Commit 8934794a authored by Sergei Golubchik's avatar Sergei Golubchik

password validation function in sql_acl.cc

parent c98b2b39
...@@ -70,4 +70,35 @@ NUMERIC_BLOCK_SIZE 1 ...@@ -70,4 +70,35 @@ NUMERIC_BLOCK_SIZE 1
ENUM_VALUE_LIST NULL ENUM_VALUE_LIST NULL
READ_ONLY NO READ_ONLY NO
COMMAND_LINE_ARGUMENT REQUIRED COMMAND_LINE_ARGUMENT REQUIRED
create user foo1 identified by 'pwd';
ERROR HY000: Your password does not satisfy the current policy requirements
grant select on *.* to foo1 identified by 'pwd';
ERROR HY000: Your password does not satisfy the current policy requirements
grant select on *.* to `FooBar1!` identified by 'FooBar1!';
ERROR HY000: Your password does not satisfy the current policy requirements
grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
drop user `BarFoo1!`;
create user foo1 identified by 'aA.12345';
drop user foo1;
set global simple_password_check_digits=3;
set global simple_password_check_letters_same_case=3;
set global simple_password_check_other_characters=3;
show variables like 'simple_password_check_%';
Variable_name Value
simple_password_check_digits 3
simple_password_check_letters_same_case 3
simple_password_check_minimal_length 12
simple_password_check_other_characters 3
create user foo1 identified by '123:qwe:ASD!';
drop user foo1;
create user foo1 identified by '-23:qwe:ASD!';
ERROR HY000: Your password does not satisfy the current policy requirements
create user foo1 identified by '123:4we:ASD!';
ERROR HY000: Your password does not satisfy the current policy requirements
create user foo1 identified by '123:qwe:4SD!';
ERROR HY000: Your password does not satisfy the current policy requirements
create user foo1 identified by '123:qwe:ASD4';
ERROR HY000: Your password does not satisfy the current policy requirements
uninstall plugin simple_password_check; uninstall plugin simple_password_check;
create user foo1 identified by 'pwd';
drop user foo1;
...@@ -13,4 +13,43 @@ select * from information_schema.plugins where plugin_name='simple_password_chec ...@@ -13,4 +13,43 @@ select * from information_schema.plugins where plugin_name='simple_password_chec
select * from information_schema.system_variables where variable_name like 'simple_password_check%' order by 1; select * from information_schema.system_variables where variable_name like 'simple_password_check%' order by 1;
--horizontal_results --horizontal_results
--error ER_NOT_VALID_PASSWORD
create user foo1 identified by 'pwd';
--error ER_NOT_VALID_PASSWORD
grant select on *.* to foo1 identified by 'pwd';
--error ER_NOT_VALID_PASSWORD
grant select on *.* to `FooBar1!` identified by 'FooBar1!';
grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
drop user `BarFoo1!`;
create user foo1 identified by 'aA.12345';
drop user foo1;
set global simple_password_check_digits=3;
set global simple_password_check_letters_same_case=3;
set global simple_password_check_other_characters=3;
show variables like 'simple_password_check_%';
create user foo1 identified by '123:qwe:ASD!';
drop user foo1;
--error ER_NOT_VALID_PASSWORD
create user foo1 identified by '-23:qwe:ASD!';
--error ER_NOT_VALID_PASSWORD
create user foo1 identified by '123:4we:ASD!';
--error ER_NOT_VALID_PASSWORD
create user foo1 identified by '123:qwe:4SD!';
--error ER_NOT_VALID_PASSWORD
create user foo1 identified by '123:qwe:ASD4';
uninstall plugin simple_password_check; uninstall plugin simple_password_check;
create user foo1 identified by 'pwd';
drop user foo1;
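Review bot: Every added case uses `identified by '<plain text>'`, so the `!user->auth.length` half of the new condition in sql_acl.cc is never exercised. While the plugin is loaded, add a case with no password at all, `--error ER_NOT_VALID_PASSWORD` followed by `create user foo1;`, which the policy would be expected to reject. A second case that supplies a pre-hashed credential would pin down whether that form is meant to be exempt from the policy or refused. Without these two cases a later change to the guard could silently widen or narrow what is validated.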
...@@ -47,6 +47,7 @@ ...@@ -47,6 +47,7 @@
#include "lock.h" // MYSQL_LOCK_IGNORE_TIMEOUT #include "lock.h" // MYSQL_LOCK_IGNORE_TIMEOUT
#include <sql_common.h> #include <sql_common.h>
#include <mysql/plugin_auth.h> #include <mysql/plugin_auth.h>
#include <mysql/plugin_password_validation.h>
#include "sql_connect.h" #include "sql_connect.h"
#include "hostname.h" #include "hostname.h"
#include "sql_db.h" #include "sql_db.h"
...@@ -872,6 +873,24 @@ static void free_acl_role(ACL_ROLE *role) ...@@ -872,6 +873,24 @@ static void free_acl_role(ACL_ROLE *role)
delete_dynamic(&(role->parent_grantee)); delete_dynamic(&(role->parent_grantee));
} }
struct validation_data { LEX_STRING *user, *password; };
static my_bool do_validate(THD *, plugin_ref plugin, void *arg)
{
struct validation_data *data= (struct validation_data *)arg;
struct st_mysql_password_validation *handler=
(st_mysql_password_validation *)plugin_decl(plugin)->info;
return handler->validate_password(data->user, data->password);
}
static bool validate_password(LEX_STRING *user, LEX_STRING *password)
{
struct validation_data data= { user, password };
return plugin_foreach(NULL, do_validate,
MariaDB_PASSWORD_VALIDATION_PLUGIN, &data);
}
/** /**
Convert scrambled password to binary form, according to scramble type, Convert scrambled password to binary form, according to scramble type,
Binary form is stored in user.salt. Binary form is stored in user.salt.
...@@ -977,6 +996,15 @@ static bool fix_lex_user(THD *thd, LEX_USER *user) ...@@ -977,6 +996,15 @@ static bool fix_lex_user(THD *thd, LEX_USER *user)
return true; return true;
} }
if (user->password.length || !user->auth.length)
{
if (validate_password(&user->user, &user->password))
{
my_error(ER_NOT_VALID_PASSWORD, MYF(0));
return true;
}
}
if (user->password.length) if (user->password.length)
{ {
size_t scramble_length; size_t scramble_length;
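Review bot: The new guard in fix_lex_user(), `if (user->password.length || !user->auth.length)`, skips validate_password() whenever only `user->auth` is set, so an account given a pre-hashed credential appears never to be checked against the installed policy plugins. A hash cannot be validated, so either refuse that form while a validation plugin is loaded or state the exemption next to the guard, e.g. `/* pre-hashed credentials cannot be checked; the policy covers plain-text passwords only */`. When the guard is entered through `!user->auth.length`, the plugin receives an empty password whose `str` may be NULL (not visible here); pass an empty string instead, or document that plugins must rely on `length`. do_validate() and validate_password() also lack a comment saying that a true return means "rejected", which is the reverse of what the name validate_password suggests. fix_lex_user() starts and ends outside the hunk.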