###############################################################################
# WL#11544: Current password required for SET PASSWORD
#
# This test file covers the scenarios in which the current password
# needs to be specified at the time of changing it.
# The behavior is controlled by the 'password_require_current'
# flag in the mysql.user table and a global server variable.
#
# Here is a matrix that indicates how the policy is enforced for
# non privileged users. The flag value in the table takes
# precedence over the server variable.
#
#   Column value   Global variable value   Policy
#   N              OFF                     exempt
#   N              ON                      exempt
#   Y              OFF                     require
#   Y              ON                      require
#   NULL           OFF                     exempt
#   NULL           ON                      require
#
# Reading the matrix: a column value of Y/N pins the per-account policy;
# only NULL (the DEFAULT clause) defers to @@global.password_require_current.
# The REPLACE '<current password>' clause on ALTER USER / SET PASSWORD is how
# the caller proves knowledge of the current password.
#
# Creation Date: 2018-03-23
###############################################################################

# Save the initial number of concurrent sessions
--source include/count_sessions.inc

--echo # Default server variable value must be OFF
SELECT @@global.password_require_current;

# Shared fixture variables consumed by the two include files below.
# $CURRENT_PASSWORD_REQUIRE tells the includes which policy (DEFAULT,
# CURRENT or OPTIONAL) the created accounts currently carry, so they can
# decide whether a change without REPLACE is expected to succeed or fail.
--let $NON_PRIV_USER = non_priv_usr
--let $PRIV_USER = priv_usr
--let $PWRD_1 = pwd1
--let $PWRD_2 = pwd2

--echo
--echo ########################################################################
--echo # 1. Create user without any PASSWPRD REQUIRE CURRENT clause which
--echo # must be equivalent to DEFAULT clause
--echo ########################################################################
# No PASSWORD REQUIRE clause at all: the account is expected to behave as
# DEFAULT, i.e. follow @@global.password_require_current.
eval CREATE USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1', $PRIV_USER IDENTIFIED BY '$PWRD_2';
--let $CURRENT_PASSWORD_REQUIRE = DEFAULT
--source ../include/password_require_current_priv_user.inc
--source ../include/password_require_current_non_priv_user.inc
eval DROP USER $NON_PRIV_USER, $PRIV_USER;

--echo
--echo ########################################################################
--echo # 2. Create user with PASSWPRD REQUIRE CURRENT DEFAULT clause
--echo ########################################################################
# Explicit DEFAULT clause; must produce the same outcome as scenario 1.
eval CREATE USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1', $PRIV_USER IDENTIFIED BY '$PWRD_2' PASSWORD REQUIRE CURRENT DEFAULT;
--let $CURRENT_PASSWORD_REQUIRE=DEFAULT
--source ../include/password_require_current_priv_user.inc
--source ../include/password_require_current_non_priv_user.inc
eval DROP USER $NON_PRIV_USER, $PRIV_USER;

--echo
--echo ########################################################################
--echo # 3. Create user with CURRENT clause
--echo ########################################################################
# PASSWORD REQUIRE CURRENT pins the policy to "require" regardless of the
# global variable (column value Y in the matrix above).
eval CREATE USER IF NOT EXISTS $NON_PRIV_USER IDENTIFIED BY '$PWRD_1', $PRIV_USER IDENTIFIED BY '$PWRD_2' PASSWORD REQUIRE CURRENT;
--let $CURRENT_PASSWORD_REQUIRE=CURRENT
--source ../include/password_require_current_priv_user.inc
--source ../include/password_require_current_non_priv_user.inc
eval DROP USER $NON_PRIV_USER, $PRIV_USER;

--echo
--echo ########################################################################
--echo # 4. Create user with OPTIONAL clause
--echo ########################################################################
# PASSWORD REQUIRE CURRENT OPTIONAL pins the policy to "exempt" regardless
# of the global variable (column value N in the matrix above).
eval CREATE USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1', $PRIV_USER IDENTIFIED BY '$PWRD_2' PASSWORD REQUIRE CURRENT OPTIONAL;
--let $CURRENT_PASSWORD_REQUIRE=OPTIONAL
--source ../include/password_require_current_priv_user.inc
--source ../include/password_require_current_non_priv_user.inc
eval DROP USER $NON_PRIV_USER, $PRIV_USER;

--echo
--echo ########################################################################
--echo # 5. Verify the ALTER USER scenarios
--echo ########################################################################
# Cycle the policy CURRENT -> OPTIONAL -> DEFAULT -> CURRENT through
# ALTER USER, mixing in unrelated resource/expiry clauses to check that the
# PASSWORD REQUIRE CURRENT clause is parsed correctly alongside them.
eval CREATE USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1', $PRIV_USER IDENTIFIED BY '$PWRD_2' PASSWORD REQUIRE CURRENT;
--echo #
--echo # Change password_require_current --> password_require_current_optional
--echo #
eval ALTER USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1', $PRIV_USER IDENTIFIED BY '$PWRD_2' WITH MAX_USER_CONNECTIONS 2 PASSWORD REQUIRE CURRENT OPTIONAL PASSWORD EXPIRE NEVER;
--let $CURRENT_PASSWORD_REQUIRE=OPTIONAL
--source ../include/password_require_current_priv_user.inc
--source ../include/password_require_current_non_priv_user.inc
--echo #
--echo # Change password_require_optional --> password_require_current_default
--echo #
eval ALTER USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1', $PRIV_USER IDENTIFIED BY '$PWRD_2' PASSWORD EXPIRE DEFAULT PASSWORD REUSE INTERVAL 0 DAY PASSWORD REQUIRE CURRENT DEFAULT;
--let $CURRENT_PASSWORD_REQUIRE=DEFAULT
--source ../include/password_require_current_priv_user.inc
--source ../include/password_require_current_non_priv_user.inc
--echo #
--echo # Change password_require_default --> password_require_current
--echo #
eval ALTER USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1', $PRIV_USER IDENTIFIED BY '$PWRD_2' WITH MAX_QUERIES_PER_HOUR 100 PASSWORD HISTORY 0 PASSWORD REQUIRE CURRENT;
--let $CURRENT_PASSWORD_REQUIRE=CURRENT
--source ../include/password_require_current_priv_user.inc
--source ../include/password_require_current_non_priv_user.inc
eval DROP USER $NON_PRIV_USER, $PRIV_USER;

--echo
--echo ########################################################################
--echo # 6. Change password after privileges are granted/revoked from the user
--echo ########################################################################
# The same account (usr1) is exercised first as a non-privileged user, then
# as the privileged user of the pair, then as non-privileged again, so that
# the policy check is shown to depend on the privileges held at the time of
# the change rather than on how the account was created.
--let $NON_PRIV_USER = usr1
eval CREATE USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1' PASSWORD REQUIRE CURRENT;
# NOTE: this first include runs before the --let below and therefore relies on
# $CURRENT_PASSWORD_REQUIRE still being CURRENT from the end of scenario 5.
--source ../include/password_require_current_non_priv_user.inc
--let $CURRENT_PASSWORD_REQUIRE=CURRENT
--let $PRIV_USER = $NON_PRIV_USER
--let $PWRD_2 = $PWRD_1
--let $NON_PRIV_USER = usr2
eval CREATE USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1' PASSWORD REQUIRE CURRENT;
--source ../include/password_require_current_priv_user.inc
eval DROP USER $NON_PRIV_USER;
--let $NON_PRIV_USER = $PRIV_USER
--source ../include/password_require_current_non_priv_user.inc
eval DROP USER $NON_PRIV_USER;

--echo
--echo ########################################################################
--echo # 7. Change password of an user using old auth plugin with empty password
--echo ########################################################################
# Accounts created with legacy plugins and no password: the "current
# password" the caller must supply is the empty string, so $PWRD_1 is
# cleared before the include runs.
eval CREATE USER $NON_PRIV_USER IDENTIFIED WITH 'mysql_native_password' PASSWORD REQUIRE CURRENT;
--let $PWRD_1=
--source ../include/password_require_current_non_priv_user.inc
eval DROP USER $NON_PRIV_USER;
eval CREATE USER $NON_PRIV_USER IDENTIFIED WITH 'sha256_password' PASSWORD REQUIRE CURRENT;
--let $PWRD_1=
--source ../include/password_require_current_non_priv_user.inc
eval DROP USER $NON_PRIV_USER;

--echo
--echo ########################################################################
--echo # 8. Change the password of multiple users at once.
--echo ########################################################################
# u1 holds CREATE USER and acts on u1 (itself), u2 and u3 in one statement.
CREATE USER u1, u2, u3;
GRANT SELECT, CREATE USER ON *.* to 'u1' WITH GRANT OPTION;
connect(con1,localhost,u1,,);
SELECT user, password_require_current FROM mysql.user WHERE USER LIKE 'u%';
ALTER USER u1 IDENTIFIED BY '' REPLACE '', u2 IDENTIFIED BY '', u3 IDENTIFIED BY '' PASSWORD REQUIRE CURRENT OPTIONAL;
# password_require_current field must be updated for all three users
SELECT user, password_require_current FROM mysql.user WHERE USER LIKE 'u%';
# REPLACE for the caller's own account (u1) is accepted in any position of the
# user list.
ALTER USER u2 IDENTIFIED BY '', u1 IDENTIFIED BY '' REPLACE '', u3 IDENTIFIED BY '';
ALTER USER u3 IDENTIFIED BY '' , u2 IDENTIFIED BY '', u1 IDENTIFIED BY '' REPLACE '';
# Supplying REPLACE for another account (u2) whose policy is now OPTIONAL is
# rejected, and one rejected element fails the whole multi-user statement.
--error ER_CURRENT_PASSWORD_NOT_REQUIRED
ALTER USER u1 IDENTIFIED BY '' REPLACE '', u2 IDENTIFIED BY '' REPLACE '';
--error ER_CURRENT_PASSWORD_NOT_REQUIRED
ALTER USER u2 IDENTIFIED BY '' REPLACE '', u1 IDENTIFIED BY '';
--error ER_CURRENT_PASSWORD_NOT_REQUIRED
ALTER USER u1 IDENTIFIED BY '123', u2 IDENTIFIED BY '123' REPLACE '', u3 IDENTIFIED BY '';
connection default;
disconnect con1;
DROP USER u1, u2, u3;

--echo
--echo ########################################################################
--echo # 9. Change the password as well as password require current clause
--echo # of an user
--echo ########################################################################
CREATE USER u1, u2;
SELECT user, password_require_current FROM mysql.user WHERE USER LIKE 'u%';
connect(con1,localhost,u1,,);
# Changing the policy on one's own account is a privileged operation even
# when the current password is supplied; without CREATE USER it is denied.
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER USER u1 IDENTIFIED BY '' REPLACE '' PASSWORD REQUIRE CURRENT;
connection default;
disconnect con1;
# Grant privilege to the user
GRANT SELECT, CREATE USER ON *.* to 'u1' WITH GRANT OPTION;
connect(con1,localhost,u1,,);
ALTER USER u1 IDENTIFIED BY '' REPLACE '' PASSWORD REQUIRE CURRENT;
# password_require_current field must be updated for u1 only
SELECT user, password_require_current FROM mysql.user WHERE USER LIKE 'u%';
# Replace clause is optional for privilege clause even though
# password_require_current is set
ALTER USER u1 IDENTIFIED BY '' PASSWORD REQUIRE CURRENT OPTIONAL;
# password_require_current field must be updated for u1 only
SELECT user, password_require_current FROM mysql.user WHERE USER LIKE 'u%';
connection default;
disconnect con1;
DROP USER u1, u2;

--echo
--echo ########################################################################
--echo # 10. Change the password of proxy user and proxied user
--echo ########################################################################
# Proxy setup: u2 may proxy as u1. With check_proxy_users and
# mysql_native_password_proxy_users ON, a session opened as u2 presumably
# runs with CURRENT_USER() = u1 (the SELECT USER()/CURRENT_USER() pairs
# below record which identity each statement acts under). The global
# variable is switched ON here so every account without an explicit policy
# requires the current password; all three globals are restored at the end.
CREATE USER 'u1' IDENTIFIED with 'mysql_native_password';
CREATE USER 'u2' IDENTIFIED with 'mysql_native_password';
GRANT PROXY ON 'u1' TO 'u2';
SET @@global.check_proxy_users = ON;
SET @@global.mysql_native_password_proxy_users = ON;
SET @@global.password_require_current = ON;
connect(con1,localhost,u1,,);
SET PASSWORD='abc' REPLACE '';
ALTER USER u1 IDENTIFIED BY '' REPLACE 'abc';
# Without CREATE USER, a session may only change its own password.
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER USER u2 IDENTIFIED BY '' REPLACE '';
connection default;
disconnect con1;
connect(con1,localhost,u2,,);
SET PASSWORD='abc' REPLACE '';
ALTER USER USER() IDENTIFIED BY '' REPLACE 'abc';
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER USER u1 IDENTIFIED BY 'abc' REPLACE '';
connection default;
disconnect con1;
# Once u1 holds CREATE USER, changing another account's password no longer
# requires (and therefore rejects) the REPLACE clause.
GRANT CREATE USER ON *.* to 'u1' WITH GRANT OPTION;
connect(con1,localhost,u1,,);
SELECT USER();
SELECT CURRENT_USER();
SET PASSWORD='abc' REPLACE '';
--error ER_CURRENT_PASSWORD_NOT_REQUIRED
ALTER USER u2 IDENTIFIED BY 'abc' REPLACE '';
connection default;
disconnect con1;
connect(con1,localhost,u2,,);
SELECT USER();
SELECT CURRENT_USER();
SET PASSWORD='abc' REPLACE '';
--error ER_CURRENT_PASSWORD_NOT_REQUIRED
ALTER USER u1 IDENTIFIED BY '' REPLACE 'abc';
connection default;
disconnect con1;
DROP USER u1, u2;
# Restore the globals changed above so later tests see the default policy.
SET @@global.check_proxy_users = OFF;
SET @@global.mysql_native_password_proxy_users = OFF;
SET @@global.password_require_current = OFF;

--echo
--echo ########################################################################
--echo # 11. Negative Tests
--echo ########################################################################
# Syntax checks: PASSWORD REQUIRE without CURRENT, REPLACE without a value,
# and REPLACE on CREATE USER (there is no current password to replace yet)
# must all be rejected by the parser.
--error ER_PARSE_ERROR
CREATE USER non_priv_usr PASSWORD REQUIRE;
--error ER_PARSE_ERROR
CREATE USER non_priv_usr PASSWORD REQUIRE PASSWORD EXPIRE DEFAULT;
--error ER_PARSE_ERROR
CREATE USER non_priv_usr IDENTIFIED BY '123' REPLACE '133';
--error ER_PARSE_ERROR
ALTER USER user() IDENTIFIED BY 'pwd1' REPLACE;
--error ER_PARSE_ERROR
ALTER USER root IDENTIFIED BY 'pwd1' REPLACE;
--error ER_PARSE_ERROR
SET PASSWORD='' REPLACE;
--error ER_PARSE_ERROR
SET PASSWORD FOR root='' REPLACE;
# REPLACE combined with IDENTIFIED AS (a pre-hashed credential) is a parse
# error; the literal is deliberately not a usable hash.
--error ER_PARSE_ERROR
ALTER USER user() IDENTIFIED AS '$A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED' replace '' ;

# Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc