MDEV-26339 Account specifics to be handled before proxying

mysql-test/suite/plugins/r/pam.result

@@ -40,6 +40,35 @@ test_pam@localhost	pam_test@%	test
 #
 Now, the magic number!
 PIN: 9212
+#
+# MDEV-26339 Account specifics to be handled before proxying
+#
+alter user pam_test account lock;
+alter user pam_test require subject 'foobar';
+alter user pam_test password expire;
+Now, the magic number!
+PIN: 9212
+select user(), current_user(), database();
+user()	current_user()	database()
+test_pam@localhost	pam_test@%	test
+alter user pam_test account unlock;
+alter user pam_test require none;
+alter user pam_test identified by '';
+show create user pam_test;
+CREATE USER for pam_test@%
+CREATE USER `pam_test`@`%`
+alter user test_pam account lock;
+Now, the magic number!
+PIN: 9212
+alter user test_pam account unlock;
+alter user test_pam require subject 'foobar';
+Now, the magic number!
+PIN: 9212
+alter user test_pam require none;
+alter user test_pam password expire;
+Now, the magic number!
+PIN: 9212
+select user(), current_user(), database();
 drop user test_pam;
 drop user pam_test;
 create user PAM_TEST identified via pam using 'mariadb_mtr';

mysql-test/suite/plugins/t/pam.test

@@ -54,6 +54,36 @@ EOF
 --error 1
 --exec $MYSQL_TEST -u test_pam -pbadpassword --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good2.txt
 
+--echo #
+--echo # MDEV-26339 Account specifics to be handled before proxying
+--echo #
+
+# one can connect if the proxy account is locked
+alter user pam_test account lock;
+alter user pam_test require subject 'foobar';
+alter user pam_test password expire;
+--error 0
+--exec $MYSQL_TEST -u test_pam -pgoodpassword --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good2.txt
+alter user pam_test account unlock;
+alter user pam_test require none;
+alter user pam_test identified by '';
+show create user pam_test;
+
+#one cannot connect if the proxied account is locked
+alter user test_pam account lock;
+--error 1
+--exec $MYSQL_TEST -u test_pam -pgoodpassword --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good2.txt
+alter user test_pam account unlock;
+
+alter user test_pam require subject 'foobar';
+--error 1
+--exec $MYSQL_TEST -u test_pam -pgoodpassword --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good2.txt
+alter user test_pam require none;
+
+alter user test_pam password expire;
+--error 1
+--exec $MYSQL_TEST -u test_pam -pgoodpassword --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good2.txt
+
 drop user test_pam;
 drop user pam_test;
 create user PAM_TEST identified via pam using 'mariadb_mtr';

sql/sql_acl.cc

@@ -13932,7 +13932,45 @@ bool acl_authenticate(THD *thd, uint com_change_user_pkt_len)
 
   if (initialized) // if not --skip-grant-tables
   {
+    /*
+      OK. Let's check the SSL. Historically it was checked after the password,
+      as an additional layer, not instead of the password
+      (in which case it would've been a plugin too).
+    */
+    if (acl_check_ssl(thd, acl_user))
+    {
+      Host_errors errors;
+      errors.m_ssl= 1;
+      inc_host_errors(mpvio.auth_info.thd->security_ctx->ip, &errors);
+      login_failed_error(thd);
+      DBUG_RETURN(1);
+    }
+
+    if (acl_user->account_locked) {
+      status_var_increment(denied_connections);
+      my_error(ER_ACCOUNT_HAS_BEEN_LOCKED, MYF(0));
+      DBUG_RETURN(1);
+    }
+
+    bool client_can_handle_exp_pass= thd->client_capabilities &
+                                     CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS;
+    bool password_expired= thd->password != PASSWORD_USED_NO_MENTION
+                           && (acl_user->password_expired ||
+                               check_password_lifetime(thd, *acl_user));
+
+    if (!client_can_handle_exp_pass && disconnect_on_expired_password &&
+        password_expired)
+    {
+      status_var_increment(denied_connections);
+      my_error(ER_MUST_CHANGE_PASSWORD_LOGIN, MYF(0));
+      DBUG_RETURN(1);
+    }
+
+    sctx->password_expired= password_expired;
+
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
+    if (!password_expired)
+    {
       bool is_proxy_user= FALSE;
       const char *auth_user = acl_user->user.str;
       ACL_PROXY_USER *proxy_user;
@@ -13977,6 +14015,7 @@ bool acl_authenticate(THD *thd, uint com_change_user_pkt_len)
         acl_user= acl_proxy_user->copy(thd->mem_root);
         mysql_mutex_unlock(&acl_cache->lock);
       }
+    }
 #endif
 
     sctx->master_access= acl_user->access;
@@ -13987,41 +14026,6 @@ bool acl_authenticate(THD *thd, uint com_change_user_pkt_len)
     else
       *sctx->priv_host= 0;
 
-    /*
-      OK. Let's check the SSL. Historically it was checked after the password,
-      as an additional layer, not instead of the password
-      (in which case it would've been a plugin too).
-    */
-    if (acl_check_ssl(thd, acl_user))
-    {
-      Host_errors errors;
-      errors.m_ssl= 1;
-      inc_host_errors(mpvio.auth_info.thd->security_ctx->ip, &errors);
-      login_failed_error(thd);
-      DBUG_RETURN(1);
-    }
-
-    if (acl_user->account_locked) {
-      status_var_increment(denied_connections);
-      my_error(ER_ACCOUNT_HAS_BEEN_LOCKED, MYF(0));
-      DBUG_RETURN(1);
-    }
-
-    bool client_can_handle_exp_pass= thd->client_capabilities &
-                                     CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS;
-    bool password_expired= thd->password != PASSWORD_USED_NO_MENTION
-                           && (acl_user->password_expired ||
-                               check_password_lifetime(thd, *acl_user));
-
-    if (!client_can_handle_exp_pass && disconnect_on_expired_password &&
-        password_expired)
-    {
-      status_var_increment(denied_connections);
-      my_error(ER_MUST_CHANGE_PASSWORD_LOGIN, MYF(0));
-      DBUG_RETURN(1);
-    }
-
-    sctx->password_expired= password_expired;
 
     /*
       Don't allow the user to connect if he has done too many queries.