Commit 15a2ff12 authored by Oleksandr Byelkin's avatar Oleksandr Byelkin

MDEV-26647 (simple_password_check) Include password validation plugin...

MDEV-26647 (simple_password_check) Include password validation plugin information in the error message if the SQL statement is not satisfied password policy

Make the plugin report the cause of the error.
parent cc6bba00
...@@ -72,12 +72,36 @@ READ_ONLY NO ...@@ -72,12 +72,36 @@ READ_ONLY NO
COMMAND_LINE_ARGUMENT REQUIRED COMMAND_LINE_ARGUMENT REQUIRED
create user foo1 identified by 'pwd'; create user foo1 identified by 'pwd';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Too short password (< 8)
Warning 1819 simple_password_check: Not enough upper case letters (< 1)
Warning 1819 simple_password_check: Not enough digits (< 1)
Warning 1819 simple_password_check: Not enough special characters (< 1)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
Error 1396 Operation CREATE USER failed for 'foo1'@'%'
create user foo1; create user foo1;
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: The password equal to the user name
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
Error 1396 Operation CREATE USER failed for 'foo1'@'%'
grant select on *.* to foo1 identified by 'pwd'; grant select on *.* to foo1 identified by 'pwd';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Too short password (< 8)
Warning 1819 simple_password_check: Not enough upper case letters (< 1)
Warning 1819 simple_password_check: Not enough digits (< 1)
Warning 1819 simple_password_check: Not enough special characters (< 1)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
grant select on *.* to `FooBar1!` identified by 'FooBar1!'; grant select on *.* to `FooBar1!` identified by 'FooBar1!';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: The password equal to the user name
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
grant select on *.* to `BarFoo1!` identified by 'FooBar1!'; grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
drop user `BarFoo1!`; drop user `BarFoo1!`;
create user foo1 identified by 'aA.12345'; create user foo1 identified by 'aA.12345';
...@@ -100,27 +124,63 @@ create user foo1 identified by '123:qwe:ASD!'; ...@@ -100,27 +124,63 @@ create user foo1 identified by '123:qwe:ASD!';
drop user foo1; drop user foo1;
create user foo1 identified by '-23:qwe:ASD!'; create user foo1 identified by '-23:qwe:ASD!';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Not enough digits (< 3)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
Error 1396 Operation CREATE USER failed for 'foo1'@'%'
create user foo1 identified by '123:4we:ASD!'; create user foo1 identified by '123:4we:ASD!';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Not enough lower case letters (< 3)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
Error 1396 Operation CREATE USER failed for 'foo1'@'%'
create user foo1 identified by '123:qwe:4SD!'; create user foo1 identified by '123:qwe:4SD!';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Not enough upper case letters (< 3)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
Error 1396 Operation CREATE USER failed for 'foo1'@'%'
create user foo1 identified by '123:qwe:ASD4'; create user foo1 identified by '123:qwe:ASD4';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Not enough special characters (< 3)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
Error 1396 Operation CREATE USER failed for 'foo1'@'%'
create user foo1 identified by '123:qwe:ASD!'; create user foo1 identified by '123:qwe:ASD!';
set password for foo1 = password('qwe:-23:ASD!'); set password for foo1 = password('qwe:-23:ASD!');
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Not enough digits (< 3)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
set password for foo1 = old_password('4we:123:ASD!'); set password for foo1 = old_password('4we:123:ASD!');
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
set password for foo1 = password('qwe:123:4SD!'); set password for foo1 = password('qwe:123:4SD!');
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Not enough upper case letters (< 3)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
set password for foo1 = old_password('qwe:123:ASD4'); set password for foo1 = old_password('qwe:123:ASD4');
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Not enough special characters (< 3)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
set password for foo1 = password('qwe:123:ASD!'); set password for foo1 = password('qwe:123:ASD!');
select @@strict_password_validation; select @@strict_password_validation;
@@strict_password_validation @@strict_password_validation
1 1
set password for foo1 = ''; set password for foo1 = '';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: The password equal to the user name
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
set password for foo1 = '2222222222222222'; set password for foo1 = '2222222222222222';
ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
set password for foo1 = '11111111111111111111111111111111111111111'; set password for foo1 = '11111111111111111111111111111111111111111';
...@@ -135,12 +195,21 @@ grant select on *.* to foo2 identified with mysql_old_password using '2222222222 ...@@ -135,12 +195,21 @@ grant select on *.* to foo2 identified with mysql_old_password using '2222222222
ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
create user foo2 identified with mysql_native_password using ''; create user foo2 identified with mysql_native_password using '';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: The password equal to the user name
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
Error 1396 Operation CREATE USER failed for 'foo2'@'%'
grant select on *.* to foo2 identified with mysql_old_password; grant select on *.* to foo2 identified with mysql_old_password;
ERROR 28000: Can't find any matching row in the user table ERROR 28000: Can't find any matching row in the user table
update mysql.user set password='xxx' where user='foo1'; update mysql.user set password='xxx' where user='foo1';
set global strict_password_validation=0; set global strict_password_validation=0;
set password for foo1 = ''; set password for foo1 = '';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: The password equal to the user name
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
set password for foo1 = '2222222222222222'; set password for foo1 = '2222222222222222';
set password for foo1 = '11111111111111111111111111111111111111111'; set password for foo1 = '11111111111111111111111111111111111111111';
create user foo2 identified by password '11111111111111111111111111111111111111111'; create user foo2 identified by password '11111111111111111111111111111111111111111';
......
...@@ -14,6 +14,8 @@ grant select on *.* to foobar identified by 'q-%^&*rty'; ...@@ -14,6 +14,8 @@ grant select on *.* to foobar identified by 'q-%^&*rty';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings; show warnings;
Level Code Message Level Code Message
Warning 1819 simple_password_check: Not enough upper case letters (< 1)
Warning 1819 simple_password_check: Not enough digits (< 1)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check) Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
uninstall plugin simple_password_check; uninstall plugin simple_password_check;
grant select on *.* to foobar identified by 'q-%^&*rty'; grant select on *.* to foobar identified by 'q-%^&*rty';
......
...@@ -15,16 +15,20 @@ select * from information_schema.system_variables where variable_name like 'simp ...@@ -15,16 +15,20 @@ select * from information_schema.system_variables where variable_name like 'simp
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
create user foo1 identified by 'pwd'; create user foo1 identified by 'pwd';
show warnings;
# Create user with no password. # Create user with no password.
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
create user foo1; create user foo1;
show warnings;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
grant select on *.* to foo1 identified by 'pwd'; grant select on *.* to foo1 identified by 'pwd';
show warnings;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
grant select on *.* to `FooBar1!` identified by 'FooBar1!'; grant select on *.* to `FooBar1!` identified by 'FooBar1!';
show warnings;
grant select on *.* to `BarFoo1!` identified by 'FooBar1!'; grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
drop user `BarFoo1!`; drop user `BarFoo1!`;
...@@ -43,25 +47,32 @@ drop user foo1; ...@@ -43,25 +47,32 @@ drop user foo1;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
create user foo1 identified by '-23:qwe:ASD!'; create user foo1 identified by '-23:qwe:ASD!';
show warnings;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
create user foo1 identified by '123:4we:ASD!'; create user foo1 identified by '123:4we:ASD!';
show warnings;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
create user foo1 identified by '123:qwe:4SD!'; create user foo1 identified by '123:qwe:4SD!';
show warnings;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
create user foo1 identified by '123:qwe:ASD4'; create user foo1 identified by '123:qwe:ASD4';
show warnings;
create user foo1 identified by '123:qwe:ASD!'; create user foo1 identified by '123:qwe:ASD!';
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
set password for foo1 = password('qwe:-23:ASD!'); set password for foo1 = password('qwe:-23:ASD!');
show warnings;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
set password for foo1 = old_password('4we:123:ASD!'); set password for foo1 = old_password('4we:123:ASD!');
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
set password for foo1 = password('qwe:123:4SD!'); set password for foo1 = password('qwe:123:4SD!');
show warnings;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
set password for foo1 = old_password('qwe:123:ASD4'); set password for foo1 = old_password('qwe:123:ASD4');
show warnings;
set password for foo1 = password('qwe:123:ASD!'); set password for foo1 = password('qwe:123:ASD!');
# now, strict_password_validation # now, strict_password_validation
...@@ -69,6 +80,7 @@ select @@strict_password_validation; ...@@ -69,6 +80,7 @@ select @@strict_password_validation;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
set password for foo1 = ''; set password for foo1 = '';
show warnings;
--error ER_OPTION_PREVENTS_STATEMENT --error ER_OPTION_PREVENTS_STATEMENT
set password for foo1 = '2222222222222222'; set password for foo1 = '2222222222222222';
--error ER_OPTION_PREVENTS_STATEMENT --error ER_OPTION_PREVENTS_STATEMENT
...@@ -83,6 +95,7 @@ create user foo2 identified with mysql_native_password using '111111111111111111 ...@@ -83,6 +95,7 @@ create user foo2 identified with mysql_native_password using '111111111111111111
grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222'; grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
create user foo2 identified with mysql_native_password using ''; create user foo2 identified with mysql_native_password using '';
show warnings;
--error ER_PASSWORD_NO_MATCH --error ER_PASSWORD_NO_MATCH
grant select on *.* to foo2 identified with mysql_old_password; grant select on *.* to foo2 identified with mysql_old_password;
...@@ -93,6 +106,7 @@ set global strict_password_validation=0; ...@@ -93,6 +106,7 @@ set global strict_password_validation=0;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
set password for foo1 = ''; set password for foo1 = '';
show warnings;
set password for foo1 = '2222222222222222'; set password for foo1 = '2222222222222222';
set password for foo1 = '11111111111111111111111111111111111111111'; set password for foo1 = '11111111111111111111111111111111111111111';
create user foo2 identified by password '11111111111111111111111111111111111111111'; create user foo2 identified by password '11111111111111111111111111111111111111111';
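Review bot: Among the statements in the visible hunks that expect `ER_NOT_VALID_PASSWORD`, `set password for foo1 = old_password('4we:123:ASD!');` is the only one not followed by `show warnings;`, so the `Not enough lower case letters` warning is never checked on the SET PASSWORD path. If the omission is deliberate, a `#` comment above the statement saying why would help the next reader. Otherwise add `show warnings;` after it and re-record the result file.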
......
...@@ -29,7 +29,13 @@ static int validate(MYSQL_CONST_LEX_STRING *username, ...@@ -29,7 +29,13 @@ static int validate(MYSQL_CONST_LEX_STRING *username,
const char *ptr= password->str, *end= ptr + length; const char *ptr= password->str, *end= ptr + length;
if (strncmp(password->str, username->str, length) == 0) if (strncmp(password->str, username->str, length) == 0)
{
// warning used to do not change error code
my_printf_error(ER_NOT_VALID_PASSWORD,
"simple_password_check: The password equal to the user name",
ME_WARNING);
return 1; return 1;
}
/* everything non-ascii is the "other" character and is good for the password */ /* everything non-ascii is the "other" character and is good for the password */
for(; ptr < end; ptr++) for(; ptr < end; ptr++)
...@@ -43,6 +49,28 @@ static int validate(MYSQL_CONST_LEX_STRING *username, ...@@ -43,6 +49,28 @@ static int validate(MYSQL_CONST_LEX_STRING *username,
else else
others++; others++;
} }
// warnings used to do not change error code
if (length < min_length)
my_printf_error(ER_NOT_VALID_PASSWORD,
"simple_password_check: Too short password (< %u)",
ME_WARNING, min_length);
if (uppers < min_letters)
my_printf_error(ER_NOT_VALID_PASSWORD,
"simple_password_check: Not enough upper case "
"letters (< %u)",ME_WARNING, min_letters);
if (lowers < min_letters)
my_printf_error(ER_NOT_VALID_PASSWORD,
"simple_password_check: Not enough lower case "
"letters (< %u)",ME_WARNING, min_letters);
if (digits < min_digits)
my_printf_error(ER_NOT_VALID_PASSWORD,
"simple_password_check: Not enough digits (< %u)",
ME_WARNING, min_digits);
if (others < min_others)
my_printf_error(ER_NOT_VALID_PASSWORD,
"simple_password_check: Not enough special "
"characters (< %u)",ME_WARNING, min_others);
/* remember TRUE means the password failed the validation */ /* remember TRUE means the password failed the validation */
return length < min_length || return length < min_length ||
uppers < min_letters || uppers < min_letters ||
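Review bot: The new warning text `simple_password_check: The password equal to the user name` in the first hunk does not match the condition it reports, because `strncmp(password->str, username->str, length)` compares only the first `length` bytes, so an empty password or any password that is a prefix of the user name takes this branch. The recorded output on this page shows exactly that for `set password for foo1 = ''` and for `create user foo1;`, where the client is told the password equals the user name. I would word the message to match the check, e.g. `"simple_password_check: The password is empty or is a prefix of the user name"`, or report the empty case separately before the comparison. The early `return 1` also means the length and character-class warnings added in the second hunk are not emitted for such a password, which deserves a short comment. `validate` starts and ends outside both hunks, so the types behind the `%u` arguments are not visible here.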
......