From 9278b2e18167060715f77a14c6a42058df79a69c Mon Sep 17 00:00:00 2001 From: Michael Paquier Date: Mon, 14 Nov 2016 18:24:10 +0900 Subject: [PATCH 6/9] Add clause PASSWORD (val USING protocol) to CREATE/ALTER ROLE This clause allows users to be able to enforce with which protocol a given password is used with. if the value given is already encrypted, the value is used as-is. This extension is useful to support future protocols, particularly SCRAM-SHA-256. --- doc/src/sgml/ref/alter_role.sgml | 10 +++++ doc/src/sgml/ref/create_role.sgml | 26 +++++++++++ src/backend/commands/user.c | 90 ++++++++++++++++++++++++++++++++++++--- src/backend/parser/gram.y | 7 +++ 4 files changed, 126 insertions(+), 7 deletions(-) diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml index da36ad9..43e45d50 100644 --- a/doc/src/sgml/ref/alter_role.sgml +++ b/doc/src/sgml/ref/alter_role.sgml @@ -34,6 +34,7 @@ ALTER ROLE role_specification [ WIT | BYPASSRLS | NOBYPASSRLS | CONNECTION LIMIT connlimit | [ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password' + | PASSWORD ( 'password' USING 'method' ) | VALID UNTIL 'timestamp' ALTER ROLE name RENAME TO new_name @@ -169,6 +170,7 @@ ALTER ROLE { role_specification | A NOBYPASSRLS CONNECTION LIMIT connlimit PASSWORD password + PASSWORD ( 'password' USING 'method' ) ENCRYPTED UNENCRYPTED VALID UNTIL 'timestamp' @@ -280,6 +282,14 @@ ALTER ROLE davide WITH PASSWORD 'hu8jmn3'; + Change a role's password using MD5-encryption: + + +ALTER ROLE lionel WITH PASSWORD ('hu8jmn3' USING 'md5'); + + + + Remove a role's password: diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml index 38cd4c8..25911ec 100644 --- a/doc/src/sgml/ref/create_role.sgml +++ b/doc/src/sgml/ref/create_role.sgml @@ -34,6 +34,7 @@ CREATE ROLE name [ [ WITH ] connlimit | [ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password' + | PASSWORD ( 'password' USING 'method' ) | VALID UNTIL 'timestamp' | IN ROLE role_name [, ...] | IN GROUP role_name [, ...] @@ -245,6 +246,23 @@ CREATE ROLE name [ [ WITH ] + PASSWORD ( 'password' USING 'method' ) + + + Sets the role's password using the requested method. (A password + is only of use for roles having the LOGIN + attribute, but you can nonetheless define one for roles without it.) + If you do not plan to use password authentication you can omit this + option. The methods supported are md5 to enforce + a password to be MD5-encrypted, and plain to use an + unencrypted password. If the password string is already in + MD5-encrypted format, then it is stored encrypted even if + plain is specified. + + + + + VALID UNTIL 'timestamp' @@ -426,6 +444,14 @@ CREATE USER davide WITH PASSWORD 'jw8s0F4'; + Create a role with a MD5-encrypted password: + + +CREATE USER lionel WITH PASSWORD ('asdh7as' USING 'md5'); + + + + Create a role with a password that is valid until the end of 2004. After one second has ticked in 2005, the password is no longer valid. diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index def8ea1..19eeb04 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -176,7 +176,8 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt) if (strcmp(defel->defname, "password") == 0 || strcmp(defel->defname, "encryptedPassword") == 0 || - strcmp(defel->defname, "unencryptedPassword") == 0) + strcmp(defel->defname, "unencryptedPassword") == 0 || + strcmp(defel->defname, "methodPassword") == 0) { if (dpassword) ereport(ERROR, @@ -184,10 +185,49 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt) errmsg("conflicting or redundant options"), parser_errposition(pstate, defel->location))); dpassword = defel; - if (strcmp(defel->defname, "encryptedPassword") == 0) + if (strcmp(defel->defname, "password") == 0) + { + /* + * Password type is enforced with GUC password_encryption + * here. + */ + if (dpassword && dpassword->arg) + password = strVal(dpassword->arg); + } + else if (strcmp(defel->defname, "encryptedPassword") == 0) + { password_type = PASSWORD_TYPE_MD5; + if (dpassword && dpassword->arg) + password = strVal(dpassword->arg); + } else if (strcmp(defel->defname, "unencryptedPassword") == 0) + { password_type = PASSWORD_TYPE_PLAINTEXT; + if (dpassword && dpassword->arg) + password = strVal(dpassword->arg); + } + else if (strcmp(defel->defname, "methodPassword") == 0) + { + /* + * This is a list of two elements, the password is first and + * then there is the method wanted by caller. + */ + if (dpassword && dpassword->arg) + { + char *method = strVal(lsecond((List *) dpassword->arg)); + + password = strVal(linitial((List *) dpassword->arg)); + + if (strcmp(method, "md5") == 0) + password_type = PASSWORD_TYPE_MD5; + else if (strcmp(method, "plain") == 0) + password_type = PASSWORD_TYPE_PLAINTEXT; + else + ereport(ERROR, + (errcode(ERRCODE_SYNTAX_ERROR), + errmsg("unsupported password method %s", method))); + } + } } else if (strcmp(defel->defname, "sysid") == 0) { @@ -307,8 +347,6 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt) defel->defname); } - if (dpassword && dpassword->arg) - password = strVal(dpassword->arg); if (dissuper) issuper = intVal(dissuper->arg) != 0; if (dinherit) @@ -582,6 +620,7 @@ AlterRole(AlterRoleStmt *stmt) if (strcmp(defel->defname, "password") == 0 || strcmp(defel->defname, "encryptedPassword") == 0 || + strcmp(defel->defname, "methodPassword") == 0 || strcmp(defel->defname, "unencryptedPassword") == 0) { if (dpassword) @@ -589,10 +628,49 @@ AlterRole(AlterRoleStmt *stmt) (errcode(ERRCODE_SYNTAX_ERROR), errmsg("conflicting or redundant options"))); dpassword = defel; - if (strcmp(defel->defname, "encryptedPassword") == 0) + if (strcmp(defel->defname, "password") == 0) + { + /* + * Password type is enforced with GUC password_encryption + * here. + */ + if (dpassword && dpassword->arg) + password = strVal(dpassword->arg); + } + else if (strcmp(defel->defname, "encryptedPassword") == 0) + { password_type = PASSWORD_TYPE_MD5; + if (dpassword && dpassword->arg) + password = strVal(dpassword->arg); + } else if (strcmp(defel->defname, "unencryptedPassword") == 0) + { password_type = PASSWORD_TYPE_PLAINTEXT; + if (dpassword && dpassword->arg) + password = strVal(dpassword->arg); + } + else if (strcmp(defel->defname, "methodPassword") == 0) + { + /* + * This is a list of two elements, the password is first and + * then there is the method wanted by caller. + */ + if (dpassword && dpassword->arg) + { + char *method = strVal(lsecond((List *) dpassword->arg)); + + if (strcmp(method, "md5") == 0) + password_type = PASSWORD_TYPE_MD5; + else if (strcmp(method, "plain") == 0) + password_type = PASSWORD_TYPE_PLAINTEXT; + else + ereport(ERROR, + (errcode(ERRCODE_SYNTAX_ERROR), + errmsg("unsupported password method %s", method))); + + password = strVal(linitial((List *) dpassword->arg)); + } + } } else if (strcmp(defel->defname, "superuser") == 0) { @@ -680,8 +758,6 @@ AlterRole(AlterRoleStmt *stmt) defel->defname); } - if (dpassword && dpassword->arg) - password = strVal(dpassword->arg); if (dissuper) issuper = intVal(dissuper->arg); if (dinherit) diff --git a/src/backend/parser/gram.y b/src/backend/parser/gram.y index 0ec1cd3..fad4571 100644 --- a/src/backend/parser/gram.y +++ b/src/backend/parser/gram.y @@ -938,6 +938,13 @@ AlterOptRoleElem: { $$ = makeDefElem("password", NULL, @1); } + | PASSWORD '(' Sconst USING Sconst ')' + { + $$ = makeDefElem("methodPassword", + (Node *)list_make2(makeString($3), + makeString($5)), + @1); + } | ENCRYPTED PASSWORD Sconst { $$ = makeDefElem("encryptedPassword", -- 2.10.2