0004-Refactor-decision-making-of-password-encryption-into.patch
application/x-download
Filename: 0004-Refactor-decision-making-of-password-encryption-into.patch
Type: application/x-download
Part: 3
Patch
Format: format-patch
Series: patch 0004
Subject: Refactor decision-making of password encryption into a single routine
| File | + | − |
|---|---|---|
| src/backend/commands/user.c | 60 | 24 |
From 9a6115b693d31871d8bfa3e618fa323f17fc4661 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Mon, 26 Sep 2016 13:51:15 +0900
Subject: [PATCH 4/8] Refactor decision-making of password encryption into a
single routine
This routine was duplicated for CREATE ROLE and ALTER ROLE, and while
there is little gain by doing it now if there is only plain password
and md5-encryption support, this eases the decision-making regarding
if and how a password needs to be encrypted if there are more protocols
supported, like SCRAM.
---
src/backend/commands/user.c | 84 ++++++++++++++++++++++++++++++++-------------
1 file changed, 60 insertions(+), 24 deletions(-)
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index fa3e984..2e89f1f 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -55,6 +55,8 @@ static void AddRoleMems(const char *rolename, Oid roleid,
static void DelRoleMems(const char *rolename, Oid roleid,
List *memberSpecs, List *memberIds,
bool admin_opt);
+static char *encrypt_password(char *passwd, char *rolname,
+ int passwd_type);
/* Check if current user has createrole privileges */
@@ -64,6 +66,48 @@ have_createrole_privilege(void)
return has_createrole_privilege(GetUserId());
}
+/*
+ * Encrypt a password if necessary for insertion in pg_authid.
+ *
+ * If a password is found as already MD5-encrypted, no error is raised
+ * to ease the dump and reload of such data. Returns a palloc'ed string
+ * holding the encrypted password.
+ */
+static char *
+encrypt_password(char *password, char *rolname, int passwd_type)
+{
+ char *res;
+
+ Assert(password != NULL);
+
+ /*
+ * If a password is already identified as MD5-encrypted, it is used
+ * as such. If the password given is not encrypted, adapt it depending
+ * on the type wanted by the caller of this routine.
+ */
+ if (isMD5(password))
+ res = pstrdup(password);
+ else
+ {
+ switch (passwd_type)
+ {
+ case PASSWORD_TYPE_PLAINTEXT:
+ res = pstrdup(password);
+ break;
+ case PASSWORD_TYPE_MD5:
+ res = (char *) palloc(MD5_PASSWD_LEN + 1);
+ if (!pg_md5_encrypt(password, rolname,
+ strlen(rolname),
+ res))
+ elog(ERROR, "password encryption failed");
+ break;
+ default:
+ Assert(0); /* should not come here */
+ }
+ }
+
+ return res;
+}
/*
* CREATE ROLE
@@ -81,7 +125,7 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
ListCell *option;
char *password = NULL; /* user password */
int password_type = Password_encryption;
- char encrypted_password[MD5_PASSWD_LEN + 1];
+ char *encrypted_passwd;
bool issuper = false; /* Make the user a superuser? */
bool inherit = true; /* Auto inherit privileges? */
bool createrole = false; /* Can this user create roles? */
@@ -393,17 +437,13 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
if (password)
{
- if (password_type == PASSWORD_TYPE_PLAINTEXT || isMD5(password))
- new_record[Anum_pg_authid_rolpassword - 1] =
- CStringGetTextDatum(password);
- else
- {
- if (!pg_md5_encrypt(password, stmt->role, strlen(stmt->role),
- encrypted_password))
- elog(ERROR, "password encryption failed");
- new_record[Anum_pg_authid_rolpassword - 1] =
- CStringGetTextDatum(encrypted_password);
- }
+ encrypted_passwd = encrypt_password(password,
+ stmt->role,
+ password_type);
+
+ new_record[Anum_pg_authid_rolpassword - 1] =
+ CStringGetTextDatum(encrypted_passwd);
+ pfree(encrypted_passwd);
}
else
new_record_nulls[Anum_pg_authid_rolpassword - 1] = true;
@@ -506,7 +546,7 @@ AlterRole(AlterRoleStmt *stmt)
char *rolename = NULL;
char *password = NULL; /* user password */
int password_type = Password_encryption;
- char encrypted_password[MD5_PASSWD_LEN + 1];
+ char *encrypted_passwd;
int issuper = -1; /* Make the user a superuser? */
int inherit = -1; /* Auto inherit privileges? */
int createrole = -1; /* Can this user create roles? */
@@ -804,18 +844,14 @@ AlterRole(AlterRoleStmt *stmt)
/* password */
if (password)
{
- if (password_type == PASSWORD_TYPE_PLAINTEXT || isMD5(password))
- new_record[Anum_pg_authid_rolpassword - 1] =
- CStringGetTextDatum(password);
- else
- {
- if (!pg_md5_encrypt(password, rolename, strlen(rolename),
- encrypted_password))
- elog(ERROR, "password encryption failed");
- new_record[Anum_pg_authid_rolpassword - 1] =
- CStringGetTextDatum(encrypted_password);
- }
+ encrypted_passwd = encrypt_password(password,
+ rolename,
+ password_type);
+
+ new_record[Anum_pg_authid_rolpassword - 1] =
+ CStringGetTextDatum(encrypted_passwd);
new_record_repl[Anum_pg_authid_rolpassword - 1] = true;
+ pfree(encrypted_passwd);
}
/* unset password */
--
2.10.0