diff --git a/mysql-test/r/mysqld--help.result b/mysql-test/r/mysqld--help.result index f263dfebad9..e8ceaac0a1f 100644 --- a/mysql-test/r/mysqld--help.result +++ b/mysql-test/r/mysqld--help.result @@ -987,6 +987,11 @@ The following options may be given as the first argument: --stored-program-cache=# The soft upper limit for number of cached stored routines for one connection. + --strict-password-validation + When password validation plugins are enabled, reject + passwords that cannot be validated (passwords specified + as a hash) + (Defaults to on; use --skip-strict-password-validation to disable.) -s, --symbolic-links Enable symbolic link support. --sync-binlog=# Synchronously flush binary log to disk after every #th @@ -1348,6 +1353,7 @@ sort-buffer-size 2097152 sql-mode stack-trace TRUE stored-program-cache 256 +strict-password-validation TRUE symbolic-links FALSE sync-binlog 0 sync-frm FALSE diff --git a/mysql-test/suite/plugins/r/simple_password_check.result b/mysql-test/suite/plugins/r/simple_password_check.result index 3c0e01ed0a3..b6906fc923a 100644 --- a/mysql-test/suite/plugins/r/simple_password_check.result +++ b/mysql-test/suite/plugins/r/simple_password_check.result 
@@ -109,6 +109,42 @@ ERROR HY000: Your password does not satisfy the current policy requirements set password for foo1 = old_password('qwe:123:ASD4'); ERROR HY000: Your password does not satisfy the current policy requirements set password for foo1 = password('qwe:123:ASD!'); +select @@strict_password_validation; +@@strict_password_validation +1 +set password for foo1 = ''; +ERROR HY000: Your password does not satisfy the current policy requirements +set password for foo1 = '2222222222222222'; +ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement +set password for foo1 = '11111111111111111111111111111111111111111'; +ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement +create user foo2 identified by password '11111111111111111111111111111111111111111'; +ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement +grant select on *.* to foo2 identified by password '2222222222222222'; +ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement +create user foo2 identified with mysql_native_password using '11111111111111111111111111111111111111111'; +ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement +grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222'; +ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement +create user foo2 identified with mysql_native_password using ''; +ERROR HY000: Your password does not satisfy the current policy requirements +grant select on *.* to foo2 identified with mysql_old_password; +ERROR HY000: Your password does not satisfy the current policy requirements +update mysql.user set password='xxx' 
where user='foo1'; +set global strict_password_validation=0; +set password for foo1 = ''; +ERROR HY000: Your password does not satisfy the current policy requirements +set password for foo1 = '2222222222222222'; +set password for foo1 = '11111111111111111111111111111111111111111'; +create user foo2 identified by password '11111111111111111111111111111111111111111'; +drop user foo2; +grant select on *.* to foo2 identified by password '2222222222222222'; +drop user foo2; +create user foo2 identified with mysql_native_password using '11111111111111111111111111111111111111111'; +drop user foo2; +grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222'; +drop user foo2; +set global strict_password_validation=1; drop user foo1; uninstall plugin simple_password_check; create user foo1 identified by 'pwd'; diff --git a/mysql-test/suite/plugins/t/simple_password_check.test b/mysql-test/suite/plugins/t/simple_password_check.test index c322bebdfe3..c31e31154e3 100644 --- a/mysql-test/suite/plugins/t/simple_password_check.test +++ b/mysql-test/suite/plugins/t/simple_password_check.test 
@@ -58,6 +58,48 @@ set password for foo1 = password('qwe:123:4SD!'); --error ER_NOT_VALID_PASSWORD set password for foo1 = old_password('qwe:123:ASD4'); set password for foo1 = password('qwe:123:ASD!'); + +# now, strict_password_validation +select @@strict_password_validation; + +--error ER_NOT_VALID_PASSWORD +set password for foo1 = ''; +--error ER_OPTION_PREVENTS_STATEMENT +set password for foo1 = '2222222222222222'; +--error ER_OPTION_PREVENTS_STATEMENT +set password for foo1 = '11111111111111111111111111111111111111111'; +--error ER_OPTION_PREVENTS_STATEMENT +create user foo2 identified by password '11111111111111111111111111111111111111111'; +--error ER_OPTION_PREVENTS_STATEMENT +grant select on *.* to foo2 identified by password '2222222222222222'; +--error ER_OPTION_PREVENTS_STATEMENT +create user foo2 identified with mysql_native_password using '11111111111111111111111111111111111111111'; +--error ER_OPTION_PREVENTS_STATEMENT +grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222'; +--error ER_NOT_VALID_PASSWORD +create user foo2 identified with mysql_native_password using ''; +--error ER_NOT_VALID_PASSWORD +grant select on *.* to foo2 identified with mysql_old_password; + +# direct updates are not protected +update mysql.user set password='xxx' where user='foo1'; + +set global strict_password_validation=0; + +--error ER_NOT_VALID_PASSWORD +set password for foo1 = ''; +set password for foo1 = '2222222222222222'; +set password for foo1 = '11111111111111111111111111111111111111111'; +create user foo2 identified by password '11111111111111111111111111111111111111111'; +drop user foo2; +grant select on *.* to foo2 identified by password '2222222222222222'; +drop user foo2; +create user foo2 identified with mysql_native_password using '11111111111111111111111111111111111111111'; +drop user foo2; +grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222'; +drop user foo2; + +set global 
strict_password_validation=1; drop user foo1; uninstall plugin simple_password_check; diff --git a/mysql-test/suite/sys_vars/r/all_vars.result b/mysql-test/suite/sys_vars/r/all_vars.result index 1bd4e394f6a..840da8405c3 100644 --- a/mysql-test/suite/sys_vars/r/all_vars.result +++ b/mysql-test/suite/sys_vars/r/all_vars.result @@ -10,5 +10,6 @@ there should be *no* long test name listed below: select distinct variable_name as `there should be *no* variables listed below:` from t2 left join t1 on variable_name=test_name where test_name is null; there should be *no* variables listed below: +strict_password_validation drop table t1; drop table t2; diff --git a/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result b/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result index 7b44c74c757..f8a4f312179 100644 --- a/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result +++ b/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result @@ -3647,6 +3647,20 @@ NUMERIC_BLOCK_SIZE 1 ENUM_VALUE_LIST NULL READ_ONLY NO COMMAND_LINE_ARGUMENT REQUIRED +VARIABLE_NAME STRICT_PASSWORD_VALIDATION +SESSION_VALUE NULL +GLOBAL_VALUE ON +GLOBAL_VALUE_ORIGIN COMPILE-TIME +DEFAULT_VALUE ON +VARIABLE_SCOPE GLOBAL +VARIABLE_TYPE BOOLEAN +VARIABLE_COMMENT When password validation plugins are enabled, reject passwords that cannot be validated (passwords specified as a hash) +NUMERIC_MIN_VALUE NULL +NUMERIC_MAX_VALUE NULL +NUMERIC_BLOCK_SIZE NULL +ENUM_VALUE_LIST OFF,ON +READ_ONLY NO +COMMAND_LINE_ARGUMENT OPTIONAL VARIABLE_NAME SYNC_BINLOG SESSION_VALUE NULL GLOBAL_VALUE 0 diff --git a/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result b/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result index c6c14b3383b..c669298e141 100644 --- a/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result +++ b/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result 
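Review bot: The new cases never exercise the path where `strict_password_validation` is on but no validation plugin is loaded, which is the other half of the `has_validation_plugins()` condition. After `uninstall plugin simple_password_check;`, a statement such as `create user foo2 identified by password '11111111111111111111111111111111111111111';` followed by `drop user foo2;` should succeed with the default setting. Asserting that here would catch a regression that starts rejecting hashes on servers with no plugin. The rest of the test file is outside this hunk, so such a case may already exist further down.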
@@ -4249,6 +4249,20 @@ NUMERIC_BLOCK_SIZE 1 ENUM_VALUE_LIST NULL READ_ONLY NO COMMAND_LINE_ARGUMENT REQUIRED +VARIABLE_NAME STRICT_PASSWORD_VALIDATION +SESSION_VALUE NULL +GLOBAL_VALUE ON +GLOBAL_VALUE_ORIGIN COMPILE-TIME +DEFAULT_VALUE ON +VARIABLE_SCOPE GLOBAL +VARIABLE_TYPE BOOLEAN +VARIABLE_COMMENT When password validation plugins are enabled, reject passwords that cannot be validated (passwords specified as a hash) +NUMERIC_MIN_VALUE NULL +NUMERIC_MAX_VALUE NULL +NUMERIC_BLOCK_SIZE NULL +ENUM_VALUE_LIST OFF,ON +READ_ONLY NO +COMMAND_LINE_ARGUMENT OPTIONAL VARIABLE_NAME SYNC_BINLOG SESSION_VALUE NULL GLOBAL_VALUE 0 diff --git a/sql/mysqld.cc b/sql/mysqld.cc index 6b9e5e456de..fb7c14d3222 100644 --- a/sql/mysqld.cc +++ b/sql/mysqld.cc @@ -431,7 +431,7 @@ my_bool opt_safe_user_create = 0; my_bool opt_show_slave_auth_info; my_bool opt_log_slave_updates= 0; my_bool opt_replicate_annotate_row_events= 0; -my_bool opt_mysql56_temporal_format= 0; +my_bool opt_mysql56_temporal_format=0, strict_password_validation= 1; char *opt_slave_skip_errors; /* diff --git a/sql/mysqld.h b/sql/mysqld.h index 19616867ce9..ff595afcf97 100644 --- a/sql/mysqld.h +++ b/sql/mysqld.h @@ -748,7 +748,7 @@ extern my_bool opt_master_verify_checksum; extern my_bool opt_stack_trace; extern my_bool opt_expect_abort; extern my_bool opt_slave_sql_verify_checksum; -extern my_bool opt_mysql56_temporal_format; +extern my_bool opt_mysql56_temporal_format, strict_password_validation; extern ulong binlog_checksum_options; extern bool max_user_connections_checking; extern ulong opt_binlog_dbug_fsync_sleep; diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index a8e7ef5db30..bbae17eb472 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc 
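Review bot: `strict_password_validation` is appended to the declaration of the unrelated `opt_mysql56_temporal_format`, both here in sql/mysqld.cc and in the matching `extern` line in sql/mysqld.h, which hides a security-relevant default inside another option's line. A declaration of its own, `my_bool strict_password_validation= 1;` with `extern my_bool strict_password_validation;` in the header, keeps the default easy to find. It also leaves room for a short comment such as `/* reject pre-hashed passwords while a password validation plugin is enabled */`. Most of the neighbouring option flags carry an `opt_` prefix, so following that convention would be consistent, though it is optional.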
@@ -892,6 +892,17 @@ static bool validate_password(LEX_STRING *user, LEX_STRING *password) MariaDB_PASSWORD_VALIDATION_PLUGIN, &data); } +static my_bool check_if_exists(THD *, plugin_ref, void *) +{ + return TRUE; +} + +static bool has_validation_plugins() +{ + return plugin_foreach(NULL, check_if_exists, + MariaDB_PASSWORD_VALIDATION_PLUGIN, NULL); +} + /** Convert scrambled password to binary form, according to scramble type, Binary form is stored in user.salt. @@ -1020,6 +1031,14 @@ static bool fix_lex_user(THD *thd, LEX_USER *user) return true; } } + else + { + if (strict_password_validation && has_validation_plugins()) + { + my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--strict-password-validation"); + return true; + } + } if (user->password.length && !user->auth.length) { diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc index 6c1118e43ff..145948e381d 100644 --- a/sql/sys_vars.cc +++ b/sql/sys_vars.cc @@ -5077,3 +5077,10 @@ static Sys_var_mybool Sys_mysql56_temporal_format( "Use MySQL-5.6 (instead of MariaDB-5.3) format for TIME, DATETIME, TIMESTAMP columns.", GLOBAL_VAR(opt_mysql56_temporal_format), CMD_LINE(OPT_ARG), DEFAULT(TRUE), NO_MUTEX_GUARD, NOT_IN_BINLOG); + +static Sys_var_mybool Sys_strict_password_validation( + "strict_password_validation", + "When password validation plugins are enabled, reject passwords " + "that cannot be validated (passwords specified as a hash)", + GLOBAL_VAR(strict_password_validation), + CMD_LINE(OPT_ARG), DEFAULT(TRUE), NO_MUTEX_GUARD, NOT_IN_BINLOG);
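Review bot: `check_if_exists` and `has_validation_plugins` have no comments, and the unconditional `return TRUE;` reads like a stub unless the reader knows how `plugin_foreach` uses the callback result. A line such as `/* plugin_foreach() callback: any visited plugin counts, so report a match at once */` above `check_if_exists`, and `/* true if at least one password validation plugin is enabled */` above `has_validation_plugins`, would make the intent clear. If passing NULL for the THD argument is deliberate, the comment should say so. Both functions lie entirely inside this hunk.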
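Review bot: The new `else` branch in `fix_lex_user` rejects a hashed password for every caller, with no exemption for the replication applier, although `thd` is available at this point. If a replica with a validation plugin enabled receives account statements that carry hashes, which is presumably how they reach the binary log, it would stop with ER_OPTION_PREVENTS_STATEMENT under the default setting. Consider `if (!thd->slave_thread && strict_password_validation && has_validation_plugins())`, and document next to the option that restoring dumped grants needs the option switched off. The `if` that this `else` pairs with, and the rest of `fix_lex_user`, are outside the hunk, so this should be checked against the full function.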
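Review bot: The description of `strict_password_validation` does not say that only account statements are covered, although the test in this commit notes that direct updates of `mysql.user` are not protected; a sentence to that effect would stop operators from reading the option as a complete guarantee. The variable is also global and dynamic (`READ_ONLY NO` in the recorded output), so anyone allowed to set global variables can switch it off at runtime; if that is intended, the documentation should say so. In addition, all_vars.result now lists `strict_password_validation` under "there should be *no* variables listed below", which records a missing sys_vars test rather than adding one.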