From 7ec74730be862ee45561a782390b646545a781d3 Mon Sep 17 00:00:00 2001 From: Masaya Kawamoto Date: Thu, 10 Feb 2022 01:39:52 +0000 Subject: [PATCH] Add validations of wd_lifecheck_password and recovery_password format This feature was reverted once due to regression test failure by dea2fbf65fdb3250f825e20f20fc3081779d8a3e. --- src/auth/pool_passwd.c | 41 ++++++++++++++++++++++++++++++++++ src/include/auth/pool_passwd.h | 1 + src/pcp_con/recovery.c | 10 +++++++++ src/watchdog/wd_lifecheck.c | 9 ++++++++ 4 files changed, 61 insertions(+) diff --git a/src/auth/pool_passwd.c b/src/auth/pool_passwd.c index 3a9107bcd..81c258b57 100644 --- a/src/auth/pool_passwd.c +++ b/src/auth/pool_passwd.c @@ -680,3 +680,44 @@ read_pool_key(char *key_file_path) #undef LINELEN } + +/* + * Check password type is md5 hashed or not. recovery_password and + * wd_lifecheck_password are not allowed to be md5 hashed format. + * The kind of returns of this function is follow; + * 0: password is not md5 hashed + * -1: password is md5 hashed + * -2: password is not found + */ +int +chceck_password_type_is_not_md5(char *username, char *password_in_config) +{ + PasswordType passwordType = PASSWORD_TYPE_UNKNOWN; + PasswordMapping *password_mapping = NULL; + + /* + * if the password specified in config is empty string or NULL look for the + * password in pool_passwd file + */ + if (password_in_config == NULL || strlen(password_in_config) == 0) + { + password_mapping = pool_get_user_credentials(username); + if (password_mapping == NULL) + { + return -2; + } + passwordType = password_mapping->pgpoolUser.passwordType; + } + else + { + passwordType = get_password_type(password_in_config); + } + + /* if the password type is MD5 hash return -1*/ + if (passwordType == PASSWORD_TYPE_MD5) + { + return -1; + } + + return 0; +} \ No newline at end of file diff --git a/src/include/auth/pool_passwd.h b/src/include/auth/pool_passwd.h index bbcaaa810..9ec244b31 100644 --- a/src/include/auth/pool_passwd.h +++ b/src/include/auth/pool_passwd.h @@ -85,4 +85,5 @@ extern char *get_decrypted_password(const char *shadow_pass); extern char *read_pool_key(char *key_file_path); extern char *get_pgpool_config_user_password(char *username, char *password_in_config); extern void delete_passwordMapping(PasswordMapping * pwdMapping); +extern int chceck_password_type_is_not_md5(char *username, char *password_in_config); #endif /* POOL_PASSWD_H */ diff --git a/src/pcp_con/recovery.c b/src/pcp_con/recovery.c index 088826b7a..a104b4c06 100644 --- a/src/pcp_con/recovery.c +++ b/src/pcp_con/recovery.c @@ -94,8 +94,18 @@ start_recovery(int recovery_node) conn = connect_backend_libpq(backend); if (conn == NULL) + { + if(chceck_password_type_is_not_md5(pool_config->recovery_user, pool_config->recovery_password) == -1) + { + ereport(ERROR, + (errmsg("the password of recovery_user %s is invalid format", + pool_config->recovery_user), + errdetail("recovery_password is not allowed to be md5 hashed format"))); + } ereport(ERROR, (errmsg("node recovery failed, unable to connect to main node: %d ", node_id))); + } + PG_TRY(); { diff --git a/src/watchdog/wd_lifecheck.c b/src/watchdog/wd_lifecheck.c index 1f2fd3af3..e62ca0142 100644 --- a/src/watchdog/wd_lifecheck.c +++ b/src/watchdog/wd_lifecheck.c @@ -1016,7 +1016,16 @@ wd_ping_pgpool(LifeCheckNode * node, char* password) conn = create_conn(node->hostName, node->pgpoolPort, password); if (conn == NULL) + { + if(chceck_password_type_is_not_md5(pool_config->wd_lifecheck_user, pool_config->wd_lifecheck_password) == -1) + { + ereport(ERROR, + (errmsg("the password of wd_lifecheck_user %s is invalid format", + pool_config->recovery_user), + errdetail("wd_lifecheck_password is not allowed to be md5 hashed format"))); + } return WD_NG; + } return ping_pgpool(conn); } -- 2.39.5