mariadb/mysql-test/main/failed_auth_3909.test

source include/not_embedded.inc;

#
# MDEV-3909 remote user enumeration
#
# verify that for some failed login attemps (with wrong user names)
# the server requests a plugin
#
create user foo identified via mysql_old_password;
create user bar identified via mysql_old_password;
create user baz identified via mysql_old_password;

--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect (fail,localhost,u1);

--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_SERVER_IS_IN_SECURE_AUTH_MODE
connect (fail,localhost,uu2);

--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_SERVER_IS_IN_SECURE_AUTH_MODE
connect (fail,localhost,uu2,password);

--error ER_ACCESS_DENIED_ERROR
change_user u1;

--error ER_SERVER_IS_IN_SECURE_AUTH_MODE
change_user uu2;

--error ER_SERVER_IS_IN_SECURE_AUTH_MODE
change_user uu2,password;

delete from mysql.user where plugin = 'mysql_old_password';
flush privileges;
MDEV-3909 remote user enumeration instead of returning Access denied on the incorrect user name, emulate the complete failed logic procedure, possibly with the change plugin packet. 2013-01-25 09:41:26 +01:00			`source include/not_embedded.inc;`

			`#`
			`# MDEV-3909 remote user enumeration`
			`#`
			`# verify that for some failed login attemps (with wrong user names)`
			`# the server requests a plugin`
			`#`
MDEV-17658 change the structure of mysql.user table Implement User_table_json. Fix scripts to use mysql.global_priv. Fix tests. 2018-11-24 14:13:41 +01:00			`create user foo identified via mysql_old_password;`
			`create user bar identified via mysql_old_password;`
			`create user baz identified via mysql_old_password;`
MDEV-3909 remote user enumeration instead of returning Access denied on the incorrect user name, emulate the complete failed logic procedure, possibly with the change plugin packet. 2013-01-25 09:41:26 +01:00
			`--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT`
MDEV-15649 Speedup search in acl_users and acl_dbs array, sorting them by usernames first, and then by get_sort() value. Search functions now use binary search to find the the first entry with given name. Then, linear search is done, until the first match. 2018-11-26 21:24:05 +01:00			`--error ER_ACCESS_DENIED_ERROR`
MDEV-3909 remote user enumeration instead of returning Access denied on the incorrect user name, emulate the complete failed logic procedure, possibly with the change plugin packet. 2013-01-25 09:41:26 +01:00			`connect (fail,localhost,u1);`

			`--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT`
MDEV-15649 Speedup search in acl_users and acl_dbs array, sorting them by usernames first, and then by get_sort() value. Search functions now use binary search to find the the first entry with given name. Then, linear search is done, until the first match. 2018-11-26 21:24:05 +01:00			`--error ER_SERVER_IS_IN_SECURE_AUTH_MODE`
MDEV-19650: Privilege bug on MariaDB 10.4 Also fixes: MDEV-21487: Implement option for mysql_upgrade that allows root@localhost to be replaced MDEV-21486: Implement option for mysql_install_db that allows root@localhost to be replaced Add user mariadb.sys to be definer of user view (and has right on underlying table global_priv for required operation over global_priv (SELECT,UPDATE,DELETE)) Also changed definer of gis functions in case of creation, but they work with any definer so upgrade script do not try to push this change. 2020-02-19 17:50:30 +01:00			`connect (fail,localhost,uu2);`
MDEV-3909 remote user enumeration instead of returning Access denied on the incorrect user name, emulate the complete failed logic procedure, possibly with the change plugin packet. 2013-01-25 09:41:26 +01:00
			`--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT`
MDEV-15649 Speedup search in acl_users and acl_dbs array, sorting them by usernames first, and then by get_sort() value. Search functions now use binary search to find the the first entry with given name. Then, linear search is done, until the first match. 2018-11-26 21:24:05 +01:00			`--error ER_SERVER_IS_IN_SECURE_AUTH_MODE`
MDEV-19650: Privilege bug on MariaDB 10.4 Also fixes: MDEV-21487: Implement option for mysql_upgrade that allows root@localhost to be replaced MDEV-21486: Implement option for mysql_install_db that allows root@localhost to be replaced Add user mariadb.sys to be definer of user view (and has right on underlying table global_priv for required operation over global_priv (SELECT,UPDATE,DELETE)) Also changed definer of gis functions in case of creation, but they work with any definer so upgrade script do not try to push this change. 2020-02-19 17:50:30 +01:00			`connect (fail,localhost,uu2,password);`
MDEV-3909 remote user enumeration instead of returning Access denied on the incorrect user name, emulate the complete failed logic procedure, possibly with the change plugin packet. 2013-01-25 09:41:26 +01:00
MDEV-15649 Speedup search in acl_users and acl_dbs array, sorting them by usernames first, and then by get_sort() value. Search functions now use binary search to find the the first entry with given name. Then, linear search is done, until the first match. 2018-11-26 21:24:05 +01:00			`--error ER_ACCESS_DENIED_ERROR`
MDEV-3909 remote user enumeration instead of returning Access denied on the incorrect user name, emulate the complete failed logic procedure, possibly with the change plugin packet. 2013-01-25 09:41:26 +01:00			`change_user u1;`

MDEV-15649 Speedup search in acl_users and acl_dbs array, sorting them by usernames first, and then by get_sort() value. Search functions now use binary search to find the the first entry with given name. Then, linear search is done, until the first match. 2018-11-26 21:24:05 +01:00			`--error ER_SERVER_IS_IN_SECURE_AUTH_MODE`
MDEV-19650: Privilege bug on MariaDB 10.4 Also fixes: MDEV-21487: Implement option for mysql_upgrade that allows root@localhost to be replaced MDEV-21486: Implement option for mysql_install_db that allows root@localhost to be replaced Add user mariadb.sys to be definer of user view (and has right on underlying table global_priv for required operation over global_priv (SELECT,UPDATE,DELETE)) Also changed definer of gis functions in case of creation, but they work with any definer so upgrade script do not try to push this change. 2020-02-19 17:50:30 +01:00			`change_user uu2;`
MDEV-3909 remote user enumeration instead of returning Access denied on the incorrect user name, emulate the complete failed logic procedure, possibly with the change plugin packet. 2013-01-25 09:41:26 +01:00
MDEV-15649 Speedup search in acl_users and acl_dbs array, sorting them by usernames first, and then by get_sort() value. Search functions now use binary search to find the the first entry with given name. Then, linear search is done, until the first match. 2018-11-26 21:24:05 +01:00			`--error ER_SERVER_IS_IN_SECURE_AUTH_MODE`
MDEV-19650: Privilege bug on MariaDB 10.4 Also fixes: MDEV-21487: Implement option for mysql_upgrade that allows root@localhost to be replaced MDEV-21486: Implement option for mysql_install_db that allows root@localhost to be replaced Add user mariadb.sys to be definer of user view (and has right on underlying table global_priv for required operation over global_priv (SELECT,UPDATE,DELETE)) Also changed definer of gis functions in case of creation, but they work with any definer so upgrade script do not try to push this change. 2020-02-19 17:50:30 +01:00			`change_user uu2,password;`
MDEV-3909 remote user enumeration instead of returning Access denied on the incorrect user name, emulate the complete failed logic procedure, possibly with the change plugin packet. 2013-01-25 09:41:26 +01:00
MDEV-12321 authentication plugin: SET PASSWORD support Support SET PASSWORD for authentication plugins. Authentication plugin API is extended with two optional methods: * hash_password() is used to compute a password hash (or digest) from the plain-text password. This digest will be stored in mysql.user table * preprocess_hash() is used to convert this digest into some memory representation that can be later used to authenticate a user. Build-in plugins convert the hash from hexadecimal or base64 to binary, to avoid doing it on every authentication attempt. Note a change in behavior: when loading privileges (on startup or on FLUSH PRIVILEGES) an account with an unknown plugin was loaded with a warning (e.g. "Plugin 'foo' is not loaded"). But such an account could not be used for authentication until the plugin is installed. Now an account like that will not be loaded at all (with a warning, still). Indeed, without plugin's preprocess_hash() method the server cannot know how to load an account. Thus, if a new authentication plugin is installed run-time, one might need FLUSH PRIVILEGES to activate all existing accounts that were using this new plugin. 2018-10-17 12:48:13 +02:00			`delete from mysql.user where plugin = 'mysql_old_password';`
MDEV-3909 remote user enumeration instead of returning Access denied on the incorrect user name, emulate the complete failed logic procedure, possibly with the change plugin packet. 2013-01-25 09:41:26 +01:00			`flush privileges;`