aws / pg_tle

Framework for building trusted language extensions for PostgreSQL
Apache License 2.0
337 stars 31 forks source link

Login attempts could repeat depending on SSLMode and leads to incorrect count of attempts #274

Closed TianzeMYou closed 3 months ago

TianzeMYou commented 7 months ago

Description

For the lockout-after-a-specific-number-of-login-attempts example, login attempts could increment by 2 depending on SSLMode

https://www.postgresql.org/message-id/flat/17032-7ad69968e744de35%40postgresql.org#:~:text=It%20tries%20to%20connect%20with%20encryption%20and%20fails%2C%20then%20tries%20to%20connect%0Awithout%20encryption%20and%20also%20fails

Steps to reproduce

Run the example here with sslmode set to allow/prefer https://github.com/aws/pg_tle/blob/main/examples/client_lockout/client_lockout--1.0.sql

Expected outcome

Client should be locked out after 5 attempts

Actual outcome

Client is locked out before 5 attempts

Analysis

Could potentially check the SSLMode in hook sql, which requires a C code change. https://github.com/aws/pg_tle/blob/main/src/clientauth.c#L144-L166

adamguo0 commented 7 months ago

Since this is an expected and documented client-side behaviour [1], we shouldn't try to change this on the pg_tle side. However it's worth adding a note in the example for users to be aware.

[1] https://www.postgresql.org/docs/devel/libpq-connect.html#LIBPQ-CONNECT-SSLMODE