From 6382339144256a3668b7c0102e10353b46203659 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vicen=C8=9Biu=20Ciorbaru?=
Date: Sun, 16 Jun 2024 14:01:36 +0300
Subject: [PATCH] MDEV-34311: Alter USER should reset all account limit counters

This commit introduces a reset of password errors counter on any alter user command for the altered user. This is done so as to not require a complete privilege system reload.
---
 mysql-test/main/max_password_errors.result | 23 +++++++++++++++----
 mysql-test/main/max_password_errors.test | 26 ++++++++++++++++++++--
 sql/share/errmsg-utf8.txt | 6 ++---
 sql/sql_acl.cc | 5 ++++-
 4 files changed, 50 insertions(+), 10 deletions(-)
diff --git a/mysql-test/main/max_password_errors.result b/mysql-test/main/max_password_errors.result
index 020761b4f2e..9ee7d0d448d 100644
--- a/mysql-test/main/max_password_errors.result
+++ b/mysql-test/main/max_password_errors.result
@@ -9,10 +9,10 @@ connect con1, localhost, u, bad_pass;
 ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
 connect(localhost,u,good_pass,test,MASTER_PORT,MASTER_SOCKET);
 connect con1, localhost, u, good_pass;
-ERROR HY000: User is blocked because of too many credential errors; unblock with 'FLUSH PRIVILEGES'
+ERROR HY000: User is blocked because of too many credential errors; unblock with 'ALTER USER / FLUSH PRIVILEGES'
 connect(localhost,u,bad_pass,test,MASTER_PORT,MASTER_SOCKET);
 connect con1, localhost, u, bad_pass;
-ERROR HY000: User is blocked because of too many credential errors; unblock with 'FLUSH PRIVILEGES'
+ERROR HY000: User is blocked because of too many credential errors; unblock with 'ALTER USER / FLUSH PRIVILEGES'
 FLUSH PRIVILEGES;
 connect con1, localhost, u, good_pass;
 disconnect con1;
@@ -27,7 +27,7 @@ ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
 connect con1, localhost, u, good_pass;
 ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
 ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
-ERROR HY000: User is blocked because of too many credential errors; unblock with 'FLUSH PRIVILEGES'
+ERROR HY000: User is blocked because of too many credential errors; unblock with 'ALTER USER / FLUSH PRIVILEGES'
 disconnect con1;
 connection default;
 FLUSH PRIVILEGES;
@@ -40,6 +40,21 @@ ERROR 28000: Access denied for user 'root'@'localhost' (using password: YES)
 connect con1, localhost, u, good_pass;
 disconnect con1;
 connection default;
+connect(localhost,u,bad_password,test,MASTER_PORT,MASTER_SOCKET);
+connect con1, localhost, u, bad_password;
+ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
+connect(localhost,u,bad_password,test,MASTER_PORT,MASTER_SOCKET);
+connect con1, localhost, u, bad_password;
+ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
+connect(localhost,u,good_pass,test,MASTER_PORT,MASTER_SOCKET);
+connect con1, localhost, u, good_pass;
+ERROR HY000: User is blocked because of too many credential errors; unblock with 'ALTER USER / FLUSH PRIVILEGES'
+ALTER USER u ACCOUNT UNLOCK;
+connect(localhost,u,bad_password,test,MASTER_PORT,MASTER_SOCKET);
+connect con1, localhost, u, bad_password;
+ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
+connect con1, localhost, u, good_pass;
+disconnect con1;
+connection default;
 DROP USER u;
-FLUSH PRIVILEGES;
 set global max_password_errors=@old_max_password_errors;
diff --git a/mysql-test/main/max_password_errors.test b/mysql-test/main/max_password_errors.test
index 1debca0258d..3642746e83f 100644
--- a/mysql-test/main/max_password_errors.test
+++ b/mysql-test/main/max_password_errors.test
@@ -59,6 +59,28 @@ connect (con1, localhost, root, bad_pass);
 connect (con1, localhost, u, good_pass);
 disconnect con1;
 connection default;
+
+# Block u again
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+error ER_ACCESS_DENIED_ERROR;
+connect(con1, localhost, u, bad_password);
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+error ER_ACCESS_DENIED_ERROR;
+connect(con1, localhost, u, bad_password);
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+error ER_USER_IS_BLOCKED;
+connect(con1, localhost, u, good_pass);
+
+# Unblock foo
+ALTER USER u ACCOUNT UNLOCK;
+
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+error ER_ACCESS_DENIED_ERROR;
+connect(con1, localhost, u, bad_password);
+
+connect(con1, localhost, u, good_pass);
+disconnect con1;
+connection default;
+
 DROP USER u;
-FLUSH PRIVILEGES;
-set global max_password_errors=@old_max_password_errors;
\ No newline at end of file
+set global max_password_errors=@old_max_password_errors;
diff --git a/sql/share/errmsg-utf8.txt b/sql/share/errmsg-utf8.txt
index 9e2211eb4f0..76a26c6b700 100644
--- a/sql/share/errmsg-utf8.txt
+++ b/sql/share/errmsg-utf8.txt
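Review bot: In mysql-test/main/max_password_errors.test, the added block exercises only `ALTER USER u ACCOUNT UNLOCK`, while the server change in this commit clears the counter on any ALTER USER; a second case using a different clause (for example a password change) would pin the behaviour the commit message describes. The single bad_password attempt after the unlock, followed by a successful login, does show that the counter restarted rather than being bypassed, assuming max_password_errors is set to 2 earlier in the file, which is outside the hunk. The comment `# Unblock foo` names a user that does not appear in the test; `# Unblock u via ALTER USER` would match the statement below it.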
@@ -9922,9 +9922,9 @@ ER_BACKUP_UNKNOWN_STAGE
 eng "Unknown backup stage: '%s'. Stage should be one of START, FLUSH, BLOCK_DDL, BLOCK_COMMIT or END"
 spa "Fase de respaldo desconocida: '%s'. La fase debería de ser una de START, FLUSH, BLOCK_DDL, BLOCK_COMMIT o END"
 ER_USER_IS_BLOCKED
- chi "由于凭证错误太多,用户被阻止;用'FLUSH PRIVILEGES'解锁"
- eng "User is blocked because of too many credential errors; unblock with 'FLUSH PRIVILEGES'"
- spa "El usuario está bloqueado a causa de demasiados errores de credenciales; desbloquee mediante 'FLUSH PRIVILEGES'"
+ chi "由于凭证错误太多,用户被阻止;用'ALTER USER / FLUSH PRIVILEGES'解锁"
+ eng "User is blocked because of too many credential errors; unblock with 'ALTER USER / FLUSH PRIVILEGES'"
+ spa "El usuario está bloqueado a causa de demasiados errores de credenciales; desbloquee mediante 'ALTER USER / FLUSH PRIVILEGES'"
 ER_ACCOUNT_HAS_BEEN_LOCKED
 chi "访问拒绝,此帐户已锁定"
 eng "Access denied, this account is locked"
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index e58fb5f4870..c5c83046c6a 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -263,7 +263,7 @@ public:
 PASSWD_ERROR_INCREMENT
 };
- inline void update_password_errors(PASSWD_ERROR_ACTION action)
+ void update_password_errors(PASSWD_ERROR_ACTION action)
 {
 switch (action)
 {
@@ -3560,6 +3560,9 @@ static int acl_user_update(THD *thd, ACL_USER *acl_user, uint nauth,
 break;
 }
+ // Any alter user resets password_errors;
+ acl_user->update_password_errors(ACL_USER::PASSWD_ERROR_CLEAR);
+
 return 0;
 }
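Review bot: In sql/sql_acl.cc, the `PASSWD_ERROR_CLEAR` call added just before `return 0;` in acl_user_update runs unconditionally on the success path, so the failed-login counter behind max_password_errors is cleared by any account change that reaches this function, not only by an explicit unlock. The callers are outside the hunk; if GRANT or SET PASSWORD also route through acl_user_update, routine privilege maintenance would silently unblock an account that is being subjected to password guessing, which is worth confirming and stating in the comment. I would replace the one-line comment with `/* MDEV-34311: every successful account update clears password_errors, so a user blocked by max_password_errors is unblocked without FLUSH PRIVILEGES. */` and consider logging when a non-zero counter is cleared, so the reset is visible to whoever audits lockouts. The body of acl_user_update begins before the hunk.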