Bug#23291841: PASSWORD NOT EXPIRING WHEN IT SHOULD

Description:- User password is not expiring even after
exceeding the "password_lifetime" limit.

Analysis:- Password is not expiring because of the attribute
"use_default_password_lifetime" which is set inside
"acl_update_user()". This is making the user's account
accessible even after the password exceeds the password
lifetime.

Fix:- The function, "change_password()" is modified to
set "update_password_expired_fields" field to false.
A check is introduced inside "acl_update_user()" before
updating the password expired fields.

Author: Arun Kuruvila

mysql-test/r/grant_user_lock_qa.result

@@ -430,7 +430,7 @@ account_locked	N
 
 SHOW CREATE USER u6@localhost;
 CREATE USER for u6@localhost
-CREATE USER 'u6'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '<non-deterministic-password-hash>' REQUIRE X509 PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK
+CREATE USER 'u6'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '<non-deterministic-password-hash>' REQUIRE X509 PASSWORD EXPIRE NEVER ACCOUNT UNLOCK
 SELECT USER();
 USER()
 u6@localhost
@@ -548,7 +548,7 @@ account_locked	N
 
 SHOW CREATE USER u9@localhost;
 CREATE USER for u9@localhost
-CREATE USER 'u9'@'localhost' IDENTIFIED WITH 'sha256_password' AS '<non-deterministic-password-hash>' REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client' PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK
+CREATE USER 'u9'@'localhost' IDENTIFIED WITH 'sha256_password' AS '<non-deterministic-password-hash>' REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client' PASSWORD EXPIRE NEVER ACCOUNT UNLOCK
 SELECT USER();
 USER()
 u9@localhost

sql/auth/sql_auth_cache.cc

@@ -2702,7 +2702,8 @@ void acl_update_user(const char *user, const char *host,
         if (password_life.update_password_expired_column ||
             what_is_set & PLUGIN_ATTR)
           acl_user->password_expired= password_life.update_password_expired_column;
-        if (!password_life.update_password_expired_column)
+        if (!password_life.update_password_expired_column &&
+            password_life.update_password_expired_fields)
         {
           if (!password_life.use_default_password_lifetime)
           {

sql/auth/sql_authentication.cc

@@ -2029,6 +2029,12 @@ check_password_lifetime(THD *thd, const ACL_USER *acl_user)
       }
     }
   }
+  DBUG_EXECUTE_IF("force_password_interval_expire",
+                  {
+                    if (!acl_user->use_default_password_lifetime &&
+                        acl_user->password_lifetime)
+                      password_time_expired= true;
+                  });
   return password_time_expired;
 }
 

sql/auth/sql_user.cc

@@ -708,6 +708,7 @@ bool change_password(THD *thd, const char *host, const char *user,
   thd->lex->alter_password.expire_after_days= 0;
   thd->lex->alter_password.update_account_locked_column= false;
   thd->lex->alter_password.account_locked= false;
+  thd->lex->alter_password.update_password_expired_fields= false;
 
   /*
     When @@log-backward-compatible-user-definitions variable is ON