gurjeet
diff --git a/‎README.multiple_passwords
Copy file name to clipboard
Lines changed: 21 additions & 1 deletion b/‎README.multiple_passwords
Copy file name to clipboard
Lines changed: 21 additions & 1 deletion
diff --git a/‎doc/src/sgml/client-auth.sgml
Lines changed: 1 addition & 1 deletion b/‎doc/src/sgml/client-auth.sgml
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/backend/catalog/Makefile
Lines changed: 2 additions & 2 deletions b/‎src/backend/catalog/Makefile
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/backend/catalog/system_views.sql
Lines changed: 1 addition & 2 deletions b/‎src/backend/catalog/system_views.sql
Lines changed: 1 addition & 2 deletions
diff --git a/‎src/backend/commands/user.c
Lines changed: 5 additions & 43 deletions b/‎src/backend/commands/user.c
Lines changed: 5 additions & 43 deletions
diff --git a/‎src/backend/libpq/auth.c
Lines changed: 0 additions & 16 deletions b/‎src/backend/libpq/auth.c
Lines changed: 0 additions & 16 deletions
diff --git a/‎src/backend/libpq/crypt.c
Lines changed: 27 additions & 5 deletions b/‎src/backend/libpq/crypt.c
Lines changed: 27 additions & 5 deletions
diff --git a/‎src/include/commands/user.h
Lines changed: 0 additions & 1 deletion b/‎src/include/commands/user.h
Lines changed: 0 additions & 1 deletion
@@ -1,10 +1,30 @@
-Allow Users to have multiple passwords
+Allow Users to have Multiple Passwords
 ======================================
 
 This patchset allows the users to have multiple passwords. This is useful for
 cases when users are rolling over passwords, such that users/applications can
 start using new password before the old one expires.
 
+Notes
+-----
+
+is_role_valid() (backend/commands/user.c) is a new function that pulls out a
+small section of code from get_role_passwords() (backend/libpq.c). I don't think
+moving this code block to a new function gains us anything; in fact, it now
+forces us to call the new function in two new locations, which we didn't have to
+do before. It has to throw the same error messages as before, to maintain
+compatibility with external tools/libraries, hence it duplicates those messages
+as well, which is not ideal.
+
+Moreover, before the patch, in case of CheckPasswordAuth(), the error (if any)
+would have been thrown _after_ network communication done by sendAuthRequest()
+call. But after the patch, the error is thrown before the network interaction,
+hence this changes the order of network interaction and the error message. This
+may have security implications, too, but I'm unable to articulate one right now.
+
+So I removed the is_role_valid() function, and reverted the code removal from
+get_role_passwords().
+
 Patchset
 --------
 - 0001: Move passwords to a new catalog
 
@@ -1281,7 +1281,7 @@ omicron         bryanh                  guest1
    <para>
     <productname>PostgreSQL</productname> database passwords are
     separate from operating system user passwords. The password for
-    each database user is stored in the <literal>pg_authid</literal> system
+    each database user is stored in the <literal>pg_passwords</literal> system
     catalog. Passwords can be managed with the SQL commands
     <xref linkend="sql-createrole"/> and
     <xref linkend="sql-alterrole"/>,
 
@@ -90,7 +90,6 @@ CATALOG_HEADERS := \
 	pg_tablespace.h \
 	pg_authid.h \
 	pg_auth_members.h \
-	pg_auth_password.h \
 	pg_shdepend.h \
 	pg_shdescription.h \
 	pg_ts_config.h \
@@ -119,7 +118,8 @@ CATALOG_HEADERS := \
 	pg_publication_namespace.h \
 	pg_publication_rel.h \
 	pg_subscription.h \
-	pg_subscription_rel.h
+	pg_subscription_rel.h \
+	pg_auth_password.h
 
 GENERATED_HEADERS := $(CATALOG_HEADERS:%.h=%_d.h) schemapg.h system_fk_info.h
 
 
@@ -46,8 +46,7 @@ CREATE VIEW pg_shadow AS
     FROM pg_authid LEFT JOIN pg_db_role_setting s
     ON (pg_authid.oid = setrole AND setdatabase = 0)
     LEFT JOIN pg_auth_password p
-    ON p.roleid = pg_authid.oid
-
+    ON (p.roleid = pg_authid.oid)
     WHERE rolcanlogin;
 
 REVOKE ALL ON pg_shadow FROM public;
 
@@ -94,7 +94,7 @@ GrantRoleOptions createrole_self_grant_options;
 Interval *default_password_duration = NULL;
 
 /* default password name */
-const char* default_passname = "__def__";
+static const char* default_password_name = "__def__";
 
 /* Hook to check passwords in CreateRole() and AlterRole() */
 check_password_hook_type check_password_hook = NULL;
@@ -133,45 +133,7 @@ have_createrole_privilege(void)
 	return has_createrole_privilege(GetUserId());
 }
 
-/*
- * Is the role able to log in
-*/
-bool
-is_role_valid(const char *rolename, const char **logdetail)
-{
-	HeapTuple	roleTup;
-	Datum		datum;
-	bool		isnull;
-	TimestampTz vuntil = 0;
-
-	/* Get role info from pg_authid */
-	roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(rolename));
-	if (!HeapTupleIsValid(roleTup))
-	{
-		*logdetail = psprintf(_("Role \"%s\" does not exist."),
-							  rolename);
-		return false;			/* no such user */
-	}
-
-	datum = SysCacheGetAttr(AUTHNAME, roleTup,
-							Anum_pg_authid_rolvaliduntil, &isnull);
-	ReleaseSysCache(roleTup);
-
-	if (!isnull)
-		vuntil = DatumGetTimestampTz(datum);
-
-	if (!isnull && vuntil < GetCurrentTimestamp())
-	{
-		*logdetail = psprintf(_("User \"%s\" has an expired password."), rolename);
-		return false;
-	}
-
-	return true;
-}
-
-
-static
-bool
+static bool
 validate_and_get_salt(char *rolename, char **salt, const char **logdetail)
 {
 	char	  **current_secrets;
@@ -699,7 +661,7 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 								DirectFunctionCall1(namein, CStringGetDatum(passname));
 			else
 				new_password_record[Anum_pg_auth_password_name - 1] =
-								DirectFunctionCall1(namein, CStringGetDatum(default_passname));
+								DirectFunctionCall1(namein, CStringGetDatum(default_password_name));
 
 			/* open password table and insert it. */
 			pg_auth_password_rel = table_open(AuthPasswordRelationId, RowExclusiveLock);
@@ -1207,7 +1169,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 						DirectFunctionCall1(namein, CStringGetDatum(passname));
 				else
 					new_password_record[Anum_pg_auth_password_name - 1] =
-						DirectFunctionCall1(namein, CStringGetDatum(default_passname));
+						DirectFunctionCall1(namein, CStringGetDatum(default_password_name));
 			}
 		}
 	}
@@ -1248,7 +1210,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 		if (dpassName)
 			password_tuple = SearchSysCache2(AUTHPASSWORDNAME, ObjectIdGetDatum(roleid), CStringGetDatum(passname));
 		else
-			password_tuple = SearchSysCache2(AUTHPASSWORDNAME, ObjectIdGetDatum(roleid), CStringGetDatum(default_passname));
+			password_tuple = SearchSysCache2(AUTHPASSWORDNAME, ObjectIdGetDatum(roleid), CStringGetDatum(default_password_name));
 
 		if (new_password_record_nulls[Anum_pg_auth_password_password - 1] == true) /* delete existing password */
 		{
 
@@ -590,26 +590,10 @@ ClientAuthentication(Port *port)
 
 		case uaMD5:
 		case uaSCRAM:
-			/*
-			 * check to be sure we are not past rolvaliduntil
-			 */
-			if (!is_role_valid(port->user_name, &logdetail)) {
-				status = STATUS_ERROR;
-				break;
-			}
-
 			status = CheckPWChallengeAuth(port, &logdetail);
 			break;
 
 		case uaPassword:
-			/*
-			 * check to be sure we are not past rolvaliduntil
-			 */
-			if (!is_role_valid(port->user_name, &logdetail)) {
-				status = STATUS_ERROR;
-				break;
-			}
-
 			status = CheckPasswordAuth(port, &logdetail);
 			break;
 
 
@@ -47,32 +47,54 @@ get_role_passwords(const char *role, const char **logdetail, int *num)
 	CatCList   *passlist;
 	int		    i, j = 0, num_valid_passwords = 0;
 
+	*num = 0;
+
 	/* Get role info from pg_authid */
 	roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(role));
 	if (!HeapTupleIsValid(roleTup))
 	{
 		*logdetail = psprintf(_("Role \"%s\" does not exist."),
 							  role);
-		*num = 0;
 		return NULL;			/* no such user */
 	}
 
+	datum = SysCacheGetAttr(AUTHNAME, roleTup,
+							Anum_pg_authid_rolvaliduntil, &isnull);
+	if (!isnull)
+		vuntil = DatumGetTimestampTz(datum);
+
+	current = GetCurrentTimestamp();
+
+	/*
+	 * Check to be sure we are not past rolvaliduntil
+	 */
+	if (!isnull && vuntil < current)
+	{
+		/*
+		 * Although it is the role that has expired, not one of its passwords,
+		 * below we complain that the password has expired. This is to maintain
+		 * compatibility with external tools that may have come to depend on
+		 * this message when a role expires.
+		 */
+		*logdetail = psprintf(_("User \"%s\" has an expired password."),
+							  role);
+		return NULL;
+	}
+
 	datum = SysCacheGetAttr(AUTHNAME, roleTup, Anum_pg_authid_oid, &isnull);
 	ReleaseSysCache(roleTup);
-	/* Find any existing password that is not the one being updated to get the salt */
+
+	/* Find any existing password that is not the one being updated, to get the salt */
 	passlist = SearchSysCacheList1(AUTHPASSWORDNAME, datum);
 
 	if (passlist->n_members == 0)
 	{
-		*num = 0;
 		*logdetail = psprintf(_("User \"%s\" has no password assigned."),
 							  role);
 		ReleaseCatCacheList(passlist);
 		return NULL;			/* user has no password */
 	}
 
-	current = GetCurrentTimestamp();
-
 	for (i = 0; i < passlist->n_members; i++)
 	{
 		HeapTuple	tup = &passlist->members[i]->tuple;
 
@@ -29,7 +29,6 @@ typedef void (*check_password_hook_type) (const char *username, const char *shad
 
 extern PGDLLIMPORT check_password_hook_type check_password_hook;
 
-extern bool is_role_valid(const char *rolename, const char **logdetail);
 extern Oid	CreateRole(ParseState *pstate, CreateRoleStmt *stmt);
 extern Oid	AlterRole(ParseState *pstate, AlterRoleStmt *stmt);
 extern Oid	AlterRoleSet(AlterRoleSetStmt *stmt);