diff --git a/contrib/passwordcheck/expected/passwordcheck.out b/contrib/passwordcheck/expected/passwordcheck.out index 2027681daf..8f1f0baaab 100644 --- a/contrib/passwordcheck/expected/passwordcheck.out +++ b/contrib/passwordcheck/expected/passwordcheck.out @@ -1,9 +1,10 @@ LOAD 'passwordcheck'; +SET passwordcheck.min_password_length = 12; CREATE USER regress_passwordcheck_user1; -- ok ALTER USER regress_passwordcheck_user1 PASSWORD 'a_nice_long_password'; -- error: too short -ALTER USER regress_passwordcheck_user1 PASSWORD 'tooshrt'; +ALTER USER regress_passwordcheck_user1 PASSWORD 'tooshort'; ERROR: password is too short -- error: contains user name ALTER USER regress_passwordcheck_user1 PASSWORD 'xyzregress_passwordcheck_user1'; diff --git a/contrib/passwordcheck/passwordcheck.c b/contrib/passwordcheck/passwordcheck.c index 0785618f2a..f9a2c2db33 100644 --- a/contrib/passwordcheck/passwordcheck.c +++ b/contrib/passwordcheck/passwordcheck.c @@ -20,17 +20,23 @@ #include #endif +#include "commands/explain.h" #include "commands/user.h" #include "fmgr.h" #include "libpq/crypt.h" +#include "mb/pg_wchar.h" +#include "utils/guc.h" PG_MODULE_MAGIC; /* Saved hook value in case of unload */ static check_password_hook_type prev_check_password_hook = NULL; -/* passwords shorter than this will be rejected */ -#define MIN_PWD_LENGTH 8 +/* GUC variables */ +static int min_pwd_len; + +/* Max password length */ +#define PG_MAX_PASSWORD_LENGTH 128 /* * check_password @@ -93,7 +99,7 @@ check_password(const char *username, #endif /* enforce minimum length */ - if (pwdlen < MIN_PWD_LENGTH) + if (pwdlen < min_pwd_len) ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE), errmsg("password is too short"))); @@ -142,6 +148,21 @@ check_password(const char *username, void _PG_init(void) { + /* Define custom GUC variables. */ + DefineCustomIntVariable("passwordcheck.min_password_length", + "Sets the minimum allowed password length.", + NULL, + &min_pwd_len, + 8, + 8, PG_MAX_PASSWORD_LENGTH, + PGC_SUSET, + GUC_UNIT_BYTE, + NULL, + NULL, + NULL); + + MarkGUCPrefixReserved("passwordcheck"); + /* activate password checks when the module is loaded */ prev_check_password_hook = check_password_hook; check_password_hook = check_password; diff --git a/contrib/passwordcheck/sql/passwordcheck.sql b/contrib/passwordcheck/sql/passwordcheck.sql deleted file mode 100644 index 1fbd6b0e96..0000000000 --- a/contrib/passwordcheck/sql/passwordcheck.sql +++ /dev/null @@ -1,23 +0,0 @@ -LOAD 'passwordcheck'; - -CREATE USER regress_passwordcheck_user1; - --- ok -ALTER USER regress_passwordcheck_user1 PASSWORD 'a_nice_long_password'; - --- error: too short -ALTER USER regress_passwordcheck_user1 PASSWORD 'tooshrt'; - --- error: contains user name -ALTER USER regress_passwordcheck_user1 PASSWORD 'xyzregress_passwordcheck_user1'; - --- error: contains only letters -ALTER USER regress_passwordcheck_user1 PASSWORD 'alessnicelongpassword'; - --- encrypted ok (password is "secret") -ALTER USER regress_passwordcheck_user1 PASSWORD 'md592350e12ac34e52dd598f90893bb3ae7'; - --- error: password is user name -ALTER USER regress_passwordcheck_user1 PASSWORD 'md507a112732ed9f2087fa90b192d44e358'; - -DROP USER regress_passwordcheck_user1; diff --git a/doc/src/sgml/passwordcheck.sgml b/doc/src/sgml/passwordcheck.sgml index 601f489227..160553b8e9 100644 --- a/doc/src/sgml/passwordcheck.sgml +++ b/doc/src/sgml/passwordcheck.sgml @@ -59,4 +59,30 @@ + + Configuration Parameters + + + There is a configuration parameter that control the behavior of + passwordcheck. This is the minumum password length. + + + + + + passwordcheck.min_password_length (integer) + + passwordcheck.min_password_length configuration parameter + + + + + passwordcheck.min_password_length is the minimum length + of accepted password on database users. + If not setted the default is 8. + + + + +