This is an automated cherry-pick of pingcap#47677
Signed-off-by: ti-chi-bot <[email protected]>
tiancaiamao authored and ti-chi-bot committed Feb 20, 2024
1 parent 18a02ae commit 9e7920a
Showing 3 changed files with 116 additions and 1 deletion.
2 changes: 1 addition & 1 deletion sessionctx/sessionstates/BUILD.bazel
@@ -30,7 +30,7 @@ go_test(
],
embed = [":sessionstates"],
flaky = True,
shard_count = 15,
shard_count = 16,
deps = [
"//config",
"//errno",
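--- a/sessionctx/sessionstates/session_states_test.go
+++ b/sessionctx/sessionstates/session_states_test.go
@@ -216,6 +216,118 @@ func TestSystemVars(t *testing.T) {
 }
 }
 
+<<<<<<< HEAD:sessionctx/sessionstates/session_states_test.go
+=======
+func TestInvisibleVars(t *testing.T) {
+tests := []struct {
+hasPriv bool
+stmt string
+cleanStmt string
+varName string
+expectedValue string
+showErr int
+}{
+{
+// Make sure the session can be migrated in normal cases.
+hasPriv: false,
+},
+{
+// The value is set but the same with before.
+hasPriv: false,
+stmt: "set tidb_opt_write_row_id=false",
+},
+{
+// The value is changed but the privilege is revoked.
+hasPriv: false,
+stmt: "set tidb_opt_write_row_id=true",
+showErr: errno.ErrCannotMigrateSession,
+},
+{
+// The value is changed and the user has the privilege.
+hasPriv: true,
+stmt: "set tidb_opt_write_row_id=true",
+varName: variable.TiDBOptWriteRowID,
+expectedValue: "1",
+},
+{
+// The value has a global scope.
+hasPriv: true,
+stmt: "set tidb_row_format_version=1",
+varName: variable.TiDBRowFormatVersion,
+expectedValue: "1",
+},
+{
+// The global value is changed, so the session value is still different with global.
+hasPriv: true,
+stmt: "set global tidb_row_format_version=1",
+varName: variable.TiDBRowFormatVersion,
+cleanStmt: "set global tidb_row_format_version=2",
+expectedValue: "2",
+},
+{
+// The global value is changed, so the session value is still different with global.
+hasPriv: false,
+stmt: "set global tidb_row_format_version=1",
+showErr: errno.ErrCannotMigrateSession,
+cleanStmt: "set global tidb_row_format_version=2",
+},
+}
+
+sessionstates.SetupSigningCertForTest(t)
+store := testkit.CreateMockStore(t)
+if !sem.IsEnabled() {
+sem.Enable()
+defer sem.Disable()
+}
+tk := testkit.NewTestKit(t, store)
+tk.MustExec("CREATE USER u1, u2")
+tk.MustExec("GRANT RESTRICTED_VARIABLES_ADMIN ON *.* to u1")
+
+for _, tt := range tests {
+tk1 := testkit.NewTestKit(t, store)
+if len(tt.stmt) > 0 {
+tk1.MustExec(tt.stmt)
+}
+
+username := "u2"
+if tt.hasPriv {
+username = "u1"
+}
+err := tk1.Session().Auth(&auth.UserIdentity{Username: username, Hostname: "%"}, nil, nil, nil)
+require.NoError(t, err)
+
+if tt.showErr == 0 {
+tk2 := testkit.NewTestKit(t, store)
+err = tk2.Session().Auth(&auth.UserIdentity{Username: username, Hostname: "%"}, nil, nil, nil)
+require.NoError(t, err)
+showSessionStatesAndSet(t, tk1, tk2)
+if len(tt.expectedValue) > 0 {
+checkStmt := fmt.Sprintf("select @@%s", tt.varName)
+tk2.MustQuery(checkStmt).Check(testkit.Rows(tt.expectedValue))
+}
+} else {
+err := tk1.QueryToErr("show session_states")
+errEqualsCode(t, err, tt.showErr)
+}
+if len(tt.cleanStmt) > 0 {
+tk.MustExec(tt.cleanStmt)
+}
+}
+}
+
+func TestIssue47665(t *testing.T) {
+store := testkit.CreateMockStore(t)
+tk := testkit.NewTestKit(t, store)
+tk.Session().GetSessionVars().TLSConnectionState = &tls.ConnectionState{} // unrelated mock for the test.
+originSEM := config.GetGlobalConfig().Security.EnableSEM
+config.GetGlobalConfig().Security.EnableSEM = true
+tk.MustGetErrMsg("set @@global.require_secure_transport = on", "require_secure_transport can not be set to ON with SEM(security enhanced mode) enabled")
+config.GetGlobalConfig().Security.EnableSEM = originSEM
+tk.MustExec("set @@global.require_secure_transport = on")
+tk.MustExec("set @@global.require_secure_transport = off") // recover to default value
+}
+
+>>>>>>> 05450665c39 (session/variable: forbid changing @@global.require_secure_transport to 'on' with SEM enabled (#47677)):pkg/sessionctx/sessionstates/session_states_test.go
 func TestSessionCtx(t *testing.T) {
 store := testkit.CreateMockStore(t)
 tk := testkit.NewTestKit(t, store)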
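Review bot: The added lines in session_states_test.go include the unresolved cherry-pick conflict markers (`<<<<<<< HEAD:…`, `=======`, `>>>>>>> 05450665c39 …`), so the file is not valid Go and the package's tests, including the new SEM coverage, cannot build or run. The same three markers are the only additions in sessionctx/variable/sysvar.go, where they break the package holding the `require_secure_transport` validation. Delete the marker lines in both files, and check that `tls`, `config` and `sem` are imported on this branch, since no import hunk is visible here. Separately, TestIssue47665 restores `Security.EnableSEM` inline, so a failing `MustGetErrMsg` would probably leave SEM enabled in the global config for later tests. Registering `t.Cleanup(func() { config.GetGlobalConfig().Security.EnableSEM = originSEM })` right after saving `originSEM` avoids that, in the same way TestInvisibleVars uses `defer sem.Disable()`.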
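--- a/sessionctx/variable/sysvar.go
+++ b/sessionctx/variable/sysvar.go
@@ -1041,7 +1041,10 @@ var defaultSysVars = []*SysVar{
 if cfg.Security.EnableSEM {
 return "", errors.New("require_secure_transport can not be set to ON with SEM(security enhanced mode) enabled")
 }
+<<<<<<< HEAD:sessionctx/variable/sysvar.go
 
+=======
+>>>>>>> 05450665c39 (session/variable: forbid changing @@global.require_secure_transport to 'on' with SEM enabled (#47677)):pkg/sessionctx/variable/sysvar.go
 // Refuse to set RequireSecureTransport to ON if the connection
 // issuing the change is not secure. This helps reduce the chance of users being locked out.
 if vars.TLSConnectionState == nil {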
