[BACKPORT 2.6] [#10943] YSQL: Masking ldapbindpasswd in logs after a…

…uthentication fails

Summary:
YSQL outputs the raw contents of ysql_hba.conf when LDAP authentication fails. These contents potentially include the ldapbindpasswd field which presents a security issue. This diff fixes that by masking this field when ysql_hba.conf is logged.

Before the logs upon LDAP authentication failure could display something like the following:

```
2021-12-22 20:06:24.177 PST [62208] FATAL:  LDAP authentication failed for user "riemann"
2021-12-22 20:06:24.177 PST [62208] DETAIL:  Connection matched pg_hba.conf line 5: "host all all 0.0.0.0/0  ldap ldapserver=ldap.yugabyte.com ldapbasedn="dc=yugabyte, dc=com" ldapsearchattribute=uid ldapbindpasswd=blahblah123"
```

After these changes the corresponding logs will have the ldapbindpasswd field masked as such:

```
2021-12-22 20:09:27.990 PST [3970] FATAL:  LDAP authentication failed for user "riemann"
2021-12-22 20:09:27.990 PST [3970] DETAIL:  Connection matched pg_hba.conf line 5: "host all all 0.0.0.0/0  ldap ldapserver=ldap.yugabyte.com ldapbasedn="dc=yugabyte, dc=com" ldapsearchattribute=uid ldapbindpasswd=***"
```

Original commit: 785b8e3
Original revision: D14508

Test Plan: Jenkins: rebase: 2.6

Reviewers: mihnea, smishra

Reviewed By: smishra

Subscribers: yql, smishra

Differential Revision: https://phabricator.dev.yugabyte.com/D14522

src/postgres/src/backend/libpq/auth.c

@@ -333,8 +333,12 @@ auth_failed(Port *port, int status, char *logdetail)
 			break;
 	}
 
+	char *line_to_print = port->hba->maskedline;
+	if (!line_to_print)
+		line_to_print = port->hba->rawline;
+
 	cdetail = psprintf(_("Connection matched pg_hba.conf line %d: \"%s\""),
-					   port->hba->linenumber, port->hba->rawline);
+					   port->hba->linenumber, line_to_print);
 	if (logdetail)
 		logdetail = psprintf("%s\n%s", logdetail, cdetail);
 	else

src/postgres/src/backend/libpq/hba.c

@@ -1705,6 +1705,51 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
 		parsedline->clientcert = true;
 	}
 
+	parsedline->maskedline = NULL;
+	if (parsedline->ldapbindpasswd)
+	{
+		/*
+		 * We manually mask ldapbindpasswd field of the the rawline
+		 * by creating a duplicate modified version of it and storing
+		 * that in the maskedline field
+		 */
+		static const char *passkey = "ldapbindpasswd=";
+		static const char *pass_replacement_string = "ldapbindpasswd=***";
+		char *passfield = strstr(parsedline->rawline, passkey);
+		Assert(passfield != NULL);
+
+		/*
+		 * Caching various string lengths
+		 */		
+		size_t total_len = strlen(parsedline->rawline);
+		size_t prefix_len = passfield - parsedline->rawline;
+		size_t passkey_len = strlen(passkey);
+		size_t passwd_len = strlen(parsedline->ldapbindpasswd);
+		size_t pass_replacement_string_len = strlen(pass_replacement_string);
+		size_t maskedlinelength = total_len - passkey_len - passwd_len
+									+ pass_replacement_string_len + 1;
+
+		parsedline->maskedline = palloc0(maskedlinelength);
+		size_t head = 0;
+		size_t copy_size = prefix_len;
+		strncpy(parsedline->maskedline + head, parsedline->rawline, copy_size);
+		head += copy_size;
+
+		copy_size = pass_replacement_string_len;
+		strncpy(parsedline->maskedline + head, 
+				pass_replacement_string, copy_size);
+		head += copy_size;
+
+		copy_size = total_len - prefix_len - passkey_len
+					- passwd_len;
+		strncpy(parsedline->maskedline + head, 
+				passfield + passkey_len
+				+ passwd_len, copy_size);
+		head += copy_size;
+
+		parsedline->maskedline[maskedlinelength - 1] = '\0';
+	}
+
 	return parsedline;
 }
 

src/postgres/src/include/libpq/hba.h

@@ -63,6 +63,7 @@ typedef struct HbaLine
 {
 	int			linenumber;
 	char	   *rawline;
+	char       *maskedline;
 	ConnType	conntype;
 	List	   *databases;
 	List	   *roles;