author | Sergei Golubchik <serg@mariadb.org> | 2019-01-29 12:55:33 +0100 |
---|---|---|
committer | Sergei Golubchik <serg@mariadb.org> | 2019-02-04 16:07:12 +0100 |
commit | 7075d7fce626ee915c9ae9308cfb4a8120e83e44 (patch) | |
tree | 260d681367fbacea0211d9e8bb2de72bc3de5fab /mysql-test | |
parent | 5b15cc613ec60f44003dd7d2fdb6421d220b6ee9 (diff) | |
download | mariadb-git-7075d7fce626ee915c9ae9308cfb4a8120e83e44.tar.gz |
MDEV-11340 Allow multiple alternative authentication methods for the same user
test a multi-auth with a missing auth plugin on the client
update (and simplify) plugin_auth.test to match
Diffstat (limited to 'mysql-test')
-rw-r--r-- | mysql-test/main/plugin_auth.result | 33 | ||||
-rw-r--r-- | mysql-test/main/plugin_auth.test | 38 | ||||
-rw-r--r-- | mysql-test/suite/plugins/r/multiauth.result | 24 | ||||
-rw-r--r-- | mysql-test/suite/plugins/t/multiauth.test | 20 |
4 files changed, 60 insertions, 55 deletions
diff --git a/mysql-test/main/plugin_auth.result b/mysql-test/main/plugin_auth.result index 7c3d029ad7d..d69246f8c7d 100644 --- a/mysql-test/main/plugin_auth.result +++ b/mysql-test/main/plugin_auth.result @@ -11,6 +11,8 @@ SELECT plugin,authentication_string FROM mysql.user WHERE User='plug'; plugin authentication_string test_plugin_server plug_dest ## test plugin auth +connect(localhost,plug,plug_dest,test,MYSQL_PORT,MYSQL_SOCK); +connect plug_con,localhost,plug,plug_dest; ERROR 28000: Access denied for user 'plug'@'localhost' (using password: YES) GRANT PROXY ON plug_dest TO plug; test proxies_priv columns @@ -32,7 +34,6 @@ proxies_priv CREATE TABLE `proxies_priv` ( KEY `Grantor` (`Grantor`) ) ENGINE=Aria DEFAULT CHARSET=utf8 COLLATE=utf8_bin PAGE_CHECKSUM=1 TRANSACTIONAL=1 COMMENT='User proxy privileges' connect plug_con,localhost,plug,plug_dest; -connection plug_con; select USER(),CURRENT_USER(); USER() CURRENT_USER() plug@localhost plug_dest@% @@ -41,11 +42,18 @@ SET PASSWORD = PASSWORD('plug_dest'); connection default; disconnect plug_con; ## test bad credentials +connect(localhost,plug,bad_credentials,test,MYSQL_PORT,MYSQL_SOCK); +connect plug_con,localhost,plug,bad_credentials; ERROR 28000: Access denied for user 'plug'@'localhost' (using password: YES) -## test bad default plugin : should get CR_AUTH_PLUGIN_CANNOT_LOAD +## test bad default plugin : nothing bad happens, as that plugin was't required by the server +connect plug_con_wrongp,localhost,plug,plug_dest,,,,,wrong_plugin_name; +select USER(),CURRENT_USER(); +USER() CURRENT_USER() +plug@localhost plug_dest@% +connection default; +disconnect plug_con_wrongp; ## test correct default plugin connect plug_con_rightp,localhost,plug,plug_dest,,,,,auth_test_plugin; -connection plug_con_rightp; select USER(),CURRENT_USER(); USER() CURRENT_USER() plug@localhost plug_dest@% 
@@ -60,7 +68,6 @@ DROP USER grant_user; CREATE USER `Ÿ` IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest'; GRANT PROXY ON plug_dest TO `Ÿ`; connect non_ascii,localhost,Ÿ,plug_dest; -connection non_ascii; select USER(),CURRENT_USER(); USER() CURRENT_USER() Ÿ@localhost plug_dest@% @@ -74,7 +81,6 @@ GRANT ALL PRIVILEGES ON test_grant_db.* TO new_grant_user IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest'; GRANT PROXY ON plug_dest TO new_grant_user; connect plug_con_grant,localhost,new_grant_user,plug_dest; -connection plug_con_grant; select USER(),CURRENT_USER(); USER() CURRENT_USER() new_grant_user@localhost plug_dest@% @@ -91,7 +97,6 @@ connect(localhost,new_grant_user,plug_dest,test,MYSQL_PORT,MYSQL_SOCK); connect plug_con_grant_deny,localhost,new_grant_user,plug_dest; ERROR 28000: Access denied for user 'new_grant_user'@'localhost' (using password: YES) connect plug_con_grant,localhost,new_grant_user,new_password; -connection plug_con_grant; select USER(),CURRENT_USER(); USER() CURRENT_USER() new_grant_user@localhost new_grant_user@% @@ -133,8 +138,6 @@ ERROR 42000: You have an error in your SQL syntax; check the manual that corresp REVOKE PROXY ON grant_plug_dest FROM grant_plug; ERROR 42000: There is no such grant defined for user 'grant_plug' on host '%' connect grant_plug_dest_con,localhost,grant_plug_dest,grant_plug_dest_passwd; -connection grant_plug_dest_con; -in grant_plug_dest_con ## testing what an ordinary user can grant this should fail : no rights to grant all GRANT PROXY ON ''@'%%' TO grant_plug; @@ -158,7 +161,6 @@ this should fail : can't create users GRANT PROXY ON grant_plug_dest TO grant_plug@localhost; ERROR 42000: You are not allowed to create a user with GRANT connection default; -in default connection disconnect grant_plug_dest_con; # test what root can grant should work : root has PROXY to all users 
@@ -170,12 +172,9 @@ WITH GRANT OPTION; need USAGE : PROXY doesn't contain it. GRANT USAGE on *.* TO proxy_admin; connect proxy_admin_con,localhost,proxy_admin,test; -connection proxy_admin_con; -in proxy_admin_con; should work : proxy_admin has proxy to ''@'%%' GRANT PROXY ON future_user TO grant_plug; connection default; -in default connection disconnect proxy_admin_con; SHOW GRANTS FOR grant_plug; Grants for grant_plug@% @@ -221,13 +220,10 @@ SELECT @@LOCAL.proxy_user; @@LOCAL.proxy_user NULL connect plug_con,localhost,plug,plug_dest; -connection plug_con; -# in connection plug_con SELECT @@LOCAL.proxy_user; @@LOCAL.proxy_user 'plug'@'%' connection default; -# in connection default disconnect plug_con; ## cleanup DROP USER plug; @@ -253,13 +249,10 @@ SELECT @@LOCAL.external_user; @@LOCAL.external_user NULL connect plug_con,localhost,plug,plug_dest; -connection plug_con; -# in connection plug_con SELECT @@LOCAL.external_user; @@LOCAL.external_user plug_dest connection default; -# in connection default disconnect plug_con; ## cleanup DROP USER plug; @@ -315,7 +308,6 @@ REVOKE PROXY ON u2@localhost FROM u1@localhost; ERROR 28000: Access denied for user 'root'@'localhost' # go try graning proxy on itself, so that it will need the table connect proxy_granter_con,localhost,u2,; -connection proxy_granter_con; GRANT PROXY ON u2@localhost TO u1@localhost; ERROR 42S02: Table 'mysql.proxies_priv' doesn't exist REVOKE PROXY ON u2@localhost FROM u1@localhost; @@ -355,7 +347,6 @@ CREATE USER uplain@localhost IDENTIFIED WITH 'cleartext_plugin_server' ## test plugin auth ERROR 28000: Access denied for user 'uplain'@'localhost' (using password: YES) connect cleartext_con,localhost,uplain,cleartext_test; -connection cleartext_con; select USER(),CURRENT_USER(); USER() CURRENT_USER() uplain@localhost uplain@localhost 
@@ -474,7 +465,6 @@ CREATE USER bug12818542_dest@localhost IDENTIFIED BY 'bug12818542_dest_passwd'; GRANT PROXY ON bug12818542_dest@localhost TO bug12818542@localhost; connect bug12818542_con,localhost,bug12818542,bug12818542_dest; -connection bug12818542_con; SELECT USER(),CURRENT_USER(); USER() CURRENT_USER() bug12818542@localhost bug12818542_dest@localhost @@ -482,7 +472,6 @@ SET PASSWORD = PASSWORD('bruhaha'); connection default; disconnect bug12818542_con; connect bug12818542_con2,localhost,bug12818542,bug12818542_dest; -connection bug12818542_con2; SELECT USER(),CURRENT_USER(); USER() CURRENT_USER() bug12818542@localhost bug12818542_dest@localhost diff --git a/mysql-test/main/plugin_auth.test b/mysql-test/main/plugin_auth.test index 9af8f25d153..30e4fa6e0ad 100644 --- a/mysql-test/main/plugin_auth.test +++ b/mysql-test/main/plugin_auth.test @@ -15,10 +15,9 @@ CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd'; SELECT plugin,authentication_string FROM mysql.user WHERE User='plug'; --echo ## test plugin auth ---disable_query_log +--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK --error ER_ACCESS_DENIED_ERROR : this should fail : no grant connect(plug_con,localhost,plug,plug_dest); ---enable_query_log GRANT PROXY ON plug_dest TO plug; --echo test proxies_priv columns @@ -28,8 +27,6 @@ SELECT * FROM mysql.proxies_priv WHERE user !='root'; SHOW CREATE TABLE mysql.proxies_priv; connect(plug_con,localhost,plug,plug_dest); - -connection plug_con; select USER(),CURRENT_USER(); --echo ## test SET PASSWORD 
@@ -40,22 +37,18 @@ connection default; disconnect plug_con; --echo ## test bad credentials ---disable_query_log +--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK --error ER_ACCESS_DENIED_ERROR connect(plug_con,localhost,plug,bad_credentials); ---enable_query_log ---echo ## test bad default plugin : should get CR_AUTH_PLUGIN_CANNOT_LOAD ---disable_result_log ---disable_query_log ---error 2059 +--echo ## test bad default plugin : nothing bad happens, as that plugin was't required by the server connect(plug_con_wrongp,localhost,plug,plug_dest,,,,,wrong_plugin_name); ---enable_query_log ---enable_result_log +select USER(),CURRENT_USER(); +connection default; +disconnect plug_con_wrongp; --echo ## test correct default plugin connect(plug_con_rightp,localhost,plug,plug_dest,,,,,auth_test_plugin); -connection plug_con_rightp; select USER(),CURRENT_USER(); connection default; disconnect plug_con_rightp; @@ -72,7 +65,6 @@ CREATE USER `Ÿ` IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest'; GRANT PROXY ON plug_dest TO `Ÿ`; connect(non_ascii,localhost,Ÿ,plug_dest); -connection non_ascii; select USER(),CURRENT_USER(); connection default; @@ -90,7 +82,6 @@ GRANT ALL PRIVILEGES ON test_grant_db.* TO new_grant_user GRANT PROXY ON plug_dest TO new_grant_user; connect(plug_con_grant,localhost,new_grant_user,plug_dest); -connection plug_con_grant; select USER(),CURRENT_USER(); USE test_grant_db; CREATE TABLE t1 (a INT); @@ -108,7 +99,6 @@ GRANT ALL PRIVILEGES ON test_grant_db.* TO new_grant_user connect(plug_con_grant_deny,localhost,new_grant_user,plug_dest); connect(plug_con_grant,localhost,new_grant_user,new_password); -connection plug_con_grant; select USER(),CURRENT_USER(); USE test_grant_db; CREATE TABLE t1 (a INT); 
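Review bot: The new `--echo` line for the bad-default-plugin case in plugin_auth.test (hunk `@@ -40,22 +37,18 @@`) has a typo (`was't`) and leaves no explanation of why the expectation changed from client error 2059 to a successful login. A comment above `connect(plug_con_wrongp,...)` would pin the intended behaviour, e.g. `# the client's default auth plugin is only a first guess; an unknown name is ignored as long as the server does not request that plugin`. Correcting the echo to `wasn't` also means re-recording plugin_auth.result, which echoes the same string. A client that cannot load a plugin the server does require is no longer asserted in this file; that case appears to be covered only by the missing-plugin block added to multiauth.test.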
@@ -166,8 +156,6 @@ GRANT ALL SELECT,PROXY ON grant_plug_dest TO grant_plug; REVOKE PROXY ON grant_plug_dest FROM grant_plug; connect(grant_plug_dest_con,localhost,grant_plug_dest,grant_plug_dest_passwd); -connection grant_plug_dest_con; ---echo in grant_plug_dest_con --echo ## testing what an ordinary user can grant --echo this should fail : no rights to grant all @@ -209,7 +197,6 @@ REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug; GRANT PROXY ON grant_plug_dest TO grant_plug@localhost; connection default; ---echo in default connection disconnect grant_plug_dest_con; --echo # test what root can grant @@ -226,14 +213,11 @@ GRANT PROXY ON ''@'%%' TO proxy_admin IDENTIFIED BY 'test' GRANT USAGE on *.* TO proxy_admin; connect (proxy_admin_con,localhost,proxy_admin,test); -connection proxy_admin_con; ---echo in proxy_admin_con; --echo should work : proxy_admin has proxy to ''@'%%' GRANT PROXY ON future_user TO grant_plug; connection default; ---echo in default connection disconnect proxy_admin_con; SHOW GRANTS FOR grant_plug; @@ -275,11 +259,8 @@ SET LOCAL proxy_user = 'test'; SELECT @@LOCAL.proxy_user; connect(plug_con,localhost,plug,plug_dest); -connection plug_con; ---echo # in connection plug_con SELECT @@LOCAL.proxy_user; connection default; ---echo # in connection default disconnect plug_con; --echo ## cleanup @@ -304,11 +285,8 @@ SET LOCAL external_user = 'test'; SELECT @@LOCAL.external_user; connect(plug_con,localhost,plug,plug_dest); -connection plug_con; ---echo # in connection plug_con SELECT @@LOCAL.external_user; connection default; ---echo # in connection default disconnect plug_con; --echo ## cleanup @@ -382,7 +360,6 @@ REVOKE PROXY ON u2@localhost FROM u1@localhost; --echo # go try graning proxy on itself, so that it will need the table connect(proxy_granter_con,localhost,u2,); -connection proxy_granter_con; --error ER_NO_SUCH_TABLE GRANT PROXY ON u2@localhost TO u1@localhost; 
@@ -438,7 +415,6 @@ connect(cleartext_fail_con,localhost,uplain,cleartext_test2); --enable_query_log connect(cleartext_con,localhost,uplain,cleartext_test); -connection cleartext_con; select USER(),CURRENT_USER(); connection default; @@ -571,7 +547,6 @@ CREATE USER bug12818542_dest@localhost GRANT PROXY ON bug12818542_dest@localhost TO bug12818542@localhost; connect(bug12818542_con,localhost,bug12818542,bug12818542_dest); -connection bug12818542_con; SELECT USER(),CURRENT_USER(); SET PASSWORD = PASSWORD('bruhaha'); @@ -580,7 +555,6 @@ connection default; disconnect bug12818542_con; connect(bug12818542_con2,localhost,bug12818542,bug12818542_dest); -connection bug12818542_con2; SELECT USER(),CURRENT_USER(); connection default; diff --git a/mysql-test/suite/plugins/r/multiauth.result b/mysql-test/suite/plugins/r/multiauth.result index 998e6d4dce7..d10744daf89 100644 --- a/mysql-test/suite/plugins/r/multiauth.result +++ b/mysql-test/suite/plugins/r/multiauth.result @@ -14,6 +14,7 @@ select user(), current_user(), database(); user() current_user() database() mysqltest1@localhost mysqltest1@% test # name does not match, password bad = failure +mysqltest: Could not open connection 'default': 1045 Access denied for user 'mysqltest1'@'localhost' (using password: YES) drop user USER, mysqltest1; create user USER identified via mysql_native_password as password("GOOD") OR unix_socket; create user mysqltest1 identified via mysql_native_password as password("good") OR unix_socket; @@ -29,6 +30,7 @@ select user(), current_user(), database(); user() current_user() database() mysqltest1@localhost mysqltest1@% test # name does not match, password bad = failure +mysqltest: Could not open connection 'default': 1698 Access denied for user 'mysqltest1'@'localhost' drop user USER, mysqltest1; create user USER identified via unix_socket OR ed25519 as password("GOOD"); create user mysqltest1 identified via unix_socket OR ed25519 as password("good"); 
@@ -44,6 +46,7 @@ select user(), current_user(), database(); user() current_user() database() mysqltest1@localhost mysqltest1@% test # name does not match, password bad = failure +mysqltest: Could not open connection 'default': 1045 Access denied for user 'mysqltest1'@'localhost' (using password: YES) drop user USER, mysqltest1; create user USER identified via ed25519 as password("GOOD") OR unix_socket; create user mysqltest1 identified via ed25519 as password("good") OR unix_socket; @@ -59,6 +62,7 @@ select user(), current_user(), database(); user() current_user() database() mysqltest1@localhost mysqltest1@% test # name does not match, password bad = failure +mysqltest: Could not open connection 'default': 1698 Access denied for user 'mysqltest1'@'localhost' drop user USER, mysqltest1; create user USER identified via ed25519 as password("GOOD") OR unix_socket OR mysql_native_password as password("works"); create user mysqltest1 identified via ed25519 as password("good") OR unix_socket OR mysql_native_password as password("works"); @@ -78,6 +82,7 @@ select user(), current_user(), database(); user() current_user() database() mysqltest1@localhost mysqltest1@% test # name does not match, password bad = failure +mysqltest: Could not open connection 'default': 1045 Access denied for user 'mysqltest1'@'localhost' (using password: YES) drop user USER, mysqltest1; create user mysqltest1 identified via mysql_native_password as password("good") OR mysql_native_password as password("works"); show create user mysqltest1; @@ -92,6 +97,7 @@ select user(), current_user(), database(); user() current_user() database() mysqltest1@localhost mysqltest1@% test # password bad = failure +mysqltest: Could not open connection 'default': 1045 Access denied for user 'mysqltest1'@'localhost' (using password: YES) drop user mysqltest1; create user mysqltest1 identified via ed25519 as password("good") OR unix_socket OR mysql_native_password as password("works"); show grants for mysqltest1; 
@@ -160,11 +166,29 @@ select user(), current_user(), database(); user() current_user() database() USER@localhost USER@% test # name does not match = failure +mysqltest: Could not open connection 'default': 1698 Access denied for user 'mysqltest1'@'localhost' # SET PASSWORD helps set password for mysqltest1 = password('bla'); select user(), current_user(), database(); user() current_user() database() mysqltest1@localhost mysqltest1@% test drop user USER, mysqltest1; +create user mysqltest1 identified via ed25519 as password("good"); +show create user mysqltest1; +CREATE USER for mysqltest1@% +CREATE USER 'mysqltest1'@'%' IDENTIFIED VIA ed25519 USING 'F4aF8bw7130VaRbdLCl4f/P/wkjDmgJXwWvpJ5gmsZc' +# no plugin = failure +mysqltest: Could not open connection 'default': 1045 Plugin client_ed25519 could not be loaded: <PLUGINDIR>/no/client_ed25519.so: cannot open shared object file: No such file or directory +alter user mysqltest1 identified via ed25519 as password("good") OR mysql_native_password as password("works"); +show create user mysqltest1; +CREATE USER for mysqltest1@% +CREATE USER 'mysqltest1'@'%' IDENTIFIED VIA ed25519 USING 'F4aF8bw7130VaRbdLCl4f/P/wkjDmgJXwWvpJ5gmsZc' OR mysql_native_password USING '*7D8C3DF236D9163B6C274A9D47704BC496988460' +# no plugin = failure +mysqltest: Could not open connection 'default': 1045 Access denied for user 'mysqltest1'@'localhost' (using password: YES) +# no plugin, second password works = ok +select user(), current_user(), database(); +user() current_user() database() +mysqltest1@localhost mysqltest1@% test +drop user mysqltest1; uninstall soname 'auth_socket'; uninstall soname 'auth_ed25519'; diff --git a/mysql-test/suite/plugins/t/multiauth.test b/mysql-test/suite/plugins/t/multiauth.test index cb86b4ea2f0..083fefd6756 100644 --- a/mysql-test/suite/plugins/t/multiauth.test +++ b/mysql-test/suite/plugins/t/multiauth.test 
@@ -13,7 +13,7 @@ if (!$AUTH_ED25519_SO) { install soname 'auth_socket'; install soname 'auth_ed25519'; ---let $try_auth=$MYSQL_TEST < $MYSQLTEST_VARDIR/tmp/peercred_test.txt +--let $try_auth=$MYSQL_TEST < $MYSQLTEST_VARDIR/tmp/peercred_test.txt 2>&1 --write_file $MYSQLTEST_VARDIR/tmp/peercred_test.txt --let $replace1=$USER@localhost @@ -174,6 +174,24 @@ set password for mysqltest1 = password('bla'); --replace_result $dreplace "drop user USER" eval $dreplace, mysqltest1; +# +# missing client-side plugin +# +create user mysqltest1 identified via ed25519 as password("good"); +show create user mysqltest1; +--echo # no plugin = failure +--replace_result $plugindir <PLUGINDIR> +--error 1 +--exec $try_auth -u mysqltest1 -pgood --plugin-dir=$plugindir/no +alter user mysqltest1 identified via ed25519 as password("good") OR mysql_native_password as password("works"); +show create user mysqltest1; +--echo # no plugin = failure +--error 1 +--exec $try_auth -u mysqltest1 -pgood --plugin-dir=$plugindir/no +--echo # no plugin, second password works = ok +--exec $try_auth -u mysqltest1 -pworks --plugin-dir=$plugindir/no +drop user mysqltest1; + uninstall soname 'auth_socket'; uninstall soname 'auth_ed25519'; --remove_file $MYSQLTEST_VARDIR/tmp/peercred_test.txt |
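Review bot: The `2>&1` appended to `$try_auth` (hunk `@@ -13,7 +13,7 @@`) has no comment saying why stderr is merged, and from this point every `--exec $try_auth` records mysqltest's error text in multiauth.result. A one-line comment above the `--let` would make the intent explicit, e.g. `# merge stderr so the connection error text is recorded in the result file`. Any exec whose error text can contain a path or an account name then needs masking; the addition visible in this diff masks `$plugindir`, while the earlier execs lie outside the hunk.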
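Review bot: Both failing cases in the new missing-client-plugin block (hunk `@@ -174,6 +174,24 @@`) carry the same label `# no plugin = failure` and assert only `--error 1`, although the recorded result shows two different failures. The first fails because client_ed25519 cannot be loaded, the second with a plain access-denied once the account has a mysql_native_password alternative. Distinct labels would make the property under test readable, e.g. `--echo # no plugin, only ed25519 configured = plugin load failure` and `--echo # no plugin, ed25519 password tried against the alternative = access denied`. Separately, the first expected line pins the dynamic loader's message (`cannot open shared object file: No such file or directory`), which is platform-specific; masking it with something like `--replace_regex /could not be loaded: .*/could not be loaded: <ERROR>/` would presumably keep the test stable elsewhere. `$plugindir` is defined outside this hunk.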