polardbxengine/mysql-test/t/rewrite_general_log.test

#
# WL#5706/Bug#58712/Bug#11746378
# Encrypt or remove passwords from slow, query, and binary logs
# (see sql/sql_rewrite.cc for bulk of implementation)
#

# make sure we start with a clean slate. log_tables.test says this is OK.
TRUNCATE TABLE mysql.general_log;

CALL mtr.add_suppression('Following users were specified in CREATE USER IF NOT EXISTS but they already exist');
CALL mtr.add_suppression('Following users were specified in ALTER USER IF EXISTS but they do not exist');

--echo --------------- general log ---------------------------------------

LET old_log_output=          `select @@global.log_output`;
LET old_general_log=         `select @@global.general_log`;
LET old_general_log_file=    `select @@global.general_log_file`;

--replace_result $MYSQLTEST_VARDIR ...
eval SET GLOBAL general_log_file = '$MYSQLTEST_VARDIR/log/rewrite_general.log';
SET GLOBAL log_output =       'FILE,TABLE';
SET GLOBAL general_log=       'ON';

# SET NAMES / SET CHARSET
# keep these in lower case so we can tell them from the upper case rewrites!
set character set 'hebrew';
set charset default,@dummy='A';
set names 'latin1',@dummy='B';
set names 'latin1' collate 'latin1_german2_ci';
set names default,@dummy='c';

# 1.1.1.1

CREATE TABLE     t1(f1 INT, f2 INT, f3 INT, f4 INT);
CREATE PROCEDURE proc_rewrite_1() INSERT INTO test.t1 VALUES ("hocus pocus");
CREATE FUNCTION  func_rewrite_1(i INT) RETURNS INT DETERMINISTIC RETURN i+1;

CREATE USER test_user1 IDENTIFIED WITH mysql_native_password BY 'azundris1';
GRANT SELECT(f2), INSERT(f3), INDEX, UPDATE(f1,f3, f2, f4), ALTER on
      test.t1 TO test_user1;
GRANT ALL ON PROCEDURE test.proc_rewrite_1 TO test_user1;
GRANT EXECUTE ON FUNCTION test.func_rewrite_1 TO test_user1;

CREATE USER test_user3@localhost IDENTIFIED WITH mysql_native_password BY 'meow' REQUIRE SSL;
GRANT SELECT,USAGE ON test.* TO test_user3@localhost;
ALTER USER test_user3@localhost IDENTIFIED BY 'meow'
      REQUIRE X509 WITH
      MAX_QUERIES_PER_HOUR 1 MAX_UPDATES_PER_HOUR 2
      MAX_CONNECTIONS_PER_HOUR 3 MAX_USER_CONNECTIONS 4;
GRANT USAGE ON test.* TO test_user3@localhost WITH GRANT OPTION;
ALTER USER test_user3@localhost REQUIRE NONE;


DROP PROCEDURE proc_rewrite_1;
DROP FUNCTION  func_rewrite_1;
DROP TABLE     t1;

# 1.1.1.2
CREATE USER test_user2 IDENTIFIED WITH mysql_native_password BY 'azundris2';

# 1.1.1.3
--disable_warnings
CHANGE MASTER TO MASTER_PASSWORD='azundris3';
--enable_warnings

# 1.1.1.4
CREATE USER 'test_user4'@'localhost' IDENTIFIED WITH mysql_native_password;
ALTER USER 'test_user4'@'localhost' IDENTIFIED BY 'azundris4';
# 1.1.1.5
CREATE USER test_user5 IDENTIFIED WITH mysql_native_password AS
'*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF', test_user6 IDENTIFIED BY 'test';
ALTER USER IF EXISTS test_user5 IDENTIFIED BY 'test',
 test_user6 IDENTIFIED WITH mysql_native_password AS
 '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF', test_user7 IDENTIFIED BY 'test';
CREATE USER IF NOT EXISTS test_user6 IDENTIFIED BY 'test',
 test_user7 IDENTIFIED BY 'test';
ALTER USER test_user7 IDENTIFIED WITH mysql_native_password AS
 '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF';
# 1.1.1.6 : Literal <secret> must be printed in the log for empty password
CREATE USER test_user8 IDENTIFIED BY '';
ALTER USER test_user8 IDENTIFIED BY '';
CREATE USER test_user9 IDENTIFIED WITH 'caching_sha2_password' BY '';
ALTER  USER test_user9 IDENTIFIED WITH 'caching_sha2_password' BY '';
SET PASSWORD FOR test_user9 = "";
#1.1.1.7 : WL#11544, verify the newly added clauses
CREATE USER u1, u2;
GRANT CREATE USER ON *.* to 'u1' WITH GRANT OPTION;
connect(con1,localhost,u1,,);
SET PASSWORD = '' REPLACE '';
ALTER USER u1 IDENTIFIED BY '123' REPLACE '', u2 IDENTIFIED BY '456'
              PASSWORD REQUIRE CURRENT OPTIONAL;
ALTER USER u2 IDENTIFIED BY 'xyz', u1 IDENTIFIED BY 'abc' REPLACE '123';

connection default;
disconnect con1;

# clean-up
SET GLOBAL general_log=       'OFF';
DROP USER u1, u2;
DROP USER 'test_user4'@'localhost';
DROP USER 'test_user3'@'localhost';
DROP USER test_user9, test_user8;
DROP USER test_user7, test_user6,  test_user5;
DROP USER test_user2;
DROP USER test_user1;

# show general-logging to file is correct
CREATE TABLE test_log (argument TEXT);
--replace_result $MYSQLTEST_VARDIR ...
eval LOAD DATA LOCAL INFILE '$MYSQLTEST_VARDIR/log/rewrite_general.log'
     INTO TABLE test_log FIELDS TERMINATED BY '\n' LINES TERMINATED BY '\n';

# all passwords ('azundris%') must have been obfuscated -> empty result set
--echo This line should be followed by two SELECTs with empty result sets
--replace_regex /.*Query	*//i
SELECT argument FROM test_log WHERE argument LIKE CONCAT('%azun','dris%');

# same for logging to table
SELECT argument FROM mysql.general_log WHERE argument LIKE CONCAT('%azun','dris%');

--echo Show that we logged stuff at all:
--echo ------ from file ------
--replace_regex /.*Execute	*//i
SELECT TRIM(LEADING '\t' FROM MID(argument,LOCATE('Query',argument)+5)) FROM
                test_log WHERE (argument LIKE '%BY %' OR argument LIKE '%AS %'
                OR argument LIKE '%PASSWORD %')
                AND argument NOT LIKE '%Prepare%';
--echo ------ from table ------
SELECT argument FROM mysql.general_log WHERE (argument LIKE '%BY %' OR
                    argument LIKE '%AS %' OR argument LIKE '%PASSWORD %')
                    AND command_type NOT LIKE 'Prepare';
--echo ------ done ------

--echo ------ rewrite ------
SELECT argument FROM mysql.general_log WHERE argument LIKE CONCAT('set ','character set %');
SELECT argument FROM mysql.general_log WHERE argument LIKE CONCAT('set ','names %');
SELECT argument FROM mysql.general_log WHERE argument LIKE 'GRANT %' AND command_type NOT LIKE 'Prepare';
--echo ------ done ------ see log_tables.test for more proof! :)

# Sanity check -- prove we log the correct hash. Must return one row. In case of ps-protocol mode the query returns 2 rows
SELECT COUNT(*)=1 OR COUNT(*)=2 FROM mysql.general_log WHERE argument LIKE 'CREATE USER%' AND argument LIKE CONCAT('%AS %');

--echo Bug#13958454 -- show we print SET @a:=5, but SELECT (@a:=5)
# We need the () in EXPLAIN, for (@e:=80)+5.
# In SET however, they'd break syntax.
# VIEWs do not accepted variables at this time.
EXPLAIN SELECT @a=5,@b:=10,@c:=20,@d:=40+5,(@e:=80)+5;

--echo
--echo End of 5.6 tests!
--echo

--echo #
--echo # Bug#16953758: PREPARED STATEMENT IS WRITTEN TO GENERAL QUERY LOG AFTER ITS EXECUTION IS FINISH
--echo #
TRUNCATE TABLE mysql.general_log;
SET GLOBAL general_log='ON';
SET @sql='SELECT command_type, argument FROM mysql.general_log WHERE argument LIKE "%Bug#16953758%"';
PREPARE stmt FROM @sql;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;


--echo #
--echo # Bug#18616826: PREPARED STATEMENTS WHOSE EXECUTION FAIL ARE NOT LOGGED TO THE GENERAL LOG
--echo #
TRUNCATE TABLE mysql.general_log;
SET @sql='DROP TABLE 18616826_does_not_exist';
PREPARE stmt FROM @sql;
--error ER_BAD_TABLE_ERROR
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
SELECT command_type, argument FROM mysql.general_log WHERE argument LIKE "DROP TABLE 18616826_does_not_exist";

--echo
--echo End of 5.7 tests!
--echo

# Tests related to WL#11544 : Restart the server with --log-raw
# and check if password is in plaintext
--echo # shutdown the server from mtr.
--exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--shutdown_server
--source include/wait_until_disconnected.inc

--echo # restart the server.
--exec echo "restart: --log-raw" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc

--replace_result $MYSQLTEST_VARDIR ...
eval SET GLOBAL general_log_file = '$MYSQLTEST_VARDIR/log/rewrite_general.log';
SET GLOBAL log_output =       'FILE,TABLE';
SET GLOBAL general_log=       'ON';

CREATE USER 'plaintext_test' IDENTIFIED BY 'pwd';
connect(con1,localhost,plaintext_test,'pwd',);
ALTER USER plaintext_test IDENTIFIED BY '' REPLACE 'pwd';
SET PASSWORD FOR plaintext_test='456' REPLACE '';
SET PASSWORD='789' REPLACE '456';
disconnect con1;
connection default;
DROP USER plaintext_test;

# Restart the server to original state
--echo # shutdown the server from mtr.
--exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--shutdown_server
--source include/wait_until_disconnected.inc

--echo # restart the server.
--exec echo "restart:" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc

# Password must be seen in cleartext with --log-raw option. In case of ps-protocol mode the query returns 9 rows
SELECT count(*)=6 or count(*)=9 FROM mysql.general_log WHERE argument LIKE '%plaintext_test%' or argument like '%789%';

# cleanup
DROP TABLE test_log;

--remove_file $MYSQLTEST_VARDIR/log/rewrite_general.log
--replace_result $MYSQLTEST_VARDIR ...
eval SET GLOBAL general_log_file =  '$old_general_log_file';
eval SET GLOBAL log_output=        '$old_log_output';
eval SET GLOBAL general_log=       $old_general_log;

--echo
--echo End of 5.7 tests!
--echo