feat: support authentication plugin selection in user manager, and fix complaint about invalid password length on user plugins which have no fixed password length

Refs #1728, #1671

Author: ansgarbecker

source/dbstructures.mysql.pas

@@ -3238,7 +3238,10 @@ procedure TMySQLLib.AssignProcedures;
 { TMySqlProvider }
 
 function TMySqlProvider.GetSql(AId: TQueryId): string;
+var
+  IsMariaDB: Boolean;
 begin
+  IsMariaDB := ServerVersion >= 100000;
   case AId of
     qDatabaseDrop: Result := 'DROP DATABASE %s';
     qEmptyTable: Result := 'TRUNCATE %s';
@@ -3414,6 +3417,11 @@ function TMySqlProvider.GetSql(AId: TQueryId): string;
         ''
         )
       );
+    qGetAuthPlugins: Result := IfThen(
+      (FServerVersion >= 50100) or IsMariaDB, // mysql 5.1+ and all mariadb versions
+      'SELECT PLUGIN_NAME FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_TYPE=''AUTHENTICATION'' AND PLUGIN_STATUS=''ACTIVE''',
+      ''
+      );
     else Result := inherited;
   end;
 end;

source/dbstructures.pas

@@ -52,7 +52,7 @@ interface
     qShowFunctionStatus, qShowProcedureStatus, qShowTriggers, qShowEvents, qShowCreateTrigger,
     qHelpKeyword, qShowWarnings, qGetEnumTypes,
     qDropUser, qCreateRole, qDropRole, qReloadPrivileges, qGrantRole, qRevokeRole, qSetDefaultRole,
-    qAutoInc, qIndexVisible, qIndexInvisible);
+    qAutoInc, qIndexVisible, qIndexInvisible, qGetAuthPlugins);
   TSqlProvider = class
     strict protected
       FNetType: TNetType;

source/usermanager.dfm

@@ -131,12 +131,16 @@ object UserManagerForm: TUserManagerForm
         item
           Position = 0
           Text = 'Username'
-          Width = 93
+          Width = 43
         end
         item
           Position = 1
           Text = 'Host'
           Width = 80
+        end
+        item
+          Position = 2
+          Text = 'Plugin'
         end>
     end
     object ToolBar1: TToolBar
@@ -212,15 +216,15 @@ object UserManagerForm: TUserManagerForm
       Left = 0
       Top = 0
       Width = 283
-      Height = 177
+      Height = 205
       ActivePage = tabCredentials
       Align = alTop
       TabOrder = 0
       object tabCredentials: TTabSheet
         Caption = 'Credentials'
         DesignSize = (
           275
-          148)
+          176)
         object lblUsername: TLabel
           Left = 3
           Top = 10
@@ -254,11 +258,18 @@ object UserManagerForm: TUserManagerForm
         end
         object lblDefaultRole: TLabel
           Left = 3
-          Top = 120
+          Top = 147
           Width = 67
           Height = 14
           Caption = 'Default role:'
         end
+        object lblPlugin: TLabel
+          Left = 3
+          Top = 120
+          Width = 36
+          Height = 14
+          Caption = 'Plugin:'
+        end
         object editRepeatPassword: TEdit
           Left = 176
           Top = 88
@@ -307,6 +318,16 @@ object UserManagerForm: TUserManagerForm
           OnChange = Modification
         end
         object comboDefaultRole: TComboBox
+          Left = 176
+          Top = 144
+          Width = 96
+          Height = 22
+          Style = csDropDownList
+          Anchors = [akLeft, akTop, akRight]
+          TabOrder = 5
+          OnChange = Modification
+        end
+        object comboPlugins: TComboBox
           Left = 176
           Top = 116
           Width = 96
@@ -322,7 +343,7 @@ object UserManagerForm: TUserManagerForm
         ImageIndex = 1
         DesignSize = (
           275
-          148)
+          176)
         object lblMaxQueries: TLabel
           Left = 3
           Top = 10
@@ -446,7 +467,7 @@ object UserManagerForm: TUserManagerForm
         ImageIndex = 2
         DesignSize = (
           275
-          148)
+          176)
         object lblCipher: TLabel
           Left = 3
           Top = 36
@@ -527,9 +548,9 @@ object UserManagerForm: TUserManagerForm
     end
     object PageControlAccess: TPageControl
       Left = 0
-      Top = 177
+      Top = 205
       Width = 283
-      Height = 139
+      Height = 111
       ActivePage = tabPrivileges
       Align = alClient
       TabOrder = 1
@@ -539,7 +560,7 @@ object UserManagerForm: TUserManagerForm
           Left = 0
           Top = 22
           Width = 275
-          Height = 88
+          Height = 60
           Align = alClient
           Header.AutoSizeIndex = 0
           Header.Height = 14
@@ -594,7 +615,7 @@ object UserManagerForm: TUserManagerForm
           Left = 0
           Top = 0
           Width = 275
-          Height = 110
+          Height = 82
           Align = alClient
           Strings.Strings = (
             'Roll=off')

source/usermanager.pas

@@ -32,7 +32,7 @@   TPrivComparer = class(TComparer<TPrivObj>)
   TUserProblem = (upNone, upEmptyPassword, upInvalidPasswordLen, upSkipNameResolve, upUnknown);
 
   TUser = class(TObject)
-    Username, Host, Password, Cipher, Issuer, Subject, DefaultRole: String;
+    Username, Host, Password, Cipher, Issuer, Subject, DefaultRole, Plugin: String;
     MaxQueries, MaxUpdates, MaxConnections, MaxUserConnections, SSL: Integer;
     Problem: TUserProblem;
     IsRole: Boolean;
@@ -61,6 +61,8 @@   EInputError = class(Exception);
   TUserManagerForm = class(TExtForm)
     btnCancel: TButton;
     btnSave: TButton;
+    comboPlugins: TComboBox;
+    lblPlugin: TLabel;
     pnlLeft: TPanel;
     listUsers: TVirtualStringTree;
     Splitter1: TSplitter;
@@ -192,11 +194,14 @@   TUserManagerForm = class(TExtForm)
     FUsers: TUserList;
     FModified, FAdded: Boolean;
     FHasIsRole, FHasDefaultRole: Boolean;
+    FHasPlugin: Boolean;
+    FPlugins: TStringList;
     FCloneGrants: TStringList;
     FPrivObjects: TPrivObjList;
     FPrivsGlobal, FPrivsDb, FPrivsTable, FPrivsRoutine, FPrivsColumn: TStringList;
     FConnection: TDBConnection;
     FColorReadPriv, FColorWritePriv, FColorAdminPriv: TColor;
+    FSQLPluginPrefix, FSQLPluginPassPrefix: String;
     procedure SetModified(Value: Boolean);
     property Modified: Boolean read FModified write SetModified;
     function GetPrivByNode(Node: PVirtualNode): TPrivObj;
@@ -265,10 +270,10 @@ procedure TUserManagerForm.FormShow(Sender: TObject);
   Version, i: Integer;
   Users: TDBQuery;
   U: TUser;
-  tmp, PasswordExpr, IsRoleExpr, DefaultRoleExpr: String;
+  tmp, PasswordExpr, IsRoleExpr, DefaultRoleExpr, PluginExpr: String;
   SkipNameResolve,
   HasPassword, HasAuthString: Boolean;
-  PasswordLengthMatters: Boolean;
+  PasswordLengthMatters, PasswordLengthValid: Boolean;
   UserTableColumns: TStringList;
 
   function InitPrivList(Values: String): TStringList;
@@ -299,7 +304,8 @@ procedure TUserManagerForm.FormShow(Sender: TObject);
   FPrivsTable := InitPrivList('ALTER,CREATE,DELETE,DROP,GRANT,INDEX');
   FPrivsRoutine := InitPrivList('GRANT');
   FPrivsColumn := InitPrivList('INSERT,SELECT,UPDATE,REFERENCES');
-  PasswordLengthMatters := True;
+  FSQLPluginPrefix := IfThen(FConnection.Parameters.IsMariaDB, 'VIA', 'WITH');
+  FSQLPluginPassPrefix := IfThen(FConnection.Parameters.IsMariaDB, 'USING', 'BY');
 
   if Version >= 40002 then begin
     FPrivsGlobal.Add('REPLICATION CLIENT');
@@ -332,11 +338,6 @@ procedure TUserManagerForm.FormShow(Sender: TObject);
     PrivsDb.Add('PROXY');
   end;
   }
-  if Version >= 80000 then begin
-    // MySQL 8 has predefined length of hashed passwords only with
-    // mysql_native_password plugin enabled users
-    PasswordLengthMatters := False;
-  end;
   // See https://mariadb.com/kb/en/changes-improvements-in-mariadb-105/#privileges-made-more-granular
   if FConnection.Parameters.IsMariaDB then begin
     if Version > 100502 then begin
@@ -391,6 +392,7 @@ procedure TUserManagerForm.FormShow(Sender: TObject);
     HasAuthString := UserTableColumns.IndexOf('authentication_string') > -1;
     FHasIsRole := UserTableColumns.IndexOf('is_role') > -1;
     FHasDefaultRole := UserTableColumns.IndexOf('default_role') > -1;
+    FHasPlugin := UserTableColumns.IndexOf('plugin') > -1;
     if HasPassword and (not HasAuthString) then
       PasswordExpr := 'password'
     else if (not HasPassword) and HasAuthString then
@@ -402,14 +404,20 @@ procedure TUserManagerForm.FormShow(Sender: TObject);
     PasswordExpr := PasswordExpr + ' AS ' + FConnection.QuoteIdent('password');
     IsRoleExpr := IfThen(FHasIsRole, 'is_role', FConnection.EscapeString('N')+' AS is_role');
     DefaultRoleExpr := IfThen(FHasDefaultRole, 'default_role', FConnection.EscapeString('')+' AS default_role');
+    PluginExpr := IfThen(FHasPlugin, 'plugin', FConnection.EscapeString('')+' AS plugin');
+    if FConnection.SqlProvider.Has(qGetAuthPlugins) then
+      FPlugins := FConnection.GetCol(FConnection.SqlProvider.GetSql(qGetAuthPlugins))
+    else
+      FPlugins := TStringList.Create;
 
     Users := FConnection.GetResults(
       'SELECT '+
       FConnection.QuoteIdent('user') + ', ' +
       FConnection.QuoteIdent('host') + ', ' +
       PasswordExpr + ', ' +
       IsRoleExpr + ', ' +
-      DefaultRoleExpr + ' ' +
+      DefaultRoleExpr + ', ' +
+      PluginExpr + ' ' +
       'FROM '+FConnection.QuoteIdent('mysql')+'.'+FConnection.QuoteIdent('user')
       );
     FUsers := TUserList.Create(True);
@@ -421,11 +429,14 @@ procedure TUserManagerForm.FormShow(Sender: TObject);
       U.Password := Users.Col('password');
       U.IsRole := UpperCase(Users.Col('is_role')) = 'Y';
       U.DefaultRole := Users.Col('default_role');
+      U.Plugin := Users.Col('plugin');
       U.Problem := upNone;
       if U.IsUser then begin
         if Length(U.Password) = 0 then
           U.Problem := upEmptyPassword;
-        if PasswordLengthMatters and (not (Length(U.Password) in [0, 16, 41])) then
+        PasswordLengthMatters := ExecRegExpr('(mysql_native_password|mysql_old_password)', U.Plugin) or (not FHasPlugin);
+        PasswordLengthValid := Byte(Length(U.Password)) in [0, 16, 41];
+        if PasswordLengthMatters and (not PasswordLengthValid) then
           U.Problem := upInvalidPasswordLen
         else if SkipNameResolve and U.HostRequiresNameResolve then
           U.Problem := upSkipNameResolve;
@@ -594,26 +605,35 @@ procedure TUserManagerForm.listUsersFocusChanged(Sender: TBaseVirtualTree; Node:
   User := nil;
   FPrivObjects.Clear;
   Caption := MainForm.actUserManager.Caption;
+  // Credentials tab
   editUsername.Clear;
   editFromHost.Clear;
   editPassword.Clear;
   editPassword.TextHint := '';
   editRepeatPassword.Clear;
+  comboPlugins.Items.Clear;
+  comboPlugins.Items.Add(_('None'));
+  comboPlugins.Items.AddStrings(FPlugins);
+  comboPlugins.ItemIndex := 0;
   comboDefaultRole.Items.Clear;
   comboDefaultRole.Items.Add(_('None'));
   FUsers.GetRoleNames(comboDefaultRole.Items);
   comboDefaultRole.ItemIndex := 0;
+  // Limitations tab
   udMaxQueries.Position := 0;
   udMaxUpdates.Position := 0;
   udMaxConnections.Position := 0;
   udMaxUserConnections.Position := 0;
+  // SSL tab
   comboSSL.ItemIndex := 0;
   comboSSL.OnChange(Sender);
   editCipher.Clear;
   editIssuer.Clear;
   editSubject.Clear;
+  // Page control
   tabPrivileges.Caption := _('Privileges');
   tabRoles.Caption := _('Roles');
+
   // All possible quote chars, escaped for RegExpr. Todo: use in all relevant expressions.
   RxQuotes := '['+QuoteRegExprMetaChars(FConnection.QuoteChars + FConnection.StringQuoteChar)+']';
 
@@ -627,6 +647,9 @@ procedure TUserManagerForm.listUsersFocusChanged(Sender: TBaseVirtualTree; Node:
     end;
     editUsername.Text := User.Username;
     editFromHost.Text := User.Host;
+    i := comboPlugins.Items.IndexOf(User.Plugin);
+    if i > -1 then
+      comboPlugins.ItemIndex := i;
     i := comboDefaultRole.Items.IndexOf(User.DefaultRole);
     if i > -1 then
       comboDefaultRole.ItemIndex := i;
@@ -872,6 +895,8 @@ procedure TUserManagerForm.listUsersFocusChanged(Sender: TBaseVirtualTree; Node:
   editPassword.Enabled := UserSelected and User.IsUser;
   lblRepeatPassword.Enabled := UserSelected and User.IsUser;
   editRepeatPassword.Enabled := UserSelected and User.IsUser;
+  comboPlugins.Enabled := UserSelected and User.IsUser and FHasPlugin;
+  lblPlugin.Enabled := comboPlugins.Enabled;
   comboDefaultRole.Enabled := UserSelected and User.IsUser and FHasDefaultRole;
   lblDefaultRole.Enabled := comboDefaultRole.Enabled;
   tabCredentials.Enabled := UserSelected;
@@ -945,6 +970,7 @@ procedure TUserManagerForm.listUsersGetText(Sender: TBaseVirtualTree; Node: PVir
   case Column of
     0: CellText := User.Username;
     1: CellText := User.Host;
+    2: CellText := User.Plugin;
   end;
 end;
 
@@ -1371,13 +1397,18 @@ procedure TUserManagerForm.btnSaveClick(Sender: TObject);
     // Create added user
     PasswordSet := False;
     if FAdded and (FConnection.ServerVersionInt >= 50002) then begin
-      Create := 'CREATE USER '+UserHost;
+      Create := 'CREATE USER '+UserHost+' ';
       if editPassword.Modified then begin
+        // Insert authentication plugin with minor MariaDB/MySQL difference
+        if comboPlugins.ItemIndex > 0 then
+          Create := Create + 'IDENTIFIED ' + FSQLPluginPrefix + ' ' + comboPlugins.Text+' ' + FSQLPluginPassPrefix + ' '
+        else
+          Create := Create + 'IDENTIFIED BY ';
         // Add "PASSWORD" clause when it's a hash already
         if (Copy(editPassword.Text, 1, 1) = '*') and (Length(editPassword.Text) = 41) then
-          Create := Create + ' IDENTIFIED BY PASSWORD '+FConnection.EscapeString(editPassword.Text)
+          Create := Create + 'PASSWORD '+FConnection.EscapeString(editPassword.Text)
         else
-          Create := Create + ' IDENTIFIED BY '+FConnection.EscapeString(editPassword.Text);
+          Create := Create + FConnection.EscapeString(editPassword.Text);
       end;
       FConnection.Query(Create);
       FConnection.ShowWarnings;
@@ -1445,6 +1476,12 @@ procedure TUserManagerForm.btnSaveClick(Sender: TObject);
 
       // General user options
       if (P.DBObj.NodeType = lntNone) and FocusedUser.IsUser then begin
+        // Plugin
+        if comboPlugins.ItemIndex > 0 then begin
+          FConnection.Query('ALTER USER ' + UserHost + ' IDENTIFIED ' + FSQLPluginPrefix + ' ' + comboPlugins.Text);
+          FConnection.ShowWarnings;
+        end;
+
         // SSL
         case comboSSL.ItemIndex of
           1: RequireClause := 'SSL';
@@ -1542,6 +1579,7 @@ procedure TUserManagerForm.btnSaveClick(Sender: TObject);
     FocusedUser.Host := editFromHost.Text;
     if editPassword.Modified then
       FocusedUser.Password := editPassword.Text;
+    FocusedUser.Plugin := IfThen(comboPlugins.ItemIndex=0, '', comboPlugins.Text);
     FocusedUser.DefaultRole := IfThen(comboDefaultRole.ItemIndex=0, '', comboDefaultRole.Text);
     FocusedUser.SSL := comboSSL.ItemIndex;
     FocusedUser.Cipher := editCipher.Text;
@@ -1782,7 +1820,9 @@ procedure TUser.ParseSettings(GrantOrCreate: String; Priv: TPrivObj);
   rx: TRegExpr;
   RequireClause, WithClause: String;
 begin
-  // REQUIRE SSL X509 ISSUER '456' SUBJECT '789' CIPHER '123' NONE
+  // CREATE USER ...
+  // mysql: IDENTIFIED WITH 'mysql_native_password' AS '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' REQUIRE SSL X509 ISSUER '456' SUBJECT '789' CIPHER '123' NONE
+  // mariadb: IDENTIFIED BY PASSWORD '23AE809DDACAF96A';
   rx := TRegExpr.Create;
   rx.ModifierI := True;
   rx.Expression := '\sREQUIRE\s+(.+)';