readme index

2022-05-12 10:42:58 +02:00 · 2022-05-12 10:42:29 +02:00 · 2022-05-12 10:41:40 +02:00 · 2022-05-12 10:39:15 +02:00 · 2022-05-12 10:37:40 +02:00 · 2022-05-12 10:36:16 +02:00
5 changed files with 157 additions and 91 deletions
@@ -1,13 +1,36 @@
 # PostgreSQL expiration date management functions
 ## Table of Contents
 1. [TOC](README.md#postgresql-expiration-date-management-functions)
 	1. [Description](README.md#description)
 	2. [Instructions](README.md#instructions)
 	3. [Helper script](README.md#helper-script)
 	4. [RDS considerations](README.md#rds-considerations)
 	5. [Security considerations](README.md#security-considerations)
 ## Description
 This project tries to find a way to allow users the management of the `VALID UNTIL` expiration clause by themself.
-All without granting `super` permissions and having a histoc of changes on a _pseudo-audit_ table
+Everyghin without granting `super` permissions and having a histoc of changes on a _pseudo-audit_ table.
 You can easly combine this functions with the [passwordcheck extra](https://github.com/michaelpq/pg_plugins/tree/main/passwordcheck_extra) extension, the regex inside `dba.change_valid_until` match the _default_ requirements in the extension for special characters and you can change the variable `_min_password_length` to match your requirements (in the case you changed it, of course).
 | :warning: WARNING          |
 |:---------------------------|
 | Amazon RDS has some notes at the end... |
 | :warning: WARNING          |
 ## Instructions
 ### First deploy
 Modify `passchanger.sql` according your needings:
  * Change `_min_password_length` on `change_my_password` function
  * Change `_password_lifetime` on `change_valid_until` function
 Deploy `passchanger.sql` on the desired cluster/database.
 It will:
@@ -18,6 +41,17 @@ It will:
  * Create the 2 needed functions and grant permissions on them to `dba`
 ### Updates
 Just execute the `CREATE OR REPLACE FUNCTION` part of the `passchanger.sql` file.
 | :warning: WARNING          |
 |:---------------------------|
 | Amazon RDS has some notes at the end... |
 | :warning: WARNING          |
 ### Allowing users to use that functions
 Take the file `grants_to_grant.sql` and modify the username _dodger_ so it match the username that should have the permissions.
 Execute the grants on the cluster/database you have deployed `passchanger.sql`
@@ -43,3 +77,26 @@ dodger@ciberterminal.net $ bash password_creator.sh
 select dba.change_my_password('<Wl}TxqRPBQaV_N<rU#A') ;
 -- ##############################################
 ```
 ## RDS considerations
 As Amazon has modified Postgresql so you don't have access as a *real* superuser and the _dangerous_ function
 `change_valid_until` should run as the owner of the database (the user created when you deploy the database through AWS)
 There's a `passchanger_rds.sql` file which should be used instead of the normal one.
 For updates you should change the owner of the `change_valid_until` to the database _owner_:
 ```
 ALTER FUNCTION dba.change_valid_until(text) OWNER TO _DATABASEOWNER;
 ```
 Modify `_DATABASEOWNER` according your admin username...
 ## Security considerations
  * Non-RDS `change_valid_until` function does not uses `ALTER USER` to modify `VALID UNTIL`, it makes an `update pg_catalog.pg_authid set rolvaliduntil` instead, so the `dba` user has only grant over that table/column instead of granting additional permissions to him.
  * RDS `change_valid_until` should run as the database owner, is the only way to make this work as you can't access `pg_catalog.pg_authid` on rds, it uses `ALTER USER ... VALID UNTIL` instead.
@@ -14,11 +14,3 @@ GRANT INSERT ON TABLE dba.pwdhistory TO dodger;
 -- SET SESSION AUTORIZATION dodger ;
 'tV4{A#&x|P%hKM9*}4a0'
 select dba.change_my_password( 'XFF{O>%|<e%_#F$pHqaB' ) ;
 XFF{O>%|<e%_#F$pHqaB
@@ -1,12 +0,0 @@
 -- grant usage for schema dba
 grant usage on schema dba to dodger ;
 -- grant execute on the function change_my_password
 grant execute on function dba.change_my_password(text) to dodger;
 -- grant execute on the function change_valid_until
 grant execute on function dba.change_valid_until(text) to dodger;
 -- only insert is needed to allow audit trace
 GRANT INSERT ON TABLE dba.pwdhistory TO dodger;
@@ -39,6 +39,8 @@ ALTER TABLE IF EXISTS dba.pwdhistory
 -- ######################################
 -- ######################################
 drop function if exists dba.change_valid_until ;
 CREATE OR REPLACE FUNCTION dba.change_valid_until(_usename text)
    RETURNS integer
    SECURITY DEFINER
@@ -49,44 +51,45 @@ AS $BODY$
 declare
    _invokingfunction text := '';
    _matches text;
-   _password_lifetime int := 120;  -- specify password lifetime
+    _password_lifetime integer := 120 ;  -- specify password lifetime in days
    _retval  INTEGER;
    _expiration_date numeric ;
 begin
    select extract(epoch from localtimestamp) into _expiration_date;
    select _expiration_date+(_password_lifetime*24*60*60) into _expiration_date;
    select query into _invokingfunction from pg_stat_activity where pid = pg_backend_pid() ;
--     raise notice 'Invoking function: %', _invokingfunction;
+    -- first, checking the invoking function
    --_matches := regexp_matches(_invokingfunction, E'select dba\.change_my_password\\(''([[:alnum:]]|@|\\$|#|%|\\^|&|\\*|\\(|\\)|\\_|\\+|\\{|\\}|\\||<|>|\\?|=|!){11,100}''\\)[[:space:]]{0,};' , 'i');
    _matches := regexp_matches(_invokingfunction, E'select dba\.change_my_password\\(.*\\)[[:space:]]{0,};' , 'i');
 --     raise notice 'Matches: %', _matches;
    if _matches IS NOT NULL then
-      EXECUTE format('update pg_catalog.pg_authid set rolvaliduntil=now() + interval ''120 days'' where rolname=''%I'' ', _usename);
+      -- then checking the regex for the password
-      return 0;
+        _matches := regexp_matches(_invokingfunction, E'select dba\.change_my_password\\([[:space:]]{0,}''([[:alnum:]]|@|\\$|#|%|\\^|&|\\*|\\(|\\)|\\_|\\+|\\{|\\}|\\||<|>|\\?|=|!){11,100}''[[:space:]]{0,}\\)[[:space:]]{0,};' , 'i');
        _matches := regexp_matches(_invokingfunction, E'select dba\.change_my_password\\(''([[:alnum:]]|@|\\$|#|%|\\^|&|\\*|\\(|\\)|\\_|\\+|\\{|\\}|\\||<|>|\\?|=|!){11,100}''\\)[[:space:]]{0,};' , 'i');
        if _matches IS NOT NULL then
-            --EXECUTE format('update pg_catalog.pg_authid set rolvaliduntil=now() + interval ''120 days'' where rolname=''%I'' ', _usename);
+            EXECUTE format('update pg_catalog.pg_authid set rolvaliduntil=to_timestamp(%L) where rolname=%L ', _expiration_date, _usename);
-            EXECUTE format('ALTER ROLE ''%I'' WITH PASSWORD ''%L'' VALID UNTIL now() + interval ''%I days'' ;', _usename, _thepassword, _password_lifetime)
+            -- INTO _retval;
-            INTO _retval;
+            RETURN 0;
            RETURN _retval;
        else
            raise exception 'Regular expresion for password check failed'
            using errcode = '22023'  -- 22023 = "invalid_parameter_value'
            , detail = 'Check your generated password an try again'
            , hint = 'Read the official documentation' ;
            RETURN 1;
        end if;
-    else  -- also catches NULL
+    else  
      -- also catches NULL
      -- raise custom error
      raise exception 'You''re not allowed to run this function directly'
      using errcode = '22023'  -- 22023 = "invalid_parameter_value'
          , detail = 'Please call dba.change_my_password function.'
          , hint = 'Invoked function: ' || _invokingfunction ;
      RETURN 1;
    end if;
 end
 $BODY$;
-ALTER FUNCTION dba.change_valid_until(text)
+ALTER FUNCTION dba.change_valid_until(text) OWNER TO dba;
    OWNER TO dba;
 REVOKE EXECUTE ON FUNCTION dba.change_valid_until(text) From PUBLIC;
 CREATE OR REPLACE FUNCTION dba.change_my_password(_password text)
    RETURNS integer
    SECURITY INVOKER
@@ -99,12 +102,14 @@ declare
    _usename text := '';
    _useraddress text := '';
    _userapp text := '';
    _retval integer ;
 begin
   select user into _usename;
   if user = 'postgres' then
      raise exception 'This function should not be run by user postgres'
      using errcode = '22024'  -- 22023 = "invalid_parameter_value'
          , detail = 'Use a named user only.' ;
      return 1;
   end if;
   if length(_password) < _min_password_length then
@@ -114,24 +119,34 @@ begin
      using errcode = '22023'  -- 22023 = "invalid_parameter_value'
          , detail = 'Please check your password.'
          , hint = 'Password must be at least ' || _min_password_length || ' characters.';
      return 1;
   end if;
   select client_addr into _useraddress from pg_stat_activity where pid = pg_backend_pid() ;
   select application_name into _userapp from pg_stat_activity where pid = pg_backend_pid() ;
    --PERFORM dba.change_valid_until(_usename) ;
    SELECT dba.change_valid_until(_usename)
        INTO _retval;
    -- this will be executed by the username invoking this function
    if _retval = 0 then
        EXECUTE format('ALTER USER %I WITH PASSWORD %L', _usename, _password);
    PERFORM dba.change_valid_until(_usename) ;
        insert into dba.pwdhistory
               (usename, usename_addres, application_name, password, changed_on)
        values (_usename, _useraddress, _userapp, md5(_password),now());
        raise notice 'Password changed' ;
    else
        raise exception 'Could not change expiration date, please check'
        using errcode = '22023'  -- 22023 = "invalid_parameter_value'
            , detail = 'contact the dba' ;
        return 1;
    end if;
    return 0;
 end
 $BODY$;
-ALTER FUNCTION dba.change_my_password(text)
+ALTER FUNCTION dba.change_my_password(text) OWNER TO dba;
    OWNER TO dba;
 REVOKE EXECUTE ON FUNCTION dba.change_my_password(text) From PUBLIC;
@@ -6,11 +6,10 @@ create schema dba ;
 create role dba with NOLOGIN NOINHERIT ;
 -- grants for dba
-GRANT rds_superuser TO dba ;
+-- GRANT rds_superuser TO dba ;
 -- grant select on pg_catalog.pg_authid to dba ;
-grant pg_read_all_stats to dba ;
+-- grant pg_read_all_stats to dba ;
 -- password history table
 CREATE TABLE IF NOT EXISTS dba.pwdhistory
@@ -40,7 +39,7 @@ ALTER TABLE IF EXISTS dba.pwdhistory
 -- ######################################
 -- ######################################
-drop function dba.change_valid_until ;
+drop function if exists dba.change_valid_until ;
 CREATE OR REPLACE FUNCTION dba.change_valid_until(_usename text, _thepassword text)
    RETURNS integer
@@ -52,23 +51,24 @@ AS $BODY$
 declare
    _invokingfunction text := '';
    _matches text;
-   _password_lifetime int := 120;  -- specify password lifetime
+    _password_lifetime integer := 120 ;  -- specify password lifetime in days
-   _retval  INTEGER;
+    _retval  integer;
-   _expiration_date text;
+    _expiration_epoch numeric ;
    _expiration_date timestamp ;
 begin
-    select now() + interval '120 days' into _expiration_date ;
+    select extract(epoch from localtimestamp) into _expiration_epoch;
    select _expiration_epoch+(_password_lifetime*24*60*60) into _expiration_epoch;
    select to_timestamp(_expiration_epoch) into _expiration_date ;
    select query into _invokingfunction from pg_stat_activity where pid = pg_backend_pid() ;
--     raise notice 'Invoking function: %', _invokingfunction;
+    -- first, checking the invoking function
    --_matches := regexp_matches(_invokingfunction, E'select dba\.change_my_password\\(''([[:alnum:]]|@|\\$|#|%|\\^|&|\\*|\\(|\\)|\\_|\\+|\\{|\\}|\\||<|>|\\?|=|!){11,100}''\\)[[:space:]]{0,};' , 'i');
    _matches := regexp_matches(_invokingfunction, E'select dba\.change_my_password\\(.*\\)[[:space:]]{0,};' , 'i');
 --     raise notice 'Matches: %', _matches;
    if _matches IS NOT NULL then
 --        _matches := regexp_matches(_invokingfunction, E'select dba\.change_my_password\\(''([[:alnum:]]|@|\\$|#|%|\\^|&|\\*|\\(|\\)|\\_|\\+|\\{|\\}|\\||<|>|\\?|=|!){11,100}''\\)[[:space:]]{0,};' , 'i');
    _matches := regexp_matches(_invokingfunction, E'select dba\.change_my_password\\(.*\\)[[:space:]]{0,};' , 'i');
    if _matches IS NOT NULL then
-            --EXECUTE format('update pg_catalog.pg_authid set rolvaliduntil=now() + interval ''120 days'' where rolname=''%I'' ', _usename);
+        -- then checking the regex for the password
-            EXECUTE format('ALTER ROLE %I WITH PASSWORD %L VALID UNTIL ''%I'' ;', _usename, _thepassword, _expiration_date);
+        _matches := regexp_matches(_invokingfunction, E'select dba\.change_my_password\\([[:space:]]{0,}''([[:alnum:]]|@|\\$|#|%|\\^|&|\\*|\\(|\\)|\\_|\\+|\\{|\\}|\\||<|>|\\?|=|!){11,100}''[[:space:]]{0,}\\)[[:space:]]{0,};' , 'i');
-            --EXECUTE format('ALTER ROLE %I WITH PASSWORD %L VALID UNTIL now() + interval ''120 days'' ;', _usename, _thepassword);
+        if _matches IS NOT NULL then
 --            EXECUTE format('ALTER ROLE %I WITH PASSWORD %L VALID UNTIL to_timestamp(%L) ;', _usename, _thepassword, _expiration_date);
            EXECUTE format('ALTER ROLE %I WITH PASSWORD %L VALID UNTIL %L ;', _usename, _thepassword, _expiration_date);
            -- INTO _retval;
            RETURN 0;
        else
@@ -76,22 +76,26 @@ begin
            using errcode = '22023'  -- 22023 = "invalid_parameter_value'
            , detail = 'Check your generated password (' || _thepassword || ') an try again'
            , hint = 'Read the official documentation' ;
            RETURN 1;
        end if;
-    else  -- also catches NULL
+    else  
      -- also catches NULL
      -- raise custom error
      raise exception 'You''re not allowed to run this function directly'
      using errcode = '22023'  -- 22023 = "invalid_parameter_value'
          , detail = 'Please call dba.change_my_password function.'
          , hint = 'Invoked function: ' || _invokingfunction ;
      RETURN 1;
    end if;
 end
 $BODY$;
-- ALTER FUNCTION dba.change_valid_until(text, text) OWNER TO postgres;
+-- ALTER FUNCTION dba.change_valid_until(text, text) OWNER TO dba;
 ALTER FUNCTION dba.change_valid_until(text, text) OWNER TO dba;
 REVOKE EXECUTE ON FUNCTION dba.change_valid_until(text, text) From PUBLIC;
 drop function if exists dba.change_my_password ;
 CREATE OR REPLACE FUNCTION dba.change_my_password(_password text)
    RETURNS integer
    SECURITY INVOKER
@@ -104,12 +108,14 @@ declare
    _usename text := '';
    _useraddress text := '';
    _userapp text := '';
    _retval integer ;
 begin
    select user into _usename;
    if user = 'postgres' then
        raise exception 'This function should not be run by user postgres'
        using errcode = '22024'  -- 22023 = "invalid_parameter_value'
          , detail = 'Use a named user only.' ;
      return 1;
    end if;
    if length(_password) < _min_password_length then
@@ -119,19 +125,27 @@ begin
      using errcode = '22023'  -- 22023 = "invalid_parameter_value'
          , detail = 'Please check your password.'
          , hint = 'Password must be at least ' || _min_password_length || ' characters.';
      return 1;
    end if;
    select client_addr into _useraddress from pg_stat_activity where pid = pg_backend_pid() ;
    select application_name into _userapp from pg_stat_activity where pid = pg_backend_pid() ;
-   PERFORM dba.change_valid_until(_usename, _password) ;
+    --PERFORM dba.change_valid_until(_usename, _password) ;
    SELECT dba.change_valid_until(_usename, _password)
        INTO _retval;
    if _retval = 0 then
        insert into dba.pwdhistory
               (usename, usename_addres, application_name, password, changed_on)
        values (_usename, _useraddress, _userapp, md5(_password),now());
--
+        raise notice 'Password changed' ;
--
+    else
--
+        raise exception 'Could not change expiration date, please check'
        using errcode = '22023'  -- 22023 = "invalid_parameter_value'
            , detail = 'contact the dba' ;
        return 1;
    end if;
    return 0;
 end
Author	SHA1	Message	Date
dodger	cede091499	readme index	2022-05-12 10:42:58 +02:00
dodger	0b7982acdd	readme index	2022-05-12 10:42:29 +02:00
dodger	731b1af845	readme index	2022-05-12 10:41:40 +02:00
dodger	78413a5eab	readme index	2022-05-12 10:39:15 +02:00
dodger	748a179781	readme index	2022-05-12 10:37:40 +02:00
dodger	d51a0e1650	readme index	2022-05-12 10:36:16 +02:00
dodger	beeaf571aa	readme improvements	2022-05-12 10:31:10 +02:00
dodger	0aa4bd81fb	more detailed readme	2022-05-12 09:05:39 +02:00
dodger	dbe1c21dd6	Updated readme	2022-05-10 11:26:18 +02:00
dodger	c856d5462f	changes and bugfixes	2022-05-10 11:20:19 +02:00
dodger	aa85a3b78b	changes applied to rds	2022-05-10 11:08:27 +02:00
dodger	72aceed586	huge improvements	2022-05-10 11:04:24 +02:00
dodger	6b86f3f111	minor bugfix	2022-05-09 18:12:54 +02:00
dodger	3d8b1bd3d9	Merged documentation	2022-05-09 18:05:15 +02:00
dodger	2f364bce8a	Improvements	2022-05-09 18:02:43 +02:00
dodger	7138110090	Added README_rds.md	2022-05-09 17:59:16 +02:00
dodger	66fa61fdb6	bugfixes	2022-05-09 17:56:31 +02:00
dodger	270db13e60	bugfixes	2022-05-09 17:56:08 +02:00