Mercurial > gemma
comparison schema/manage_users.sql @ 262:92470caf81fd
Add database function to check password against policy
Though it is currently only used in sys_admin-exclusive
functions, it is exposed to normal users because there is
nothing to hide and users should be able to change (and
check) their password, too.
| author | Tom Gottfried <tom@intevation.de> |
|---|---|
| date | Fri, 27 Jul 2018 15:26:16 +0200 |
| parents | 946baea3d280 |
| children | 13ad969a9138 |
comparison
equal
deleted
inserted
replaced
| 261:ab9859981ee3 | 262:92470caf81fd |
|---|---|
| 1 -- | 1 -- |
| 2 -- Functions encapsulating user management functionality and | 2 -- Functions encapsulating user management functionality and |
| 3 -- exposing it to privileged users | 3 -- exposing it to appropriately privileged users |
| 4 -- | 4 -- |
| 5 | |
| 6 CREATE OR REPLACE FUNCTION users.check_password( | |
| 7 pw varchar | |
| 8 ) | |
| 9 RETURNS varchar | |
| 10 AS $$ | |
| 11 DECLARE | |
| 12 min_len CONSTANT int = 8; | |
| 13 BEGIN | |
| 14 IF char_length(pw) < min_len | |
| 15 OR pw NOT SIMILAR TO '%[^[:alnum:]]%' | |
| 16 OR pw NOT SIMILAR TO '%[[:digit:]]%' | |
| 17 THEN | |
| 18 RAISE invalid_password USING MESSAGE = 'Invalid password'; | |
| 19 ELSE | |
| 20 RETURN pw; | |
| 21 END IF; | |
| 22 END; | |
| 23 $$ | |
| 24 LANGUAGE plpgsql; | |
| 25 | |
| 5 | 26 |
| 6 CREATE OR REPLACE VIEW sys_admin.list_users AS | 27 CREATE OR REPLACE VIEW sys_admin.list_users AS |
| 7 SELECT r.rolname, p.* | 28 SELECT r.rolname, p.* |
| 8 FROM users.user_profiles p | 29 FROM users.user_profiles p |
| 9 JOIN pg_roles u ON p.username = u.rolname | 30 JOIN pg_roles u ON p.username = u.rolname |
| 28 WHERE ra.country = create_user.country; | 49 WHERE ra.country = create_user.country; |
| 29 END IF; | 50 END IF; |
| 30 INSERT INTO users.user_profiles VALUES ( | 51 INSERT INTO users.user_profiles VALUES ( |
| 31 username, country, map_extent, email_address); | 52 username, country, map_extent, email_address); |
| 32 EXECUTE format( | 53 EXECUTE format( |
| 33 'CREATE ROLE %I IN ROLE %I LOGIN PASSWORD %L', username, userrole, pw); | 54 'CREATE ROLE %I IN ROLE %I LOGIN PASSWORD %L', |
| 55 username, | |
| 56 userrole, | |
| 57 users.check_password(pw)); | |
| 34 END; | 58 END; |
| 35 $$ | 59 $$ |
| 36 LANGUAGE plpgsql | 60 LANGUAGE plpgsql |
| 37 SECURITY DEFINER; | 61 SECURITY DEFINER; |
| 38 | 62 |
| 81 'GRANT %I TO %I', new_userrole, cur_username); | 105 'GRANT %I TO %I', new_userrole, cur_username); |
| 82 | 106 |
| 83 IF new_pw IS NOT NULL AND new_pw <> '' | 107 IF new_pw IS NOT NULL AND new_pw <> '' |
| 84 THEN | 108 THEN |
| 85 EXECUTE format( | 109 EXECUTE format( |
| 86 'ALTER ROLE %I PASSWORD %L', cur_username, new_pw); | 110 'ALTER ROLE %I PASSWORD %L', |
| 111 cur_username, | |
| 112 users.check_password(new_pw)); | |
| 87 END IF; | 113 END IF; |
| 88 END; | 114 END; |
| 89 $$ | 115 $$ |
| 90 LANGUAGE plpgsql | 116 LANGUAGE plpgsql |
| 91 SECURITY DEFINER; | 117 SECURITY DEFINER; |