fix(pgwire): correctly handle and reject gssapi request (#15785)

Signed-off-by: Bugen Zhao <[email protected]>
risingwavelabs · Mar 22, 2024 · a34b4f8 · a34b4f8
1 parent bd9dcfc
commit a34b4f8
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/src/utils/pgwire/src/pg_message.rs b/src/utils/pgwire/src/pg_message.rs
@@ -32,6 +32,7 @@ use crate::types::Row;
 #[derive(Debug)]
 pub enum FeMessage {
     Ssl,
+    Gss,
     Startup(FeStartupMessage),
     Query(FeQueryMessage),
     Parse(FeParseMessage),
@@ -338,6 +339,7 @@ impl FeStartupMessage {
             196608 => Ok(FeMessage::Startup(FeStartupMessage::build_with_payload(
                 &payload,
             )?)),
+            80877104 => Ok(FeMessage::Gss),
             80877103 => Ok(FeMessage::Ssl),
             // Cancel request code.
             80877102 => FeCancelMessage::parse(Bytes::from(payload)),
@@ -382,7 +384,8 @@ pub enum BeMessage<'a> {
     CommandComplete(BeCommandCompleteMessage),
     NoticeResponse(&'a str),
     // Single byte - used in response to SSLRequest/GSSENCRequest.
-    EncryptionResponseYes,
+    EncryptionResponseSsl,
+    EncryptionResponseGss,
     EncryptionResponseNo,
     EmptyQueryResponse,
     ParseComplete,
@@ -637,10 +640,14 @@ impl<'a> BeMessage<'a> {
                 write_body(buf, |_| Ok(())).unwrap();
             }
 
-            BeMessage::EncryptionResponseYes => {
+            BeMessage::EncryptionResponseSsl => {
                 buf.put_u8(b'S');
             }
 
+            BeMessage::EncryptionResponseGss => {
+                buf.put_u8(b'G');
+            }
+
             BeMessage::EncryptionResponseNo => {
                 buf.put_u8(b'N');
             }

diff --git a/src/utils/pgwire/src/pg_protocol.rs b/src/utils/pgwire/src/pg_protocol.rs
@@ -385,6 +385,7 @@ where
         }
 
         match msg {
+            FeMessage::Gss => self.process_gss_msg().await?,
             FeMessage::Ssl => self.process_ssl_msg().await?,
             FeMessage::Startup(msg) => self.process_startup_msg(msg)?,
             FeMessage::Password(msg) => self.process_password_msg(msg).await?,
@@ -454,11 +455,17 @@ where
         ))
     }
 
+    async fn process_gss_msg(&mut self) -> PsqlResult<()> {
+        // We don't support GSSAPI, so we just say no gracefully.
+        self.stream.write(&BeMessage::EncryptionResponseNo).await?;
+        Ok(())
+    }
+
     async fn process_ssl_msg(&mut self) -> PsqlResult<()> {
         if let Some(context) = self.tls_context.as_ref() {
             // If got and ssl context, say yes for ssl connection.
             // Construct ssl stream and replace with current one.
-            self.stream.write(&BeMessage::EncryptionResponseYes).await?;
+            self.stream.write(&BeMessage::EncryptionResponseSsl).await?;
             let ssl_stream = self.stream.ssl(context).await?;
             self.stream = Conn::Ssl(ssl_stream);
         } else {