Commit da76d25a authored by Sergei Golubchik's avatar Sergei Golubchik

MDEV-26339 Account specifics to be handled before proxying

parent 5e04c08d
...@@ -40,6 +40,35 @@ test_pam@localhost pam_test@% test ...@@ -40,6 +40,35 @@ test_pam@localhost pam_test@% test
# #
Now, the magic number! Now, the magic number!
PIN: 9212 PIN: 9212
#
# MDEV-26339 Account specifics to be handled before proxying
#
alter user pam_test account lock;
alter user pam_test require subject 'foobar';
alter user pam_test password expire;
Now, the magic number!
PIN: 9212
select user(), current_user(), database();
user() current_user() database()
test_pam@localhost pam_test@% test
alter user pam_test account unlock;
alter user pam_test require none;
alter user pam_test identified by '';
show create user pam_test;
CREATE USER for pam_test@%
CREATE USER `pam_test`@`%`
alter user test_pam account lock;
Now, the magic number!
PIN: 9212
alter user test_pam account unlock;
alter user test_pam require subject 'foobar';
Now, the magic number!
PIN: 9212
alter user test_pam require none;
alter user test_pam password expire;
Now, the magic number!
PIN: 9212
select user(), current_user(), database();
drop user test_pam; drop user test_pam;
drop user pam_test; drop user pam_test;
create user PAM_TEST identified via pam using 'mariadb_mtr'; create user PAM_TEST identified via pam using 'mariadb_mtr';
......
...@@ -54,6 +54,36 @@ EOF ...@@ -54,6 +54,36 @@ EOF
--error 1 --error 1
--exec $MYSQL_TEST -u test_pam -pbadpassword --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good2.txt --exec $MYSQL_TEST -u test_pam -pbadpassword --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good2.txt
--echo #
--echo # MDEV-26339 Account specifics to be handled before proxying
--echo #
# one can connect if the proxy account is locked
alter user pam_test account lock;
alter user pam_test require subject 'foobar';
alter user pam_test password expire;
--error 0
--exec $MYSQL_TEST -u test_pam -pgoodpassword --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good2.txt
alter user pam_test account unlock;
alter user pam_test require none;
alter user pam_test identified by '';
show create user pam_test;
#one cannot connect if the proxied account is locked
alter user test_pam account lock;
--error 1
--exec $MYSQL_TEST -u test_pam -pgoodpassword --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good2.txt
alter user test_pam account unlock;
alter user test_pam require subject 'foobar';
--error 1
--exec $MYSQL_TEST -u test_pam -pgoodpassword --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good2.txt
alter user test_pam require none;
alter user test_pam password expire;
--error 1
--exec $MYSQL_TEST -u test_pam -pgoodpassword --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good2.txt
drop user test_pam; drop user test_pam;
drop user pam_test; drop user pam_test;
create user PAM_TEST identified via pam using 'mariadb_mtr'; create user PAM_TEST identified via pam using 'mariadb_mtr';
......
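Review bot: The comments `# one can connect if the proxy account is locked` and `#one cannot connect if the proxied account is locked` use "proxy" and "proxied" the opposite way round from the `GRANT PROXY ON proxied TO proxy` convention, under which test_pam (the account that authenticates, shown by `user()`) is the proxy user and pam_test (shown by `current_user()`) is the proxied one. Naming the account in the comment makes the intent unambiguous whichever term is used: `# one can connect if the proxied account (pam_test) is locked, requires SSL or has an expired password` and `# one cannot connect if the authenticating account (test_pam) is locked`. Mentioning all three restrictions in the first comment also tells the reader that the single `--error 0` attempt is meant to cover lock, REQUIRE SUBJECT and password expiry set together on pam_test. The second comment additionally lacks the space after `#` that the first one has.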
...@@ -13932,7 +13932,45 @@ bool acl_authenticate(THD *thd, uint com_change_user_pkt_len) ...@@ -13932,7 +13932,45 @@ bool acl_authenticate(THD *thd, uint com_change_user_pkt_len)
if (initialized) // if not --skip-grant-tables if (initialized) // if not --skip-grant-tables
{ {
/*
OK. Let's check the SSL. Historically it was checked after the password,
as an additional layer, not instead of the password
(in which case it would've been a plugin too).
*/
if (acl_check_ssl(thd, acl_user))
{
Host_errors errors;
errors.m_ssl= 1;
inc_host_errors(mpvio.auth_info.thd->security_ctx->ip, &errors);
login_failed_error(thd);
DBUG_RETURN(1);
}
if (acl_user->account_locked) {
status_var_increment(denied_connections);
my_error(ER_ACCOUNT_HAS_BEEN_LOCKED, MYF(0));
DBUG_RETURN(1);
}
bool client_can_handle_exp_pass= thd->client_capabilities &
CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS;
bool password_expired= thd->password != PASSWORD_USED_NO_MENTION
&& (acl_user->password_expired ||
check_password_lifetime(thd, *acl_user));
if (!client_can_handle_exp_pass && disconnect_on_expired_password &&
password_expired)
{
status_var_increment(denied_connections);
my_error(ER_MUST_CHANGE_PASSWORD_LOGIN, MYF(0));
DBUG_RETURN(1);
}
sctx->password_expired= password_expired;
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
if (!password_expired)
{
bool is_proxy_user= FALSE; bool is_proxy_user= FALSE;
const char *auth_user = acl_user->user.str; const char *auth_user = acl_user->user.str;
ACL_PROXY_USER *proxy_user; ACL_PROXY_USER *proxy_user;
...@@ -13977,6 +14015,7 @@ bool acl_authenticate(THD *thd, uint com_change_user_pkt_len) ...@@ -13977,6 +14015,7 @@ bool acl_authenticate(THD *thd, uint com_change_user_pkt_len)
acl_user= acl_proxy_user->copy(thd->mem_root); acl_user= acl_proxy_user->copy(thd->mem_root);
mysql_mutex_unlock(&acl_cache->lock); mysql_mutex_unlock(&acl_cache->lock);
} }
}
#endif #endif
sctx->master_access= acl_user->access; sctx->master_access= acl_user->access;
...@@ -13987,41 +14026,6 @@ bool acl_authenticate(THD *thd, uint com_change_user_pkt_len) ...@@ -13987,41 +14026,6 @@ bool acl_authenticate(THD *thd, uint com_change_user_pkt_len)
else else
*sctx->priv_host= 0; *sctx->priv_host= 0;
/*
OK. Let's check the SSL. Historically it was checked after the password,
as an additional layer, not instead of the password
(in which case it would've been a plugin too).
*/
if (acl_check_ssl(thd, acl_user))
{
Host_errors errors;
errors.m_ssl= 1;
inc_host_errors(mpvio.auth_info.thd->security_ctx->ip, &errors);
login_failed_error(thd);
DBUG_RETURN(1);
}
if (acl_user->account_locked) {
status_var_increment(denied_connections);
my_error(ER_ACCOUNT_HAS_BEEN_LOCKED, MYF(0));
DBUG_RETURN(1);
}
bool client_can_handle_exp_pass= thd->client_capabilities &
CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS;
bool password_expired= thd->password != PASSWORD_USED_NO_MENTION
&& (acl_user->password_expired ||
check_password_lifetime(thd, *acl_user));
if (!client_can_handle_exp_pass && disconnect_on_expired_password &&
password_expired)
{
status_var_increment(denied_connections);
my_error(ER_MUST_CHANGE_PASSWORD_LOGIN, MYF(0));
DBUG_RETURN(1);
}
sctx->password_expired= password_expired;
/* /*
Don't allow the user to connect if he has done too many queries. Don't allow the user to connect if he has done too many queries.
......
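Review bot: The new `if (!password_expired)` guard that wraps the whole proxy-user lookup inside `#ifndef NO_EMBEDDED_ACCESS_CHECKS` carries no comment saying why an expired password disables proxying, and the SSL, account-lock and expiry checks moved above it are now evaluated only against the authenticating `acl_user`: once `acl_user= acl_proxy_user->copy(thd->mem_root)` runs, the proxied account's lock, SSL requirements and expiry are never re-checked. That appears to be the intent of MDEV-26339 and matches the new test expectations, but it is a deliberate security decision that should be stated where it is made. Suggest a comment before the guard: `/* SSL requirements, account lock and password expiry are properties of the user who authenticated and are checked before proxying; they are not re-checked for the proxied account. An expired password keeps the session on the authenticating account (no proxying). */`. acl_authenticate begins and ends outside the shown hunks.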