# These tests verify that changing a user's password also causes
# further authentications to take the new password into account.

config secure
----


# Prevent auto-converting passwords, so that each sub-test exercises its own hash method.
sql
SET CLUSTER SETTING server.user_login.upgrade_bcrypt_stored_passwords_to_scram.enabled = false;
----
ok

sql
SET CLUSTER SETTING server.user_login.downgrade_scram_stored_passwords_to_bcrypt.enabled = false;
----
ok

subtest regular_user

subtest regular_user/bcrypt

sql
SET CLUSTER SETTING server.user_login.password_encryption = 'crdb-bcrypt';
----
ok

sql
CREATE USER userpw WITH PASSWORD 'pass'
----
ok

# sanity check: without a password, auth is denied.
connect user=userpw
----
ERROR: password authentication failed for user userpw (SQLSTATE 28P01)

# with the proper pass, auth succeeds.
connect user=userpw password=pass
----
ok defaultdb

# Changing the password causes the previous password to fail
# and the new one to succeed.

sql
ALTER USER userpw WITH PASSWORD 'pass2'
----
ok

connect user=userpw password=pass
----
ERROR: password authentication failed for user userpw (SQLSTATE 28P01)

connect user=userpw password=pass2
----
ok defaultdb


subtest end

subtest regular_user/scram

sql
SET CLUSTER SETTING server.user_login.password_encryption = 'scram-sha-256';
----
ok

sql
DROP USER userpw;
----
ok

sql
CREATE USER userpw WITH PASSWORD 'pass'
----
ok

# sanity check: without a password, auth is denied.
connect user=userpw
----
ERROR: password authentication failed for user userpw (SQLSTATE 28P01)

# with the proper pass, auth succeeds.
connect user=userpw password=pass
----
ok defaultdb

# Changing the password causes the previous password to fail
# and the new one to succeed.

sql
ALTER USER userpw WITH PASSWORD 'pass2'
----
ok

connect user=userpw password=pass
----
ERROR: password authentication failed for user userpw (SQLSTATE 28P01)

connect user=userpw password=pass2
----
ok defaultdb


subtest end

subtest regular_user/no_password

# Erasing the password forces cert authentication.

sql
ALTER USER userpw WITH PASSWORD NULL
----
ok

connect user=userpw password=pass2
----
ERROR: password authentication failed for user userpw (SQLSTATE 28P01)

connect user=userpw
----
ERROR: password authentication failed for user userpw (SQLSTATE 28P01)

subtest end

subtest end

subtest precomputed_hash

subtest precomputed_hash/bcrypt

sql
CREATE USER userhpw WITH PASSWORD 'CRDB-BCRYPT$3a$10$vcmoIBvgeHjgScVHWRMWI.Z3v03WMixAw2bBS6qZihljSUuwi88Yq'
----
ERROR: crypto/bcrypt: bcrypt algorithm version '3' requested is newer than current version '2' (SQLSTATE 42601)

sql
CREATE USER userhpw WITH PASSWORD 'CRDB-BCRYPT$2a$10$vcmoIBvgeHjgScVHWRMWI.Z3v0'
----
ERROR: crypto/bcrypt: hashedSecret too short to be a bcrypted password (SQLSTATE 42601)

sql
CREATE USER userhpw WITH PASSWORD 'CRDB-BCRYPT$2a$01$vcmoIBvgeHjgScVHWRMWI.Z3v03WMixAw2bBS6qZihljSUuwi88Yq'
----
ERROR: crypto/bcrypt: cost 1 is outside allowed range (4,31) (SQLSTATE 42601)

sql
CREATE USER userhpw WITH PASSWORD 'CRDB-BCRYPT$2a$10$vcmoIBvgeHjgScVHWRMWI.Z3v03WMixAw2bBS6qZihljSUuwi88Yq'
----
ok

connect user=userhpw password=demo37559
----
ok defaultdb

sql
ALTER USER userhpw WITH PASSWORD 'CRDB-BCRYPT$2a$10$jeDfxx9fI7dDp3p0I3BTGOX2uKjnErlmgf74U0bp9KusDpAVypc1.'
----
ok

connect user=userhpw password=abc
----
ok defaultdb

sql
DROP USER userhpw
----
ok

subtest end

subtest precomputed_hash/scram

sql
CREATE USER userhpw WITH PASSWORD 'SCRAM-SHA-256$9999999999999999999999999999999:Hw/dhibRaBVbObr6bATlqw==$BTFlXuZT2ZNxA3DxogkGgK0wVlOyNtxGoqDI62hyLUo=:3eZMZdAossPInncABj7/N/jkGtRZEUrz7uGkkNibHps='
----
ERROR: invalid scram-sha-256 iteration count: strconv.ParseInt: parsing "9999999999999999999999999999999": value out of range (SQLSTATE 42601)

sql
CREATE USER userhpw WITH PASSWORD 'SCRAM-SHA-256$990000000000:Hw/dhibRaBVbObr6bATlqw==$BTFlXuZT2ZNxA3DxogkGgK0wVlOyNtxGoqDI62hyLUo=:3eZMZdAossPInncABj7/N/jkGtRZEUrz7uGkkNibHps='
----
ERROR: scram-sha-256 iteration count not in allowed range (4096,240000000000) (SQLSTATE 42601)

sql
CREATE USER userhpw WITH PASSWORD 'SCRAM-SHA-256$3000:Hw/dhibRaBVbObr6bATlqw==$BTFlXuZT2ZNxA3DxogkGgK0wVlOyNtxGoqDI62hyLUo=:3eZMZdAossPInncABj7/N/jkGtRZEUrz7uGkkNibHps='
----
ERROR: scram-sha-256 iteration count not in allowed range (4096,240000000000) (SQLSTATE 42601)

sql
CREATE USER userhpw WITH PASSWORD 'SCRAM-SHA-256$119680:Hw/dhibRaBVbObr6bATlqw==$BTFlXuZT2ZNxA3DxogkGgK0wVlOyNtxGoqDI62hyLUo=:3eZMZdAossPInncABj7/N/jkGtRZEUrz7uGkkNibHps='
----
ok

# For now, the login using SCRAM is not yet recognized.
connect user=userhpw password=abc
----
ok defaultdb

sql
ALTER USER userhpw WITH PASSWORD 'SCRAM-SHA-256$119680:RuTd0cF3mxFD/nUyNmH4bA==$PsNXCu6vNpjJmeAnph5NA5FWUYlkqIdKD/tTvHCMwLI=:sS8xL723JQUDVG4pL3uk17yoBeVE3d6ZuWpV7Mp/eNE='
----
ok

# For now, the login using SCRAM is not yet recognized.
connect user=userhpw password=pass
----
ok defaultdb

subtest end

subtest end

subtest root_pw

# By default root cannot log in with a password.
connect user=root sslmode=require sslcert= sslkey=
----
ERROR: password authentication failed for user root (SQLSTATE 28P01)

connect_unix user=root
----
ERROR: password authentication failed for user root (SQLSTATE 28P01)


# However if we give them a password, they can log in with password.

subtest root_pw/bcrypt

sql
SET CLUSTER SETTING server.user_login.password_encryption = 'crdb-bcrypt';
----
ok

sql
ALTER USER root WITH PASSWORD 'secureabc'
----
ok

# Then they can log in.
connect user=root password=secureabc sslmode=require sslcert= sslkey=
----
ok defaultdb

connect_unix user=root password=secureabc
----
ok defaultdb

subtest end

subtest root_pw/scram

sql
SET CLUSTER SETTING server.user_login.password_encryption = 'scram-sha-256';
----
ok

sql
ALTER USER root WITH PASSWORD 'secureabc'
----
ok

# Then they can log in.
connect user=root password=secureabc sslmode=require sslcert= sslkey=
----
ok defaultdb

connect_unix user=root password=secureabc
----
ok defaultdb

subtest end

subtest end
