MDEV-26647 (simple_password_check) Include password validation plugin information in the error message if the SQL statement is not satisfied password policy

Make the plugin report the cause of the error.
Oleksandr Byelkin 2021-10-20 11:37:14 +02:00
parent cc6bba008d
commit 15a2ff1231
4 changed files with 113 additions and 0 deletions


@ -72,12 +72,36 @@ READ_ONLY NO
COMMAND_LINE_ARGUMENT REQUIRED COMMAND_LINE_ARGUMENT REQUIRED
create user foo1 identified by 'pwd'; create user foo1 identified by 'pwd';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Too short password (< 8)
Warning 1819 simple_password_check: Not enough upper case letters (< 1)
Warning 1819 simple_password_check: Not enough digits (< 1)
Warning 1819 simple_password_check: Not enough special characters (< 1)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
Error 1396 Operation CREATE USER failed for 'foo1'@'%'
create user foo1; create user foo1;
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: The password equal to the user name
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
Error 1396 Operation CREATE USER failed for 'foo1'@'%'
grant select on *.* to foo1 identified by 'pwd'; grant select on *.* to foo1 identified by 'pwd';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Too short password (< 8)
Warning 1819 simple_password_check: Not enough upper case letters (< 1)
Warning 1819 simple_password_check: Not enough digits (< 1)
Warning 1819 simple_password_check: Not enough special characters (< 1)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
grant select on *.* to `FooBar1!` identified by 'FooBar1!'; grant select on *.* to `FooBar1!` identified by 'FooBar1!';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: The password equal to the user name
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
grant select on *.* to `BarFoo1!` identified by 'FooBar1!'; grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
drop user `BarFoo1!`; drop user `BarFoo1!`;
create user foo1 identified by 'aA.12345'; create user foo1 identified by 'aA.12345';
@ -100,27 +124,63 @@ create user foo1 identified by '123:qwe:ASD!';
drop user foo1; drop user foo1;
create user foo1 identified by '-23:qwe:ASD!'; create user foo1 identified by '-23:qwe:ASD!';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Not enough digits (< 3)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
Error 1396 Operation CREATE USER failed for 'foo1'@'%'
create user foo1 identified by '123:4we:ASD!'; create user foo1 identified by '123:4we:ASD!';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Not enough lower case letters (< 3)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
Error 1396 Operation CREATE USER failed for 'foo1'@'%'
create user foo1 identified by '123:qwe:4SD!'; create user foo1 identified by '123:qwe:4SD!';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Not enough upper case letters (< 3)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
Error 1396 Operation CREATE USER failed for 'foo1'@'%'
create user foo1 identified by '123:qwe:ASD4'; create user foo1 identified by '123:qwe:ASD4';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Not enough special characters (< 3)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
Error 1396 Operation CREATE USER failed for 'foo1'@'%'
create user foo1 identified by '123:qwe:ASD!'; create user foo1 identified by '123:qwe:ASD!';
set password for foo1 = password('qwe:-23:ASD!'); set password for foo1 = password('qwe:-23:ASD!');
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Not enough digits (< 3)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
set password for foo1 = old_password('4we:123:ASD!'); set password for foo1 = old_password('4we:123:ASD!');
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
set password for foo1 = password('qwe:123:4SD!'); set password for foo1 = password('qwe:123:4SD!');
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Not enough upper case letters (< 3)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
set password for foo1 = old_password('qwe:123:ASD4'); set password for foo1 = old_password('qwe:123:ASD4');
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: Not enough special characters (< 3)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
set password for foo1 = password('qwe:123:ASD!'); set password for foo1 = password('qwe:123:ASD!');
select @@strict_password_validation; select @@strict_password_validation;
@@strict_password_validation @@strict_password_validation
1 1
set password for foo1 = ''; set password for foo1 = '';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: The password equal to the user name
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
set password for foo1 = '2222222222222222'; set password for foo1 = '2222222222222222';
ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
set password for foo1 = '11111111111111111111111111111111111111111'; set password for foo1 = '11111111111111111111111111111111111111111';
@ -135,12 +195,21 @@ grant select on *.* to foo2 identified with mysql_old_password using '2222222222
ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
create user foo2 identified with mysql_native_password using ''; create user foo2 identified with mysql_native_password using '';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: The password equal to the user name
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
Error 1396 Operation CREATE USER failed for 'foo2'@'%'
grant select on *.* to foo2 identified with mysql_old_password; grant select on *.* to foo2 identified with mysql_old_password;
ERROR 28000: Can't find any matching row in the user table ERROR 28000: Can't find any matching row in the user table
update mysql.user set password='xxx' where user='foo1'; update mysql.user set password='xxx' where user='foo1';
set global strict_password_validation=0; set global strict_password_validation=0;
set password for foo1 = ''; set password for foo1 = '';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings;
Level Code Message
Warning 1819 simple_password_check: The password equal to the user name
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
set password for foo1 = '2222222222222222'; set password for foo1 = '2222222222222222';
set password for foo1 = '11111111111111111111111111111111111111111'; set password for foo1 = '11111111111111111111111111111111111111111';
create user foo2 identified by password '11111111111111111111111111111111111111111'; create user foo2 identified by password '11111111111111111111111111111111111111111';


@ -14,6 +14,8 @@ grant select on *.* to foobar identified by 'q-%^&*rty';
ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check) ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
show warnings; show warnings;
Level Code Message Level Code Message
Warning 1819 simple_password_check: Not enough upper case letters (< 1)
Warning 1819 simple_password_check: Not enough digits (< 1)
Error 1819 Your password does not satisfy the current policy requirements (simple_password_check) Error 1819 Your password does not satisfy the current policy requirements (simple_password_check)
uninstall plugin simple_password_check; uninstall plugin simple_password_check;
grant select on *.* to foobar identified by 'q-%^&*rty'; grant select on *.* to foobar identified by 'q-%^&*rty';


@ -15,16 +15,20 @@ select * from information_schema.system_variables where variable_name like 'simp
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
create user foo1 identified by 'pwd'; create user foo1 identified by 'pwd';
show warnings;
# Create user with no password. # Create user with no password.
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
create user foo1; create user foo1;
show warnings;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
grant select on *.* to foo1 identified by 'pwd'; grant select on *.* to foo1 identified by 'pwd';
show warnings;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
grant select on *.* to `FooBar1!` identified by 'FooBar1!'; grant select on *.* to `FooBar1!` identified by 'FooBar1!';
show warnings;
grant select on *.* to `BarFoo1!` identified by 'FooBar1!'; grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
drop user `BarFoo1!`; drop user `BarFoo1!`;
@ -43,25 +47,32 @@ drop user foo1;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
create user foo1 identified by '-23:qwe:ASD!'; create user foo1 identified by '-23:qwe:ASD!';
show warnings;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
create user foo1 identified by '123:4we:ASD!'; create user foo1 identified by '123:4we:ASD!';
show warnings;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
create user foo1 identified by '123:qwe:4SD!'; create user foo1 identified by '123:qwe:4SD!';
show warnings;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
create user foo1 identified by '123:qwe:ASD4'; create user foo1 identified by '123:qwe:ASD4';
show warnings;
create user foo1 identified by '123:qwe:ASD!'; create user foo1 identified by '123:qwe:ASD!';
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
set password for foo1 = password('qwe:-23:ASD!'); set password for foo1 = password('qwe:-23:ASD!');
show warnings;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
set password for foo1 = old_password('4we:123:ASD!'); set password for foo1 = old_password('4we:123:ASD!');
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
set password for foo1 = password('qwe:123:4SD!'); set password for foo1 = password('qwe:123:4SD!');
show warnings;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
set password for foo1 = old_password('qwe:123:ASD4'); set password for foo1 = old_password('qwe:123:ASD4');
show warnings;
set password for foo1 = password('qwe:123:ASD!'); set password for foo1 = password('qwe:123:ASD!');
# now, strict_password_validation # now, strict_password_validation
@ -69,6 +80,7 @@ select @@strict_password_validation;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
set password for foo1 = ''; set password for foo1 = '';
show warnings;
--error ER_OPTION_PREVENTS_STATEMENT --error ER_OPTION_PREVENTS_STATEMENT
set password for foo1 = '2222222222222222'; set password for foo1 = '2222222222222222';
--error ER_OPTION_PREVENTS_STATEMENT --error ER_OPTION_PREVENTS_STATEMENT
@ -83,6 +95,7 @@ create user foo2 identified with mysql_native_password using '111111111111111111
grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222'; grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
create user foo2 identified with mysql_native_password using ''; create user foo2 identified with mysql_native_password using '';
show warnings;
--error ER_PASSWORD_NO_MATCH --error ER_PASSWORD_NO_MATCH
grant select on *.* to foo2 identified with mysql_old_password; grant select on *.* to foo2 identified with mysql_old_password;
@ -93,6 +106,7 @@ set global strict_password_validation=0;
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
set password for foo1 = ''; set password for foo1 = '';
show warnings;
set password for foo1 = '2222222222222222'; set password for foo1 = '2222222222222222';
set password for foo1 = '11111111111111111111111111111111111111111'; set password for foo1 = '11111111111111111111111111111111111111111';
create user foo2 identified by password '11111111111111111111111111111111111111111'; create user foo2 identified by password '11111111111111111111111111111111111111111';
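Review bot: The `set password for foo1 = old_password('4we:123:ASD!');` statement is the only rejected statement in this block that did not get a `show warnings;` after it, so the "Not enough lower case letters" warning is never recorded for the SET PASSWORD path. Its three neighbours each have one; adding `show warnings;` on the line after that statement (and re-recording the result file) would make the coverage uniform. If the omission is deliberate, a `#` comment saying why would help.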


@ -29,7 +29,13 @@ static int validate(MYSQL_CONST_LEX_STRING *username,
const char *ptr= password->str, *end= ptr + length; const char *ptr= password->str, *end= ptr + length;
if (strncmp(password->str, username->str, length) == 0) if (strncmp(password->str, username->str, length) == 0)
{
// warning used to do not change error code
my_printf_error(ER_NOT_VALID_PASSWORD,
"simple_password_check: The password equal to the user name",
ME_WARNING);
return 1; return 1;
}
/* everything non-ascii is the "other" character and is good for the password */ /* everything non-ascii is the "other" character and is good for the password */
for(; ptr < end; ptr++) for(; ptr < end; ptr++)
@ -43,6 +49,28 @@ static int validate(MYSQL_CONST_LEX_STRING *username,
else else
others++; others++;
} }
// warnings used to do not change error code
if (length < min_length)
my_printf_error(ER_NOT_VALID_PASSWORD,
"simple_password_check: Too short password (< %u)",
ME_WARNING, min_length);
if (uppers < min_letters)
my_printf_error(ER_NOT_VALID_PASSWORD,
"simple_password_check: Not enough upper case "
"letters (< %u)",ME_WARNING, min_letters);
if (lowers < min_letters)
my_printf_error(ER_NOT_VALID_PASSWORD,
"simple_password_check: Not enough lower case "
"letters (< %u)",ME_WARNING, min_letters);
if (digits < min_digits)
my_printf_error(ER_NOT_VALID_PASSWORD,
"simple_password_check: Not enough digits (< %u)",
ME_WARNING, min_digits);
if (others < min_others)
my_printf_error(ER_NOT_VALID_PASSWORD,
"simple_password_check: Not enough special "
"characters (< %u)",ME_WARNING, min_others);
/* remember TRUE means the password failed the validation */ /* remember TRUE means the password failed the validation */
return length < min_length || return length < min_length ||
uppers < min_letters || uppers < min_letters ||
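Review bot: The warning added inside the `strncmp(password->str, username->str, length) == 0` branch says the password is equal to the user name, but the comparison is bounded by `length`, which appears to be the password length (its declaration is outside the hunk), so an empty password or one that is only a prefix of the user name gets the same text. The updated result file shows this: `set password for foo1 = ''` and `create user foo1;` both report "The password equal to the user name". Keep the rejection as it is and make the message describe the check, for example `"simple_password_check: The password is empty or matches the beginning of the user name"`, or emit a separate warning when `length == 0`. The two new `//` comments would also read better in the file's `/* */` style, e.g. `/* reported as warnings so the statement's error code stays ER_NOT_VALID_PASSWORD */`. validate() starts before and continues after the hunks shown.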