Bug#14588145: NEED ABILITY TO FLUSH PASSWORD VALIDATION DICTIONARY FILE

PROBLEM: Once validate_password plugin is loaded
any change made to dictionary file was
not accepted. File content is cached and
it cannot be flushed without re-loading
the plugin.

SOLUTION: Dictionary file can be flushed.
Changing the validate_password_dictionary_file
variable from a readonly to a dynamic variable.
We can specify the new dictionary file name by
setting validate_password_dictionary_file. It
will flush the previous dictionary file and
load the new one.

Also added 2 new status variables:
* validate_password_dictionary_file_last_parsed :
  a YYYY-MM-DD HH:MM:SS OS local time string on when
  the last password file update took place.

* validate_password_dictionary_file_words_count
  an integer containing the exact number of words
  in the dictionary.

Both status variables are updated when
a password file is parsed.

Test cases added.
Also updated the existing test to not restart the
server to change the dictionary file.

Author: gkodinov

mysql-test/r/validate_password_plugin.result

@@ -96,10 +96,7 @@ SET @@global.validate_password_special_char_count= 1;
 SET @@global.validate_password_policy=STRONG;
 SET PASSWORD FOR 'base_user'@'localhost'= PASSWORD('password1A#');
 UPDATE mysql.user SET PASSWORD= PASSWORD('password1A#') WHERE user='base_user';
-UNINSTALL PLUGIN validate_password;
-# restarting the server with dictionary file.
-# Restart server.
-INSTALL PLUGIN validate_password SONAME 'validate_password.so';
+SET @@global.validate_password_dictionary_file="MYSQL_ERRMSG_BASEDIR/dictionary.txt";
 # password policy strong
 # default_file : dictionary.txt
 SET @@global.validate_password_policy=STRONG;
@@ -161,4 +158,70 @@ DROP USER 'user2'@'localhost';
 DROP USER 'base_user'@'localhost';
 DROP USER 'user1'@'localhost';
 DROP USER 'user'@'localhost';
+SET @@global.validate_password_length=default;
+SET @@global.validate_password_number_count=default;
+SET @@global.validate_password_mixed_case_count=default;
+SET @@global.validate_password_special_char_count=default;
+SET @@global.validate_password_policy=default;
+SET @@global.validate_password_dictionary_file=default;
+SELECT @@validate_password_length,
+@@validate_password_number_count,
+@@validate_password_mixed_case_count,
+@@validate_password_special_char_count,
+@@validate_password_policy,
+@@validate_password_dictionary_file;
+@@validate_password_length	@@validate_password_number_count	@@validate_password_mixed_case_count	@@validate_password_special_char_count	@@validate_password_policy	@@validate_password_dictionary_file
+8	1	1	1	MEDIUM	NULL
+#
+# Bug#14588145 -	NEED ABILITY TO FLUSH PASSWORD VALIDATION DICTIONARY FILE
+#
+SET @@global.validate_password_policy=STRONG;
+# No dictionary file, password is accepted
+CREATE USER 'user1'@'localhost' IDENTIFIED BY 'passWORD123#';
+SET @@global.validate_password_dictionary_file="MYSQLTEST_VARDIR/tmp/dictionary2.txt";
+# must return 3
+SELECT VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_STATUS
+WHERE VARIABLE_NAME = 'validate_password_dictionary_file_words_count';
+VARIABLE_VALUE
+3
+SELECT VARIABLE_VALUE into @ts1 FROM INFORMATION_SCHEMA.GLOBAL_STATUS
+WHERE VARIABLE_NAME = "validate_password_dictionary_file_last_parsed";
+# check format of the TS
+SELECT @ts1;
+@ts1
+0000-00-00 00:00:00
+# must return 19
+SELECT LENGTH(@ts1);
+LENGTH(@ts1)
+19
+# must sleep for at least 1 sec so that the timestamps differ
+SET @@global.validate_password_dictionary_file="MYSQLTEST_VARDIR/tmp/dictionary.txt";
+# must return 2
+SELECT VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_STATUS
+WHERE VARIABLE_NAME = 'validate_password_dictionary_file_words_count';
+VARIABLE_VALUE
+2
+SELECT VARIABLE_VALUE into @ts2 FROM INFORMATION_SCHEMA.GLOBAL_STATUS
+WHERE VARIABLE_NAME = "validate_password_dictionary_file_last_parsed";
+# must return 1
+SELECT @ts1 <> @ts2;
+@ts1 <> @ts2
+1
+CREATE USER 'user2'@'localhost' IDENTIFIED BY 'passWORD123#';
+ERROR HY000: Your password does not satisfy the current policy requirements
+SET @@global.validate_password_dictionary_file=NULL;
+# Cache flushed and no dictionary file is loaded
+CREATE USER 'user2'@'localhost' IDENTIFIED BY 'passWORD123#';
+# Select commands to show that the validate_password lock is instrumented
+SELECT NAME FROM performance_schema.setup_instruments WHERE NAME LIKE '%validate%';
+NAME
+wait/synch/rwlock/validate/LOCK_dict_file
+SELECT NAME FROM performance_schema.rwlock_instances WHERE NAME LIKE '%validate%';
+NAME
+wait/synch/rwlock/validate/LOCK_dict_file
+# cleanup
+DROP USER 'user1'@'localhost', 'user2'@'localhost';
+SET @@global.validate_password_policy=DEFAULT;
+# clean up after the test
 UNINSTALL PLUGIN validate_password;
+End of tests

mysql-test/t/validate_password_plugin.test

@@ -109,34 +109,8 @@ SET @@global.validate_password_policy=STRONG;
 SET PASSWORD FOR 'base_user'@'localhost'= PASSWORD('password1A#');
 UPDATE mysql.user SET PASSWORD= PASSWORD('password1A#') WHERE user='base_user';
 
-UNINSTALL PLUGIN validate_password;
-
---echo # restarting the server with dictionary file.
-
-# Write file to make mysql-test-run.pl wait for the server to stop
---exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
-
-# Request shutdown
--- send_shutdown
-
-# Call script that will poll the server waiting for it to disapear
--- source include/wait_until_disconnected.inc
-
---echo # Restart server.
-
---exec echo "restart:--loose-validate_password_dictionary_file=$MYSQL_ERRMSG_BASEDIR/dictionary.txt" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
-
-# Turn on reconnect
---enable_reconnect
-
-# Call script that will poll the server waiting for it to be back online again
---source include/wait_until_connected_again.inc
-
-# Turn off reconnect again
---disable_reconnect
-
---replace_regex /\.dll/.so/
-eval INSTALL PLUGIN validate_password SONAME '$VALIDATE_PASSWORD';
+--replace_result $MYSQL_ERRMSG_BASEDIR MYSQL_ERRMSG_BASEDIR
+eval SET @@global.validate_password_dictionary_file="$MYSQL_ERRMSG_BASEDIR/dictionary.txt";
 
 --echo # password policy strong
 --echo # default_file : dictionary.txt
@@ -189,7 +163,7 @@ SET @@global.validate_password_special_char_count= 0;
 --error ER_SPECIFIC_ACCESS_DENIED_ERROR
 SET @@global.validate_password_mixed_case_count= 0;
 # user has the update/create privilege but needs to satisfy password policy
-# to update/create new account 
+# to update/create new account
 --error ER_NOT_VALID_PASSWORD
 CREATE USER 'user2'@'localhost' IDENTIFIED BY 'password';
 CREATE USER 'user2'@'localhost' IDENTIFIED BY 'PA00wrd!#';
@@ -204,4 +178,94 @@ connection default;
 DROP USER 'base_user'@'localhost';
 DROP USER 'user1'@'localhost';
 DROP USER 'user'@'localhost';
+SET @@global.validate_password_length=default;
+SET @@global.validate_password_number_count=default;
+SET @@global.validate_password_mixed_case_count=default;
+SET @@global.validate_password_special_char_count=default;
+SET @@global.validate_password_policy=default;
+SET @@global.validate_password_dictionary_file=default;
+
+SELECT @@validate_password_length,
+       @@validate_password_number_count,
+       @@validate_password_mixed_case_count,
+       @@validate_password_special_char_count,
+       @@validate_password_policy,
+       @@validate_password_dictionary_file;
+
+
+--echo #
+--echo # Bug#14588145 -	NEED ABILITY TO FLUSH PASSWORD VALIDATION DICTIONARY FILE
+--echo #
+
+SET @@global.validate_password_policy=STRONG;
+
+--write_file $MYSQLTEST_VARDIR/tmp/dictionary.txt
+password
+validate
+EOF
+
+--write_file $MYSQLTEST_VARDIR/tmp/dictionary2.txt
+password
+validate
+monkey
+EOF
+
+--echo # No dictionary file, password is accepted
+CREATE USER 'user1'@'localhost' IDENTIFIED BY 'passWORD123#';
+--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR
+eval SET @@global.validate_password_dictionary_file="$MYSQLTEST_VARDIR/tmp/dictionary2.txt";
+# Dictionary file loaded
+
+--echo # must return 3
+SELECT VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_STATUS
+  WHERE VARIABLE_NAME = 'validate_password_dictionary_file_words_count';
+
+SELECT VARIABLE_VALUE into @ts1 FROM INFORMATION_SCHEMA.GLOBAL_STATUS
+  WHERE VARIABLE_NAME = "validate_password_dictionary_file_last_parsed";
+
+--echo # check format of the TS
+--replace_regex /[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]/0000-00-00 00:00:00/
+SELECT @ts1;
+
+--echo # must return 19
+SELECT LENGTH(@ts1);
+
+--echo # must sleep for at least 1 sec so that the timestamps differ
+--sleep 1
+
+--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR
+eval SET @@global.validate_password_dictionary_file="$MYSQLTEST_VARDIR/tmp/dictionary.txt";
+
+--echo # must return 2
+SELECT VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_STATUS
+  WHERE VARIABLE_NAME = 'validate_password_dictionary_file_words_count';
+
+SELECT VARIABLE_VALUE into @ts2 FROM INFORMATION_SCHEMA.GLOBAL_STATUS
+  WHERE VARIABLE_NAME = "validate_password_dictionary_file_last_parsed";
+
+--echo # must return 1
+SELECT @ts1 <> @ts2;
+
+--error ER_NOT_VALID_PASSWORD
+CREATE USER 'user2'@'localhost' IDENTIFIED BY 'passWORD123#';
+
+SET @@global.validate_password_dictionary_file=NULL;
+
+--echo # Cache flushed and no dictionary file is loaded
+CREATE USER 'user2'@'localhost' IDENTIFIED BY 'passWORD123#';
+
+--echo # Select commands to show that the validate_password lock is instrumented
+SELECT NAME FROM performance_schema.setup_instruments WHERE NAME LIKE '%validate%';
+SELECT NAME FROM performance_schema.rwlock_instances WHERE NAME LIKE '%validate%';
+
+--echo # cleanup
+DROP USER 'user1'@'localhost', 'user2'@'localhost';
+SET @@global.validate_password_policy=DEFAULT;
+remove_file $MYSQLTEST_VARDIR/tmp/dictionary.txt;
+remove_file $MYSQLTEST_VARDIR/tmp/dictionary2.txt;
+
+--echo # clean up after the test
 UNINSTALL PLUGIN validate_password;
+
+
+--echo End of tests