From 8934794a7043d3d62422613df26df9b37e450e0b Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Tue, 25 Nov 2014 18:53:40 +0100
Subject: [PATCH] password validation function in sql_acl.cc
---
 .../plugins/r/simple_password_check.result | 31 +++++++++++++++
 .../plugins/t/simple_password_check.test | 39 +++++++++++++++++++
 sql/sql_acl.cc | 28 +++++++++++++
 3 files changed, 98 insertions(+)
diff --git a/mysql-test/suite/plugins/r/simple_password_check.result b/mysql-test/suite/plugins/r/simple_password_check.result
index c5e711ae35d..6682cc5bbbd 100644
--- a/mysql-test/suite/plugins/r/simple_password_check.result
+++ b/mysql-test/suite/plugins/r/simple_password_check.result
@@ -70,4 +70,35 @@ NUMERIC_BLOCK_SIZE 1 ENUM_VALUE_LIST NULL READ_ONLY NO COMMAND_LINE_ARGUMENT REQUIRED
+create user foo1 identified by 'pwd';
+ERROR HY000: Your password does not satisfy the current policy requirements
+grant select on *.* to foo1 identified by 'pwd';
+ERROR HY000: Your password does not satisfy the current policy requirements
+grant select on *.* to `FooBar1!` identified by 'FooBar1!';
+ERROR HY000: Your password does not satisfy the current policy requirements
+grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
+drop user `BarFoo1!`;
+create user foo1 identified by 'aA.12345';
+drop user foo1;
+set global simple_password_check_digits=3;
+set global simple_password_check_letters_same_case=3;
+set global simple_password_check_other_characters=3;
+show variables like 'simple_password_check_%';
+Variable_name Value
+simple_password_check_digits 3
+simple_password_check_letters_same_case 3
+simple_password_check_minimal_length 12
+simple_password_check_other_characters 3
+create user foo1 identified by '123:qwe:ASD!';
+drop user foo1;
+create user foo1 identified by '-23:qwe:ASD!';
+ERROR HY000: Your password does not satisfy the current policy requirements
+create user foo1 identified by '123:4we:ASD!';
+ERROR HY000: Your password does not satisfy the current policy requirements
+create user foo1 identified by '123:qwe:4SD!';
+ERROR HY000: Your password does not satisfy the current policy requirements
+create user foo1 identified by '123:qwe:ASD4';
+ERROR HY000: Your password does not satisfy the current policy requirements
 uninstall plugin simple_password_check;
+create user foo1 identified by 'pwd';
+drop user foo1;
diff --git a/mysql-test/suite/plugins/t/simple_password_check.test b/mysql-test/suite/plugins/t/simple_password_check.test
index 6cac4820fce..882fe0afe39 100644
--- a/mysql-test/suite/plugins/t/simple_password_check.test
+++ b/mysql-test/suite/plugins/t/simple_password_check.test
@@ -13,4 +13,43 @@ select * from information_schema.plugins where plugin_name='simple_password_chec select * from information_schema.system_variables where variable_name like 'simple_password_check%' order by 1; --horizontal_results
+--error ER_NOT_VALID_PASSWORD
+create user foo1 identified by 'pwd';
+
+--error ER_NOT_VALID_PASSWORD
+grant select on *.* to foo1 identified by 'pwd';
+
+--error ER_NOT_VALID_PASSWORD
+grant select on *.* to `FooBar1!` identified by 'FooBar1!';
+
+grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
+drop user `BarFoo1!`;
+
+create user foo1 identified by 'aA.12345';
+drop user foo1;
+
+set global simple_password_check_digits=3;
+set global simple_password_check_letters_same_case=3;
+set global simple_password_check_other_characters=3;
+show variables like 'simple_password_check_%';
+
+create user foo1 identified by '123:qwe:ASD!';
+drop user foo1;
+
+--error ER_NOT_VALID_PASSWORD
+create user foo1 identified by '-23:qwe:ASD!';
+
+--error ER_NOT_VALID_PASSWORD
+create user foo1 identified by '123:4we:ASD!';
+
+--error ER_NOT_VALID_PASSWORD
+create user foo1 identified by '123:qwe:4SD!';
+
+--error ER_NOT_VALID_PASSWORD
+create user foo1 identified by '123:qwe:ASD4';
+
 uninstall plugin simple_password_check;
+
+create user foo1 identified by 'pwd';
+drop user foo1;
+
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index c5e47d6633e..1a27fa8209b 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -47,6 +47,7 @@ #include "lock.h" // MYSQL_LOCK_IGNORE_TIMEOUT #include #include
+#include
 #include "sql_connect.h" #include "hostname.h" #include "sql_db.h"
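Review bot: Every case added to simple_password_check.test supplies IDENTIFIED BY, so the `!user->auth.length` arm of the new condition in fix_lex_user (reached with an empty password) is never exercised while the plugin is loaded. A `create user foo1;` case placed before `uninstall plugin`, with its expected outcome stated, would pin whether a passwordless account is meant to be rejected under the policy. SET PASSWORD is not exercised either; whether it passes through fix_lex_user is not visible in this patch, so it is worth confirming that a password changed later is held to the same policy.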
@@ -872,6 +873,24 @@ static void free_acl_role(ACL_ROLE *role) delete_dynamic(&(role->parent_grantee)); }
+struct validation_data { LEX_STRING *user, *password; };
+
+static my_bool do_validate(THD *, plugin_ref plugin, void *arg)
+{
+ struct validation_data *data= (struct validation_data *)arg;
+ struct st_mysql_password_validation *handler=
+ (st_mysql_password_validation *)plugin_decl(plugin)->info;
+ return handler->validate_password(data->user, data->password);
+}
+
+
+static bool validate_password(LEX_STRING *user, LEX_STRING *password)
+{
+ struct validation_data data= { user, password };
+ return plugin_foreach(NULL, do_validate,
+ MariaDB_PASSWORD_VALIDATION_PLUGIN, &data);
+}
+
 /** Convert scrambled password to binary form, according to scramble type, Binary form is stored in user.salt.
@@ -977,6 +996,15 @@ static bool fix_lex_user(THD *thd, LEX_USER *user) return true; }
+ if (user->password.length || !user->auth.length)
+ {
+ if (validate_password(&user->user, &user->password))
+ {
+ my_error(ER_NOT_VALID_PASSWORD, MYF(0));
+ return true;
+ }
+ }
+
 if (user->password.length) { size_t scramble_length;
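Review bot: In do_validate the plugin's result is returned through `my_bool`, so if `validate_password` in `st_mysql_password_validation` returns an `int` (its declaration is not in this hunk) and `my_bool` is a char-sized type, a non-zero code whose low byte is zero would be narrowed to 0 and the password accepted. Normalising at the boundary avoids that: `return handler->validate_password(data->user, data->password) != 0;`. The static `validate_password` also returns true when a plugin rejects the password, the opposite of what its name suggests. A comment such as `/* returns true if any password validation plugin rejects the password, false otherwise (also when none is loaded) */` would make the call site in fix_lex_user easier to audit.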
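Review bot: The condition `user->password.length || !user->auth.length` added to fix_lex_user has no comment, and its second arm hands the plugins an empty password whenever no authentication string was given. As far as this hunk shows, `user->password.str` is not checked for NULL before `&user->password` is passed on. A comment stating the intent would help, for example `/* validate a plaintext password, or the empty password of an account that has no auth string */`. It is also worth confirming that a GRANT naming an existing account without IDENTIFIED BY cannot reach this point with both lengths zero, because it would then fail with ER_NOT_VALID_PASSWORD while a validation plugin is loaded. fix_lex_user starts and ends outside the hunk.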