Module pgwire

Postgres wire endpoint. Trust by default; MD5 with pgwire_users; TLS with pgwire_tls_cert + pgwire_tls_key. Non-loopback binds require pgwire_allow_remote = true.

Structs

ActiveCursor 🔒
ConnState 🔒
CursorInner 🔒
State that shares the cursor's lifetime: the portal, the leftover-row buffer, and the exhausted flag. Held by Arc so a row stream can keep reading after ConnState::get returns.
FailureTracker 🔒
Rolling-window auth-failure count per peer IP.
LaminarAuthSource 🔒
Per-call salt + stored credential for the MD5 challenge flow. The stored value is either plaintext (legacy) or md5<32-hex>, the same format Postgres' pg_authid uses, where the hex is md5(password ‖ user). The pre-hashed form lets operators avoid plaintext at rest.
LaminarHandlerFactory
LaminarPgwireHandler
LaminarQueryParser
Resolves SQL to LaminarStmt, looking up stream schemas against the live LaminarDB so the extended-query Describe returns columns without running the query.
TlsConfigPaths 🔒
Owned counterpart to TlsPaths that the listener keeps for the lifetime of serve() so the file watcher can rebuild the acceptor without the original config still being in scope.
TlsPaths
TlsReloadState
Live TLS acceptor + paths needed to rebuild it on cert rotation. Reads on the accept path are a single mutex acquire and a cheap TlsAcceptor clone; reloads are triggered by the file watcher.

Enums

FetchTarget 🔒
LaminarStmt
Parsed statement carried through Parse → Bind → Execute.
StartupAuth 🔒
Startup-phase dispatch. Md5 requires password auth; Trust accepts any connection. Selected once at listener startup based on whether pgwire_users is non-empty.
TlsMinVersion
Minimum TLS protocol version accepted on the pgwire listener. rustls already disables TLS 1.0/1.1; this narrows further when an operator needs TLS 1.3 only.

Constants

MAX_TRACKED_IPS 🔒

Functions

apply_set 🔒
SET handling. We thread plain SET name = value to the engine's session-property store, and refuse SET TRANSACTION-class statements since we don't honor isolation levels.
arrow_to_pg_type 🔒
build_client_cert_verifier 🔒
check_cert_expiry 🔒
Reject certs past notAfter; warn within 30 days.
classify_outcome 🔒
Stable audit code for a session's exit status.
driver_select_response 🔒
Handle the SELECTs drivers issue at connect time. Single literal, SELECT version(), and SELECT current_schema() are answered inline. Anything else is rejected — real queries belong on /api/v1/sql.
encode_batch 🔒
encode_field_binary 🔒
Binary-encode a single Arrow value via postgres-types ToSql.
encode_field_text 🔒
encode_row 🔒
engine_metadata_response 🔒
Run a SHOW through the engine and stream its RecordBatch to the wire.
ensure_tls_provider 🔒
Idempotent install of aws-lc-rs as rustls' default provider.
fetch_direction_count 🔒
FETCH NEXT and bare FETCH FORWARD map to a single row, matching PG.
fetch_response 🔒
Strict-PG FETCH: blocks until target rows are produced, the pump exits, or the broadcast lags. Lag/exit flips cursor.inner.exhausted so the next evict_idle_peer reaps the cursor. Text format only; SimpleQuery has no binary. Leftover rows from a multi-row frame stay in cursor.inner.pending so successive FETCHes consume the frame in order.
field_infos 🔒
Build pgwire FieldInfos from an Arrow schema. result_format (from a Bind) sets per-column text/binary; None defaults all-text.
handle_close 🔒
handle_declare_cursor 🔒
Open a SUBSCRIBE behind a cursor name. Rejects with 42P03 if the name is already in use on this connection (matches PG; user must CLOSE first).
handle_fetch 🔒
list_text_elements 🔒
Owned elements of a List<Utf8|LargeUtf8> row, NULLs preserved.
load_tls_acceptor 🔒
open_portal_for_subscribe 🔒
outer_md5_challenge 🔒
MD5 challenge response when only the inner hash is known: the client sends md5{hex(md5(inner_hex || salt))} and the server precomputes the same string for comparison.
parse_pre_hashed_md5 🔒
If stored is a pg_authid-style pre-hash, return the inner hex (the bit after the md5 tag). Lowercase hex only; uppercase or other lengths fall back to plaintext handling.
pg_text_array_literal 🔒
Postgres text[] literal, e.g. {"en","ja",NULL}. Every element is quoted (NULL excepted) so commas/braces/quotes in values are unambiguous.
record_batch_response 🔒
serve
show_sql 🔒
Reconstruct a single SHOW statement from the parsed variant. Used by the pgwire dispatcher so a multi-statement query (SHOW SOURCES; SHOW SINKS) re-executes only the matching statement, not the whole input string.
standard_or_cursor_response 🔒
Wraps the original standard_response and intercepts cursor / transaction statements that need ConnState. Anything else falls through to the existing handler unchanged.
standard_response 🔒
Connection-setup statements: transaction control, SET, and a tiny set of catalog probes drivers send during handshake. Anything DDL/DML hits the “use HTTP” error.
stream_subscribe_flushing 🔒
Stream a SUBSCRIBE, flushing the Sink after every batch.
subscription_query_response 🔒
Wrap a SubscriptionPortal in a pgwire Response::Query so the framework can chunk via Execute(max_rows) and emit PortalSuspended automatically. Used by the chunked extended-query path.
text_response 🔒
Single-row text response with one column.
try_reload_tls 🔒
Rebuild the TLS acceptor from state.paths and atomically swap it in. On any error the previous acceptor is left in place, so a bad rotation (truncated file, expired cert) doesn't take TLS down.
unsupported_select 🔒
user_error 🔒
value_to_u64 🔒
warn_if_key_world_readable 🔒
Warn if the key file is group/other-readable.
watch_tls_files 🔒
Watch the cert / key / client-CA files and call try_reload_tls after debounced changes. Mirrors the pattern in watcher.rs (parent-dir watch, debounce, then act). Runs until the channel closes; the caller drives shutdown by aborting the task that owns this future.

Type Aliases

Md5Handler 🔒