min_password_length_v6.patch
application/octet-stream
Filename: min_password_length_v6.patch
Type: application/octet-stream
Part: 0
Patch
Format: unified
Series: patch v6
| File | + | − |
|---|---|---|
| contrib/passwordcheck/expected/passwordcheck.out | 5 | 1 |
| contrib/passwordcheck/passwordcheck.c | 23 | 4 |
| contrib/passwordcheck/sql/passwordcheck.sql | 5 | 2 |
| doc/src/sgml/passwordcheck.sgml | 35 | 0 |
diff --git a/contrib/passwordcheck/expected/passwordcheck.out b/contrib/passwordcheck/expected/passwordcheck.out
index 2027681daf..a49b913e46 100644
--- a/contrib/passwordcheck/expected/passwordcheck.out
+++ b/contrib/passwordcheck/expected/passwordcheck.out
@@ -1,9 +1,13 @@
LOAD 'passwordcheck';
+SET passwordcheck.min_password_length = 12;
CREATE USER regress_passwordcheck_user1;
-- ok
ALTER USER regress_passwordcheck_user1 PASSWORD 'a_nice_long_password';
-- error: too short
-ALTER USER regress_passwordcheck_user1 PASSWORD 'tooshrt';
+ALTER USER regress_passwordcheck_user1 PASSWORD 'tooshort';
+ERROR: password is too short
+-- error: too short
+ALTER USER regress_passwordcheck_user1 PASSWORD 'äbcdefghijk';
ERROR: password is too short
-- error: contains user name
ALTER USER regress_passwordcheck_user1 PASSWORD 'xyzregress_passwordcheck_user1';
diff --git a/contrib/passwordcheck/passwordcheck.c b/contrib/passwordcheck/passwordcheck.c
index 0785618f2a..f4f90274b7 100644
--- a/contrib/passwordcheck/passwordcheck.c
+++ b/contrib/passwordcheck/passwordcheck.c
@@ -6,6 +6,8 @@
* Copyright (c) 2009-2024, PostgreSQL Global Development Group
*
* Author: Laurenz Albe <laurenz.albe@wien.gv.at>
+ * Author: Maurizio Boriani <maurizio@boriani.cloud>
+ * Author: Emanuele Musella <emamuse86@gmail.com>
*
* IDENTIFICATION
* contrib/passwordcheck/passwordcheck.c
@@ -20,17 +22,19 @@
#include <crack.h>
#endif
+#include "commands/explain.h"
#include "commands/user.h"
#include "fmgr.h"
#include "libpq/crypt.h"
+#include "utils/guc.h"
PG_MODULE_MAGIC;
/* Saved hook value in case of unload */
static check_password_hook_type prev_check_password_hook = NULL;
-/* passwords shorter than this will be rejected */
-#define MIN_PWD_LENGTH 8
+/* GUC variables */
+static int min_pwd_len;
/*
* check_password
@@ -84,7 +88,7 @@ check_password(const char *username,
* For unencrypted passwords we can perform better checks
*/
const char *password = shadow_pass;
- int pwdlen = strlen(password);
+ int pwdlen = pg_mbstrlen(password);
int i;
bool pwd_has_letter,
pwd_has_nonletter;
@@ -93,7 +97,7 @@ check_password(const char *username,
#endif
/* enforce minimum length */
- if (pwdlen < MIN_PWD_LENGTH)
+ if (pwdlen < min_pwd_len)
ereport(ERROR,
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
errmsg("password is too short")));
@@ -142,6 +146,21 @@ check_password(const char *username,
void
_PG_init(void)
{
+ /* Define custom GUC variables. */
+ DefineCustomIntVariable("passwordcheck.min_password_length",
+ "Sets the minimum allowed password length.",
+ NULL,
+ &min_pwd_len,
+ 8,
+ 0, INT_MAX,
+ PGC_SUSET,
+ GUC_UNIT_BYTE,
+ NULL,
+ NULL,
+ NULL);
+
+ MarkGUCPrefixReserved("passwordcheck");
+
/* activate password checks when the module is loaded */
prev_check_password_hook = check_password_hook;
check_password_hook = check_password;
diff --git a/contrib/passwordcheck/sql/passwordcheck.sql b/contrib/passwordcheck/sql/passwordcheck.sql
index 1fbd6b0e96..4b0cea82d4 100644
--- a/contrib/passwordcheck/sql/passwordcheck.sql
+++ b/contrib/passwordcheck/sql/passwordcheck.sql
@@ -1,12 +1,15 @@
LOAD 'passwordcheck';
-
+SET passwordcheck.min_password_length = 12;
CREATE USER regress_passwordcheck_user1;
-- ok
ALTER USER regress_passwordcheck_user1 PASSWORD 'a_nice_long_password';
-- error: too short
-ALTER USER regress_passwordcheck_user1 PASSWORD 'tooshrt';
+ALTER USER regress_passwordcheck_user1 PASSWORD 'tooshort';
+
+-- error: too short
+ALTER USER regress_passwordcheck_user1 PASSWORD 'äbcdefghijk';
-- error: contains user name
ALTER USER regress_passwordcheck_user1 PASSWORD 'xyzregress_passwordcheck_user1';
diff --git a/doc/src/sgml/passwordcheck.sgml b/doc/src/sgml/passwordcheck.sgml
index 601f489227..f847ff1860 100644
--- a/doc/src/sgml/passwordcheck.sgml
+++ b/doc/src/sgml/passwordcheck.sgml
@@ -59,4 +59,39 @@
</para>
</caution>
+ <sect2 id="passwordcheck-configuration-parameters">
+ <title>Configuration Parameters</title>
+
+ <para>
+ There is a configuration parameter that control the behavior
+ <filename>passwordcheck</filename>. This is the minumum password length.
+ </para>
+
+ <variablelist>
+ <varlistentry id="passwordcheck-configuration-parameters-min-password-length">
+ <term>
+ <varname>passwordcheck.min_password_length</varname> (<type>integer</type>)
+ <indexterm>
+ <primary><varname>passwordcheck.min_password_length</varname> configuration parameter</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ <varname>passwordcheck.min_password_length</varname> is the minimum length
+ of accepted password on database users.
+ If not setted the default is 8 bytes.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+<programlisting>
+# postgresql.conf
+session_preload_libraries = 'passwordcheck'
+passwordcheck.min_password_length = 12
+
+</programlisting>
+
+ </sect2>
+
</sect1>