Bug#24670738 SHOW CREATE USER DOESN'T SHOW DEFAULT ROLE

This patch introduce a new syntax for CREATE USER for
setting the preferred default roles.
SHOW CREATE USER is changed to include default roles
in the result set.

Author: Kristofer Pettersson

mysql-test/r/roles.result

@@ -1177,3 +1177,51 @@ baseuser@%
 DROP USER baseuser, admin1, admin2, r1, r2;
 SET @@global.check_proxy_users = OFF;
 SET @@global.mysql_native_password_proxy_users = OFF;
+#
+# SHOW CREATE USER DOESN'T SHOW DEFAULT ROLE
+#
+CREATE USER u1 IDENTIFIED BY 'foo' DEFAULT ROLE a,a@localhost,`b`,`b`@local,`c c`,`aaa`, `a`@`a`;
+SHOW CREATE USER u1;
+CREATE USER for u1@%
+CREATE USER 'u1'@'%' IDENTIFIED WITH 'mysql_native_password' AS '<hash>' DEFAULT ROLE `a`@`%`,`a`@`a`,`a`@`localhost`,`aaa`@`%`,`b`@`%`,`b`@`local`,`c c`@`%` REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK
+CREATE USER u1;
+ERROR HY000: Operation CREATE USER failed for 'u1'@'%'
+# Same as before and don't crash.
+SHOW CREATE USER u1;
+CREATE USER for u1@%
+CREATE USER 'u1'@'%' IDENTIFIED WITH 'mysql_native_password' AS '<hash>' DEFAULT ROLE `a`@`%`,`a`@`a`,`a`@`localhost`,`aaa`@`%`,`b`@`%`,`b`@`local`,`c c`@`%` REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK
+# check that we can combine different properties with default roles.
+CREATE USER u2 DEFAULT ROLE r1 REQUIRE SSL ACCOUNT LOCK;
+SHOW CREATE USER u2;
+CREATE USER for u2@%
+CREATE USER 'u2'@'%' IDENTIFIED WITH 'mysql_native_password' DEFAULT ROLE `r1`@`%` REQUIRE SSL PASSWORD EXPIRE DEFAULT ACCOUNT LOCK
+SELECT user,host FROM mysql.user;
+user	host
+u1	%
+u2	%
+mysql.session	localhost
+mysql.sys	localhost
+root	localhost
+SELECT * FROM mysql.default_roles;
+HOST	USER	DEFAULT_ROLE_HOST	DEFAULT_ROLE_USER
+%	u1	%	a
+%	u1	%	aaa
+%	u1	%	b
+%	u1	%	c c
+%	u1	a	a
+%	u1	local	b
+%	u1	localhost	a
+%	u2	%	r1
+DROP USER u1,u2;
+CREATE USER u1;
+# If I alter user this will show up in show create user
+ALTER USER u1 DEFAULT ROLE r1;
+SHOW CREATE USER u1;
+CREATE USER for u1@%
+CREATE USER 'u1'@'%' IDENTIFIED WITH 'mysql_native_password' DEFAULT ROLE `r1`@`%` REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK
+SELECT * FROM mysql.default_roles;
+HOST	USER	DEFAULT_ROLE_HOST	DEFAULT_ROLE_USER
+%	u1	%	r1
+DROP USER u1;
+SELECT * FROM mysql.default_roles;
+HOST	USER	DEFAULT_ROLE_HOST	DEFAULT_ROLE_USER

mysql-test/t/roles.test

@@ -932,3 +932,30 @@ CONNECTION default;
 DROP USER baseuser, admin1, admin2, r1, r2;
 SET @@global.check_proxy_users = OFF;
 SET @@global.mysql_native_password_proxy_users = OFF;
+
+--echo #
+--echo # SHOW CREATE USER DOESN'T SHOW DEFAULT ROLE
+--echo #
+CREATE USER u1 IDENTIFIED BY 'foo' DEFAULT ROLE a,a@localhost,`b`,`b`@local,`c c`,`aaa`, `a`@`a`;
+--replace_regex /AS '(.*)'/AS '<hash>'/
+SHOW CREATE USER u1;
+--error ER_CANNOT_USER
+CREATE USER u1;
+--echo # Same as before and don't crash.
+--replace_regex /AS '(.*)'/AS '<hash>'/
+SHOW CREATE USER u1;
+--echo # check that we can combine different properties with default roles.
+CREATE USER u2 DEFAULT ROLE r1 REQUIRE SSL ACCOUNT LOCK;
+SHOW CREATE USER u2;
+SELECT user,host FROM mysql.user;
+SELECT * FROM mysql.default_roles;
+DROP USER u1,u2;
+CREATE USER u1;
+--echo # If I alter user this will show up in show create user
+ALTER USER u1 DEFAULT ROLE r1;
+SHOW CREATE USER u1;
+SELECT * FROM mysql.default_roles;
+DROP USER u1;
+SELECT * FROM mysql.default_roles;
+
+

sql/auth/auth_internal.h

@@ -362,4 +362,6 @@ void create_role_vertex(ACL_USER *role_acl_user);
 void activate_all_granted_and_mandatory_roles(const ACL_USER *acl_user,
                                               Security_context *sctx);
 extern std::vector<std::string> builtin_auth_plugins; 
+bool alter_user_set_default_roles(THD *thd, TABLE *table, LEX_USER *user,
+                                  const List_of_auth_id_refs &new_auth_ids);
 #endif /* AUTH_INTERNAL_INCLUDED */

sql/auth/sql_authorization.cc

@@ -6587,6 +6587,19 @@ bool mysql_alter_user_set_default_roles_all(THD *thd, LEX_USER *user)
   return errors;
 }
 
+
+/**
+  Set the default roles for a particular user.
+
+  @param thd           Thread handle
+  @param table         Table handle to an open table
+  @param user          AST component for the user for which we set def roles
+  @param new_auth_ids  Default roles to set
+  @return
+   @retval true  Operation failed
+   @retval false Operation was successful.
+*/
+
 bool alter_user_set_default_roles(THD *thd, TABLE *table, LEX_USER *user,
                                   const List_of_auth_id_refs &new_auth_ids)
 {

sql/auth/sql_user.cc

@@ -302,6 +302,8 @@ bool mysql_show_create_user(THD *thd, LEX_USER *user_name)
   List<Item> field_list;
   String sql_text(buff,sizeof(buff),system_charset_info);
   LEX_ALTER alter_info;
+  List_of_auth_id_refs default_roles;
+  List<LEX_USER> *old_default_roles= lex->default_roles;
 
   DBUG_ENTER("mysql_show_create_user");
   Acl_cache_lock_guard acl_cache_lock(thd, Acl_cache_lock_mode::READ_MODE);
@@ -384,6 +386,44 @@ bool mysql_show_create_user(THD *thd, LEX_USER *user_name)
     goto err;
   }
   sql_text.length(0);
+  if (lex->sql_command == SQLCOM_SHOW_CREATE_USER ||
+      lex->sql_command == SQLCOM_CREATE_USER)
+  {
+    /*
+      Recreate LEX for default roles given an ACL_USER. This will later be used
+      by rewrite_default_roles() called from mysql_rewrite_create_alter_user()
+      below.
+    */
+    get_default_roles(create_authid_from(acl_user), &default_roles);
+    if (default_roles.size() > 0)
+    {
+      LEX_STRING *tmp_user;
+      LEX_STRING *tmp_host;
+      /*
+        Make sure we reallocate the default_roles list when using it outside of
+        parser code so it has the same mem root as its items.
+      */
+      lex->default_roles= new (thd->mem_root) List<LEX_USER>;
+      for (auto &&role : default_roles)
+      {
+        if (!(tmp_user= thd->make_lex_string(tmp_user, role.first.str,
+                                  role.first.length, true)) ||
+            !(tmp_host= thd->make_lex_string(tmp_host, role.second.str,
+                                  role.second.length, true)))
+        {
+          error= 1;
+          goto err;
+        }
+        LEX_USER *lex_role= LEX_USER::alloc(thd, tmp_user, tmp_host);
+        if (lex_role == 0)
+        {
+          error= 1;
+          goto err;
+        }
+        lex->default_roles->push_back(lex_role);
+      }
+    }
+  }
   lex->users_list.push_back(user_name);
   mysql_rewrite_create_alter_user(thd, &sql_text);
   /* send the result row to client */
@@ -396,6 +436,7 @@ bool mysql_show_create_user(THD *thd, LEX_USER *user_name)
   }
 
 err:
+  lex->default_roles= old_default_roles;
   /* restore user resources, ssl and password expire attributes */
   lex->mqh= tmp_user_resource;
   lex->ssl_type= ssl_type;
@@ -2045,6 +2086,27 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool if_not_exists, bool
 
       continue;
     }
+
+    /*
+      Update default roles if any were specified. The roles don't have to
+      exist and won't be granted to the user.
+    */
+    if (thd->lex->default_roles != 0 &&
+        thd->lex->sql_command == SQLCOM_CREATE_USER)
+    {
+      List_of_auth_id_refs default_roles;
+      List_iterator<LEX_USER> role_it(*(thd->lex->default_roles));
+      LEX_USER *role;
+      while ((role= role_it++))
+      {
+        default_roles.push_back(create_authid_from(role));
+      }
+      alter_user_set_default_roles(thd,
+                                   tables[ACL_TABLES::TABLE_DEFAULT_ROLES].table,
+                                   tmp_user_name,
+                                   default_roles);
+    }
+
   } // END while tmp_user_name= user_lists++
   /* In case of SE error, we would have raised error before reaching here. */
   if (result && !thd->is_error())

sql/sql_lex.cc

@@ -3498,6 +3498,7 @@ void LEX::clear_privileges()
   alter_password.cleanup();
   memset(&mqh, 0, sizeof(mqh));
   dynamic_privileges.empty();
+  default_roles= 0;
 }
 
 

sql/sql_lex.h

@@ -3526,6 +3526,7 @@ struct LEX: public Query_tables_list
   List<LEX_USER>      users_list;
   List<LEX_COLUMN>    columns;
   List<LEX_CSTRING>   dynamic_privileges;
+  List<LEX_USER>      *default_roles;
 
   ulonglong           bulk_insert_row_cnt;
 

sql/sql_rewrite.cc

@@ -94,6 +94,7 @@
 #include "sql/table.h"
 #include "sql_string.h"     // String
 #include "violite.h"
+#include "auth_internal.h"
 
 #ifndef DBUG_OFF
 #define HASH_STRING_WITH_QUOTE \
@@ -174,6 +175,56 @@ static bool append_str(String *str, bool comma, const char *key,
   return comma;
 }
 
+/**
+  Used with List<>::sort for alphabetic sorting of LEX_USER records
+  using user,host as keys.
+
+  @param n1 A LEX_USER element
+  @param n2 A LEX_USER element
+  @param arg Not used
+
+  @return
+    @retval 1 if n1 &gt; n2
+    @retval 0 if n1 &lt;= n2
+*/
+static int lex_user_comp(void *n1, void *n2, void *arg MY_ATTRIBUTE((unused)))
+{
+  LEX_USER *l1= (LEX_USER *)n1;
+  LEX_USER *l2= (LEX_USER *)n2;
+  size_t length= std::min(l1->user.length,l2->user.length);
+  int key= memcmp(l1->user.str, l2->user.str, length);
+  if (key == 0 && l1->user.length == l2->user.length)
+  {
+    length= std::min(l1->host.length,l2->host.length);
+    key= memcmp(l1->host.str, l2->host.str, length);
+    if (key == 0 && l1->host.length == l2->host.length)
+      return 0;
+  }
+  if (key == 0)
+    return (l1->user.length > l2->user.length ? 1 : 0);
+  else
+    return (key > 0 ? 1 : 0);
+}
+
+static void rewrite_default_roles(LEX *lex, String *rlb)
+{
+  bool comma= false;
+  if (lex->default_roles && lex->default_roles->elements > 0)
+  {
+    rlb->append(" DEFAULT ROLE ");
+    lex->default_roles->sort(&lex_user_comp, 0);
+    List_iterator<LEX_USER> role_it(*(lex->default_roles));
+    LEX_USER *role;
+    while ((role= role_it++))
+    {
+      if (comma)
+        rlb->append(',');
+      rlb->append(create_authid_str_from(role).c_str());
+      comma= true;
+    }
+  }
+}
+
 static void rewrite_ssl_properties(LEX *lex, String *rlb)
 {
   if (lex->ssl_type != SSL_TYPE_NOT_SPECIFIED)
@@ -546,6 +597,8 @@ void mysql_rewrite_create_alter_user(THD *thd, String *rlb,
     }
   }
 
+  if (thd->lex->sql_command == SQLCOM_SHOW_CREATE_USER)
+    rewrite_default_roles(lex, rlb);
   rewrite_ssl_properties(lex, rlb);
   rewrite_user_resources(lex, rlb);
 

sql/sql_yacc.yy

@@ -1590,7 +1590,7 @@ bool my_yyoverflow(short **a, YYSTYPE **b, YYLTYPE **c, ulong *yystacksize);
 
 %type <join_type> outer_join_type natural_join_type inner_join_type
 
-%type <user_list> user_list role_list opt_except_role_list
+%type <user_list> user_list role_list default_role_clause opt_except_role_list
 
 %type <alter_instance_action> alter_instance_action
 
@@ -2553,11 +2553,13 @@ create:
           }
           view_or_trigger_or_sp_or_event
           {}
-        | CREATE USER opt_if_not_exists grant_list require_clause
-                      connect_options opt_account_lock_password_expire_options
+        | CREATE USER opt_if_not_exists grant_list default_role_clause
+                      require_clause connect_options
+                      opt_account_lock_password_expire_options
           {
             LEX *lex=Lex;
             lex->sql_command = SQLCOM_CREATE_USER;
+            lex->default_roles= $5;
             Lex->create_info= YYTHD->alloc_typed<HA_CREATE_INFO>();
             if (Lex->create_info == NULL)
               MYSQL_YYABORT; // OOM
@@ -2592,6 +2594,18 @@ create:
           }
         ;
 
+default_role_clause:
+          /* empty */
+          {
+            $$= 0;
+          }
+        |
+          DEFAULT_SYM ROLE_SYM role_list
+          {
+            $$= $3;
+          }
+        ;
+
 create_index_stmt:
           CREATE opt_unique INDEX_SYM opt_index_name_and_type
           ON_SYM table_ident '(' key_list ')' opt_index_options