password validation function in sql_acl.cc

8934794a · Sergei Golubchik · c98b2b39 · 8934794a · 8934794a · 8934794a
Commit 8934794a authored Nov 25, 2014 by Sergei Golubchik
3 changed files
--- a/mysql-test/suite/plugins/r/simple_password_check.result
+++ b/mysql-test/suite/plugins/r/simple_password_check.result
@@ -70,4 +70,35 @@ NUMERIC_BLOCK_SIZE	1
 ENUM_VALUE_LIST	NULL
 READ_ONLY	NO
 COMMAND_LINE_ARGUMENT	REQUIRED
+create user foo1 identified by 'pwd';
+ERROR HY000: Your password does not satisfy the current policy requirements
+grant select on *.* to foo1 identified by 'pwd';
+ERROR HY000: Your password does not satisfy the current policy requirements
+grant select on *.* to `FooBar1!` identified by 'FooBar1!';
+ERROR HY000: Your password does not satisfy the current policy requirements
+grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
+drop user `BarFoo1!`;
+create user foo1 identified by 'aA.12345';
+drop user foo1;
+set global simple_password_check_digits=3;
+set global simple_password_check_letters_same_case=3;
+set global simple_password_check_other_characters=3;
+show variables like 'simple_password_check_%';
+Variable_name	Value
+simple_password_check_digits	3
+simple_password_check_letters_same_case	3
+simple_password_check_minimal_length	12
+simple_password_check_other_characters	3
+create user foo1 identified by '123:qwe:ASD!';
+drop user foo1;
+create user foo1 identified by '-23:qwe:ASD!';
+ERROR HY000: Your password does not satisfy the current policy requirements
+create user foo1 identified by '123:4we:ASD!';
+ERROR HY000: Your password does not satisfy the current policy requirements
+create user foo1 identified by '123:qwe:4SD!';
+ERROR HY000: Your password does not satisfy the current policy requirements
+create user foo1 identified by '123:qwe:ASD4';
+ERROR HY000: Your password does not satisfy the current policy requirements
 uninstall plugin simple_password_check;
+create user foo1 identified by 'pwd';
+drop user foo1;
--- a/mysql-test/suite/plugins/t/simple_password_check.test
+++ b/mysql-test/suite/plugins/t/simple_password_check.test
@@ -13,4 +13,43 @@ select * from information_schema.plugins where plugin_name='simple_password_chec
 select * from information_schema.system_variables where variable_name like 'simple_password_check%' order by 1;
 --horizontal_results

+--error ER_NOT_VALID_PASSWORD
+create user foo1 identified by 'pwd';
+
+--error ER_NOT_VALID_PASSWORD
+grant select on *.* to foo1 identified by 'pwd';
+
+--error ER_NOT_VALID_PASSWORD
+grant select on *.* to `FooBar1!` identified by 'FooBar1!';
+
+grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
+drop user `BarFoo1!`;
+
+create user foo1 identified by 'aA.12345';
+drop user foo1;
+
+set global simple_password_check_digits=3;
+set global simple_password_check_letters_same_case=3;
+set global simple_password_check_other_characters=3;
+show variables like 'simple_password_check_%';
+
+create user foo1 identified by '123:qwe:ASD!';
+drop user foo1;
+
+--error ER_NOT_VALID_PASSWORD
+create user foo1 identified by '-23:qwe:ASD!';
+
+--error ER_NOT_VALID_PASSWORD
+create user foo1 identified by '123:4we:ASD!';
+
+--error ER_NOT_VALID_PASSWORD
+create user foo1 identified by '123:qwe:4SD!';
+
+--error ER_NOT_VALID_PASSWORD
+create user foo1 identified by '123:qwe:ASD4';
+
 uninstall plugin simple_password_check;
+
+create user foo1 identified by 'pwd';
+drop user foo1;
+
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -47,6 +47,7 @@
 #include "lock.h"                               // MYSQL_LOCK_IGNORE_TIMEOUT
 #include <sql_common.h>
 #include <mysql/plugin_auth.h>
+#include <mysql/plugin_password_validation.h>
 #include "sql_connect.h"
 #include "hostname.h"
 #include "sql_db.h"
@@ -872,6 +873,24 @@ static void free_acl_role(ACL_ROLE *role)
  delete_dynamic(&(role->parent_grantee));
 }

+struct validation_data { LEX_STRING *user, *password; };
+
+static my_bool do_validate(THD *, plugin_ref plugin, void *arg)
+{
+  struct validation_data *data= (struct validation_data *)arg;
+  struct st_mysql_password_validation *handler=
+    (st_mysql_password_validation *)plugin_decl(plugin)->info;
+  return handler->validate_password(data->user, data->password);
+}
+
+
+static bool validate_password(LEX_STRING *user, LEX_STRING *password)
+{
+  struct validation_data data= { user, password };
+  return plugin_foreach(NULL, do_validate,
+                        MariaDB_PASSWORD_VALIDATION_PLUGIN, &data);
+}
+
 /**
  Convert scrambled password to binary form, according to scramble type,
  Binary form is stored in user.salt.
@@ -977,6 +996,15 @@ static bool fix_lex_user(THD *thd, LEX_USER *user)
    return true;
  }

+  if (user->password.length || !user->auth.length)
+  {
+    if (validate_password(&user->user, &user->password))
+    {
+      my_error(ER_NOT_VALID_PASSWORD, MYF(0));
+      return true;
+    }
+  }
+
  if (user->password.length)
  {
    size_t scramble_length;