Add auth_query feature

Adds a feature that allows setting auth passthrough for md5 auth.
It adds 4 new general config parameters:

- `auth_query`: An string containing a query that will be executed on boot
to obtain the hash of a given user. This query have to use a placeholder `$1`,
so pgcat can replace it with the user its trying to fetch the hash from.
- `auth_query_user`: The user to use for connecting to the server and executing the
auth_query.
- `auth_query_password`: The password to use for connecting to the server and executing the
auth_query.
- `auth_query_database`: The database to use for connecting to the server and executing the
auth_query.

The behavior is, at boot time, when validating server connections, a hash is fetched per server
and stored there. When new server connections are created, that hash is used for creating them,
if the hash could not be obtained for whatever reason, it falls back to the password set.

Client connections are also authenticated using the obtained hash.

Author: magec

.circleci/pgcat.toml

@@ -50,6 +50,11 @@ tls_private_key = ".circleci/server.key"
 admin_username = "admin_user"
 admin_password = "admin_pass"
 
+auth_query = "SELECT * FROM public.user_lookup('$1');"
+auth_query_user = "md5_auth_user"
+auth_query_password = "secret"
+auth_query_database = "postgres"
+
 # pool
 # configs are structured as pool.<pool_name>
 # the pool_name is what clients use as database name when connecting

.circleci/run_tests.sh

@@ -43,6 +43,21 @@ curl --fail localhost:9930/metrics
 export PGPASSWORD=sharding_user
 export PGDATABASE=sharded_db
 
+# Query auth test, we check that without passwords (and query auth) we can connect.
+PGDATABASE=postgres PGPASSWORD=postgres psql -e -h 127.0.0.1 -p 5432 -U postgres -f tests/sharding/query_auth_setup.sql
+sed -i 's/^password =/# password =/' .circleci/pgcat.toml
+kill -SIGTERM $(pgrep pgcat) # restart config
+start_pgcat "info"
+psql -U sharding_user -h 127.0.0.1 -p 6432 -c 'SELECT 1'
+
+# Query auth test, we check that when we have issues executing auth_query, passwords are used.
+# Also, that reload fetches new passwords
+sed -i 's/^# password =/password =/' .circleci/pgcat.toml
+PGDATABASE=postgres PGPASSWORD=postgres psql -e -h 127.0.0.1 -p 5432 -U postgres -f tests/sharding/query_auth_wrong_setup.sql
+kill -SIGTERM $(pgrep pgcat) # restart config
+start_pgcat "info"
+psql -U sharding_user -h 127.0.0.1 -p 6432 -c 'SELECT 1'
+
 # pgbench test
 pgbench -U sharding_user -i -h 127.0.0.1 -p 6432
 pgbench -U sharding_user -h 127.0.0.1 -p 6432 -t 500 -c 2 --protocol simple -f tests/pgbench/simple.sql

Cargo.lock

@@ -34,6 +34,8 @@ rustls-pemfile = "1"
 hyper = { version = "0.14", features = ["full"] }
 phf = { version = "0.11.1", features = ["macros"] }
 exitcode = "1.1.2"
+postgres-protocol = "0.6.4"
+fallible-iterator = "0.2"
 
 [target.'cfg(not(target_env = "msvc"))'.dependencies]
 jemallocator = "0.5.0"

Cargo.toml

@@ -0,0 +1,246 @@
+use crate::errors::Error;
+use crate::messages::simple_query;
+
+use crate::server::Server;
+use crate::stats::Reporter;
+
+use bytes::BytesMut;
+use fallible_iterator::FallibleIterator;
+use parking_lot::Mutex;
+
+use log::{debug, trace, warn};
+use postgres_protocol::message;
+use std::collections::HashMap;
+use std::sync::Arc;
+
+use crate::config::get_config;
+use crate::pool::ClientServerMap;
+
+pub struct AuthPassthrough {
+    password: String,
+    query: String,
+    user: String,
+    database: String,
+}
+
+impl AuthPassthrough {
+    /// Initializes an AuthPassthrough.
+    pub fn new(query: &str, user: &str, password: &str, database: &str) -> Self {
+        AuthPassthrough {
+            password: password.to_string(),
+            query: query.to_string(),
+            user: user.to_string(),
+            database: database.to_string(),
+        }
+    }
+
+    /// Returns an AuthPassthrough given the configuration.
+    /// If any of required values is not set, None is returned.
+    pub fn from_config() -> Option<Self> {
+        let config = get_config();
+
+        if config.general.auth_query_password.is_some()
+            && config.general.auth_query_user.is_some()
+            && config.general.auth_query_password.is_some()
+            && config.general.auth_query_database.is_some()
+        {
+            return Some(AuthPassthrough::new(
+                config.general.auth_query.as_ref().unwrap(),
+                config.general.auth_query_user.as_ref().unwrap(),
+                config.general.auth_query_password.as_ref().unwrap(),
+                config.general.auth_query_database.as_ref().unwrap(),
+            ));
+        }
+
+        None
+    }
+
+    /// Connects to server and executes auth_query for the specidief user.
+    /// If the response is a row with two columns containing the user
+    /// and its MD5 hash, the hash returned.
+    ///
+    /// Note that the query is executed, changing $1 with the name of the user
+    /// this is so we only hold in memory (and transfer) the least amount of 'sensitive' data.
+    /// Also, it is compatible with pgbouncer.
+    ///
+    /// # Arguments
+    ///
+    /// * `address` - An Address of the server we want to connect to.
+    /// * `user`    - A user that will be used to obtain the hash.
+    ///
+    /// # Examples
+    ///
+    /// ```
+    /// use pgcat::auth_passthrough::AuthPassthrough;
+    /// use pgcat::config::Address;
+    /// let auth_passthrough = AuthPassthrough::new("SELECT * FROM public.user_lookup('$1');", "postgres", "postgres", "postgres");
+    /// auth_passthrough.fetch_hash(&Address::default(), "foo");
+    /// ```
+    ///
+    pub async fn fetch_hash(
+        &self,
+        address: &crate::config::Address,
+        user: &str,
+    ) -> Result<String, Error> {
+        let auth_user = crate::config::User {
+            username: self.user.clone(),
+            password: Some(self.password.clone()),
+            pool_size: 1,
+            statement_timeout: 0,
+        };
+
+        let reporter: crate::stats::Reporter = Reporter::default();
+        let client_server_map: ClientServerMap = Arc::new(Mutex::new(HashMap::new()));
+
+        debug!("Connecting to server to obtain auth hashes.");
+        match Server::startup(
+            0,
+            address,
+            &auth_user,
+            &self.database,
+            client_server_map,
+            reporter,
+            &None,
+        )
+        .await
+        {
+            Ok(mut server) => {
+                debug!("Connected!, sending auth query.");
+                let auth_query = self.query.replace("$1", user);
+                send_auth_query(&mut server, &auth_query).await?;
+                debug!("Auth query sent ({}), waiting for data.", auth_query);
+                let mut message = recv_data(&mut server).await?;
+
+                match parse_query_message(&mut message).await {
+                    Ok(password_data) => {
+                        if password_data.len() == 2 && password_data.first().unwrap() == user {
+			    Ok(password_data.last().unwrap().to_string())
+                       } else {
+                            Err(Error::AuthPassthroughError(
+                                    "Data obtained from query does not follow the scheme 'user','hash'."
+                                        .to_string(),
+                                ))
+                        }
+                    }
+                    Err(err) => {
+			Err(Error::AuthPassthroughError(format!("Error trying to obtain password from auth_query, ignoring hash for user '{}'. Error: {:?}",
+								       user, err)))
+                    }
+                }
+            }
+            Err(err) => Err(Error::AuthPassthroughError(format!(
+                "Error trying to connect to {} to fetch password shadows using username '{}', {:?}",
+                address.host, self.user, err
+            ))),
+        }
+    }
+}
+
+async fn parse_query_message(message: &mut BytesMut) -> Result<Vec<String>, Error> {
+    let mut pair = Vec::<String>::new();
+    match message::backend::Message::parse(message) {
+        Ok(Some(message::backend::Message::RowDescription(_description))) => {}
+        Ok(Some(message::backend::Message::ErrorResponse(err))) => {
+            return Err(Error::ProtocolSyncError(format!(
+                "Protocol error parsing response. Err: {:?}",
+                err.fields()
+                    .iterator()
+                    .fold(String::default(), |acc, element| acc
+                        + element.unwrap().value())
+            )))
+        }
+        Ok(_) => {
+            return Err(Error::ProtocolSyncError(
+                "Protocol error, expected Row Description.".to_string(),
+            ))
+        }
+        Err(err) => {
+            return Err(Error::ProtocolSyncError(format!(
+                "Protocol error parsing response. Err: {:?}",
+                err
+            )))
+        }
+    }
+
+    while !message.is_empty() {
+        match message::backend::Message::parse(message) {
+            Ok(postgres_message) => {
+                match postgres_message {
+                    Some(message::backend::Message::DataRow(data)) => {
+                        let buf = data.buffer();
+                        trace!("Data: {:?}", buf);
+
+                        for item in data.ranges().iterator() {
+                            match item.as_ref() {
+                            Ok(range) => match range {
+                                Some(range) => {
+                                    pair.push(String::from_utf8_lossy(&buf[range.clone()]).to_string());
+                                }
+                                None => return Err(Error::ProtocolSyncError(String::from(
+                                    "Data expected while receiving query auth data, found nothing.",
+                                ))),
+                            },
+                            Err(err) => {
+                                return Err(Error::ProtocolSyncError(format!(
+                                    "Data error, err: {:?}",
+                                    err
+                                )))
+                            }
+                            }
+                        }
+                    }
+                    Some(message::backend::Message::CommandComplete(_)) => {}
+                    Some(message::backend::Message::ReadyForQuery(_)) => {}
+                    _ => {
+                        return Err(Error::ProtocolSyncError(
+                            "Unexpected message while receiving auth query data.".to_string(),
+                        ))
+                    }
+                }
+            }
+            Err(err) => {
+                return Err(Error::ProtocolSyncError(format!(
+                    "Parse error, err: {:?}",
+                    err
+                )))
+            }
+        };
+    }
+    Ok(pair)
+}
+
+async fn recv_data(server: &mut Server) -> Result<BytesMut, Error> {
+    let mut message = BytesMut::new();
+    loop {
+        match server.recv().await {
+            Ok(data) => message.extend_from_slice(&data[..]),
+            Err(err) => {
+                return Err(Error::AuthPassthroughError(format!(
+                    "Error receiving data from server err: {:?}",
+                    err
+                )))
+            }
+        }
+
+        if !server.is_data_available() {
+            break;
+        }
+    }
+    Ok(message)
+}
+
+async fn send_auth_query(server: &mut Server, query: &str) -> Result<(), Error> {
+    return match server.send(simple_query(query)).await {
+        Ok(()) => Ok(()),
+        Err(err) => {
+            let message = format!(
+                "Error trying to connect to {} to fetch password shadows using username {}, {:?}",
+                server.address().host,
+                server.address().username,
+                err
+            );
+            warn!("{}", message);
+            Err(Error::AuthPassthroughError(message))
+        }
+    };
+}

src/auth_passthrough.rs

@@ -493,13 +493,27 @@ where
             };
 
             // Compare server and client hashes.
-            let password_hash = md5_hash_password(
-                username,
-                &pool.settings.user.password.as_ref().unwrap(),
-                &salt,
-            );
+            let mut password_hash = if let Some(password) = pool.settings.user.password.as_ref() {
+                Some(md5_hash_password(username, password, &salt))
+            } else {
+                None
+            };
 
-            if password_hash != password_response {
+            if let Some(hash) = pool.auth_hash.as_ref() {
+                if let Some(stripped_hash) = hash.strip_prefix("md5") {
+                    password_hash = Some(md5_hash_second_pass(stripped_hash, &salt));
+                } else {
+                    warn!("Obtained hash from auth_query does not seem to be in md5 format, ignoring.");
+                }
+            }
+            if password_hash.is_none() {
+                warn!("Clien auth is not possible, you either have not set a valid auth_query or a password for {{ username: {:?}, pool_name: {:?}, application_name: {:?} }}", pool_name, username, application_name);
+                wrong_password(&mut write, username).await?;
+
+                return Err(Error::ClientError(format!("Invalid client auth {{ username: {:?}, pool_name: {:?}, application_name: {:?} }}", pool_name, username, application_name)));
+            }
+
+            if password_hash.unwrap() != password_response {
                 warn!("Invalid password {{ username: {:?}, pool_name: {:?}, application_name: {:?} }}", pool_name, username, application_name);
                 wrong_password(&mut write, username).await?;
 

src/client.rs

@@ -14,4 +14,5 @@ pub enum Error {
     StatementTimeout,
     ShuttingDown,
     AuthError(String),
+    AuthPassthroughError(String),
 }