diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c index 4c1052b3d42..eafc4309748 100644 --- a/src/backend/libpq/crypt.c +++ b/src/backend/libpq/crypt.c @@ -20,6 +20,7 @@ #include "common/scram-common.h" #include "libpq/crypt.h" #include "libpq/scram.h" +#include "miscadmin.h" #include "utils/builtins.h" #include "utils/syscache.h" #include "utils/timestamp.h" @@ -66,7 +67,19 @@ get_role_password(const char *role, const char **logdetail) datum = SysCacheGetAttr(AUTHNAME, roleTup, Anum_pg_authid_rolvaliduntil, &isnull); if (!isnull) + { vuntil = DatumGetTimestampTz(datum); + /* + * Cache the password expiration timestamp from pg_authid.rolvaliduntil + * during initial authentication so it can be checked throughout the + * lifetime of the connection. By changing this value from -1 to >= 0 + * we signal that password authentication was used. + */ + password_valid_until_timestamp = vuntil; + } + /* No expiration limit set */ + else + password_valid_until_timestamp = 0; ReleaseSysCache(roleTup); diff --git a/src/backend/tcop/postgres.c b/src/backend/tcop/postgres.c index e54bf1e760f..49d3aaa9125 100644 --- a/src/backend/tcop/postgres.c +++ b/src/backend/tcop/postgres.c @@ -34,6 +34,7 @@ #include "access/parallel.h" #include "access/printtup.h" #include "access/xact.h" +#include "catalog/pg_authid.h" #include "catalog/pg_type.h" #include "commands/async.h" #include "commands/event_trigger.h" @@ -74,10 +75,12 @@ #include "tcop/utility.h" #include "utils/guc_hooks.h" #include "utils/injection_point.h" +#include "utils/inval.h" #include "utils/lsyscache.h" #include "utils/memutils.h" #include "utils/ps_status.h" #include "utils/snapmgr.h" +#include "utils/syscache.h" #include "utils/timeout.h" #include "utils/timestamp.h" #include "utils/varlena.h" @@ -105,6 +108,13 @@ int client_connection_check_interval = 0; /* flags for non-system relation kinds to restrict use */ int restrict_nonsystem_relation_kind; +/* + * Flag set by syscache listener to indicate if the user's password validity + * (rolvaliduntil) needs to be checked for expiration before the next + * command execution. + */ +static bool AuthCheckNeeded = false; + /* ---------------- * private typedefs etc * ---------------- @@ -163,6 +173,13 @@ static volatile sig_atomic_t RecoveryConflictPendingReasons[NUM_PROCSIGNALS]; static MemoryContext row_description_context = NULL; static StringInfoData row_description_buf; +/* + * Tracks whether the SysCache callback for AUTHOID has been registered. + * This ensures CacheRegisterSyscacheCallback is called exactly once during + * backend initialization, preventing redundant registrations in the main loop. + */ +static bool sys_cache_register_callback = false; + /* ---------------------------------------------------------------- * decls for routines only used in this file * ---------------------------------------------------------------- @@ -186,6 +203,7 @@ static void drop_unnamed_stmt(void); static void log_disconnections(int code, Datum arg); static void enable_statement_timeout(void); static void disable_statement_timeout(void); +static void CheckPasswordExpiration(void); /* ---------------------------------------------------------------- @@ -1050,6 +1068,27 @@ exec_simple_query(const char *query_string) */ start_xact_command(); + /* + * Check for password expiration if a relevant pg_authid change has occurred. + * AuthCheckNeeded is set by the syscache listener (AuthCacheInvalidated). + * CheckPasswordExpiration must only be called when the system is out of + * recovery and inside a valid transaction. + */ + if (!RecoveryInProgress() && IsTransactionState() && + password_valid_until_timestamp >= 0) + { + if (AuthCheckNeeded) + CheckPasswordExpiration(); + + if (password_valid_until_timestamp < GetCurrentTransactionStartTimestamp()) + ereport(FATAL, + (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + errmsg("Connection expired due to internal password policy enforcement"), + errdetail("User's password expired at %s.", + timestamptz_to_str(password_valid_until_timestamp)), + errhint("Reconnect with a renewed password"))); + } + /* * Zap any pre-existing unnamed statement. (While not strictly necessary, * it seems best to define simple-Query mode as if it used the unnamed @@ -4177,6 +4216,69 @@ PostgresSingleUserMain(int argc, char *argv[], PostgresMain(dbname, username); } +/* + * CheckPasswordExpiration + * + * Checks the current user's pg_authid.rolvaliduntil timestamp against the + * current transaction start time. If the role's valid-until time is in the + * past, the function terminates the backend process with a FATAL error, + * enforcing password expiration policy. + * This function is typically called only when the AuthCheckNeeded flag is set + * by the AuthCacheInvalidated syscache callback. + */ +static void +CheckPasswordExpiration(void) +{ + HeapTuple tuple; + + /* + * Look up the current user's entry in pg_authid. We must do this, even + * if only AuthCheckNeeded is set, because GetUserId() might return a + * different user ID than the one that triggered the invalidation (though + * that's unlikely for AUTHOID). + */ + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(GetUserId())); + + if (HeapTupleIsValid(tuple)) + { + Datum rolvaliduntil_datum; + bool validUntil_null; + + /* Get the expiration time column */ + rolvaliduntil_datum = SysCacheGetAttr(AUTHNAME, tuple, + Anum_pg_authid_rolvaliduntil, + &validUntil_null); + + if (!validUntil_null) + password_valid_until_timestamp = DatumGetTimestampTz(rolvaliduntil_datum); + else + password_valid_until_timestamp = 0; + + ReleaseSysCache(tuple); + } + /* Reset the flag after performing the check */ + AuthCheckNeeded = false; +} + +/* + * AuthCacheInvalidated + * Syscache callback function registered for the AUTHOID cache (pg_authid). + * + * This function is executed whenever a tuple in pg_authid is updated, inserted, + * or deleted. Its primary purpose is to catch changes to the currently + * connected user's 'rolvaliduntil' field. + * + * It sets the static flag AuthCheckNeeded to true, signaling to the main + * execution loop (exec_simple_query) that the user's password expiration + * status must be checked before the next command runs. + */ +static void +AuthCacheInvalidated(Datum arg, int cacheid, uint32 hashvalue) +{ + /* This callback is executed when an entry in pg_authid changes */ + AuthCheckNeeded = true; +} /* ---------------------------------------------------------------- * PostgresMain @@ -4518,6 +4620,20 @@ PostgresMain(const char *dbname, const char *username) if (!ignore_till_sync) send_ready_for_query = true; /* initially, or after error */ + + /* + * Register a SysCache listener for pg_authid changes (specifically for + * rolvaliduntil). This provides an event-driven mechanism to enforce + * password/authorization expiration immediately upon change, rather than + * relying on polling. The callback sets a flag (AuthCheckNeeded) which + * is checked before executing each simple query. + */ + if (!sys_cache_register_callback) + { + CacheRegisterSyscacheCallback(AUTHOID, AuthCacheInvalidated, (Datum) 0); + sys_cache_register_callback = true; + } + /* * Non-error queries loop here. */ diff --git a/src/backend/utils/init/globals.c b/src/backend/utils/init/globals.c index 36ad708b360..069138ec1d5 100644 --- a/src/backend/utils/init/globals.c +++ b/src/backend/utils/init/globals.c @@ -165,3 +165,10 @@ int notify_buffers = 16; int serializable_buffers = 32; int subtransaction_buffers = 0; int transaction_buffers = 0; + +/* + * Cached value of the current user's password expiration time (pg_authid.rolvaliduntil). + * This value is updated via CheckPasswordExpiration() when the AuthCheckNeeded + * flag is set by a syscache invalidation callback. + */ +TimestampTz password_valid_until_timestamp = -1; diff --git a/src/include/miscadmin.h b/src/include/miscadmin.h index db559b39c4d..146c3769b2f 100644 --- a/src/include/miscadmin.h +++ b/src/include/miscadmin.h @@ -287,7 +287,7 @@ extern PGDLLIMPORT double VacuumCostDelay; extern PGDLLIMPORT int VacuumCostBalance; extern PGDLLIMPORT bool VacuumCostActive; - +extern PGDLLIMPORT TimestampTz password_valid_until_timestamp; /* in utils/misc/stack_depth.c */