Add new message for explicit rejection by pg_hba.conf. Implicit

rejection retains same message as before.

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 89e86ea..ac26317 100644 (file)
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *       $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.198 2010/03/30 16:08:22 petere Exp $
+ *       $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.199 2010/04/19 19:02:18 sriggs Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -363,11 +363,42 @@ ClientAuthentication(Port *port)
                case uaReject:
 
                        /*
-                        * This could have come from an explicit "reject" entry in
-                        * pg_hba.conf, but more likely it means there was no matching
-                        * entry.  Take pity on the poor user and issue a helpful error
-                        * message.  NOTE: this is not a security breach, because all the
-                        * info reported here is known at the frontend and must be assumed
+                        * An explicit "reject" entry in pg_hba.conf. Take pity on the poor
+                        * user and issue a helpful error message.
+                        * NOTE: this is not a security breach, because all the info
+                        * reported here is known at the frontend and must be assumed
+                        * known to bad guys. We're merely helping out the less clueful
+                        * good guys.
+                        */
+                       {
+                               char            hostinfo[NI_MAXHOST];
+
+                               pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+                                                                  hostinfo, sizeof(hostinfo),
+                                                                  NULL, 0,
+                                                                  NI_NUMERICHOST);
+
+#ifdef USE_SSL
+                               ereport(FATAL,
+                                               (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+                                                errmsg("pg_hba.conf rejects host \"%s\", user \"%s\", database \"%s\", %s",
+                                                         hostinfo, port->user_name, port->database_name,
+                                                               port->ssl ? _("SSL on") : _("SSL off"))));
+#else
+                               ereport(FATAL,
+                                               (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+                                                errmsg("pg_hba.conf rejects host \"%s\", user \"%s\", database \"%s\"",
+                                                  hostinfo, port->user_name, port->database_name)));
+#endif
+                               break;
+                       }
+
+               case uaImplicitReject:
+
+                       /*
+                        * No matching entry so tell the user we fell through.
+                        * NOTE: this is not a security breach, because all the info
+                        * reported here is known at the frontend and must be assumed
                         * known to bad guys. We're merely helping out the less clueful
                         * good guys.
                         */

diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 90ef86d..11443f7 100644 (file)
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -10,7 +10,7 @@
  *
  *
  * IDENTIFICATION
- *       $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.204 2010/03/24 17:05:45 tgl Exp $
+ *       $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.205 2010/04/19 19:02:18 sriggs Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -1389,9 +1389,9 @@ check_hba(hbaPort *port)
                return true;
        }
 
-       /* If no matching entry was found, synthesize 'reject' entry. */
+       /* If no matching entry was found, then implicitly reject. */
        hba = palloc0(sizeof(HbaLine));
-       hba->auth_method = uaReject;
+       hba->auth_method = uaImplicitReject;
        port->hba = hba;
        return true;
 

diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 54261bb..5f1365e 100644 (file)
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -4,7 +4,7 @@
  *       Interface to hba.c
  *
  *
- * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.61 2010/01/27 12:12:00 mha Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.62 2010/04/19 19:02:18 sriggs Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -18,6 +18,7 @@
 typedef enum UserAuth
 {
        uaReject,
+       uaImplicitReject,
        uaKrb5,
        uaTrust,
        uaIdent,