MDEV-9245 password "reuse prevention" validation plugin

2025-08-08 11:22:35 +03:00 · 2021-08-19 13:30:45 +02:00
parent 9d1a8665cb
commit bc82b6c03b
4 changed files with 379 additions and 0 deletions
--- a/mysql-test/suite/plugins/r/password_reuse_check.result
+++ b/mysql-test/suite/plugins/r/password_reuse_check.result
@@ -0,0 +1,71 @@
+install soname "password_reuse_check";
+set global password_reuse_check_interval= 0;
+# Default value (sould be unlimited i.e. 0)
+SHOW GLOBAL VARIABLES like "password_reuse_check%";
+Variable_name	Value
+password_reuse_check_interval	0
+# insert user
+grant select on *.* to user_name@localhost identified by 'test_pwd';
+grant select on *.* to user_name@localhost identified by 'test_pwd';
+ERROR HY000: Your password does not satisfy the current policy requirements
+show warnings;
+Level	Code	Message
+Error	1819	Your password does not satisfy the current policy requirements
+alter user user_name@localhost identified by 'test_pwd';
+ERROR HY000: Operation ALTER USER failed for 'user_name'@'localhost'
+show warnings;
+Level	Code	Message
+Error	1819	Your password does not satisfy the current policy requirements
+Error	1396	Operation ALTER USER failed for 'user_name'@'localhost'
+# check exparation
+set global password_reuse_check_interval= 10;
+alter user user_name@localhost identified by 'test_pwd';
+ERROR HY000: Operation ALTER USER failed for 'user_name'@'localhost'
+show warnings;
+Level	Code	Message
+Error	1819	Your password does not satisfy the current policy requirements
+Error	1396	Operation ALTER USER failed for 'user_name'@'localhost'
+select hex(hash) from mysql.password_reuse_check_history;
+hex(hash)
+6276C87127F2B65FC6B24E94E324A02FF0D393D7FB7DEAF6F5F49F0A8AB006711D5C6EF67E36A251AB6337E7E20D312F9ED66D70EB699A6EC85B1E0BC7F376C0
+# emulate old password
+update mysql.password_reuse_check_history set time= date_sub(now(), interval
+11 day);
+alter user user_name@localhost identified by 'test_pwd';
+show warnings;
+Level	Code	Message
+drop user user_name@localhost;
+show create table mysql.password_reuse_check_history;
+Table	Create Table
+password_reuse_check_history	CREATE TABLE `password_reuse_check_history` (
+  `hash` binary(64) NOT NULL,
+  `time` timestamp NOT NULL DEFAULT current_timestamp(),
+  PRIMARY KEY (`hash`),
+  KEY `tm` (`time`)
+) ENGINE=Aria DEFAULT CHARSET=latin1 PAGE_CHECKSUM=1
+select count(*) from mysql.password_reuse_check_history;
+count(*)
+1
+drop table mysql.password_reuse_check_history;
+# test error messages
+set global password_reuse_check_interval= 0;
+drop table if exists mysql.password_reuse_check_history;
+Warnings:
+Note	1051	Unknown table 'mysql.password_reuse_check_history'
+# test error messages
+create table mysql.password_reuse_check_history (wrong_structure int);
+grant select on *.* to user_name@localhost identified by 'test_pwd';
+ERROR HY000: Your password does not satisfy the current policy requirements
+show warnings;
+Level	Code	Message
+Warning	1105	password_reuse_check:[1054] Unknown column 'hash' in 'field list'
+Error	1819	Your password does not satisfy the current policy requirements
+set global password_reuse_check_interval= 10;
+grant select on *.* to user_name@localhost identified by 'test_pwd';
+ERROR HY000: Your password does not satisfy the current policy requirements
+show warnings;
+Level	Code	Message
+Warning	1105	password_reuse_check:[1054] Unknown column 'time' in 'where clause'
+Error	1819	Your password does not satisfy the current policy requirements
+drop table mysql.password_reuse_check_history;
+uninstall plugin password_reuse_check;
--- a/mysql-test/suite/plugins/t/password_reuse_check.test
+++ b/mysql-test/suite/plugins/t/password_reuse_check.test
@@ -0,0 +1,73 @@
+--source include/not_embedded.inc
+
+if (!$PASSWORD_REUSE_CHECK_SO) {
+  skip No PASSWORD_REUSE_CHECK plugin;
+}
+
+install soname "password_reuse_check";
+
+set global password_reuse_check_interval= 0;
+
+--echo # Default value (sould be unlimited i.e. 0)
+SHOW GLOBAL VARIABLES like "password_reuse_check%";
+
+--echo # insert user
+grant select on *.* to user_name@localhost identified by 'test_pwd';
+
+--error ER_NOT_VALID_PASSWORD
+grant select on *.* to user_name@localhost identified by 'test_pwd';
+show warnings;
+
+--error ER_CANNOT_USER
+alter user user_name@localhost identified by 'test_pwd';
+show warnings;
+
+# Plugin does not work for it
+#--error ER_NOT_VALID_PASSWORD
+#SET PASSWORD FOR user_name@localhost = PASSWORD('test_pwd');
+
+--echo # check exparation
+
+set global password_reuse_check_interval= 10;
+
+--error ER_CANNOT_USER
+alter user user_name@localhost identified by 'test_pwd';
+show warnings;
+select hex(hash) from mysql.password_reuse_check_history;
+
+--echo # emulate old password
+update mysql.password_reuse_check_history set time= date_sub(now(), interval
+11 day);
+
+alter user user_name@localhost identified by 'test_pwd';
+show warnings;
+
+drop user user_name@localhost;
+
+show create table mysql.password_reuse_check_history;
+select count(*) from mysql.password_reuse_check_history;
+
+drop table mysql.password_reuse_check_history;
+
+--echo # test error messages
+
+set global password_reuse_check_interval= 0;
+
+drop table if exists mysql.password_reuse_check_history;
+
+--echo # test error messages
+
+create table mysql.password_reuse_check_history (wrong_structure int);
+
+--error ER_NOT_VALID_PASSWORD
+grant select on *.* to user_name@localhost identified by 'test_pwd';
+show warnings;
+
+set global password_reuse_check_interval= 10;
+
+--error ER_NOT_VALID_PASSWORD
+grant select on *.* to user_name@localhost identified by 'test_pwd';
+show warnings;
+
+drop table mysql.password_reuse_check_history;
+uninstall plugin password_reuse_check;