Add feature "Disallow password change" to disallow users to change

their password. This behavior is enabled by setting:
	credcheck.disallow_password_change=on
It returns the following message when a user tries to change its
password:
	ERROR:  you are not allowed to change your password.
Thanks to Jacute for the reature request.

Author: darold

README.md

@@ -8,6 +8,7 @@
 	- [Authentication failure ban](#authentication-failure-ban)
 	- [Authentication delay](#authentication-delay)
 	- [Force password change](#force-password-change)
+	- [Disallow password change](#disallow-password-change)
 	- [Warning before password expire](#warning-before-password-expire)
 	- [Examples](#examples)
 	- [Limitations](#limitations)
@@ -466,6 +467,19 @@ You can also force any user to change his password at any time using:
 ALTER USER user1 SET credcheck_internal.force_change_password = true;
 ```
 
+### [Disallow password change](#disallow-password-change)
+
+This feature disallow users to change their password. This behavior is enabled by setting `credcheck.disallow_password_change` to `true`. For example:
+
+```
+$ psql -h localhost -d test -U user1
+psql (17.5 (Ubuntu 17.5-1.pgdg24.04+1))
+SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off, ALPN: postgresql)
+Type "help" for help.
+
+test=> ALTER ROLE 'user1' PASSWORD 'My-New-Pass#123';
+ERROR:  you are not allowed to change your password.
+
 ### [Warning before password expire](#warning-before-password-expire)
 
 To send a warning to the user N days before his password expires you can set the number of days

credcheck.c

@@ -248,6 +248,7 @@ static int password_valid_max = 0;
 static int auth_delay_milliseconds = 0;
 static bool password_change_first_login = false;
 static bool force_change_password = false;
+static bool disallow_change_password = false;
 
 #if PG_VERSION_NUM >= 120000
 /*
@@ -870,6 +871,11 @@ password_guc()
 				NULL, &force_change_password, false, PGC_SUSET, 0,
 				NULL, NULL, NULL);
 
+	DefineCustomBoolVariable("credcheck.disallow_change_password",
+				gettext_noop("prevent users to change their password"),
+				NULL, &disallow_change_password, false, PGC_SUSET, 0,
+				NULL, NULL, NULL);
+
 }
 
 #if PG_VERSION_NUM >= 120000
@@ -1451,15 +1457,23 @@ cc_ProcessUtility(PEL_PROCESSUTILITY_PROTO)
 	{
 		Node *parsetree = pstmt->utilityStmt;
 
-		/* at first login we don't allow anything else than password change */
-		/*
-		 * When first login we don't allow anything else than password change.
-		 * Command \password issue a "show password_encryption" query after
-		 * change password prompts, allow it. The \password command will be
-		 * rejected anyway because it uses encrypted password.
-		 */
 		if (!is_in_whitelist(MyProcPort->user_name, username_whitelist))
 		{
+			/*
+			 * When disallow_change_password is enable we return
+			 * an error to any usertrying to change his password.
+			 */
+			if (nodeTag(parsetree) == T_AlterRoleStmt && disallow_change_password)
+				ereport(ERROR,
+						(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+							errmsg(gettext_noop("you are not allowed to change your password."))));
+
+			/*
+			 * When first login we don't allow anything else than password change.
+			 * Command \password issue a "show password_encryption" query after
+			 * change password prompts, allow it. The \password command will be
+			 * rejected anyway because it uses encrypted password.
+			 */
 			if (nodeTag(parsetree) != T_AlterRoleStmt && force_change_password
 				&& strcmp(debug_query_string, "show password_encryption") != 0)
 				ereport(ERROR,