## Test cases for authorization plugins --source include/xplugin_preamble.inc --source include/xplugin_create_user.inc # ## Setup # call mtr.add_suppression("Maximum number of authentication attempts reached"); call mtr.add_suppression("Access denied for user .*"); --write_file $MYSQL_TMP_DIR/auth_seq.tmp -->import connection_auth_mechanism_memory_helpers.macro -->import connection.macro -->echo # -->echo ## Try to authenticate two times, last one succesfull -->echo # newsession seq -; callmacro Verify_its_xprotocol_connection; callmacro Enable_ssl_on_xprotocol_and_transmision_layer; expecterror ER_ACCESS_DENIED_ERROR; login xuser_native native test sha256_memory; login xuser_native native test plain; closesession; -->echo # -->echo ## 1. User must be able to perform authentication sequence with different mechanism -->echo ## -->echo ## * Try to authenticate three times, last one succesfull -->echo ## -->echo ## Requirements: PROTO1 -->echo # -->echo newsession seq -; callmacro Verify_its_xprotocol_connection; callmacro Enable_ssl_on_xprotocol_and_transmision_layer; expecterror ER_ACCESS_DENIED_ERROR; login xuser_sha256 sha256 test sha256_memory; expecterror ER_ACCESS_DENIED_ERROR; login xuser_sha256 sha256 test mysql41; login xuser_sha256 sha256 test plain; closesession; -->echo # -->echo ## 2. Server must disconnect user that tries too many authentications -->echo ## -->echo ## * Try to authenticate three times, after last error connection is disconnected -->echo ## -->echo ## Requirements: PROTO2 -->echo # -->echo newsession seq -; callmacro Verify_its_xprotocol_connection; callmacro Enable_ssl_on_xprotocol_and_transmision_layer; expecterror ER_ACCESS_DENIED_ERROR; login xuser_cache2 wrong_pass test sha256_memory; expecterror ER_ACCESS_DENIED_ERROR; login xuser_cache2 wrong_pass test mysql41; expecterror ER_ACCESS_DENIED_ERROR; login xuser_cache2 wrong_pass test plain; peerdisc 30000 30000; -->echo -->echo ####################################################################### -->echo ## 3. After succesfull authentication, user must be able to reset session and use -->echo ## authentication sequence -->echo ## -->echo ## * Establish a session, reset it, try to do the sequence ending succesful -->echo ## * Establish a session, reset it, try to do the sequence ending with failure -->echo ## -->echo ## Requirements: PROTO3 -->echo # -->echo -->echo ####################################################################### -->echo # Sequence succesfull newsession seq -; callmacro Verify_its_xprotocol_connection; callmacro Enable_ssl_on_xprotocol_and_transmision_layer; login xuser_sha256 sha256 test sha256_memory; Mysqlx.Session.Reset { } recvtype Mysqlx.Ok; expecterror ER_ACCESS_DENIED_ERROR; login xuser_sha256 sha256 test mysql41; login xuser_sha256 sha256 test sha256_memory; closesession; -->echo -->echo ####################################################################### -->echo # Sequence failed newsession seq -; callmacro Verify_its_xprotocol_connection; callmacro Enable_ssl_on_xprotocol_and_transmision_layer; login xuser_sha256 sha256 test sha256_memory; Mysqlx.Session.Reset { } recvtype Mysqlx.Ok; expecterror ER_ACCESS_DENIED_ERROR; login xuser_sha256 wrong_pass test mysql41; expecterror ER_ACCESS_DENIED_ERROR; login xuser_sha256 wrong_pass test sha256_memory; expecterror ER_ACCESS_DENIED_ERROR; login xuser_sha256 wrong_pass test plain; peerdisc 30000 30000; EOF --write_file $MYSQL_TMP_DIR/auth_errors.tmp -->import connection.macro callmacro Verify_its_xprotocol_connection; expecterror ER_ACCESS_DENIED_ERROR; login locked_user pass test sha256_memory; expecterror ER_ACCESS_DENIED_ERROR; login locked_user pass test mysql41; EOF # ## Error handling part # CREATE USER user_to_lock@localhost IDENTIFIED WITH 'caching_sha2_password' BY 'xxx'; GRANT ALL ON *.* TO user_to_lock@localhost; # Cache user password exec $MYSQLXTEST -u user_to_lock -p "xxx" --ssl-mode=required --execute "select 1"; ALTER USER user_to_lock@localhost ACCOUNT LOCK; # Use mysqlxclient library that is going to choose first error from the sequence exec $MYSQLXTEST -u user_to_lock -p "xxx" --ssl-mode=DISABLED --cached-auth --mysql41-auth --expect-error ER_ACCOUNT_HAS_BEEN_LOCKED; # Use raw protocol message and show that first error in the sequence is ACCOUNT_LOCKED exec $MYSQLXTEST -u user_to_lock -p "xxx" --no-auth --file=$MYSQL_TMP_DIR/auth_errors.tmp 2>&1; # ## Authentication sequence part # --let $MYSQLXTEST=$MYSQLXTEST -ux_root --ssl-cipher='AES256-SHA' --source ../include/create_mysql_accounts_for_xplugin_tests.inc exec $MYSQLXTEST --file=$MYSQL_TMP_DIR/auth_seq.tmp 2>&1; # ## Postamble # --source include/xplugin_drop_user.inc --remove_file $MYSQL_TMP_DIR/auth_seq.tmp --remove_file $MYSQL_TMP_DIR/auth_errors.tmp DROP USER user_to_lock@localhost; --source ../include/remove_mysql_accounts_for_xplugin_tests.inc