Apply new/0006-Add-clause-PASSWORD-val-USING-protocol-to-CREATE-ALT.patch

afiskon · afiskon · commit b1362f81319d · 2016-12-01T19:05:12.000+03:00
diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml
@@ -34,6 +34,7 @@ ALTER ROLE <replaceable class="PARAMETER">role_specification</replaceable> [ WIT
     | BYPASSRLS | NOBYPASSRLS
     | CONNECTION LIMIT <replaceable class="PARAMETER">connlimit</replaceable>
     | [ ENCRYPTED | UNENCRYPTED ] PASSWORD '<replaceable class="PARAMETER">password</replaceable>'
+    | PASSWORD ( '<replaceable class="PARAMETER">password</replaceable>' USING '<replaceable class="PARAMETER">method</replaceable>' )
     | VALID UNTIL '<replaceable class="PARAMETER">timestamp</replaceable>'
 
 ALTER ROLE <replaceable class="PARAMETER">name</replaceable> RENAME TO <replaceable>new_name</replaceable>
@@ -169,6 +170,7 @@ ALTER ROLE { <replaceable class="PARAMETER">role_specification</replaceable> | A
       <term><literal>NOBYPASSRLS</literal></term>
       <term><literal>CONNECTION LIMIT</literal> <replaceable class="parameter">connlimit</replaceable></term>
       <term><literal>PASSWORD</> <replaceable class="parameter">password</replaceable></term>
+      <term><literal>PASSWORD</> ( '<replaceable class="parameter">password</replaceable>' USING '<replaceable class="parameter">method</replaceable>' )</term>
       <term><literal>ENCRYPTED</></term>
       <term><literal>UNENCRYPTED</></term>
       <term><literal>VALID UNTIL</literal> '<replaceable class="parameter">timestamp</replaceable>'</term>
@@ -279,6 +281,14 @@ ALTER ROLE davide WITH PASSWORD 'hu8jmn3';
 </programlisting>
   </para>
 
+  <para>
+   Change a role's password using MD5-encryption:
+
+<programlisting>
+ALTER ROLE lionel WITH PASSWORD ('hu8jmn3' USING 'md5');
+</programlisting>
+  </para>
+
   <para>
    Remove a role's password:
 
diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml
@@ -34,6 +34,7 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
     | BYPASSRLS | NOBYPASSRLS
     | CONNECTION LIMIT <replaceable class="PARAMETER">connlimit</replaceable>
     | [ ENCRYPTED | UNENCRYPTED ] PASSWORD '<replaceable class="PARAMETER">password</replaceable>'
+    | PASSWORD ( '<replaceable class="PARAMETER">password</replaceable>' USING '<replaceable class="PARAMETER">method</replaceable>' )
     | VALID UNTIL '<replaceable class="PARAMETER">timestamp</replaceable>'
     | IN ROLE <replaceable class="PARAMETER">role_name</replaceable> [, ...]
     | IN GROUP <replaceable class="PARAMETER">role_name</replaceable> [, ...]
@@ -244,6 +245,23 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
       </listitem>
      </varlistentry>
 
+     <varlistentry>
+      <term><literal>PASSWORD</> ( '<replaceable class="parameter">password</replaceable>' USING '<replaceable class="parameter">method</replaceable>' )</term>
+      <listitem>
+       <para>
+        Sets the role's password using the requested method.  (A password
+        is only of use for roles having the <literal>LOGIN</literal>
+        attribute, but you can nonetheless define one for roles without it.)
+        If you do not plan to use password authentication you can omit this
+        option. The methods supported are <literal>md5</> to enforce
+        a password to be MD5-encrypted, and <literal>plain</> to use an
+        unencrypted password.  If the password string is already in
+        MD5-encrypted format, then it is stored encrypted even if
+        <literal>plain</> is specified.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry>
       <term><literal>VALID UNTIL</literal> '<replaceable class="parameter">timestamp</replaceable>'</term>
       <listitem>
@@ -425,6 +443,14 @@ CREATE USER davide WITH PASSWORD 'jw8s0F4';
    that it implies <literal>LOGIN</>.)
   </para>
 
+  <para>
+   Create a role with a MD5-encrypted password:
+
+<programlisting>
+CREATE USER lionel WITH PASSWORD ('asdh7as' USING 'md5');
+</programlisting>
+  </para>
+
   <para>
    Create a role with a password that is valid until the end of 2004.
    After one second has ticked in 2005, the password is no longer
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
@@ -176,18 +176,58 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 
 		if (strcmp(defel->defname, "password") == 0 ||
 			strcmp(defel->defname, "encryptedPassword") == 0 ||
-			strcmp(defel->defname, "unencryptedPassword") == 0)
+			strcmp(defel->defname, "unencryptedPassword") == 0 ||
+			strcmp(defel->defname, "methodPassword") == 0)
 		{
 			if (dpassword)
 				ereport(ERROR,
 						(errcode(ERRCODE_SYNTAX_ERROR),
 						 errmsg("conflicting or redundant options"),
 						 parser_errposition(pstate, defel->location)));
 			dpassword = defel;
-			if (strcmp(defel->defname, "encryptedPassword") == 0)
+			if (strcmp(defel->defname, "password") == 0)
+			{
+				/*
+				 * Password type is enforced with GUC password_encryption
+				 * here.
+				 */
+				if (dpassword && dpassword->arg)
+					password = strVal(dpassword->arg);
+			}
+			else if (strcmp(defel->defname, "encryptedPassword") == 0)
+			{
 				password_type = PASSWORD_TYPE_MD5;
+				if (dpassword && dpassword->arg)
+					password = strVal(dpassword->arg);
+			}
 			else if (strcmp(defel->defname, "unencryptedPassword") == 0)
+			{
 				password_type = PASSWORD_TYPE_PLAINTEXT;
+				if (dpassword && dpassword->arg)
+					password = strVal(dpassword->arg);
+			}
+			else if (strcmp(defel->defname, "methodPassword") == 0)
+			{
+				/*
+				 * This is a list of two elements, the password is first and
+				 * then there is the method wanted by caller.
+				 */
+				if (dpassword && dpassword->arg)
+				{
+					char *method = strVal(lsecond((List *) dpassword->arg));
+
+					password = strVal(linitial((List *) dpassword->arg));
+
+					if (strcmp(method, "md5") == 0)
+						password_type = PASSWORD_TYPE_MD5;
+					else if (strcmp(method, "plain") == 0)
+						password_type = PASSWORD_TYPE_PLAINTEXT;
+					else
+						ereport(ERROR,
+							(errcode(ERRCODE_SYNTAX_ERROR),
+							 errmsg("unsupported password method %s", method)));
+				}
+			}
 		}
 		else if (strcmp(defel->defname, "sysid") == 0)
 		{
@@ -307,8 +347,6 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 				 defel->defname);
 	}
 
-	if (dpassword && dpassword->arg)
-		password = strVal(dpassword->arg);
 	if (dissuper)
 		issuper = intVal(dissuper->arg) != 0;
 	if (dinherit)
@@ -582,17 +620,57 @@ AlterRole(AlterRoleStmt *stmt)
 
 		if (strcmp(defel->defname, "password") == 0 ||
 			strcmp(defel->defname, "encryptedPassword") == 0 ||
+			strcmp(defel->defname, "methodPassword") == 0 ||
 			strcmp(defel->defname, "unencryptedPassword") == 0)
 		{
 			if (dpassword)
 				ereport(ERROR,
 						(errcode(ERRCODE_SYNTAX_ERROR),
 						 errmsg("conflicting or redundant options")));
 			dpassword = defel;
-			if (strcmp(defel->defname, "encryptedPassword") == 0)
+			if (strcmp(defel->defname, "password") == 0)
+			{
+				/*
+				 * Password type is enforced with GUC password_encryption
+				 * here.
+				 */
+				if (dpassword && dpassword->arg)
+					password = strVal(dpassword->arg);
+			}
+			else if (strcmp(defel->defname, "encryptedPassword") == 0)
+			{
 				password_type = PASSWORD_TYPE_MD5;
+				if (dpassword && dpassword->arg)
+					password = strVal(dpassword->arg);
+			}
 			else if (strcmp(defel->defname, "unencryptedPassword") == 0)
+			{
 				password_type = PASSWORD_TYPE_PLAINTEXT;
+				if (dpassword && dpassword->arg)
+					password = strVal(dpassword->arg);
+			}
+			else if (strcmp(defel->defname, "methodPassword") == 0)
+			{
+				/*
+				 * This is a list of two elements, the password is first and
+				 * then there is the method wanted by caller.
+				 */
+				if (dpassword && dpassword->arg)
+				{
+					char *method = strVal(lsecond((List *) dpassword->arg));
+
+					if (strcmp(method, "md5") == 0)
+						password_type = PASSWORD_TYPE_MD5;
+					else if (strcmp(method, "plain") == 0)
+						password_type = PASSWORD_TYPE_PLAINTEXT;
+					else
+						ereport(ERROR,
+							(errcode(ERRCODE_SYNTAX_ERROR),
+							 errmsg("unsupported password method %s", method)));
+
+					password = strVal(linitial((List *) dpassword->arg));
+				}
+			}
 		}
 		else if (strcmp(defel->defname, "superuser") == 0)
 		{
@@ -680,8 +758,6 @@ AlterRole(AlterRoleStmt *stmt)
 				 defel->defname);
 	}
 
-	if (dpassword && dpassword->arg)
-		password = strVal(dpassword->arg);
 	if (dissuper)
 		issuper = intVal(dissuper->arg);
 	if (dinherit)
diff --git a/src/backend/parser/gram.y b/src/backend/parser/gram.y
@@ -936,6 +936,13 @@ AlterOptRoleElem:
 				{
 					$$ = makeDefElem("password", NULL, @1);
 				}
+			| PASSWORD '(' Sconst USING Sconst ')'
+				{
+					$$ = makeDefElem("methodPassword",
+									 (Node *)list_make2(makeString($3),
+														makeString($5)),
+									 @1);
+				}
 			| ENCRYPTED PASSWORD Sconst
 				{
 					$$ = makeDefElem("encryptedPassword",

Original file line number	Diff line number	Diff line change
`@@ -936,6 +936,13 @@ AlterOptRoleElem:`
`936`	`936`	`{`
`937`	`937`	`$$ = makeDefElem("password", NULL, @1);`
`938`	`938`	`}`
	`939`	`+ \| PASSWORD '(' Sconst USING Sconst ')'`
	`940`	`+ {`
	`941`	`+ $$ = makeDefElem("methodPassword",`
	`942`	`+ (Node *)list_make2(makeString($3),`
	`943`	`+ makeString($5)),`
	`944`	`+ @1);`
	`945`	`+ }`
`939`	`946`	`\| ENCRYPTED PASSWORD Sconst`
`940`	`947`	`{`
`941`	`948`	`$$ = makeDefElem("encryptedPassword",`