strict_password_validation

mysql-test/r/mysqld--help.result

@@ -987,6 +987,11 @@ The following options may be given as the first argument:
  --stored-program-cache=# 
  The soft upper limit for number of cached stored routines
  for one connection.
+ --strict-password-validation 
+ When password validation plugins are enabled, reject
+ passwords that cannot be validated (passwords specified
+ as a hash)
+ (Defaults to on; use --skip-strict-password-validation to disable.)
  -s, --symbolic-links 
  Enable symbolic link support.
  --sync-binlog=#     Synchronously flush binary log to disk after every #th
@@ -1348,6 +1353,7 @@ sort-buffer-size 2097152
 sql-mode 
 stack-trace TRUE
 stored-program-cache 256
+strict-password-validation TRUE
 symbolic-links FALSE
 sync-binlog 0
 sync-frm FALSE

mysql-test/suite/plugins/r/simple_password_check.result

@@ -109,6 +109,42 @@ ERROR HY000: Your password does not satisfy the current policy requirements
 set password for foo1 = old_password('qwe:123:ASD4');
 ERROR HY000: Your password does not satisfy the current policy requirements
 set password for foo1 = password('qwe:123:ASD!');
+select @@strict_password_validation;
+@@strict_password_validation
+1
+set password for foo1 = '';
+ERROR HY000: Your password does not satisfy the current policy requirements
+set password for foo1 = '2222222222222222';
+ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
+set password for foo1 = '11111111111111111111111111111111111111111';
+ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
+create user foo2 identified by password '11111111111111111111111111111111111111111';
+ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
+grant select on *.* to foo2 identified by password '2222222222222222';
+ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
+create user foo2 identified with mysql_native_password using '11111111111111111111111111111111111111111';
+ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
+grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
+ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
+create user foo2 identified with mysql_native_password using '';
+ERROR HY000: Your password does not satisfy the current policy requirements
+grant select on *.* to foo2 identified with mysql_old_password;
+ERROR HY000: Your password does not satisfy the current policy requirements
+update mysql.user set password='xxx' where user='foo1';
+set global strict_password_validation=0;
+set password for foo1 = '';
+ERROR HY000: Your password does not satisfy the current policy requirements
+set password for foo1 = '2222222222222222';
+set password for foo1 = '11111111111111111111111111111111111111111';
+create user foo2 identified by password '11111111111111111111111111111111111111111';
+drop user foo2;
+grant select on *.* to foo2 identified by password '2222222222222222';
+drop user foo2;
+create user foo2 identified with mysql_native_password using '11111111111111111111111111111111111111111';
+drop user foo2;
+grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
+drop user foo2;
+set global strict_password_validation=1;
 drop user foo1;
 uninstall plugin simple_password_check;
 create user foo1 identified by 'pwd';

mysql-test/suite/plugins/t/simple_password_check.test

@@ -58,6 +58,48 @@ set password for foo1 = password('qwe:123:4SD!');
 --error ER_NOT_VALID_PASSWORD
 set password for foo1 = old_password('qwe:123:ASD4');
 set password for foo1 = password('qwe:123:ASD!');
+
+# now, strict_password_validation
+select @@strict_password_validation;
+
+--error ER_NOT_VALID_PASSWORD
+set password for foo1 = '';
+--error ER_OPTION_PREVENTS_STATEMENT
+set password for foo1 = '2222222222222222';
+--error ER_OPTION_PREVENTS_STATEMENT
+set password for foo1 = '11111111111111111111111111111111111111111';
+--error ER_OPTION_PREVENTS_STATEMENT
+create user foo2 identified by password '11111111111111111111111111111111111111111';
+--error ER_OPTION_PREVENTS_STATEMENT
+grant select on *.* to foo2 identified by password '2222222222222222';
+--error ER_OPTION_PREVENTS_STATEMENT
+create user foo2 identified with mysql_native_password using '11111111111111111111111111111111111111111';
+--error ER_OPTION_PREVENTS_STATEMENT
+grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
+--error ER_NOT_VALID_PASSWORD
+create user foo2 identified with mysql_native_password using '';
+--error ER_NOT_VALID_PASSWORD
+grant select on *.* to foo2 identified with mysql_old_password;
+
+# direct updates are not protected
+update mysql.user set password='xxx' where user='foo1';
+
+set global strict_password_validation=0;
+
+--error ER_NOT_VALID_PASSWORD
+set password for foo1 = '';
+set password for foo1 = '2222222222222222';
+set password for foo1 = '11111111111111111111111111111111111111111';
+create user foo2 identified by password '11111111111111111111111111111111111111111';
+drop user foo2;
+grant select on *.* to foo2 identified by password '2222222222222222';
+drop user foo2;
+create user foo2 identified with mysql_native_password using '11111111111111111111111111111111111111111';
+drop user foo2;
+grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
+drop user foo2;
+
+set global strict_password_validation=1;
 drop user foo1;
 
 uninstall plugin simple_password_check;

mysql-test/suite/sys_vars/r/all_vars.result

@@ -10,5 +10,6 @@ there should be *no* long test name listed below:
 select distinct variable_name as `there should be *no* variables listed below:` from t2
 left join t1 on variable_name=test_name where test_name is null;
 there should be *no* variables listed below:
+strict_password_validation
 drop table t1;
 drop table t2;

mysql-test/suite/sys_vars/r/sysvars_server_embedded.result

@@ -3647,6 +3647,20 @@ NUMERIC_BLOCK_SIZE	1
 ENUM_VALUE_LIST	NULL
 READ_ONLY	NO
 COMMAND_LINE_ARGUMENT	REQUIRED
+VARIABLE_NAME	STRICT_PASSWORD_VALIDATION
+SESSION_VALUE	NULL
+GLOBAL_VALUE	ON
+GLOBAL_VALUE_ORIGIN	COMPILE-TIME
+DEFAULT_VALUE	ON
+VARIABLE_SCOPE	GLOBAL
+VARIABLE_TYPE	BOOLEAN
+VARIABLE_COMMENT	When password validation plugins are enabled, reject passwords that cannot be validated (passwords specified as a hash)
+NUMERIC_MIN_VALUE	NULL
+NUMERIC_MAX_VALUE	NULL
+NUMERIC_BLOCK_SIZE	NULL
+ENUM_VALUE_LIST	OFF,ON
+READ_ONLY	NO
+COMMAND_LINE_ARGUMENT	OPTIONAL
 VARIABLE_NAME	SYNC_BINLOG
 SESSION_VALUE	NULL
 GLOBAL_VALUE	0

mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result

@@ -4249,6 +4249,20 @@ NUMERIC_BLOCK_SIZE	1
 ENUM_VALUE_LIST	NULL
 READ_ONLY	NO
 COMMAND_LINE_ARGUMENT	REQUIRED
+VARIABLE_NAME	STRICT_PASSWORD_VALIDATION
+SESSION_VALUE	NULL
+GLOBAL_VALUE	ON
+GLOBAL_VALUE_ORIGIN	COMPILE-TIME
+DEFAULT_VALUE	ON
+VARIABLE_SCOPE	GLOBAL
+VARIABLE_TYPE	BOOLEAN
+VARIABLE_COMMENT	When password validation plugins are enabled, reject passwords that cannot be validated (passwords specified as a hash)
+NUMERIC_MIN_VALUE	NULL
+NUMERIC_MAX_VALUE	NULL
+NUMERIC_BLOCK_SIZE	NULL
+ENUM_VALUE_LIST	OFF,ON
+READ_ONLY	NO
+COMMAND_LINE_ARGUMENT	OPTIONAL
 VARIABLE_NAME	SYNC_BINLOG
 SESSION_VALUE	NULL
 GLOBAL_VALUE	0

sql/mysqld.cc

@@ -431,7 +431,7 @@ my_bool opt_safe_user_create = 0;
 my_bool opt_show_slave_auth_info;
 my_bool opt_log_slave_updates= 0;
 my_bool opt_replicate_annotate_row_events= 0;
-my_bool opt_mysql56_temporal_format= 0;
+my_bool opt_mysql56_temporal_format=0, strict_password_validation= 1;
 char *opt_slave_skip_errors;
 
 /*

sql/mysqld.h

@@ -748,7 +748,7 @@ extern my_bool opt_master_verify_checksum;
 extern my_bool opt_stack_trace;
 extern my_bool opt_expect_abort;
 extern my_bool opt_slave_sql_verify_checksum;
-extern my_bool opt_mysql56_temporal_format;
+extern my_bool opt_mysql56_temporal_format, strict_password_validation;
 extern ulong binlog_checksum_options;
 extern bool max_user_connections_checking;
 extern ulong opt_binlog_dbug_fsync_sleep;

sql/sql_acl.cc

@@ -892,6 +892,17 @@ static bool validate_password(LEX_STRING *user, LEX_STRING *password)
                         MariaDB_PASSWORD_VALIDATION_PLUGIN, &data);
 }
 
+static my_bool check_if_exists(THD *, plugin_ref, void *)
+{
+  return TRUE;
+}
+
+static bool has_validation_plugins()
+{
+  return plugin_foreach(NULL, check_if_exists,
+                        MariaDB_PASSWORD_VALIDATION_PLUGIN, NULL);
+}
+
 /**
   Convert scrambled password to binary form, according to scramble type,
   Binary form is stored in user.salt.
@@ -1020,6 +1031,14 @@ static bool fix_lex_user(THD *thd, LEX_USER *user)
       return true;
     }
   }
+  else
+  {
+    if (strict_password_validation && has_validation_plugins())
+    {
+      my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--strict-password-validation");
+      return true;
+    }
+  }
 
   if (user->password.length && !user->auth.length)
   {

sql/sys_vars.cc

@@ -5077,3 +5077,10 @@ static Sys_var_mybool Sys_mysql56_temporal_format(
        "Use MySQL-5.6 (instead of MariaDB-5.3) format for TIME, DATETIME, TIMESTAMP columns.",
        GLOBAL_VAR(opt_mysql56_temporal_format),
        CMD_LINE(OPT_ARG), DEFAULT(TRUE), NO_MUTEX_GUARD, NOT_IN_BINLOG);
+
+static Sys_var_mybool Sys_strict_password_validation(
+       "strict_password_validation",
+       "When password validation plugins are enabled, reject passwords "
+       "that cannot be validated (passwords specified as a hash)",
+       GLOBAL_VAR(strict_password_validation),
+       CMD_LINE(OPT_ARG), DEFAULT(TRUE), NO_MUTEX_GUARD, NOT_IN_BINLOG);