Commit b8140467 authored by Sergei Golubchik's avatar Sergei Golubchik

validate SET PASSWORD

parent dccd85e7
...@@ -99,6 +99,17 @@ create user foo1 identified by '123:qwe:4SD!'; ...@@ -99,6 +99,17 @@ create user foo1 identified by '123:qwe:4SD!';
ERROR HY000: Your password does not satisfy the current policy requirements ERROR HY000: Your password does not satisfy the current policy requirements
create user foo1 identified by '123:qwe:ASD4'; create user foo1 identified by '123:qwe:ASD4';
ERROR HY000: Your password does not satisfy the current policy requirements ERROR HY000: Your password does not satisfy the current policy requirements
create user foo1 identified by '123:qwe:ASD!';
set password for foo1 = password('qwe:-23:ASD!');
ERROR HY000: Your password does not satisfy the current policy requirements
set password for foo1 = old_password('4we:123:ASD!');
ERROR HY000: Your password does not satisfy the current policy requirements
set password for foo1 = password('qwe:123:4SD!');
ERROR HY000: Your password does not satisfy the current policy requirements
set password for foo1 = old_password('qwe:123:ASD4');
ERROR HY000: Your password does not satisfy the current policy requirements
set password for foo1 = password('qwe:123:ASD!');
drop user foo1;
uninstall plugin simple_password_check; uninstall plugin simple_password_check;
create user foo1 identified by 'pwd'; create user foo1 identified by 'pwd';
drop user foo1; drop user foo1;
...@@ -48,6 +48,18 @@ create user foo1 identified by '123:qwe:4SD!'; ...@@ -48,6 +48,18 @@ create user foo1 identified by '123:qwe:4SD!';
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
create user foo1 identified by '123:qwe:ASD4'; create user foo1 identified by '123:qwe:ASD4';
create user foo1 identified by '123:qwe:ASD!';
--error ER_NOT_VALID_PASSWORD
set password for foo1 = password('qwe:-23:ASD!');
--error ER_NOT_VALID_PASSWORD
set password for foo1 = old_password('4we:123:ASD!');
--error ER_NOT_VALID_PASSWORD
set password for foo1 = password('qwe:123:4SD!');
--error ER_NOT_VALID_PASSWORD
set password for foo1 = old_password('qwe:123:ASD4');
set password for foo1 = password('qwe:123:ASD!');
drop user foo1;
uninstall plugin simple_password_check; uninstall plugin simple_password_check;
create user foo1 identified by 'pwd'; create user foo1 identified by 'pwd';
......
...@@ -851,10 +851,7 @@ int set_var_user::update(THD *thd) ...@@ -851,10 +851,7 @@ int set_var_user::update(THD *thd)
int set_var_password::check(THD *thd) int set_var_password::check(THD *thd)
{ {
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
user= get_current_user(thd, user); return check_change_password(thd, user);
/* Returns 1 as the function sends error to client */
return check_change_password(thd, user->host.str, user->user.str,
password, strlen(password)) ? 1 : 0;
#else #else
return 0; return 0;
#endif #endif
...@@ -863,9 +860,7 @@ int set_var_password::check(THD *thd) ...@@ -863,9 +860,7 @@ int set_var_password::check(THD *thd)
int set_var_password::update(THD *thd) int set_var_password::update(THD *thd)
{ {
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
/* Returns 1 as the function sends error to client */ return change_password(thd, user);
return change_password(thd, user->host.str, user->user.str, password) ?
1 : 0;
#else #else
return 0; return 0;
#endif #endif
......
...@@ -321,10 +321,8 @@ class set_var_user: public set_var_base ...@@ -321,10 +321,8 @@ class set_var_user: public set_var_base
class set_var_password: public set_var_base class set_var_password: public set_var_base
{ {
LEX_USER *user; LEX_USER *user;
char *password;
public: public:
set_var_password(LEX_USER *user_arg,char *password_arg) set_var_password(LEX_USER *user_arg) :user(user_arg)
:user(user_arg), password(password_arg)
{} {}
int check(THD *thd); int check(THD *thd);
int update(THD *thd); int update(THD *thd);
......
...@@ -349,6 +349,7 @@ ulong role_global_merges= 0, role_db_merges= 0, role_table_merges= 0, ...@@ -349,6 +349,7 @@ ulong role_global_merges= 0, role_db_merges= 0, role_table_merges= 0,
#endif #endif
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
static bool fix_and_copy_user(LEX_USER *to, LEX_USER *from, THD *thd);
static void update_hostname(acl_host_and_ip *host, const char *hostname); static void update_hostname(acl_host_and_ip *host, const char *hostname);
static ulong get_sort(uint count,...); static ulong get_sort(uint count,...);
static bool show_proxy_grants (THD *, const char *, const char *, static bool show_proxy_grants (THD *, const char *, const char *,
...@@ -965,10 +966,25 @@ static bool fix_user_plugin_ptr(ACL_USER *user) ...@@ -965,10 +966,25 @@ static bool fix_user_plugin_ptr(ACL_USER *user)
/* /*
transform equivalent LEX_USER values to one: Validates the password, calculates password hash, transforms
username IDENTIFIED BY PASSWORD xxx equivalent LEX_USER representations.
username IDENTIFIED VIA mysql_native_password USING xxx
etc Upon entering this function:
- if user->plugin is specified, user->auth is the plugin auth data.
- if user->plugin is mysql_native_password or mysql_old_password,
user->auth if the password hash, and LEX_USER is transformed
to match the next case (that is, user->plugin is cleared).
- if user->plugin is NOT specified, built-in auth is assumed, that is
mysql_native_password or mysql_old_password. In that case,
user->auth is the password hash. And user->password is the original
plain-text password. Either one can be set or even both.
Upon exiting this function:
- user->password is the password hash, as the mysql.user.password column
- user->plugin is the plugin name, as the mysql.user.plugin column
- user->auth is the plugin auth data, as the mysql.user.authentication_string column
*/ */
static bool fix_lex_user(THD *thd, LEX_USER *user) static bool fix_lex_user(THD *thd, LEX_USER *user)
{ {
...@@ -1005,7 +1021,7 @@ static bool fix_lex_user(THD *thd, LEX_USER *user) ...@@ -1005,7 +1021,7 @@ static bool fix_lex_user(THD *thd, LEX_USER *user)
} }
} }
if (user->password.length) if (user->password.length && !user->auth.length)
{ {
size_t scramble_length; size_t scramble_length;
void (*make_scramble)(char *, const char *, size_t); void (*make_scramble)(char *, const char *, size_t);
...@@ -2691,32 +2707,23 @@ static int check_alter_user(THD *thd, const char *host, const char *user) ...@@ -2691,32 +2707,23 @@ static int check_alter_user(THD *thd, const char *host, const char *user)
Check if the user is allowed to change password Check if the user is allowed to change password
@param thd THD @param thd THD
@param host Hostname for the user @param user User, hostname, new password or password hash
@param user User name
@param new_password New password
@param new_password_len The length of the new password
new_password cannot be NULL
@return Error status @return Error status
@retval 0 OK @retval 0 OK
@retval 1 ERROR; In this case the error is sent to the client. @retval 1 ERROR; In this case the error is sent to the client.
*/ */
int check_change_password(THD *thd, const char *host, const char *user, bool check_change_password(THD *thd, LEX_USER *user)
char *new_password, uint new_password_len)
{ {
if (check_alter_user(thd, host, user)) LEX_USER *real_user= get_current_user(thd, user);
return 1;
size_t len= strlen(new_password); if (fix_and_copy_user(real_user, user, thd))
if (len && len != SCRAMBLED_PASSWORD_CHAR_LENGTH && return true;
len != SCRAMBLED_PASSWORD_CHAR_LENGTH_323)
{ *user= *real_user;
my_error(ER_PASSWD_LENGTH, MYF(0), SCRAMBLED_PASSWORD_CHAR_LENGTH);
return 1; return check_alter_user(thd, user->host.str, user->user.str);
}
return 0;
} }
...@@ -2724,39 +2731,33 @@ int check_change_password(THD *thd, const char *host, const char *user, ...@@ -2724,39 +2731,33 @@ int check_change_password(THD *thd, const char *host, const char *user,
Change a password for a user. Change a password for a user.
@param thd THD @param thd THD
@param host Hostname @param user User, hostname, new password hash
@param user User name
@param new_password New password hash for host@user
@return Error code @return Error code
@retval 0 ok @retval 0 ok
@retval 1 ERROR; In this case the error is sent to the client. @retval 1 ERROR; In this case the error is sent to the client.
*/ */
bool change_password(THD *thd, const char *host, const char *user, bool change_password(THD *thd, LEX_USER *user)
char *new_password)
{ {
TABLE_LIST tables[TABLES_MAX]; TABLE_LIST tables[TABLES_MAX];
/* Buffer should be extended when password length is extended. */ /* Buffer should be extended when password length is extended. */
char buff[512]; char buff[512];
ulong query_length= 0; ulong query_length= 0;
enum_binlog_format save_binlog_format; enum_binlog_format save_binlog_format;
uint new_password_len= (uint) strlen(new_password);
int result=0; int result=0;
const CSET_STRING query_save __attribute__((unused)) = thd->query_string; const CSET_STRING query_save __attribute__((unused)) = thd->query_string;
DBUG_ENTER("change_password"); DBUG_ENTER("change_password");
DBUG_PRINT("enter",("host: '%s' user: '%s' new_password: '%s'", DBUG_PRINT("enter",("host: '%s' user: '%s' new_password: '%s'",
host,user,new_password)); user->host.str, user->user.str, user->password.str));
DBUG_ASSERT(host != 0); // Ensured by parent DBUG_ASSERT(user->host.str != 0); // Ensured by parent
if (check_change_password(thd, host, user, new_password, new_password_len))
DBUG_RETURN(1);
if (mysql_bin_log.is_open() || if (mysql_bin_log.is_open() ||
(WSREP(thd) && !IF_WSREP(thd->wsrep_applier, 0))) (WSREP(thd) && !IF_WSREP(thd->wsrep_applier, 0)))
{ {
query_length= sprintf(buff, "SET PASSWORD FOR '%-.120s'@'%-.120s'='%-.120s'", query_length= sprintf(buff, "SET PASSWORD FOR '%-.120s'@'%-.120s'='%-.120s'",
safe_str(user), safe_str(host), new_password); safe_str(user->user.str), safe_str(user->host.str),
safe_str(user->password.str));
} }
if (WSREP(thd) && !IF_WSREP(thd->wsrep_applier, 0)) if (WSREP(thd) && !IF_WSREP(thd->wsrep_applier, 0))
...@@ -2781,7 +2782,7 @@ bool change_password(THD *thd, const char *host, const char *user, ...@@ -2781,7 +2782,7 @@ bool change_password(THD *thd, const char *host, const char *user,
mysql_mutex_lock(&acl_cache->lock); mysql_mutex_lock(&acl_cache->lock);
ACL_USER *acl_user; ACL_USER *acl_user;
if (!(acl_user= find_user_exact(host, user))) if (!(acl_user= find_user_exact(user->host.str, user->user.str)))
{ {
mysql_mutex_unlock(&acl_cache->lock); mysql_mutex_unlock(&acl_cache->lock);
my_message(ER_PASSWORD_NO_MATCH, ER(ER_PASSWORD_NO_MATCH), MYF(0)); my_message(ER_PASSWORD_NO_MATCH, ER(ER_PASSWORD_NO_MATCH), MYF(0));
...@@ -2792,10 +2793,10 @@ bool change_password(THD *thd, const char *host, const char *user, ...@@ -2792,10 +2793,10 @@ bool change_password(THD *thd, const char *host, const char *user,
if (acl_user->plugin.str == native_password_plugin_name.str || if (acl_user->plugin.str == native_password_plugin_name.str ||
acl_user->plugin.str == old_password_plugin_name.str) acl_user->plugin.str == old_password_plugin_name.str)
{ {
acl_user->auth_string.str= strmake_root(&acl_memroot, new_password, new_password_len); acl_user->auth_string.str= strmake_root(&acl_memroot, user->password.str, user->password.length);
acl_user->auth_string.length= new_password_len; acl_user->auth_string.length= user->password.length;
set_user_salt(acl_user, new_password, new_password_len); set_user_salt(acl_user, user->password.str, user->password.length);
set_user_plugin(acl_user, new_password_len); set_user_plugin(acl_user, user->password.length);
} }
else else
push_warning(thd, Sql_condition::WARN_LEVEL_NOTE, push_warning(thd, Sql_condition::WARN_LEVEL_NOTE,
...@@ -2804,7 +2805,7 @@ bool change_password(THD *thd, const char *host, const char *user, ...@@ -2804,7 +2805,7 @@ bool change_password(THD *thd, const char *host, const char *user,
if (update_user_table(thd, tables[USER_TABLE].table, if (update_user_table(thd, tables[USER_TABLE].table,
safe_str(acl_user->host.hostname), safe_str(acl_user->host.hostname),
safe_str(acl_user->user.str), safe_str(acl_user->user.str),
new_password, new_password_len)) user->password.str, user->password.length))
{ {
mysql_mutex_unlock(&acl_cache->lock); /* purecov: deadcode */ mysql_mutex_unlock(&acl_cache->lock); /* purecov: deadcode */
goto end; goto end;
...@@ -5660,11 +5661,8 @@ static bool has_auth(LEX_USER *user, LEX *lex) ...@@ -5660,11 +5661,8 @@ static bool has_auth(LEX_USER *user, LEX *lex)
lex->mqh.specified_limits; lex->mqh.specified_limits;
} }
static bool copy_and_check_auth(LEX_USER *to, LEX_USER *from, THD *thd) static bool fix_and_copy_user(LEX_USER *to, LEX_USER *from, THD *thd)
{ {
if (fix_lex_user(thd, from))
return true;
if (to != from) if (to != from)
{ {
/* preserve authentication information, if LEX_USER was reallocated */ /* preserve authentication information, if LEX_USER was reallocated */
...@@ -5673,6 +5671,17 @@ static bool copy_and_check_auth(LEX_USER *to, LEX_USER *from, THD *thd) ...@@ -5673,6 +5671,17 @@ static bool copy_and_check_auth(LEX_USER *to, LEX_USER *from, THD *thd)
to->auth= from->auth; to->auth= from->auth;
} }
if (fix_lex_user(thd, to))
return true;
return false;
}
static bool copy_and_check_auth(LEX_USER *to, LEX_USER *from, THD *thd)
{
if (fix_and_copy_user(to, from, thd))
return true;
// if changing auth for an existing user // if changing auth for an existing user
if (has_auth(to, thd->lex) && find_user_exact(to->host.str, to->user.str)) if (has_auth(to, thd->lex) && find_user_exact(to->host.str, to->user.str))
{ {
......
...@@ -206,10 +206,8 @@ bool acl_authenticate(THD *thd, uint com_change_user_pkt_len); ...@@ -206,10 +206,8 @@ bool acl_authenticate(THD *thd, uint com_change_user_pkt_len);
bool acl_getroot(Security_context *sctx, char *user, char *host, bool acl_getroot(Security_context *sctx, char *user, char *host,
char *ip, char *db); char *ip, char *db);
bool acl_check_host(const char *host, const char *ip); bool acl_check_host(const char *host, const char *ip);
int check_change_password(THD *thd, const char *host, const char *user, bool check_change_password(THD *thd, LEX_USER *user);
char *password, uint password_len); bool change_password(THD *thd, LEX_USER *user);
bool change_password(THD *thd, const char *host, const char *user,
char *password);
bool mysql_grant_role(THD *thd, List<LEX_USER> &user_list, bool revoke); bool mysql_grant_role(THD *thd, List<LEX_USER> &user_list, bool revoke);
bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list, bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list,
......
...@@ -1637,7 +1637,7 @@ bool my_yyoverflow(short **a, YYSTYPE **b, ulong *yystacksize); ...@@ -1637,7 +1637,7 @@ bool my_yyoverflow(short **a, YYSTYPE **b, ulong *yystacksize);
table_ident_opt_wild create_like table_ident_opt_wild create_like
%type <simple_string> %type <simple_string>
remember_name remember_end opt_db text_or_password remember_tok_start remember_name remember_end opt_db remember_tok_start
wild_and_where wild_and_where
%type <string> %type <string>
...@@ -14045,7 +14045,6 @@ user_maybe_role: ...@@ -14045,7 +14045,6 @@ user_maybe_role:
if (!($$=(LEX_USER*)thd->calloc(sizeof(LEX_USER)))) if (!($$=(LEX_USER*)thd->calloc(sizeof(LEX_USER))))
MYSQL_YYABORT; MYSQL_YYABORT;
$$->user= current_user; $$->user= current_user;
$$->password= null_lex_str;
$$->plugin= empty_lex_str; $$->plugin= empty_lex_str;
$$->auth= empty_lex_str; $$->auth= empty_lex_str;
} }
...@@ -14753,41 +14752,17 @@ option_value_no_option_type: ...@@ -14753,41 +14752,17 @@ option_value_no_option_type:
MYSQL_YYABORT; MYSQL_YYABORT;
lex->var_list.push_back(var); lex->var_list.push_back(var);
} }
| PASSWORD_SYM equal text_or_password | PASSWORD_SYM opt_for_user text_or_password
{
LEX *lex= thd->lex;
LEX_USER *user;
sp_pcontext *spc= lex->spcont;
LEX_STRING pw;
pw.str= (char *)"password";
pw.length= 8;
if (spc && spc->find_variable(pw, false))
{ {
my_error(ER_SP_BAD_VAR_SHADOW, MYF(0), pw.str); LEX *lex = Lex;
MYSQL_YYABORT; set_var_password *var= new set_var_password(lex->definer);
}
if (!(user=(LEX_USER*) thd->calloc(sizeof(LEX_USER))))
MYSQL_YYABORT;
user->user= current_user;
set_var_password *var= new set_var_password(user, $3);
if (var == NULL) if (var == NULL)
MYSQL_YYABORT; MYSQL_YYABORT;
thd->lex->var_list.push_back(var); lex->var_list.push_back(var);
thd->lex->autocommit= TRUE; lex->autocommit= TRUE;
if (lex->sphead) if (lex->sphead)
lex->sphead->m_flags|= sp_head::HAS_SET_AUTOCOMMIT_STMT; lex->sphead->m_flags|= sp_head::HAS_SET_AUTOCOMMIT_STMT;
} }
| PASSWORD_SYM FOR_SYM user equal text_or_password
{
set_var_password *var= new set_var_password($3,$5);
if (var == NULL)
MYSQL_YYABORT;
Lex->var_list.push_back(var);
Lex->autocommit= TRUE;
if (Lex->sphead)
Lex->sphead->m_flags|= sp_head::HAS_SET_AUTOCOMMIT_STMT;
}
; ;
...@@ -14927,26 +14902,36 @@ isolation_types: ...@@ -14927,26 +14902,36 @@ isolation_types:
| SERIALIZABLE_SYM { $$= ISO_SERIALIZABLE; } | SERIALIZABLE_SYM { $$= ISO_SERIALIZABLE; }
; ;
text_or_password: opt_for_user:
TEXT_STRING { $$=$1.str;} equal
| PASSWORD_SYM '(' TEXT_STRING ')' {
{ LEX *lex= thd->lex;
$$= $3.length ? sp_pcontext *spc= lex->spcont;
Item_func_password::alloc(thd, $3.str, $3.length, LEX_STRING pw= { C_STRING_WITH_LEN("password") };
thd->variables.old_passwords ?
Item_func_password::OLD : if (spc && spc->find_variable(pw, false))
Item_func_password::NEW) : {
$3.str; my_error(ER_SP_BAD_VAR_SHADOW, MYF(0), pw.str);
if ($$ == NULL)
MYSQL_YYABORT; MYSQL_YYABORT;
} }
if (!(lex->definer= (LEX_USER*) thd->calloc(sizeof(LEX_USER))))
MYSQL_YYABORT;
lex->definer->user= current_user;
lex->definer->plugin= empty_lex_str;
lex->definer->auth= empty_lex_str;
}
| FOR_SYM user equal { Lex->definer= $2; }
;
text_or_password:
TEXT_STRING { Lex->definer->auth= $1;}
| PASSWORD_SYM '(' TEXT_STRING ')' { Lex->definer->password= $3; }
| OLD_PASSWORD_SYM '(' TEXT_STRING ')' | OLD_PASSWORD_SYM '(' TEXT_STRING ')'
{ {
$$= $3.length ? Item_func_password:: Lex->definer->password= $3;
alloc(thd, $3.str, $3.length, Item_func_password::OLD) : Lex->definer->auth.str= Item_func_password::alloc(thd,
$3.str; $3.str, $3.length, Item_func_password::OLD);
if ($$ == NULL) Lex->definer->auth.length= SCRAMBLED_PASSWORD_CHAR_LENGTH_323;
MYSQL_YYABORT;
} }
; ;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment