MDEV-27341 Use SET PASSWORD to change PAM service

SET PASSWORD = PASSWORD('foo') would fail for pam plugin with ERROR HY000: SET PASSWORD is ignored for users authenticating via pam plugin but SET PASSWORD = 'foo' would not. Now it will.

MDEV-27341 Use SET PASSWORD to change PAM service
SET PASSWORD = PASSWORD('foo') would fail for pam plugin with ERROR HY000: SET PASSWORD is ignored for users authenticating via pam plugin but SET PASSWORD = 'foo' would not. Now it will.
7b555ff2 · Sergei Golubchik · da76d25a · 7b555ff2 · 7b555ff2 · 7b555ff2
Commit 7b555ff2 authored Jan 05, 2022 by Sergei Golubchik
4 changed files
--- a/include/mysql/plugin_auth.h
+++ b/include/mysql/plugin_auth.h
@@ -147,7 +147,8 @@ struct st_mysql_auth

    @return 0 for ok, 1 for error

-    Can be NULL.
+    Can be NULL, in this case one will not be able to use SET PASSWORD or
+    PASSWORD('...') in GRANT, CREATE USER, ALTER USER.
  */
  int (*hash_password)(const char *password, size_t password_length,
                       char *hash, size_t *hash_length);

--- a/mysql-test/suite/plugins/r/pam.result
+++ b/mysql-test/suite/plugins/r/pam.result
@@ -91,4 +91,21 @@ select user(), current_user(), database();
 user()	current_user()	database()
 PAM_TEST@localhost	PAM_TEST@%	test
 drop user PAM_TEST;
+#
+# MDEV-27341 Use SET PASSWORD to change PAM service
+#
+create user pam_test identified via pam using 'mariadb_mtr';
+Challenge input first.
+Enter: *************************
+Now, the magic number!
+PIN: 9225
+select user(), current_user(), database();
+user()	current_user()	database()
+pam_test@localhost	pam_test@%	test
+set password='foo';
+ERROR HY000: SET PASSWORD is ignored for users authenticating via pam plugin
+show create user;
+CREATE USER for pam_test@%
+CREATE USER `pam_test`@`%` IDENTIFIED VIA pam USING 'mariadb_mtr'
+drop user pam_test;
 uninstall plugin pam;
--- a/mysql-test/suite/plugins/t/pam.test
+++ b/mysql-test/suite/plugins/t/pam.test
@@ -45,7 +45,6 @@ EOF
 --echo #
 --echo # athentication is successful
 --echo #
--error 0
 --exec $MYSQL_TEST -u test_pam -pgoodpassword --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good2.txt

 --echo #
@@ -106,6 +105,22 @@ set global pam_winbind_workaround=1;
 --remove_file $MYSQLTEST_VARDIR/tmp/pam_ugly.txt
 drop user PAM_TEST;

+--echo #
+--echo # MDEV-27341 Use SET PASSWORD to change PAM service
+--echo #
+create user pam_test identified via pam using 'mariadb_mtr';
+--write_file $MYSQLTEST_VARDIR/tmp/setpwd.txt
+not very secret challenge
+9225
+select user(), current_user(), database();
+error ER_SET_PASSWORD_AUTH_PLUGIN;
+set password='foo';
+show create user;
+EOF
+--exec $MYSQL_TEST -u pam_test < $MYSQLTEST_VARDIR/tmp/setpwd.txt
+--remove_file $MYSQLTEST_VARDIR/tmp/setpwd.txt
+drop user pam_test;
+
 let $count_sessions= 1;
 --source include/wait_until_count_sessions.inc
 uninstall plugin pam;
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -2135,6 +2135,12 @@ static int set_user_auth(THD *thd, const LEX_CSTRING &user,
    goto end;
  }

+  if (thd->lex->sql_command == SQLCOM_SET_OPTION && !info->hash_password)
+  {
+    res= ER_SET_PASSWORD_AUTH_PLUGIN;
+    goto end;
+  }
+
  if (info->hash_password &&
      validate_password(thd, user, pwtext, auth->auth_string.length))
  {