WL#12803: SHOW CREATE USER AND CREATE USER TO WORK WITH HEX STRINGS FOR

AUTH DATA
RB#21210

Author: gkodinov

mysql-test/r/all_persisted_variables.result

@@ -37,17 +37,17 @@ include/assert.inc [Expect 500+ variables in the table. Due to open Bugs, we are
 
 # Test SET PERSIST
 
-include/assert.inc [Expect 377 persisted variables in the table.]
+include/assert.inc [Expect 378 persisted variables in the table.]
 
 ************************************************************
 * 3. Restart server, it must preserve the persisted variable
 *    settings. Verify persisted configuration.
 ************************************************************
 # restart
 
-include/assert.inc [Expect 377 persisted variables in persisted_variables table.]
-include/assert.inc [Expect 377 persisted variables shown as PERSISTED in variables_info table.]
-include/assert.inc [Expect 377 persisted variables with matching peristed and global values.]
+include/assert.inc [Expect 378 persisted variables in persisted_variables table.]
+include/assert.inc [Expect 378 persisted variables shown as PERSISTED in variables_info table.]
+include/assert.inc [Expect 378 persisted variables with matching peristed and global values.]
 
 ************************************************************
 * 4. Test RESET PERSIST IF EXISTS. Verify persisted variable

mysql-test/r/mysqld--help-notwin.result

@@ -971,6 +971,9 @@ The following options may be given as the first argument:
  --preload-buffer-size=# 
  The size of the buffer that is allocated when preloading
  indexes
+ --print-identified-with-as-hex 
+ SHOW CREATE USER will print the AS clause as HEX if it
+ contains non-prinable characters
  --profiling-history-size=# 
  Limit of query profiling memory
  --query-alloc-block-size=# 
@@ -1650,6 +1653,7 @@ persisted-globals-load TRUE
 port ####
 port-open-timeout 0
 preload-buffer-size 32768
+print-identified-with-as-hex FALSE
 profiling-history-size 15
 query-alloc-block-size 8192
 query-prealloc-size 8192

mysql-test/r/mysqld--help-win.result

@@ -974,6 +974,9 @@ The following options may be given as the first argument:
  --preload-buffer-size=# 
  The size of the buffer that is allocated when preloading
  indexes
+ --print-identified-with-as-hex 
+ SHOW CREATE USER will print the AS clause as HEX if it
+ contains non-prinable characters
  --profiling-history-size=# 
  Limit of query profiling memory
  --query-alloc-block-size=# 
@@ -1662,6 +1665,7 @@ persisted-globals-load TRUE
 port ####
 port-open-timeout 0
 preload-buffer-size 32768
+print-identified-with-as-hex FALSE
 profiling-history-size 15
 query-alloc-block-size 8192
 query-prealloc-size 8192

mysql-test/suite/binlog/r/print_identified_with_as_hex.result

@@ -0,0 +1,17 @@
+include/master-slave.inc
+Warnings:
+Note	####	Sending passwords in plain text without SSL/TLS is extremely insecure.
+Note	####	Storing MySQL user name or password information in the master info repository is not secure and is therefore not recommended. Please consider using the USER and PASSWORD connection options for START SLAVE; see the 'START SLAVE Syntax' in the MySQL Manual for more information.
+[connection master]
+# This corresponds to CREATE USER foo@localhost IDENTIFIED BY 'bar'
+# But because of the salt we peg the whole hash instead.
+CREATE USER foo@localhost IDENTIFIED WITH 'caching_sha2_password' AS 0x244124303035240C4D7A6D25436F2C0A08515310644615383E2A123961484C6276734178425A446172436B58446A582F6178544A692E6F644E4F2F4E596E666276454B563336 PASSWORD HISTORY DEFAULT;
+include/sync_slave_sql_with_master.inc
+[On Slave]
+# The statement should be printed without the hex, according to the default value for the option
+include/show_binlog_events.inc
+Log_name	Pos	Event_type	Server_id	End_log_pos	Info
+slave-bin.000001	#	Query	#	#	use `test`; CREATE USER 'foo'@'localhost' IDENTIFIED WITH 'caching_sha2_password' AS '$A$005$Mzm%Co,\nQSdF8>*9aHLbvsAxBZDarCkXDjX/axTJi.odNO/NYnfbvEKV36' PASSWORD HISTORY DEFAULT
+# cleanup
+DROP USER foo@localhost;
+include/rpl_end.inc

mysql-test/suite/binlog/t/print_identified_with_as_hex.test

@@ -0,0 +1,18 @@
+# Save the initial number of concurrent sessions
+--source include/count_sessions.inc
+--source include/master-slave.inc
+--connection master
+
+--echo # This corresponds to CREATE USER foo@localhost IDENTIFIED BY 'bar'
+--echo # But because of the salt we peg the whole hash instead.
+CREATE USER foo@localhost IDENTIFIED WITH 'caching_sha2_password' AS 0x244124303035240C4D7A6D25436F2C0A08515310644615383E2A123961484C6276734178425A446172436B58446A582F6178544A692E6F644E4F2F4E596E666276454B563336 PASSWORD HISTORY DEFAULT;
+
+--source include/sync_slave_sql_with_master.inc
+--echo [On Slave]
+--echo # The statement should be printed without the hex, according to the default value for the option
+--source include/show_binlog_events.inc
+
+--echo # cleanup
+--connection master
+DROP USER foo@localhost;
+--source include/rpl_end.inc

mysql-test/suite/sys_vars/r/print_identified_with_as_hex_basic.result

@@ -0,0 +1,44 @@
+# Should be off by default
+SELECT @@GLOBAL.print_identified_with_as_hex, @@SESSION.print_identified_with_as_hex;
+@@GLOBAL.print_identified_with_as_hex	@@SESSION.print_identified_with_as_hex
+0	0
+SET GLOBAL print_identified_with_as_hex=1;
+SELECT @@GLOBAL.print_identified_with_as_hex, @@SESSION.print_identified_with_as_hex;
+@@GLOBAL.print_identified_with_as_hex	@@SESSION.print_identified_with_as_hex
+1	0
+SET SESSION print_identified_with_as_hex=1;
+SELECT @GLOBAL.print_identified_with_as_hex, @@SESSION.print_identified_with_as_hex;
+@GLOBAL.print_identified_with_as_hex	@@SESSION.print_identified_with_as_hex
+NULL	1
+# This corresponds to CREATE USER foo@localhost IDENTIFIED BY 'bar'
+# But because of the salt we peg the whole hash instead.
+CREATE USER 'foo'@'localhost' IDENTIFIED WITH 'caching_sha2_password' AS 0x244124303035240C4D7A6D25436F2C0A08515310644615383E2A123961484C6276734178425A446172436B58446A582F6178544A692E6F644E4F2F4E596E666276454B563336 REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT;
+CREATE USER oldfoo@localhost IDENTIFIED WITH 'mysql_native_password' BY 'bar';
+# Should display hex: unprintable symbols
+SHOW CREATE USER foo@localhost;
+CREATE USER for foo@localhost
+CREATE USER 'foo'@'localhost' IDENTIFIED WITH 'caching_sha2_password' AS 0x244124303035240C4D7A6D25436F2C0A08515310644615383E2A123961484C6276734178425A446172436B58446A582F6178544A692E6F644E4F2F4E596E666276454B563336 REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT
+# Should not display hex: native passwords not having non-printable bytes
+SHOW CREATE USER oldfoo@localhost;
+CREATE USER for oldfoo@localhost
+CREATE USER 'oldfoo'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*E8D46CE25265E545D225A8A6F1BAF642FEBEE5CB' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT
+SET SESSION print_identified_with_as_hex=0;
+# Should not display hex: turned off
+SHOW CREATE USER foo@localhost;
+CREATE USER for foo@localhost
+CREATE USER 'foo'@'localhost' IDENTIFIED WITH 'caching_sha2_password' AS '$A$005$Mzm%Co,\nQSdF8>*9aHLbvsAxBZDarCkXDjX/axTJi.odNO/NYnfbvEKV36' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT
+# Should not display hex: turned off
+SHOW CREATE USER oldfoo@localhost;
+CREATE USER for oldfoo@localhost
+CREATE USER 'oldfoo'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*E8D46CE25265E545D225A8A6F1BAF642FEBEE5CB' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT
+# Now try to reply the statement produced by SHOW CREATE
+DROP USER foo@localhost;
+# Replaying the collected statement
+# Connecting as foo: should work
+SELECT 1;
+1
+1
+# back to default connection
+# Cleanup
+DROP USER foo@localhost,oldfoo@localhost;
+SET GLOBAL print_identified_with_as_hex=default;

mysql-test/suite/sys_vars/t/print_identified_with_as_hex_basic.test

@@ -0,0 +1,43 @@
+# Save the initial number of concurrent sessions
+--source include/count_sessions.inc
+
+--echo # Should be off by default
+SELECT @@GLOBAL.print_identified_with_as_hex, @@SESSION.print_identified_with_as_hex;
+SET GLOBAL print_identified_with_as_hex=1;
+SELECT @@GLOBAL.print_identified_with_as_hex, @@SESSION.print_identified_with_as_hex;
+SET SESSION print_identified_with_as_hex=1;
+SELECT @GLOBAL.print_identified_with_as_hex, @@SESSION.print_identified_with_as_hex;
+
+--echo # This corresponds to CREATE USER foo@localhost IDENTIFIED BY 'bar'
+--echo # But because of the salt we peg the whole hash instead.
+CREATE USER 'foo'@'localhost' IDENTIFIED WITH 'caching_sha2_password' AS 0x244124303035240C4D7A6D25436F2C0A08515310644615383E2A123961484C6276734178425A446172436B58446A582F6178544A692E6F644E4F2F4E596E666276454B563336 REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT;
+CREATE USER oldfoo@localhost IDENTIFIED WITH 'mysql_native_password' BY 'bar';
+--echo # Should display hex: unprintable symbols
+SHOW CREATE USER foo@localhost;
+--echo # Should not display hex: native passwords not having non-printable bytes
+SHOW CREATE USER oldfoo@localhost;
+SET SESSION print_identified_with_as_hex=0;
+--echo # Should not display hex: turned off
+SHOW CREATE USER foo@localhost;
+--echo # Should not display hex: turned off
+SHOW CREATE USER oldfoo@localhost;
+
+--echo # Now try to reply the statement produced by SHOW CREATE
+--exec $MYSQL -e "SHOW CREATE USER foo@localhost" -s -s -s > $MYSQLTEST_VARDIR/tmp/hex_user.sql
+DROP USER foo@localhost;
+--echo # Replaying the collected statement
+--exec $MYSQL < $MYSQLTEST_VARDIR/tmp/hex_user.sql
+--echo # Connecting as foo: should work
+connect(con1,localhost,foo,bar,test);
+SELECT 1;
+--echo # back to default connection
+connection default;
+disconnect con1;
+
+--echo # Cleanup
+--remove_file $MYSQLTEST_VARDIR/tmp/hex_user.sql
+DROP USER foo@localhost,oldfoo@localhost;
+SET GLOBAL print_identified_with_as_hex=default;
+
+# Wait till all disconnects are completed
+--source include/wait_until_count_sessions.inc

mysql-test/t/all_persisted_variables.test

@@ -39,7 +39,7 @@
 call mtr.add_suppression("Failed to set up SSL because of the following SSL library error");
 
 let $total_global_vars=`SELECT COUNT(*) FROM performance_schema.global_variables where variable_name NOT LIKE 'ndb_%'`;
-let $total_persistent_vars=377;
+let $total_persistent_vars=378;
 
 --echo ***************************************************************
 --echo * 0. Verify that variables present in performance_schema.global

sql/auth/sql_user.cc

@@ -330,7 +330,8 @@ bool mysql_show_create_user(THD *thd, LEX_USER *user_name,
   }
   lex->users_list.push_back(user_name);
   {
-    Show_user_params show_user_params(hide_password_hash);
+    Show_user_params show_user_params(
+        hide_password_hash, thd->variables.print_identified_with_as_hex);
     mysql_rewrite_acl_query(thd, Consumer_type::STDOUT, &show_user_params,
                             false);
     sql_text.takeover(thd->rewritten_query);

sql/sql_rewrite.cc

@@ -784,10 +784,8 @@ void Rewriter_alter_user::rewrite_password_reuse(const LEX *lex,
 Rewriter_show_create_user::Rewriter_show_create_user(THD *thd,
                                                      Consumer_type type,
                                                      Rewrite_params *params)
-    : Rewriter_user(thd, type) {
-  Show_user_params *show_params = dynamic_cast<Show_user_params *>(params);
-  if (show_params) m_hide_password_hash = show_params->hide_password_hash;
-}
+    : Rewriter_user(thd, type),
+      show_params_(dynamic_cast<Show_user_params *>(params)) {}
 
 /**
   Rewrite the query for the SHOW CREATE USER statement.
@@ -804,6 +802,36 @@ bool Rewriter_show_create_user::rewrite() const {
   parent::rewrite();
   return true;
 }
+
+/**
+  A special rewriter override to make SHOW CREATE USER convert the string
+  to hex if print_identified_with_as hex is on
+
+  @param [in]       user    LEX_USER to fetch the auth string of it.
+  @param [in, out]  str     The string in which hash value is suffixed
+
+  @sa Rewriter_user::append_auth_str
+*/
+void Rewriter_show_create_user::append_auth_str(LEX_USER *user,
+                                                String *str) const {
+  String from_auth(user->auth.str, user->auth.length, system_charset_info);
+
+  if (show_params_ && show_params_->print_identified_with_as_hex_ &&
+      user->auth.length) {
+    for (const char *c = user->auth.str;
+         static_cast<size_t>(c - user->auth.str) < user->auth.length; c++) {
+      if (!my_isgraph(system_charset_info, *c)) {
+        from_auth.alloc(user->auth.length * 2 + 3);
+        str_to_hex(from_auth.c_ptr_quick(), user->auth.str, user->auth.length);
+        from_auth.length(user->auth.length * 2 + 2);
+        str->append(from_auth);
+
+        return;
+      }
+    }
+  }
+  append_query_string(m_thd, system_charset_info, &from_auth, str);
+}
 /**
   Append the PASSWORD HISTORY clause for users
 
@@ -840,7 +868,7 @@ void Rewriter_show_create_user::append_user_auth_info(LEX_USER *user,
   append_plugin_name(user, str);
   if (user->auth.length > 0) {
     str->append(STRING_WITH_LEN(" AS "));
-    if (m_hide_password_hash) {
+    if (show_params_ && show_params_->hide_password_hash) {
       append_literal_secret(str);
     } else {
       append_auth_str(user, str);

sql/sql_rewrite.h

@@ -67,9 +67,12 @@ class User_params : public Rewrite_params {
 */
 class Show_user_params : public Rewrite_params {
  public:
-  Show_user_params(bool hide_password_hash)
-      : Rewrite_params(), hide_password_hash(hide_password_hash) {}
+  Show_user_params(bool hide_password_hash, bool print_identified_with_as_hex)
+      : Rewrite_params(),
+        hide_password_hash(hide_password_hash),
+        print_identified_with_as_hex_(print_identified_with_as_hex) {}
   bool hide_password_hash;
+  bool print_identified_with_as_hex_;
 };
 
 /**
@@ -147,7 +150,7 @@ class Rewriter_user : public I_rewriter {
   /* Append the literal value <secret> to the str */
   void append_literal_secret(String *str) const;
   /* Append the password hash to the output string */
-  void append_auth_str(LEX_USER *lex, String *str) const;
+  virtual void append_auth_str(LEX_USER *lex, String *str) const;
   /* Append the authentication plugin name for the user */
   void append_plugin_name(const LEX_USER *user, String *str) const;
   /*
@@ -216,14 +219,18 @@ class Rewriter_show_create_user final : public Rewriter_user {
                             Rewrite_params *params);
   bool rewrite() const override;
 
+ protected:
+  /* Append the password hash to the output string */
+  virtual void append_auth_str(LEX_USER *lex, String *str) const override;
+
  private:
   void append_user_auth_info(LEX_USER *user, bool comma,
                              String *str) const override;
   void rewrite_password_history(const LEX *lex, String *str) const override;
   void rewrite_password_reuse(const LEX *lex, String *str) const override;
   /* Append the DEFAULT ROLE OPTIONS clause */
   void rewrite_default_roles(const LEX *lex, String *str) const;
-  bool m_hide_password_hash = false;
+  Show_user_params *show_params_;
 };
 /** Rewrites the SET statement. */
 class Rewriter_set : public I_rewriter {

sql/sql_yacc.yy

@@ -13886,6 +13886,10 @@ TEXT_STRING_password:
 
 TEXT_STRING_hash:
           TEXT_STRING_sys
+        | HEX_NUM
+          {
+            $$= Item_hex_string::make_hex_str($1.str, $1.length);
+          }
         ;
 
 TEXT_STRING_validated:

sql/sys_vars.cc

@@ -6560,3 +6560,10 @@ static Sys_var_bool Sys_table_encryption_privilege_check(
     GLOBAL_VAR(opt_table_encryption_privilege_check), CMD_LINE(OPT_ARG),
     DEFAULT(false), NO_MUTEX_GUARD, NOT_IN_BINLOG,
     ON_CHECK(check_set_table_encryption_privilege_access), ON_UPDATE(0));
+
+static Sys_var_bool Sys_var_print_identified_with_as_hex(
+    "print_identified_with_as_hex",
+    "SHOW CREATE USER will print the AS clause as HEX if it contains "
+    "non-prinable characters",
+    SESSION_VAR(print_identified_with_as_hex), CMD_LINE(OPT_ARG),
+    DEFAULT(false));

sql/system_variables.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -383,6 +383,11 @@ struct System_variables {
     default.
   */
   bool default_table_encryption;
+
+  /**
+    @sa Sys_var_print_identified_with_as_hex
+  */
+  bool print_identified_with_as_hex;
 };
 
 /**