MDEV-26647 (simple_password_check) Include password validation plugin…

… information in the error message if the SQL statement is not satisfied password policy Make the plugin reporting cause of the error.
MariaDB · Jul 27, 2022 · 15a2ff1 · 15a2ff1
1 parent cc6bba0
commit 15a2ff1
Show file tree

Hide file tree

Showing 4 changed files with 113 additions and 0 deletions.
diff --git a/mysql-test/suite/plugins/r/simple_password_check.result b/mysql-test/suite/plugins/r/simple_password_check.result
@@ -72,12 +72,36 @@ READ_ONLY	NO
 COMMAND_LINE_ARGUMENT	REQUIRED
 create user foo1 identified by 'pwd';
 ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
+show warnings;
+Level	Code	Message
+Warning	1819	simple_password_check: Too short password (< 8)
+Warning	1819	simple_password_check: Not enough upper case letters (< 1)
+Warning	1819	simple_password_check: Not enough digits (< 1)
+Warning	1819	simple_password_check: Not enough special characters (< 1)
+Error	1819	Your password does not satisfy the current policy requirements (simple_password_check)
+Error	1396	Operation CREATE USER failed for 'foo1'@'%'
 create user foo1;
 ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
+show warnings;
+Level	Code	Message
+Warning	1819	simple_password_check: The password equal to the user name
+Error	1819	Your password does not satisfy the current policy requirements (simple_password_check)
+Error	1396	Operation CREATE USER failed for 'foo1'@'%'
 grant select on *.* to foo1 identified by 'pwd';
 ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
+show warnings;
+Level	Code	Message
+Warning	1819	simple_password_check: Too short password (< 8)
+Warning	1819	simple_password_check: Not enough upper case letters (< 1)
+Warning	1819	simple_password_check: Not enough digits (< 1)
+Warning	1819	simple_password_check: Not enough special characters (< 1)
+Error	1819	Your password does not satisfy the current policy requirements (simple_password_check)
 grant select on *.* to `FooBar1!` identified by 'FooBar1!';
 ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
+show warnings;
+Level	Code	Message
+Warning	1819	simple_password_check: The password equal to the user name
+Error	1819	Your password does not satisfy the current policy requirements (simple_password_check)
 grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
 drop user `BarFoo1!`;
 create user foo1 identified by 'aA.12345';
@@ -100,27 +124,63 @@ create user foo1 identified by '123:qwe:ASD!';
 drop user foo1;
 create user foo1 identified by '-23:qwe:ASD!';
 ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
+show warnings;
+Level	Code	Message
+Warning	1819	simple_password_check: Not enough digits (< 3)
+Error	1819	Your password does not satisfy the current policy requirements (simple_password_check)
+Error	1396	Operation CREATE USER failed for 'foo1'@'%'
 create user foo1 identified by '123:4we:ASD!';
 ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
+show warnings;
+Level	Code	Message
+Warning	1819	simple_password_check: Not enough lower case letters (< 3)
+Error	1819	Your password does not satisfy the current policy requirements (simple_password_check)
+Error	1396	Operation CREATE USER failed for 'foo1'@'%'
 create user foo1 identified by '123:qwe:4SD!';
 ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
+show warnings;
+Level	Code	Message
+Warning	1819	simple_password_check: Not enough upper case letters (< 3)
+Error	1819	Your password does not satisfy the current policy requirements (simple_password_check)
+Error	1396	Operation CREATE USER failed for 'foo1'@'%'
 create user foo1 identified by '123:qwe:ASD4';
 ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
+show warnings;
+Level	Code	Message
+Warning	1819	simple_password_check: Not enough special characters (< 3)
+Error	1819	Your password does not satisfy the current policy requirements (simple_password_check)
+Error	1396	Operation CREATE USER failed for 'foo1'@'%'
 create user foo1 identified by '123:qwe:ASD!';
 set password for foo1 = password('qwe:-23:ASD!');
 ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
+show warnings;
+Level	Code	Message
+Warning	1819	simple_password_check: Not enough digits (< 3)
+Error	1819	Your password does not satisfy the current policy requirements (simple_password_check)
 set password for foo1 = old_password('4we:123:ASD!');
 ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
 set password for foo1 = password('qwe:123:4SD!');
 ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
+show warnings;
+Level	Code	Message
+Warning	1819	simple_password_check: Not enough upper case letters (< 3)
+Error	1819	Your password does not satisfy the current policy requirements (simple_password_check)
 set password for foo1 = old_password('qwe:123:ASD4');
 ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
+show warnings;
+Level	Code	Message
+Warning	1819	simple_password_check: Not enough special characters (< 3)
+Error	1819	Your password does not satisfy the current policy requirements (simple_password_check)
 set password for foo1 = password('qwe:123:ASD!');
 select @@strict_password_validation;
 @@strict_password_validation
 1
 set password for foo1 = '';
 ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
+show warnings;
+Level	Code	Message
+Warning	1819	simple_password_check: The password equal to the user name
+Error	1819	Your password does not satisfy the current policy requirements (simple_password_check)
 set password for foo1 = '2222222222222222';
 ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
 set password for foo1 = '11111111111111111111111111111111111111111';
@@ -135,12 +195,21 @@ grant select on *.* to foo2 identified with mysql_old_password using '2222222222
 ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
 create user foo2 identified with mysql_native_password using '';
 ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
+show warnings;
+Level	Code	Message
+Warning	1819	simple_password_check: The password equal to the user name
+Error	1819	Your password does not satisfy the current policy requirements (simple_password_check)
+Error	1396	Operation CREATE USER failed for 'foo2'@'%'
 grant select on *.* to foo2 identified with mysql_old_password;
 ERROR 28000: Can't find any matching row in the user table
 update mysql.user set password='xxx' where user='foo1';
 set global strict_password_validation=0;
 set password for foo1 = '';
 ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
+show warnings;
+Level	Code	Message
+Warning	1819	simple_password_check: The password equal to the user name
+Error	1819	Your password does not satisfy the current policy requirements (simple_password_check)
 set password for foo1 = '2222222222222222';
 set password for foo1 = '11111111111111111111111111111111111111111';
 create user foo2 identified by password '11111111111111111111111111111111111111111';

diff --git a/mysql-test/suite/plugins/r/two_password_validations.result b/mysql-test/suite/plugins/r/two_password_validations.result
@@ -14,6 +14,8 @@ grant select on *.* to foobar identified by 'q-%^&*rty';
 ERROR HY000: Your password does not satisfy the current policy requirements (simple_password_check)
 show warnings;
 Level	Code	Message
+Warning	1819	simple_password_check: Not enough upper case letters (< 1)
+Warning	1819	simple_password_check: Not enough digits (< 1)
 Error	1819	Your password does not satisfy the current policy requirements (simple_password_check)
 uninstall plugin simple_password_check;
 grant select on *.* to foobar identified by 'q-%^&*rty';

diff --git a/mysql-test/suite/plugins/t/simple_password_check.test b/mysql-test/suite/plugins/t/simple_password_check.test
@@ -15,16 +15,20 @@ select * from information_schema.system_variables where variable_name like 'simp
 
 --error ER_NOT_VALID_PASSWORD
 create user foo1 identified by 'pwd';
+show warnings;
 
 # Create user with no password.
 --error ER_NOT_VALID_PASSWORD
 create user foo1;
+show warnings;
 
 --error ER_NOT_VALID_PASSWORD
 grant select on *.* to foo1 identified by 'pwd';
+show warnings;
 
 --error ER_NOT_VALID_PASSWORD
 grant select on *.* to `FooBar1!` identified by 'FooBar1!';
+show warnings;
 
 grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
 drop user `BarFoo1!`;
@@ -43,32 +47,40 @@ drop user foo1;
 
 --error ER_NOT_VALID_PASSWORD
 create user foo1 identified by '-23:qwe:ASD!';
+show warnings;
 
 --error ER_NOT_VALID_PASSWORD
 create user foo1 identified by '123:4we:ASD!';
+show warnings;
 
 --error ER_NOT_VALID_PASSWORD
 create user foo1 identified by '123:qwe:4SD!';
+show warnings;
 
 --error ER_NOT_VALID_PASSWORD
 create user foo1 identified by '123:qwe:ASD4';
+show warnings;
 
 create user foo1 identified by '123:qwe:ASD!';
 --error ER_NOT_VALID_PASSWORD
 set password for foo1 = password('qwe:-23:ASD!');
+show warnings;
 --error ER_NOT_VALID_PASSWORD
 set password for foo1 = old_password('4we:123:ASD!');
 --error ER_NOT_VALID_PASSWORD
 set password for foo1 = password('qwe:123:4SD!');
+show warnings;
 --error ER_NOT_VALID_PASSWORD
 set password for foo1 = old_password('qwe:123:ASD4');
+show warnings;
 set password for foo1 = password('qwe:123:ASD!');
 
 # now, strict_password_validation
 select @@strict_password_validation;
 
 --error ER_NOT_VALID_PASSWORD
 set password for foo1 = '';
+show warnings;
 --error ER_OPTION_PREVENTS_STATEMENT
 set password for foo1 = '2222222222222222';
 --error ER_OPTION_PREVENTS_STATEMENT
@@ -83,6 +95,7 @@ create user foo2 identified with mysql_native_password using '111111111111111111
 grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
 --error ER_NOT_VALID_PASSWORD
 create user foo2 identified with mysql_native_password using '';
+show warnings;
 --error ER_PASSWORD_NO_MATCH
 grant select on *.* to foo2 identified with mysql_old_password;
 
@@ -93,6 +106,7 @@ set global strict_password_validation=0;
 
 --error ER_NOT_VALID_PASSWORD
 set password for foo1 = '';
+show warnings;
 set password for foo1 = '2222222222222222';
 set password for foo1 = '11111111111111111111111111111111111111111';
 create user foo2 identified by password '11111111111111111111111111111111111111111';

diff --git a/plugin/simple_password_check/simple_password_check.c b/plugin/simple_password_check/simple_password_check.c
@@ -29,7 +29,13 @@ static int validate(MYSQL_CONST_LEX_STRING *username,
   const char *ptr= password->str, *end= ptr + length;
 
   if (strncmp(password->str, username->str, length) == 0)
+  {
+    // warning used to do not change error code
+    my_printf_error(ER_NOT_VALID_PASSWORD,
+                    "simple_password_check: The password equal to the user name",
+                    ME_WARNING);
     return 1;
+  }
 
   /* everything non-ascii is the "other" character and is good for the password */
   for(; ptr < end; ptr++)
@@ -43,6 +49,28 @@ static int validate(MYSQL_CONST_LEX_STRING *username,
     else
       others++;
   }
+
+  // warnings used to do not change error code
+  if (length < min_length)
+    my_printf_error(ER_NOT_VALID_PASSWORD,
+                    "simple_password_check: Too short password (< %u)",
+                    ME_WARNING, min_length);
+  if (uppers < min_letters)
+    my_printf_error(ER_NOT_VALID_PASSWORD,
+                    "simple_password_check: Not enough upper case "
+                    "letters (< %u)",ME_WARNING,  min_letters);
+  if (lowers < min_letters)
+    my_printf_error(ER_NOT_VALID_PASSWORD,
+                    "simple_password_check: Not enough lower case "
+                    "letters (< %u)",ME_WARNING,  min_letters);
+  if (digits < min_digits)
+    my_printf_error(ER_NOT_VALID_PASSWORD,
+                    "simple_password_check: Not enough digits (< %u)",
+                    ME_WARNING, min_digits);
+  if (others < min_others)
+    my_printf_error(ER_NOT_VALID_PASSWORD,
+                    "simple_password_check: Not enough special "
+                    "characters (< %u)",ME_WARNING,  min_others);
   /* remember TRUE means the password failed the validation */
   return length < min_length  ||
          uppers < min_letters ||