NotificationsYou must be signed in to change notification settings
Fork28
Star151

Commit215cb4f

committed

Revert "Apply 0005-Refactor-decision-making-of-password-encryption-into.patch + cherry-pickbabe05b"

This reverts commit2cc896b.

1 parentdedd3ba commit215cb4fCopy full SHA for 215cb4f

File tree

5 files changed

+56

-120

lines changed

doc/src/sgml
- config.sgml
src
- backend
  - commands
    - user.c
  - utils/misc
    - guc.c
    - postgresql.conf.sample
- include/commands
  - user.h

5 files changed

+56

-120

lines changed

`‎doc/src/sgml/config.sgml`

Lines changed: 8 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -1166,22 +1166,21 @@ include_dir 'conf.d'`
`1166`	`1166`	`</varlistentry>`
`1167`	`1167`
`1168`	`1168`	`<varlistentry id="guc-password-encryption" xreflabel="password_encryption">`
`1169`		`- <term><varname>password_encryption</varname> (<type>enum</type>)`
	`1169`	`+ <term><varname>password_encryption</varname> (<type>boolean</type>)`
`1170`	`1170`	`<indexterm>`
`1171`	`1171`	`<primary><varname>password_encryption</> configuration parameter</primary>`
`1172`	`1172`	`</indexterm>`
`1173`	`1173`	`</term>`
`1174`	`1174`	`<listitem>`
`1175`	`1175`	`<para>`
`1176`		`- When a password is specified in <xref linkend="sql-createuser"> or`
`1177`		`-<xreflinkend="sql-alterrole">without writing either <literal>ENCRYPTED</>`
`1178`		`-or <literal>UNENCRYPTED</>, this parameter determines whether the`
`1179`		`-password is to be encrypted. The default value is<literal>md5</>, which`
`1180`		`-stores the password as an MD5 hash. Setting this to<literal>plain</> stores`
`1181`		`-it in plaintext. <literal>on</> and<literal>off</> are also accepted, as`
`1182`		`-aliases for <literal>md5</> and <literal>plain</>, respectively.`
	`1176`	`+ When a password is specified in <xref`
	`1177`	`+ linkend="sql-createuser">or`
	`1178`	`+<xref linkend="sql-alterrole">`
	`1179`	`+without writing either<literal>ENCRYPTED</> or`
	`1180`	`+ <literal>UNENCRYPTED</>, this parameter determines whether the`
	`1181`	`+password is to be encrypted. The default is<literal>on</>`
	`1182`	`+(encrypt the password).`
`1183`	`1183`	`</para>`
`1184`		`-`
`1185`	`1184`	`</listitem>`
`1186`	`1185`	`</varlistentry>`
`1187`	`1186`

`‎src/backend/commands/user.c`

Lines changed: 31 additions & 67 deletions

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ Oidbinary_upgrade_next_pg_authid_oid = InvalidOid;`
`44`	`44`
`45`	`45`
`46`	`46`	`/* GUC parameter */`
`47`		`-intPassword_encryption=PASSWORD_TYPE_MD5;`
	`47`	`+externboolPassword_encryption;`
`48`	`48`
`49`	`49`	`/* Hook to check passwords in CreateRole() and AlterRole() */`
`50`	`50`	`check_password_hook_typecheck_password_hook=NULL;`
`@@ -55,8 +55,6 @@ static void AddRoleMems(const char *rolename, Oid roleid,`
`55`	`55`	`staticvoidDelRoleMems(constchar*rolename,Oidroleid,`
`56`	`56`	`ListmemberSpecs,ListmemberIds,`
`57`	`57`	`booladmin_opt);`
`58`		`-staticcharencrypt_password(charpasswd,char*rolname,`
`59`		`-intpasswd_type);`
`60`	`58`
`61`	`59`
`62`	`60`	`/* Check if current user has createrole privileges */`
`@@ -66,48 +64,6 @@ have_createrole_privilege(void)`
`66`	`64`	`returnhas_createrole_privilege(GetUserId());`
`67`	`65`	`}`
`68`	`66`
`69`		`-/*`
`70`		`- * Encrypt a password if necessary for insertion in pg_authid.`
`71`		`- *`
`72`		`- * If a password is found as already MD5-encrypted, no error is raised`
`73`		`- * to ease the dump and reload of such data. Returns a palloc'ed string`
`74`		`- * holding the encrypted password.`
`75`		`- */`
`76`		`-staticchar*`
`77`		`-encrypt_password(charpassword,charrolname,intpasswd_type)`
`78`		`-{`
`79`		`-char*res;`
`80`		`-`
`81`		`-Assert(password!=NULL);`
`82`		`-`
`83`		`-/*`
`84`		`- * If a password is already identified as MD5-encrypted, it is used`
`85`		`- * as such. If the password given is not encrypted, adapt it depending`
`86`		`- * on the type wanted by the caller of this routine.`
`87`		`- */`
`88`		`-if (isMD5(password))`
`89`		`-res=pstrdup(password);`
`90`		`-else`
`91`		`-{`
`92`		`-switch (passwd_type)`
`93`		`-{`
`94`		`-casePASSWORD_TYPE_PLAINTEXT:`
`95`		`-res=pstrdup(password);`
`96`		`-break;`
`97`		`-casePASSWORD_TYPE_MD5:`
`98`		`-res= (char*)palloc(MD5_PASSWD_LEN+1);`
`99`		`-if (!pg_md5_encrypt(password,rolname,`
`100`		`-strlen(rolname),`
`101`		`-res))`
`102`		`-elog(ERROR,"password encryption failed");`
`103`		`-break;`
`104`		`-default:`
`105`		`-Assert(0);/* should not come here */`
`106`		`-}`
`107`		`-}`
`108`		`-`
`109`		`-returnres;`
`110`		`-}`
`111`	`67`
`112`	`68`	`/*`
`113`	`69`	`* CREATE ROLE`
`@@ -124,8 +80,8 @@ CreateRole(ParseState pstate, CreateRoleStmt stmt)`
`124`	`80`	`ListCell*item;`
`125`	`81`	`ListCell*option;`
`126`	`82`	`charpassword=NULL;/ user password */`
`127`		`-intpassword_type=Password_encryption;/* encrypt password? */`
`128`		`-char*encrypted_passwd;`
	`83`	`+boolencrypt_password=Password_encryption;/* encrypt password? */`
	`84`	`+charencrypted_password[MD5_PASSWD_LEN+1];`
`129`	`85`	`boolissuper= false;/* Make the user a superuser? */`
`130`	`86`	`boolinherit= true;/* Auto inherit privileges? */`
`131`	`87`	`boolcreaterole= false;/* Can this user create roles? */`
`@@ -184,9 +140,9 @@ CreateRole(ParseState pstate, CreateRoleStmt stmt)`
`184`	`140`	`parser_errposition(pstate,defel->location)));`
`185`	`141`	`dpassword=defel;`
`186`	`142`	`if (strcmp(defel->defname,"encryptedPassword")==0)`
`187`		`-password_type=PASSWORD_TYPE_MD5;`
	`143`	`+encrypt_password=true;`
`188`	`144`	`elseif (strcmp(defel->defname,"unencryptedPassword")==0)`
`189`		`-password_type=PASSWORD_TYPE_PLAINTEXT;`
	`145`	`+encrypt_password=false;`
`190`	`146`	`}`
`191`	`147`	`elseif (strcmp(defel->defname,"sysid")==0)`
`192`	`148`	`{`
`@@ -437,13 +393,17 @@ CreateRole(ParseState pstate, CreateRoleStmt stmt)`
`437`	`393`
`438`	`394`	`if (password)`
`439`	`395`	`{`
`440`		`-encrypted_passwd=encrypt_password(password,`
`441`		`-stmt->role,`
`442`		`-password_type);`
`443`		`-`
`444`		`-new_record[Anum_pg_authid_rolpassword-1]=`
`445`		`-CStringGetTextDatum(encrypted_passwd);`
`446`		`-pfree(encrypted_passwd);`
	`396`	`+if (!encrypt_password\|\|isMD5(password))`
	`397`	`+new_record[Anum_pg_authid_rolpassword-1]=`
	`398`	`+CStringGetTextDatum(password);`
	`399`	`+else`
	`400`	`+{`
	`401`	`+if (!pg_md5_encrypt(password,stmt->role,strlen(stmt->role),`
	`402`	`+encrypted_password))`
	`403`	`+elog(ERROR,"password encryption failed");`
	`404`	`+new_record[Anum_pg_authid_rolpassword-1]=`
	`405`	`+CStringGetTextDatum(encrypted_password);`
	`406`	`+}`
`447`	`407`	`}`
`448`	`408`	`else`
`449`	`409`	`new_record_nulls[Anum_pg_authid_rolpassword-1]= true;`
`@@ -545,8 +505,8 @@ AlterRole(AlterRoleStmt *stmt)`
`545`	`505`	`ListCell*option;`
`546`	`506`	`char*rolename=NULL;`
`547`	`507`	`charpassword=NULL;/ user password */`
`548`		`-intpassword_type=Password_encryption;/* encrypt password? */`
`549`		`-char*encrypted_passwd;`
	`508`	`+boolencrypt_password=Password_encryption;/* encrypt password? */`
	`509`	`+charencrypted_password[MD5_PASSWD_LEN+1];`
`550`	`510`	`intissuper=-1;/* Make the user a superuser? */`
`551`	`511`	`intinherit=-1;/* Auto inherit privileges? */`
`552`	`512`	`intcreaterole=-1;/* Can this user create roles? */`
`@@ -590,9 +550,9 @@ AlterRole(AlterRoleStmt *stmt)`
`590`	`550`	`errmsg("conflicting or redundant options")));`
`591`	`551`	`dpassword=defel;`
`592`	`552`	`if (strcmp(defel->defname,"encryptedPassword")==0)`
`593`		`-password_type=PASSWORD_TYPE_MD5;`
	`553`	`+encrypt_password=true;`
`594`	`554`	`elseif (strcmp(defel->defname,"unencryptedPassword")==0)`
`595`		`-password_type=PASSWORD_TYPE_PLAINTEXT;`
	`555`	`+encrypt_password=false;`
`596`	`556`	`}`
`597`	`557`	`elseif (strcmp(defel->defname,"superuser")==0)`
`598`	`558`	`{`
`@@ -844,14 +804,18 @@ AlterRole(AlterRoleStmt *stmt)`
`844`	`804`	`/* password */`
`845`	`805`	`if (password)`
`846`	`806`	`{`
`847`		`-encrypted_passwd=encrypt_password(password,`
`848`		`-rolename,`
`849`		`-password_type);`
`850`		`-`
`851`		`-new_record[Anum_pg_authid_rolpassword-1]=`
`852`		`-CStringGetTextDatum(encrypted_passwd);`
	`807`	`+if (!encrypt_password\|\|isMD5(password))`
	`808`	`+new_record[Anum_pg_authid_rolpassword-1]=`
	`809`	`+CStringGetTextDatum(password);`
	`810`	`+else`
	`811`	`+{`
	`812`	`+if (!pg_md5_encrypt(password,rolename,strlen(rolename),`
	`813`	`+encrypted_password))`
	`814`	`+elog(ERROR,"password encryption failed");`
	`815`	`+new_record[Anum_pg_authid_rolpassword-1]=`
	`816`	`+CStringGetTextDatum(encrypted_password);`
	`817`	`+}`
`853`	`818`	`new_record_repl[Anum_pg_authid_rolpassword-1]= true;`
`854`		`-pfree(encrypted_passwd);`
`855`	`819`	`}`
`856`	`820`
`857`	`821`	`/* unset password */`

`‎src/backend/utils/misc/guc.c`

Lines changed: 13 additions & 31 deletions

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,6 @@`
`35`	`35`	`#include"catalog/namespace.h"`
`36`	`36`	`#include"commands/async.h"`
`37`	`37`	`#include"commands/prepare.h"`
`38`		`-#include"commands/user.h"`
`39`	`38`	`#include"commands/vacuum.h"`
`40`	`39`	`#include"commands/variable.h"`
`41`	`40`	`#include"commands/trigger.h"`
`@@ -396,24 +395,6 @@ static const struct config_enum_entry force_parallel_mode_options[] = {`
`396`	`395`	`{NULL,0, false}`
`397`	`396`	`};`
`398`	`397`
`399`		`-/*`
`400`		`- * password_encryption used to be a boolean, so accept all the likely`
`401`		`- * variants of "on" and "off", too.`
`402`		`- */`
`403`		`-staticconststructconfig_enum_entrypassword_encryption_options[]= {`
`404`		`-{"plain",PASSWORD_TYPE_PLAINTEXT, false},`
`405`		`-{"md5",PASSWORD_TYPE_MD5, false},`
`406`		`-{"off",PASSWORD_TYPE_PLAINTEXT, false},`
`407`		`-{"on",PASSWORD_TYPE_MD5, false},`
`408`		`-{"true",PASSWORD_TYPE_MD5, true},`
`409`		`-{"false",PASSWORD_TYPE_PLAINTEXT, true},`
`410`		`-{"yes",PASSWORD_TYPE_MD5, true},`
`411`		`-{"no",PASSWORD_TYPE_PLAINTEXT, true},`
`412`		`-{"1",PASSWORD_TYPE_MD5, true},`
`413`		`-{"0",PASSWORD_TYPE_PLAINTEXT, true},`
`414`		`-{NULL,0, false}`
`415`		`-};`
`416`		`-`
`417`	`398`	`/*`
`418`	`399`	`* Options for enum values stored in other modules`
`419`	`400`	`*/`
`@@ -444,6 +425,8 @@ boolcheck_function_bodies = true;`
`444`	`425`	`booldefault_with_oids= false;`
`445`	`426`	`boolSQL_inheritance= true;`
`446`	`427`
	`428`	`+boolPassword_encryption= true;`
	`429`	`+`
`447`	`430`	`intlog_min_error_statement=ERROR;`
`448`	`431`	`intlog_min_messages=WARNING;`
`449`	`432`	`intclient_min_messages=NOTICE;`
`@@ -1342,6 +1325,17 @@ static struct config_bool ConfigureNamesBool[] =`
`1342`	`1325`	`true,`
`1343`	`1326`	`NULL,NULL,NULL`
`1344`	`1327`	`},`
	`1328`	`+{`
	`1329`	`+{"password_encryption",PGC_USERSET,CONN_AUTH_SECURITY,`
	`1330`	`+gettext_noop("Encrypt passwords."),`
	`1331`	`+gettext_noop("When a password is specified in CREATE USER or "`
	`1332`	`+"ALTER USER without writing either ENCRYPTED or UNENCRYPTED, "`
	`1333`	`+"this parameter determines whether the password is to be encrypted.")`
	`1334`	`+},`
	`1335`	`+&Password_encryption,`
	`1336`	`+true,`
	`1337`	`+NULL,NULL,NULL`
	`1338`	`+},`
`1345`	`1339`	`{`
`1346`	`1340`	`{"transform_null_equals",PGC_USERSET,COMPAT_OPTIONS_CLIENT,`
`1347`	`1341`	`gettext_noop("Treats \"expr=NULL\" as \"expr IS NULL\"."),`
`@@ -3913,18 +3907,6 @@ static struct config_enum ConfigureNamesEnum[] =`
`3913`	`3907`	`NULL,NULL,NULL`
`3914`	`3908`	`},`
`3915`	`3909`
`3916`		`-{`
`3917`		`-{"password_encryption",PGC_USERSET,CONN_AUTH_SECURITY,`
`3918`		`-gettext_noop("Encrypt passwords."),`
`3919`		`-gettext_noop("When a password is specified in CREATE USER or "`
`3920`		`-"ALTER USER without writing either ENCRYPTED or UNENCRYPTED, "`
`3921`		`-"this parameter determines whether the password is to be encrypted.")`
`3922`		`-},`
`3923`		`-&Password_encryption,`
`3924`		`-PASSWORD_TYPE_MD5,password_encryption_options,`
`3925`		`-NULL,NULL,NULL`
`3926`		`-},`
`3927`		`-`
`3928`	`3910`	`/* End-of-list marker */`
`3929`	`3911`	`{`
`3930`	`3912`	`{NULL,0,0,NULL,NULL},NULL,0,NULL,NULL,NULL,NULL`

`‎src/backend/utils/misc/postgresql.conf.sample`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ listen_addresses = '*'# what IP address(es) to listen on;`
`85`	`85`	`#ssl_key_file = 'server.key'# (change requires restart)`
`86`	`86`	`#ssl_ca_file = ''# (change requires restart)`
`87`	`87`	`#ssl_crl_file = ''# (change requires restart)`
`88`		`-#password_encryption =md5# md5 or plain`
	`88`	`+#password_encryption =on`
`89`	`89`	`#db_user_namespace = off`
`90`	`90`	`#row_security = on`
`91`	`91`

`‎src/include/commands/user.h`

Lines changed: 3 additions & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -16,19 +16,10 @@`
`16`	`16`	`#include"parser/parse_node.h"`
`17`	`17`
`18`	`18`
`19`		`-/*`
`20`		`- * Types of password, for Password_encryption GUC and the password_type`
`21`		`- * argument of the check-password hook.`
`22`		`- */`
`23`		`-typedefenumPasswordType`
`24`		`-{`
`25`		`-PASSWORD_TYPE_PLAINTEXT=0,`
`26`		`-PASSWORD_TYPE_MD5`
`27`		`-}PasswordType;`
`28`		`-`
`29`		`-externintPassword_encryption;/* GUC */`
`30`		`-`
`31`	`19`	`/* Hook to check passwords in CreateRole() and AlterRole() */`
	`20`	`+#definePASSWORD_TYPE_PLAINTEXT0`
	`21`	`+#definePASSWORD_TYPE_MD51`
	`22`	`+`
`32`	`23`	`typedefvoid (check_password_hook_type) (constcharusername,constchar*password,intpassword_type,Datumvaliduntil_time,boolvaliduntil_null);`
`33`	`24`
`34`	`25`	`externPGDLLIMPORTcheck_password_hook_typecheck_password_hook;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit215cb4f

File tree

5 files changed

5 files changed

`‎doc/src/sgml/config.sgml`

`‎src/backend/commands/user.c`

`‎src/backend/utils/misc/guc.c`

`‎src/backend/utils/misc/postgresql.conf.sample`

`‎src/include/commands/user.h`

0 commit comments