user.c

PostgreSQL7.4.6 for Linux

/*-------------------------------------------------------------------------
 *
 * user.c
 *	  Commands for manipulating users and groups.
 *
 * Portions Copyright (c) 1996-2003, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
 * $Header: /cvsroot/pgsql/src/backend/commands/user.c,v 1.128 2003/10/02 06:36:37 petere Exp $
 *
 *-------------------------------------------------------------------------
 */
#include "postgres.h"

#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>

#include "access/heapam.h"
#include "catalog/catname.h"
#include "catalog/indexing.h"
#include "catalog/pg_database.h"
#include "catalog/pg_group.h"
#include "catalog/pg_shadow.h"
#include "catalog/pg_type.h"
#include "commands/user.h"
#include "libpq/crypt.h"
#include "miscadmin.h"
#include "storage/pmsignal.h"
#include "utils/acl.h"
#include "utils/array.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/guc.h"
#include "utils/lsyscache.h"
#include "utils/syscache.h"


#define PWD_FILE		"pg_pwd"
#define USER_GROUP_FILE "pg_group"


extern bool Password_encryption;

static bool user_file_update_needed = false;
static bool group_file_update_needed = false;


static void CheckPgUserAclNotNull(void);
static void UpdateGroupMembership(Relation group_rel, HeapTuple group_tuple,
					  List *members);
static IdList *IdListToArray(List *members);
static List *IdArrayToList(IdList *oldarray);


/*
 *	fputs_quote
 *
 *	Outputs string in quotes, with double-quotes duplicated.
 *	We could use quote_ident(), but that expects a TEXT argument.
 */
static void
fputs_quote(char *str, FILE *fp)
{
	fputc('"', fp);
	while (*str)
	{
		fputc(*str, fp);
		if (*str == '"')
			fputc('"', fp);
		str++;
	}
	fputc('"', fp);
}


/*
 * group_getfilename --- get full pathname of group file
 *
 * Note that result string is palloc'd, and should be freed by the caller.
 */
char *
group_getfilename(void)
{
	int			bufsize;
	char	   *pfnam;

	bufsize = strlen(DataDir) + strlen("/global/") +
		strlen(USER_GROUP_FILE) + 1;
	pfnam = (char *) palloc(bufsize);
	snprintf(pfnam, bufsize, "%s/global/%s", DataDir, USER_GROUP_FILE);

	return pfnam;
}


/*
 * Get full pathname of password file.
 *
 * Note that result string is palloc'd, and should be freed by the caller.
 */
char *
user_getfilename(void)
{
	int			bufsize;
	char	   *pfnam;

	bufsize = strlen(DataDir) + strlen("/global/") +
		strlen(PWD_FILE) + 1;
	pfnam = (char *) palloc(bufsize);
	snprintf(pfnam, bufsize, "%s/global/%s", DataDir, PWD_FILE);

	return pfnam;
}


/*
 * write_group_file: update the flat group file
 */
static void
write_group_file(Relation grel)
{
	char	   *filename,
			   *tempname;
	int			bufsize;
	FILE	   *fp;
	mode_t		oumask;
	HeapScanDesc scan;
	HeapTuple	tuple;
	TupleDesc	dsc = RelationGetDescr(grel);

	/*
	 * Create a temporary filename to be renamed later.  This prevents the
	 * backend from clobbering the pg_group file while the postmaster
	 * might be reading from it.
	 */
	filename = group_getfilename();
	bufsize = strlen(filename) + 12;
	tempname = (char *) palloc(bufsize);
	snprintf(tempname, bufsize, "%s.%d", filename, MyProcPid);

	oumask = umask((mode_t) 077);
	fp = AllocateFile(tempname, "w");
	umask(oumask);
	if (fp == NULL)
		ereport(ERROR,
				(errcode_for_file_access(),
			  errmsg("could not write to temporary file \"%s\": %m", tempname)));

	/*
	 * Read pg_group and write the file.  Note we use SnapshotSelf to
	 * ensure we see all effects of current transaction.  (Perhaps could
	 * do a CommandCounterIncrement beforehand, instead?)
	 */
	scan = heap_beginscan(grel, SnapshotSelf, 0, NULL);
	while ((tuple = heap_getnext(scan, ForwardScanDirection)) != NULL)
	{
		Datum		datum,
					grolist_datum;
		bool		isnull;
		char	   *groname;
		IdList	   *grolist_p;
		AclId	   *aidp;
		int			i,
					j,
					num;
		char	   *usename;
		bool		first_user = true;

		datum = heap_getattr(tuple, Anum_pg_group_groname, dsc, &isnull);
		/* ignore NULL groupnames --- shouldn't happen */
		if (isnull)
			continue;
		groname = NameStr(*DatumGetName(datum));

		/*
		 * Check for invalid characters in the group name.
		 */
		i = strcspn(groname, "\n");
		if (groname[i] != '\0')
		{
			ereport(LOG,
					(errmsg("invalid group name \"%s\"", groname)));
			continue;
		}

		grolist_datum = heap_getattr(tuple, Anum_pg_group_grolist, dsc, &isnull);
		/* Ignore NULL group lists */
		if (isnull)
			continue;

		/* be sure the IdList is not toasted */
		grolist_p = DatumGetIdListP(grolist_datum);

		/* scan grolist */
		num = IDLIST_NUM(grolist_p);
		aidp = IDLIST_DAT(grolist_p);
		for (i = 0; i < num; ++i)
		{
			tuple = SearchSysCache(SHADOWSYSID,
								   PointerGetDatum(aidp[i]),
								   0, 0, 0);
			if (HeapTupleIsValid(tuple))
			{
				usename = NameStr(((Form_pg_shadow) GETSTRUCT(tuple))->usename);

				/*
				 * Check for illegal characters in the user name.
				 */
				j = strcspn(usename, "\n");
				if (usename[j] != '\0')
				{
					ereport(LOG,
						  (errmsg("invalid user name \"%s\"", usename)));
					continue;
				}

				/*
				 * File format is: "dbname"    "user1" "user2" "user3"
				 */
				if (first_user)
				{
					fputs_quote(groname, fp);
					fputs("\t", fp);
				}
				else
					fputs(" ", fp);

				first_user = false;
				fputs_quote(usename, fp);

				ReleaseSysCache(tuple);
			}
		}
		if (!first_user)
			fputs("\n", fp);
		/* if IdList was toasted, free detoasted copy */
		if ((Pointer) grolist_p != DatumGetPointer(grolist_datum))
			pfree(grolist_p);
	}
	heap_endscan(scan);

	fflush(fp);
	if (ferror(fp))
		ereport(ERROR,
				(errcode_for_file_access(),
			  errmsg("could not write to temporary file \"%s\": %m", tempname)));
	FreeFile(fp);

	/*
	 * Rename the temp file to its final name, deleting the old pg_pwd. We
	 * expect that rename(2) is an atomic action.
	 */
	if (rename(tempname, filename))
		ereport(ERROR,
				(errcode_for_file_access(),
				 errmsg("could not rename file \"%s\" to \"%s\": %m",
						tempname, filename)));

	pfree((void *) tempname);
	pfree((void *) filename);
}


/*
 * write_user_file: update the flat password file
 */
static void
write_user_file(Relation urel)
{
	char	   *filename,
			   *tempname;
	int			bufsize;
	FILE	   *fp;
	mode_t		oumask;
	HeapScanDesc scan;
	HeapTuple	tuple;
	TupleDesc	dsc = RelationGetDescr(urel);

	/*
	 * Create a temporary filename to be renamed later.  This prevents the
	 * backend from clobbering the pg_pwd file while the postmaster might
	 * be reading from it.
	 */
	filename = user_getfilename();
	bufsize = strlen(filename) + 12;
	tempname = (char *) palloc(bufsize);
	snprintf(tempname, bufsize, "%s.%d", filename, MyProcPid);

	oumask = umask((mode_t) 077);
	fp = AllocateFile(tempname, "w");
	umask(oumask);
	if (fp == NULL)
		ereport(ERROR,
				(errcode_for_file_access(),
			  errmsg("could not write to temporary file \"%s\": %m", tempname)));

	/*
	 * Read pg_shadow and write the file.  Note we use SnapshotSelf to
	 * ensure we see all effects of current transaction.  (Perhaps could
	 * do a CommandCounterIncrement beforehand, instead?)
	 */
	scan = heap_beginscan(urel, SnapshotSelf, 0, NULL);
	while ((tuple = heap_getnext(scan, ForwardScanDirection)) != NULL)
	{
		Datum		datum;
		bool		isnull;
		char	   *usename,
				   *passwd,
				   *valuntil;
		int			i;

		datum = heap_getattr(tuple, Anum_pg_shadow_usename, dsc, &isnull);
		/* ignore NULL usernames (shouldn't happen) */
		if (isnull)
			continue;
		usename = NameStr(*DatumGetName(datum));

		datum = heap_getattr(tuple, Anum_pg_shadow_passwd, dsc, &isnull);

		/*
		 * It can be argued that people having a null password shouldn't
		 * be allowed to connect under password authentication, because
		 * they need to have a password set up first. If you think
		 * assuming an empty password in that case is better, change this
		 * logic to look something like the code for valuntil.
		 */
		if (isnull)
			continue;

		passwd = DatumGetCString(DirectFunctionCall1(textout, datum));

		datum = heap_getattr(tuple, Anum_pg_shadow_valuntil, dsc, &isnull);
		if (isnull)
			valuntil = pstrdup("");
		else
			valuntil = DatumGetCString(DirectFunctionCall1(abstimeout, datum));

		/*
		 * Check for illegal characters in the username and password.
		 */
		i = strcspn(usename, "\n");
		if (usename[i] != '\0')
		{
			ereport(LOG,
					(errmsg("invalid user name \"%s\"", usename)));
			continue;
		}
		i = strcspn(passwd, "\n");
		if (passwd[i] != '\0')
		{
			ereport(LOG,
					(errmsg("invalid user password \"%s\"", passwd)));
			continue;
		}

		/*
		 * The extra columns we emit here are not really necessary. To
		 * remove them, the parser in backend/libpq/crypt.c would need to
		 * be adjusted.
		 */
		fputs_quote(usename, fp);
		fputs(" ", fp);
		fputs_quote(passwd, fp);
		fputs(" ", fp);
		fputs_quote(valuntil, fp);
		fputs("\n", fp);

		pfree(passwd);
		pfree(valuntil);
	}
	heap_endscan(scan);

	fflush(fp);
	if (ferror(fp))
		ereport(ERROR,
				(errcode_for_file_access(),
			  errmsg("could not write to temporary file \"%s\": %m", tempname)));
	FreeFile(fp);

	/*
	 * Rename the temp file to its final name, deleting the old pg_pwd. We
	 * expect that rename(2) is an atomic action.
	 */
	if (rename(tempname, filename))
		ereport(ERROR,
				(errcode_for_file_access(),
				 errmsg("could not rename file \"%s\" to \"%s\": %m",
						tempname, filename)));

	pfree((void *) tempname);
	pfree((void *) filename);
}


/*
 * This trigger is fired whenever someone modifies pg_shadow or pg_group
 * via general-purpose INSERT/UPDATE/DELETE commands.
 *
 * XXX should probably have two separate triggers.
 */
Datum
update_pg_pwd_and_pg_group(PG_FUNCTION_ARGS)
{
	user_file_update_needed = true;
	group_file_update_needed = true;

	return PointerGetDatum(NULL);
}


/*
 * This routine is called during transaction commit or abort.
 *
 * On commit, if we've written pg_shadow or pg_group during the current
 * transaction, update the flat files and signal the postmaster.
 *
 * On abort, just reset the static flags so we don't try to do it on the
 * next successful commit.
 *
 * NB: this should be the last step before actual transaction commit.
 * If any error aborts the transaction after we run this code, the postmaster
 * will still have received and cached the changed data; so minimize the
 * window for such problems.
 */
void
AtEOXact_UpdatePasswordFile(bool isCommit)
{
	Relation	urel = NULL;
	Relation	grel = NULL;

	if (!(user_file_update_needed || group_file_update_needed))
		return;

	if (!isCommit)
	{
		user_file_update_needed = false;
		group_file_update_needed = false;
		return;
	}

	/*
	 * We use ExclusiveLock to ensure that only one backend writes the
	 * flat file(s) at a time.	That's sufficient because it's okay to
	 * allow plain reads of the tables in parallel.  There is some chance
	 * of a deadlock here (if we were triggered by a user update of
	 * pg_shadow or pg_group, which likely won't have gotten a strong
	 * enough lock), so get the locks we need before writing anything.
	 */
	if (user_file_update_needed)
		urel = heap_openr(ShadowRelationName, ExclusiveLock);
	if (group_file_update_needed)
		grel = heap_openr(GroupRelationName, ExclusiveLock);

	/* Okay to write the files */
	if (user_file_update_needed)
	{
		user_file_update_needed = false;
		write_user_file(urel);
		heap_close(urel, NoLock);
	}

	if (group_file_update_needed)
	{
		group_file_update_needed = false;
		write_group_file(grel);
		heap_close(grel, NoLock);
	}

	/*
	 * Signal the postmaster to reload its password & group-file cache.
	 */
	SendPostmasterSignal(PMSIGNAL_PASSWORD_CHANGE);
}



/*
 * CREATE USER
 */
void
CreateUser(CreateUserStmt *stmt)
{
	Relation	pg_shadow_rel;
	TupleDesc	pg_shadow_dsc;
	HeapScanDesc scan;
	HeapTuple	tuple;
	Datum		new_record[Natts_pg_shadow];
	char		new_record_nulls[Natts_pg_shadow];
	bool		user_exists = false,
				sysid_exists = false,
				havesysid = false;
	int			max_id;
	List	   *item,
			   *option;
	char	   *password = NULL;	/* PostgreSQL user password */
	bool		encrypt_password = Password_encryption; /* encrypt password? */
	char		encrypted_password[MD5_PASSWD_LEN + 1];
	int			sysid = 0;		/* PgSQL system id (valid if havesysid) */
	bool		createdb = false;		/* Can the user create databases? */
	bool		createuser = false;		/* Can this user create users? */
	List	   *groupElts = NIL;	/* The groups the user is a member of */
	char	   *validUntil = NULL;		/* The time the login is valid
										 * until */
	DefElem    *dpassword = NULL;
	DefElem    *dsysid = NULL;
	DefElem    *dcreatedb = NULL;
	DefElem    *dcreateuser = NULL;
	DefElem    *dgroupElts = NULL;
	DefElem    *dvalidUntil = NULL;

	/* Extract options from the statement node tree */
	foreach(option, stmt->options)
	{
		DefElem    *defel = (DefElem *) lfirst(option);

		if (strcmp(defel->defname, "password") == 0 ||
			strcmp(defel->defname, "encryptedPassword") == 0 ||
			strcmp(defel->defname, "unencryptedPassword") == 0)
		{
			if (dpassword)
				ereport(ERROR,
						(errcode(ERRCODE_SYNTAX_ERROR),
						 errmsg("conflicting or redundant options")));
			dpassword = defel;
			if (strcmp(defel->defname, "encryptedPassword") == 0)
				encrypt_password = true;
			else if (strcmp(defel->defname, "unencryptedPassword") == 0)
				encrypt_password = false;
		}
		else if (strcmp(defel->defname, "sysid") == 0)
		{
			if (dsysid)
				ereport(ERROR,
						(errcode(ERRCODE_SYNTAX_ERROR),
						 errmsg("conflicting or redundant options")));
			dsysid = defel;
		}
		else if (strcmp(defel->defname, "createdb") == 0)
		{
			if (dcreatedb)
				ereport(ERROR,
						(errcode(ERRCODE_SYNTAX_ERROR),
						 errmsg("conflicting or redundant options")));
			dcreatedb = defel;
		}
		else if (strcmp(defel->defname, "createuser") == 0)
		{
			if (dcreateuser)
				ereport(ERROR,
						(errcode(ERRCODE_SYNTAX_ERROR),
						 errmsg("conflicting or redundant options")));
			dcreateuser = defel;
		}
		else if (strcmp(defel->defname, "groupElts") == 0)
		{
			if (dgroupElts)
				ereport(ERROR,
						(errcode(ERRCODE_SYNTAX_ERROR),
						 errmsg("conflicting or redundant options")));
			dgroupElts = defel;
		}
		else if (strcmp(defel->defname, "validUntil") == 0)
		{
			if (dvalidUntil)
				ereport(ERROR,
						(errcode(ERRCODE_SYNTAX_ERROR),
						 errmsg("conflicting or redundant options")));
			dvalidUntil = defel;
		}
		else
			elog(ERROR, "option \"%s\" not recognized",
				 defel->defname);
	}

	if (dcreatedb)
		createdb = intVal(dcreatedb->arg) != 0;
	if (dcreateuser)
		createuser = intVal(dcreateuser->arg) != 0;
	if (dsysid)
	{
		sysid = intVal(dsysid->arg);
		if (sysid <= 0)