*: Support Failed-Login Tracking and Temporary Account Locking

errno/errcode.go

@@ -918,6 +918,7 @@ const (
 	ErrFunctionalIndexDataIsTooLong                          = 3907
 	ErrFunctionalIndexNotApplicable                          = 3909
 	ErrDynamicPrivilegeNotRegistered                         = 3929
+	ErUserAccessDeniedForUserAccountBlockedByPasswordLock    = 3955
 	ErrTableWithoutPrimaryKey                                = 3750
 	// MariaDB errors.
 	ErrOnlyOneDefaultPartionAllowed         = 4030

errno/errname.go

@@ -836,6 +836,7 @@ var MySQLErrName = map[uint16]*mysql.ErrMessage{
 	ErrDependentByGeneratedColumn:                            mysql.Message("Column '%s' has a generated column dependency.", nil),
 	ErrGeneratedColumnRefAutoInc:                             mysql.Message("Generated column '%s' cannot refer to auto-increment column.", nil),
 	ErrAccountHasBeenLocked:                                  mysql.Message("Access denied for user '%s'@'%s'. Account is locked.", nil),
+	ErUserAccessDeniedForUserAccountBlockedByPasswordLock:    mysql.Message("Access denied for user '%s'@'%s'. Account is blocked for %s day(s) (%s day(s) remaining) due to %d consecutive failed logins.", nil),
 	ErrWarnConflictingHint:                                   mysql.Message("Hint %s is ignored as conflicting/duplicated.", nil),
 	ErrUnresolvedHintName:                                    mysql.Message("Unresolved name '%s' for %s hint", nil),
 	ErrForeignKeyCascadeDepthExceeded:                        mysql.Message("Foreign key cascade delete/update exceeds max depth of %v.", nil),

executor/show.go

@@ -1512,7 +1512,8 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
 
 	exec := e.ctx.(sqlexec.RestrictedSQLExecutor)
 
-	rows, _, err := exec.ExecRestrictedSQL(ctx, nil, `SELECT plugin, Account_locked, JSON_UNQUOTE(JSON_EXTRACT(user_attributes, '$.metadata')), Token_issuer
+	rows, _, err := exec.ExecRestrictedSQL(ctx, nil, `SELECT plugin, Account_locked, JSON_UNQUOTE(JSON_EXTRACT(user_attributes, '$.metadata')), Token_issuer,
+        JSON_UNQUOTE(JSON_EXTRACT(user_attributes, '$.Password_locking.failed_login_attempts')), JSON_UNQUOTE(JSON_EXTRACT(user_attributes, '$.Password_locking.password_lock_time_days'))
 		FROM %n.%n WHERE User=%? AND Host=%?`,
 		mysql.SystemDB, mysql.UserTable, userName, strings.ToLower(hostName))
 	if err != nil {
@@ -1546,6 +1547,20 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
 		tokenIssuer = " token_issuer " + tokenIssuer
 	}
 
+	failedLoginAttempts := rows[0].GetString(4)
+	if len(failedLoginAttempts) > 0 {
+		failedLoginAttempts = " FAILED_LOGIN_ATTEMPTS " + failedLoginAttempts
+	}
+
+	passwordLockTimeDays := rows[0].GetString(5)
+	if len(passwordLockTimeDays) > 0 {
+		if passwordLockTimeDays == "-1" {
+			passwordLockTimeDays = " PASSWORD_LOCK_TIME UNBOUNDED"
+		} else {
+			passwordLockTimeDays = " PASSWORD_LOCK_TIME " + passwordLockTimeDays
+		}
+	}
+
 	rows, _, err = exec.ExecRestrictedSQL(ctx, nil, `SELECT Priv FROM %n.%n WHERE User=%? AND Host=%?`, mysql.SystemDB, mysql.GlobalPrivTable, userName, hostName)
 	if err != nil {
 		return errors.Trace(err)
@@ -1569,8 +1584,8 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
 	}
 
 	// FIXME: the returned string is not escaped safely
-	showStr := fmt.Sprintf("CREATE USER '%s'@'%s' IDENTIFIED WITH '%s'%s REQUIRE %s%s PASSWORD EXPIRE DEFAULT ACCOUNT %s%s",
-		e.User.Username, e.User.Hostname, authplugin, authStr, require, tokenIssuer, accountLocked, userAttributes)
+	showStr := fmt.Sprintf("CREATE USER '%s'@'%s' IDENTIFIED WITH '%s'%s REQUIRE %s%s PASSWORD EXPIRE DEFAULT ACCOUNT %s%s%s%s",
+		e.User.Username, e.User.Hostname, authplugin, authStr, require, tokenIssuer, accountLocked, userAttributes, failedLoginAttempts, passwordLockTimeDays)
 	e.appendRow([]interface{}{showStr})
 	return nil
 }

executor/simple.go

@@ -19,7 +19,9 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"math"
 	"os"
+	"strconv"
 	"strings"
 	"syscall"
 	"time"
@@ -51,6 +53,7 @@ import (
 	"github.com/pingcap/tidb/util/collate"
 	"github.com/pingcap/tidb/util/hack"
 	"github.com/pingcap/tidb/util/logutil"
+	"github.com/pingcap/tidb/util/mathutil"
 	pwdValidator "github.com/pingcap/tidb/util/password-validation"
 	"github.com/pingcap/tidb/util/sem"
 	"github.com/pingcap/tidb/util/sqlexec"
@@ -801,6 +804,152 @@ func (e *SimpleExec) isValidatePasswordEnabled() bool {
 	return variable.TiDBOptOn(validatePwdEnable)
 }
 
+type passwordOrLockOptionsInfo struct {
+	LockAccount               string
+	FailedLoginAttempts       int64
+	PasswordLockTime          int64
+	FailedLoginAttemptsChange bool
+	PasswordLockTimeChange    bool
+}
+
+type alterUserPasswordLocking struct {
+	FailedLoginAttempts            int64
+	PasswordLockTime               int64
+	FailedLoginAttemptsNotFound    bool
+	PasswordLockTimeChangeNotFound bool
+	commentIsNull                  bool
+}
+
+func (info *passwordOrLockOptionsInfo) passwordOrLockOptionsInfoParser(plOption []*ast.PasswordOrLockOption) {
+	// If "ACCOUNT LOCK" or "ACCOUNT UNLOCK" appears many times,
+	// the last declaration takes effect.
+	for _, option := range plOption {
+		switch option.Type {
+		case ast.Lock:
+			info.LockAccount = "Y"
+		case ast.Unlock:
+			info.LockAccount = "N"
+		case ast.FailedLoginAttempts:
+			info.FailedLoginAttempts = mathutil.Min(option.Count, math.MaxInt16)
+			info.FailedLoginAttemptsChange = true
+		case ast.PasswordLockTime:
+			info.PasswordLockTime = mathutil.Min(option.Count, math.MaxInt16)
+			info.PasswordLockTimeChange = true
+		case ast.PasswordLockTimeUnbounded:
+			info.PasswordLockTime = -1
+			info.PasswordLockTimeChange = true
+		}
+	}
+}
+
+func createUserFailedLoginJSON(info *passwordOrLockOptionsInfo) string {
+	if (info.FailedLoginAttemptsChange || info.PasswordLockTimeChange) && (info.FailedLoginAttempts != 0 || info.PasswordLockTime != 0) {
+		return fmt.Sprintf("{\"Password_locking\": {\"failed_login_attempts\": %d,\"password_lock_time_days\": %d}}",
+			info.FailedLoginAttempts, info.PasswordLockTime)
+	}
+	return ""
+}
+
+func alterUserFailedLoginJSON(info *alterUserPasswordLocking, lockAccount string) string {
+	passwordLockingArray := []string{}
+	if lockAccount == "N" && (info.FailedLoginAttempts != 0 || info.PasswordLockTime != 0) {
+		passwordLockingArray = append(passwordLockingArray, fmt.Sprintf("\"auto_account_locked\": \"%s\"", lockAccount))
+		passwordLockingArray = append(passwordLockingArray, fmt.Sprintf("\"auto_locked_last_changed\": \"%s\"", time.Now().Format(time.UnixDate)))
+		passwordLockingArray = append(passwordLockingArray, fmt.Sprintf("\"failed_login_count\": %d", 0))
+	}
+	if info.FailedLoginAttempts != 0 || info.PasswordLockTime != 0 {
+		passwordLockingArray = append(passwordLockingArray, fmt.Sprintf("\"failed_login_attempts\": %d", info.FailedLoginAttempts))
+		passwordLockingArray = append(passwordLockingArray, fmt.Sprintf("\"password_lock_time_days\": %d", info.PasswordLockTime))
+	}
+	if len(passwordLockingArray) > 0 {
+		return fmt.Sprintf("\"Password_locking\": {%s}", strings.Join(passwordLockingArray, ","))
+	}
+	return ""
+}
+
+func readUserAttributes(ctx context.Context, sqlExecutor sqlexec.SQLExecutor, name string, host string, pLO *passwordOrLockOptionsInfo) (*alterUserPasswordLocking, error) {
+	alterUserInfo := &alterUserPasswordLocking{0, 0, false, false, false}
+	sql := new(strings.Builder)
+	sqlexec.MustFormatSQL(sql, `SELECT  JSON_UNQUOTE(JSON_EXTRACT(user_attributes, '$.Password_locking.failed_login_attempts')), JSON_UNQUOTE(JSON_EXTRACT(user_attributes, '$.Password_locking.password_lock_time_days')),
+	JSON_UNQUOTE(JSON_EXTRACT(user_attributes, '$.metadata'))          FROM %n.%n WHERE User=%? AND Host=%?;`, mysql.SystemDB, mysql.UserTable, name, strings.ToLower(host))
+	recordSet, err := sqlExecutor.ExecuteInternal(ctx, sql.String())
+	if err != nil {
+		return nil, err
+	}
+	rows, err := sqlexec.DrainRecordSet(ctx, recordSet, 3)
+	if err != nil {
+		return nil, err
+	}
+
+	if pLO.FailedLoginAttemptsChange {
+		alterUserInfo.FailedLoginAttempts = pLO.FailedLoginAttempts
+	} else {
+		FailedLoginAttempts := rows[0].GetString(0)
+		if len(FailedLoginAttempts) > 0 {
+			alterUserInfo.FailedLoginAttempts, err = strconv.ParseInt(FailedLoginAttempts, 10, 64)
+			if err != nil {
+				return nil, err
+			}
+			if alterUserInfo.FailedLoginAttempts < 0 {
+				alterUserInfo.FailedLoginAttempts = 0
+			} else {
+				alterUserInfo.FailedLoginAttempts = mathutil.Min(alterUserInfo.FailedLoginAttempts, math.MaxInt16)
+			}
+		} else {
+			alterUserInfo.FailedLoginAttempts = 0
+			alterUserInfo.FailedLoginAttemptsNotFound = true
+		}
+	}
+
+	if pLO.PasswordLockTimeChange {
+		alterUserInfo.PasswordLockTime = pLO.PasswordLockTime
+	} else {
+		PasswordLockTime := rows[0].GetString(1)
+		if len(PasswordLockTime) > 0 {
+			alterUserInfo.PasswordLockTime, err = strconv.ParseInt(PasswordLockTime, 10, 64)
+			if err != nil {
+				return nil, err
+			}
+			if alterUserInfo.PasswordLockTime < -1 {
+				alterUserInfo.PasswordLockTime = -1
+			} else {
+				alterUserInfo.PasswordLockTime = mathutil.Min(alterUserInfo.PasswordLockTime, math.MaxInt16)
+			}
+		} else {
+			alterUserInfo.PasswordLockTime = 0
+			alterUserInfo.PasswordLockTimeChangeNotFound = true
+		}
+	}
+	if len(rows[0].GetString(2)) > 0 {
+		alterUserInfo.commentIsNull = false
+	} else {
+		alterUserInfo.commentIsNull = true
+	}
+	return alterUserInfo, nil
+}
+
+// If FailedLoginAttempts = 0 and PasswordLockTime = 0 delete Password_locking info
+func deleteFailedLogin(ctx context.Context, sqlExecutor sqlexec.SQLExecutor, name string, host string, alterUser *alterUserPasswordLocking) error {
+	if alterUser.FailedLoginAttemptsNotFound && alterUser.PasswordLockTimeChangeNotFound {
+		return nil
+	}
+	if alterUser.FailedLoginAttempts != 0 || alterUser.PasswordLockTime != 0 {
+		return nil
+	}
+	sql := new(strings.Builder)
+	if alterUser.commentIsNull {
+		sqlexec.MustFormatSQL(sql, `UPDATE %n.%n SET user_attributes=NULL `, mysql.SystemDB, mysql.UserTable)
+	} else {
+		sqlexec.MustFormatSQL(sql, `UPDATE %n.%n SET user_attributes=JSON_REMOVE(user_attributes, '$.Password_locking') `, mysql.SystemDB, mysql.UserTable)
+	}
+	sqlexec.MustFormatSQL(sql, " WHERE Host=%? and User=%?;", host, name)
+	_, err := sqlExecutor.ExecuteInternal(ctx, sql.String())
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStmt) error {
 	internalCtx := kv.WithInternalSourceType(context.Background(), kv.InternalTxnPrivilege)
 	// Check `CREATE USER` privilege.
@@ -822,46 +971,42 @@ func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStm
 			}
 		}
 	}
-
 	privData, err := tlsOption2GlobalPriv(s.AuthTokenOrTLSOptions)
 	if err != nil {
 		return err
 	}
-
 	lockAccount := "N"
-	if length := len(s.PasswordOrLockOptions); length > 0 {
-		// If "ACCOUNT LOCK" or "ACCOUNT UNLOCK" appears many times,
-		// the last declaration takes effect.
-		for i := length - 1; i >= 0; i-- {
-			if s.PasswordOrLockOptions[i].Type == ast.Lock {
-				lockAccount = "Y"
-				break
-			} else if s.PasswordOrLockOptions[i].Type == ast.Unlock {
-				break
-			}
-		}
+	plInfo := &passwordOrLockOptionsInfo{LockAccount: lockAccount, FailedLoginAttemptsChange: false, PasswordLockTimeChange: false}
+	plInfo.passwordOrLockOptionsInfoParser(s.PasswordOrLockOptions)
+	PasswordLocking := createUserFailedLoginJSON(plInfo)
+	if plInfo.LockAccount != "" {
+		lockAccount = plInfo.LockAccount
 	}
 	if s.IsCreateRole {
 		lockAccount = "Y"
 	}
-
 	var userAttributes any = nil
 	if s.CommentOrAttributeOption != nil {
 		if s.CommentOrAttributeOption.Type == ast.UserCommentType {
 			userAttributes = fmt.Sprintf("{\"metadata\": {\"comment\": \"%s\"}}", s.CommentOrAttributeOption.Value)
 		} else if s.CommentOrAttributeOption.Type == ast.UserAttributeType {
 			userAttributes = fmt.Sprintf("{\"metadata\": %s}", s.CommentOrAttributeOption.Value)
 		}
+		if plInfo.FailedLoginAttemptsChange || plInfo.PasswordLockTimeChange {
+			userAttributes = fmt.Sprintf("{%s,%s}", userAttributes, PasswordLocking)
+		}
+	} else {
+		if plInfo.FailedLoginAttemptsChange || plInfo.PasswordLockTimeChange {
+			userAttributes = PasswordLocking
+		}
 	}
-
 	tokenIssuer := ""
 	for _, authTokenOption := range s.AuthTokenOrTLSOptions {
 		switch authTokenOption.Type {
 		case ast.TokenIssuer:
 			tokenIssuer = authTokenOption.Value
 		}
 	}
-
 	sql := new(strings.Builder)
 	sqlexec.MustFormatSQL(sql, `INSERT INTO %n.%n (Host, User, authentication_string, plugin, user_attributes, Account_locked, Token_issuer) VALUES `, mysql.SystemDB, mysql.UserTable)
 
@@ -917,7 +1062,6 @@ func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStm
 		default:
 			return ErrPluginIsNotLoaded.GenWithStackByArgs(spec.AuthOpt.AuthPlugin)
 		}
-
 		recordTokenIssuer := tokenIssuer
 		if len(recordTokenIssuer) > 0 && authPlugin != mysql.AuthTiDBAuthToken {
 			err := fmt.Errorf("TOKEN_ISSUER is not needed for '%s' user", authPlugin)
@@ -927,7 +1071,6 @@ func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStm
 			err := fmt.Errorf("TOKEN_ISSUER is needed for 'tidb_auth_token' user, please use 'alter user' to declare it")
 			e.ctx.GetSessionVars().StmtCtx.AppendWarning(err)
 		}
-
 		hostName := strings.ToLower(spec.User.Hostname)
 		sqlexec.MustFormatSQL(sql, `(%?, %?, %?, %?, %?, %?, %?)`, hostName, spec.User.Username, pwd, authPlugin, userAttributes, lockAccount, recordTokenIssuer)
 		users = append(users, spec.User)
@@ -992,22 +1135,12 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 		}
 		s.Specs = []*ast.UserSpec{spec}
 	}
-
 	lockAccount := ""
-	if len(s.PasswordOrLockOptions) > 0 {
-		// If "ACCOUNT LOCK" or "ACCOUNT UNLOCK" appears many times,
-		// the last declaration takes effect.
-		for i := len(s.PasswordOrLockOptions) - 1; i >= 0; i-- {
-			if s.PasswordOrLockOptions[i].Type == ast.Lock {
-				lockAccount = "Y"
-				break
-			} else if s.PasswordOrLockOptions[i].Type == ast.Unlock {
-				lockAccount = "N"
-				break
-			}
-		}
+	plOptions := passwordOrLockOptionsInfo{LockAccount: lockAccount}
+	plOptions.passwordOrLockOptionsInfoParser(s.PasswordOrLockOptions)
+	if plOptions.LockAccount != "" {
+		lockAccount = plOptions.LockAccount
 	}
-
 	privData, err := tlsOption2GlobalPriv(s.AuthTokenOrTLSOptions)
 	if err != nil {
 		return err
@@ -1031,6 +1164,13 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 		}
 	}
 
+	restrictedCtx, err := e.getSysSession()
+	if err != nil {
+		return err
+	}
+	defer e.releaseSysSession(ctx, restrictedCtx)
+	sqlExecutor := restrictedCtx.(sqlexec.SQLExecutor)
+	exec := e.ctx.(sqlexec.RestrictedSQLExecutor)
 	for _, spec := range s.Specs {
 		user := e.ctx.GetSessionVars().User
 		if spec.User.CurrentUser || ((user != nil) && (user.Username == spec.User.Username) && (user.AuthHostname == spec.User.Hostname)) {
@@ -1091,7 +1231,6 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 			authTokenOptionHandler = OptionalAuthTokenOptions
 		}
 
-		exec := e.ctx.(sqlexec.RestrictedSQLExecutor)
 		type alterField struct {
 			expr  string
 			value string
@@ -1134,14 +1273,31 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 			fields = append(fields, alterField{"account_locked=%?", lockAccount})
 		}
 
+		alterUserPassword, err := readUserAttributes(ctx, sqlExecutor, spec.User.Username, spec.User.Hostname, &plOptions)
+		if err != nil {
+			return err
+		}
+		AlterPasswordLocking := alterUserFailedLoginJSON(alterUserPassword, lockAccount)
+
 		if s.CommentOrAttributeOption != nil {
+			alterUserPassword.commentIsNull = false
 			newAttributesStr := ""
 			if s.CommentOrAttributeOption.Type == ast.UserCommentType {
-				newAttributesStr = fmt.Sprintf(`{"metadata": {"comment": "%s"}}`, s.CommentOrAttributeOption.Value)
+				newAttributesStr = fmt.Sprintf(`"metadata": {"comment": "%s"}`, s.CommentOrAttributeOption.Value)
+			} else {
+				newAttributesStr = fmt.Sprintf(`"metadata": %s`, s.CommentOrAttributeOption.Value)
+			}
+			if AlterPasswordLocking != "" {
+				newAttributesStr = fmt.Sprintf("{%s,%s}", newAttributesStr, AlterPasswordLocking)
 			} else {
-				newAttributesStr = fmt.Sprintf(`{"metadata": %s}`, s.CommentOrAttributeOption.Value)
+				newAttributesStr = fmt.Sprintf("{%s}", newAttributesStr)
 			}
 			fields = append(fields, alterField{"user_attributes=json_merge_patch(coalesce(user_attributes, '{}'), %?)", newAttributesStr})
+		} else {
+			if AlterPasswordLocking != "" {
+				newAttributesStr := fmt.Sprintf("{%s}", AlterPasswordLocking)
+				fields = append(fields, alterField{"user_attributes=json_merge_patch(coalesce(user_attributes, '{}'), %?)", newAttributesStr})
+			}
 		}
 
 		switch authTokenOptionHandler {
@@ -1183,7 +1339,11 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 				continue
 			}
 		}
-
+		err = deleteFailedLogin(ctx, sqlExecutor, spec.User.Username, spec.User.Hostname, alterUserPassword)
+		if err != nil {
+			failedUsers = append(failedUsers, spec.User.String())
+			continue
+		}
 		if len(privData) > 0 {
 			_, _, err := exec.ExecRestrictedSQL(ctx, nil, "INSERT INTO %n.%n (Host, User, Priv) VALUES (%?,%?,%?) ON DUPLICATE KEY UPDATE Priv = values(Priv)", mysql.SystemDB, mysql.GlobalPrivTable, spec.User.Hostname, spec.User.Username, string(hack.String(privData)))
 			if err != nil {