[CF 5845] Carefully exposing information without authentication

This branch was automatically generated by a robot using patches from an
email thread registered at:

https://commitfest.postgresql.org/patch/5845

The branch will be overwritten each time a new patch version is posted to
the thread, and also periodically to check for bitrot caused by changes
on the master branch.

Patch(es): https://www.postgresql.org/message-id/CAKAnmmKxP7bOO7QOLdSk8dYoUxFRus2XC1nEbk6En9GgV_4JbA@mail.gmail.com
Author(s): Greg Sabino Mullane

Author: Commitfest Bot

doc/src/sgml/config.sgml

@@ -1077,6 +1077,84 @@ include_dir 'conf.d'
      </variablelist>
      </sect2>
 
+     <sect2 id="runtime-config-expose-settings">
+     <title>Expose Settings</title>
+
+     <variablelist>
+
+     <varlistentry id="guc-expose-recovery" xreflabel="expose_recovery">
+      <term><varname>expose_recovery</varname> (<type>boolean</type>)
+      <indexterm>
+       <primary><varname>expose_recovery</varname> configuration parameter</primary>
+      </indexterm>
+      </term>
+      <listitem>
+       <para>
+        Enables reporting if the server is in recovery mode without requiring
+        an authenticated login. Clients can send the string <literal>GET /replica</literal>
+        and will receive a 1 or 0. This is equivalent to logging in and running
+        <literal>SELECT pg_is_in_recovery()</literal>. A client can also send the
+        string <literal>HEAD /replica</literal> which will solely return an HTTP literal:
+        <literal>200</literal> if the server is in recovery, <literal>503</literal> if not.
+        (This allows a drop-in replacement to the same Patroni functionality)
+        Finally, a client can issue <literal>GET /info</literal> and receive the string
+        <literal>RECOVERY: </literal> followed by a 1 or 0.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry id="guc-expose-sysid" xreflabel="expose_sysid">
+      <term><varname>expose_sysid</varname> (<type>boolean</type>)
+      <indexterm>
+       <primary><varname>expose_sysid</varname> configuration parameter</primary>
+      </indexterm>
+      </term>
+      <listitem>
+       <para>
+        Enables reporting the system identifier of the cluster without requiring
+        an authenticated login. Clients can send the string <literal>GET /sysid</literal>
+        and will receive the numeric system identifier. This is a unique number generated
+        by each cluster when initdb is run.
+       </para>
+       <para>
+        A client can issue <literal>GET /info</literal> and receive the string
+        <literal>SYSID: </literal> followed by the numeric system identifier.
+       </para>
+       <para>
+        This feature is useful for determining if the server is the same server as previously
+        encountered. Note than primary and replica servers will share the same system
+        identifier.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry id="guc-expose-version" xreflabel="expose_version">
+      <term><varname>expose_version</varname> (<type>boolean</type>)
+      <indexterm>
+       <primary><varname>expose_version</varname> configuration parameter</primary>
+      </indexterm>
+      </term>
+      <listitem>
+       <para>
+        Enables reporting the numeric version of the Postgres cluster without requiring
+        an authenticated login. Clients can send the string <literal>GET /version</literal>
+        and will receive an integer representing the version.
+       </para>
+       <para>
+        A client can issue <literal>GET /info</literal> and receive the string
+        <literal>VERSION: </literal> followed by the numeric version.
+       </para>
+       <para>
+        This is particularly useful for non-Postgres systems (esp. security scanners) that
+        need a way to easily determine the version of Postgres in use without requiring
+        a Postgres client - or without needing any knowledge of the Postgres protocol at all.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     </variablelist>
+     </sect2>
+
      <sect2 id="runtime-config-connection-authentication">
      <title>Authentication</title>
 

src/backend/tcop/backend_startup.c

@@ -46,6 +46,10 @@
 bool		Trace_connection_negotiation = false;
 uint32		log_connections = 0;
 char	   *log_connections_string = NULL;
+bool		expose_recovery = false;
+bool		expose_sysid = false;
+bool		expose_version = false;
+
 
 /* Other globals */
 
@@ -65,6 +69,7 @@ static void SendNegotiateProtocolVersion(List *unrecognized_protocol_options);
 static void process_startup_packet_die(SIGNAL_ARGS);
 static void StartupPacketTimeoutHandler(void);
 static bool validate_log_connections_options(List *elemlist, uint32 *flags);
+static bool ExposeInformation(pgsocket fd);
 
 /*
  * Entry point for a new backend process.
@@ -148,6 +153,15 @@ BackendInitialize(ClientSocket *client_sock, CAC_state cac)
 	StringInfoData ps_data;
 	MemoryContext oldcontext;
 
+	/*
+	 * Scan for a simple GET / HEAD request. If this is detected and
+	 * handled, we are done and can immediately exit
+	 */
+	if ((expose_recovery || expose_sysid || expose_version)
+		&& ExposeInformation(client_sock->sock))
+		proc_exit(0);
+	/* Should we do exit(0) here, despite the warnings in ipc.c? */
+
 	/* Tell fd.c about the long-lived FD associated with the client_sock */
 	ReserveExternalFD();
 
@@ -1126,3 +1140,180 @@ assign_log_connections(const char *newval, void *extra)
 {
 	log_connections = *((int *) extra);
 }
+
+
+static
+bool
+ExposeInformation(pgsocket fd)
+{
+
+/*
+ * ExposeInformation
+ *
+ *
+ * Handle early socket probe before full backend startup.
+ * Responds to small set of predefined endpoints (e.g. GET /info)
+ *
+ * Requires at least one "expose_" GUC to be true.
+ *
+ * Returns true if any endpoint is recognized.
+ */
+
+#define EXPOSE_MIN_QUERY 9		/* Shortest possible line: "Get /info" */
+#define EXPOSE_MAX_QUERY 16		/* Longest possible GET line */
+
+/* What information is being returned */
+	typedef enum
+	{
+		EXPOSE_NOTHING,
+		EXPOSE_HEAD_REPLICA,
+		EXPOSE_GET_ALL,
+		EXPOSE_GET_REPLICA,
+		EXPOSE_GET_SYSID,
+		EXPOSE_GET_VERSION,
+	}			ReturnType;
+
+	typedef struct
+	{
+		const char *endpoint;
+		const bool *require;
+		ReturnType	type;
+	}			endpoint_action;
+
+	static endpoint_action endpoint_actions[] =
+	{
+		{
+			"HEAD /replica", &expose_recovery, EXPOSE_HEAD_REPLICA
+		},
+		{
+			"GET /replica", &expose_recovery, EXPOSE_GET_REPLICA
+		},
+		{
+			"GET /sysid", &expose_sysid, EXPOSE_GET_SYSID
+		},
+		{
+			"GET /version", &expose_version, EXPOSE_GET_VERSION
+		},
+		{
+			"GET /info", NULL, EXPOSE_GET_ALL
+		}
+	};
+
+	ssize_t		n;
+	char		buf[EXPOSE_MAX_QUERY + 1];
+	int			type;
+
+	Assert(expose_recovery || expose_sysid || expose_version);
+
+	do
+	{
+		n = recv(fd, buf, EXPOSE_MAX_QUERY, MSG_PEEK);
+	} while (n < 0 && errno == EINTR);
+
+	/*
+	 * Leave as soon as possible if no chance we are interested. We also
+	 * simply return false for n == -1
+	 */
+	if (n < EXPOSE_MIN_QUERY)
+		return false;
+
+	buf[n] = '\0';
+
+	type = EXPOSE_NOTHING;
+	for (int i = 0; i < lengthof(endpoint_actions); i++)
+	{
+		if (
+			strncmp(buf, endpoint_actions[i].endpoint, strlen(endpoint_actions[i].endpoint)) == 0
+			&&
+			(endpoint_actions[i].require == NULL
+			 ||
+			 *(endpoint_actions[i].require)
+			 ))
+		{
+			type = endpoint_actions[i].type;
+			break;
+		}
+	}
+
+	if (type == EXPOSE_NOTHING)
+		return false;
+
+	{
+		static const char http_version[] = "HTTP/1.1";
+		static const char http_type[] = "Content-Type: text/plain";
+		static const char *http_conn = "Connection: close";
+		static const char http_len[] = "Content-Length";
+
+		StringInfoData msg;
+
+		if (type == EXPOSE_HEAD_REPLICA)
+		{
+			/*
+			 * Caller only cares about the HTTP response code, so no content
+			 * needed
+			 */
+
+			initStringInfoExt(&msg, 64);
+
+			appendStringInfo(&msg,
+							 "%s %s\r\n"
+							 "%s\r\n"
+							 "%s\r\n\r\n",
+							 http_version,
+							 (RecoveryInProgress() ? "200 OK" : "503 Service Unavailable"),
+							 http_type,
+							 http_conn
+				);
+		}
+		else
+		{
+			StringInfoData content;
+
+			initStringInfoExt(&content, 64);
+
+			if (expose_recovery && (type == EXPOSE_GET_ALL || type == EXPOSE_GET_REPLICA))
+				appendStringInfo(&content, "%s%d\r\n",
+								 type == EXPOSE_GET_ALL ? "RECOVERY: " : "",
+								 RecoveryInProgress() ? 1 : 0);
+			if (expose_sysid && (type == EXPOSE_GET_ALL || type == EXPOSE_GET_SYSID))
+				appendStringInfo(&content, "%s%lu\r\n",
+								 type == EXPOSE_GET_ALL ? "SYSID: " : "",
+								 GetSystemIdentifier());
+			if (expose_version && (type == EXPOSE_GET_ALL || type == EXPOSE_GET_VERSION))
+				appendStringInfo(&content, "%s%d\r\n",
+								 type == EXPOSE_GET_ALL ? "VERSION: " : "",
+								 PG_VERSION_NUM);
+
+			initStringInfoExt(&msg, 256);
+
+			appendStringInfo(&msg,
+							 "%s 200 OK\r\n"
+							 "%s\r\n"
+							 "%s: %d\r\n"
+							 "%s\r\n\r\n"
+							 "%s",
+							 http_version,
+							 http_type,
+							 http_len, content.len,
+							 http_conn,
+							 content.data
+				);
+
+			pfree(content.data);
+		}
+
+		do
+		{
+			n = send(fd, msg.data, msg.len, 0);
+		} while (n < 0 && errno == EINTR);
+
+		pfree(msg.data);
+
+		if (n < 0)
+			elog(DEBUG1, "could not send to client: %m");
+
+		return true;
+
+	}
+
+}

src/backend/utils/misc/guc_parameters.dat

@@ -106,6 +106,24 @@
   max => 'INT_MAX / 2',
 },
 
+{ name => 'expose_recovery', type => 'bool', context => 'PGC_SIGHUP', group => 'CLIENT_CONN_STATEMENT',
+  short_desc => 'Exposes if the server is in recovery mode without a login.',
+  variable => 'expose_recovery',
+  boot_val => 'false',
+},
+
+{ name => 'expose_sysid', type => 'bool', context => 'PGC_SIGHUP', group => 'CLIENT_CONN_STATEMENT',
+  short_desc => 'Exposes the system identifier without a login.',
+  variable => 'expose_sysid',
+  boot_val => 'false',
+},
+
+{ name => 'expose_version', type => 'bool', context => 'PGC_SIGHUP', group => 'CLIENT_CONN_STATEMENT',
+  short_desc => 'Exposes the server version without a login.',
+  variable => 'expose_version',
+  boot_val => 'false',
+},
+
 { name => 'array_nulls', type => 'bool', context => 'PGC_USERSET', group => 'COMPAT_OPTIONS_PREVIOUS',
   short_desc => 'Enables input of NULL elements in arrays.',
   long_desc => 'When turned on, unquoted NULL in an array input value means a null value; otherwise it is taken literally.',

src/backend/utils/misc/postgresql.conf.sample

@@ -91,6 +91,14 @@
 					# disconnection while running queries;
 					# 0 for never
 
+
+# - Expose information -
+
+#expose_recovery = off
+#expose_sysid = off
+#expose_version = off
+
+
 # - Authentication -
 
 #authentication_timeout = 1min		# 1s-600s

src/include/postmaster/postmaster.h

@@ -70,6 +70,10 @@ extern PGDLLIMPORT bool restart_after_crash;
 extern PGDLLIMPORT bool remove_temp_files_after_crash;
 extern PGDLLIMPORT bool send_abort_for_crash;
 extern PGDLLIMPORT bool send_abort_for_kill;
+extern PGDLLIMPORT bool expose_recovery;
+extern PGDLLIMPORT bool expose_sysid;
+extern PGDLLIMPORT bool expose_version;
+
 
 #ifdef WIN32
 extern PGDLLIMPORT HANDLE PostmasterHandle;

src/test/modules/test_misc/meson.build

@@ -18,6 +18,7 @@ tests += {
       't/007_catcache_inval.pl',
       't/008_replslot_single_user.pl',
       't/009_log_temp_files.pl',
+      't/010_expose.pl',
     ],
   },
 }