password validation function in sql_acl.cc

MariaDB · Dec 4, 2014 · 8934794 · 8934794
1 parent c98b2b3
commit 8934794
Show file tree

Hide file tree

Showing 3 changed files with 98 additions and 0 deletions.
diff --git a/mysql-test/suite/plugins/r/simple_password_check.result b/mysql-test/suite/plugins/r/simple_password_check.result
@@ -70,4 +70,35 @@ NUMERIC_BLOCK_SIZE	1
 ENUM_VALUE_LIST	NULL
 READ_ONLY	NO
 COMMAND_LINE_ARGUMENT	REQUIRED
+create user foo1 identified by 'pwd';
+ERROR HY000: Your password does not satisfy the current policy requirements
+grant select on *.* to foo1 identified by 'pwd';
+ERROR HY000: Your password does not satisfy the current policy requirements
+grant select on *.* to `FooBar1!` identified by 'FooBar1!';
+ERROR HY000: Your password does not satisfy the current policy requirements
+grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
+drop user `BarFoo1!`;
+create user foo1 identified by 'aA.12345';
+drop user foo1;
+set global simple_password_check_digits=3;
+set global simple_password_check_letters_same_case=3;
+set global simple_password_check_other_characters=3;
+show variables like 'simple_password_check_%';
+Variable_name	Value
+simple_password_check_digits	3
+simple_password_check_letters_same_case	3
+simple_password_check_minimal_length	12
+simple_password_check_other_characters	3
+create user foo1 identified by '123:qwe:ASD!';
+drop user foo1;
+create user foo1 identified by '-23:qwe:ASD!';
+ERROR HY000: Your password does not satisfy the current policy requirements
+create user foo1 identified by '123:4we:ASD!';
+ERROR HY000: Your password does not satisfy the current policy requirements
+create user foo1 identified by '123:qwe:4SD!';
+ERROR HY000: Your password does not satisfy the current policy requirements
+create user foo1 identified by '123:qwe:ASD4';
+ERROR HY000: Your password does not satisfy the current policy requirements
 uninstall plugin simple_password_check;
+create user foo1 identified by 'pwd';
+drop user foo1;
diff --git a/mysql-test/suite/plugins/t/simple_password_check.test b/mysql-test/suite/plugins/t/simple_password_check.test
@@ -13,4 +13,43 @@ select * from information_schema.plugins where plugin_name='simple_password_chec
 select * from information_schema.system_variables where variable_name like 'simple_password_check%' order by 1;
 --horizontal_results
 
+--error ER_NOT_VALID_PASSWORD
+create user foo1 identified by 'pwd';
+
+--error ER_NOT_VALID_PASSWORD
+grant select on *.* to foo1 identified by 'pwd';
+
+--error ER_NOT_VALID_PASSWORD
+grant select on *.* to `FooBar1!` identified by 'FooBar1!';
+
+grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
+drop user `BarFoo1!`;
+
+create user foo1 identified by 'aA.12345';
+drop user foo1;
+
+set global simple_password_check_digits=3;
+set global simple_password_check_letters_same_case=3;
+set global simple_password_check_other_characters=3;
+show variables like 'simple_password_check_%';
+
+create user foo1 identified by '123:qwe:ASD!';
+drop user foo1;
+
+--error ER_NOT_VALID_PASSWORD
+create user foo1 identified by '-23:qwe:ASD!';
+
+--error ER_NOT_VALID_PASSWORD
+create user foo1 identified by '123:4we:ASD!';
+
+--error ER_NOT_VALID_PASSWORD
+create user foo1 identified by '123:qwe:4SD!';
+
+--error ER_NOT_VALID_PASSWORD
+create user foo1 identified by '123:qwe:ASD4';
+
 uninstall plugin simple_password_check;
+
+create user foo1 identified by 'pwd';
+drop user foo1;
+
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
@@ -47,6 +47,7 @@
 #include "lock.h"                               // MYSQL_LOCK_IGNORE_TIMEOUT
 #include <sql_common.h>
 #include <mysql/plugin_auth.h>
+#include <mysql/plugin_password_validation.h>
 #include "sql_connect.h"
 #include "hostname.h"
 #include "sql_db.h"
@@ -872,6 +873,24 @@ static void free_acl_role(ACL_ROLE *role)
   delete_dynamic(&(role->parent_grantee));
 }
 
+struct validation_data { LEX_STRING *user, *password; };
+
+static my_bool do_validate(THD *, plugin_ref plugin, void *arg)
+{
+  struct validation_data *data= (struct validation_data *)arg;
+  struct st_mysql_password_validation *handler=
+    (st_mysql_password_validation *)plugin_decl(plugin)->info;
+  return handler->validate_password(data->user, data->password);
+}
+
+
+static bool validate_password(LEX_STRING *user, LEX_STRING *password)
+{
+  struct validation_data data= { user, password };
+  return plugin_foreach(NULL, do_validate,
+                        MariaDB_PASSWORD_VALIDATION_PLUGIN, &data);
+}
+
 /**
   Convert scrambled password to binary form, according to scramble type,
   Binary form is stored in user.salt.
@@ -977,6 +996,15 @@ static bool fix_lex_user(THD *thd, LEX_USER *user)
     return true;
   }
 
+  if (user->password.length || !user->auth.length)
+  {
+    if (validate_password(&user->user, &user->password))
+    {
+      my_error(ER_NOT_VALID_PASSWORD, MYF(0));
+      return true;
+    }
+  }
+
   if (user->password.length)
   {
     size_t scramble_length;