Description
After we configured credcheck on all our clusters we discovered a loophole. Some create role logic was placed inside a PL/pgSQL block, which apparently completely skips the credcheck extension policies unfortunately. See test below:
```sql
DO $$
BEGIN
    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'test10')
    THEN
        CREATE ROLE test10 LOGIN PASSWORD '101!!010101010abc!' NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
    END IF;
END
$$;
```

```
postgres=# select rolname, rolvaliduntil, rolpassword, current_setting('credcheck.password_valid_until') password_valid_until from pg_roles where rolname ='test10';
rolname | rolvaliduntil | rolpassword | password_valid_until
---------+---------------+-------------+----------------------
test10 | | ******** | 365
postgres=# drop role test10;
DROP ROLE
CREATE ROLE test10 LOGIN PASSWORD '101!!010101010abc!' NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
postgres=# select rolname, rolvaliduntil, rolpassword, current_setting('credcheck.password_valid_until') password_valid_until from pg_roles where rolname ='test10';
rolname | rolvaliduntil | rolpassword | password_valid_until
---------+------------------------+-------------+----------------------
test10 | 2027-03-19 00:00:00+01 | ******** | 365
```
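An audit query for clusters where this may already have happened, added here as an example and not part of the original report or of credcheck itself: it lists login roles that have a password but no expiry while `credcheck.password_valid_until` is non-zero, which is the state the `DO` block above leaves behind. It assumes the setting is an integer number of days with 0 meaning "not enforced", and that it is run by a superuser.

```sql
-- Added example (not credcheck code): find password-bearing login roles
-- that have no expiry even though an expiry policy is configured.
-- pg_authid is used instead of pg_roles because pg_roles masks rolpassword
-- as '********' for every role, so it cannot show whether a password is set.
WITH policy AS (
    -- missing_ok = true: returns NULL instead of raising an error when
    -- credcheck is not loaded in this session. Treating NULL/empty as 0
    -- ("not enforced") is an assumption of this example.
    SELECT COALESCE(
               NULLIF(current_setting('credcheck.password_valid_until', true), ''),
               '0'
           )::int AS valid_days
)
SELECT a.rolname,
       a.rolvaliduntil,
       p.valid_days AS password_valid_until
FROM pg_authid AS a
CROSS JOIN policy AS p
WHERE a.rolcanlogin                       -- roles that can open a session
  AND a.rolpassword IS NOT NULL           -- and authenticate with a password
  AND p.valid_days > 0                    -- while an expiry policy is configured
  AND (a.rolvaliduntil IS NULL            -- but no expiry was recorded
       OR a.rolvaliduntil = 'infinity')
ORDER BY a.rolname;
```

Roles created before the policy was configured also match, so each hit needs to be checked against when and how the role was created.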