authorSergei Golubchik <serg@mariadb.org>2021-02-23 10:35:16 +0100
committerSergei Golubchik <serg@mariadb.org>2021-02-23 10:35:16 +0100
commit245d33db4e0586df4fe28362fb002cef0151a1c9 (patch)
treefa6c14b8271ad91720e6eadcec5239d2fb0c42a3
parente841957416e9287d1e9b2e32c952d6d0c1a2e2ed (diff)
parent8b77e6c6760239b1d97da770722c881b2fdb70d3 (diff)
downloadmariadb-git-245d33db4e0586df4fe28362fb002cef0151a1c9.tar.gz
Merge branch 'github/10.4' into 10.4
-rw-r--r--mysql-test/main/lock_user.result2
-rw-r--r--mysql-test/main/password_expiration.result5
-rw-r--r--mysql-test/main/system_mysql_db_507.result1
-rw-r--r--sql/sql_acl.cc42
4 files changed, 42 insertions, 8 deletions
diff --git a/mysql-test/main/lock_user.result b/mysql-test/main/lock_user.result
index 7d9aeebb7aa..560ae6ce425 100644
--- a/mysql-test/main/lock_user.result
+++ b/mysql-test/main/lock_user.result
@@ -156,6 +156,7 @@ alter user user1@localhost PASSWORD EXPIRE NEVER ACCOUNT UNLOCK ;
show create user user1@localhost;
CREATE USER for user1@localhost
CREATE USER `user1`@`localhost` PASSWORD EXPIRE
+ALTER USER `user1`@`localhost` PASSWORD EXPIRE NEVER
alter user user1@localhost ACCOUNT LOCK PASSWORD EXPIRE DEFAULT;
show create user user1@localhost;
CREATE USER for user1@localhost
@@ -167,5 +168,6 @@ localhost user1 {"access":0,"plugin":"mysql_native_password","authentication_str
show create user user1@localhost;
CREATE USER for user1@localhost
CREATE USER `user1`@`localhost` PASSWORD EXPIRE
+ALTER USER `user1`@`localhost` PASSWORD EXPIRE INTERVAL 60 DAY
drop user user1@localhost;
drop user user2@localhost;
diff --git a/mysql-test/main/password_expiration.result b/mysql-test/main/password_expiration.result
index d05f6b3b5d0..897811bb4ad 100644
--- a/mysql-test/main/password_expiration.result
+++ b/mysql-test/main/password_expiration.result
@@ -125,6 +125,7 @@ alter user user1@localhost password expire;
show create user user1@localhost;
CREATE USER for user1@localhost
CREATE USER `user1`@`localhost` PASSWORD EXPIRE
+ALTER USER `user1`@`localhost` PASSWORD EXPIRE INTERVAL 123 DAY
set password for user1@localhost= password('');
show create user user1@localhost;
CREATE USER for user1@localhost
@@ -151,10 +152,12 @@ alter user user1@localhost password expire;
show create user user1@localhost;
CREATE USER for user1@localhost
CREATE USER `user1`@`localhost` PASSWORD EXPIRE
+ALTER USER `user1`@`localhost` PASSWORD EXPIRE NEVER
flush privileges;
show create user user1@localhost;
CREATE USER for user1@localhost
CREATE USER `user1`@`localhost` PASSWORD EXPIRE
+ALTER USER `user1`@`localhost` PASSWORD EXPIRE NEVER
set password for user1@localhost= password('');
alter user user1@localhost password expire default;
show create user user1@localhost;
@@ -184,10 +187,12 @@ alter user user1@localhost password expire;
show create user user1@localhost;
CREATE USER for user1@localhost
CREATE USER `user1`@`localhost` PASSWORD EXPIRE
+ALTER USER `user1`@`localhost` PASSWORD EXPIRE NEVER
flush privileges;
show create user user1@localhost;
CREATE USER for user1@localhost
CREATE USER `user1`@`localhost` PASSWORD EXPIRE
+ALTER USER `user1`@`localhost` PASSWORD EXPIRE NEVER
set global disconnect_on_expired_password=ON;
connect(localhost,user1,,test,MYSQL_PORT,MYSQL_SOCK);
connect con1,localhost,user1;
diff --git a/mysql-test/main/system_mysql_db_507.result b/mysql-test/main/system_mysql_db_507.result
index 2d68dc82529..8069405aa3a 100644
--- a/mysql-test/main/system_mysql_db_507.result
+++ b/mysql-test/main/system_mysql_db_507.result
@@ -214,6 +214,7 @@ alter user user@localhost password expire;
show create user user@localhost;
CREATE USER for user@localhost
CREATE USER `user`@`localhost` PASSWORD EXPIRE
+ALTER USER `user`@`localhost` PASSWORD EXPIRE INTERVAL 123 DAY
set password for user@localhost= password('');
show create user user@localhost;
CREATE USER for user@localhost
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index e56361bc424..85f4b178b36 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -8902,6 +8902,16 @@ static bool print_grants_for_role(THD *thd, ACL_ROLE * role)
}
+static void append_auto_expiration_policy(ACL_USER *acl_user, String *r) {
+ if (!acl_user->password_lifetime)
+ r->append(STRING_WITH_LEN(" PASSWORD EXPIRE NEVER"));
+ else if (acl_user->password_lifetime > 0)
+ {
+ r->append(STRING_WITH_LEN(" PASSWORD EXPIRE INTERVAL "));
+ r->append_longlong(acl_user->password_lifetime);
+ r->append(STRING_WITH_LEN(" DAY"));
+ }
+}
bool mysql_show_create_user(THD *thd, LEX_USER *lex_user)
{
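Review bot: append_auto_expiration_policy appends nothing when `password_lifetime` is negative, and that case is undocumented even though the `password_lifetime > -1` guard added later in mysql_show_create_user depends on exactly the same boundary. A short comment above the helper would record the contract, for example `/* Append the automatic password expiration clause; nothing is appended for a negative password_lifetime (presumably "follow the global default" - confirm) */`. The helper only reads the account, so the parameter could be `const ACL_USER *acl_user`. The opening brace on the signature line also differs from the own-line brace used by mysql_show_create_user directly below.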
@@ -8961,14 +8971,8 @@ bool mysql_show_create_user(THD *thd, LEX_USER *lex_user)
if (acl_user->password_expired)
result.append(STRING_WITH_LEN(" PASSWORD EXPIRE"));
- else if (!acl_user->password_lifetime)
- result.append(STRING_WITH_LEN(" PASSWORD EXPIRE NEVER"));
- else if (acl_user->password_lifetime > 0)
- {
- result.append(STRING_WITH_LEN(" PASSWORD EXPIRE INTERVAL "));
- result.append_longlong(acl_user->password_lifetime);
- result.append(STRING_WITH_LEN(" DAY"));
- }
+ else
+ append_auto_expiration_policy(acl_user, &result);
protocol->prepare_for_resend();
protocol->store(result.ptr(), result.length(), result.charset());
@@ -8976,6 +8980,28 @@ bool mysql_show_create_user(THD *thd, LEX_USER *lex_user)
{
error= true;
}
+
+ /* MDEV-24114 - PASSWORD EXPIRE and PASSWORD EXPIRE [NEVER | INTERVAL X DAY]
+ are two different mechanisms. To make sure a tool can restore the state
+ of a user account, including both the manual expiration state of the
+ account and the automatic expiration policy attached to it, we should
+ print two statements here, a CREATE USER (printed above) and an ALTER USER */
+ if (acl_user->password_expired && acl_user->password_lifetime > -1) {
+ result.length(0);
+ result.append("ALTER USER ");
+ append_identifier(thd, &result, username, strlen(username));
+ result.append('@');
+ append_identifier(thd, &result, acl_user->host.hostname,
+ acl_user->hostname_length);
+ append_auto_expiration_policy(acl_user, &result);
+ protocol->prepare_for_resend();
+ protocol->store(result.ptr(), result.length(), result.charset());
+ if (protocol->write())
+ {
+ error= true;
+ }
+ }
+
my_eof(thd);
end:
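Review bot: The new ALTER USER row is built and sent even when the preceding `protocol->write()` for the CREATE USER row has already failed and set `error`, so a failed send is followed by a second send attempt on the same connection. Guarding the block with `if (!error && acl_user->password_expired && acl_user->password_lifetime > -1)` would skip it. Because this output is what a dump or restore tool replays to rebuild an account, the comment could also state that the result now has two rows; a consumer that reads only the first row would recreate the user as expired and silently drop the lifetime policy. `result.append("ALTER USER ")` could use `STRING_WITH_LEN` like the other appends here, and the `) {` brace placement differs from the `if (protocol->write())` block a few lines below. mysql_show_create_user starts and ends outside this hunk, so the cleanup after `end:` is not visible.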