*: Support more PASSWORD REQUIRE CURRENT options | tidb-test=pr/2363

br/pkg/restore/snap_client/systable_restore_test.go

@@ -116,5 +116,5 @@ func TestCheckSysTableCompatibility(t *testing.T) {
 //
 // The above variables are in the file br/pkg/restore/systable_restore.go
 func TestMonitorTheSystemTableIncremental(t *testing.T) {
-	require.Equal(t, int64(217), session.CurrentBootstrapVersion)
+	require.Equal(t, int64(218), session.CurrentBootstrapVersion)
 }

errors.toml

@@ -1756,6 +1756,11 @@ error = '''
 Cannot use these credentials for '%s@%s' because they contradict the password history policy.
 '''
 
+["executor:3893"]
+error = '''
+Do not specify the current password while changing it for other users.
+'''
+
 ["executor:3929"]
 error = '''
 Dynamic privilege '%s' is not registered with the server.
@@ -2696,6 +2701,16 @@ error = '''
 %s is not granted to %s
 '''
 
+["privilege:3891"]
+error = '''
+Incorrect current password. Specify the correct password which has to be replaced.
+'''
+
+["privilege:3892"]
+error = '''
+Current password needs to be specified in the REPLACE clause in order to change it.
+'''
+
 ["schema:1007"]
 error = '''
 Can't create database '%-.192s'; database exists

pkg/errno/errcode.go

@@ -933,6 +933,9 @@ const (
 	ErrInvalidJSONType                                       = 3853
 	ErrCannotConvertString                                   = 3854
 	ErrDependentByPartitionFunctional                        = 3855
+	ErrIncorrectCurrentPassword                              = 3891
+	ErrMissingCurrentPassword                                = 3892
+	ErrCurrentPasswordNotRequired                            = 3893
 	ErrInvalidJSONValueForFuncIndex                          = 3903
 	ErrJSONValueOutOfRangeForFuncIndex                       = 3904
 	ErrFunctionalIndexDataIsTooLong                          = 3907

pkg/errno/errname.go

@@ -927,6 +927,9 @@ var MySQLErrName = map[uint16]*mysql.ErrMessage{
 	ErrDependentByPartitionFunctional:                        mysql.Message("Column '%s' has a partitioning function dependency and cannot be dropped or renamed", nil),
 	ErrCannotConvertString:                                   mysql.Message("Cannot convert string '%.64s' from %s to %s", nil),
 	ErrInvalidJSONType:                                       mysql.Message("Invalid JSON type in argument %d to function %s; an %s is required.", nil),
+	ErrIncorrectCurrentPassword:                              mysql.Message("Incorrect current password. Specify the correct password which has to be replaced.", nil),
+	ErrMissingCurrentPassword:                                mysql.Message("Current password needs to be specified in the REPLACE clause in order to change it.", nil),
+	ErrCurrentPasswordNotRequired:                            mysql.Message("Do not specify the current password while changing it for other users.", nil),
 	ErrInvalidJSONValueForFuncIndex:                          mysql.Message("Invalid JSON value for CAST for expression index '%s'", nil),
 	ErrJSONValueOutOfRangeForFuncIndex:                       mysql.Message("Out of range JSON value for CAST for expression index '%s'", nil),
 	ErrFunctionalIndexDataIsTooLong:                          mysql.Message("Data too long for expression index '%s'", nil),

pkg/executor/infoschema_reader_test.go

@@ -607,7 +607,7 @@ func TestColumnTable(t *testing.T) {
 		testkit.RowsWithSep("|",
 			"test|tbl1|col_2"))
 	tk.MustQuery(`select count(*) from information_schema.columns;`).Check(
-		testkit.RowsWithSep("|", "4983"))
+		testkit.RowsWithSep("|", "4984"))
 }
 
 func TestIndexUsageTable(t *testing.T) {

pkg/executor/show.go

@@ -1745,11 +1745,20 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
 	exec := e.Ctx().GetRestrictedSQLExecutor()
 
 	rows, _, err := exec.ExecRestrictedSQL(ctx, nil,
-		`SELECT plugin, Account_locked, user_attributes->>'$.metadata', Token_issuer,
-        Password_reuse_history, Password_reuse_time, Password_expired, Password_lifetime,
-        user_attributes->>'$.Password_locking.failed_login_attempts',
-        user_attributes->>'$.Password_locking.password_lock_time_days'
-		FROM %n.%n WHERE User=%? AND Host=%?`,
+		`SELECT
+			plugin,
+			Account_locked,
+			user_attributes->>'$.metadata',
+			Token_issuer,
+        	Password_reuse_history,
+			Password_reuse_time,
+			Password_expired,
+			Password_lifetime,
+			Password_require_current,
+        	user_attributes->>'$.Password_locking.failed_login_attempts',
+        	user_attributes->>'$.Password_locking.password_lock_time_days'
+		FROM %n.%n
+		WHERE User=%? AND Host=%?`,
 		mysql.SystemDB, mysql.UserTable, userName, strings.ToLower(hostName))
 	if err != nil {
 		return errors.Trace(err)
@@ -1813,20 +1822,33 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
 		passwordExpiredStr = fmt.Sprintf("PASSWORD EXPIRE INTERVAL %d DAY", passwordLifetime)
 	}
 
-	failedLoginAttempts := rows[0].GetString(8)
+	// Password_require_current
+	passwordRequireCurrent := rows[0].GetEnum(8).String()
+	var passwordRequireCurrentStr string
+	switch passwordRequireCurrent {
+	case "Y":
+		passwordRequireCurrentStr = "PASSWORD REQUIRE CURRENT"
+	case "N":
+		passwordRequireCurrentStr = "PASSWORD REQUIRE CURRENT OPTIONAL"
+	default:
+		passwordRequireCurrentStr = "PASSWORD REQUIRE CURRENT DEFAULT"
+	}
+
+	failedLoginAttempts := rows[0].GetString(9)
 	if len(failedLoginAttempts) > 0 {
 		failedLoginAttempts = " FAILED_LOGIN_ATTEMPTS " + failedLoginAttempts
 	}
 
-	passwordLockTimeDays := rows[0].GetString(9)
+	passwordLockTimeDays := rows[0].GetString(10)
 	if len(passwordLockTimeDays) > 0 {
 		if passwordLockTimeDays == "-1" {
 			passwordLockTimeDays = " PASSWORD_LOCK_TIME UNBOUNDED"
 		} else {
 			passwordLockTimeDays = " PASSWORD_LOCK_TIME " + passwordLockTimeDays
 		}
 	}
-	rows, _, err = exec.ExecRestrictedSQL(ctx, nil, `SELECT Priv FROM %n.%n WHERE User=%? AND Host=%?`, mysql.SystemDB, mysql.GlobalPrivTable, userName, hostName)
+	rows, _, err = exec.ExecRestrictedSQL(ctx, nil, `SELECT Priv FROM %n.%n WHERE User=%? AND Host=%?`,
+		mysql.SystemDB, mysql.GlobalPrivTable, userName, hostName)
 	if err != nil {
 		return errors.Trace(err)
 	}
@@ -1849,8 +1871,10 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
 	}
 
 	// FIXME: the returned string is not escaped safely
-	showStr := fmt.Sprintf("CREATE USER '%s'@'%s' IDENTIFIED WITH '%s'%s REQUIRE %s%s %s ACCOUNT %s PASSWORD HISTORY %s PASSWORD REUSE INTERVAL %s%s%s%s",
-		e.User.Username, e.User.Hostname, authPlugin, authStr, require, tokenIssuer, passwordExpiredStr, accountLocked, passwordHistory, passwordReuseInterval, failedLoginAttempts, passwordLockTimeDays, userAttributes)
+	showStr := fmt.Sprintf(
+		"CREATE USER '%s'@'%s' IDENTIFIED WITH '%s'%s REQUIRE %s%s %s ACCOUNT %s PASSWORD HISTORY %s PASSWORD REUSE INTERVAL %s %s%s%s%s",
+		e.User.Username, e.User.Hostname, authPlugin, authStr, require, tokenIssuer, passwordExpiredStr, accountLocked,
+		passwordHistory, passwordReuseInterval, passwordRequireCurrentStr, failedLoginAttempts, passwordLockTimeDays, userAttributes)
 	e.appendRow([]any{showStr})
 	return nil
 }

pkg/executor/simple.go

@@ -97,17 +97,19 @@ type SimpleExec struct {
 }
 
 type passwordOrLockOptionsInfo struct {
-	lockAccount                 string
-	passwordExpired             string
-	passwordLifetime            any
-	passwordHistory             int64
-	passwordHistoryChange       bool
-	passwordReuseInterval       int64
-	passwordReuseIntervalChange bool
-	failedLoginAttempts         int64
-	passwordLockTime            int64
-	failedLoginAttemptsChange   bool
-	passwordLockTimeChange      bool
+	lockAccount                  string
+	passwordExpired              string
+	passwordLifetime             any
+	passwordHistory              int64
+	passwordHistoryChange        bool
+	passwordReuseInterval        int64
+	passwordReuseIntervalChange  bool
+	failedLoginAttempts          int64
+	passwordLockTime             int64
+	failedLoginAttemptsChange    bool
+	passwordLockTimeChange       bool
+	passwordRequireCurrent       string
+	passwordRequireCurrentChange bool
 }
 
 type passwordReuseInfo struct {
@@ -884,6 +886,15 @@ func (info *passwordOrLockOptionsInfo) loadOptions(plOption []*ast.PasswordOrLoc
 		case ast.PasswordReuseDefault:
 			info.passwordReuseInterval = notSpecified
 			info.passwordReuseIntervalChange = true
+		case ast.PasswordRequireCurrent:
+			info.passwordRequireCurrent = "Y"
+			info.passwordRequireCurrentChange = true
+		case ast.PasswordRequireCurrentOptional:
+			info.passwordRequireCurrent = "N"
+			info.passwordRequireCurrentChange = true
+		case ast.PasswordRequireCurrentDefault:
+			info.passwordRequireCurrent = ""
+			info.passwordRequireCurrentChange = true
 		}
 	}
 	return nil
@@ -1045,6 +1056,7 @@ func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStm
 		passwordLockTimeChange:      false,
 		passwordHistoryChange:       false,
 		passwordReuseIntervalChange: false,
+		passwordRequireCurrent:      "",
 	}
 	err = plOptions.loadOptions(s.PasswordOrLockOptions)
 	if err != nil {
@@ -1103,7 +1115,7 @@ func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStm
 	passwordInit := true
 	// Get changed user password reuse info.
 	savePasswdHistory := whetherSavePasswordHistory(plOptions)
-	sqlTemplate := "INSERT INTO %n.%n (Host, User, authentication_string, plugin, user_attributes, Account_locked, Token_issuer, Password_expired, Password_lifetime,  Password_reuse_time, Password_reuse_history) VALUES "
+	sqlTemplate := "INSERT INTO %n.%n (Host, User, authentication_string, plugin, user_attributes, Account_locked, Token_issuer, Password_expired, Password_lifetime,  Password_reuse_time, Password_reuse_history, Password_require_current) VALUES "
 	valueTemplate := "(%?, %?, %?, %?, %?, %?, %?, %?, %?"
 
 	sqlescape.MustFormatSQL(sql, sqlTemplate, mysql.SystemDB, mysql.UserTable)
@@ -1202,6 +1214,12 @@ func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStm
 		} else {
 			sqlescape.MustFormatSQL(sql, `, %?`, nil)
 		}
+		// Current password requirement per-user policy
+		if plOptions.passwordRequireCurrentChange {
+			sqlescape.MustFormatSQL(sql, `, %?`, plOptions.passwordRequireCurrent)
+		} else {
+			sqlescape.MustFormatSQL(sql, `, %?`, nil)
+		}
 		sqlescape.MustFormatSQL(sql, `)`)
 		// The empty password does not count in the password history and is subject to reuse at any time.
 		// AuthTiDBAuthToken is the token login method on the cloud,
@@ -1795,7 +1813,7 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 			RequireAuthTokenOptions
 		)
 		authTokenOptionHandler := noNeedAuthTokenOptions
-		currentAuthPlugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(spec.User.Username, spec.User.Hostname)
+		currentAuthPlugin, err := checker.GetAuthPlugin(spec.User.Username, spec.User.Hostname)
 		if err != nil {
 			return err
 		}
@@ -1808,7 +1826,20 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 			value any
 		}
 		var fields []alterField
+
 		if spec.AuthOpt != nil {
+			// Only use `REPLACE <pwd>` when changing the current user
+			if user != nil &&
+				(spec.User.Username == user.AuthUsername &&
+					spec.User.Hostname == user.AuthHostname) {
+				err = checker.CheckCurrentPassword(spec.User.Username, spec.User.Hostname, spec.AuthOpt.ReplaceString, e.Ctx().GetSessionVars())
+				if err != nil {
+					return err
+				}
+			} else if spec.AuthOpt.ReplaceString != "" {
+				return exeerrors.ErrCurrentPasswordNotRequired
+			}
+
 			fields = append(fields, alterField{"password_last_changed=current_timestamp()", nil})
 			if spec.AuthOpt.AuthPlugin == "" {
 				spec.AuthOpt.AuthPlugin = currentAuthPlugin
@@ -1899,6 +1930,17 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 			}
 		}
 
+		if plOptions.passwordRequireCurrentChange {
+			switch plOptions.passwordRequireCurrent {
+			case "Y":
+				fields = append(fields, alterField{"Password_require_current = 'Y'", ""})
+			case "N":
+				fields = append(fields, alterField{"Password_require_current = 'N'", ""})
+			case "":
+				fields = append(fields, alterField{"Password_require_current = NULL", ""})
+			}
+		}
+
 		passwordLockingInfo, err := readPasswordLockingInfo(ctx, sqlExecutor, spec.User.Username, spec.User.Hostname, &plOptions)
 		if err != nil {
 			return err
@@ -2008,7 +2050,8 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 
 		if len(privData) > 0 {
 			sql := new(strings.Builder)
-			sqlescape.MustFormatSQL(sql, "INSERT INTO %n.%n (Host, User, Priv) VALUES (%?,%?,%?) ON DUPLICATE KEY UPDATE Priv = values(Priv)", mysql.SystemDB, mysql.GlobalPrivTable, spec.User.Hostname, spec.User.Username, string(hack.String(privData)))
+			sqlescape.MustFormatSQL(sql, "INSERT INTO %n.%n (Host, User, Priv) VALUES (%?,%?,%?) ON DUPLICATE KEY UPDATE Priv = values(Priv)",
+				mysql.SystemDB, mysql.GlobalPrivTable, spec.User.Hostname, spec.User.Username, string(hack.String(privData)))
 			_, err := sqlExecutor.ExecuteInternal(ctx, sql.String())
 			if err != nil {
 				failedUsers = append(failedUsers, spec.User.String())
@@ -2474,6 +2517,7 @@ func (e *SimpleExec) executeSetPwd(ctx context.Context, s *ast.SetPwdStmt) error
 
 	var u, h string
 	disableSandboxMode := false
+	checker := privilege.GetPrivilegeManager(e.Ctx())
 	if s.User == nil || s.User.CurrentUser {
 		if e.Ctx().GetSessionVars().User == nil {
 			return errors.New("Session error is empty")
@@ -2484,7 +2528,6 @@ func (e *SimpleExec) executeSetPwd(ctx context.Context, s *ast.SetPwdStmt) error
 		u = s.User.Username
 		h = s.User.Hostname
 
-		checker := privilege.GetPrivilegeManager(e.Ctx())
 		activeRoles := e.Ctx().GetSessionVars().ActiveRoles
 		if checker != nil && !checker.RequestVerification(activeRoles, "", "", "", mysql.SuperPriv) {
 			currUser := e.Ctx().GetSessionVars().User
@@ -2506,7 +2549,20 @@ func (e *SimpleExec) executeSetPwd(ctx context.Context, s *ast.SetPwdStmt) error
 		disableSandboxMode = true
 	}
 
-	authplugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(u, h)
+	// Check the current passsword against the policy if the user tries to change its own password
+	if e.Ctx().GetSessionVars().User != nil &&
+		(u == e.Ctx().GetSessionVars().User.AuthUsername) &&
+		(h == e.Ctx().GetSessionVars().User.AuthHostname) {
+		err = checker.CheckCurrentPassword(u, h, s.ReplaceString, e.Ctx().GetSessionVars())
+		if err != nil {
+			return err
+		}
+	} else if s.ReplaceString != "" {
+		// Don't allow the current password when changing another users password
+		return exeerrors.ErrCurrentPasswordNotRequired
+	}
+
+	authplugin, err := checker.GetAuthPlugin(u, h)
 	if err != nil {
 		return err
 	}

pkg/executor/test/passwordtest/password_management_test.go

@@ -318,15 +318,15 @@ func TestFailedLoginTrackingBasic(t *testing.T) {
 
 	tk.MustExec("CREATE USER 'u6'@'localhost' IDENTIFIED BY 'password' FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 3;")
 	tk.MustQuery(" SHOW CREATE USER 'u6'@'localhost';").Check(
-		testkit.Rows("CREATE USER 'u6'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 3"))
+		testkit.Rows("CREATE USER 'u6'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 3"))
 
 	tk.MustExec("CREATE USER 'u7'@'localhost' IDENTIFIED BY 'password';")
 	tk.MustQuery(" SHOW CREATE USER 'u7'@'localhost';").Check(
-		testkit.Rows("CREATE USER 'u7'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT"))
+		testkit.Rows("CREATE USER 'u7'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT"))
 
 	tk.MustExec("CREATE USER 'u8'@'localhost' IDENTIFIED BY 'password' FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME UNBOUNDED;")
 	tk.MustQuery(" SHOW CREATE USER 'u8'@'localhost';").Check(
-		testkit.Rows("CREATE USER 'u8'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME UNBOUNDED"))
+		testkit.Rows("CREATE USER 'u8'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME UNBOUNDED"))
 
 	tk.MustExec("ALTER USER 'u4'@'localhost' PASSWORD_LOCK_TIME 0 FAILED_LOGIN_ATTEMPTS 0")
 	tk.MustQuery("select user_attributes from mysql.user where user = 'u4' and host = 'localhost'").Check(testkit.Rows(`<nil>`))