passwordcheck: Add test suite

Also improve one error message.

Reviewed-by: David Steele <david@pgmasters.net>

6 files changed, 50 insertions, 1 deletions

diff --git a/contrib/passwordcheck/.gitignore b/contrib/passwordcheck/.gitignore
new file mode 100644
index 00000000000..5dcb3ff9723
--- /dev/null
+++ b/contrib/passwordcheck/.gitignore
@@ -0,0 +1,4 @@
+# Generated subdirectories
+/log/
+/results/
+/tmp_check/
diff --git a/contrib/passwordcheck/Makefile b/contrib/passwordcheck/Makefile
index 4652aeb3d7c..7edc968b908 100644
--- a/contrib/passwordcheck/Makefile
+++ b/contrib/passwordcheck/Makefile
@@ -8,6 +8,11 @@ PGFILEDESC = "passwordcheck - strengthen user password checks"
 # PG_CPPFLAGS = -DUSE_CRACKLIB '-DCRACKLIB_DICTPATH="/usr/lib/cracklib_dict"'
 # SHLIB_LINK = -lcrack
 
+REGRESS_OPTS = --temp-config $(srcdir)/passwordcheck.conf
+REGRESS = passwordcheck
+# disabled because these tests require setting shared_preload_libraries
+NO_INSTALLCHECK = 1
+
 ifdef USE_PGXS
 PG_CONFIG = pg_config
 PGXS := $(shell $(PG_CONFIG) --pgxs)
diff --git a/contrib/passwordcheck/expected/passwordcheck.out b/contrib/passwordcheck/expected/passwordcheck.out
new file mode 100644
index 00000000000..b3515df3e83
--- /dev/null
+++ b/contrib/passwordcheck/expected/passwordcheck.out
@@ -0,0 +1,18 @@
+CREATE USER regress_user1;
+-- ok
+ALTER USER regress_user1 PASSWORD 'a_nice_long_password';
+-- error: too short
+ALTER USER regress_user1 PASSWORD 'tooshrt';
+ERROR:  password is too short
+-- error: contains user name
+ALTER USER regress_user1 PASSWORD 'xyzregress_user1';
+ERROR:  password must not contain user name
+-- error: contains only letters
+ALTER USER regress_user1 PASSWORD 'alessnicelongpassword';
+ERROR:  password must contain both letters and nonletters
+-- encrypted ok (password is "secret")
+ALTER USER regress_user1 PASSWORD 'md51a44d829a20a23eac686d9f0d258af13';
+-- error: password is user name
+ALTER USER regress_user1 PASSWORD 'md5e589150ae7d28f93333afae92b36ef48';
+ERROR:  password must not equal user name
+DROP USER regress_user1;
diff --git a/contrib/passwordcheck/passwordcheck.c b/contrib/passwordcheck/passwordcheck.c
index b80fd458ad7..64d43462f06 100644
--- a/contrib/passwordcheck/passwordcheck.c
+++ b/contrib/passwordcheck/passwordcheck.c
@@ -70,7 +70,7 @@ check_password(const char *username,
 		if (plain_crypt_verify(username, shadow_pass, username, &logdetail) == STATUS_OK)
 			ereport(ERROR,
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-					 errmsg("password must not contain user name")));
+					 errmsg("password must not equal user name")));
 	}
 	else
 	{
diff --git a/contrib/passwordcheck/passwordcheck.conf b/contrib/passwordcheck/passwordcheck.conf
new file mode 100644
index 00000000000..f6604f3d6b7
--- /dev/null
+++ b/contrib/passwordcheck/passwordcheck.conf
@@ -0,0 +1 @@
+shared_preload_libraries = 'passwordcheck'
diff --git a/contrib/passwordcheck/sql/passwordcheck.sql b/contrib/passwordcheck/sql/passwordcheck.sql
new file mode 100644
index 00000000000..59c84f522ec
--- /dev/null
+++ b/contrib/passwordcheck/sql/passwordcheck.sql
@@ -0,0 +1,21 @@
+CREATE USER regress_user1;
+
+-- ok
+ALTER USER regress_user1 PASSWORD 'a_nice_long_password';
+
+-- error: too short
+ALTER USER regress_user1 PASSWORD 'tooshrt';
+
+-- error: contains user name
+ALTER USER regress_user1 PASSWORD 'xyzregress_user1';
+
+-- error: contains only letters
+ALTER USER regress_user1 PASSWORD 'alessnicelongpassword';
+
+-- encrypted ok (password is "secret")
+ALTER USER regress_user1 PASSWORD 'md51a44d829a20a23eac686d9f0d258af13';
+
+-- error: password is user name
+ALTER USER regress_user1 PASSWORD 'md5e589150ae7d28f93333afae92b36ef48';
+
+DROP USER regress_user1;