NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit3c44e7d

committed

Allow tests to pass in OpenSSL FIPS mode (rest)

This adds alternative expected files for various tests.In src/test/regress/sql/password.sql, we make a small change to thetest so that the CREATE ROLE still succeeds even if the ALTER ROLEthat attempts to set a password might fail. That way, the roles areavailable for the rest of the test file in either case.Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>Reviewed-by: Daniel Gustafsson <daniel@yesql.se>Discussion:https://www.postgresql.org/message-id/flat/dbbd927f-ef1f-c9a1-4ec6-c759778ac852%40enterprisedb.com

1 parent8d5573b commit3c44e7dCopy full SHA for 3c44e7d

File tree

6 files changed

+348

-4

lines changed

contrib
- passwordcheck/expected
  - passwordcheck_1.out
- uuid-ossp/expected
  - uuid_ossp_1.out
src/test/regress
- expected
- sql
  - password.sql

6 files changed

+348

-4

lines changed

`‎contrib/passwordcheck/expected/passwordcheck_1.out`

Lines changed: 18 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,18 @@`
	`1`	`+LOAD 'passwordcheck';`
	`2`	`+CREATE USER regress_passwordcheck_user1;`
	`3`	`+-- ok`
	`4`	`+ALTER USER regress_passwordcheck_user1 PASSWORD 'a_nice_long_password';`
	`5`	`+-- error: too short`
	`6`	`+ALTER USER regress_passwordcheck_user1 PASSWORD 'tooshrt';`
	`7`	`+ERROR: password is too short`
	`8`	`+-- error: contains user name`
	`9`	`+ALTER USER regress_passwordcheck_user1 PASSWORD 'xyzregress_passwordcheck_user1';`
	`10`	`+ERROR: password must not contain user name`
	`11`	`+-- error: contains only letters`
	`12`	`+ALTER USER regress_passwordcheck_user1 PASSWORD 'alessnicelongpassword';`
	`13`	`+ERROR: password must contain both letters and nonletters`
	`14`	`+-- encrypted ok (password is "secret")`
	`15`	`+ALTER USER regress_passwordcheck_user1 PASSWORD 'md592350e12ac34e52dd598f90893bb3ae7';`
	`16`	`+-- error: password is user name`
	`17`	`+ALTER USER regress_passwordcheck_user1 PASSWORD 'md507a112732ed9f2087fa90b192d44e358';`
	`18`	`+DROP USER regress_passwordcheck_user1;`

`‎contrib/uuid-ossp/expected/uuid_ossp_1.out`

Lines changed: 135 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,135 @@`
	`1`	`+CREATE EXTENSION "uuid-ossp";`
	`2`	`+SELECT uuid_nil();`
	`3`	`+ uuid_nil`
	`4`	`+--------------------------------------`
	`5`	`+ 00000000-0000-0000-0000-000000000000`
	`6`	`+(1 row)`
	`7`	`+`
	`8`	`+SELECT uuid_ns_dns();`
	`9`	`+ uuid_ns_dns`
	`10`	`+--------------------------------------`
	`11`	`+ 6ba7b810-9dad-11d1-80b4-00c04fd430c8`
	`12`	`+(1 row)`
	`13`	`+`
	`14`	`+SELECT uuid_ns_url();`
	`15`	`+ uuid_ns_url`
	`16`	`+--------------------------------------`
	`17`	`+ 6ba7b811-9dad-11d1-80b4-00c04fd430c8`
	`18`	`+(1 row)`
	`19`	`+`
	`20`	`+SELECT uuid_ns_oid();`
	`21`	`+ uuid_ns_oid`
	`22`	`+--------------------------------------`
	`23`	`+ 6ba7b812-9dad-11d1-80b4-00c04fd430c8`
	`24`	`+(1 row)`
	`25`	`+`
	`26`	`+SELECT uuid_ns_x500();`
	`27`	`+ uuid_ns_x500`
	`28`	`+--------------------------------------`
	`29`	`+ 6ba7b814-9dad-11d1-80b4-00c04fd430c8`
	`30`	`+(1 row)`
	`31`	`+`
	`32`	`+-- some quick and dirty field extraction functions`
	`33`	`+-- this is actually timestamp concatenated with clock sequence, per RFC 4122`
	`34`	`+CREATE FUNCTION uuid_timestamp_bits(uuid) RETURNS varbit AS`
	`35`	`+$$ SELECT ('x' \|\| substr($1::text, 15, 4) \|\| substr($1::text, 10, 4) \|\|`
	`36`	`+ substr($1::text, 1, 8) \|\| substr($1::text, 20, 4))::bit(80)`
	`37`	`+ & x'0FFFFFFFFFFFFFFF3FFF' $$`
	`38`	`+LANGUAGE SQL STRICT IMMUTABLE;`
	`39`	`+CREATE FUNCTION uuid_version_bits(uuid) RETURNS varbit AS`
	`40`	`+$$ SELECT ('x' \|\| substr($1::text, 15, 2))::bit(8) & '11110000' $$`
	`41`	`+LANGUAGE SQL STRICT IMMUTABLE;`
	`42`	`+CREATE FUNCTION uuid_reserved_bits(uuid) RETURNS varbit AS`
	`43`	`+$$ SELECT ('x' \|\| substr($1::text, 20, 2))::bit(8) & '11000000' $$`
	`44`	`+LANGUAGE SQL STRICT IMMUTABLE;`
	`45`	`+CREATE FUNCTION uuid_multicast_bit(uuid) RETURNS bool AS`
	`46`	`+$$ SELECT (('x' \|\| substr($1::text, 25, 2))::bit(8) & '00000001') != '00000000' $$`
	`47`	`+LANGUAGE SQL STRICT IMMUTABLE;`
	`48`	`+CREATE FUNCTION uuid_local_admin_bit(uuid) RETURNS bool AS`
	`49`	`+$$ SELECT (('x' \|\| substr($1::text, 25, 2))::bit(8) & '00000010') != '00000000' $$`
	`50`	`+LANGUAGE SQL STRICT IMMUTABLE;`
	`51`	`+CREATE FUNCTION uuid_node(uuid) RETURNS text AS`
	`52`	`+$$ SELECT substr($1::text, 25) $$`
	`53`	`+LANGUAGE SQL STRICT IMMUTABLE;`
	`54`	`+-- Ideally, the multicast bit would never be set in V1 output, but the`
	`55`	`+-- UUID library may fall back to MC if it can't get the system MAC address.`
	`56`	`+-- Also, the local-admin bit might be set (if so, we're probably inside a VM).`
	`57`	`+-- So we can't test either bit here.`
	`58`	`+SELECT uuid_version_bits(uuid_generate_v1()),`
	`59`	`+ uuid_reserved_bits(uuid_generate_v1());`
	`60`	`+ uuid_version_bits \| uuid_reserved_bits`
	`61`	`+-------------------+--------------------`
	`62`	`+ 00010000 \| 10000000`
	`63`	`+(1 row)`
	`64`	`+`
	`65`	`+-- Although RFC 4122 only requires the multicast bit to be set in V1MC style`
	`66`	`+-- UUIDs, our implementation always sets the local-admin bit as well.`
	`67`	`+SELECT uuid_version_bits(uuid_generate_v1mc()),`
	`68`	`+ uuid_reserved_bits(uuid_generate_v1mc()),`
	`69`	`+ uuid_multicast_bit(uuid_generate_v1mc()),`
	`70`	`+ uuid_local_admin_bit(uuid_generate_v1mc());`
	`71`	`+ uuid_version_bits \| uuid_reserved_bits \| uuid_multicast_bit \| uuid_local_admin_bit`
	`72`	`+-------------------+--------------------+--------------------+----------------------`
	`73`	`+ 00010000 \| 10000000 \| t \| t`
	`74`	`+(1 row)`
	`75`	`+`
	`76`	`+-- timestamp+clock sequence should be monotonic increasing in v1`
	`77`	`+SELECT uuid_timestamp_bits(uuid_generate_v1()) < uuid_timestamp_bits(uuid_generate_v1());`
	`78`	`+ ?column?`
	`79`	`+----------`
	`80`	`+ t`
	`81`	`+(1 row)`
	`82`	`+`
	`83`	`+SELECT uuid_timestamp_bits(uuid_generate_v1mc()) < uuid_timestamp_bits(uuid_generate_v1mc());`
	`84`	`+ ?column?`
	`85`	`+----------`
	`86`	`+ t`
	`87`	`+(1 row)`
	`88`	`+`
	`89`	`+-- Ideally, the node value is stable in V1 addresses, but OSSP UUID`
	`90`	`+-- falls back to V1MC behavior if it can't get the system MAC address.`
	`91`	`+SELECT CASE WHEN uuid_multicast_bit(uuid_generate_v1()) AND`
	`92`	`+ uuid_local_admin_bit(uuid_generate_v1()) THEN`
	`93`	`+ true -- punt, no test`
	`94`	`+ ELSE`
	`95`	`+ uuid_node(uuid_generate_v1()) = uuid_node(uuid_generate_v1())`
	`96`	`+ END;`
	`97`	`+ case`
	`98`	`+------`
	`99`	`+ t`
	`100`	`+(1 row)`
	`101`	`+`
	`102`	`+-- In any case, V1MC node addresses should be random.`
	`103`	`+SELECT uuid_node(uuid_generate_v1()) <> uuid_node(uuid_generate_v1mc());`
	`104`	`+ ?column?`
	`105`	`+----------`
	`106`	`+ t`
	`107`	`+(1 row)`
	`108`	`+`
	`109`	`+SELECT uuid_node(uuid_generate_v1mc()) <> uuid_node(uuid_generate_v1mc());`
	`110`	`+ ?column?`
	`111`	`+----------`
	`112`	`+ t`
	`113`	`+(1 row)`
	`114`	`+`
	`115`	`+SELECT uuid_generate_v3(uuid_ns_dns(), 'www.widgets.com');`
	`116`	`+ERROR: could not initialize MD5 context: unsupported`
	`117`	`+SELECT uuid_generate_v5(uuid_ns_dns(), 'www.widgets.com');`
	`118`	`+ uuid_generate_v5`
	`119`	`+--------------------------------------`
	`120`	`+ 21f7f8de-8051-5b89-8680-0195ef798b6a`
	`121`	`+(1 row)`
	`122`	`+`
	`123`	`+SELECT uuid_version_bits(uuid_generate_v4()),`
	`124`	`+ uuid_reserved_bits(uuid_generate_v4());`
	`125`	`+ uuid_version_bits \| uuid_reserved_bits`
	`126`	`+-------------------+--------------------`
	`127`	`+ 01000000 \| 10000000`
	`128`	`+(1 row)`
	`129`	`+`
	`130`	`+SELECT uuid_generate_v4() <> uuid_generate_v4();`
	`131`	`+ ?column?`
	`132`	`+----------`
	`133`	`+ t`
	`134`	`+(1 row)`
	`135`	`+`

`‎src/test/regress/expected/md5_1.out`

Lines changed: 35 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,35 @@`
	`1`	`+--`
	`2`	`+-- MD5 test suite - from IETF RFC 1321`
	`3`	`+-- (see: https://www.rfc-editor.org/rfc/rfc1321)`
	`4`	`+--`
	`5`	`+-- (The md5() function will error in OpenSSL FIPS mode. By keeping`
	`6`	`+-- this test in a separate file, it is easier to manage variant`
	`7`	`+-- results.)`
	`8`	`+select md5('') = 'd41d8cd98f00b204e9800998ecf8427e' AS "TRUE";`
	`9`	`+ERROR: could not compute MD5 hash: unsupported`
	`10`	`+select md5('a') = '0cc175b9c0f1b6a831c399e269772661' AS "TRUE";`
	`11`	`+ERROR: could not compute MD5 hash: unsupported`
	`12`	`+select md5('abc') = '900150983cd24fb0d6963f7d28e17f72' AS "TRUE";`
	`13`	`+ERROR: could not compute MD5 hash: unsupported`
	`14`	`+select md5('message digest') = 'f96b697d7cb7938d525a2f31aaf161d0' AS "TRUE";`
	`15`	`+ERROR: could not compute MD5 hash: unsupported`
	`16`	`+select md5('abcdefghijklmnopqrstuvwxyz') = 'c3fcd3d76192e4007dfb496cca67e13b' AS "TRUE";`
	`17`	`+ERROR: could not compute MD5 hash: unsupported`
	`18`	`+select md5('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789') = 'd174ab98d277d9f5a5611c2c9f419d9f' AS "TRUE";`
	`19`	`+ERROR: could not compute MD5 hash: unsupported`
	`20`	`+select md5('12345678901234567890123456789012345678901234567890123456789012345678901234567890') = '57edf4a22be3c955ac49da2e2107b67a' AS "TRUE";`
	`21`	`+ERROR: could not compute MD5 hash: unsupported`
	`22`	`+select md5(''::bytea) = 'd41d8cd98f00b204e9800998ecf8427e' AS "TRUE";`
	`23`	`+ERROR: could not compute MD5 hash: unsupported`
	`24`	`+select md5('a'::bytea) = '0cc175b9c0f1b6a831c399e269772661' AS "TRUE";`
	`25`	`+ERROR: could not compute MD5 hash: unsupported`
	`26`	`+select md5('abc'::bytea) = '900150983cd24fb0d6963f7d28e17f72' AS "TRUE";`
	`27`	`+ERROR: could not compute MD5 hash: unsupported`
	`28`	`+select md5('message digest'::bytea) = 'f96b697d7cb7938d525a2f31aaf161d0' AS "TRUE";`
	`29`	`+ERROR: could not compute MD5 hash: unsupported`
	`30`	`+select md5('abcdefghijklmnopqrstuvwxyz'::bytea) = 'c3fcd3d76192e4007dfb496cca67e13b' AS "TRUE";`
	`31`	`+ERROR: could not compute MD5 hash: unsupported`
	`32`	`+select md5('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'::bytea) = 'd174ab98d277d9f5a5611c2c9f419d9f' AS "TRUE";`
	`33`	`+ERROR: could not compute MD5 hash: unsupported`
	`34`	`+select md5('12345678901234567890123456789012345678901234567890123456789012345678901234567890'::bytea) = '57edf4a22be3c955ac49da2e2107b67a' AS "TRUE";`
	`35`	`+ERROR: could not compute MD5 hash: unsupported`

`‎src/test/regress/expected/password.out`

Lines changed: 4 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -12,8 +12,10 @@ SET password_encryption = 'md5'; -- ok`
`12`	`12`	`SET password_encryption = 'scram-sha-256'; -- ok`
`13`	`13`	`-- consistency of password entries`
`14`	`14`	`SET password_encryption = 'md5';`
`15`		`-CREATE ROLE regress_passwd1 PASSWORD 'role_pwd1';`
`16`		`-CREATE ROLE regress_passwd2 PASSWORD 'role_pwd2';`
	`15`	`+CREATE ROLE regress_passwd1;`
	`16`	`+ALTER ROLE regress_passwd1 PASSWORD 'role_pwd1';`
	`17`	`+CREATE ROLE regress_passwd2;`
	`18`	`+ALTER ROLE regress_passwd2 PASSWORD 'role_pwd2';`
`17`	`19`	`SET password_encryption = 'scram-sha-256';`
`18`	`20`	`CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3';`
`19`	`21`	`CREATE ROLE regress_passwd4 PASSWORD NULL;`

`‎src/test/regress/expected/password_1.out`

Lines changed: 152 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,152 @@`
	`1`	`+--`
	`2`	`+-- Tests for password types`
	`3`	`+--`
	`4`	`+-- Tests for GUC password_encryption`
	`5`	`+SET password_encryption = 'novalue'; -- error`
	`6`	`+ERROR: invalid value for parameter "password_encryption": "novalue"`
	`7`	`+HINT: Available values: md5, scram-sha-256.`
	`8`	`+SET password_encryption = true; -- error`
	`9`	`+ERROR: invalid value for parameter "password_encryption": "true"`
	`10`	`+HINT: Available values: md5, scram-sha-256.`
	`11`	`+SET password_encryption = 'md5'; -- ok`
	`12`	`+SET password_encryption = 'scram-sha-256'; -- ok`
	`13`	`+-- consistency of password entries`
	`14`	`+SET password_encryption = 'md5';`
	`15`	`+CREATE ROLE regress_passwd1;`
	`16`	`+ALTER ROLE regress_passwd1 PASSWORD 'role_pwd1';`
	`17`	`+ERROR: password encryption failed: unsupported`
	`18`	`+CREATE ROLE regress_passwd2;`
	`19`	`+ALTER ROLE regress_passwd2 PASSWORD 'role_pwd2';`
	`20`	`+ERROR: password encryption failed: unsupported`
	`21`	`+SET password_encryption = 'scram-sha-256';`
	`22`	`+CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3';`
	`23`	`+CREATE ROLE regress_passwd4 PASSWORD NULL;`
	`24`	`+-- check list of created entries`
	`25`	`+--`
	`26`	`+-- The scram secret will look something like:`
	`27`	`+-- SCRAM-SHA-256$4096:E4HxLGtnRzsYwg==$6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo=`
	`28`	`+--`
	`29`	`+-- Since the salt is random, the exact value stored will be different on every test`
	`30`	`+-- run. Use a regular expression to mask the changing parts.`
	`31`	`+SELECT rolname, regexp_replace(rolpassword, '(SCRAM-SHA-256)\$(\d+):([a-zA-Z0-9+/=]+)\$([a-zA-Z0-9+=/]+):([a-zA-Z0-9+/=]+)', '\1$\2:<salt>$<storedkey>:<serverkey>') as rolpassword_masked`
	`32`	`+ FROM pg_authid`
	`33`	`+ WHERE rolname LIKE 'regress_passwd%'`
	`34`	`+ ORDER BY rolname, rolpassword;`
	`35`	`+ rolname \| rolpassword_masked`
	`36`	`+-----------------+---------------------------------------------------`
	`37`	`+ regress_passwd1 \|`
	`38`	`+ regress_passwd2 \|`
	`39`	`+ regress_passwd3 \| SCRAM-SHA-256$4096:<salt>$<storedkey>:<serverkey>`
	`40`	`+ regress_passwd4 \|`
	`41`	`+(4 rows)`
	`42`	`+`
	`43`	`+-- Rename a role`
	`44`	`+ALTER ROLE regress_passwd2 RENAME TO regress_passwd2_new;`
	`45`	`+-- md5 entry should have been removed`
	`46`	`+SELECT rolname, rolpassword`
	`47`	`+ FROM pg_authid`
	`48`	`+ WHERE rolname LIKE 'regress_passwd2_new'`
	`49`	`+ ORDER BY rolname, rolpassword;`
	`50`	`+ rolname \| rolpassword`
	`51`	`+---------------------+-------------`
	`52`	`+ regress_passwd2_new \|`
	`53`	`+(1 row)`
	`54`	`+`
	`55`	`+ALTER ROLE regress_passwd2_new RENAME TO regress_passwd2;`
	`56`	`+-- Change passwords with ALTER USER. With plaintext or already-encrypted`
	`57`	`+-- passwords.`
	`58`	`+SET password_encryption = 'md5';`
	`59`	`+-- encrypt with MD5`
	`60`	`+ALTER ROLE regress_passwd2 PASSWORD 'foo';`
	`61`	`+ERROR: password encryption failed: unsupported`
	`62`	`+-- already encrypted, use as they are`
	`63`	`+ALTER ROLE regress_passwd1 PASSWORD 'md5cd3578025fe2c3d7ed1b9a9b26238b70';`
	`64`	`+ALTER ROLE regress_passwd3 PASSWORD 'SCRAM-SHA-256$4096:VLK4RMaQLCvNtQ==$6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo=';`
	`65`	`+SET password_encryption = 'scram-sha-256';`
	`66`	`+-- create SCRAM secret`
	`67`	`+ALTER ROLE regress_passwd4 PASSWORD 'foo';`
	`68`	`+-- already encrypted with MD5, use as it is`
	`69`	`+CREATE ROLE regress_passwd5 PASSWORD 'md5e73a4b11df52a6068f8b39f90be36023';`
	`70`	`+-- This looks like a valid SCRAM-SHA-256 secret, but it is not`
	`71`	`+-- so it should be hashed with SCRAM-SHA-256.`
	`72`	`+CREATE ROLE regress_passwd6 PASSWORD 'SCRAM-SHA-256$1234';`
	`73`	`+-- These may look like valid MD5 secrets, but they are not, so they`
	`74`	`+-- should be hashed with SCRAM-SHA-256.`
	`75`	`+-- trailing garbage at the end`
	`76`	`+CREATE ROLE regress_passwd7 PASSWORD 'md5012345678901234567890123456789zz';`
	`77`	`+-- invalid length`
	`78`	`+CREATE ROLE regress_passwd8 PASSWORD 'md501234567890123456789012345678901zz';`
	`79`	`+-- Changing the SCRAM iteration count`
	`80`	`+SET scram_iterations = 1024;`
	`81`	`+CREATE ROLE regress_passwd9 PASSWORD 'alterediterationcount';`
	`82`	`+SELECT rolname, regexp_replace(rolpassword, '(SCRAM-SHA-256)\$(\d+):([a-zA-Z0-9+/=]+)\$([a-zA-Z0-9+=/]+):([a-zA-Z0-9+/=]+)', '\1$\2:<salt>$<storedkey>:<serverkey>') as rolpassword_masked`
	`83`	`+ FROM pg_authid`
	`84`	`+ WHERE rolname LIKE 'regress_passwd%'`
	`85`	`+ ORDER BY rolname, rolpassword;`
	`86`	`+ rolname \| rolpassword_masked`
	`87`	`+-----------------+---------------------------------------------------`
	`88`	`+ regress_passwd1 \| md5cd3578025fe2c3d7ed1b9a9b26238b70`
	`89`	`+ regress_passwd2 \|`
	`90`	`+ regress_passwd3 \| SCRAM-SHA-256$4096:<salt>$<storedkey>:<serverkey>`
	`91`	`+ regress_passwd4 \| SCRAM-SHA-256$4096:<salt>$<storedkey>:<serverkey>`
	`92`	`+ regress_passwd5 \| md5e73a4b11df52a6068f8b39f90be36023`
	`93`	`+ regress_passwd6 \| SCRAM-SHA-256$4096:<salt>$<storedkey>:<serverkey>`
	`94`	`+ regress_passwd7 \| SCRAM-SHA-256$4096:<salt>$<storedkey>:<serverkey>`
	`95`	`+ regress_passwd8 \| SCRAM-SHA-256$4096:<salt>$<storedkey>:<serverkey>`
	`96`	`+ regress_passwd9 \| SCRAM-SHA-256$1024:<salt>$<storedkey>:<serverkey>`
	`97`	`+(9 rows)`
	`98`	`+`
	`99`	`+-- An empty password is not allowed, in any form`
	`100`	`+CREATE ROLE regress_passwd_empty PASSWORD '';`
	`101`	`+NOTICE: empty string is not a valid password, clearing password`
	`102`	`+ALTER ROLE regress_passwd_empty PASSWORD 'md585939a5ce845f1a1b620742e3c659e0a';`
	`103`	`+ALTER ROLE regress_passwd_empty PASSWORD 'SCRAM-SHA-256$4096:hpFyHTUsSWcR7O9P$LgZFIt6Oqdo27ZFKbZ2nV+vtnYM995pDh9ca6WSi120=:qVV5NeluNfUPkwm7Vqat25RjSPLkGeoZBQs6wVv+um4=';`
	`104`	`+NOTICE: empty string is not a valid password, clearing password`
	`105`	`+SELECT rolpassword FROM pg_authid WHERE rolname='regress_passwd_empty';`
	`106`	`+ rolpassword`
	`107`	`+-------------`
	`108`	`+`
	`109`	`+(1 row)`
	`110`	`+`
	`111`	`+-- Test with invalid stored and server keys.`
	`112`	`+--`
	`113`	`+-- The first is valid, to act as a control. The others have too long`
	`114`	`+-- stored/server keys. They will be re-hashed.`
	`115`	`+CREATE ROLE regress_passwd_sha_len0 PASSWORD 'SCRAM-SHA-256$4096:A6xHKoH/494E941doaPOYg==$Ky+A30sewHIH3VHQLRN9vYsuzlgNyGNKCh37dy96Rqw=:COPdlNiIkrsacU5QoxydEuOH6e/KfiipeETb/bPw8ZI=';`
	`116`	`+CREATE ROLE regress_passwd_sha_len1 PASSWORD 'SCRAM-SHA-256$4096:A6xHKoH/494E941doaPOYg==$Ky+A30sewHIH3VHQLRN9vYsuzlgNyGNKCh37dy96RqwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=:COPdlNiIkrsacU5QoxydEuOH6e/KfiipeETb/bPw8ZI=';`
	`117`	`+CREATE ROLE regress_passwd_sha_len2 PASSWORD 'SCRAM-SHA-256$4096:A6xHKoH/494E941doaPOYg==$Ky+A30sewHIH3VHQLRN9vYsuzlgNyGNKCh37dy96Rqw=:COPdlNiIkrsacU5QoxydEuOH6e/KfiipeETb/bPw8ZIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=';`
	`118`	`+-- Check that the invalid secrets were re-hashed. A re-hashed secret`
	`119`	`+-- should not contain the original salt.`
	`120`	`+SELECT rolname, rolpassword not like '%A6xHKoH/494E941doaPOYg==%' as is_rolpassword_rehashed`
	`121`	`+ FROM pg_authid`
	`122`	`+ WHERE rolname LIKE 'regress_passwd_sha_len%'`
	`123`	`+ ORDER BY rolname;`
	`124`	`+ rolname \| is_rolpassword_rehashed`
	`125`	`+-------------------------+-------------------------`
	`126`	`+ regress_passwd_sha_len0 \| f`
	`127`	`+ regress_passwd_sha_len1 \| t`
	`128`	`+ regress_passwd_sha_len2 \| t`
	`129`	`+(3 rows)`
	`130`	`+`
	`131`	`+DROP ROLE regress_passwd1;`
	`132`	`+DROP ROLE regress_passwd2;`
	`133`	`+DROP ROLE regress_passwd3;`
	`134`	`+DROP ROLE regress_passwd4;`
	`135`	`+DROP ROLE regress_passwd5;`
	`136`	`+DROP ROLE regress_passwd6;`
	`137`	`+DROP ROLE regress_passwd7;`
	`138`	`+DROP ROLE regress_passwd8;`
	`139`	`+DROP ROLE regress_passwd9;`
	`140`	`+DROP ROLE regress_passwd_empty;`
	`141`	`+DROP ROLE regress_passwd_sha_len0;`
	`142`	`+DROP ROLE regress_passwd_sha_len1;`
	`143`	`+DROP ROLE regress_passwd_sha_len2;`
	`144`	`+-- all entries should have been removed`
	`145`	`+SELECT rolname, rolpassword`
	`146`	`+ FROM pg_authid`
	`147`	`+ WHERE rolname LIKE 'regress_passwd%'`
	`148`	`+ ORDER BY rolname, rolpassword;`
	`149`	`+ rolname \| rolpassword`
	`150`	`+---------+-------------`
	`151`	`+(0 rows)`
	`152`	`+`

`‎src/test/regress/sql/password.sql`

Lines changed: 4 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -10,8 +10,10 @@ SET password_encryption = 'scram-sha-256'; -- ok`
`10`	`10`
`11`	`11`	`-- consistency of password entries`
`12`	`12`	`SET password_encryption='md5';`
`13`		`-CREATE ROLE regress_passwd1 PASSWORD'role_pwd1';`
`14`		`-CREATE ROLE regress_passwd2 PASSWORD'role_pwd2';`
	`13`	`+CREATE ROLE regress_passwd1;`
	`14`	`+ALTER ROLE regress_passwd1 PASSWORD'role_pwd1';`
	`15`	`+CREATE ROLE regress_passwd2;`
	`16`	`+ALTER ROLE regress_passwd2 PASSWORD'role_pwd2';`
`15`	`17`	`SET password_encryption='scram-sha-256';`
`16`	`18`	`CREATE ROLE regress_passwd3 PASSWORD'role_pwd3';`
`17`	`19`	`CREATE ROLE regress_passwd4 PASSWORDNULL;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit3c44e7d

File tree

6 files changed

6 files changed

`‎contrib/passwordcheck/expected/passwordcheck_1.out`

`‎contrib/uuid-ossp/expected/uuid_ossp_1.out`

`‎src/test/regress/expected/md5_1.out`

`‎src/test/regress/expected/password.out`

`‎src/test/regress/expected/password_1.out`

`‎src/test/regress/sql/password.sql`

0 commit comments