From 48d9e4dda4a454c2bc3d909922a8374da52340cb Mon Sep 17 00:00:00 2001 From: Michael Paquier Date: Mon, 14 Nov 2016 18:24:10 +0900 Subject: [PATCH 3/8] Add clause PASSWORD (val USING protocol) to CREATE/ALTER ROLE This clause allows users to be able to enforce with which protocol a given password is used with. if the value given is already encrypted, the value is used as-is. This extension is useful to support future protocols, particularly SCRAM-SHA-256. --- doc/src/sgml/ref/alter_role.sgml | 10 +++++ doc/src/sgml/ref/create_role.sgml | 26 +++++++++++ src/backend/commands/user.c | 90 ++++++++++++++++++++++++++++++++++++--- src/backend/parser/gram.y | 7 +++ 4 files changed, 126 insertions(+), 7 deletions(-) diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml index da36ad9696..43e45d504d 100644 --- a/doc/src/sgml/ref/alter_role.sgml +++ b/doc/src/sgml/ref/alter_role.sgml @@ -34,6 +34,7 @@ ALTER ROLE role_specification [ WIT | BYPASSRLS | NOBYPASSRLS | CONNECTION LIMIT connlimit | [ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password' + | PASSWORD ( 'password' USING 'method' ) | VALID UNTIL 'timestamp' ALTER ROLE name RENAME TO new_name @@ -169,6 +170,7 @@ ALTER ROLE { role_specification | A NOBYPASSRLS CONNECTION LIMIT connlimit PASSWORD password + PASSWORD ( 'password' USING 'method' ) ENCRYPTED UNENCRYPTED VALID UNTIL 'timestamp' @@ -280,6 +282,14 @@ ALTER ROLE davide WITH PASSWORD 'hu8jmn3'; + Change a role's password using MD5-encryption: + + +ALTER ROLE lionel WITH PASSWORD ('hu8jmn3' USING 'md5'); + + + + Remove a role's password: diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml index 2ae576ede6..be87a211c8 100644 --- a/doc/src/sgml/ref/create_role.sgml +++ b/doc/src/sgml/ref/create_role.sgml @@ -34,6 +34,7 @@ CREATE ROLE name [ [ WITH ] connlimit | [ ENCRYPTED | UNENCRYPTED ] PASSWORD 'password' + | PASSWORD ( 'password' USING 'method' ) | VALID UNTIL 'timestamp' | IN ROLE role_name [, ...] | IN GROUP role_name [, ...] @@ -242,6 +243,23 @@ CREATE ROLE name [ [ WITH ] + PASSWORD ( 'password' USING 'method' ) + + + Sets the role's password using the requested method. (A password + is only of use for roles having the LOGIN + attribute, but you can nonetheless define one for roles without it.) + If you do not plan to use password authentication you can omit this + option. The methods supported are md5 to enforce + a password to be MD5-encrypted, and plain to use an + unencrypted password. If the password string is already in + MD5-encrypted format, then it is stored encrypted even if + plain is specified. + + + + + VALID UNTIL 'timestamp' @@ -423,6 +441,14 @@ CREATE USER davide WITH PASSWORD 'jw8s0F4'; + Create a role with a MD5-encrypted password: + + +CREATE USER lionel WITH PASSWORD ('asdh7as' USING 'md5'); + + + + Create a role with a password that is valid until the end of 2004. After one second has ticked in 2005, the password is no longer valid. diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index 994c093250..6fca7e16bd 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -130,7 +130,8 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt) if (strcmp(defel->defname, "password") == 0 || strcmp(defel->defname, "encryptedPassword") == 0 || - strcmp(defel->defname, "unencryptedPassword") == 0) + strcmp(defel->defname, "unencryptedPassword") == 0 || + strcmp(defel->defname, "methodPassword") == 0) { if (dpassword) ereport(ERROR, @@ -138,10 +139,49 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt) errmsg("conflicting or redundant options"), parser_errposition(pstate, defel->location))); dpassword = defel; - if (strcmp(defel->defname, "encryptedPassword") == 0) + if (strcmp(defel->defname, "password") == 0) + { + /* + * Password type is enforced with GUC password_encryption + * here. + */ + if (dpassword && dpassword->arg) + password = strVal(dpassword->arg); + } + else if (strcmp(defel->defname, "encryptedPassword") == 0) + { password_type = PASSWORD_TYPE_MD5; + if (dpassword && dpassword->arg) + password = strVal(dpassword->arg); + } else if (strcmp(defel->defname, "unencryptedPassword") == 0) + { password_type = PASSWORD_TYPE_PLAINTEXT; + if (dpassword && dpassword->arg) + password = strVal(dpassword->arg); + } + else if (strcmp(defel->defname, "methodPassword") == 0) + { + /* + * This is a list of two elements, the password is first and + * then there is the method wanted by caller. + */ + if (dpassword && dpassword->arg) + { + char *method = strVal(lsecond((List *) dpassword->arg)); + + password = strVal(linitial((List *) dpassword->arg)); + + if (strcmp(method, "md5") == 0) + password_type = PASSWORD_TYPE_MD5; + else if (strcmp(method, "plain") == 0) + password_type = PASSWORD_TYPE_PLAINTEXT; + else + ereport(ERROR, + (errcode(ERRCODE_SYNTAX_ERROR), + errmsg("unsupported password method %s", method))); + } + } } else if (strcmp(defel->defname, "sysid") == 0) { @@ -261,8 +301,6 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt) defel->defname); } - if (dpassword && dpassword->arg) - password = strVal(dpassword->arg); if (dissuper) issuper = intVal(dissuper->arg) != 0; if (dinherit) @@ -534,6 +572,7 @@ AlterRole(AlterRoleStmt *stmt) if (strcmp(defel->defname, "password") == 0 || strcmp(defel->defname, "encryptedPassword") == 0 || + strcmp(defel->defname, "methodPassword") == 0 || strcmp(defel->defname, "unencryptedPassword") == 0) { if (dpassword) @@ -541,10 +580,49 @@ AlterRole(AlterRoleStmt *stmt) (errcode(ERRCODE_SYNTAX_ERROR), errmsg("conflicting or redundant options"))); dpassword = defel; - if (strcmp(defel->defname, "encryptedPassword") == 0) + if (strcmp(defel->defname, "password") == 0) + { + /* + * Password type is enforced with GUC password_encryption + * here. + */ + if (dpassword && dpassword->arg) + password = strVal(dpassword->arg); + } + else if (strcmp(defel->defname, "encryptedPassword") == 0) + { password_type = PASSWORD_TYPE_MD5; + if (dpassword && dpassword->arg) + password = strVal(dpassword->arg); + } else if (strcmp(defel->defname, "unencryptedPassword") == 0) + { password_type = PASSWORD_TYPE_PLAINTEXT; + if (dpassword && dpassword->arg) + password = strVal(dpassword->arg); + } + else if (strcmp(defel->defname, "methodPassword") == 0) + { + /* + * This is a list of two elements, the password is first and + * then there is the method wanted by caller. + */ + if (dpassword && dpassword->arg) + { + char *method = strVal(lsecond((List *) dpassword->arg)); + + if (strcmp(method, "md5") == 0) + password_type = PASSWORD_TYPE_MD5; + else if (strcmp(method, "plain") == 0) + password_type = PASSWORD_TYPE_PLAINTEXT; + else + ereport(ERROR, + (errcode(ERRCODE_SYNTAX_ERROR), + errmsg("unsupported password method %s", method))); + + password = strVal(linitial((List *) dpassword->arg)); + } + } } else if (strcmp(defel->defname, "superuser") == 0) { @@ -632,8 +710,6 @@ AlterRole(AlterRoleStmt *stmt) defel->defname); } - if (dpassword && dpassword->arg) - password = strVal(dpassword->arg); if (dissuper) issuper = intVal(dissuper->arg); if (dinherit) diff --git a/src/backend/parser/gram.y b/src/backend/parser/gram.y index e833b2eba5..c519128389 100644 --- a/src/backend/parser/gram.y +++ b/src/backend/parser/gram.y @@ -987,6 +987,13 @@ AlterOptRoleElem: { $$ = makeDefElem("password", NULL, @1); } + | PASSWORD '(' Sconst USING Sconst ')' + { + $$ = makeDefElem("methodPassword", + (Node *)list_make2(makeString($3), + makeString($5)), + @1); + } | ENCRYPTED PASSWORD Sconst { $$ = makeDefElem("encryptedPassword", -- 2.12.0