WL#6587 : Protocol support for password expiration

gkodinov · gkodinov · commit 5f0077269107 · 2012-12-06T17:04:49.000+05:30
Initial implementation.
* added a new capabilities flag CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS
* Added a new server option (and a read only global variable)
disconnect-on-expired-password. Defailt is on. When off it will cause
old clients to get a connection against an expired password account and
get an error for every query that they try to execute that's not 
SET PASSWORD.
* server will check for expired passwords at login and will refuse the 
login if the client didn't set CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS in 
the client hello packet and if the disconnect_on_expired_password 
server side option is set. A detailed error 
(ER_MUST_CHANGE_PASSWORD) will be sent in this case.
* server always sets CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS in
the server hello packet. libmysql never checks for it.
* new mysql_options() option MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS
to set the CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS flag.
* mysql binary sets MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS
   if run in interactive mode
* mysqladmin sets MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS
   if the first command is 'password' or 'old_password'
* mysqltest sets MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS
* test cases added (both mtr tests and some C test code)
* existing test case results updated to reflect the new server command
line option.
 * fixed the linux compilation problems and test failures
diff --git a/client/mysql.cc b/client/mysql.cc
@@ -4846,6 +4846,8 @@ sql_real_connect(char *host,char *database,char *user,char *password,
 static void
 init_connection_options(MYSQL *mysql)
 {
+  my_bool interactive= status.batch ? FALSE : TRUE;
+
   if (opt_init_command)
     mysql_options(mysql, MYSQL_INIT_COMMAND, opt_init_command);
 
@@ -4915,7 +4917,8 @@ init_connection_options(MYSQL *mysql)
 
   mysql_options(mysql, MYSQL_OPT_CONNECT_ATTR_RESET, 0);
   mysql_options4(mysql, MYSQL_OPT_CONNECT_ATTR_ADD, "program_name", "mysql");
-  return;
+
+  mysql_options(mysql, MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS, &interactive);
 }
 
 
diff --git a/client/mysqladmin.cc b/client/mysqladmin.cc
@@ -310,6 +310,8 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
 int main(int argc,char *argv[])
 {
   int error= 0, ho_error;
+  int first_command;
+  my_bool can_handle_passwords;
   MYSQL mysql;
   char **commands, **save_argv;
 
@@ -385,6 +387,13 @@ int main(int argc,char *argv[])
     mysql_options(&mysql, MYSQL_ENABLE_CLEARTEXT_PLUGIN, 
                   (char*) &opt_enable_cleartext_plugin);
 
+  first_command= find_type(argv[0], &command_typelib, FIND_TYPE_BASIC);
+  can_handle_passwords= 
+    (first_command == ADMIN_PASSWORD || first_command == ADMIN_OLD_PASSWORD) ?
+    TRUE : FALSE;
+  mysql_options(&mysql, MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS,
+                &can_handle_passwords);
+
   if (sql_connect(&mysql, option_wait))
   {
     /*
diff --git a/client/mysqltest.cc b/client/mysqltest.cc
@@ -130,6 +130,7 @@ static char line_buffer[MAX_DELIMITER_LENGTH], *line_buffer_pos= line_buffer;
 #if !defined(HAVE_YASSL)
 static const char *opt_server_public_key= 0;
 #endif
+static my_bool can_handle_expired_passwords= TRUE;
 
 /* Info on properties that can be set with --enable_X and --disable_X */
 
@@ -5314,6 +5315,8 @@ void safe_connect(MYSQL* mysql, const char *name, const char *host,
   mysql_options(mysql, MYSQL_OPT_CONNECT_ATTR_RESET, 0);
   mysql_options4(mysql, MYSQL_OPT_CONNECT_ATTR_ADD,
                  "program_name", "mysqltest");
+  mysql_options(mysql, MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS,
+                &can_handle_expired_passwords);
   while(!mysql_real_connect(mysql, host,user, pass, db, port, sock,
                             CLIENT_MULTI_STATEMENTS | CLIENT_REMEMBER_OPTIONS))
   {
@@ -5417,6 +5420,8 @@ int connect_n_handle_errors(struct st_command *command,
   
   mysql_options(con, MYSQL_OPT_CONNECT_ATTR_RESET, 0);
   mysql_options4(con, MYSQL_OPT_CONNECT_ATTR_ADD, "program_name", "mysqltest");
+  mysql_options(con, MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS,
+                &can_handle_expired_passwords);
   while (!mysql_real_connect(con, host, user, pass, db, port, sock ? sock: 0,
                           CLIENT_MULTI_STATEMENTS))
   {
diff --git a/include/mysql.h b/include/mysql.h
@@ -174,7 +174,8 @@ enum mysql_option
   MYSQL_OPT_CONNECT_ATTR_RESET, MYSQL_OPT_CONNECT_ATTR_ADD,
   MYSQL_OPT_CONNECT_ATTR_DELETE,
   MYSQL_SERVER_PUBLIC_KEY,
-  MYSQL_ENABLE_CLEARTEXT_PLUGIN
+  MYSQL_ENABLE_CLEARTEXT_PLUGIN,
+  MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS
 };
 
 /**
diff --git a/include/mysql.h.pp b/include/mysql.h.pp
@@ -271,7 +271,8 @@
   MYSQL_OPT_CONNECT_ATTR_RESET, MYSQL_OPT_CONNECT_ATTR_ADD,
   MYSQL_OPT_CONNECT_ATTR_DELETE,
   MYSQL_SERVER_PUBLIC_KEY,
-  MYSQL_ENABLE_CLEARTEXT_PLUGIN
+  MYSQL_ENABLE_CLEARTEXT_PLUGIN,
+  MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS
 };
 struct st_mysql_options_extention;
 struct st_mysql_options {
diff --git a/include/mysql_com.h b/include/mysql_com.h
@@ -180,6 +180,9 @@ enum enum_server_command
 /* Enable authentication response packet to be larger than 255 bytes. */
 #define CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA (1UL << 21)
 
+/* Don't close the connection for a connection with expired password. */
+#define CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS (1UL << 22)
+
 #define CLIENT_SSL_VERIFY_SERVER_CERT (1UL << 30)
 #define CLIENT_REMEMBER_OPTIONS (1UL << 31)
 
@@ -190,30 +193,32 @@ enum enum_server_command
 #endif
 
 /* Gather all possible capabilites (flags) supported by the server */
-#define CLIENT_ALL_FLAGS  (CLIENT_LONG_PASSWORD | \
-                           CLIENT_FOUND_ROWS | \
-                           CLIENT_LONG_FLAG | \
-                           CLIENT_CONNECT_WITH_DB | \
-                           CLIENT_NO_SCHEMA | \
-                           CLIENT_COMPRESS | \
-                           CLIENT_ODBC | \
-                           CLIENT_LOCAL_FILES | \
-                           CLIENT_IGNORE_SPACE | \
-                           CLIENT_PROTOCOL_41 | \
-                           CLIENT_INTERACTIVE | \
-                           CLIENT_SSL | \
-                           CLIENT_IGNORE_SIGPIPE | \
-                           CLIENT_TRANSACTIONS | \
-                           CLIENT_RESERVED | \
-                           CLIENT_SECURE_CONNECTION | \
-                           CLIENT_MULTI_STATEMENTS | \
-                           CLIENT_MULTI_RESULTS | \
-                           CLIENT_PS_MULTI_RESULTS | \
-                           CLIENT_SSL_VERIFY_SERVER_CERT | \
-                           CLIENT_REMEMBER_OPTIONS | \
-                           CLIENT_PLUGIN_AUTH | \
-                           CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA | \
-                           CLIENT_CONNECT_ATTRS)
+#define CLIENT_ALL_FLAGS  (CLIENT_LONG_PASSWORD \
+                           | CLIENT_FOUND_ROWS \
+                           | CLIENT_LONG_FLAG \
+                           | CLIENT_CONNECT_WITH_DB \
+                           | CLIENT_NO_SCHEMA \
+                           | CLIENT_COMPRESS \
+                           | CLIENT_ODBC \
+                           | CLIENT_LOCAL_FILES \
+                           | CLIENT_IGNORE_SPACE \
+                           | CLIENT_PROTOCOL_41 \
+                           | CLIENT_INTERACTIVE \
+                           | CLIENT_SSL \
+                           | CLIENT_IGNORE_SIGPIPE \
+                           | CLIENT_TRANSACTIONS \
+                           | CLIENT_RESERVED \
+                           | CLIENT_SECURE_CONNECTION \
+                           | CLIENT_MULTI_STATEMENTS \
+                           | CLIENT_MULTI_RESULTS \
+                           | CLIENT_PS_MULTI_RESULTS \
+                           | CLIENT_SSL_VERIFY_SERVER_CERT \
+                           | CLIENT_REMEMBER_OPTIONS \
+                           | CLIENT_PLUGIN_AUTH \
+                           | CLIENT_CONNECT_ATTRS \
+                           | CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA \
+                           | CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS \
+)
 
 /*
   Switch off the flags that are optional and depending on build flags
diff --git a/mysql-test/r/connect.result b/mysql-test/r/connect.result
@@ -393,6 +393,21 @@ DROP PROCEDURE test_t1;
 DROP FUNCTION last_t1;
 DROP TABLE t1;
 DROP USER must_change@localhost;
+#
+# WL#6587:  Protocol support for password expiration
+#
+CREATE USER wl6587@localhost IDENTIFIED BY 'wl6587';
+ALTER USER wl6587@localhost PASSWORD EXPIRE;
+# non-interactive mysql should fail
+Warning: Using a password on the command line interface can be insecure.
+ERROR 1820 (HY000): You must SET PASSWORD before executing this statement
+# mysqladmin non-password should fail
+Warning: Using a password on the command line interface can be insecure.
+mysqladmin: connect to server at 'localhost' failed
+error: 'You must SET PASSWORD before executing this statement'
+# mysqladmin password should work
+Warning: Using a password on the command line interface can be insecure.
+DROP USER wl6587@localhost;
 # ------------------------------------------------------------------
 # -- End of 5.6 tests
 # ------------------------------------------------------------------
diff --git a/mysql-test/r/mysqld--help-notwin.result b/mysql-test/r/mysqld--help-notwin.result
@@ -165,6 +165,11 @@ The following options may be given as the first argument:
  client that does INSERT DELAYED will wait until there is
  room in the queue again. This variable is deprecated
  along with INSERT DELAYED.
+ --disconnect-on-expired-password 
+ Give clients that don't signal password expiration
+ support execution time error(s) instead of connection
+ error
+ (Defaults to on; use --skip-disconnect-on-expired-password to disable.)
  --disconnect-slave-event-count=# 
  Option used by mysql-test for debugging and testing of
  replication.
@@ -1007,6 +1012,7 @@ delay-key-write ON
 delayed-insert-limit 100
 delayed-insert-timeout 300
 delayed-queue-size 1000
+disconnect-on-expired-password TRUE
 disconnect-slave-event-count 0
 div-precision-increment 4
 end-markers-in-json FALSE
diff --git a/mysql-test/r/mysqld--help-win.result b/mysql-test/r/mysqld--help-win.result
@@ -165,6 +165,11 @@ The following options may be given as the first argument:
  client that does INSERT DELAYED will wait until there is
  room in the queue again. This variable is deprecated
  along with INSERT DELAYED.
+ --disconnect-on-expired-password 
+ Give clients that don't signal password expiration
+ support execution time error(s) instead of connection
+ error
+ (Defaults to on; use --skip-disconnect-on-expired-password to disable.)
  --disconnect-slave-event-count=# 
  Option used by mysql-test for debugging and testing of
  replication.
@@ -1015,6 +1020,7 @@ delay-key-write ON
 delayed-insert-limit 100
 delayed-insert-timeout 300
 delayed-queue-size 1000
+disconnect-on-expired-password TRUE
 disconnect-slave-event-count 0
 div-precision-increment 4
 end-markers-in-json FALSE
diff --git a/mysql-test/suite/sys_vars/r/disconnect_on_expired_password_basic.result b/mysql-test/suite/sys_vars/r/disconnect_on_expired_password_basic.result
@@ -0,0 +1,25 @@
+SELECT @@GLOBAL.disconnect_on_expired_password;
+@@GLOBAL.disconnect_on_expired_password
+1
+1 Expected
+SET @@GLOBAL.disconnect_on_expired_password=0;
+ERROR HY000: Variable 'disconnect_on_expired_password' is a read only variable
+Expected error 'Read only variable'
+SELECT @@GLOBAL.disconnect_on_expired_password;
+@@GLOBAL.disconnect_on_expired_password
+1
+1 Expected
+SELECT @@disconnect_on_expired_password = @@GLOBAL.disconnect_on_expired_password;
+@@disconnect_on_expired_password = @@GLOBAL.disconnect_on_expired_password
+1
+1 Expected
+SELECT COUNT(@@local.disconnect_on_expired_password);
+ERROR HY000: Variable 'disconnect_on_expired_password' is a GLOBAL variable
+Expected error 'Variable is a GLOBAL variable'
+SELECT COUNT(@@SESSION.disconnect_on_expired_password);
+ERROR HY000: Variable 'disconnect_on_expired_password' is a GLOBAL variable
+Expected error 'Variable is a GLOBAL variable'
+SELECT @@GLOBAL.disconnect_on_expired_password;
+@@GLOBAL.disconnect_on_expired_password
+1
+1 Expected
diff --git a/mysql-test/suite/sys_vars/t/disconnect_on_expired_password_basic.test b/mysql-test/suite/sys_vars/t/disconnect_on_expired_password_basic.test
@@ -0,0 +1,17 @@
+SELECT @@GLOBAL.disconnect_on_expired_password;
+--echo 1 Expected
+--error ER_INCORRECT_GLOBAL_LOCAL_VAR
+SET @@GLOBAL.disconnect_on_expired_password=0;
+--echo Expected error 'Read only variable'
+SELECT @@GLOBAL.disconnect_on_expired_password;
+--echo 1 Expected
+SELECT @@disconnect_on_expired_password = @@GLOBAL.disconnect_on_expired_password;
+--echo 1 Expected
+--Error ER_INCORRECT_GLOBAL_LOCAL_VAR
+SELECT COUNT(@@local.disconnect_on_expired_password);
+--echo Expected error 'Variable is a GLOBAL variable'
+--Error ER_INCORRECT_GLOBAL_LOCAL_VAR
+SELECT COUNT(@@SESSION.disconnect_on_expired_password);
+--echo Expected error 'Variable is a GLOBAL variable'
+SELECT @@GLOBAL.disconnect_on_expired_password;
+--echo 1 Expected
diff --git a/mysql-test/t/connect.test b/mysql-test/t/connect.test
@@ -465,6 +465,29 @@ DROP FUNCTION last_t1;
 DROP TABLE t1;
 DROP USER must_change@localhost;
 
+
+--echo #
+--echo # WL#6587:  Protocol support for password expiration
+--echo #
+
+CREATE USER wl6587@localhost IDENTIFIED BY 'wl6587';
+ALTER USER wl6587@localhost PASSWORD EXPIRE;
+
+--echo # non-interactive mysql should fail
+--error 1
+--exec $MYSQL -uwl6587 --password=wl6587 test -e "SELECT USER()" 2>&1
+
+--echo # mysqladmin non-password should fail
+--replace_regex /.*mysqladmin.*: connect/mysqladmin: connect/
+--error 1
+--exec $MYSQLADMIN -S $MASTER_MYSOCK -P $MASTER_MYPORT -uwl6587 --password=wl6587 status 2>&1
+
+--echo # mysqladmin password should work
+--exec $MYSQLADMIN -S $MASTER_MYSOCK -P $MASTER_MYPORT -uwl6587 --password=wl6587 password wl6587-2 2>&1
+
+DROP USER wl6587@localhost;
+
+
 --echo # ------------------------------------------------------------------
 --echo # -- End of 5.6 tests
 --echo # ------------------------------------------------------------------
diff --git a/sql-common/client.c b/sql-common/client.c
@@ -4420,7 +4420,12 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const void *arg)
     mysql->options.extension->enable_cleartext_plugin= 
       (*(my_bool*) arg) ? TRUE : FALSE;
     break;
-
+  case MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS:
+    if (*(my_bool*) arg)
+      mysql->options.client_flag|= CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS;
+    else
+      mysql->options.client_flag&= ~CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS;
+    break;
 
   default:
     DBUG_RETURN(1);
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
@@ -64,6 +64,7 @@ using std::min;
 using std::max;
 
 bool mysql_user_table_is_in_short_password_format= false;
+my_bool disconnect_on_expired_password= TRUE;
 bool auth_plugin_is_built_in(const char *plugin_name);
 bool auth_plugin_supports_expiration(const char *plugin_name);
 void optimize_plugin_compare_by_pointer(LEX_STRING *plugin_name);
@@ -10851,6 +10852,24 @@ acl_authenticate(THD *thd, uint com_change_user_pkt_len)
                         mpvio.db.str ? mpvio.db.str : (char*) "");
   }
 
+  if (unlikely(acl_user && acl_user->password_expired
+               && !(mpvio.client_capabilities &
+                    CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)
+               && disconnect_on_expired_password))
+  {
+    /*
+      Clients that don't signal password expiration support
+      get a connect error.
+    */
+    res= CR_ERROR;
+    mpvio.status= MPVIO_EXT::FAILURE;
+
+    my_error(ER_MUST_CHANGE_PASSWORD, MYF(0));
+    general_log_print(thd, COM_CONNECT, ER(ER_MUST_CHANGE_PASSWORD));
+    if (log_warnings > 1)
+      sql_print_warning("%s", ER(ER_MUST_CHANGE_PASSWORD));
+  }
+
   if (res > CR_OK && mpvio.status != MPVIO_EXT::SUCCESS)
   {
     Host_errors errors;
diff --git a/sql/sql_acl.h b/sql/sql_acl.h
@@ -228,6 +228,7 @@ enum mysql_user_table_field
 
 extern const TABLE_FIELD_DEF mysql_db_table_def;
 extern bool mysql_user_table_is_in_short_password_format;
+extern my_bool disconnect_on_expired_password;
 extern const char *command_array[];
 extern uint        command_lengths[];
 
diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc
@@ -51,6 +51,7 @@
 #include "sql_time.h"                       // known_date_time_formats
 #include "sql_acl.h" // SUPER_ACL,
                      // mysql_user_table_is_in_short_password_format
+                     // disconnect_on_expired_password
 #include "derror.h"  // read_texts
 #include "sql_base.h"                           // close_cached_tables
 #include "debug_sync.h"                         // DEBUG_SYNC
@@ -4551,3 +4552,10 @@ static Sys_var_enum Sys_gtid_mode(
 #endif
 
 #endif // HAVE_REPLICATION
+
+
+static Sys_var_mybool Sys_disconnect_on_expired_password(
+       "disconnect_on_expired_password",
+       "Give clients that don't signal password expiration support execution time error(s) instead of connection error",
+       READ_ONLY GLOBAL_VAR(disconnect_on_expired_password),
+       CMD_LINE(OPT_ARG), DEFAULT(TRUE));
diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c

Original file line number	Diff line number	Diff line change
`@@ -4846,6 +4846,8 @@ sql_real_connect(char host,char database,char user,char password,`
`4846`	`4846`	`static void`
`4847`	`4847`	`init_connection_options(MYSQL *mysql)`
`4848`	`4848`	`{`
	`4849`	`+ my_bool interactive= status.batch ? FALSE : TRUE;`
	`4850`	`+`
`4849`	`4851`	`if (opt_init_command)`
`4850`	`4852`	`mysql_options(mysql, MYSQL_INIT_COMMAND, opt_init_command);`
`4851`	`4853`
`@@ -4915,7 +4917,8 @@ init_connection_options(MYSQL *mysql)`
`4915`	`4917`
`4916`	`4918`	`mysql_options(mysql, MYSQL_OPT_CONNECT_ATTR_RESET, 0);`
`4917`	`4919`	`mysql_options4(mysql, MYSQL_OPT_CONNECT_ATTR_ADD, "program_name", "mysql");`
`4918`		`- return;`
	`4920`	`+`
	`4921`	`+ mysql_options(mysql, MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS, &interactive);`
`4919`	`4922`	`}`
`4920`	`4923`
`4921`	`4924`