Improve DNS lookup error handling. (#615)

DimCitus · web-flow · commit 742c4985a4ef · 2021-03-08T13:01:54.000+01:00
diff --git a/src/bin/pg_autoctl/cli_create_drop_node.c b/src/bin/pg_autoctl/cli_create_drop_node.c
@@ -1397,8 +1397,8 @@ check_hostname(const char *hostname)
 	}
 	else
 	{
-		char cidr[BUFSIZE];
-		char ipaddr[BUFSIZE];
+		char cidr[BUFSIZE] = { 0 };
+		char ipaddr[BUFSIZE] = { 0 };
 
 		if (!fetchLocalCIDR(hostname, cidr, BUFSIZE))
 		{
@@ -1407,7 +1407,9 @@ check_hostname(const char *hostname)
 					 hostname);
 		}
 
+		bool useHostname = false;
+
 		/* use pghba_check_hostname for log diagnostics */
-		(void) pghba_check_hostname(hostname, ipaddr, sizeof(ipaddr));
+		(void) pghba_check_hostname(hostname, ipaddr, BUFSIZE, &useHostname);
 	}
 }
diff --git a/src/bin/pg_autoctl/cli_do_show.c b/src/bin/pg_autoctl/cli_do_show.c
@@ -307,7 +307,7 @@ static void
 cli_show_reverse(int argc, char **argv)
 {
 	char ipaddr[BUFSIZE] = { 0 };
-
+	bool foundHostnameFromAddress = false;
 
 	if (argc != 1)
 	{
@@ -324,7 +324,9 @@ cli_show_reverse(int argc, char **argv)
 		exit(EXIT_CODE_BAD_ARGS);
 	}
 
-	if (!resolveHostnameForwardAndReverse(hostname, ipaddr, sizeof(ipaddr)))
+	if (!resolveHostnameForwardAndReverse(hostname, ipaddr, sizeof(ipaddr),
+										  &foundHostnameFromAddress) ||
+		!foundHostnameFromAddress)
 	{
 		log_fatal("Failed to find an IP address for hostname \"%s\" that "
 				  "matches hostname again in a reverse-DNS lookup.",
diff --git a/src/bin/pg_autoctl/ipaddr.c b/src/bin/pg_autoctl/ipaddr.c
@@ -679,13 +679,15 @@ findHostnameFromLocalIpAddress(char *localIpAddress, char *hostname, int size)
  * of the IP addresses that our hostname forward-DNS query returns.
  */
 bool
-resolveHostnameForwardAndReverse(const char *hostname, char *ipaddr, int size)
+resolveHostnameForwardAndReverse(const char *hostname, char *ipaddr, int size,
+								 bool *foundHostnameFromAddress)
 {
 	struct addrinfo *lookup, *ai;
 
-	bool foundHostnameFromAddress = false;
+	*foundHostnameFromAddress = false;
 
 	int error = getaddrinfo(hostname, NULL, 0, &lookup);
+
 	if (error != 0)
 	{
 		log_warn("Failed to resolve DNS name \"%s\": %s",
@@ -733,13 +735,13 @@ resolveHostnameForwardAndReverse(const char *hostname, char *ipaddr, int size)
 		/* compare reverse-DNS lookup result with our hostname */
 		if (strcmp(hbuf, hostname) == 0)
 		{
-			foundHostnameFromAddress = true;
+			*foundHostnameFromAddress = true;
 			break;
 		}
 	}
 	freeaddrinfo(lookup);
 
-	return foundHostnameFromAddress;
+	return true;
 }
 
 
diff --git a/src/bin/pg_autoctl/ipaddr.h b/src/bin/pg_autoctl/ipaddr.h
@@ -31,7 +31,8 @@ bool findHostnameFromLocalIpAddress(char *localIpAddress,
 									char *hostname, int size);
 
 bool resolveHostnameForwardAndReverse(const char *hostname,
-									  char *ipaddr, int size);
+									  char *ipaddr, int size,
+									  bool *foundHostnameFromAddress);
 
 bool ipaddrGetLocalHostname(char *hostname, size_t size);
 
diff --git a/src/bin/pg_autoctl/pghba.c b/src/bin/pg_autoctl/pghba.c
@@ -130,7 +130,12 @@ pghba_ensure_host_rule_exists(const char *hbaFilePath,
 	 *
 	 * HBA & DNS is hard.
 	 */
-	bool useHostname = pghba_check_hostname(host, ipaddr, sizeof(ipaddr));
+	bool useHostname = false;
+
+	if (!pghba_check_hostname(host, ipaddr, sizeof(ipaddr), &useHostname))
+	{
+		/* errors have already been logged (DNS failure) */
+	}
 
 	if (!useHostname)
 	{
@@ -331,8 +336,11 @@ pghba_ensure_host_rules_exist(const char *hbaFilePath,
 			 *
 			 * HBA & DNS is hard.
 			 */
-			useHostname =
-				pghba_check_hostname(node->host, ipaddr, sizeof(ipaddr));
+			if (!pghba_check_hostname(node->host, ipaddr, sizeof(ipaddr),
+									  &useHostname))
+			{
+				/* errors have already been logged (DNS failure) */
+			}
 
 			if (!useHostname)
 			{
@@ -709,7 +717,8 @@ pghba_enable_lan_cidr(PGSQL *pgsql,
  * resolve an IP address.)
  */
 bool
-pghba_check_hostname(const char *hostname, char *ipaddr, size_t size)
+pghba_check_hostname(const char *hostname,
+					 char *ipaddr, size_t size, bool *useHostname)
 {
 	/*
 	 * IP addresses do not require any DNS properties/lookups. Also hostname
@@ -720,27 +729,43 @@ pghba_check_hostname(const char *hostname, char *ipaddr, size_t size)
 	 */
 	if (strchr(hostname, '/') || ip_address_type(hostname) != IPTYPE_NONE)
 	{
+		*useHostname = true;
 		return true;
 	}
 
-	if (!resolveHostnameForwardAndReverse(hostname, ipaddr, size))
+	bool foundHostnameFromAddress = false;
+
+	if (!resolveHostnameForwardAndReverse(hostname, ipaddr, size,
+										  &foundHostnameFromAddress))
 	{
-		/* warn users about possible DNS misconfiguration */
-		log_warn("Failed to resolve hostname \"%s\" to an IP address that "
-				 "resolves back to the hostname on a reverse DNS lookup.",
-				 hostname);
+		/* errors have already been logged (DNS failure) */
+		*useHostname = true;
+		return false;
+	}
 
-		log_warn("Postgres might deny connection attempts from \"%s\", "
-				 "even with the new HBA rules.",
-				 hostname);
+	if (foundHostnameFromAddress)
+	{
+		*useHostname = true;
 
-		log_warn("Hint: correct setup of HBA with host names requires proper "
-				 "reverse DNS setup. You might want to use IP addresses.");
+		log_debug("pghba_check_hostname: \"%s\" <-> %s", hostname, ipaddr);
 
-		return false;
+		return true;
 	}
 
-	log_debug("pghba_check_hostname: \"%s\" <-> %s", hostname, ipaddr);
+	*useHostname = false;
+
+	/* warn users about possible DNS misconfiguration */
+	log_warn("Failed to resolve hostname \"%s\" to an IP address that "
+			 "resolves back to the hostname on a reverse DNS lookup.",
+			 hostname);
+
+	log_warn("Postgres might deny connection attempts from \"%s\", "
+			 "even with the new HBA rules.",
+			 hostname);
+
+	log_warn("Hint: correct setup of HBA with host names requires proper "
+			 "reverse DNS setup. You might want to use IP addresses.");
 
+	/* we could successfully check that we should not use the hostname */
 	return true;
 }
diff --git a/src/bin/pg_autoctl/pghba.h b/src/bin/pg_autoctl/pghba.h
@@ -49,6 +49,7 @@ bool pghba_enable_lan_cidr(PGSQL *pgsql,
 						   HBAEditLevel hbaLevel,
 						   const char *pgdata);
 
-bool pghba_check_hostname(const char *hostname, char *ipaddr, size_t size);
+bool pghba_check_hostname(const char *hostname, char *ipaddr, size_t size,
+						  bool *useHostname);
 
 #endif /* PGHBA_H */

Original file line number	Diff line number	Diff line change
`@@ -1397,8 +1397,8 @@ check_hostname(const char *hostname)`
`1397`	`1397`	`}`
`1398`	`1398`	`else`
`1399`	`1399`	`{`
`1400`		`- char cidr[BUFSIZE];`
`1401`		`- char ipaddr[BUFSIZE];`
	`1400`	`+ char cidr[BUFSIZE] = { 0 };`
	`1401`	`+ char ipaddr[BUFSIZE] = { 0 };`
`1402`	`1402`
`1403`	`1403`	`if (!fetchLocalCIDR(hostname, cidr, BUFSIZE))`
`1404`	`1404`	`{`
`@@ -1407,7 +1407,9 @@ check_hostname(const char *hostname)`
`1407`	`1407`	`hostname);`
`1408`	`1408`	`}`
`1409`	`1409`
	`1410`	`+ bool useHostname = false;`
	`1411`	`+`
`1410`	`1412`	`/* use pghba_check_hostname for log diagnostics */`
`1411`		`- (void) pghba_check_hostname(hostname, ipaddr, sizeof(ipaddr));`
	`1413`	`+ (void) pghba_check_hostname(hostname, ipaddr, BUFSIZE, &useHostname);`
`1412`	`1414`	`}`
`1413`	`1415`	`}`
Original file line number	Diff line number	Diff line change
`@@ -307,7 +307,7 @@ static void`
`307`	`307`	`cli_show_reverse(int argc, char **argv)`
`308`	`308`	`{`
`309`	`309`	`char ipaddr[BUFSIZE] = { 0 };`
`310`		`-`
	`310`	`+ bool foundHostnameFromAddress = false;`
`311`	`311`
`312`	`312`	`if (argc != 1)`
`313`	`313`	`{`
`@@ -324,7 +324,9 @@ cli_show_reverse(int argc, char **argv)`
`324`	`324`	`exit(EXIT_CODE_BAD_ARGS);`
`325`	`325`	`}`
`326`	`326`
`327`		`- if (!resolveHostnameForwardAndReverse(hostname, ipaddr, sizeof(ipaddr)))`
	`327`	`+ if (!resolveHostnameForwardAndReverse(hostname, ipaddr, sizeof(ipaddr),`
	`328`	`+ &foundHostnameFromAddress) \|\|`
	`329`	`+ !foundHostnameFromAddress)`
`328`	`330`	`{`
`329`	`331`	`log_fatal("Failed to find an IP address for hostname \"%s\" that "`
`330`	`332`	`"matches hostname again in a reverse-DNS lookup.",`
Original file line number	Diff line number	Diff line change
`@@ -679,13 +679,15 @@ findHostnameFromLocalIpAddress(char localIpAddress, char hostname, int size)`
`679`	`679`	`* of the IP addresses that our hostname forward-DNS query returns.`
`680`	`680`	`*/`
`681`	`681`	`bool`
`682`		`-resolveHostnameForwardAndReverse(const char hostname, char ipaddr, int size)`
	`682`	`+resolveHostnameForwardAndReverse(const char hostname, char ipaddr, int size,`
	`683`	`+ bool *foundHostnameFromAddress)`
`683`	`684`	`{`
`684`	`685`	`struct addrinfo lookup, ai;`
`685`	`686`
`686`		`- bool foundHostnameFromAddress = false;`
	`687`	`+ *foundHostnameFromAddress = false;`
`687`	`688`
`688`	`689`	`int error = getaddrinfo(hostname, NULL, 0, &lookup);`
	`690`	`+`
`689`	`691`	`if (error != 0)`
`690`	`692`	`{`
`691`	`693`	`log_warn("Failed to resolve DNS name \"%s\": %s",`
`@@ -733,13 +735,13 @@ resolveHostnameForwardAndReverse(const char hostname, char ipaddr, int size)`
`733`	`735`	`/* compare reverse-DNS lookup result with our hostname */`
`734`	`736`	`if (strcmp(hbuf, hostname) == 0)`
`735`	`737`	`{`
`736`		`- foundHostnameFromAddress = true;`
	`738`	`+ *foundHostnameFromAddress = true;`
`737`	`739`	`break;`
`738`	`740`	`}`
`739`	`741`	`}`
`740`	`742`	`freeaddrinfo(lookup);`
`741`	`743`
`742`		`- return foundHostnameFromAddress;`
	`744`	`+ return true;`
`743`	`745`	`}`
`744`	`746`
`745`	`747`