######################## t/grant_alter_user_qa.test ###################################
# Testing CREATE/ALTER/GRANT USER new syntax and                                      #
# new variable "log-builtin-as-identified-by-password" default value "OFF"         #
#                                                                                     #
# Test for WL#6409                                                                    #
# Created : 2014-12-15                                                                #
# Modified: 2014-02-02  WL#6054                                                       #
# Author  : Lalit Choudhary                                                           #
#######################################################################################

# Save the initial number of concurrent sessions
--source include/count_sessions.inc
--source include/have_plugin_auth.inc
--source include/have_log_bin.inc
--echo #
--echo # WL#6409: CREATE/ALTER USER
--echo #

call mtr.add_suppression("\\[Warning\\] \\[[^]]*\\] Server shutdown in progress");

# Official builds include separate debug enabled plugins to be used by
# the debug enabled server. But the non-debug *client* should not use them.

let PLUGIN_AUTH_OPT=`SELECT TRIM(TRAILING '/debug' FROM '$PLUGIN_AUTH_OPT')`;

--echo # CREATE USER
--echo
CREATE USER user1;
query_vertical SELECT host,user,plugin FROM mysql.user
WHERE USER='user1';

--echo
--error ER_PARSE_ERROR
CREATE USER user3@%;

# Sequence of the attributes. provide password first and auth_plugin later on
--error ER_PARSE_ERROR
CREATE USER user3@localhost BY 'auth_string' WITH 'sha_256_password';

CREATE USER "user2"@'%';
query_vertical SELECT host,user,plugin FROM mysql.user
WHERE USER='user2';

# IDENTIFIED WITH 'mysql_native_password' AS with plaintest
--error ER_PASSWORD_FORMAT
CREATE USER user9@localhost IDENTIFIED WITH 'mysql_native_password' AS 'auth_string';
--echo
# IDENTIFIED WITH 'mysql_native_password' AS with hash_string password
CREATE USER user10@localhost
            IDENTIFIED WITH 'caching_sha2_password' AS '$A$005$ABCDEFGHIJKLMNOPQRSTabcdefgh01234567ijklmnop89012345ABCDEFGH678';

--echo
CREATE USER u1@localhost;
query_vertical SELECT User,plugin FROM mysql.user
WHERE USER='u1';

CREATE USER u2@localhost IDENTIFIED BY 'auth_string';
query_vertical SELECT User,plugin FROM mysql.user
WHERE USER='u2';

--echo
--error ER_PARSE_ERROR
CREATE USER user5@localhost IDENTIFIED  AS 'auth_string';

CREATE USER u3@localhost IDENTIFIED WITH 'sha256_password';
query_vertical SELECT User,plugin FROM mysql.user
WHERE USER='u3';

CREATE USER u4@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string';
query_vertical SELECT User,plugin FROM mysql.user
WHERE USER='u4';

# Testing connection
--connect(con1, localhost, u4,'auth_string',,,,SSL)
SELECT USER();
connection default;
disconnect con1;

--echo
CREATE USER user4@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string';
query_vertical SELECT User,plugin FROM mysql.user
WHERE USER='user4';
--echo
CREATE USER user6@localhost IDENTIFIED WITH 'mysql_native_password';
query_vertical SELECT User,plugin FROM mysql.user
WHERE USER='user6';
--echo
CREATE USER user7@localhost
            IDENTIFIED WITH 'mysql_native_password' BY 'auth_string#%y';
query_vertical SELECT User,plugin FROM mysql.user
WHERE USER='user7';
--echo
# Testing connection
--connect(con1, localhost, user7, 'auth_string#%y')
SELECT USER();
connection default;
disconnect con1;

CREATE USER user8@localhost
            IDENTIFIED WITH 'mysql_native_password'
            AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF'
            PASSWORD EXPIRE NEVER;
query_vertical SELECT User,plugin,password_expired,
password_lifetime FROM mysql.user WHERE USER='user8';

# Testing connection
--connect(con1, localhost, user8,'auth_string')
SELECT USER();
connection default;
disconnect con1;

--echo # Tesing with test_plugin_server plugin
CREATE USER tu1@localhost IDENTIFIED WITH 'test_plugin_server';
query_vertical SELECT User,plugin,password_expired,
password_expired FROM mysql.user WHERE USER='tu1';

CREATE USER tu2@localhost IDENTIFIED WITH 'test_plugin_server'
            BY 'auth_@13*' PASSWORD EXPIRE;
query_vertical SELECT User,plugin,password_expired
FROM mysql.user WHERE USER='tu2';

--echo
CREATE USER tu3@localhost IDENTIFIED WITH 'test_plugin_server' AS '%auth_O0s-tring';
query_vertical SELECT User,plugin,password_expired
FROM mysql.user WHERE USER='tu3';

--echo
CREATE USER u5@localhost REQUIRE SSL;
query_vertical SELECT User,plugin,ssl_type
FROM mysql.user WHERE USER='u5';

CREATE USER u6@localhost IDENTIFIED BY 'auth_string' REQUIRE X509;
query_vertical SELECT User,plugin,ssl_type
FROM mysql.user WHERE USER='u6';

CREATE USER tu4@localhost IDENTIFIED WITH 'test_plugin_server' BY 'djgsj743$'
                          REQUIRE SSL;
query_vertical SELECT User,plugin,ssl_type
FROM mysql.user WHERE USER='tu4';

CREATE USER tu5@localhost IDENTIFIED WITH 'test_plugin_server' AS 'dwh@#ghd$!'
                          REQUIRE X509;
query_vertical SELECT User,plugin,ssl_type
FROM mysql.user WHERE USER='tu5';

CREATE USER u7@localhost IDENTIFIED WITH 'sha256_password' REQUIRE CIPHER 'cipher';
query_vertical SELECT User,plugin,ssl_type,ssl_cipher,
x509_issuer,x509_subject FROM mysql.user WHERE USER='u7';

CREATE USER u8@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
REQUIRE ISSUER '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA'
PASSWORD EXPIRE NEVER;
query_vertical SELECT User,plugin,ssl_type,ssl_cipher,x509_issuer,
x509_subject,password_expired,password_lifetime FROM mysql.user WHERE USER='u8';

# Testing connection
--connect(con1, localhost, u8,'auth_string',,,,SSL)
SELECT USER();
connection default;
disconnect con1;

CREATE USER u9@localhost REQUIRE SUBJECT 'sub';
query_vertical SELECT User,plugin,ssl_type,ssl_cipher,
x509_issuer,x509_subject FROM mysql.user WHERE USER='u9';

CREATE USER u10@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string#y'
REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
PASSWORD EXPIRE DEFAULT;
query_vertical SELECT User,plugin,ssl_type,ssl_cipher,x509_issuer,
x509_subject,password_expired,password_lifetime FROM mysql.user WHERE USER='u10';

# Testing connection
--connect(con1, localhost, u10,'auth_string#y',,,,SSL)
SELECT USER();
connection default;
disconnect con1;

CREATE USER tu6@localhost IDENTIFIED WITH 'test_plugin_server' AS '#hGrt0O6'
REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
WITH MAX_QUERIES_PER_HOUR 2 MAX_USER_CONNECTIONS 2;
query_vertical SELECT User,plugin,ssl_type,ssl_cipher,x509_issuer,
x509_subject,max_questions,max_user_connections FROM mysql.user WHERE USER='tu6';

CREATE USER u11@localhost WITH MAX_QUERIES_PER_HOUR 2;
query_vertical SELECT User,plugin,max_questions
FROM mysql.user WHERE USER='u11';

CREATE USER u12@localhost IDENTIFIED BY 'auth_string'
                          WITH MAX_QUERIES_PER_HOUR 2 PASSWORD EXPIRE NEVER;
query_vertical SELECT User,plugin,max_questions,
password_expired,password_lifetime FROM mysql.user WHERE USER='u12';

CREATE USER u13@localhost IDENTIFIED WITH 'sha256_password'
                          WITH MAX_CONNECTIONS_PER_HOUR 2;
query_vertical SELECT User,plugin,max_connections
FROM mysql.user WHERE USER='u13';

CREATE USER u14@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
                          WITH MAX_USER_CONNECTIONS 2  PASSWORD EXPIRE INTERVAL 999 DAY;
query_vertical SELECT User,plugin,max_user_connections,
password_expired,password_lifetime FROM mysql.user WHERE USER='u14';

CREATE USER u15@localhost,
            u16@localhost IDENTIFIED BY 'auth_string',
            u17@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string';
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,password_lifetime
FROM mysql.user WHERE USER='u15';
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,password_lifetime
FROM mysql.user WHERE USER='u16';
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,password_lifetime
FROM mysql.user WHERE USER='u17';

CREATE USER u18@localhost,
            u19@localhost IDENTIFIED BY 'auth_string',
            u20@localhost IDENTIFIED WITH 'sha256_password',
            u21@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string',
            u22@localhost IDENTIFIED WITH 'test_plugin_server',
            u23@localhost IDENTIFIED WITH 'mysql_native_password' BY 'auth_&string'
            REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client'
            WITH MAX_QUERIES_PER_HOUR 2 MAX_USER_CONNECTIONS 2;
query_vertical SELECT User,plugin,ssl_type,ssl_cipher,
x509_issuer,x509_subject,max_questions,max_user_connections,password_expired,
password_lifetime FROM mysql.user WHERE USER='u18';
query_vertical SELECT User,plugin,ssl_type,ssl_cipher,
x509_issuer,x509_subject,max_questions,max_user_connections,password_expired,
password_lifetime FROM mysql.user WHERE USER='u19';
query_vertical SELECT User,plugin,ssl_type,ssl_cipher,
x509_issuer,x509_subject,max_questions,max_user_connections,password_expired,
password_lifetime FROM mysql.user WHERE USER='u20';
query_vertical SELECT User,plugin,ssl_type,ssl_cipher,
x509_issuer,x509_subject,max_questions,max_user_connections,password_expired,
password_lifetime FROM mysql.user WHERE USER='u21';
query_vertical SELECT User,plugin,ssl_type,ssl_cipher,
x509_issuer,x509_subject,max_questions,max_user_connections,password_expired,
password_lifetime FROM mysql.user WHERE USER='u22';
query_vertical SELECT User,plugin,ssl_type,ssl_cipher,
x509_issuer,x509_subject,max_questions,max_user_connections,password_expired,
password_lifetime FROM mysql.user WHERE USER='u23';

DROP USER tu1@localhost,tu2@localhost,tu3@localhost,tu4@localhost,tu5@localhost,
          tu6@localhost,user1@'%',user2@'%',user4@localhost,user6@localhost,
          user7@localhost,user8@localhost,user10@localhost,u1@localhost,u2@localhost,
          u3@localhost,u4@localhost,u5@localhost,u6@localhost,u7@localhost,u8@localhost,
          u9@localhost,u10@localhost,u11@localhost,u12@localhost,u13@localhost,
          u14@localhost,u15@localhost,u16@localhost,u17@localhost,u18@localhost,
          u19@localhost,u20@localhost,u21@localhost,u22@localhost,u23@localhost;

--echo # ALTER USER

CREATE USER u1@localhost;
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime
FROM mysql.user WHERE USER='u1';

--echo # Its a no op
ALTER USER u1@localhost;
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime
FROM mysql.user WHERE USER='u1';

CREATE USER u2@localhost IDENTIFIED WITH 'mysql_native_password';
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u2';
ALTER USER u2@localhost IDENTIFIED WITH 'mysql_native_password' PASSWORD EXPIRE NEVER;
# Look for auth_string and password last changed field
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u2';

# Testing connection
--connect(con1, localhost, u2)
--error ER_MUST_CHANGE_PASSWORD
SELECT USER();
--disable_ps_protocol
ALTER USER USER() IDENTIFIED BY 'abc';
--enable_ps_protocol
connection default;
disconnect con1;
--echo
CREATE USER u3@localhost IDENTIFIED WITH 'sha256_password';
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u3';

ALTER USER u3@localhost IDENTIFIED WITH 'mysql_native_password'
                        AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF';
# Look for plugin,auth_string and password expired field
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u3';

# Testing connection
--connect(con1, localhost, u3, 'auth_string')
SELECT USER();
connection default;
disconnect con1;

ALTER USER u3@localhost IDENTIFIED WITH 'test_plugin_server' BY 'auth_string';
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u3';

ALTER USER u3@localhost
           REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client'
           WITH MAX_QUERIES_PER_HOUR 2 MAX_USER_CONNECTIONS 2
           PASSWORD EXPIRE NEVER;
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u3';

CREATE USER u4@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string';
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u4';
ALTER USER u4@localhost IDENTIFIED WITH 'mysql_native_password' BY 'auth_string';
# Look for plugin,auth_string field
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u4';

CREATE USER u5@localhost REQUIRE SSL;
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u5';

ALTER USER u5@localhost IDENTIFIED WITH 'sha256_password';
# Look for plugin,auth_string, password expired field
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u5';

# Testing connection
--connect(con1, localhost, u5,,,,,SSL)
SET PASSWORD='new_auth_string';
SELECT USER();
connection default;
disconnect con1;

CREATE USER u6@localhost IDENTIFIED BY 'auth_string' REQUIRE X509;
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u6';
ALTER USER u6@localhost IDENTIFIED WITH 'test_plugin_server'
                        AS 'new_auth_string' REQUIRE SSL;
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u6';

CREATE USER u7@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
                         REQUIRE CIPHER 'ECDHE-RSA-AES128-GCM-SHA256';
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u7';
ALTER USER u7@localhost IDENTIFIED WITH 'sha256_password' BY 'new_auth_string'
                        REQUIRE ISSUER '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA';
# Look for plugin,auth_string, password expired, SSL type field
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u7';

# Testing connection
--connect(con1, localhost, u7,'new_auth_string',,,,SSL)
SELECT USER();
connection default;
disconnect con1;

CREATE USER u8@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
                         REQUIRE ISSUER '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA';
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u8';
ALTER USER u8@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
                        REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256";
# Look for plugin,auth_string, password expired, SSL fields
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u8';
# Testing connection
--connect(con1, localhost, u8,'auth_string',,,,SSL)
SELECT USER();
connection default;
disconnect con1;

CREATE USER tu1@localhost IDENTIFIED WITH 'mysql_native_password'
                          BY 'auth_string' REQUIRE ISSUER 'issuer';
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='tu1';
ALTER USER tu1@localhost IDENTIFIED WITH 'sha256_password'
                         REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256";
# Look for plugin,auth_string, password expired, SSL fields
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='tu1';

CREATE USER u9@localhost REQUIRE SUBJECT 'sub';
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u9';
ALTER USER u9@localhost
           REQUIRE ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA";
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u9';

ALTER USER u9@localhost IDENTIFIED WITH 'test_plugin_server' BY 'auth_string77hg'
                        REQUIRE ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA";
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u9';

CREATE USER u10@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
                          REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
                          SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
                          ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA";
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u10';
ALTER USER u10@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
                         REQUIRE SSL;
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u10';

# Testing connection
--connect(con1, localhost, u10,'auth_string',,,,SSL)
SELECT USER();
connection default;
disconnect con1;

CREATE USER u11@localhost WITH MAX_QUERIES_PER_HOUR 2;
--replace_column 8 #
query_vertical SELECT User,max_questions FROM mysql.user WHERE USER='u11';
ALTER USER u11@localhost WITH MAX_QUERIES_PER_HOUR 6;
--replace_column 8 #
query_vertical SELECT User,max_questions FROM mysql.user WHERE USER='u11';

CREATE USER u12@localhost IDENTIFIED BY 'auth_string'
                          WITH MAX_QUERIES_PER_HOUR 2;
--replace_column 8 #
query_vertical SELECT User,max_questions FROM mysql.user WHERE USER='u12';
ALTER USER u12@localhost IDENTIFIED WITH 'sha256_password'
                         WITH MAX_QUERIES_PER_HOUR 8;
--replace_column 8 #
query_vertical SELECT User,max_questions FROM mysql.user WHERE USER='u12';

ALTER USER u12@localhost IDENTIFIED WITH 'test_plugin_server'
                         WITH MAX_QUERIES_PER_HOUR 1000;
--replace_column 8 #
query_vertical SELECT User,max_questions FROM mysql.user WHERE USER='u12';


CREATE USER u13@localhost IDENTIFIED WITH 'sha256_password'
                          WITH MAX_CONNECTIONS_PER_HOUR 2;
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u13';
ALTER USER u13@localhost PASSWORD EXPIRE;
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u13';

# Testing connection
--connect(con1, localhost, u13,,,,,SSL)
--error ER_MUST_CHANGE_PASSWORD
SELECT USER();
--disable_ps_protocol
ALTER USER USER() IDENTIFIED BY 'new_pwd_string';
--enable_ps_protocol
disconnect con1;
--connect(con1, localhost, u13,'new_pwd_string',,,,SSL)
SELECT USER();
connection default;
disconnect con1;


CREATE USER u14@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
                          WITH MAX_USER_CONNECTIONS 2;
--replace_column 9 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,max_user_connections,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u14';
ALTER USER u14@localhost WITH MAX_USER_CONNECTIONS 12 PASSWORD EXPIRE INTERVAL 365 DAY;
--replace_column 9 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,max_user_connections,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u14';

CREATE USER tu2@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
                          WITH MAX_USER_CONNECTIONS 2 ;
--replace_column 10 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,max_user_connections,max_questions,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='tu2';
ALTER USER tu2@localhost WITH MAX_USER_CONNECTIONS 12 MAX_QUERIES_PER_HOUR 543
                         PASSWORD EXPIRE INTERVAL 365 DAY;
--replace_column 10 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,max_user_connections,max_questions,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='tu2';

# Testing connection
--connect(con1, localhost, tu2,'auth_string',,,,SSL)
SELECT USER();
connection default;
disconnect con1;

CREATE USER u15@localhost,
            u16@localhost IDENTIFIED WITH 'sha256_password',
            u17@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string';
--replace_column 7 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,password_lifetime
FROM mysql.user WHERE USER='u15';
--replace_column 7 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,password_lifetime
FROM mysql.user WHERE USER='u16';
--replace_column 7 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,password_lifetime
FROM mysql.user WHERE USER='u17';

ALTER USER u15@localhost IDENTIFIED WITH 'sha256_password',
           u16@localhost,
           u17@localhost IDENTIFIED BY 'new_auth_string'
                         PASSWORD EXPIRE DEFAULT;
--replace_column 7 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,password_lifetime
FROM mysql.user WHERE USER='u15';
--replace_column 7 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,password_lifetime
FROM mysql.user WHERE USER='u16';
--replace_column 7 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,password_lifetime
FROM mysql.user WHERE USER='u17';

CREATE USER u18@localhost,
            u19@localhost IDENTIFIED BY 'auth_string',
            u20@localhost IDENTIFIED WITH 'sha256_password',
            u21@localhost IDENTIFIED WITH 'sha256_password' BY '!Y_TOdh6)',
            u22@localhost IDENTIFIED WITH 'sha256_password',
            u23@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_&string'
            REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client'
            WITH MAX_QUERIES_PER_HOUR 2 MAX_USER_CONNECTIONS 2;
--replace_column 10 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,max_user_connections,
max_questions,password_last_changed,password_lifetime FROM mysql.user
WHERE USER BETWEEN 'u18' AND 'u23' order by 1;
ALTER USER u18@localhost,
           u19@localhost,
           u20@localhost,
           u21@localhost,
           u22@localhost,
           u23@localhost
           REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client'
           WITH MAX_QUERIES_PER_HOUR 2 MAX_USER_CONNECTIONS 2
           PASSWORD EXPIRE NEVER;
--replace_column 10 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,max_user_connections,
max_questions,password_last_changed,password_lifetime FROM mysql.user
WHERE USER BETWEEN 'u18' AND 'u23' order by 1;

DROP USER tu1@localhost,tu2@localhost,u1@localhost, u2@localhost, u3@localhost,
          u4@localhost, u5@localhost,u6@localhost, u7@localhost, u8@localhost,
          u9@localhost, u10@localhost,u11@localhost, u12@localhost, u13@localhost,
          u14@localhost,u15@localhost, u16@localhost, u17@localhost, u18@localhost,
          u19@localhost, u20@localhost, u21@localhost,u22@localhost,u23@localhost;

--echo # ALTER USER with current user

CREATE USER u1@localhost IDENTIFIED BY 'abc';
--connect(con1, localhost, u1, abc)
SELECT USER();
connection default;
ALTER USER u1@localhost PASSWORD EXPIRE;
disconnect con1;

--connect(con1, localhost, u1, abc)
--error ER_MUST_CHANGE_PASSWORD
SELECT USER();
SET PASSWORD = 'def';
--disable_warnings
connection default;
disconnect con1;
--enable_warnings

--connect(con1, localhost, u1, def)
SELECT USER();
connection default;
ALTER USER u1@localhost PASSWORD EXPIRE;
disconnect con1;

--connect(con1, localhost, u1, def)
--error ER_MUST_CHANGE_PASSWORD
SELECT USER();
# Password set to current user
--disable_ps_protocol
--error ER_PARSE_ERROR
ALTER USER IDENTIFIED BY 'npwd';
ALTER USER USER() IDENTIFIED BY 'abc';
--enable_ps_protocol
disconnect con1;

--connect(con1, localhost, u1, abc)
SELECT USER();
connection default;
ALTER USER u1@localhost PASSWORD EXPIRE;
disconnect con1;

--connect(con1, localhost, u1, abc)
--error ER_MUST_CHANGE_PASSWORD
SELECT USER();
connection default;
ALTER USER u1@localhost IDENTIFIED BY 'def';
disconnect con1;

--connect(con1, localhost, u1, def)
SELECT USER();
connection default;
DROP USER u1@localhost;
disconnect con1;

--echo # ALTER USER with current user is allowed to set only credential information

CREATE USER u1@localhost, u2@localhost IDENTIFIED BY 'abc';
GRANT ALL ON *.* TO u2@localhost;
--connect(con1, localhost, u2, abc)
--error ER_PARSE_ERROR
ALTER USER USER() IDENTIFIED WITH 'sha256_password';
--error ER_PARSE_ERROR
ALTER USER USER() IDENTIFIED BY 'def', u2@localhost PASSWORD EXPIRE;
--error ER_PARSE_ERROR
ALTER USER USER() IDENTIFIED BY 'def' PASSWORD EXPIRE;
--error ER_PARSE_ERROR
ALTER USER ;
ALTER USER u2@localhost IDENTIFIED BY 'auth_string'
                        PASSWORD EXPIRE INTERVAL 45 DAY;
--replace_column 8 #
query_vertical SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
plugin,password_expired,
password_last_changed,password_lifetime FROM mysql.user WHERE USER='u2';
connection default;
disconnect con1;
DROP USER u1@localhost, u2@localhost;

# Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc

--echo # SHOW CREATE USER

CREATE USER u1@localhost;
SHOW CREATE USER u1@localhost;

CREATE USER u2@localhost IDENTIFIED BY 'auth_string';
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/
SHOW CREATE USER u2@localhost;
--echo # DDL output for SHOW CREATE USER u2@localhost and recreating user
DROP USER u2@localhost;
CREATE USER 'u2'@'localhost' IDENTIFIED WITH 'mysql_native_password'
                             AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF'
                             REQUIRE NONE;

--connect(con1,localhost,u2,auth_string)
SELECT USER();
connection default;
disconnect con1;
--echo

CREATE USER u3@localhost IDENTIFIED WITH 'sha256_password';
SHOW CREATE USER u3@localhost;
ALTER USER u3@localhost IDENTIFIED BY 'auth_string';
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/
SHOW CREATE USER u3@localhost;

CREATE USER u4@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string';
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/
SHOW CREATE USER u4@localhost;


CREATE USER user1@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string';
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/
SHOW CREATE USER user1@localhost;

--echo
CREATE USER user2@localhost IDENTIFIED WITH 'mysql_native_password' BY 'auth_string';
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/
SHOW CREATE USER user2@localhost;
--echo
CREATE USER u5@localhost REQUIRE SSL;
SHOW CREATE USER u5@localhost;
ALTER USER u5@localhost REQUIRE X509;
--echo # SHOW CREATE USER after ALTER user attributes
SHOW CREATE USER u5@localhost;

CREATE USER u6@localhost IDENTIFIED BY 'auth_string'
                         REQUIRE X509 PASSWORD EXPIRE INTERVAL 5 DAY;
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/
SHOW CREATE USER u6@localhost;

ALTER USER u6@localhost IDENTIFIED BY 'auth_string'
                        REQUIRE X509 PASSWORD EXPIRE INTERVAL 19 DAY;
--echo # SHOW CREATE USER after ALTER user attributes
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/
SHOW CREATE USER u6@localhost;
--echo # Recreating user from SHOW CREATE output
DROP USER u6@localhost;
CREATE USER 'u6'@'localhost' IDENTIFIED WITH 'mysql_native_password'
                             AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF'
                             REQUIRE X509 PASSWORD EXPIRE INTERVAL 19 DAY;

CREATE USER u7@localhost IDENTIFIED WITH 'sha256_password'
                         REQUIRE CIPHER 'cipher';
SHOW CREATE USER u7@localhost;

CREATE USER u8@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
                         REQUIRE ISSUER 'issuer';
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/
SHOW CREATE USER u8@localhost;

CREATE USER u9@localhost REQUIRE SUBJECT 'sub';
SHOW CREATE USER u9@localhost;

CREATE USER u10@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
            REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
            SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
            ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA";
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/
SHOW CREATE USER u10@localhost;

ALTER USER u10@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
           REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
           SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
           ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
           WITH MAX_CONNECTIONS_PER_HOUR 1000
           MAX_USER_CONNECTIONS 20 MAX_QUERIES_PER_HOUR 60
           MAX_UPDATES_PER_HOUR 100;
--echo # SHOW CREATE USER after ALTER user attributes
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/
SHOW CREATE USER u10@localhost;


CREATE USER u11@localhost WITH MAX_QUERIES_PER_HOUR 2;
SHOW CREATE USER u11@localhost;

CREATE USER u12@localhost IDENTIFIED BY 'auth_string'
                          WITH MAX_QUERIES_PER_HOUR 2;
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/
SHOW CREATE USER u12@localhost;

CREATE USER u13@localhost IDENTIFIED WITH 'sha256_password'
                          WITH MAX_CONNECTIONS_PER_HOUR 2;
SHOW CREATE USER u13@localhost;

CREATE USER u14@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
                          WITH MAX_USER_CONNECTIONS 2;
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/
SHOW CREATE USER u14@localhost;

CREATE USER u15@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
            REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client'
            ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
            CIPHER 'cipher' WITH MAX_QUERIES_PER_HOUR 2 MAX_USER_CONNECTIONS 2;
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/
SHOW CREATE USER u15@localhost;

ALTER USER u15@localhost IDENTIFIED WITH 'mysql_native_password' BY 'auth_string'
                         WITH MAX_CONNECTIONS_PER_HOUR 1000
                              MAX_USER_CONNECTIONS 20 MAX_QUERIES_PER_HOUR 60
                              MAX_UPDATES_PER_HOUR 100;
--echo # SHOW CREATE USER after ALTER user attributes
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/
SHOW CREATE USER u15@localhost;
--echo # Recreating user from SHOW CREATE output
DROP USER u15@localhost;
CREATE USER 'u15'@'localhost' IDENTIFIED WITH 'mysql_native_password'
            AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF'
            REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client'
            ISSUER '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA'
            CIPHER 'cipher'
            WITH MAX_QUERIES_PER_HOUR 60 MAX_UPDATES_PER_HOUR 100
            MAX_CONNECTIONS_PER_HOUR 1000 MAX_USER_CONNECTIONS 20
            PASSWORD EXPIRE DEFAULT;

DROP USER user1@localhost,u1@localhost, u2@localhost, u3@localhost, u4@localhost,
          u5@localhost,u6@localhost, u7@localhost, u8@localhost, u9@localhost,
          u10@localhost,u11@localhost, u12@localhost, u13@localhost,
          u14@localhost,u15@localhost;

CREATE USER user1@localhost IDENTIFIED WITH 'mysql_native_password'
            AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF'
            REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client'
            ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
            WITH MAX_CONNECTIONS_PER_HOUR 1000 MAX_USER_CONNECTIONS 20
                 MAX_QUERIES_PER_HOUR 60 MAX_UPDATES_PER_HOUR 100;

--replace_column 3 #
query_vertical SELECT user,plugin,ssl_type,ssl_cipher,
x509_issuer,x509_subject,max_user_connections,
max_questions,max_updates,max_connections FROM mysql.user
WHERE USER='user1';

--echo
GRANT SELECT ON *.* TO user1@localhost;
GRANT SELECT,INSERT,UPDATE ON mysql.* TO user1@localhost;

--echo
SHOW GRANTS FOR user1@localhost;
--echo
REVOKE INSERT,UPDATE ON mysql.* FROM user1@localhost;

SHOW GRANTS FOR user1@localhost;
--echo

CREATE USER user3@localhost IDENTIFIED BY 'auth_string';

--echo # Cleanup
DROP USER user1@localhost,user2@localhost,user3@localhost;

--echo
--echo # SET PASSWORD Tests
--echo
CREATE USER user1@localhost IDENTIFIED BY 'auth_string';
CREATE USER user2@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string1';

SET PASSWORD FOR user1@localhost='auth_xyz@';
SET PASSWORD FOR user2@localhost='gd636@gj';

--echo
CREATE USER user4@localhost;
ALTER USER user4@localhost PASSWORD EXPIRE;
SET PASSWORD FOR user4@localhost='';

CREATE USER user3@localhost IDENTIFIED  BY 'auth_string';
CREATE USER user5@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string1';

SET PASSWORD FOR user3@localhost='auth_abc';
GRANT SELECT ON *.* TO user3@localhost;

--connect(con1, localhost, user3, auth_abc)
SELECT USER();
SET PASSWORD='auth_xyz';
--replace_column 3 #
query_vertical SELECT user,plugin,ssl_type,password_expired,
password_lifetime FROM mysql.user where  user='user3';
connection default;
disconnect con1;

--echo
SET PASSWORD FOR user4@localhost='auth_xyz';
--replace_column 3 #
query_vertical SELECT user,plugin,ssl_type,
password_expired,password_lifetime FROM mysql.user where  user='user4';
--echo
SET PASSWORD FOR user5@localhost='auth_dhsga5';
--replace_column 3 #
query_vertical SELECT user,plugin,ssl_type,
password_expired,password_lifetime FROM mysql.user where  user='user5';


# Resetting password with a non-ssl connection using mysqladmin,it should throw warning.
GRANT ALL ON *.* TO user4@localhost;
--exec $MYSQLADMIN --no-defaults -S $MASTER_MYSOCK -P $MASTER_MYPORT -uuser4 --password=auth_xyz password new_auth  2>&1
# Testing connection
--connect(con1, localhost, user4, new_auth)
SELECT USER();
connection default;
disconnect con1;

# With ssl connection
--exec $MYSQLADMIN --no-defaults -S $MASTER_MYSOCK -P $MASTER_MYPORT -uuser4 --password=new_auth password new_auth_ssl --ssl-mode=REQUIRED 2>&1

# Testing connection
--connect(con1, localhost, user4, new_auth_ssl)
SELECT USER();
--replace_column 3 #
query_vertical SELECT user,plugin,ssl_type,
password_expired,password_lifetime FROM mysql.user where  user='user4';
connection default;
disconnect con1;

--echo
CREATE USER user6@localhost IDENTIFIED BY 'auth_string';
--replace_column 3 #
query_vertical SELECT user,plugin,
password_expired FROM mysql.user WHERE USER='user6';

ALTER USER user6@localhost IDENTIFIED WITH 'sha256_password';
--replace_column 3 #
query_vertical SELECT user,plugin,
password_expired FROM mysql.user WHERE USER='user6';

SET PASSWORD FOR user6@localhost='plaintext_password';
--replace_column 3 #
query_vertical SELECT user,plugin
FROM mysql.user WHERE USER='user6';

# Testing connection
--connect(con1, localhost, user6, 'plaintext_password',,,,SSL)
SELECT USER();
connection default;
disconnect con1;


--echo
--echo # Cleanup
DROP USER user1@localhost,user2@localhost,user3@localhost,
          user4@localhost,user5@localhost,user6@localhost;

# Write file to make mysql-test-run.pl wait for the server to stop
let $expect_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
--exec echo "wait" > $expect_file

# Request shutdown
--send_shutdown

# Call script that will poll the server waiting for it to disapear
--source include/wait_until_disconnected.inc

--echo # Restart server.
--exec echo "restart:" > $expect_file

# Turn on reconnect
--enable_reconnect

# Call script that will poll the server waiting for it to be back online again
--source include/wait_until_connected_again.inc

SHOW GLOBAL VARIABLES LIKE 'log_bin';

# Get rid of previous tests binlog
--disable_query_log
reset master;
--enable_query_log

CREATE USER u1 IDENTIFIED WITH 'mysql_native_password' BY 'azundris1';
CREATE USER user8@localhost IDENTIFIED WITH 'mysql_native_password'
                            AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF';
CREATE USER user1@localhost IDENTIFIED WITH 'sha256_password'
                            REQUIRE SSL;
CREATE USER user11@localhost IDENTIFIED WITH 'mysql_native_password'
                             PASSWORD EXPIRE NEVER ACCOUNT LOCK;
CREATE USER user12@localhost IDENTIFIED WITH 'sha256_password'
                             PASSWORD EXPIRE NEVER;

CREATE USER u2@localhost IDENTIFIED BY 'meow';
CREATE USER u10@localhost IDENTIFIED WITH 'sha256_password'
                          REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
                          SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
                          ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
                          WITH MAX_QUERIES_PER_HOUR 2 MAX_USER_CONNECTIONS 2;
ALTER USER u10@localhost IDENTIFIED WITH 'mysql_native_password' BY 'auth_string'
                         REQUIRE SSL;
ALTER USER user11@localhost IDENTIFIED WITH 'sha256_password'
                            REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
                            SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
                            ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
                            PASSWORD EXPIRE  DEFAULT ACCOUNT UNLOCK;
ALTER USER user12@localhost IDENTIFIED WITH 'mysql_native_password'
                            AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF'
                            ACCOUNT UNLOCK PASSWORD  EXPIRE INTERVAL 90 DAY;
CREATE USER user13@localhost IDENTIFIED BY 'auth_string' ACCOUNT UNLOCK;
ALTER USER user13@localhost WITH MAX_QUERIES_PER_HOUR 22
                            MAX_USER_CONNECTIONS 4 ACCOUNT LOCK PASSWORD EXPIRE NEVER;
CREATE USER user14@localhost IDENTIFIED WITH 'mysql_native_password' AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF'
                             ACCOUNT LOCK;
CREATE USER user15@localhost IDENTIFIED WITH 'mysql_native_password' BY 'azundris1'
                             PASSWORD EXPIRE NEVER ACCOUNT UNLOCK;
ALTER USER user15@localhost PASSWORD EXPIRE DEFAULT ACCOUNT LOCK;
CREATE USER user16@localhost IDENTIFIED WITH 'mysql_native_password' AS  '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF'
                             ACCOUNT LOCK PASSWORD EXPIRE NEVER;
ALTER USER user16@localhost PASSWORD EXPIRE INTERVAL 10 DAY ACCOUNT LOCK;
--connect(con1, localhost, u1, 'azundris1')
SELECT USER();
ALTER USER USER() IDENTIFIED BY 'new-auth';
connection default;
disconnect con1;

CREATE USER user10@localhost
            IDENTIFIED WITH 'mysql_native_password' AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF';
--echo # Show binlog events
--let $mask_user_password_events= 1
--source include/show_binlog_events.inc
--let $mask_user_password_events= 0

# Cleanup
DROP USER user1@localhost,user8@localhost,user10@localhost,user11@localhost,
          user12@localhost,user13@localhost,user14@localhost,user15@localhost,
          user16@localhost,u10@localhost,u1,u2@localhost;

# Make sure we start with a clean slate. log_tables.test says this is OK.
TRUNCATE TABLE mysql.general_log;

--echo --------------- general log ---------------------------------------

SET @old_log_output=    @@global.log_output;
SET @old_general_log=         @@global.general_log;
SET @old_general_log_file=    @@global.general_log_file;

let $general_file_off = $MYSQLTEST_VARDIR/log/create_or_alter_user.log;
--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR
eval SET GLOBAL general_log_file = '$general_file_off';
SET GLOBAL log_output =       'FILE,TABLE';
SET GLOBAL general_log=       'ON';

CREATE USER u1 IDENTIFIED WITH 'mysql_native_password' BY 'azundris1';
CREATE USER user8@localhost IDENTIFIED WITH 'mysql_native_password'
                            AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF';
CREATE USER user1@localhost IDENTIFIED WITH 'sha256_password' REQUIRE SSL;
CREATE USER user11@localhost IDENTIFIED WITH 'mysql_native_password'
                             PASSWORD EXPIRE NEVER ACCOUNT LOCK;
CREATE USER user12@localhost IDENTIFIED WITH 'sha256_password'
                             PASSWORD EXPIRE NEVER;

CREATE USER u2@localhost IDENTIFIED BY 'meow';
CREATE USER u10@localhost IDENTIFIED WITH 'sha256_password'
            REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
            SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
            ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
            WITH MAX_QUERIES_PER_HOUR 2 MAX_USER_CONNECTIONS 2;
ALTER USER u10@localhost IDENTIFIED WITH 'mysql_native_password' BY 'auth_string'
                         REQUIRE SSL;
ALTER USER user11@localhost IDENTIFIED WITH 'sha256_password'
           REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
           SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
           ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
           PASSWORD EXPIRE  DEFAULT ACCOUNT UNLOCK;
ALTER USER user12@localhost IDENTIFIED WITH 'mysql_native_password'
           AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF'
           ACCOUNT UNLOCK PASSWORD  EXPIRE INTERVAL 90 DAY;
CREATE USER user13@localhost IDENTIFIED BY 'auth_string' ACCOUNT UNLOCK;
ALTER USER user13@localhost WITH MAX_QUERIES_PER_HOUR 22
                            MAX_USER_CONNECTIONS 4 ACCOUNT LOCK PASSWORD EXPIRE NEVER;
CREATE USER user14@localhost IDENTIFIED WITH 'mysql_native_password' AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF'
                             ACCOUNT LOCK;
CREATE USER user15@localhost IDENTIFIED WITH 'mysql_native_password' BY 'azundris1'
                             PASSWORD EXPIRE NEVER ACCOUNT UNLOCK;
ALTER USER user15@localhost PASSWORD EXPIRE DEFAULT ACCOUNT LOCK;
CREATE USER user16@localhost IDENTIFIED WITH 'mysql_native_password' AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF'
                             ACCOUNT LOCK PASSWORD EXPIRE NEVER;
ALTER USER user16@localhost PASSWORD EXPIRE INTERVAL 10 DAY ACCOUNT LOCK;
--connect(con1, localhost, u1, 'azundris1')
SELECT USER();
ALTER USER USER() IDENTIFIED BY 'new-auth';
connection default;
disconnect con1;

CREATE USER user10@localhost IDENTIFIED WITH 'mysql_native_password' AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF';

--echo Show what is logged:
--echo ------ rewrite ------
SELECT argument FROM mysql.general_log WHERE argument LIKE 'CREATE USER %' AND
                                             command_type NOT LIKE 'Prepare';
SELECT argument FROM mysql.general_log WHERE argument LIKE 'ALTER USER %' AND
                                             command_type NOT LIKE 'Prepare';
SELECT argument FROM mysql.general_log WHERE argument LIKE 'SET PASSWORD %';
SELECT argument FROM mysql.general_log WHERE argument LIKE 'GRANT %'AND
                                             command_type NOT LIKE 'Prepare';
--echo ------ done ------

# Cleanup
DROP USER user1@localhost,user8@localhost,user10@localhost,user11@localhost,
          user12@localhost,user13@localhost,user14@localhost,user15@localhost,
          user16@localhost,u10@localhost,u1,u2@localhost;

--remove_file $general_file_off

SET GLOBAL general_log_file=  @old_general_log_file;
SET GLOBAL general_log=       @old_general_log;
SET GLOBAL log_output=        @old_log_output;
TRUNCATE TABLE mysql.general_log;

--echo
--echo Bug #20602525 ALTER USER DOES NOT VERIFY AUTH PLUGIN
--echo

CREATE USER u1;
--error ER_PLUGIN_IS_NOT_LOADED
ALTER USER u1 IDENTIFIED WITH 'invalid_plugin';
--error ER_PLUGIN_IS_NOT_LOADED
ALTER USER u1 IDENTIFIED WITH 'invalid_plugin' BY 'secret';
--error ER_PLUGIN_IS_NOT_LOADED
ALTER USER u1 IDENTIFIED WITH 'invalid_plugin' AS 'secret';

#cleanup
DROP USER u1;

--echo
--echo Bug #20364862 MYSQLADMIN PASSWORD AFFECTS EXTERNAL AUTH ACCOUNTS
--echo

connection default;
CREATE USER bug20364862_user@localhost IDENTIFIED WITH test_plugin_server AS 'bug20364862_dest';
CREATE USER bug20364862_dest@localhost IDENTIFIED BY 'dest_password';
GRANT PROXY ON bug20364862_dest@localhost TO bug20364862_user@localhost;
CREATE DATABASE db1;
GRANT ALL PRIVILEGES ON db1.* TO bug20364862_dest@localhost WITH GRANT OPTION;

# An unprivileged user trying to alter credentials through ALTER USER should get error
# if plugin puts restriction over who can alter credentials
--error 1
--exec $MYSQL $PLUGIN_AUTH_OPT -h localhost -P $MASTER_MYPORT -u bug20364862_user --password=bug20364862_dest -e "ALTER USER USER() IDENTIFIED BY 'qa_test_2_dest';" 2>&1

# SET PASSWORD does not make any sense if mysql.user.authentication_string is
# not used as password store
--error 1
--exec $MYSQL $PLUGIN_AUTH_OPT -h localhost -P $MASTER_MYPORT -u bug20364862_user --password=bug20364862_dest -e "SET PASSWORD = 'qa_test_2_dest'" 2>&1

connection default;
# Make sure that previous SET PASSWORD didn't modify anything
SELECT USER, AUTHENTICATION_STRING FROM mysql.user WHERE user like 'bug20364862_user';

# Grant a user ability to update mysql.*
GRANT UPDATE ON mysql.* TO bug20364862_dest@localhost;
FLUSH PRIVILEGES;

# ALTER should work now
--exec $MYSQL $PLUGIN_AUTH_OPT -h localhost -P $MASTER_MYPORT -u bug20364862_user --password=bug20364862_dest -e "ALTER USER USER() IDENTIFIED BY 'qa_test_2_dest'; ALTER USER USER() IDENTIFIED BY 'bug20364862_dest';" 2>&1

# SET PASSWORD should still return an error
--error 1
--exec $MYSQL $PLUGIN_AUTH_OPT -h localhost -P $MASTER_MYPORT -u bug20364862_user --password=bug20364862_dest -e "SET PASSWORD = 'qa_test_2_dest';" 2>&1

connection default;
# Make sure that previous SET PASSWORD didn't modify anything
SELECT USER, AUTHENTICATION_STRING FROM mysql.user WHERE user like 'bug20364862_user';

# Grant a user ability to create user
REVOKE UPDATE ON mysql.* FROM bug20364862_dest@localhost;
GRANT CREATE USER ON *.* TO bug20364862_dest@localhost;
FLUSH PRIVILEGES;

# ALTER should work now
--exec $MYSQL $PLUGIN_AUTH_OPT -h localhost -P $MASTER_MYPORT -u bug20364862_user --password=bug20364862_dest -e "ALTER USER USER() IDENTIFIED BY 'qa_test_2_dest'; ALTER USER USER() IDENTIFIED BY 'bug20364862_dest';" 2>&1
# SET PASSWORD should error out
--error 1
--exec $MYSQL $PLUGIN_AUTH_OPT -h localhost -P $MASTER_MYPORT -u bug20364862_user --password=bug20364862_dest -e "SET PASSWORD = 'qa_test_2_dest';" 2>&1

connection default;
# Make sure that previous SET PASSWORD didn't modify anything
SELECT USER, AUTHENTICATION_STRING FROM mysql.user WHERE user like 'bug20364862_user';

DROP DATABASE db1;
DROP USER bug20364862_user@localhost;
DROP USER bug20364862_dest@localhost;

--echo
--echo Bug #20625566 SHOW CREATE USER ALLOWS ACCESS TO OTHER USERS PASSWORD HASH
--echo

--echo # Restarting the server

# Write file to make mysql-test-run.pl wait for the server to stop
let $expect_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
--exec echo "wait" > $expect_file

# Request shutdown
--send_shutdown

# Call script that will poll the server waiting for it to disapear
--source include/wait_until_disconnected.inc

--echo # Restart server.
--exec echo "restart:" > $expect_file

# Turn on reconnect
--enable_reconnect

# Call script that will poll the server waiting for it to be back online again
--source include/wait_until_connected_again.inc

CREATE USER user1@localhost;
CREATE USER user1@47.9.9.9 IDENTIFIED BY 'pass1';
CREATE USER user2 IDENTIFIED BY 'pass2';

--echo # case1 without any privileges
--connect(con1, localhost, user1,)
SELECT USER(), CURRENT_USER();
SHOW CREATE USER user1@localhost;
--error ER_DBACCESS_DENIED_ERROR
SHOW CREATE USER user1@47.9.9.9;
--error ER_DBACCESS_DENIED_ERROR
SHOW CREATE USER user2;
--error ER_DBACCESS_DENIED_ERROR
SHOW CREATE USER invalid_user;
disconnect con1;
connection default;

--echo # case2 with SELECT privilege on mysql db
GRANT SELECT ON mysql.* TO user1@localhost;
--connect(con1, localhost, user1,)
SELECT USER(), CURRENT_USER();
SHOW CREATE USER user1@localhost;
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/
SHOW CREATE USER user1@47.9.9.9;
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/
SHOW CREATE USER user2;
--error ER_CANNOT_USER
SHOW CREATE USER invalid_user;
disconnect con1;
connection default;

--echo # case3 with all global privileges except SELECT
GRANT ALL ON *.* TO user1@localhost;
REVOKE SELECT ON *.* FROM user1@localhost;
REVOKE CREATE USER ON *.* FROM user1@localhost;
REVOKE SELECT ON mysql.* FROM user1@localhost;
SHOW GRANTS FOR user1@localhost;
--connect(con1, localhost, user1,)
SELECT USER(), CURRENT_USER();
SHOW CREATE USER user1@localhost;
--error ER_DBACCESS_DENIED_ERROR
SHOW CREATE USER user1@47.9.9.9;
disconnect con1;
connection default;

--echo # case4 with irrelevant privilege on mysql db
REVOKE ALL ON *.* FROM user1@localhost;
SHOW GRANTS FOR user1@localhost;
GRANT UPDATE ON mysql.* TO user1@localhost;
SHOW GRANTS FOR user1@localhost;
--connect(con1, localhost, user1,)
SELECT USER(), CURRENT_USER();
SHOW CREATE USER user1@localhost;
--error ER_DBACCESS_DENIED_ERROR
SHOW CREATE USER user1@47.9.9.9;
--error ER_DBACCESS_DENIED_ERROR
SHOW CREATE USER user2;
--error ER_DBACCESS_DENIED_ERROR
SHOW CREATE USER invalid_user;
disconnect con1;
connection default;

--echo # case4 test for proxy user
CREATE USER bug20625566_user@localhost IDENTIFIED WITH test_plugin_server
         AS 'bug20625566_dest';
CREATE USER bug20625566_dest@localhost IDENTIFIED BY 'dest_password';
GRANT PROXY ON bug20625566_dest@localhost TO bug20625566_user@localhost;
--connect(con1, localhost, bug20625566_user,bug20625566_dest)
SELECT USER(), CURRENT_USER();
--error ER_DBACCESS_DENIED_ERROR
SHOW CREATE USER bug20625566_user@localhost;
--replace_regex /AS '(.*)' REQUIRE/AS '<non-deterministic-password-hash>' REQUIRE/ 
SHOW CREATE USER bug20625566_dest@localhost;
disconnect con1;
connection default;

# cleanup
DROP USER user1@localhost, user1@47.9.9.9, user2,
          bug20625566_user@localhost, bug20625566_dest@localhost;