use crate::codec::{BackendMessage, BackendMessages, FrontendMessage, PostgresCodec}; use crate::config::Config; use crate::connect_tls::connect_tls; use crate::maybe_tls_stream::MaybeTlsStream; use crate::tls::{ChannelBinding, TlsConnect}; use crate::{Client, Connection, Error}; use fallible_iterator::FallibleIterator; use futures::channel::mpsc; use futures::{ready, Sink, SinkExt, Stream, TryStreamExt}; use postgres_protocol::authentication; use postgres_protocol::authentication::sasl; use postgres_protocol::authentication::sasl::ScramSha256; use postgres_protocol::message::backend::{AuthenticationSaslBody, Message}; use postgres_protocol::message::frontend; use std::collections::HashMap; use std::io; use std::pin::Pin; use std::task::{Context, Poll}; use tokio::codec::Framed; use tokio::io::{AsyncRead, AsyncWrite}; pub struct StartupStream { inner: Framed, PostgresCodec>, buf: BackendMessages, } impl Sink for StartupStream where S: AsyncRead + AsyncWrite + Unpin, T: AsyncRead + AsyncWrite + Unpin, { type Error = io::Error; fn poll_ready(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll> { Pin::new(&mut self.inner).poll_ready(cx) } fn start_send(mut self: Pin<&mut Self>, item: FrontendMessage) -> io::Result<()> { Pin::new(&mut self.inner).start_send(item) } fn poll_flush(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll> { Pin::new(&mut self.inner).poll_flush(cx) } fn poll_close(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll> { Pin::new(&mut self.inner).poll_close(cx) } } impl Stream for StartupStream where S: AsyncRead + AsyncWrite + Unpin, T: AsyncRead + AsyncWrite + Unpin, { type Item = io::Result; fn poll_next( mut self: Pin<&mut Self>, cx: &mut Context<'_>, ) -> Poll>> { loop { match self.buf.next() { Ok(Some(message)) => return Poll::Ready(Some(Ok(message))), Ok(None) => {} Err(e) => return Poll::Ready(Some(Err(e))), } match ready!(Pin::new(&mut self.inner).poll_next(cx)) { Some(Ok(BackendMessage::Normal { messages, .. })) => self.buf = messages, Some(Ok(BackendMessage::Async(message))) => return Poll::Ready(Some(Ok(message))), Some(Err(e)) => return Poll::Ready(Some(Err(e))), None => return Poll::Ready(None), } } } } pub async fn connect_raw( stream: S, tls: T, config: &Config, ) -> Result<(Client, Connection), Error> where S: AsyncRead + AsyncWrite + Unpin, T: TlsConnect, { let (stream, channel_binding) = connect_tls(stream, config.ssl_mode, tls).await?; let mut stream = StartupStream { inner: Framed::new(stream, PostgresCodec), buf: BackendMessages::empty(), }; startup(&mut stream, config).await?; authenticate(&mut stream, channel_binding, config).await?; let (process_id, secret_key, parameters) = read_info(&mut stream).await?; let (sender, receiver) = mpsc::unbounded(); let client = Client::new(sender, config.ssl_mode, process_id, secret_key); let connection = Connection::new(stream.inner, parameters, receiver); Ok((client, connection)) } async fn startup(stream: &mut StartupStream, config: &Config) -> Result<(), Error> where S: AsyncRead + AsyncWrite + Unpin, T: AsyncRead + AsyncWrite + Unpin, { let mut params = vec![("client_encoding", "UTF8"), ("timezone", "GMT")]; if let Some(user) = &config.user { params.push(("user", &**user)); } if let Some(dbname) = &config.dbname { params.push(("database", &**dbname)); } if let Some(options) = &config.options { params.push(("options", &**options)); } if let Some(application_name) = &config.application_name { params.push(("application_name", &**application_name)); } let mut buf = vec![]; frontend::startup_message(params, &mut buf).map_err(Error::encode)?; stream .send(FrontendMessage::Raw(buf)) .await .map_err(Error::io) } async fn authenticate( stream: &mut StartupStream, channel_binding: ChannelBinding, config: &Config, ) -> Result<(), Error> where S: AsyncRead + AsyncWrite + Unpin, T: AsyncRead + AsyncWrite + Unpin, { match stream.try_next().await.map_err(Error::io)? { Some(Message::AuthenticationOk) => return Ok(()), Some(Message::AuthenticationCleartextPassword) => { let pass = config .password .as_ref() .ok_or_else(|| Error::config("password missing".into()))?; authenticate_password(stream, pass).await?; } Some(Message::AuthenticationMd5Password(body)) => { let user = config .user .as_ref() .ok_or_else(|| Error::config("user missing".into()))?; let pass = config .password .as_ref() .ok_or_else(|| Error::config("password missing".into()))?; let output = authentication::md5_hash(user.as_bytes(), pass, body.salt()); authenticate_password(stream, output.as_bytes()).await?; } Some(Message::AuthenticationSasl(body)) => { let pass = config .password .as_ref() .ok_or_else(|| Error::config("password missing".into()))?; authenticate_sasl(stream, body, channel_binding, pass).await?; } Some(Message::AuthenticationKerberosV5) | Some(Message::AuthenticationScmCredential) | Some(Message::AuthenticationGss) | Some(Message::AuthenticationSspi) => { return Err(Error::authentication( "unsupported authentication method".into(), )) } Some(Message::ErrorResponse(body)) => return Err(Error::db(body)), Some(_) => return Err(Error::unexpected_message()), None => return Err(Error::closed()), } match stream.try_next().await.map_err(Error::io)? { Some(Message::AuthenticationOk) => Ok(()), Some(Message::ErrorResponse(body)) => Err(Error::db(body)), Some(_) => Err(Error::unexpected_message()), None => Err(Error::closed()), } } async fn authenticate_password( stream: &mut StartupStream, password: &[u8], ) -> Result<(), Error> where S: AsyncRead + AsyncWrite + Unpin, T: AsyncRead + AsyncWrite + Unpin, { let mut buf = vec![]; frontend::password_message(password, &mut buf).map_err(Error::encode)?; stream .send(FrontendMessage::Raw(buf)) .await .map_err(Error::io) } async fn authenticate_sasl( stream: &mut StartupStream, body: AuthenticationSaslBody, channel_binding: ChannelBinding, password: &[u8], ) -> Result<(), Error> where S: AsyncRead + AsyncWrite + Unpin, T: AsyncRead + AsyncWrite + Unpin, { let mut has_scram = false; let mut has_scram_plus = false; let mut mechanisms = body.mechanisms(); while let Some(mechanism) = mechanisms.next().map_err(Error::parse)? { match mechanism { sasl::SCRAM_SHA_256 => has_scram = true, sasl::SCRAM_SHA_256_PLUS => has_scram_plus = true, _ => {} } } let channel_binding = channel_binding .tls_server_end_point .map(sasl::ChannelBinding::tls_server_end_point); let (channel_binding, mechanism) = if has_scram_plus { match channel_binding { Some(channel_binding) => (channel_binding, sasl::SCRAM_SHA_256_PLUS), None => (sasl::ChannelBinding::unsupported(), sasl::SCRAM_SHA_256), } } else if has_scram { match channel_binding { Some(_) => (sasl::ChannelBinding::unrequested(), sasl::SCRAM_SHA_256), None => (sasl::ChannelBinding::unsupported(), sasl::SCRAM_SHA_256), } } else { return Err(Error::authentication("unsupported SASL mechanism".into())); }; let mut scram = ScramSha256::new(password, channel_binding); let mut buf = vec![]; frontend::sasl_initial_response(mechanism, scram.message(), &mut buf).map_err(Error::encode)?; stream .send(FrontendMessage::Raw(buf)) .await .map_err(Error::io)?; let body = match stream.try_next().await.map_err(Error::io)? { Some(Message::AuthenticationSaslContinue(body)) => body, Some(Message::ErrorResponse(body)) => return Err(Error::db(body)), Some(_) => return Err(Error::unexpected_message()), None => return Err(Error::closed()), }; scram .update(body.data()) .map_err(|e| Error::authentication(e.into()))?; let mut buf = vec![]; frontend::sasl_response(scram.message(), &mut buf).map_err(Error::encode)?; stream .send(FrontendMessage::Raw(buf)) .await .map_err(Error::io)?; let body = match stream.try_next().await.map_err(Error::io)? { Some(Message::AuthenticationSaslFinal(body)) => body, Some(Message::ErrorResponse(body)) => return Err(Error::db(body)), Some(_) => return Err(Error::unexpected_message()), None => return Err(Error::closed()), }; scram .finish(body.data()) .map_err(|e| Error::authentication(e.into()))?; Ok(()) } async fn read_info( stream: &mut StartupStream, ) -> Result<(i32, i32, HashMap), Error> where S: AsyncRead + AsyncWrite + Unpin, T: AsyncRead + AsyncWrite + Unpin, { let mut process_id = 0; let mut secret_key = 0; let mut parameters = HashMap::new(); loop { match stream.try_next().await.map_err(Error::io)? { Some(Message::BackendKeyData(body)) => { process_id = body.process_id(); secret_key = body.secret_key(); } Some(Message::ParameterStatus(body)) => { parameters.insert( body.name().map_err(Error::parse)?.to_string(), body.value().map_err(Error::parse)?.to_string(), ); } Some(Message::NoticeResponse(_)) => {} Some(Message::ReadyForQuery(_)) => return Ok((process_id, secret_key, parameters)), Some(Message::ErrorResponse(body)) => return Err(Error::db(body)), Some(_) => return Err(Error::unexpected_message()), None => return Err(Error::closed()), } } }