[CF 5792] v2 - pg_upgrade: warn about roles with md5 passwords

This branch was automatically generated by a robot using patches from an
email thread registered at:

https://commitfest.postgresql.org/patch/5792

The branch will be overwritten each time a new patch version is posted to
the thread, and also periodically to check for bitrot caused by changes
on the master branch.

Patch(es): https://www.postgresql.org/message-id/aD8sXgfJeIGLc7-t@nathan
Author(s): Nathan Bossart

Author: Commitfest Bot

src/backend/libpq/crypt.c

@@ -27,6 +27,8 @@
 /* Enables deprecation warnings for MD5 passwords. */
 bool		md5_password_warnings = true;
 
+static bool used_md5_auth = false;
+
 /*
  * Fetch stored password for a user, for authentication.
  *
@@ -210,6 +212,8 @@ md5_crypt_verify(const char *role, const char *shadow_pass,
 
 	Assert(md5_salt_len > 0);
 
+	used_md5_auth = true;
+
 	if (get_password_type(shadow_pass) != PASSWORD_TYPE_MD5)
 	{
 		/* incompatible password hash format. */
@@ -242,6 +246,19 @@ md5_crypt_verify(const char *role, const char *shadow_pass,
 	return retval;
 }
 
+void
+warn_if_md5_auth(void)
+{
+	if (md5_password_warnings && used_md5_auth)
+		ereport(WARNING,
+				(errcode(ERRCODE_WARNING_DEPRECATED_FEATURE),
+				 errmsg("authenticated with an MD5-encrypted password"),
+				 errdetail("MD5 password support is deprecated and will be removed in a future release of PostgreSQL."),
+				 errhint("Refer to the PostgreSQL documentation for details about migrating to another password type.")));
+
+	used_md5_auth = false;
+}
+
 /*
  * Check given password for given user, and return STATUS_OK or STATUS_ERROR.
  *

src/backend/utils/init/postinit.c

@@ -34,6 +34,7 @@
 #include "catalog/pg_db_role_setting.h"
 #include "catalog/pg_tablespace.h"
 #include "libpq/auth.h"
+#include "libpq/crypt.h"
 #include "libpq/libpq-be.h"
 #include "mb/pg_wchar.h"
 #include "miscadmin.h"
@@ -1234,6 +1235,8 @@ InitPostgres(const char *in_dbname, Oid dboid,
 	/* close the transaction we started above */
 	if (!bootstrap)
 		CommitTransactionCommand();
+
+	warn_if_md5_auth();
 }
 
 /*

src/bin/pg_upgrade/check.c

@@ -31,6 +31,7 @@ static void check_new_cluster_logical_replication_slots(void);
 static void check_new_cluster_subscription_configuration(void);
 static void check_old_cluster_for_valid_slots(void);
 static void check_old_cluster_subscription_state(void);
+static void check_for_md5_passwords(ClusterInfo *cluster);
 
 /*
  * DataTypesUsageChecks - definitions of data type checks for the old cluster
@@ -685,6 +686,12 @@ check_and_dump_old_cluster(void)
 	if (GET_MAJOR_VERSION(old_cluster.major_version) <= 905)
 		check_for_pg_role_prefix(&old_cluster);
 
+	/*
+	 * MD5 password support is deprecated.  Warn if any roles have MD5
+	 * passwords.
+	 */
+	check_for_md5_passwords(&old_cluster);
+
 	/*
 	 * While not a check option, we do this now because this is the only time
 	 * the old server is running.
@@ -2272,3 +2279,62 @@ check_old_cluster_subscription_state(void)
 	else
 		check_ok();
 }
+
+/*
+ * check_for_md5_passwords()
+ *
+ * As of v18, MD5 password support is marked as deprecated and to-be-removed in
+ * a future major release.
+ */
+static void
+check_for_md5_passwords(ClusterInfo *cluster)
+{
+	PGresult   *res;
+	PGconn	   *conn = connectToServer(cluster, "template1");
+	int			ntups;
+	int			i_roloid;
+	int			i_rolname;
+	FILE	   *script = NULL;
+	char		output_path[MAXPGPATH];
+
+	prep_status("Checking for roles with MD5 passwords");
+
+	snprintf(output_path, sizeof(output_path), "%s/%s",
+			 log_opts.basedir,
+			 "roles_with_md5_passwords.txt");
+
+	res = executeQueryOrDie(conn,
+							"SELECT oid AS roloid, rolname "
+							"FROM pg_catalog.pg_authid "
+							"WHERE rolpassword ~ '^md5'");
+
+	ntups = PQntuples(res);
+	i_roloid = PQfnumber(res, "roloid");
+	i_rolname = PQfnumber(res, "rolname");
+	for (int rowno = 0; rowno < ntups; rowno++)
+	{
+		if (script == NULL && (script = fopen_priv(output_path, "w")) == NULL)
+			pg_fatal("could not open file \"%s\": %m", output_path);
+		fprintf(script, "%s (oid=%s)\n",
+				PQgetvalue(res, rowno, i_rolname),
+				PQgetvalue(res, rowno, i_roloid));
+	}
+
+	PQclear(res);
+
+	PQfinish(conn);
+
+	if (script)
+	{
+		fclose(script);
+		report_status(PG_WARNING, "warning");
+		pg_log(PG_WARNING,
+			   "Your installation contains roles with MD5 passwords.\n"
+			   "Support for MD5-encrypted passwords is deprecated and will be\n"
+			   "removed in a future release of PostgreSQL.  A list of roles\n"
+			   "with MD5 passwords is in the file:\n"
+			   "    %s", output_path);
+	}
+	else
+		check_ok();
+}

src/include/libpq/crypt.h

@@ -53,6 +53,7 @@ extern char *get_role_password(const char *role, const char **logdetail);
 extern int	md5_crypt_verify(const char *role, const char *shadow_pass,
 							 const char *client_pass, const uint8 *md5_salt,
 							 int md5_salt_len, const char **logdetail);
+extern void warn_if_md5_auth(void);
 extern int	plain_crypt_verify(const char *role, const char *shadow_pass,
 							   const char *client_pass,
 							   const char **logdetail);

src/test/authentication/t/001_password.pl

@@ -68,6 +68,7 @@ sub test_conn
 $node->append_conf('postgresql.conf', "log_connections = on\n");
 # Needed to allow connect_fails to inspect postmaster log:
 $node->append_conf('postgresql.conf', "log_min_messages = debug2");
+$node->append_conf('postgresql.conf', "md5_password_warnings = off");
 $node->start;
 
 # Test behavior of log_connections GUC