1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
|
#
# WL#5706/Bug#58712/Bug#11746378
# Encrypt or remove passwords from slow, query, and binary logs
# (see sql/sql_rewrite.cc for bulk of implementation)
#
# make sure we start with a clean slate. log_tables.test says this is OK.
TRUNCATE TABLE mysql.general_log;
CALL mtr.add_suppression('Following users were specified in CREATE USER IF NOT EXISTS but they already exist');
CALL mtr.add_suppression('Following users were specified in ALTER USER IF EXISTS but they do not exist');
--echo --------------- general log ---------------------------------------
LET old_log_output= `select @@global.log_output`;
LET old_general_log= `select @@global.general_log`;
LET old_general_log_file= `select @@global.general_log_file`;
--replace_result $MYSQLTEST_VARDIR ...
eval SET GLOBAL general_log_file = '$MYSQLTEST_VARDIR/log/rewrite_general.log';
SET GLOBAL log_output = 'FILE,TABLE';
SET GLOBAL general_log= 'ON';
# SET NAMES / SET CHARSET
# keep these in lower case so we can tell them from the upper case rewrites!
set character set 'hebrew';
set charset default,@dummy='A';
set names 'latin1',@dummy='B';
set names 'latin1' collate 'latin1_german2_ci';
set names default,@dummy='c';
# 1.1.1.1
CREATE TABLE t1(f1 INT, f2 INT, f3 INT, f4 INT);
CREATE PROCEDURE proc_rewrite_1() INSERT INTO test.t1 VALUES ("hocus pocus");
CREATE FUNCTION func_rewrite_1(i INT) RETURNS INT DETERMINISTIC RETURN i+1;
CREATE USER test_user1 IDENTIFIED WITH mysql_native_password BY 'azundris1';
GRANT SELECT(f2), INSERT(f3), INDEX, UPDATE(f1,f3, f2, f4), ALTER on
test.t1 TO test_user1;
GRANT ALL ON PROCEDURE test.proc_rewrite_1 TO test_user1;
GRANT EXECUTE ON FUNCTION test.func_rewrite_1 TO test_user1;
CREATE USER test_user3@localhost IDENTIFIED WITH mysql_native_password BY 'meow' REQUIRE SSL;
GRANT SELECT,USAGE ON test.* TO test_user3@localhost;
ALTER USER test_user3@localhost IDENTIFIED BY 'meow'
REQUIRE X509 WITH
MAX_QUERIES_PER_HOUR 1 MAX_UPDATES_PER_HOUR 2
MAX_CONNECTIONS_PER_HOUR 3 MAX_USER_CONNECTIONS 4;
GRANT USAGE ON test.* TO test_user3@localhost WITH GRANT OPTION;
ALTER USER test_user3@localhost REQUIRE NONE;
DROP PROCEDURE proc_rewrite_1;
DROP FUNCTION func_rewrite_1;
DROP TABLE t1;
# 1.1.1.2
CREATE USER test_user2 IDENTIFIED WITH mysql_native_password BY 'azundris2';
# 1.1.1.3
--disable_warnings
CHANGE REPLICATION SOURCE TO SOURCE_PASSWORD='azundris3';
--enable_warnings
# 1.1.1.4
CREATE USER 'test_user4'@'localhost' IDENTIFIED WITH mysql_native_password;
ALTER USER 'test_user4'@'localhost' IDENTIFIED BY 'azundris4';
# 1.1.1.5
CREATE USER test_user5 IDENTIFIED WITH mysql_native_password AS
'*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF', test_user6 IDENTIFIED BY 'test';
ALTER USER IF EXISTS test_user5 IDENTIFIED BY 'test',
test_user6 IDENTIFIED WITH mysql_native_password AS
'*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF', test_user7 IDENTIFIED BY 'test';
CREATE USER IF NOT EXISTS test_user6 IDENTIFIED BY 'test',
test_user7 IDENTIFIED BY 'test';
ALTER USER test_user7 IDENTIFIED WITH mysql_native_password AS
'*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF';
# 1.1.1.6 : Literal <secret> must be printed in the log for empty password
CREATE USER test_user8 IDENTIFIED BY '';
ALTER USER test_user8 IDENTIFIED BY '';
CREATE USER test_user9 IDENTIFIED WITH 'caching_sha2_password' BY '';
ALTER USER test_user9 IDENTIFIED WITH 'caching_sha2_password' BY '';
SET PASSWORD FOR test_user9 = "";
#1.1.1.7 : WL#11544, verify the newly added clauses
CREATE USER u1, u2;
GRANT CREATE USER ON *.* to 'u1' WITH GRANT OPTION;
connect(con1,localhost,u1,,);
SET PASSWORD = '' REPLACE '';
ALTER USER u1 IDENTIFIED BY '123' REPLACE '', u2 IDENTIFIED BY '456'
PASSWORD REQUIRE CURRENT OPTIONAL;
ALTER USER u2 IDENTIFIED BY 'xyz', u1 IDENTIFIED BY 'abc' REPLACE '123';
connection default;
disconnect con1;
# clean-up
SET GLOBAL general_log= 'OFF';
DROP USER u1, u2;
DROP USER 'test_user4'@'localhost';
DROP USER 'test_user3'@'localhost';
DROP USER test_user9, test_user8;
DROP USER test_user7, test_user6, test_user5;
DROP USER test_user2;
DROP USER test_user1;
# show general-logging to file is correct
CREATE TABLE test_log (argument TEXT);
--replace_result $MYSQLTEST_VARDIR ...
eval LOAD DATA LOCAL INFILE '$MYSQLTEST_VARDIR/log/rewrite_general.log'
INTO TABLE test_log FIELDS TERMINATED BY '\n' LINES TERMINATED BY '\n';
# all passwords ('azundris%') must have been obfuscated -> empty result set
--echo This line should be followed by two SELECTs with empty result sets
--replace_regex /.*Query *//i
SELECT argument FROM test_log WHERE argument LIKE CONCAT('%azun','dris%');
# same for logging to table
SELECT argument FROM mysql.general_log WHERE argument LIKE CONCAT('%azun','dris%');
--echo Show that we logged stuff at all:
--echo ------ from file ------
--replace_regex /.*Execute *//i
SELECT TRIM(LEADING '\t' FROM MID(argument,LOCATE('Query',argument)+5)) FROM
test_log WHERE (argument LIKE '%BY %' OR argument LIKE '%AS %'
OR argument LIKE '%PASSWORD %')
AND argument NOT LIKE '%Prepare%';
--echo ------ from table ------
SELECT argument FROM mysql.general_log WHERE (argument LIKE '%BY %' OR
argument LIKE '%AS %' OR argument LIKE '%PASSWORD %')
AND command_type NOT LIKE 'Prepare';
--echo ------ done ------
--echo ------ rewrite ------
SELECT argument FROM mysql.general_log WHERE argument LIKE CONCAT('set ','character set %');
SELECT argument FROM mysql.general_log WHERE argument LIKE CONCAT('set ','names %');
SELECT argument FROM mysql.general_log WHERE argument LIKE 'GRANT %' AND command_type NOT LIKE 'Prepare';
--echo ------ done ------ see log_tables.test for more proof! :)
# Sanity check -- prove we log the correct hash. Must return one row. In case of ps-protocol mode the query returns 2 rows
SELECT COUNT(*)=1 OR COUNT(*)=2 FROM mysql.general_log WHERE argument LIKE 'CREATE USER%' AND argument LIKE CONCAT('%AS %');
--echo Bug#13958454 -- show we print SET @a:=5, but SELECT (@a:=5)
# We need the () in EXPLAIN, for (@e:=80)+5.
# In SET however, they'd break syntax.
# VIEWs do not accepted variables at this time.
EXPLAIN SELECT @a=5,@b:=10,@c:=20,@d:=40+5,(@e:=80)+5;
--echo
--echo End of 5.6 tests!
--echo
--echo #
--echo # Bug#16953758: PREPARED STATEMENT IS WRITTEN TO GENERAL QUERY LOG AFTER ITS EXECUTION IS FINISH
--echo #
TRUNCATE TABLE mysql.general_log;
SET GLOBAL general_log='ON';
SET @sql='SELECT command_type, argument FROM mysql.general_log WHERE argument LIKE "%Bug#16953758%"';
PREPARE stmt FROM @sql;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
--echo #
--echo # Bug#18616826: PREPARED STATEMENTS WHOSE EXECUTION FAIL ARE NOT LOGGED TO THE GENERAL LOG
--echo #
TRUNCATE TABLE mysql.general_log;
SET @sql='DROP TABLE 18616826_does_not_exist';
PREPARE stmt FROM @sql;
--error ER_BAD_TABLE_ERROR
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
SELECT command_type, argument FROM mysql.general_log WHERE argument LIKE "DROP TABLE 18616826_does_not_exist";
--echo
--echo End of 5.7 tests!
--echo
# Tests related to WL#11544 : Restart the server with --log-raw
# and check if password is in plaintext
--echo # shutdown the server from mtr.
--exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--shutdown_server
--source include/wait_until_disconnected.inc
--echo # restart the server.
--exec echo "restart: --log-raw" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
--replace_result $MYSQLTEST_VARDIR ...
eval SET GLOBAL general_log_file = '$MYSQLTEST_VARDIR/log/rewrite_general.log';
SET GLOBAL log_output = 'FILE,TABLE';
SET GLOBAL general_log= 'ON';
CREATE USER 'plaintext_test' IDENTIFIED BY 'pwd';
connect(con1,localhost,plaintext_test,'pwd',);
ALTER USER plaintext_test IDENTIFIED BY '' REPLACE 'pwd';
SET PASSWORD FOR plaintext_test='456' REPLACE '';
SET PASSWORD='789' REPLACE '456';
disconnect con1;
connection default;
DROP USER plaintext_test;
# Restart the server to original state
--echo # shutdown the server from mtr.
--exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--shutdown_server
--source include/wait_until_disconnected.inc
--echo # restart the server.
--exec echo "restart:" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
# Password must be seen in cleartext with --log-raw option. In case of ps-protocol mode the query returns 9 rows
SELECT count(*)=6 or count(*)=9 FROM mysql.general_log WHERE argument LIKE '%plaintext_test%' or argument like '%789%';
# cleanup
DROP TABLE test_log;
--remove_file $MYSQLTEST_VARDIR/log/rewrite_general.log
--replace_result $MYSQLTEST_VARDIR ...
eval SET GLOBAL general_log_file = '$old_general_log_file';
eval SET GLOBAL log_output= '$old_log_output';
eval SET GLOBAL general_log= $old_general_log;
TRUNCATE TABLE mysql.general_log;
--echo
--echo End of 5.7 tests!
--echo
|
