From fd7569ea6b3ca283ac1afc7da4170ac8c2411da9 Mon Sep 17 00:00:00 2001
From: Daniel Black <daniel@mariadb.org>
Date: Wed, 4 Nov 2020 13:39:38 +1100
Subject: [PATCH] MDEV-24098: SHOW CREATE USER invalid for both PASSWORD and
 LOCKED

The parser of CREATE USER accepts ACCOUNT LOCK before PASSWORD
EXPIRE but not the other way around.

This just changes the SHOW CREATE USER to output a sql syntax that
is valid.

Thanks to Robert Bindar for analysis.
---
 mysql-test/main/lock_user.result | 8 ++++++++
 mysql-test/main/lock_user.test   | 7 +++++++
 sql/sql_acl.cc                   | 6 +++---
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/mysql-test/main/lock_user.result b/mysql-test/main/lock_user.result
index 5048c5a9bee..a0d2b40572c 100644
--- a/mysql-test/main/lock_user.result
+++ b/mysql-test/main/lock_user.result
@@ -130,5 +130,13 @@ connection default;
 #
 alter user user1@localhost account lock;
 ERROR HY000: Access denied, this account is locked
+#
+# MDEV-24098 SHOW CREATE USER invalid for both PASSWORD EXPIRE and
+# and LOCKED
+#
+alter user user1@localhost PASSWORD EXPIRE;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER `user1`@`localhost` ACCOUNT LOCK PASSWORD EXPIRE
 drop user user1@localhost;
 drop user user2@localhost;
diff --git a/mysql-test/main/lock_user.test b/mysql-test/main/lock_user.test
index 17ce1cc79da..504c6c5ac10 100644
--- a/mysql-test/main/lock_user.test
+++ b/mysql-test/main/lock_user.test
@@ -137,6 +137,13 @@ alter user user1@localhost account lock;
 --error ER_ACCOUNT_HAS_BEEN_LOCKED
 --change_user user1
 
+--echo #
+--echo # MDEV-24098 SHOW CREATE USER invalid for both PASSWORD EXPIRE and
+--echo # and LOCKED
+--echo #
+alter user user1@localhost PASSWORD EXPIRE;
+show create user user1@localhost;
+
 drop user user1@localhost;
 drop user user2@localhost;
 
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 86cea04f91e..57e8411b084 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -8950,6 +8950,9 @@ bool mysql_show_create_user(THD *thd, LEX_USER *lex_user)
   append_identifier(thd, &result, username, strlen(username));
   add_user_parameters(thd, &result, acl_user, false);
 
+  if (acl_user->account_locked)
+    result.append(STRING_WITH_LEN(" ACCOUNT LOCK"));
+
   if (acl_user->password_expired)
     result.append(STRING_WITH_LEN(" PASSWORD EXPIRE"));
   else if (!acl_user->password_lifetime)
@@ -8961,9 +8964,6 @@ bool mysql_show_create_user(THD *thd, LEX_USER *lex_user)
     result.append(STRING_WITH_LEN(" DAY"));
   }
 
-  if (acl_user->account_locked)
-    result.append(STRING_WITH_LEN(" ACCOUNT LOCK"));
-
   protocol->prepare_for_resend();
   protocol->store(result.ptr(), result.length(), result.charset());
   if (protocol->write())