in a new GUC nesting level. Returns the new @@ -3024,6 +3115,70 @@ restoreLocalGucs(int nestlevel) AtEOXact_GUC(true, nestlevel); } +/* + * Append SCRAM client key and server key information from the global + * MyProcPort into the given StringInfo buffer. + */ +static void +appendSCRAMKeysInfo(StringInfo buf) +{ + int len; + int encoded_len; + char *client_key; + char *server_key; + + + len = pg_b64_enc_len(sizeof(MyProcPort->scram_ClientKey)); + /* don't forget the zero-terminator */ + client_key = palloc0(len + 1); + encoded_len = pg_b64_encode((const char *) MyProcPort->scram_ClientKey, + sizeof(MyProcPort->scram_ClientKey), + client_key, len); + if (encoded_len < 0) + elog(ERROR, "could not encode SCRAM client key"); + + len = pg_b64_enc_len(sizeof(MyProcPort->scram_ServerKey)); + /* don't forget the zero-terminator */ + server_key = palloc0(len + 1); + encoded_len = pg_b64_encode((const char *) MyProcPort->scram_ServerKey, + sizeof(MyProcPort->scram_ServerKey), + server_key, len); + if (encoded_len < 0) + elog(ERROR, "could not encode SCRAM server key"); + + appendStringInfo(buf, "scram_client_key='%s'", client_key); + appendStringInfo(buf, "scram_server_key='%s'", server_key); + appendStringInfo(buf, "require_auth='scram-sha-256'"); + + pfree(client_key); + pfree(server_key); +} + + +static bool +UseScramPassthrough(ForeignServer *foreign_server, UserMapping *user) +{ + ListCell *cell; + + foreach(cell, foreign_server->options) + { + DefElem *def = lfirst(cell); + + if (strcmp(def->defname, "use_scram_passthrough") == 0) + return defGetBoolean(def); + } + + foreach(cell, user->options) + { + DefElem *def = (DefElem *) lfirst(cell); + + if (strcmp(def->defname, "use_scram_passthrough") == 0) + return defGetBoolean(def); + } + + return false; +} + /* * Connect to remote server. If connstr_or_srvname maps to a foreign server, * the associated properties and user mapping properties is also used to open @@ -3040,6 +3195,7 @@ connect_pg_server(char *connstr_or_srvname, remoteConn *rconn, uint32 wait_event Oid serverid; UserMapping *user_mapping; Oid userid = GetUserId(); + bool useScramPassthrough = false; /* first gather the server connstr options */ srvname = pstrdup(connstr_or_srvname); @@ -3050,13 +3206,15 @@ connect_pg_server(char *connstr_or_srvname, remoteConn *rconn, uint32 wait_event { serverid = foreign_server->serverid; user_mapping = GetUserMapping(userid, serverid); + useScramPassthrough = MyProcPort->has_scram_keys && UseScramPassthrough(foreign_server, user_mapping); connstr = get_connect_string(foreign_server, user_mapping); } else connstr = connstr_or_srvname; - dblink_connstr_check(connstr); + /* Verify the set of connection parameters. */ + dblink_connstr_check(connstr, useScramPassthrough); /* OK to make connection */ conn = libpqsrv_connect(connstr, wait_event_info); @@ -3075,7 +3233,8 @@ connect_pg_server(char *connstr_or_srvname, remoteConn *rconn, uint32 wait_event errdetail_internal("%s", msg))); } - dblink_security_check(conn, rconn, connstr); + /* Perform post-connection security checks. */ + dblink_security_check(conn, rconn, connstr, useScramPassthrough); /* attempt to set client encoding to match server encoding, if needed */ if (PQclientEncoding(conn) != GetDatabaseEncoding()) diff --git a/contrib/dblink/meson.build b/contrib/dblink/meson.build index 3ab78668288..dfd8eb6877e 100644 --- a/contrib/dblink/meson.build +++ b/contrib/dblink/meson.build @@ -36,4 +36,9 @@ tests += { ], 'regress_args': ['--dlpath', meson.build_root() / 'src/test/regress'], }, + 'tap': { + 'tests': [ + 't/001_auth_scram.pl', + ], + }, } diff --git a/contrib/dblink/t/001_auth_scram.pl b/contrib/dblink/t/001_auth_scram.pl new file mode 100644 index 00000000000..ac646d2a54d --- /dev/null +++ b/contrib/dblink/t/001_auth_scram.pl @@ -0,0 +1,220 @@ +# Copyright (c) 2024-2025, PostgreSQL Global Development Group + +# Test SCRAM authentication when opening a new connection with a foreign +# server. +# +# The test is executed by testing the SCRAM authentifcation on a looplback +# connection on the same server and with different servers. + +use strict; +use warnings FATAL => 'all'; +use PostgreSQL::Test::Utils; +use PostgreSQL::Test::Cluster; +use Test::More; + +my $hostaddr = '127.0.0.1'; +my $user = "user01"; + +my $db0 = "db0"; # For node1 +my $db1 = "db1"; # For node1 +my $db2 = "db2"; # For node2 +my $fdw_server = "db1_fdw"; +my $fdw_server2 = "db2_fdw"; +my $fdw_invalid_server = "db2_fdw_invalid"; # For invalid fdw options + +my $node1 = PostgreSQL::Test::Cluster->new('node1'); +my $node2 = PostgreSQL::Test::Cluster->new('node2'); + +$node1->init; +$node2->init; + +$node1->start; +$node2->start; + +# Test setup + +$node1->safe_psql('postgres', qq'CREATE USER $user WITH password \'pass\''); +$node2->safe_psql('postgres', qq'CREATE USER $user WITH password \'pass\''); +$ENV{PGPASSWORD} = "pass"; + +$node1->safe_psql('postgres', qq'CREATE DATABASE $db0'); +$node1->safe_psql('postgres', qq'CREATE DATABASE $db1'); +$node2->safe_psql('postgres', qq'CREATE DATABASE $db2'); + +setup_table($node1, $db1, "t"); +setup_table($node2, $db2, "t2"); + +$node1->safe_psql($db0, 'CREATE EXTENSION IF NOT EXISTS dblink'); +setup_fdw_server($node1, $db0, $fdw_server, $node1, $db1); +setup_fdw_server($node1, $db0, $fdw_server2, $node2, $db2); +setup_invalid_fdw_server($node1, $db0, $fdw_invalid_server, $node2, $db2); + +setup_user_mapping($node1, $db0, $fdw_server); +setup_user_mapping($node1, $db0, $fdw_server2); +setup_user_mapping($node1, $db0, $fdw_invalid_server); + +# Make the user have the same SCRAM key on both servers. Forcing to have the +# same iteration and salt. +my $rolpassword = $node1->safe_psql('postgres', + qq"SELECT rolpassword FROM pg_authid WHERE rolname = '$user';"); +$node2->safe_psql('postgres', qq"ALTER ROLE $user PASSWORD '$rolpassword'"); + +unlink($node1->data_dir . '/pg_hba.conf'); +unlink($node2->data_dir . '/pg_hba.conf'); + +$node1->append_conf( + 'pg_hba.conf', qq{ +local db0 all scram-sha-256 +local db1 all scram-sha-256 +}); +$node2->append_conf( + 'pg_hba.conf', qq{ +local db2 all scram-sha-256 +}); + +$node1->restart; +$node2->restart; + +# End of test setup + +test_fdw_auth($node1, $db0, "t", $fdw_server, + "SCRAM auth on the same database cluster must succeed"); + +test_fdw_auth($node1, $db0, "t2", $fdw_server2, + "SCRAM auth on a different database cluster must succeed"); + +test_fdw_auth_with_invalid_overwritten_require_auth($fdw_invalid_server); + +# Ensure that trust connections fail without superuser opt-in. +unlink($node1->data_dir . '/pg_hba.conf'); +unlink($node2->data_dir . '/pg_hba.conf'); + +$node1->append_conf( + 'pg_hba.conf', qq{ +local db0 all scram-sha-256 +local db1 all trust +}); +$node2->append_conf( + 'pg_hba.conf', qq{ +local db2 all trust +}); + +$node1->restart; +$node2->restart; + +my ($ret, $stdout, $stderr) = $node1->psql( + $db0, + "SELECT * FROM dblink('$fdw_server', 'SELECT * FROM t') AS t(a int, b int)", + connstr => $node1->connstr($db0) . " user=$user"); + +is($ret, 3, 'loopback trust fails on the same cluster'); +like( + $stderr, + qr/authentication method requirement "scram-sha-256" failed: server did not complete authentication/, + 'expected error from loopback trust (same cluster)'); + +($ret, $stdout, $stderr) = $node1->psql( + $db0, + "SELECT * FROM dblink('$fdw_server2', 'SELECT * FROM t2') AS t2(a int, b int)", + connstr => $node1->connstr($db0) . " user=$user"); + +is($ret, 3, 'loopback trust fails on a different cluster'); +like( + $stderr, + qr/authentication method requirement "scram-sha-256" failed: server did not complete authentication/, + 'expected error from loopback trust (different cluster)'); + +# Helper functions + +sub test_fdw_auth +{ + local $Test::Builder::Level = $Test::Builder::Level + 1; + + my ($node, $db, $tbl, $fdw, $testname) = @_; + my $connstr = $node->connstr($db) . qq' user=$user'; + + my $ret = $node->safe_psql( + $db, + qq"SELECT count(1) FROM dblink('$fdw', 'SELECT * FROM $tbl') AS $tbl(a int, b int)", + connstr => $connstr); + + is($ret, '10', $testname); +} + +sub test_fdw_auth_with_invalid_overwritten_require_auth +{ + + my ($fdw) = @_; + + my ($ret, $stdout, $stderr) = $node1->psql( + $db0, + "select * from dblink('$fdw', 'select * from t') as t(a int, b int)", + connstr => $node1->connstr($db0) . " user=$user"); + + is($ret, 3, 'loopback trust fails when overwriting require_auth'); + like( + $stderr, + qr/use_scram_passthrough can only be used with require_auth='scram-sha-256'/, + 'expected error when connecting to a fdw overwriting the require_auth'); +} + +sub setup_user_mapping +{ + my ($node, $db, $fdw) = @_; + + $node->safe_psql($db, + qq'CREATE USER MAPPING FOR $user SERVER $fdw OPTIONS (user \'$user\');' + ); + $node->safe_psql($db, qq'GRANT USAGE ON FOREIGN SERVER $fdw TO $user;'); + $node->safe_psql($db, qq'GRANT ALL ON SCHEMA public TO $user'); +} + +sub setup_invalid_user_mapping +{ + my ($node, $db, $fdw) = @_; + + $node->safe_psql($db, + qq'CREATE USER MAPPING FOR $user SERVER $fdw OPTIONS (user \'$user\', require_auth \'none\');' + ); + $node->safe_psql($db, qq'GRANT USAGE ON FOREIGN SERVER $fdw TO $user;'); + $node->safe_psql($db, qq'GRANT ALL ON SCHEMA public TO $user'); +} + +sub setup_fdw_server +{ + my ($node, $db, $fdw, $fdw_node, $dbname) = @_; + my $host = $fdw_node->host; + my $port = $fdw_node->port; + + $node->safe_psql( + $db, qq'CREATE SERVER $fdw FOREIGN DATA WRAPPER dblink_fdw options ( + host \'$host\', port \'$port\', dbname \'$dbname\', use_scram_passthrough \'true\') ' + ); +} + +sub setup_invalid_fdw_server +{ + my ($node, $db, $fdw, $fdw_node, $dbname) = @_; + my $host = $fdw_node->host; + my $port = $fdw_node->port; + + + $node->safe_psql( + $db, qq'CREATE SERVER $fdw FOREIGN DATA WRAPPER dblink_fdw options ( + host \'$host\', port \'$port\', dbname \'$dbname\', use_scram_passthrough \'true\', require_auth \'none\') ' + ); +} + +sub setup_table +{ + my ($node, $db, $tbl) = @_; + + $node->safe_psql($db, + qq'CREATE TABLE $tbl AS SELECT g as a, g + 1 as b FROM generate_series(1,10) g(g)' + ); + $node->safe_psql($db, qq'GRANT USAGE ON SCHEMA public TO $user'); + $node->safe_psql($db, qq'GRANT SELECT ON $tbl TO $user'); +} + +done_testing(); + diff --git a/doc/src/sgml/dblink.sgml b/doc/src/sgml/dblink.sgml index 81f35986c88..f6e1009c028 100644 --- a/doc/src/sgml/dblink.sgml +++ b/doc/src/sgml/dblink.sgml @@ -136,6 +136,82 @@ dblink_connect(text connname, text connstr) returns text + + Foreign Data Wrapper + + + A Foreign Data Wrapper can be used as a connection name parameter. The foreign + server can be created using CREATE SERVER and CREATE USER MAPPING commands. + + + + The authentication with the foreign server can be via password on USER + MAPPING or using SCRAM pass-through. The + use_scram_passthrough on CREATE SERVER options controls + whether dblink_fdw will use the SCRAM pass-through + authentication to connect to the foreign server. With SCRAM pass-through + authentication, dblink_fdw uses SCRAM-hashed secrets + instead of plain-text user passwords to connect to the remote server. This + avoids storing plain-text user passwords in PostgreSQL system catalogs. + + + + To use SCRAM pass-through authentication: + + + + The remote server must request SCRAM authentication. (If desired, + enforce this on the client side (FDW side) with the option + require_auth.) If another authentication method is + requested by the server, then that one will be used normally. + + + + + + The remote server can be of any PostgreSQL version that supports SCRAM. + Support for use_scram_passthrough is only required on + the client side (FDW side). + + + + + + The user mapping password is not used. (It could be set to support other + authentication methods, but that would arguably violate the point of this + feature, which is to avoid storing plain-text passwords.) + + + + + + The server running dblink_fdw and the remote server + must have identical SCRAM secrets (encrypted passwords) for the user being + used on dblink_fdw to authenticate on the foreign + server (same salt and iterations, not merely the same password). + + + + As a corollary, if FDW connections to multiple hosts are to be made, for + example for partitioned foreign tables/sharding, then all hosts must have + identical SCRAM secrets for the users involved. + + + + + + The current session on the PostgreSQL instance that makes the outgoing FDW + connections also must also use SCRAM authentication for its incoming client + connection. (Hence pass-through: SCRAM must be used going in + and out.) This is a technical requirement of the SCRAM protocol. + + + + + + + + Notes @@ -181,8 +257,9 @@ SELECT dblink_connect('myconn', 'dbname=postgres options=-csearch_path='); (1 row) -- FOREIGN DATA WRAPPER functionality --- Note: local connection must require password authentication for this to work properly --- Otherwise, you will receive the following error from dblink_connect(): +-- Note: local connection that don't use SCRAM pass-through require password +-- authentication for this to work properly. Otherwise, you will receive +-- the following error from dblink_connect(): -- ERROR: password is required -- DETAIL: Non-superuser cannot connect if the server does not request a password. -- HINT: Target server's authentication method must be changed. -- 2.39.5 (Apple Git-154)