1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
|
#
# Test per-user-account lock
#
# Save the initial number of concurrent sessions
--source include/count_sessions.inc
call mtr.add_suppression('Can not read and process value of User_attributes column from mysql.user table for user');
CREATE USER foo@localhost IDENTIFIED BY 'foo';
--echo # Should be empty
SELECT user_attributes FROM mysql.user WHERE user='foo';
--echo # Should fail
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
--echo # Should fail with the same error
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
UPDATE mysql.user SET user_attributes='{"Password_locking": {"failed_login_attempts": 2, "password_lock_time_days": 2}}' WHERE user='foo';
FLUSH PRIVILEGES;
SELECT user_attributes FROM mysql.user WHERE user='foo';
--echo # Should still fail with policy
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
--echo # FR5: Should still fail with policy because of locked
disable_query_log;
--error ER_USER_ACCESS_DENIED_FOR_USER_ACCOUNT_BLOCKED_BY_PASSWORD_LOCK
connect(errcon,localhost,foo,,test);
enable_query_log;
DROP USER foo@localhost;
--echo # FR1
CREATE USER foo@localhost IDENTIFIED BY 'foo' FAILED_LOGIN_ATTEMPTS 4 PASSWORD_LOCK_TIME 6;
--echo # Test FR2 : should have the composite JSON and 2 subkeys
SELECT user_attributes FROM mysql.user WHERE user='foo';
--echo # FR1.1
ALTER USER foo@localhost FAILED_LOGIN_ATTEMPTS 2;
SELECT user_attributes FROM mysql.user WHERE user='foo';
ALTER USER foo@localhost PASSWORD_LOCK_TIME 3;
SELECT user_attributes FROM mysql.user WHERE user='foo';
--echo # Should still fail with policy
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
--echo # FR1.2 Should still fail with policy because of locked
disable_query_log;
--error ER_USER_ACCESS_DENIED_FOR_USER_ACCOUNT_BLOCKED_BY_PASSWORD_LOCK
connect(errcon,localhost,foo,,test);
enable_query_log;
ALTER USER foo@localhost IDENTIFIED BY 'foo';
--echo # FR1.5 Should fail locked even after ALTER USER
disable_query_log;
--error ER_USER_ACCESS_DENIED_FOR_USER_ACCOUNT_BLOCKED_BY_PASSWORD_LOCK
connect(errcon,localhost,foo,,test);
enable_query_log;
FLUSH PRIVILEGES;
--echo # FR1.3 Should fail unlocked after FLUSH PRIVILEGES
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
--echo # Should still fail with policy because of locked
disable_query_log;
--error ER_USER_ACCESS_DENIED_FOR_USER_ACCOUNT_BLOCKED_BY_PASSWORD_LOCK
connect(errcon,localhost,foo,,test);
enable_query_log;
--echo # FR1.8 Successful login doesn't work when account is locked.
disable_query_log;
--error ER_USER_ACCESS_DENIED_FOR_USER_ACCOUNT_BLOCKED_BY_PASSWORD_LOCK
connect(errcont,localhost,foo,foo,test);
enable_query_log;
--echo # FR11 ACCOUNT UNLOCK will remove the password failed lock too.
ALTER USER foo@localhost ACCOUNT UNLOCK;
--echo # Should fail as unlocked
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
--echo # we lock foo user account
disable_query_log;
--error ER_USER_ACCESS_DENIED_FOR_USER_ACCOUNT_BLOCKED_BY_PASSWORD_LOCK
connect(errcon,localhost,foo,,test);
enable_query_log;
CREATE USER bar@localhost IDENTIFIED BY 'bar';
--echo # bar should fail as unlocked: policy doesn't apply to it
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,bar,,test);
enable_query_log;
# Cleanup
connection default;
# Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc
DROP USER foo@localhost;
DROP USER bar@localhost;
--echo # Test SHOW CREATE USER
CREATE USER foo@localhost FAILED_LOGIN_ATTEMPTS 2 PASSWORD_LOCK_TIME 3;
--echo # Must contain FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME
SHOW CREATE USER foo@localhost;
CREATE USER failed_login_attempts@localhost FAILED_LOGIN_ATTEMPTS 2;
--echo # FR3 Must contain FAILED_LOGIN_ATTEMPTS
--echo # FR9 missing PASSWORD_LOCK_TIME: assume zero
SHOW CREATE USER failed_login_attempts@localhost;
CREATE USER password_lock_time@localhost PASSWORD_LOCK_TIME 3;
--echo # FR3 Must contain PASSWORD_LOCK_TIME
--echo # FR10 missing FAILED_LOGIN_ATTEMPTS: assume zero
SHOW CREATE USER password_lock_time@localhost;
--echo # Show create user must be replayable
--let $file = $MYSQLTEST_VARDIR/tmp/wl3515.sql
--exec $MYSQL test -N -e "SHOW CREATE USER foo@localhost" > $file
DROP USER foo@localhost;
--echo # Should not fail
--exec $MYSQL test < $file 2>&1
--echo # cleanup SHOW CREATE
remove_file $file;
DROP USER foo@localhost, failed_login_attempts@localhost, password_lock_time@localhost;
--echo # Test FR1.6
CREATE USER foo@localhost IDENTIFIED BY 'foo' FAILED_LOGIN_ATTEMPTS 2 PASSWORD_LOCK_TIME 3;
--echo # Should fail as unlocked
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
--echo # we lock foo user account
disable_query_log;
--error ER_USER_ACCESS_DENIED_FOR_USER_ACCOUNT_BLOCKED_BY_PASSWORD_LOCK
connect(errcon,localhost,foo,,test);
enable_query_log;
ALTER USER foo@localhost FAILED_LOGIN_ATTEMPTS 0;
--echo # Should fail as unlocked
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
--echo # Should fail as unlocked: tracking turned off by login attempts 0
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
--replace_regex /AS .* REQUIRE NONE/AS <secret> REQUIRE NONE/
SHOW CREATE USER foo@localhost;
ALTER USER foo@localhost FAILED_LOGIN_ATTEMPTS 2 PASSWORD_LOCK_TIME 0;
--echo # Should fail as unlocked
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
--echo # Should fail as unlocked: tracking turned off by password lock time 0
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
--replace_regex /AS .* REQUIRE NONE/AS <secret> REQUIRE NONE/
SHOW CREATE USER foo@localhost;
DROP USER foo@localhost;
--echo # Test FR1.7
CREATE USER foo@localhost IDENTIFIED BY 'foo' FAILED_LOGIN_ATTEMPTS 2 PASSWORD_LOCK_TIME 3;
--echo # Should fail as unlocked
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
--echo # we lock foo user account
disable_query_log;
--error ER_USER_ACCESS_DENIED_FOR_USER_ACCOUNT_BLOCKED_BY_PASSWORD_LOCK
connect(errcon,localhost,foo,,test);
enable_query_log;
ALTER USER foo@localhost FAILED_LOGIN_ATTEMPTS 2;
--echo # Should fail as unlocked
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
--echo # Should fail as locked
disable_query_log;
--error ER_USER_ACCESS_DENIED_FOR_USER_ACCOUNT_BLOCKED_BY_PASSWORD_LOCK
connect(errcon,localhost,foo,,test);
enable_query_log;
--replace_regex /AS .* REQUIRE NONE/AS <secret> REQUIRE NONE/
SHOW CREATE USER foo@localhost;
ALTER USER foo@localhost PASSWORD_LOCK_TIME 3;
--echo # Should fail as unlocked
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
--echo # Should fail as locked
disable_query_log;
--error ER_USER_ACCESS_DENIED_FOR_USER_ACCOUNT_BLOCKED_BY_PASSWORD_LOCK
connect(errcon,localhost,foo,,test);
enable_query_log;
--replace_regex /AS .* REQUIRE NONE/AS <secret> REQUIRE NONE/
SHOW CREATE USER foo@localhost;
DROP USER foo@localhost;
--echo # Test FR1.9: a successful login resets the failed count
CREATE USER foo@localhost IDENTIFIED BY 'foo' FAILED_LOGIN_ATTEMPTS 2 PASSWORD_LOCK_TIME 3;
--echo # Should fail as unlocked
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
connect(con1,localhost,foo,foo,test);
connection default;
disconnect con1;
# Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc
--echo # Should fail as unlocked: the first failure count removed by a connect
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
--echo # Should fail as locked
disable_query_log;
--error ER_USER_ACCESS_DENIED_FOR_USER_ACCOUNT_BLOCKED_BY_PASSWORD_LOCK
connect(errcon,localhost,foo,,test);
enable_query_log;
DROP USER foo@localhost;
--echo # Test FR2.1: invalid JSON values
CREATE USER foo@localhost;
--echo # Test wrong composite type
UPDATE mysql.user SET user_attributes='{"Password_locking": 1}' WHERE user='foo';
FLUSH PRIVILEGES;
SELECT user,host,user_attributes FROM mysql.user WHERE user='foo';
--error ER_CANNOT_USER
SHOW CREATE USER foo@localhost;
--echo # test negative login attempts
UPDATE mysql.user SET user_attributes='{"Password_locking": {"failed_login_attempts": -2, "password_lock_time_days": 2}}' WHERE user='foo';
FLUSH PRIVILEGES;
--error ER_CANNOT_USER
SHOW CREATE USER foo@localhost;
--echo # test negative password lock time
UPDATE mysql.user SET user_attributes='{"Password_locking": {"failed_login_attempts": 2, "password_lock_time_days": -2}}' WHERE user='foo';
FLUSH PRIVILEGES;
--error ER_CANNOT_USER
SHOW CREATE USER foo@localhost;
--echo # test wrong login attempts
UPDATE mysql.user SET user_attributes='{"Password_locking": {"failed_login_attempts": "2", "password_lock_time_days": 2}}' WHERE user='foo';
FLUSH PRIVILEGES;
--error ER_CANNOT_USER
SHOW CREATE USER foo@localhost;
--echo # test wrong password lock time
UPDATE mysql.user SET user_attributes='{"Password_locking": {"failed_login_attempts": 2, "password_lock_time_days": "2"}}' WHERE user='foo';
FLUSH PRIVILEGES;
--error ER_CANNOT_USER
SHOW CREATE USER foo@localhost;
--echo # test missing login attempts
UPDATE mysql.user SET user_attributes='{"Password_locking": {"password_lock_time_days": 2}}' WHERE user='foo';
FLUSH PRIVILEGES;
SHOW CREATE USER foo@localhost;
--echo # test missing password lock time
UPDATE mysql.user SET user_attributes='{"Password_locking": {"failed_login_attempts": 2}}' WHERE user='foo';
FLUSH PRIVILEGES;
SHOW CREATE USER foo@localhost;
--echo # cleanup
UPDATE mysql.user SET user_attributes=NULL WHERE user='foo';
FLUSH PRIVILEGES;
DROP USER foo@localhost;
--echo # Test FR6: password auto-lock and account lock
CREATE USER foo@localhost IDENTIFIED BY 'foo' FAILED_LOGIN_ATTEMPTS 2 PASSWORD_LOCK_TIME 3 ACCOUNT LOCK;
--echo # Should fail with account locked
disable_query_log;
--error ER_ACCOUNT_HAS_BEEN_LOCKED
connect(errcon,localhost,foo,foo,test);
enable_query_log;
--echo # Should fail with access denied
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,foo,,test);
enable_query_log;
--echo # FR6: Should still fail with policy because of locked
disable_query_log;
--error ER_USER_ACCESS_DENIED_FOR_USER_ACCOUNT_BLOCKED_BY_PASSWORD_LOCK
connect(errcon,localhost,foo,,test);
enable_query_log;
DROP USER foo@localhost;
--echo # FR7: check locking and proxies
SET GLOBAL check_proxy_users = ON;
SET GLOBAL mysql_native_password_proxy_users = ON;
CREATE USER proxied_to_user@localhost IDENTIFIED WITH 'mysql_native_password' FAILED_LOGIN_ATTEMPTS 2 PASSWORD_LOCK_TIME 3;
CREATE USER proxy_user@localhost IDENTIFIED WITH 'mysql_native_password' FAILED_LOGIN_ATTEMPTS 2 PASSWORD_LOCK_TIME 3;
GRANT PROXY ON proxied_to_user@localhost TO proxy_user@localhost;
connect(con1,localhost,proxy_user,,test);
SELECT USER(), CURRENT_USER(), @@session.proxy_user;
connection default;
disconnect con1;
# Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc
--echo # Should fail as unlocked
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,proxy_user,proxy_user,test);
enable_query_log;
--echo # FR8: Should fail as locked even with native auth
disable_query_log;
--error ER_USER_ACCESS_DENIED_FOR_USER_ACCOUNT_BLOCKED_BY_PASSWORD_LOCK
connect(errcon,localhost,proxy_user,proxy_user,test);
enable_query_log;
--echo # Should fail as unlocked: different user locked
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,proxied_to_user,proxied_to_user,test);
enable_query_log;
REVOKE PROXY ON proxied_to_user@localhost FROM proxy_user@localhost;
DROP USER proxied_to_user@localhost, proxy_user@localhost;
SET GLOBAL check_proxy_users = DEFAULT;
SET GLOBAL mysql_native_password_proxy_users = DEFAULT;
--echo # Test COM_CHANGE_USER
CREATE USER foo@localhost IDENTIFIED BY 'foo' FAILED_LOGIN_ATTEMPTS 2 PASSWORD_LOCK_TIME 2;
--echo # Should fail as unlocked
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
change_user foo,,test;
enable_query_log;
--echo # we lock foo user account
disable_query_log;
--error ER_USER_ACCESS_DENIED_FOR_USER_ACCOUNT_BLOCKED_BY_PASSWORD_LOCK
change_user foo,,test;
enable_query_log;
ALTER USER foo@localhost ACCOUNT UNLOCK;
--echo # Should fail as unlocked
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
change_user foo,,test;
enable_query_log;
DROP USER foo@localhost;
--echo # Test for bug #30465813: FAILED_LOGIN_ATTEMPTS CLAUSE ERASES OTHER ATTRIBUTES
--echo # FROM USER_ATTRIBUTES FIELD
SET GLOBAL partial_revokes=1;
CREATE USER u1 identified by 'pwd';
GRANT CREATE ON *.* TO u1;
REVOKE CREATE ON mysql.* FROM u1;
SELECT user_attributes FROM mysql.user WHERE USER = 'u1';
ALTER USER u1 FAILED_LOGIN_ATTEMPTS 2 PASSWORD_LOCK_TIME 3;
--echo # Should still contain the restrictions.
SELECT user_attributes FROM mysql.user WHERE USER = 'u1';
ALTER USER u1 FAILED_LOGIN_ATTEMPTS 0 PASSWORD_LOCK_TIME 0;
--echo # Should contain only the restrictions.
SELECT user_attributes FROM mysql.user WHERE USER = 'u1';
DROP USER u1;
SET GLOBAL partial_revokes=DEFAULT;
--echo # Test for FR13: limits
--error ER_PARSE_ERROR
CREATE USER foo@localhost FAILED_LOGIN_ATTEMPTS -1;
--error ER_WRONG_VALUE
CREATE USER goo@localhost FAILED_LOGIN_ATTEMPTS 32768;
CREATE USER foo@localhost FAILED_LOGIN_ATTEMPTS 32767;
DROP USER foo@localhost;
--error ER_PARSE_ERROR
CREATE USER foo@localhost PASSWORD_LOCK_TIME -1;
--error ER_WRONG_VALUE
CREATE USER goo@localhost PASSWORD_LOCK_TIME 32768;
CREATE USER foo@localhost PASSWORD_LOCK_TIME 32767;
DROP USER foo@localhost;
--echo # Bug #30481379: TEMPORARY ACCOUNT LOCK DOES NOT WORK FOR ANONYMOUS USER
CREATE USER ''@localhost IDENTIFIED BY 'pwd' FAILED_LOGIN_ATTEMPTS 2 PASSWORD_LOCK_TIME 3;
--echo # Should fail as unlocked
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
connect(errcon,localhost,non-existent,,test);
enable_query_log;
--echo # we lock foo user account
disable_query_log;
--error ER_USER_ACCESS_DENIED_FOR_USER_ACCOUNT_BLOCKED_BY_PASSWORD_LOCK
connect(errcon,localhost,non-existent2,,test);
enable_query_log;
DROP USER ''@localhost;
--echo #
--echo # user account password in conjunction with other user attributes and annotations
--echo #
CREATE USER foo@localhost IDENTIFIED BY 'foo' PASSWORD_LOCK_TIME 3 FAILED_LOGIN_ATTEMPTS 2;
ALTER USER foo@localhost ATTRIBUTE "{ \"test\": \"account locking\" }";
ALTER USER foo@localhost COMMENT "This is a test account for verifying that password locking and user attributes won't interfer with one and another.";
SELECT user_attributes FROM mysql.user WHERE user='foo';
--echo # Should fail as unlocked
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
change_user foo,,test;
enable_query_log;
--echo # we lock foo user account
disable_query_log;
--error ER_USER_ACCESS_DENIED_FOR_USER_ACCOUNT_BLOCKED_BY_PASSWORD_LOCK
change_user foo,,test;
enable_query_log;
ALTER USER foo@localhost ACCOUNT UNLOCK;
--echo # Check that we idn't drop the COMMENT or METADATA
SELECT user_attributes FROM mysql.user WHERE user='foo';
--echo # Should fail as unlocked
disable_query_log;
--error ER_ACCESS_DENIED_ERROR
change_user foo,,test;
enable_query_log;
DROP USER foo@localhost;
--echo # End of 8.0 tests
|
