Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

*: support password reuse policy #39162

Merged
merged 109 commits into from
Dec 2, 2022
Merged
Show file tree
Hide file tree
Changes from 103 commits
Commits
Show all changes
109 commits
Select commit Hold shift + click to select a range
7d7c24f
Support Password Reuse Policy
keeplearning20221 Nov 12, 2022
5cb28df
modified: errno/errcode.go
keeplearning20221 Nov 12, 2022
724c6d8
drop user support
bob34007 Nov 14, 2022
fc719ca
modified: executor/simple.go
keeplearning20221 Nov 15, 2022
4ce6866
modified: infoschema_cluster_table_test.go
keeplearning20221 Nov 15, 2022
20ebf62
Support Password Reuse Policy
keeplearning20221 Nov 12, 2022
34140ab
modified: errno/errcode.go
keeplearning20221 Nov 12, 2022
5a7dd17
drop user support
bob34007 Nov 14, 2022
d169f11
modified: executor/simple.go
keeplearning20221 Nov 15, 2022
af730b5
modified: infoschema_cluster_table_test.go
keeplearning20221 Nov 15, 2022
a988ee6
modified: executor/simple.go
keeplearning20221 Nov 15, 2022
da04920
Merge branch 'enhance_passwd' of https://github.com/bob34007/tidb int…
keeplearning20221 Nov 15, 2022
69d01a4
modified: executor/infoschema_cluster_table_test.go
keeplearning20221 Nov 15, 2022
bf1d0cd
modified: executor/simple_test.go
keeplearning20221 Nov 15, 2022
d3961d6
modified: errors.toml
keeplearning20221 Nov 15, 2022
f15de2f
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 16, 2022
bcc4937
modified: simple.go
keeplearning20221 Nov 16, 2022
ba1a3b7
modified: ../sessionctx/variable/sysvar.go
keeplearning20221 Nov 16, 2022
d50099a
modified: simple.go
keeplearning20221 Nov 16, 2022
49b3946
modified: simple.go
keeplearning20221 Nov 17, 2022
3db40d5
modified: simple.go
keeplearning20221 Nov 17, 2022
a2b1525
add alter multi user fail test
bob34007 Nov 17, 2022
1387ad0
modified: simple_test.go
bob34007 Nov 17, 2022
00f6566
password reuse resolve conflicts
keeplearning20221 Nov 18, 2022
f8a5825
modified: session/bootstrap.go
keeplearning20221 Nov 18, 2022
86da639
modified: server/http_handler_serial_test.go
keeplearning20221 Nov 18, 2022
d0b70af
modified: executor/simple.go
keeplearning20221 Nov 22, 2022
6611473
modified: simple.go
keeplearning20221 Nov 22, 2022
e482177
modified: executor/simple.go
keeplearning20221 Nov 22, 2022
3093520
modified: executor/simple.go
keeplearning20221 Nov 22, 2022
7631916
modified: simple.go
keeplearning20221 Nov 22, 2022
5868d96
Merge https://github.com/pingcap/tidb into enhance_passwd
keeplearning20221 Nov 22, 2022
81bf030
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 22, 2022
8223492
modified: simple.go
keeplearning20221 Nov 22, 2022
2b29b75
Merge branch 'enhance_passwd' of https://github.com/bob34007/tidb int…
keeplearning20221 Nov 22, 2022
180c405
modified: show.go
keeplearning20221 Nov 23, 2022
99cab07
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 23, 2022
fdbd8c9
modified: grant_test.go
keeplearning20221 Nov 23, 2022
a502b3b
password reuse resolve conflicts
keeplearning20221 Nov 25, 2022
1a1ee7b
modified: ../sessionctx/variable/tidb_vars.go
keeplearning20221 Nov 25, 2022
fc64ce4
Update executor/simple.go
keeplearning20221 Nov 25, 2022
d1a7668
Update executor/simple.go
keeplearning20221 Nov 25, 2022
c0a1bde
Apply suggestions from code review
keeplearning20221 Nov 25, 2022
e3c4b3e
modified: simple.go
keeplearning20221 Nov 25, 2022
5248a31
Merge branch 'enhance_passwd' of https://github.com/bob34007/tidb int…
keeplearning20221 Nov 25, 2022
409f85d
modified: simple.go
keeplearning20221 Nov 25, 2022
5253b65
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 25, 2022
43249a8
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 25, 2022
1210a05
Apply suggestions from code review
keeplearning20221 Nov 26, 2022
ed64326
Update session/bootstrap.go
keeplearning20221 Nov 26, 2022
af5679c
modified: executor/simple.go
keeplearning20221 Nov 26, 2022
969d4b1
Merge branch 'enhance_passwd' of https://github.com/bob34007/tidb int…
keeplearning20221 Nov 26, 2022
d1facde
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 26, 2022
6a469c2
password reuse resolve conflicts
keeplearning20221 Nov 28, 2022
ff9830c
session isolation level changed to read committed
keeplearning20221 Nov 28, 2022
2a10631
modified: simple.go
keeplearning20221 Nov 28, 2022
c7d6ece
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 28, 2022
2cf8050
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 28, 2022
f70601f
modified: simple.go
keeplearning20221 Nov 28, 2022
831e04d
Merge branch 'enhance_passwd' of https://github.com/bob34007/tidb int…
keeplearning20221 Nov 28, 2022
98d58b3
modified: executor/simple.go
keeplearning20221 Nov 28, 2022
cca0b6e
modified: executor/simple.go
keeplearning20221 Nov 28, 2022
403e8b5
modified: simple.go
keeplearning20221 Nov 29, 2022
1152787
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 29, 2022
5010061
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 29, 2022
5b13f49
Merge branch 'master' into enhance_passwd
hawkingrei Nov 29, 2022
8ad2ac0
modified: executor/simple_test.go
keeplearning20221 Nov 29, 2022
335a3f3
Merge branch 'enhance_passwd' of https://github.com/bob34007/tidb int…
keeplearning20221 Nov 29, 2022
2785512
modified: simple_test.go
bob34007 Nov 29, 2022
f8119a7
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 29, 2022
a145b53
Apply suggestions from code review
keeplearning20221 Nov 30, 2022
3530297
Modified according to the comment
keeplearning20221 Nov 30, 2022
f007aa6
modified: Makefile
keeplearning20221 Nov 30, 2022
d732cbf
modified: Makefile
keeplearning20221 Nov 30, 2022
7a5a2ed
modified: Makefile
keeplearning20221 Nov 30, 2022
314b1cf
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 30, 2022
08c6e12
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 30, 2022
bc61ad7
modified: Makefile
keeplearning20221 Nov 30, 2022
53d539d
Merge branch 'enhance_passwd' of https://github.com/bob34007/tidb int…
keeplearning20221 Nov 30, 2022
6549253
modified: Makefile
keeplearning20221 Nov 30, 2022
f717cdb
Merge branch 'master' into enhance_passwd
hawkingrei Nov 30, 2022
1b82662
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 30, 2022
22f278f
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 30, 2022
61f0e43
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 30, 2022
1f6fb52
modified: executor/simple.go
keeplearning20221 Nov 30, 2022
9221e7c
Merge branch 'enhance_passwd' of https://github.com/bob34007/tidb int…
keeplearning20221 Nov 30, 2022
9324762
modified: executor/simple.go
keeplearning20221 Nov 30, 2022
66c9a4c
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 30, 2022
b97e2a0
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 30, 2022
beddf8d
resolve conflicts
keeplearning20221 Nov 30, 2022
7984eac
Merge branch 'enhance_passwd' of https://github.com/bob34007/tidb int…
keeplearning20221 Nov 30, 2022
4279e90
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 30, 2022
2196883
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 30, 2022
c23cbd0
Merge branch 'master' into enhance_passwd
keeplearning20221 Nov 30, 2022
92d7de2
Merge branch 'master' into enhance_passwd
keeplearning20221 Dec 1, 2022
85325a4
Merge https://github.com/pingcap/tidb into enhance_passwd
keeplearning20221 Dec 1, 2022
3d105f2
Merge branch 'enhance_passwd' of https://github.com/bob34007/tidb int…
keeplearning20221 Dec 1, 2022
8fae3f5
Merge branch 'master' into enhance_passwd
keeplearning20221 Dec 1, 2022
8e2936c
Merge branch 'master' into enhance_passwd
keeplearning20221 Dec 1, 2022
419c317
Merge https://github.com/pingcap/tidb into enhance_passwd
keeplearning20221 Dec 1, 2022
77a8dee
Merge branch 'enhance_passwd' of https://github.com/bob34007/tidb int…
keeplearning20221 Dec 1, 2022
bf5161c
Merge https://github.com/pingcap/tidb into enhance_passwd
keeplearning20221 Dec 1, 2022
b2b1c98
Merge branch 'master' into enhance_passwd
keeplearning20221 Dec 1, 2022
e8c99a5
Apply suggestions from code review
keeplearning20221 Dec 2, 2022
2e0755b
modified: executor/simple.go
keeplearning20221 Dec 2, 2022
fe71bff
Merge branch 'enhance_passwd' of https://github.com/bob34007/tidb int…
keeplearning20221 Dec 2, 2022
caf6063
modified: executor/simple.go
keeplearning20221 Dec 2, 2022
6f10ebf
resolve conflicts
keeplearning20221 Dec 2, 2022
53eac1e
modified: executor/showtest/show_test.go
keeplearning20221 Dec 2, 2022
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions errno/errcode.go
Original file line number Diff line number Diff line change
Expand Up @@ -892,6 +892,7 @@ const (
ErrIllegalPrivilegeLevel = 3619
ErrCTEMaxRecursionDepth = 3636
ErrNotHintUpdatable = 3637
ErrExistsInHistoryPassword = 3638
ErrForeignKeyCannotDropParent = 3730
ErrForeignKeyCannotUseVirtualColumn = 3733
ErrForeignKeyNoColumnInParent = 3734
Expand Down
1 change: 1 addition & 0 deletions errno/errname.go
Original file line number Diff line number Diff line change
Expand Up @@ -887,6 +887,7 @@ var MySQLErrName = map[uint16]*mysql.ErrMessage{
ErrMaxExecTimeExceeded: mysql.Message("Query execution was interrupted, max_execution_time exceeded.", nil),
ErrLockAcquireFailAndNoWaitSet: mysql.Message("Statement aborted because lock(s) could not be acquired immediately and NOWAIT is set.", nil),
ErrNotHintUpdatable: mysql.Message("Variable '%s' cannot be set using SET_VAR hint.", nil),
ErrExistsInHistoryPassword: mysql.Message("Cannot use these credentials for '%s@%s' because they contradict the password history policy.", nil),
ErrForeignKeyCannotDropParent: mysql.Message("Cannot drop table '%s' referenced by a foreign key constraint '%s' on table '%s'.", nil),
ErrForeignKeyCannotUseVirtualColumn: mysql.Message("Foreign key '%s' uses virtual column '%s' which is not supported.", nil),
ErrForeignKeyNoColumnInParent: mysql.Message("Failed to add the foreign key constraint. Missing column '%s' for constraint '%s' in the referenced table '%s'", nil),
Expand Down
5 changes: 5 additions & 0 deletions errors.toml
Original file line number Diff line number Diff line change
Expand Up @@ -1506,6 +1506,11 @@ error = '''
Recursive query aborted after %d iterations. Try increasing @@cte_max_recursion_depth to a larger value
'''

["executor:3638"]
error = '''
Cannot use these credentials for '%s@%s' because they contradict the password history policy.
'''

["executor:3929"]
error = '''
Dynamic privilege '%s' is not registered with the server.
Expand Down
1 change: 1 addition & 0 deletions executor/errors.go
Original file line number Diff line number Diff line change
Expand Up @@ -73,4 +73,5 @@ var (
ErrWrongStringLength = dbterror.ClassDDL.NewStd(mysql.ErrWrongStringLength)
errUnsupportedFlashbackTmpTable = dbterror.ClassDDL.NewStdErr(mysql.ErrUnsupportedDDLOperation, parser_mysql.Message("Recover/flashback table is not supported on temporary tables", nil))
errTruncateWrongInsertValue = dbterror.ClassTable.NewStdErr(mysql.ErrTruncatedWrongValue, parser_mysql.Message("Incorrect %-.32s value: '%-.128s' for column '%.192s' at row %d", nil))
ErrExistsInHistoryPassword = dbterror.ClassExecutor.NewStd(mysql.ErrExistsInHistoryPassword)
)
2 changes: 1 addition & 1 deletion executor/grant_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -394,7 +394,7 @@ func TestMaintainRequire(t *testing.T) {

// test show create user
tk.MustExec(`CREATE USER 'u3'@'%' require issuer '/CN=TiDB admin/OU=TiDB/O=PingCAP/L=San Francisco/ST=California/C=US' subject '/CN=tester1/OU=TiDB/O=PingCAP.Inc/L=Haidian/ST=Beijing/C=ZH' cipher 'AES128-GCM-SHA256'`)
tk.MustQuery("show create user 'u3'").Check(testkit.Rows("CREATE USER 'u3'@'%' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE CIPHER 'AES128-GCM-SHA256' ISSUER '/CN=TiDB admin/OU=TiDB/O=PingCAP/L=San Francisco/ST=California/C=US' SUBJECT '/CN=tester1/OU=TiDB/O=PingCAP.Inc/L=Haidian/ST=Beijing/C=ZH' PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK"))
tk.MustQuery("show create user 'u3'").Check(testkit.Rows("CREATE USER 'u3'@'%' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE CIPHER 'AES128-GCM-SHA256' ISSUER '/CN=TiDB admin/OU=TiDB/O=PingCAP/L=San Francisco/ST=California/C=US' SUBJECT '/CN=tester1/OU=TiDB/O=PingCAP.Inc/L=Haidian/ST=Beijing/C=ZH' PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFALUT PASSWORD REUSE INTERVAL DEFALUT"))

// check issuer/subject/cipher value
err := tk.ExecToErr(`CREATE USER 'u4'@'%' require issuer 'CN=TiDB,OU=PingCAP'`)
Expand Down
2 changes: 1 addition & 1 deletion executor/infoschema_cluster_table_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -290,7 +290,7 @@ func TestTableStorageStats(t *testing.T) {
"test 2",
))
rows := tk.MustQuery("select TABLE_NAME from information_schema.TABLE_STORAGE_STATS where TABLE_SCHEMA = 'mysql';").Rows()
result := 40
result := 41
require.Len(t, rows, result)

// More tests about the privileges.
Expand Down
22 changes: 18 additions & 4 deletions executor/show.go
Original file line number Diff line number Diff line change
Expand Up @@ -1512,8 +1512,8 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {

exec := e.ctx.(sqlexec.RestrictedSQLExecutor)

rows, _, err := exec.ExecRestrictedSQL(ctx, nil, `SELECT plugin, Account_locked, JSON_UNQUOTE(JSON_EXTRACT(user_attributes, '$.metadata')), Token_issuer
FROM %n.%n WHERE User=%? AND Host=%?`,
rows, _, err := exec.ExecRestrictedSQL(ctx, nil, `SELECT plugin, Account_locked, JSON_UNQUOTE(JSON_EXTRACT(user_attributes, '$.metadata')), Token_issuer,
Password_reuse_history, Password_reuse_time FROM %n.%n WHERE User=%? AND Host=%?`,
mysql.SystemDB, mysql.UserTable, userName, strings.ToLower(hostName))
if err != nil {
return errors.Trace(err)
Expand Down Expand Up @@ -1546,6 +1546,20 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
tokenIssuer = " token_issuer " + tokenIssuer
}

var passwordHistory string
if rows[0].IsNull(4) {
passwordHistory = "DEFALUT"
} else {
passwordHistory = strconv.FormatUint(rows[0].GetUint64(4), 10)
}

var passwordReuseInterval string
if rows[0].IsNull(5) {
passwordReuseInterval = "DEFALUT"
} else {
passwordReuseInterval = strconv.FormatUint(rows[0].GetUint64(5), 10) + " DAY"
}

rows, _, err = exec.ExecRestrictedSQL(ctx, nil, `SELECT Priv FROM %n.%n WHERE User=%? AND Host=%?`, mysql.SystemDB, mysql.GlobalPrivTable, userName, hostName)
if err != nil {
return errors.Trace(err)
Expand All @@ -1569,8 +1583,8 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
}

// FIXME: the returned string is not escaped safely
showStr := fmt.Sprintf("CREATE USER '%s'@'%s' IDENTIFIED WITH '%s'%s REQUIRE %s%s PASSWORD EXPIRE DEFAULT ACCOUNT %s%s",
e.User.Username, e.User.Hostname, authplugin, authStr, require, tokenIssuer, accountLocked, userAttributes)
showStr := fmt.Sprintf("CREATE USER '%s'@'%s' IDENTIFIED WITH '%s'%s REQUIRE %s%s PASSWORD EXPIRE DEFAULT ACCOUNT %s%s PASSWORD HISTORY %s PASSWORD REUSE INTERVAL %s",
e.User.Username, e.User.Hostname, authplugin, authStr, require, tokenIssuer, accountLocked, userAttributes, passwordHistory, passwordReuseInterval)
e.appendRow([]interface{}{showStr})
return nil
}
Expand Down
32 changes: 20 additions & 12 deletions executor/showtest/show_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1058,11 +1058,11 @@ func TestShowCreateUser(t *testing.T) {
// Create a new user.
tk.MustExec(`CREATE USER 'test_show_create_user'@'%' IDENTIFIED BY 'root';`)
tk.MustQuery("show create user 'test_show_create_user'@'%'").
Check(testkit.Rows(`CREATE USER 'test_show_create_user'@'%' IDENTIFIED WITH 'mysql_native_password' AS '*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK`))
Check(testkit.Rows(`CREATE USER 'test_show_create_user'@'%' IDENTIFIED WITH 'mysql_native_password' AS '*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFALUT PASSWORD REUSE INTERVAL DEFALUT`))

tk.MustExec(`CREATE USER 'test_show_create_user'@'localhost' IDENTIFIED BY 'test';`)
tk.MustQuery("show create user 'test_show_create_user'@'localhost';").
Check(testkit.Rows(`CREATE USER 'test_show_create_user'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK`))
Check(testkit.Rows(`CREATE USER 'test_show_create_user'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFALUT PASSWORD REUSE INTERVAL DEFALUT`))

// Case: the user exists but the host portion doesn't match
err := tk.QueryToErr("show create user 'test_show_create_user'@'asdf';")
Expand All @@ -1074,10 +1074,10 @@ func TestShowCreateUser(t *testing.T) {

tk.Session().Auth(&auth.UserIdentity{Username: "root", Hostname: "127.0.0.1", AuthUsername: "root", AuthHostname: "%"}, nil, nil)
tk.MustQuery("show create user current_user").
Check(testkit.Rows("CREATE USER 'root'@'127.0.0.1' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK"))
Check(testkit.Rows("CREATE USER 'root'@'127.0.0.1' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFALUT PASSWORD REUSE INTERVAL DEFALUT"))

tk.MustQuery("show create user current_user()").
Check(testkit.Rows("CREATE USER 'root'@'127.0.0.1' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK"))
Check(testkit.Rows("CREATE USER 'root'@'127.0.0.1' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFALUT PASSWORD REUSE INTERVAL DEFALUT"))

tk.MustExec("create user 'check_priv'")

Expand All @@ -1090,7 +1090,7 @@ func TestShowCreateUser(t *testing.T) {

// "show create user" for current user doesn't check privileges.
tk1.MustQuery("show create user current_user").
Check(testkit.Rows("CREATE USER 'check_priv'@'127.0.0.1' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK"))
Check(testkit.Rows("CREATE USER 'check_priv'@'127.0.0.1' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFALUT PASSWORD REUSE INTERVAL DEFALUT"))

// Creating users with `IDENTIFIED WITH 'caching_sha2_password'`
tk.MustExec("CREATE USER 'sha_test'@'%' IDENTIFIED WITH 'caching_sha2_password' BY 'temp_passwd'")
Expand All @@ -1103,29 +1103,37 @@ func TestShowCreateUser(t *testing.T) {

// Compare only the start of the output as the salt changes every time.
rows = tk.MustQuery("SHOW CREATE USER 'sock'@'%'")
require.Equal(t, "CREATE USER 'sock'@'%' IDENTIFIED WITH 'auth_socket' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK", rows.Rows()[0][0].(string))
require.Equal(t, "CREATE USER 'sock'@'%' IDENTIFIED WITH 'auth_socket' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFALUT PASSWORD REUSE INTERVAL DEFALUT", rows.Rows()[0][0].(string))
tk.MustExec("CREATE USER 'sock2'@'%' IDENTIFIED WITH 'auth_socket' AS 'sock3'")

// Compare only the start of the output as the salt changes every time.
rows = tk.MustQuery("SHOW CREATE USER 'sock2'@'%'")
require.Equal(t, "CREATE USER 'sock2'@'%' IDENTIFIED WITH 'auth_socket' AS 'sock3' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK", rows.Rows()[0][0].(string))
require.Equal(t, "CREATE USER 'sock2'@'%' IDENTIFIED WITH 'auth_socket' AS 'sock3' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFALUT PASSWORD REUSE INTERVAL DEFALUT", rows.Rows()[0][0].(string))

// Test ACCOUNT LOCK/UNLOCK
tk.MustExec("CREATE USER 'lockness'@'%' IDENTIFIED BY 'monster' ACCOUNT LOCK")
rows = tk.MustQuery("SHOW CREATE USER 'lockness'@'%'")
require.Equal(t, "CREATE USER 'lockness'@'%' IDENTIFIED WITH 'mysql_native_password' AS '*BC05309E7FE12AFD4EBB9FFE7E488A6320F12FF3' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT LOCK", rows.Rows()[0][0].(string))
require.Equal(t, "CREATE USER 'lockness'@'%' IDENTIFIED WITH 'mysql_native_password' AS '*BC05309E7FE12AFD4EBB9FFE7E488A6320F12FF3' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT LOCK PASSWORD HISTORY DEFALUT PASSWORD REUSE INTERVAL DEFALUT", rows.Rows()[0][0].(string))

// Test COMMENT and ATTRIBUTE
tk.MustExec("CREATE USER commentUser COMMENT '1234'")
tk.MustQuery("SHOW CREATE USER commentUser").Check(testkit.Rows(`CREATE USER 'commentUser'@'%' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK ATTRIBUTE {"comment": "1234"}`))
tk.MustQuery("SHOW CREATE USER commentUser").Check(testkit.Rows(`CREATE USER 'commentUser'@'%' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK ATTRIBUTE {"comment": "1234"} PASSWORD HISTORY DEFALUT PASSWORD REUSE INTERVAL DEFALUT`))
tk.MustExec(`CREATE USER attributeUser attribute '{"name": "Tom", "age": 19}'`)
tk.MustQuery("SHOW CREATE USER attributeUser").Check(testkit.Rows(`CREATE USER 'attributeUser'@'%' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK ATTRIBUTE {"age": 19, "name": "Tom"}`))
tk.MustQuery("SHOW CREATE USER attributeUser").Check(testkit.Rows(`CREATE USER 'attributeUser'@'%' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK ATTRIBUTE {"age": 19, "name": "Tom"} PASSWORD HISTORY DEFALUT PASSWORD REUSE INTERVAL DEFALUT`))

// Creating users with 'IDENTIFIED WITH 'tidb_auth_token''
tk.MustExec(`CREATE USER 'token_user'@'%' IDENTIFIED WITH 'tidb_auth_token' ATTRIBUTE '{"email": "[email protected]"}'`)
tk.MustQuery("SHOW CREATE USER token_user").Check(testkit.Rows(`CREATE USER 'token_user'@'%' IDENTIFIED WITH 'tidb_auth_token' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK ATTRIBUTE {"email": "[email protected]"}`))
tk.MustQuery("SHOW CREATE USER token_user").Check(testkit.Rows(`CREATE USER 'token_user'@'%' IDENTIFIED WITH 'tidb_auth_token' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK ATTRIBUTE {"email": "[email protected]"} PASSWORD HISTORY DEFALUT PASSWORD REUSE INTERVAL DEFALUT`))
tk.MustExec(`ALTER USER 'token_user'@'%' REQUIRE token_issuer 'issuer-ABC'`)
tk.MustQuery("SHOW CREATE USER token_user").Check(testkit.Rows(`CREATE USER 'token_user'@'%' IDENTIFIED WITH 'tidb_auth_token' AS '' REQUIRE NONE token_issuer issuer-ABC PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK ATTRIBUTE {"email": "[email protected]"}`))
tk.MustQuery("SHOW CREATE USER token_user").Check(testkit.Rows(`CREATE USER 'token_user'@'%' IDENTIFIED WITH 'tidb_auth_token' AS '' REQUIRE NONE token_issuer issuer-ABC PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK ATTRIBUTE {"email": "[email protected]"} PASSWORD HISTORY DEFALUT PASSWORD REUSE INTERVAL DEFALUT`))

// create users with password reuse
tk.MustExec(`CREATE USER 'reuse_user'@'%' IDENTIFIED WITH 'tidb_auth_token' PASSWORD HISTORY 5 PASSWORD REUSE INTERVAL 3 DAY`)
tk.MustQuery("SHOW CREATE USER reuse_user").Check(testkit.Rows(`CREATE USER 'reuse_user'@'%' IDENTIFIED WITH 'tidb_auth_token' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY 5 PASSWORD REUSE INTERVAL 3 DAY`))
tk.MustExec(`ALTER USER 'reuse_user'@'%' PASSWORD HISTORY 50`)
tk.MustQuery("SHOW CREATE USER reuse_user").Check(testkit.Rows(`CREATE USER 'reuse_user'@'%' IDENTIFIED WITH 'tidb_auth_token' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY 50 PASSWORD REUSE INTERVAL 3 DAY`))
tk.MustExec(`ALTER USER 'reuse_user'@'%' PASSWORD REUSE INTERVAL 31 DAY`)
tk.MustQuery("SHOW CREATE USER reuse_user").Check(testkit.Rows(`CREATE USER 'reuse_user'@'%' IDENTIFIED WITH 'tidb_auth_token' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY 50 PASSWORD REUSE INTERVAL 31 DAY`))
}

func TestUnprivilegedShow(t *testing.T) {
Expand Down
Loading