Add validations of wd_lifecheck_password and recovery_password format

author Masaya Kawamoto <kawamoto@sraoss.co.jp>

Thu, 10 Feb 2022 01:39:52 +0000 (01:39 +0000)

committer Masaya Kawamoto <kawamoto@sraoss.co.jp>

Thu, 10 Feb 2022 01:39:52 +0000 (01:39 +0000)
author Masaya Kawamoto <kawamoto@sraoss.co.jp>
Thu, 10 Feb 2022 01:39:52 +0000 (01:39 +0000)
committer Masaya Kawamoto <kawamoto@sraoss.co.jp>
Thu, 10 Feb 2022 01:39:52 +0000 (01:39 +0000)
diff --git a/src/auth/pool_passwd.c b/src/auth/pool_passwd.c

index 3a9107bcd9c2ccfbd572c284fb76e01c6d82f1a1..81c258b57c97d1f40ecef6d36a886341a228e391 100644 (file)
--- a/src/auth/pool_passwd.c
+++ b/src/auth/pool_passwd.c
@@ -680,3 +680,44 @@ read_pool_key(char *key_file_path)
  
  #undef LINELEN
  }
+
+/*
+ * Check password type is md5 hashed or not. recovery_password and
+ * wd_lifecheck_password are not allowed to be md5 hashed format.
+ * The kind of returns of this function is follow;
+ *  0: password is not md5 hashed
+ * -1: password is md5 hashed
+ * -2: password is not found
+ */
+int
+chceck_password_type_is_not_md5(char *username, char *password_in_config)
+{
+       PasswordType passwordType = PASSWORD_TYPE_UNKNOWN;
+       PasswordMapping *password_mapping = NULL;
+
+       /*
+        * if the password specified in config is empty string or NULL look for the
+        * password in pool_passwd file
+        */
+       if (password_in_config == NULL || strlen(password_in_config) == 0)
+       {
+               password_mapping = pool_get_user_credentials(username);
+               if (password_mapping == NULL)
+               {
+                       return -2;
+               }
+               passwordType = password_mapping->pgpoolUser.passwordType;
+       }
+       else
+       {
+               passwordType = get_password_type(password_in_config);
+       }
+
+       /* if the password type is MD5 hash return -1*/
+       if (passwordType == PASSWORD_TYPE_MD5)
+       {
+               return -1;
+       }
+
+       return 0;
+}
+\ No newline at end of file
diff --git a/src/include/auth/pool_passwd.h b/src/include/auth/pool_passwd.h

index bbcaaa8100fb8c407fae1b6d7176f13e3deff4cc..9ec244b31afcada6e91b6f7770a27ed51f2fb512 100644 (file)
--- a/src/include/auth/pool_passwd.h
+++ b/src/include/auth/pool_passwd.h
@@ -85,4 +85,5 @@ extern char *get_decrypted_password(const char *shadow_pass);
  extern char *read_pool_key(char *key_file_path);
  extern char *get_pgpool_config_user_password(char *username, char *password_in_config);
  extern void delete_passwordMapping(PasswordMapping * pwdMapping);
+extern int chceck_password_type_is_not_md5(char *username, char *password_in_config);
  #endif                                                 /* POOL_PASSWD_H */
diff --git a/src/pcp_con/recovery.c b/src/pcp_con/recovery.c

index 088826b7aa86ab09f574486052cae312744537e4..a104b4c068f788bb7ae03c4dfe34edfaca0c21cd 100644 (file)
--- a/src/pcp_con/recovery.c
+++ b/src/pcp_con/recovery.c
@@ -94,8 +94,18 @@ start_recovery(int recovery_node)
  
         conn = connect_backend_libpq(backend);
         if (conn == NULL)
+       {
+               if(chceck_password_type_is_not_md5(pool_config->recovery_user, pool_config->recovery_password) == -1)
+               {
+                       ereport(ERROR,
+                                       (errmsg("the password of recovery_user %s is invalid format",
+                                                       pool_config->recovery_user),
+                                       errdetail("recovery_password is not allowed to be md5 hashed format")));
+               }
                 ereport(ERROR,
                                 (errmsg("node recovery failed, unable to connect to main node: %d ", node_id)));
+       }
+
  
         PG_TRY();
         {
diff --git a/src/watchdog/wd_lifecheck.c b/src/watchdog/wd_lifecheck.c

index 1f2fd3af3f2cf75c72744dc81d0b9f98734901b1..e62ca01428cb7d82bc1140cf7c03e9b277664de3 100644 (file)
--- a/src/watchdog/wd_lifecheck.c
+++ b/src/watchdog/wd_lifecheck.c
@@ -1016,7 +1016,16 @@ wd_ping_pgpool(LifeCheckNode * node, char* password)
  
         conn = create_conn(node->hostName, node->pgpoolPort, password);
         if (conn == NULL)
+       {
+               if(chceck_password_type_is_not_md5(pool_config->wd_lifecheck_user, pool_config->wd_lifecheck_password) == -1)
+               {
+                       ereport(ERROR,
+                                       (errmsg("the password of wd_lifecheck_user %s is invalid format",
+                                               pool_config->recovery_user),
+                                       errdetail("wd_lifecheck_password is not allowed to be md5 hashed format")));
+               }
                 return WD_NG;
+       }
         return ping_pgpool(conn);
  }
author	Masaya Kawamoto <kawamoto@sraoss.co.jp>
	Thu, 10 Feb 2022 01:39:52 +0000 (01:39 +0000)
committer	Masaya Kawamoto <kawamoto@sraoss.co.jp>
	Thu, 10 Feb 2022 01:39:52 +0000 (01:39 +0000)
src/auth/pool_passwd.c		patch \| blob \| blame \| history
src/include/auth/pool_passwd.h		patch \| blob \| blame \| history
src/pcp_con/recovery.c		patch \| blob \| blame \| history
src/watchdog/wd_lifecheck.c		patch \| blob \| blame \| history