pg_datatype_password

This Release
pg_datatype_password 1.0.0
Date
Status
Stable
Abstract
PostgreSQL data type for storing blowfish encrypted and salted passwords which can be queried against clear text.
Description
User can transparently query encrypted passwords against clear password coming from web application etc. Every password is encryped using different salt, therefore even same passwords are represented with different encryped text. See https://www.postgresql.org/docs/current/static/pgcrypto.html
Released By
ozum
License
MIT
Resources
Special Files
Tags

Extensions

pg_datatype_password 1.0.0
PostgreSQL data type for storing blowfish encrypted and salted passwords which can be queried against clear text.

README

pg_datatype_password

Abstract

PostgreSQL data type for storing blowfish encrypted and salted passwords which can be queried against clear text.

Description

This is a PostgreSQL extension which adds custom base data type called password and related operators. This module requires pgcrypto module.

User can transparently query encrypted passwords against clear password coming from web application etc. Every password is encryped using different salt, therefore even same passwords are represented with different encryped text. See [https://www.postgresql.org/docs/current/static/pgcrypto.html](pgcrypto documentation)

Synopsis

On CLI:

$ make install

On SQL:

```SQL CREATE EXTENSION pgcrypto; CREATE EXTENSION pg_datatype_password;

CREATE TABLE app_user ( id SERIAL, password password, CONSTRAINT pkey PRIMARY KEY(id) );

CREATE TRIGGER encrypt_password BEFORE INSERT OR UPDATE OF password ON app_user FOR EACH ROW EXECUTE PROCEDURE t_encrypt_password();

-- Password is inserted as encrypted because of trigger. INSERT INTO app_user (password) VALUES ('MySecret'); INSERT INTO app_user (password) VALUES ('MySecret'); ```

SQL SELECT * FROM app_user;

id | password ------|--------------- 1 | $2a$08$uTmBdGeSABWFM.scyi3DB.d0G.9Lmof6j06dc.PTdkiS4AeyoCjGu 2 | $2a$08$oTyyV8VlUMXWmWPsUbuzNOHZImN3FB79dNZkgjxaDH8/gWCU8/Jli

```SQL -- Test with clear password such as coming from web application. -- See two passwords encrypted differently even they were same as clear text, because every password is created with different salt. SELECT * FROM app_user WHERE id = 1 AND password = 'MySecret';

```

id | password ------|--------------- 1 | $2a$08$uTmBdGeSABWFM.scyi3DB.d0G.9Lmof6j06dc.PTdkiS4AeyoCjGu 2 | $2a$08$oTyyV8VlUMXWmWPsUbuzNOHZImN3FB79dNZkgjxaDH8/gWCU8/Jli

SQL -- Cannot be tested with encrypted password. SELECT * FROM app_user WHERE id = 1 AND password = '$2a$08$uTmBdGeSABWFM.scyi3DB.d0G.9Lmof6j06dc.PTdkiS4AeyoCjGu';

id | password ------|--------------- |

Contribution Needed !!!

It would be much better and elegant solution, if input function of password base type would directly encrypt given input and return encrypted result. Then there would be no need the extra trigger. Module becomes much more transparent than it's current state.

Because of PostgreSQL's ctype input limitation for procedural languages, this function have to be written in C. Please see [https://www.postgresql.org/docs/current/static/sql-createtype.html](PostgreSQL documentation)

PR for the input function is very welcome.

What is included?

  • password data type
  • = and <> comparison operators to compare clear text with encrypted password.
  • t_encrypt_password trigger

Install

To build it, just do this:

make
make installcheck
make install

If you encounter an error such as:

"Makefile", line 8: Need an operator

You need to use GNU make, which may well be installed on your system as gmake:

gmake
gmake install
gmake installcheck

If you encounter an error such as:

make: pg_config: Command not found

Be sure that you have pg_config installed and in your path. If you used a package management system such as RPM to install PostgreSQL, be sure that the -devel package is also installed. If necessary tell the build process where to find it:

env PG_CONFIG=/path/to/pg_config make && make installcheck && make install

And finally, if all that fails (and if you're on PostgreSQL 8.1 or lower, it likely will), copy the entire distribution directory to the contrib/ subdirectory of the PostgreSQL source tree and try it there without pg_config:

env NO_PGXS=1 make && make installcheck && make install

If you encounter an error such as:

ERROR:  must be owner of database regression

You need to run the test suite using a super user, such as the default "postgres" super user:

make installcheck PGUSER=postgres

Once pg_datatype_password is installed, you can add it to a database. If you're running PostgreSQL 9.1.0 or greater, it's a simple as connecting to a database as a super user and running:

CREATE EXTENSION pg_datatype_password;

If you've upgraded your cluster to PostgreSQL 9.1 and already had pg_datatype_password installed, you can upgrade it to a properly packaged extension with:

CREATE EXTENSION pg_datatype_password FROM unpackaged;

For versions of PostgreSQL less than 9.1.0, you'll need to run the installation script:

psql -d mydb -f /path/to/pgsql/share/contrib/pg_datatype_password.sql

If you want to install pg_datatype_password and all of its supporting objects into a specific schema, use the PGOPTIONS environment variable to specify the schema, like so:

PGOPTIONS=--search_path=extensions psql -d mydb -f pg_datatype_password.sql

Dependencies

The pg_datatype_password requires pgcrypto module.

Copyright and License

See LICENSE file. Copyright (c) 2016 Özüm Eldoğan.