189 lines
4.8 KiB
Plaintext
189 lines
4.8 KiB
Plaintext
## Test cases for authorization plugins
|
|
|
|
--source include/xplugin_preamble.inc
|
|
--source include/xplugin_create_user.inc
|
|
|
|
|
|
#
|
|
## Setup
|
|
#
|
|
|
|
call mtr.add_suppression("Maximum number of authentication attempts reached");
|
|
call mtr.add_suppression("Access denied for user .*");
|
|
|
|
--write_file $MYSQL_TMP_DIR/auth_seq.tmp
|
|
-->import connection_auth_mechanism_memory_helpers.macro
|
|
-->import connection.macro
|
|
|
|
-->echo #
|
|
-->echo ## Try to authenticate two times, last one succesfull
|
|
-->echo #
|
|
newsession seq -;
|
|
|
|
callmacro Verify_its_xprotocol_connection;
|
|
callmacro Enable_ssl_on_xprotocol_and_transmision_layer;
|
|
|
|
expecterror ER_ACCESS_DENIED_ERROR;
|
|
login xuser_native native test sha256_memory;
|
|
|
|
login xuser_native native test plain;
|
|
closesession;
|
|
|
|
|
|
-->echo #
|
|
-->echo ## 1. User must be able to perform authentication sequence with different mechanism
|
|
-->echo ##
|
|
-->echo ## * Try to authenticate three times, last one succesfull
|
|
-->echo ##
|
|
-->echo ## Requirements: PROTO1
|
|
-->echo #
|
|
-->echo
|
|
|
|
newsession seq -;
|
|
callmacro Verify_its_xprotocol_connection;
|
|
|
|
callmacro Enable_ssl_on_xprotocol_and_transmision_layer;
|
|
|
|
expecterror ER_ACCESS_DENIED_ERROR;
|
|
login xuser_sha256 sha256 test sha256_memory;
|
|
|
|
expecterror ER_ACCESS_DENIED_ERROR;
|
|
login xuser_sha256 sha256 test mysql41;
|
|
|
|
login xuser_sha256 sha256 test plain;
|
|
closesession;
|
|
|
|
|
|
-->echo #
|
|
-->echo ## 2. Server must disconnect user that tries too many authentications
|
|
-->echo ##
|
|
-->echo ## * Try to authenticate three times, after last error connection is disconnected
|
|
-->echo ##
|
|
-->echo ## Requirements: PROTO2
|
|
-->echo #
|
|
-->echo
|
|
|
|
newsession seq -;
|
|
|
|
callmacro Verify_its_xprotocol_connection;
|
|
callmacro Enable_ssl_on_xprotocol_and_transmision_layer;
|
|
|
|
expecterror ER_ACCESS_DENIED_ERROR;
|
|
login xuser_cache2 wrong_pass test sha256_memory;
|
|
|
|
expecterror ER_ACCESS_DENIED_ERROR;
|
|
login xuser_cache2 wrong_pass test mysql41;
|
|
|
|
expecterror ER_ACCESS_DENIED_ERROR;
|
|
login xuser_cache2 wrong_pass test plain;
|
|
peerdisc 30000 30000;
|
|
|
|
|
|
-->echo
|
|
-->echo #######################################################################
|
|
-->echo ## 3. After succesfull authentication, user must be able to reset session and use
|
|
-->echo ## authentication sequence
|
|
-->echo ##
|
|
-->echo ## * Establish a session, reset it, try to do the sequence ending succesful
|
|
-->echo ## * Establish a session, reset it, try to do the sequence ending with failure
|
|
-->echo ##
|
|
-->echo ## Requirements: PROTO3
|
|
-->echo #
|
|
-->echo
|
|
-->echo #######################################################################
|
|
-->echo # Sequence succesfull
|
|
newsession seq -;
|
|
callmacro Verify_its_xprotocol_connection;
|
|
callmacro Enable_ssl_on_xprotocol_and_transmision_layer;
|
|
login xuser_sha256 sha256 test sha256_memory;
|
|
|
|
Mysqlx.Session.Reset {
|
|
}
|
|
recvtype Mysqlx.Ok;
|
|
|
|
expecterror ER_ACCESS_DENIED_ERROR;
|
|
login xuser_sha256 sha256 test mysql41;
|
|
|
|
login xuser_sha256 sha256 test sha256_memory;
|
|
|
|
closesession;
|
|
|
|
-->echo
|
|
-->echo #######################################################################
|
|
-->echo # Sequence failed
|
|
newsession seq -;
|
|
callmacro Verify_its_xprotocol_connection;
|
|
callmacro Enable_ssl_on_xprotocol_and_transmision_layer;
|
|
login xuser_sha256 sha256 test sha256_memory;
|
|
|
|
Mysqlx.Session.Reset {
|
|
}
|
|
recvtype Mysqlx.Ok;
|
|
|
|
expecterror ER_ACCESS_DENIED_ERROR;
|
|
login xuser_sha256 wrong_pass test mysql41;
|
|
|
|
expecterror ER_ACCESS_DENIED_ERROR;
|
|
login xuser_sha256 wrong_pass test sha256_memory;
|
|
|
|
expecterror ER_ACCESS_DENIED_ERROR;
|
|
login xuser_sha256 wrong_pass test plain;
|
|
|
|
peerdisc 30000 30000;
|
|
|
|
EOF
|
|
|
|
--write_file $MYSQL_TMP_DIR/auth_errors.tmp
|
|
-->import connection.macro
|
|
callmacro Verify_its_xprotocol_connection;
|
|
|
|
expecterror ER_ACCESS_DENIED_ERROR;
|
|
login locked_user pass test sha256_memory;
|
|
|
|
expecterror ER_ACCESS_DENIED_ERROR;
|
|
login locked_user pass test mysql41;
|
|
|
|
EOF
|
|
|
|
#
|
|
## Error handling part
|
|
#
|
|
|
|
CREATE USER user_to_lock@localhost IDENTIFIED WITH 'caching_sha2_password' BY 'xxx';
|
|
GRANT ALL ON *.* TO user_to_lock@localhost;
|
|
|
|
# Cache user password
|
|
exec $MYSQLXTEST -u user_to_lock -p "xxx" --ssl-mode=required --execute "select 1";
|
|
|
|
ALTER USER user_to_lock@localhost ACCOUNT LOCK;
|
|
|
|
# Use mysqlxclient library that is going to choose first error from the sequence
|
|
|
|
exec $MYSQLXTEST -u user_to_lock -p "xxx" --ssl-mode=DISABLED --cached-auth --mysql41-auth --expect-error ER_ACCOUNT_HAS_BEEN_LOCKED;
|
|
|
|
# Use raw protocol message and show that first error in the sequence is ACCOUNT_LOCKED
|
|
|
|
exec $MYSQLXTEST -u user_to_lock -p "xxx" --no-auth --file=$MYSQL_TMP_DIR/auth_errors.tmp 2>&1;
|
|
|
|
#
|
|
## Authentication sequence part
|
|
#
|
|
|
|
--let $MYSQLXTEST=$MYSQLXTEST -ux_root --ssl-cipher='AES256-SHA'
|
|
|
|
--source ../include/create_mysql_accounts_for_xplugin_tests.inc
|
|
|
|
|
|
exec $MYSQLXTEST --file=$MYSQL_TMP_DIR/auth_seq.tmp 2>&1;
|
|
|
|
#
|
|
## Postamble
|
|
#
|
|
--source include/xplugin_drop_user.inc
|
|
--remove_file $MYSQL_TMP_DIR/auth_seq.tmp
|
|
--remove_file $MYSQL_TMP_DIR/auth_errors.tmp
|
|
DROP USER user_to_lock@localhost;
|
|
|
|
--source ../include/remove_mysql_accounts_for_xplugin_tests.inc
|
|
|