MDEV-9273 ERROR 1819 on grant statment for existing user

Cannot do password validation in fix_lex_user(), we don't know there what "GRANT ... TO user" means - creating a new user with an empty password (need validation) or granting privileges to an existing user (no validation needed). Move validation down into replace_user_table(). And copy into check_change_password().

MDEV-9273 ERROR 1819 on grant statment for existing user
Cannot do password validation in fix_lex_user(), we don't know there what "GRANT ... TO user" means - creating a new user with an empty password (need validation) or granting privileges to an existing user (no validation needed). Move validation down into replace_user_table(). And copy into check_change_password().
68910e70 · Sergei Golubchik · d14c4c78 · 68910e70 · 68910e70 · 68910e70
Commit 68910e70 authored Jan 24, 2016 by Sergei Golubchik
3 changed files
--- a/mysql-test/suite/plugins/r/simple_password_check.result
+++ b/mysql-test/suite/plugins/r/simple_password_check.result
@@ -79,6 +79,7 @@ ERROR HY000: Your password does not satisfy the current policy requirements
 grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
 drop user `BarFoo1!`;
 create user foo1 identified by 'aA.12345';
+grant select on *.* to foo1;
 drop user foo1;
 set global simple_password_check_digits=3;
 set global simple_password_check_letters_same_case=3;
@@ -129,7 +130,7 @@ ERROR HY000: The MariaDB server is running with the --strict-password-validation
 create user foo2 identified with mysql_native_password using '';
 ERROR HY000: Your password does not satisfy the current policy requirements
 grant select on *.* to foo2 identified with mysql_old_password;
-ERROR HY000: Your password does not satisfy the current policy requirements
+ERROR 28000: Can't find any matching row in the user table
 update mysql.user set password='xxx' where user='foo1';
 set global strict_password_validation=0;
 set password for foo1 = '';

--- a/mysql-test/suite/plugins/t/simple_password_check.test
+++ b/mysql-test/suite/plugins/t/simple_password_check.test
@@ -26,6 +26,7 @@ grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
 drop user `BarFoo1!`;

 create user foo1 identified by 'aA.12345';
+grant select on *.* to foo1;
 drop user foo1;

 set global simple_password_check_digits=3;
@@ -78,7 +79,7 @@ create user foo2 identified with mysql_native_password using '111111111111111111
 grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
 --error ER_NOT_VALID_PASSWORD
 create user foo2 identified with mysql_native_password using '';
--error ER_NOT_VALID_PASSWORD
+--error ER_PASSWORD_NO_MATCH
 grant select on *.* to foo2 identified with mysql_old_password;

 # direct updates are not protected

--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -1050,9 +1050,6 @@ static bool fix_lex_user(THD *thd, LEX_USER *user)
    return true;
  }

-  if (validate_password(user))
-    return true;
-
  if (user->pwtext.length && !user->pwhash.length)
  {
    size_t scramble_length;
@@ -2747,7 +2744,8 @@ bool check_change_password(THD *thd, LEX_USER *user)
 {
  LEX_USER *real_user= get_current_user(thd, user);

-  if (fix_and_copy_user(real_user, user, thd))
+  if (fix_and_copy_user(real_user, user, thd) ||
+      validate_password(real_user))
    return true;

  *user= *real_user;
@@ -3461,6 +3459,10 @@ static int replace_user_table(THD *thd, TABLE *table, LEX_USER &combo,
    store_record(table,record[1]);			// Save copy for update
  }

+  if (!old_row_exists || combo.pwtext.length || combo.pwhash.length)
+    if (validate_password(&combo))
+      goto end;
+
  /* Update table columns with new privileges */

  Field **tmp_field;