WL#7131:Add timestamp in mysql.user on the last time the

        password was changed and implement password rotation

We need to track when the password was last changed 
and implement password rotation.

Put a TIMESTAMP column inside mysql.user table and 
update it when the password is updated.

Put another column in mysql.user, holding the number
of days after which the password must expire.

Introduce extension of query ALTER USER as:

ALTER USER foo PASSWORD EXPIRE EVERY <day> DAY;
ALTER USER foo PASSWORD EXPIRE NEVER;
ALTER USER foo PASSWORD EXPIRE DEFAULT;

Author: Atanu Ghosh

libmysqld/lib_sql.cc

@@ -1304,6 +1304,9 @@ void Protocol_text::prepare_for_resend()
 
 bool Protocol_text::store_null()
 {
+  if (!thd->mysql)            // bootstrap file handling
+    return false;
+
   *(next_field++)= NULL;
   ++next_mysql_field;
   return false;

mysql-test/extra/rpl_tests/rpl_sp.test

@@ -72,6 +72,9 @@ call foo2();
 # check that this is allowed (it's not for functions):
 alter procedure foo2 contains sql;
 
+# Change the timestamp back to current
+set timestamp = DEFAULT;
+
 # SP with definer's right
 
 drop table t1;

mysql-test/include/mtr_system_tables_data.sql

@@ -35,10 +35,10 @@ DROP TABLE tmp_db;
 -- Fill "user" table with default users allowing root access
 -- from local machine if "user" table didn't exist before
 CREATE TEMPORARY TABLE tmp_user LIKE user;
-INSERT INTO tmp_user VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,@@default_authentication_plugin,'','N');
-REPLACE INTO tmp_user SELECT @current_hostname,'root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,@@default_authentication_plugin,'','N' FROM dual WHERE @current_hostname != 'localhost';
-REPLACE INTO tmp_user VALUES ('127.0.0.1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,@@default_authentication_plugin,'','N');
-REPLACE INTO tmp_user VALUES ('::1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,@@default_authentication_plugin,'','N');
+INSERT INTO tmp_user VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,@@default_authentication_plugin,'','N',CURRENT_TIMESTAMP,NULL);
+REPLACE INTO tmp_user SELECT @current_hostname,'root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,@@default_authentication_plugin,'','N',CURRENT_TIMESTAMP, NULL FROM dual WHERE @current_hostname != 'localhost';
+REPLACE INTO tmp_user VALUES ('127.0.0.1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,@@default_authentication_plugin,'','N',CURRENT_TIMESTAMP,NULL);
+REPLACE INTO tmp_user VALUES ('::1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,@@default_authentication_plugin,'','N',CURRENT_TIMESTAMP,NULL);
 INSERT INTO tmp_user (host,user) SELECT @current_hostname,'' FROM dual WHERE @current_hostname != 'localhost';
 INSERT INTO user SELECT * FROM tmp_user WHERE @had_user_table=0;
 DROP TABLE tmp_user;

mysql-test/r/grant.result

@@ -57,6 +57,8 @@ max_user_connections	0
 plugin	mysql_native_password
 authentication_string	
 password_expired	N
+password_last_changed	DTVALUE
+password_lifetime	NULL
 show grants for mysqltest_1@localhost;
 Grants for mysqltest_1@localhost
 GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost' REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA'
@@ -129,6 +131,8 @@ max_user_connections	0
 plugin	mysql_native_password
 authentication_string	
 password_expired	N
+password_last_changed	DTVALUE
+password_lifetime	NULL
 show grants for mysqltest_1@localhost;
 Grants for mysqltest_1@localhost
 GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost' WITH MAX_QUERIES_PER_HOUR 10
@@ -177,6 +181,8 @@ max_user_connections	0
 plugin	mysql_native_password
 authentication_string	
 password_expired	N
+password_last_changed	DTVALUE
+password_lifetime	NULL
 show grants for mysqltest_1@localhost;
 Grants for mysqltest_1@localhost
 GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost' WITH MAX_QUERIES_PER_HOUR 10 MAX_UPDATES_PER_HOUR 20 MAX_CONNECTIONS_PER_HOUR 30
@@ -2615,3 +2621,106 @@ foo@localhost	foo@127.0.0.1
 # Clean-up
 DROP USER foo@'127.0.0.1';
 # End of Bug#12766319
+#
+# WL#7131: Add timestamp in mysql.user on the last time the
+#          password was changed and implement password rotation.
+#
+SET @saved_value = @@global.default_password_lifetime;
+SET GLOBAL default_password_lifetime = 2;
+SHOW VARIABLES LIKE 'default_password_lifetime';
+Variable_name	Value
+default_password_lifetime	2
+CREATE USER 'wl7131' IDENTIFIED BY 'wl7131';
+# This should report 1.
+SELECT (SELECT now()-(SELECT password_last_changed from mysql.user where user='wl7131')) <= 2;
+(SELECT now()-(SELECT password_last_changed from mysql.user where user='wl7131')) <= 2
+1
+UPDATE mysql.user SET password_last_changed = (now() - INTERVAL 3 DAY) where user='wl7131';
+FLUSH PRIVILEGES;
+# Attempt to execute query should fail
+mysql: [Warning] Using a password on the command line interface can be insecure.
+ERROR 1862 (HY000): Your password has expired. To log in you must change it using a client that supports expired passwords.
+# Doing something should fail
+SELECT 1;
+ERROR HY000: You must SET PASSWORD before executing this statement
+# Setting variables should work
+SET old_passwords=0;
+# Setting password should work
+SET PASSWORD = PASSWORD('new_wl7131');
+# Doing something should pass
+SELECT 1;
+1
+1
+# Reconnecting with same user should pass now
+SELECT 1;
+1
+1
+DROP USER 'wl7131';
+CREATE USER 'wl7131' IDENTIFIED BY 'wl7131';
+# Issue alter user and check the value of
+# password_lifetime column
+ALTER USER 'wl7131' PASSWORD EXPIRE NEVER;
+# This should report 0
+SELECT password_lifetime FROM mysql.user where user='wl7131';
+password_lifetime
+0
+UPDATE mysql.user SET password_last_changed = (now() - INTERVAL 5 DAY) where user='wl7131';
+FLUSH PRIVILEGES;
+# This should pass as password is never expired.
+mysql: [Warning] Using a password on the command line interface can be insecure.
+ALTER USER 'wl7131' PASSWORD EXPIRE DEFAULT;
+# This should report NULL
+SELECT password_lifetime FROM mysql.user where user='wl7131';
+password_lifetime
+NULL
+# This should not pass as default_password_lifetime
+# (which is 2 now) is being used.
+mysql: [Warning] Using a password on the command line interface can be insecure.
+ERROR 1862 (HY000): Your password has expired. To log in you must change it using a client that supports expired passwords.
+SET GLOBAL default_password_lifetime = 0;
+ALTER USER 'wl7131' PASSWORD EXPIRE INTERVAL 4 DAY;
+# Should report 4
+SELECT password_lifetime FROM mysql.user where user='wl7131';
+password_lifetime
+4
+# This should not pass.
+mysql: [Warning] Using a password on the command line interface can be insecure.
+ERROR 1862 (HY000): Your password has expired. To log in you must change it using a client that supports expired passwords.
+SET GLOBAL default_password_lifetime = @saved_value;
+ALTER USER 'wl7131' PASSWORD EXPIRE INTERVAL 6 DAY;
+# Should report 6
+select password_lifetime from mysql.user where user='wl7131';
+password_lifetime
+6
+# This should pass.
+mysql: [Warning] Using a password on the command line interface can be insecure.
+DROP USER 'wl7131';
+CREATE USER 'wl7131';
+# This should not report NULL
+'DTVALUE' IS NOT NULL
+1
+GRANT USAGE ON *.* TO 'wl7131' REQUIRE SSL;
+# This should report 0 as it must have the same value as above
+TIMESTAMPDIFF(SECOND,'DTVALUE','DTVALUE') <> 0
+0
+# Should report errors
+ALTER USER 'wl7131' PASSWORD EXPIRE INTERVAL -2 DAY;
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-2 DAY' at line 1
+ALTER USER 'wl7131' PASSWORD EXPIRE INTERVAL 0 DAY;
+ERROR HY000: Incorrect DAY value: '0'
+ALTER USER 'wl7131' PASSWORD EXPIRE INTERVAL 65536 DAY;
+ERROR HY000: Incorrect DAY value: '65536'
+# Setting an empty password. It should update the timestamp column.
+SET PASSWORD FOR 'wl7131' = PASSWORD('');
+# This should report 1.
+SELECT (SELECT now()-(SELECT password_last_changed from mysql.user where user='wl7131')) <= 2;
+(SELECT now()-(SELECT password_last_changed from mysql.user where user='wl7131')) <= 2
+1
+DROP USER 'wl7131';
+GRANT USAGE ON *.* TO 'wl7131'@'localhost' IDENTIFIED BY 'wl7131';
+# Must report 1
+SELECT (SELECT password_last_changed FROM mysql.user where user='wl7131') IS NOT NULL;
+(SELECT password_last_changed FROM mysql.user where user='wl7131') IS NOT NULL
+1
+DROP USER 'wl7131'@'localhost';
+# mysql.user table restored to original values.

mysql-test/r/grant2.result

@@ -847,3 +847,4 @@ DROP USER mysqltest_u2@localhost;
 DROP USER mysqltest_u3@localhost;
 DROP USER mysqltest_u4@localhost;
 DROP USER mysqltest_u5@localhost;
+# mysql.user table restored to original values.

mysql-test/r/information_schema.result

@@ -706,6 +706,8 @@ max_connections	select,insert,update,references
 max_user_connections	select,insert,update,references
 authentication_string	select,insert,update,references
 password_expired	select,insert,update,references
+password_last_changed	select,insert,update,references
+password_lifetime	select,insert,update,references
 use test;
 create function sub1(i int) returns int
 return i+1;

mysql-test/r/mysqlbinlog.result

@@ -653,6 +653,7 @@ DROP TABLE t1;
 1
 DROP TABLE t1;
 shell> mysqlbinlog std_data/corrupt-relay-bin.000624 > var/tmp/bug31793.sql
+set timestamp= default;
 FLUSH LOGS;
 Bug#31611 Security risk with BINLOG statement
 SET BINLOG_FORMAT=ROW;

mysql-test/r/mysqld--help-notwin.result

@@ -140,6 +140,8 @@ The following options may be given as the first argument:
  --default-authentication-plugin=name 
  The default authentication plugin used by the server to
  hash the password.
+ --default-password-lifetime=# 
+ The number of days after which the password will expire.
  --default-storage-engine=name 
  The default storage engine for new tables
  --default-time-zone=name 
@@ -1063,6 +1065,7 @@ console FALSE
 date-format %Y-%m-%d
 datetime-format %Y-%m-%d %H:%i:%s
 default-authentication-plugin mysql_native_password
+default-password-lifetime 360
 default-storage-engine InnoDB
 default-time-zone (No default value)
 default-tmp-storage-engine InnoDB

mysql-test/r/mysqld--help-win.result

@@ -140,6 +140,8 @@ The following options may be given as the first argument:
  --default-authentication-plugin=name 
  The default authentication plugin used by the server to
  hash the password.
+ --default-password-lifetime=# 
+ The number of days after which the password will expire.
  --default-storage-engine=name 
  The default storage engine for new tables
  --default-time-zone=name 
@@ -1071,6 +1073,7 @@ console FALSE
 date-format %Y-%m-%d
 datetime-format %Y-%m-%d %H:%i:%s
 default-authentication-plugin mysql_native_password
+default-password-lifetime 360
 default-storage-engine InnoDB
 default-time-zone (No default value)
 default-tmp-storage-engine InnoDB

mysql-test/r/ps.result

@@ -1226,13 +1226,13 @@ SET @aux= "SELECT COUNT(*)
 prepare my_stmt from @aux;
 execute my_stmt;
 COUNT(*)
-43
+45
 execute my_stmt;
 COUNT(*)
-43
+45
 execute my_stmt;
 COUNT(*)
-43
+45
 deallocate prepare my_stmt;
 drop procedure if exists p1|
 drop table if exists t1|

mysql-test/r/system_mysql_db.result

@@ -102,6 +102,8 @@ user	CREATE TABLE `user` (
   `plugin` char(64) COLLATE utf8_bin NOT NULL DEFAULT 'mysql_native_password',
   `authentication_string` text COLLATE utf8_bin,
   `password_expired` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
+  `password_last_changed` timestamp NULL DEFAULT NULL,
+  `password_lifetime` smallint(5) unsigned DEFAULT NULL,
   PRIMARY KEY (`Host`,`User`)
 ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin COMMENT='Users and global privileges'
 show create table func;