From c84732a0cdb9e5312082778674069412baabb4a7 Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Mon, 18 Nov 2019 10:48:31 +0100
Subject: [PATCH] fix issue when adding new database users with already-hashed passwords, refs #758
Signed-off-by: Michael Kaufmann
---
 .../Database/Manager/DbManagerMySQL.php | 30 ++++++++++++++-----
 tests/Mysqls/MysqlsTest.php | 14 +++++++++
 2 files changed, 37 insertions(+), 7 deletions(-)
diff --git a/lib/Froxlor/Database/Manager/DbManagerMySQL.php b/lib/Froxlor/Database/Manager/DbManagerMySQL.php
index fa1b2a5c..b194631f 100644
--- a/lib/Froxlor/Database/Manager/DbManagerMySQL.php
+++ b/lib/Froxlor/Database/Manager/DbManagerMySQL.php
@@ -81,9 +81,15 @@ class DbManagerMySQL
 // mysql8 compatibility
 if (version_compare(Database::getAttribute(\PDO::ATTR_SERVER_VERSION), '8.0.11', '>=')) {
 // create user
- $stmt = Database::prepare("
- CREATE USER '" . $username . "'@'" . $access_host . "' IDENTIFIED BY :password
- ");
+ if ($p_encrypted) {
+ $stmt = Database::prepare("
+ CREATE USER '" . $username . "'@'" . $access_host . "' IDENTIFIED WITH mysql_native_password AS :password
+ ");
+ } else {
+ $stmt = Database::prepare("
+ CREATE USER '" . $username . "'@'" . $access_host . "' IDENTIFIED BY :password
+ ");
+ }
 Database::pexecute($stmt, array(
 "password" => $password
 ));
@@ -97,9 +103,15 @@ class DbManagerMySQL
 ));
 } else {
 // grant privileges
- $stmt = Database::prepare("
- GRANT ALL PRIVILEGES ON `" . $username . "`.* TO :username@:host IDENTIFIED BY :password
- ");
+ if ($p_encrypted) {
+ $stmt = Database::prepare("
+ GRANT ALL PRIVILEGES ON `" . $username . "`.* TO :username@:host IDENTIFIED WITH mysql_native_password AS :password
+ ");
+ } else {
+ $stmt = Database::prepare("
+ GRANT ALL PRIVILEGES ON `" . $username . "`.* TO :username@:host IDENTIFIED BY :password
+ ");
+ }
 Database::pexecute($stmt, array(
 "username" => $username,
 "host" => $access_host,
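Review bot: In the CREATE USER hunk (`@@ -81,9 +81,15 @@`), the new `$p_encrypted` branch hands `$password` to `IDENTIFIED WITH mysql_native_password AS :password` without checking that the value actually is a mysql_native_password hash. A value in any other shape (a hash copied from an account on a different plugin, or a plain-text password passed with the flag set by mistake) will at best be rejected by the server at execute time, and nothing in the hunk turns that into a clear error. I would guard the branch with a format check such as `preg_match('/^\*[0-9A-F]{40}$/i', $password)` and fail explicitly when it does not match. The same applies to the GRANT hunk (`@@ -97,9 +103,15 @@`) and the ALTER USER hunk (`@@ -115,7 +127,11 @@`). The enclosing method starts and ends outside this hunk, so an earlier check may exist that is not visible here.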
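Review bot: In the GRANT hunk (`@@ -97,9 +103,15 @@`), both new branches still splice `$username` into the backtick-quoted schema name by string concatenation, while user, host and password are bound as parameters. An identifier cannot be bound, so this position relies entirely on `$username` having been validated before this point, which the hunk does not show. I would double any backtick in `$username` before placing it between the backticks and add a comment such as `// schema name cannot be a bound parameter; $username must already be validated`. The CREATE USER statement in the previous hunk concatenates `$username` and `$access_host` into quoted literals in the same way and could presumably use `:username@:host` as this statement does. The enclosing if/else begins outside the hunk.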
@@ -115,7 +127,11 @@ class DbManagerMySQL $stmt = Database::prepare("SET PASSWORD FOR :username@:host = PASSWORD(:password)"); } } else { - $stmt = Database::prepare("ALTER USER :username@:host IDENTIFIED BY :password"); + if ($p_encrypted) { + $stmt = Database::prepare("ALTER USER :username@:host IDENTIFIED WITH mysql_native_password AS :password"); + } else { + $stmt = Database::prepare("ALTER USER :username@:host IDENTIFIED BY :password"); + } } Database::pexecute($stmt, array( "username" => $username, diff --git a/tests/Mysqls/MysqlsTest.php b/tests/Mysqls/MysqlsTest.php index 45989ec9..6bd4d300 100644 --- a/tests/Mysqls/MysqlsTest.php +++ b/tests/Mysqls/MysqlsTest.php @@ -4,6 +4,7 @@ use PHPUnit\Framework\TestCase; use Froxlor\Api\Commands\Admins; use Froxlor\Api\Commands\Customers; use Froxlor\Api\Commands\Mysqls; +use Froxlor\Database\Database; /** * @@ -181,5 +182,18 @@ class MysqlsTest extends TestCase foreach ($users as $user => $data) { $this->assertNotEmpty($data['password'], 'No password for user "' . $user . '"'); } + + // grant privileges to another host + $testdata = $users['froxlor010']; + $dbm->getManager()->grantPrivilegesTo('froxlor010', $testdata['password'], '10.0.0.10', true); + + // select all entries from mysql.user for froxlor010 to compare password-hashes + $sel_stmt = Database::prepare("SELECT * FROM mysql.user WHERE `User` = :usr"); + Database::pexecute($sel_stmt, ['usr' => 'froxlor010']); + $results = $sel_stmt->fetchAll(\PDO::FETCH_ASSOC); + foreach ($results as $user) { + $passwd = $user['Password'] ?? $user['authentication_string']; + $this->assertEquals($testdata['password'], $passwd); + } } }
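Review bot: In the ALTER USER hunk (`@@ -115,7 +127,11 @@`), `IDENTIFIED WITH mysql_native_password AS :password` resets the account's authentication plugin as well as its credential, so a password update with `$p_encrypted` set moves an account that was on another plugin to mysql_native_password without saying so. That plugin stores an unsalted SHA-1 based hash and is deprecated in recent MySQL 8.x releases, so for accounts created with the server default the switch is a downgrade. At minimum I would add a comment above the branch, `// IDENTIFIED WITH also resets the account's auth plugin to mysql_native_password`, and consider reading the account's current `plugin` first and refusing when it differs. The surrounding if/else chain starts outside this hunk.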
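Review bot: In the test hunk (`@@ -181,5 +182,18 @@` of tests/Mysqls/MysqlsTest.php), the new comparison runs only inside `foreach ($results as $user)`, so the test passes without checking anything when the query returns no rows, and it never confirms that a row for host `10.0.0.10` was created. I would add `$this->assertNotEmpty($results);` before the loop and narrow the query with `AND Host = :host` bound to `'10.0.0.10'`. Asserting the row's `plugin` column as well would pin the plugin the manager is meant to set for pre-hashed passwords. The test method begins outside the hunk.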