polardbxengine/mysql-test/suite/auth_sec/t/password_require_current.test


###############################################################################
# WL#11544: Current password required for SET PASSWORD #
# This test file covers the scenarios in which the current password #
# must be specified at the time of changing it. #
# The behavior is controlled by the 'password_require_current', #
# flag in the mysql.user table and a global server variable. #
# #
# Here is a matrix that indicates how the policy is enforced for #
# non privileged users. The flag value in the table gets the #
# higher precedence over server variable. #
# #
# -- Column value ------- Global variable value -----------Policy #
# -- N ------- OFF ----------- exempt #
# -- N ------- ON ----------- exempt #
# -- Y ------- OFF ----------- require #
# -- Y ------- ON ----------- require #
# -- NULL ------- OFF ----------- exempt #
# -- NULL ------- ON ----------- require #
# #
# Creation Date: 2018-03-23 #
# #
###############################################################################
# Save the initial number of concurrent sessions
# Paired with include/wait_until_count_sessions.inc at the very end of this
# file, so every connect()/disconnect pair below must be balanced.
--source include/count_sessions.inc
--echo # Default server variable value must be OFF
SELECT @@global.password_require_current;
# Account names and passwords shared by scenarios 1-7. They are substituted
# into the eval'd statements below and are read by the two sourced
# ../include/password_require_current_*_user.inc files (not visible here;
# presumably they run SET PASSWORD / ALTER USER as the privileged and the
# non-privileged account and check the outcome against
# $CURRENT_PASSWORD_REQUIRE -- confirm against those files).
--let $NON_PRIV_USER = non_priv_usr
--let $PRIV_USER = priv_usr
--let $PWRD_1 = pwd1
--let $PWRD_2 = pwd2
--echo
--echo ########################################################################
--echo # 1. Create user without any PASSWPRD REQUIRE CURRENT clause which
--echo # must be equivalent to DEFAULT clause
--echo ########################################################################
eval CREATE USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1',
$PRIV_USER IDENTIFIED BY '$PWRD_2';
# No clause given, so the include files are run with the DEFAULT expectation.
# NOTE(review): spacing around '=' differs from the later --let lines;
# presumably mysqltest trims the value -- confirm if the .inc files compare
# it for exact equality.
--let $CURRENT_PASSWORD_REQUIRE = DEFAULT
--source ../include/password_require_current_priv_user.inc
--source ../include/password_require_current_non_priv_user.inc
eval DROP USER $NON_PRIV_USER, $PRIV_USER;
--echo
--echo ########################################################################
--echo # 2. Create user with PASSWPRD REQUIRE CURRENT DEFAULT clause
--echo ########################################################################
# Explicit DEFAULT clause; same expectation as scenario 1.
eval CREATE USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1',
$PRIV_USER IDENTIFIED BY '$PWRD_2'
PASSWORD REQUIRE CURRENT DEFAULT;
--let $CURRENT_PASSWORD_REQUIRE=DEFAULT
--source ../include/password_require_current_priv_user.inc
--source ../include/password_require_current_non_priv_user.inc
eval DROP USER $NON_PRIV_USER, $PRIV_USER;
--echo
--echo ########################################################################
--echo # 3. Create user with CURRENT clause
--echo ########################################################################
# This scenario also covers the CREATE USER IF NOT EXISTS form of the
# statement; the other scenarios use plain CREATE USER.
eval CREATE USER IF NOT EXISTS $NON_PRIV_USER IDENTIFIED BY '$PWRD_1',
$PRIV_USER IDENTIFIED BY '$PWRD_2' PASSWORD REQUIRE CURRENT;
--let $CURRENT_PASSWORD_REQUIRE=CURRENT
--source ../include/password_require_current_priv_user.inc
--source ../include/password_require_current_non_priv_user.inc
eval DROP USER $NON_PRIV_USER, $PRIV_USER;
--echo
--echo ########################################################################
--echo # 4. Create user with OPTIONAL clause
--echo ########################################################################
eval CREATE USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1',
$PRIV_USER IDENTIFIED BY '$PWRD_2'
PASSWORD REQUIRE CURRENT OPTIONAL;
--let $CURRENT_PASSWORD_REQUIRE=OPTIONAL
--source ../include/password_require_current_priv_user.inc
--source ../include/password_require_current_non_priv_user.inc
eval DROP USER $NON_PRIV_USER, $PRIV_USER;
--echo
--echo ########################################################################
--echo # 5. Verify the ALTER USER scenarios
--echo ########################################################################
# Same pair of accounts is created once and then cycled through
# CURRENT -> OPTIONAL -> DEFAULT -> CURRENT via ALTER USER. Each ALTER USER
# also carries unrelated resource / password options (MAX_USER_CONNECTIONS,
# PASSWORD EXPIRE, PASSWORD REUSE INTERVAL, PASSWORD HISTORY,
# MAX_QUERIES_PER_HOUR) around the PASSWORD REQUIRE CURRENT clause, so the
# clause is checked in combination with them, not only on its own.
eval CREATE USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1',
$PRIV_USER IDENTIFIED BY '$PWRD_2'
PASSWORD REQUIRE CURRENT;
--echo #
--echo # Change password_require_current --> password_require_current_optional
--echo #
eval ALTER USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1',
$PRIV_USER IDENTIFIED BY '$PWRD_2'
WITH MAX_USER_CONNECTIONS 2
PASSWORD REQUIRE CURRENT OPTIONAL
PASSWORD EXPIRE NEVER;
--let $CURRENT_PASSWORD_REQUIRE=OPTIONAL
--source ../include/password_require_current_priv_user.inc
--source ../include/password_require_current_non_priv_user.inc
--echo #
--echo # Change password_require_optional --> password_require_current_default
--echo #
eval ALTER USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1',
$PRIV_USER IDENTIFIED BY '$PWRD_2'
PASSWORD EXPIRE DEFAULT
PASSWORD REUSE INTERVAL 0 DAY
PASSWORD REQUIRE CURRENT DEFAULT;
--let $CURRENT_PASSWORD_REQUIRE=DEFAULT
--source ../include/password_require_current_priv_user.inc
--source ../include/password_require_current_non_priv_user.inc
--echo #
--echo # Change password_require_default --> password_require_current
--echo #
eval ALTER USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1',
$PRIV_USER IDENTIFIED BY '$PWRD_2'
WITH MAX_QUERIES_PER_HOUR 100
PASSWORD HISTORY 0
PASSWORD REQUIRE CURRENT;
--let $CURRENT_PASSWORD_REQUIRE=CURRENT
--source ../include/password_require_current_priv_user.inc
--source ../include/password_require_current_non_priv_user.inc
eval DROP USER $NON_PRIV_USER, $PRIV_USER;
--echo
--echo ########################################################################
--echo # 6. Change password after privileges are granted/revoked from the user
--echo ########################################################################
# usr1 is first exercised as the non-privileged account; $CURRENT_PASSWORD_REQUIRE
# still holds CURRENT from the end of scenario 5 when the include runs here.
--let $NON_PRIV_USER = usr1
eval CREATE USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1' PASSWORD REQUIRE CURRENT;
--source ../include/password_require_current_non_priv_user.inc
--let $CURRENT_PASSWORD_REQUIRE=CURRENT
# usr1 now takes the $PRIV_USER role (same password) while a fresh usr2
# plays the non-privileged account. Whether the priv include grants
# privileges to $PRIV_USER is not visible from this file -- confirm there.
--let $PRIV_USER = $NON_PRIV_USER
--let $PWRD_2 = $PWRD_1
--let $NON_PRIV_USER = usr2
eval CREATE USER $NON_PRIV_USER IDENTIFIED BY '$PWRD_1' PASSWORD REQUIRE CURRENT;
--source ../include/password_require_current_priv_user.inc
eval DROP USER $NON_PRIV_USER;
# Finally usr1 is run through the non-privileged include once more.
--let $NON_PRIV_USER = $PRIV_USER
--source ../include/password_require_current_non_priv_user.inc
eval DROP USER $NON_PRIV_USER;
--echo
--echo ########################################################################
--echo # 7. Change password of an user using old auth plugin with empty password
--echo ########################################################################
# No IDENTIFIED BY here, so the account's current password is empty;
# $PWRD_1 is cleared to match so the include supplies '' as the current one.
eval CREATE USER $NON_PRIV_USER IDENTIFIED WITH 'mysql_native_password'
PASSWORD REQUIRE CURRENT;
--let $PWRD_1=
--source ../include/password_require_current_non_priv_user.inc
eval DROP USER $NON_PRIV_USER;
eval CREATE USER $NON_PRIV_USER IDENTIFIED WITH 'sha256_password'
PASSWORD REQUIRE CURRENT;
--let $PWRD_1=
--source ../include/password_require_current_non_priv_user.inc
eval DROP USER $NON_PRIV_USER;
--echo
--echo ########################################################################
--echo # 8. Change the password of multiple users at once.
--echo ########################################################################
# Three password-less accounts; only u1 gets CREATE USER (with GRANT OPTION)
# and all statements below run on u1's own connection.
CREATE USER u1, u2, u3;
GRANT SELECT, CREATE USER ON *.* to 'u1' WITH GRANT OPTION;
connect(con1,localhost,u1,,);
SELECT user, password_require_current FROM mysql.user WHERE USER LIKE 'u%';
# u1 supplies REPLACE '' (its own current, empty password); u2/u3 are changed
# without REPLACE. The trailing clause applies to every account in the list.
ALTER USER u1 IDENTIFIED BY '' REPLACE '', u2 IDENTIFIED BY '',
u3 IDENTIFIED BY '' PASSWORD REQUIRE CURRENT OPTIONAL;
# password_require_current field must be updated for all three users
SELECT user, password_require_current FROM mysql.user WHERE USER LIKE 'u%';
# Order of accounts in the list does not matter for the check.
ALTER USER u2 IDENTIFIED BY '', u1 IDENTIFIED BY '' REPLACE '',
u3 IDENTIFIED BY '';
ALTER USER u3 IDENTIFIED BY '' , u2 IDENTIFIED BY '',
u1 IDENTIFIED BY '' REPLACE '';
# Rule observed in the three statements below: REPLACE is accepted only for
# the connecting account (u1); giving it for another account in the same
# list (u2) fails the whole statement, whatever position u2 is at.
--error ER_CURRENT_PASSWORD_NOT_REQUIRED
ALTER USER u1 IDENTIFIED BY '' REPLACE '', u2 IDENTIFIED BY '' REPLACE '';
--error ER_CURRENT_PASSWORD_NOT_REQUIRED
ALTER USER u2 IDENTIFIED BY '' REPLACE '', u1 IDENTIFIED BY '';
--error ER_CURRENT_PASSWORD_NOT_REQUIRED
ALTER USER u1 IDENTIFIED BY '123',
u2 IDENTIFIED BY '123' REPLACE '',
u3 IDENTIFIED BY '';
connection default;
disconnect con1;
DROP USER u1, u2, u3;
--echo
--echo ########################################################################
--echo # 9. Change the password as well as password require current clause
--echo # of an user
--echo ########################################################################
CREATE USER u1, u2;
SELECT user, password_require_current FROM mysql.user WHERE USER LIKE 'u%';
connect(con1,localhost,u1,,);
# Without CREATE USER privilege u1 may not change its own
# PASSWORD REQUIRE CURRENT setting, even together with a valid REPLACE.
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER USER u1 IDENTIFIED BY '' REPLACE '' PASSWORD REQUIRE CURRENT;
connection default;
disconnect con1;
# Grant privilege to the user
GRANT SELECT, CREATE USER ON *.* to 'u1' WITH GRANT OPTION;
connect(con1,localhost,u1,,);
# Same statement succeeds once the privilege is held.
ALTER USER u1 IDENTIFIED BY '' REPLACE '' PASSWORD REQUIRE CURRENT;
# password_require_current field must be updated for u1 only
SELECT user, password_require_current FROM mysql.user WHERE USER LIKE 'u%';
# Replace clause is optional for privilege clause even though
# password_require_current is set
ALTER USER u1 IDENTIFIED BY '' PASSWORD REQUIRE CURRENT OPTIONAL;
# password_require_current field must be updated for u1 only
SELECT user, password_require_current FROM mysql.user WHERE USER LIKE 'u%';
connection default;
disconnect con1;
DROP USER u1, u2;
--echo
--echo ########################################################################
--echo # 10. Change the password of proxy user and proxied user
--echo ########################################################################
# u2 is allowed to proxy as u1. Proxy mapping is switched on for the
# native plugin, and the global policy is turned ON so that accounts whose
# column value is NULL fall into the "require" row of the matrix in the
# file header. All three globals are restored at the end of this scenario.
CREATE USER 'u1' IDENTIFIED with 'mysql_native_password';
CREATE USER 'u2' IDENTIFIED with 'mysql_native_password';
GRANT PROXY ON 'u1' TO 'u2';
SET @@global.check_proxy_users = ON;
SET @@global.mysql_native_password_proxy_users = ON;
SET @@global.password_require_current = ON;
connect(con1,localhost,u1,,);
# Own password: SET PASSWORD then ALTER USER, each supplying the current one.
SET PASSWORD='abc' REPLACE '';
ALTER USER u1 IDENTIFIED BY '' REPLACE 'abc';
# No privilege to touch another account.
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER USER u2 IDENTIFIED BY '' REPLACE '';
connection default;
disconnect con1;
connect(con1,localhost,u2,,);
SET PASSWORD='abc' REPLACE '';
# USER() rather than a literal name here -- presumably because, as a proxy
# login, CURRENT_USER() is not u2; the USER()/CURRENT_USER() SELECTs further
# down record which identity each connection actually carries.
ALTER USER USER() IDENTIFIED BY '' REPLACE 'abc';
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER USER u1 IDENTIFIED BY 'abc' REPLACE '';
connection default;
disconnect con1;
# With CREATE USER on u1, changing the other account is permitted, but
# REPLACE may still only be given for the connecting account, so both
# cross-account statements below fail with ER_CURRENT_PASSWORD_NOT_REQUIRED
# (for u2's connection this hinges on the proxy identity -- see the
# SELECT CURRENT_USER() output).
GRANT CREATE USER ON *.* to 'u1' WITH GRANT OPTION;
connect(con1,localhost,u1,,);
SELECT USER();
SELECT CURRENT_USER();
SET PASSWORD='abc' REPLACE '';
--error ER_CURRENT_PASSWORD_NOT_REQUIRED
ALTER USER u2 IDENTIFIED BY 'abc' REPLACE '';
connection default;
disconnect con1;
connect(con1,localhost,u2,,);
SELECT USER();
SELECT CURRENT_USER();
SET PASSWORD='abc' REPLACE '';
--error ER_CURRENT_PASSWORD_NOT_REQUIRED
ALTER USER u1 IDENTIFIED BY '' REPLACE 'abc';
connection default;
disconnect con1;
DROP USER u1, u2;
# Restore the globals changed at the start of this scenario.
SET @@global.check_proxy_users = OFF;
SET @@global.mysql_native_password_proxy_users = OFF;
SET @@global.password_require_current = OFF;
--echo
--echo ########################################################################
--echo # 11. Negative Tests
--echo ########################################################################
# Syntax that must be rejected by the parser: REQUIRE without CURRENT,
# REPLACE on CREATE USER, REPLACE without a value, and REPLACE combined
# with IDENTIFIED AS (a pre-hashed credential).
--error ER_PARSE_ERROR
CREATE USER non_priv_usr PASSWORD REQUIRE;
--error ER_PARSE_ERROR
CREATE USER non_priv_usr PASSWORD REQUIRE PASSWORD EXPIRE DEFAULT;
--error ER_PARSE_ERROR
CREATE USER non_priv_usr IDENTIFIED BY '123' REPLACE '133';
--error ER_PARSE_ERROR
ALTER USER user() IDENTIFIED BY 'pwd1' REPLACE;
--error ER_PARSE_ERROR
ALTER USER root IDENTIFIED BY 'pwd1' REPLACE;
--error ER_PARSE_ERROR
SET PASSWORD='' REPLACE;
--error ER_PARSE_ERROR
SET PASSWORD FOR root='' REPLACE;
--error ER_PARSE_ERROR
ALTER USER user() IDENTIFIED AS '$A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED' replace '' ;
# Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc