feat: support authentication plugin selection in user manager

ansgarbecker · ansgarbecker · commit 07112a01d76b · 2026-05-28T20:40:33.000+02:00
Refs #1728
diff --git a/extra/locale/heidisql.po b/extra/locale/heidisql.po
@@ -6834,6 +6834,9 @@ msgstr "No password hash column available"
 msgid "Default role:"
 msgstr "Default role:"
 
+msgid "Plugin:"
+msgstr "Plugin:"
+
 msgid "Foreign key table not found"
 msgstr "Foreign key table not found"
 
diff --git a/source/dbstructures.mysql.pas b/source/dbstructures.mysql.pas
@@ -3244,7 +3244,10 @@ procedure TMySQLLib.AssignProcedures;
 { TMySqlProvider }
 
 function TMySqlProvider.GetSql(AId: TQueryId): string;
+var
+  IsMariaDB: Boolean;
 begin
+  IsMariaDB := ServerVersion >= 100000;
   case AId of
     qDatabaseDrop: Result := 'DROP DATABASE %s';
     qEmptyTable: Result := 'TRUNCATE %s';
@@ -3420,6 +3423,11 @@ function TMySqlProvider.GetSql(AId: TQueryId): string;
         ''
         )
       );
+    qGetAuthPlugins: Result := IfThen(
+      (FServerVersion >= 50100) or IsMariaDB, // mysql 5.1+ and all mariadb versions
+      'SELECT PLUGIN_NAME FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_TYPE=''AUTHENTICATION'' AND PLUGIN_STATUS=''ACTIVE''',
+      ''
+      );
     else Result := inherited;
   end;
 end;
diff --git a/source/dbstructures.pas b/source/dbstructures.pas
@@ -50,7 +50,7 @@ interface
     qShowFunctionStatus, qShowProcedureStatus, qShowTriggers, qShowEvents, qShowCreateTrigger,
     qHelpKeyword, qShowWarnings, qGetEnumTypes,
     qDropUser, qCreateRole, qDropRole, qReloadPrivileges, qGrantRole, qRevokeRole, qSetDefaultRole,
-    qAutoInc, qIndexVisible, qIndexInvisible);
+    qAutoInc, qIndexVisible, qIndexInvisible, qGetAuthPlugins);
   TSqlProvider = class
     strict protected
       FNetType: TNetType;
diff --git a/source/usermanager.lfm b/source/usermanager.lfm
@@ -173,7 +173,7 @@ object UserManagerForm: TUserManagerForm
     TabOrder = 1
     object PageControlSettings: TPageControl
       Left = 0
-      Height = 173
+      Height = 201
       Top = 0
       Width = 385
       ActivePage = tabCredentials
@@ -184,7 +184,7 @@ object UserManagerForm: TUserManagerForm
       object tabCredentials: TTabSheet
         AutoSize = True
         Caption = 'Credentials'
-        ClientHeight = 145
+        ClientHeight = 173
         ClientWidth = 377
         object lblUsername: TLabel
           AnchorSideLeft.Control = tabCredentials
@@ -306,13 +306,13 @@ object UserManagerForm: TUserManagerForm
           OnChange = Modification
         end
         object comboDefaultRole: TComboBox
-          AnchorSideTop.Control = editRepeatPassword
+          AnchorSideTop.Control = comboPlugins
           AnchorSideTop.Side = asrBottom
           AnchorSideRight.Control = tabCredentials
           AnchorSideRight.Side = asrBottom
           Left = 150
           Height = 23
-          Top = 117
+          Top = 145
           Width = 222
           Anchors = [akTop, akLeft, akRight]
           BorderSpacing.Around = 5
@@ -327,16 +327,43 @@ object UserManagerForm: TUserManagerForm
           AnchorSideTop.Side = asrCenter
           Left = 5
           Height = 15
-          Top = 121
+          Top = 149
           Width = 64
           BorderSpacing.Around = 5
           Caption = 'Default role:'
         end
+        object lblPlugin: TLabel
+          AnchorSideLeft.Control = tabCredentials
+          AnchorSideTop.Control = comboPlugins
+          AnchorSideTop.Side = asrCenter
+          Left = 5
+          Height = 15
+          Top = 121
+          Width = 37
+          BorderSpacing.Around = 5
+          Caption = 'Plugin:'
+        end
+        object comboPlugins: TComboBox
+          AnchorSideTop.Control = editRepeatPassword
+          AnchorSideTop.Side = asrBottom
+          AnchorSideRight.Control = tabCredentials
+          AnchorSideRight.Side = asrBottom
+          Left = 150
+          Height = 23
+          Top = 117
+          Width = 222
+          Anchors = [akTop, akLeft, akRight]
+          BorderSpacing.Around = 5
+          ItemHeight = 15
+          Style = csDropDownList
+          TabOrder = 5
+          OnChange = Modification
+        end
       end
       object tabLimitations: TTabSheet
         AutoSize = True
         Caption = 'Limitations'
-        ClientHeight = 145
+        ClientHeight = 173
         ClientWidth = 377
         ImageIndex = 1
         object lblMaxQueries: TLabel
@@ -450,7 +477,7 @@ object UserManagerForm: TUserManagerForm
       object tabSSL: TTabSheet
         AutoSize = True
         Caption = 'SSL options'
-        ClientHeight = 145
+        ClientHeight = 173
         ClientWidth = 377
         ImageIndex = 2
         object lblCipher: TLabel
@@ -562,20 +589,20 @@ object UserManagerForm: TUserManagerForm
     end
     object PageControlAccess: TPageControl
       Left = 0
-      Height = 150
-      Top = 173
+      Height = 122
+      Top = 201
       Width = 385
       ActivePage = tabPrivileges
       Align = alClient
       TabIndex = 0
       TabOrder = 1
       object tabPrivileges: TTabSheet
         Caption = 'Privileges'
-        ClientHeight = 122
+        ClientHeight = 94
         ClientWidth = 377
         object treePrivs: TLazVirtualStringTree
           Left = 0
-          Height = 94
+          Height = 66
           Top = 28
           Width = 377
           Align = alClient
@@ -626,11 +653,11 @@ object UserManagerForm: TUserManagerForm
       end
       object tabRoles: TTabSheet
         Caption = 'Roles'
-        ClientHeight = 122
+        ClientHeight = 94
         ClientWidth = 377
         object ValueListEditorRoles: TValueListEditor
           Left = 0
-          Height = 122
+          Height = 94
           Top = 0
           Width = 377
           Align = alClient
@@ -645,7 +672,7 @@ object UserManagerForm: TUserManagerForm
           OnGetPickList = ValueListEditorRolesGetPickList
           ColWidths = (
             64
-            292
+            309
           )
         end
       end
diff --git a/source/usermanager.pas b/source/usermanager.pas
@@ -32,7 +32,7 @@   TPrivComparer = class(TComparer<TPrivObj>)
   TUserProblem = (upNone, upEmptyPassword, upInvalidPasswordLen, upSkipNameResolve, upUnknown);
 
   TUser = class(TObject)
-    Username, Host, Password, Cipher, Issuer, Subject, DefaultRole: String;
+    Username, Host, Password, Cipher, Issuer, Subject, DefaultRole, Plugin: String;
     MaxQueries, MaxUpdates, MaxConnections, MaxUserConnections, SSL: Integer;
     Problem: TUserProblem;
     IsRole: Boolean;
@@ -63,6 +63,8 @@   EInputError = class(Exception);
   TUserManagerForm = class(TExtForm)
     btnCancel: TSpeedButton;
     btnSave: TSpeedButton;
+    comboPlugins: TComboBox;
+    lblPlugin: TLabel;
     pnlBottom: TPanel;
     pnlLeft: TPanel;
     listUsers: TLazVirtualStringTree;
@@ -197,11 +199,14 @@   TUserManagerForm = class(TExtForm)
     FUsers: TUserList;
     FModified, FAdded: Boolean;
     FHasIsRole, FHasDefaultRole: Boolean;
+    FHasPlugin: Boolean;
+    FPlugins: TStringList;
     FCloneGrants: TStringList;
     FPrivObjects: TPrivObjList;
     FPrivsGlobal, FPrivsDb, FPrivsTable, FPrivsRoutine, FPrivsColumn: TStringList;
     FConnection: TDBConnection;
     FColorReadPriv, FColorWritePriv, FColorAdminPriv: TColor;
+    FSQLPluginPrefix, FSQLPluginPassPrefix: String;
     procedure SetModified(Value: Boolean);
     property Modified: Boolean read FModified write SetModified;
     function GetPrivByNode(Node: PVirtualNode): TPrivObj;
@@ -296,7 +301,7 @@ procedure TUserManagerForm.FormShow(Sender: TObject);
   Version, i: Integer;
   Users: TDBQuery;
   U: TUser;
-  tmp, PasswordExpr, IsRoleExpr, DefaultRoleExpr: String;
+  tmp, PasswordExpr, IsRoleExpr, DefaultRoleExpr, PluginExpr: String;
   SkipNameResolve,
   HasPassword, HasAuthString: Boolean;
   PasswordLengthMatters: Boolean;
@@ -328,6 +333,8 @@ procedure TUserManagerForm.FormShow(Sender: TObject);
   FPrivsRoutine := InitPrivList('GRANT');
   FPrivsColumn := InitPrivList('INSERT,SELECT,UPDATE,REFERENCES');
   PasswordLengthMatters := True;
+  FSQLPluginPrefix := IfThen(FConnection.Parameters.IsMariaDB, 'VIA', 'WITH');
+  FSQLPluginPassPrefix := IfThen(FConnection.Parameters.IsMariaDB, 'USING', 'BY');
 
   if Version >= 40002 then begin
     FPrivsGlobal.Add('REPLICATION CLIENT');
@@ -419,6 +426,7 @@ procedure TUserManagerForm.FormShow(Sender: TObject);
     HasAuthString := UserTableColumns.IndexOf('authentication_string') > -1;
     FHasIsRole := UserTableColumns.IndexOf('is_role') > -1;
     FHasDefaultRole := UserTableColumns.IndexOf('default_role') > -1;
+    FHasPlugin := UserTableColumns.IndexOf('plugin') > -1;
     if HasPassword and (not HasAuthString) then
       PasswordExpr := 'password'
     else if (not HasPassword) and HasAuthString then
@@ -430,14 +438,21 @@ procedure TUserManagerForm.FormShow(Sender: TObject);
     PasswordExpr := PasswordExpr + ' AS ' + FConnection.QuoteIdent('password');
     IsRoleExpr := IfThen(FHasIsRole, 'is_role', FConnection.EscapeString('N')+' AS is_role');
     DefaultRoleExpr := IfThen(FHasDefaultRole, 'default_role', FConnection.EscapeString('')+' AS default_role');
+    PluginExpr := IfThen(FHasPlugin, 'plugin', FConnection.EscapeString('')+' AS plugin');
+    if FConnection.SqlProvider.Has(qGetAuthPlugins) then
+      FPlugins := FConnection.GetCol(FConnection.SqlProvider.GetSql(qGetAuthPlugins))
+    else
+      FPlugins := TStringList.Create;
+    comboPlugins.Enabled := FHasPlugin;
 
     Users := FConnection.GetResults(
       'SELECT '+
       FConnection.QuoteIdent('user') + ', ' +
       FConnection.QuoteIdent('host') + ', ' +
       PasswordExpr + ', ' +
       IsRoleExpr + ', ' +
-      DefaultRoleExpr + ' ' +
+      DefaultRoleExpr + ', ' +
+      PluginExpr + ' ' +
       'FROM '+FConnection.QuoteIdent('mysql')+'.'+FConnection.QuoteIdent('user')
       );
     FUsers := TUserList.Create(True);
@@ -449,6 +464,7 @@ procedure TUserManagerForm.FormShow(Sender: TObject);
       U.Password := Users.Col('password');
       U.IsRole := UpperCase(Users.Col('is_role')) = 'Y';
       U.DefaultRole := Users.Col('default_role');
+      U.Plugin := Users.Col('plugin');
       U.Problem := upNone;
       if U.IsUser then begin
         if Length(U.Password) = 0 then
@@ -630,26 +646,35 @@ procedure TUserManagerForm.listUsersFocusChanged(Sender: TBaseVirtualTree; Node:
   User := nil;
   FPrivObjects.Clear;
   Caption := MainForm.actUserManager.Caption;
+  // Credentials tab
   editUsername.Clear;
   editFromHost.Clear;
   editPassword.Clear;
   editPassword.TextHint := '';
   editRepeatPassword.Clear;
+  comboPlugins.Items.Clear;
+  comboPlugins.Items.Add(_('None'));
+  comboPlugins.Items.AddStrings(FPlugins);
+  comboPlugins.ItemIndex := 0;
   comboDefaultRole.Items.Clear;
   comboDefaultRole.Items.Add(_('None'));
   FUsers.GetRoleNames(comboDefaultRole.Items);
   comboDefaultRole.ItemIndex := 0;
+  // Limitations tab
   spinMaxQueries.Value := 0;
   spinMaxUpdates.Value := 0;
   spinMaxConnections.Value := 0;
   spinMaxUserConnections.Value := 0;
+  // SSL tab
   comboSSL.ItemIndex := 0;
   comboSSL.OnChange(Sender);
   editCipher.Clear;
   editIssuer.Clear;
   editSubject.Clear;
+  // Page control
   tabPrivileges.Caption := _('Privileges');
   tabRoles.Caption := _('Roles');
+
   // All possible quote chars, escaped for RegExpr. Todo: use in all relevant expressions.
   RxQuotes := '['+QuoteRegExprMetaChars(FConnection.QuoteChars + FConnection.StringQuoteChar)+']';
 
@@ -663,6 +688,9 @@ procedure TUserManagerForm.listUsersFocusChanged(Sender: TBaseVirtualTree; Node:
     end;
     editUsername.Text := User.Username;
     editFromHost.Text := User.Host;
+    i := comboPlugins.Items.IndexOf(User.Plugin);
+    if i > -1 then
+      comboPlugins.ItemIndex := i;
     i := comboDefaultRole.Items.IndexOf(User.DefaultRole);
     if i > -1 then
       comboDefaultRole.ItemIndex := i;
@@ -1403,13 +1431,18 @@ procedure TUserManagerForm.btnSaveClick(Sender: TObject);
     // Create added user
     PasswordSet := False;
     if FAdded and (FConnection.ServerVersionInt >= 50002) then begin
-      Create := 'CREATE USER '+UserHost;
+      Create := 'CREATE USER '+UserHost+' ';
       if editPassword.Modified then begin
+        // Insert authentication plugin with minor MariaDB/MySQL difference
+        if comboPlugins.ItemIndex > 0 then
+          Create := Create + 'IDENTIFIED ' + FSQLPluginPrefix + ' ' + comboPlugins.Text+' ' + FSQLPluginPassPrefix + ' '
+        else
+          Create := Create + 'IDENTIFIED BY ';
         // Add "PASSWORD" clause when it's a hash already
         if (Copy(editPassword.Text, 1, 1) = '*') and (Length(editPassword.Text) = 41) then
-          Create := Create + ' IDENTIFIED BY PASSWORD '+FConnection.EscapeString(editPassword.Text)
+          Create := Create + 'PASSWORD '+FConnection.EscapeString(editPassword.Text)
         else
-          Create := Create + ' IDENTIFIED BY '+FConnection.EscapeString(editPassword.Text);
+          Create := Create + FConnection.EscapeString(editPassword.Text);
       end;
       FConnection.Query(Create);
       FConnection.ShowWarnings;
@@ -1477,6 +1510,12 @@ procedure TUserManagerForm.btnSaveClick(Sender: TObject);
 
       // General user options
       if (P.DBObj.NodeType = lntNone) and FocusedUser.IsUser then begin
+        // Plugin
+        if comboPlugins.ItemIndex > 0 then begin
+          FConnection.Query('ALTER USER ' + UserHost + ' IDENTIFIED ' + FSQLPluginPrefix + ' ' + comboPlugins.Text);
+          FConnection.ShowWarnings;
+        end;
+
         // SSL
         case comboSSL.ItemIndex of
           1: RequireClause := 'SSL';
@@ -1574,6 +1613,7 @@ procedure TUserManagerForm.btnSaveClick(Sender: TObject);
     FocusedUser.Host := editFromHost.Text;
     if editPassword.Modified then
       FocusedUser.Password := editPassword.Text;
+    FocusedUser.Plugin := IfThen(comboPlugins.ItemIndex=0, '', comboPlugins.Text);
     FocusedUser.DefaultRole := IfThen(comboDefaultRole.ItemIndex=0, '', comboDefaultRole.Text);
     FocusedUser.SSL := comboSSL.ItemIndex;
     FocusedUser.Cipher := editCipher.Text;
@@ -1814,7 +1854,9 @@ procedure TUser.ParseSettings(GrantOrCreate: String; Priv: TPrivObj);
   rx: TRegExpr;
   RequireClause, WithClause: String;
 begin
-  // REQUIRE SSL X509 ISSUER '456' SUBJECT '789' CIPHER '123' NONE
+  // CREATE USER ...
+  // mysql: IDENTIFIED WITH 'mysql_native_password' AS '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' REQUIRE SSL X509 ISSUER '456' SUBJECT '789' CIPHER '123' NONE
+  // mariadb: IDENTIFIED BY PASSWORD '23AE809DDACAF96A';
   rx := TRegExpr.Create;
   rx.ModifierI := True;
   rx.Expression := '\sREQUIRE\s+(.+)';
