Bug #22551523: ALTER USER IDENTIFIED WITH AUTH_PAM DISABLES USER ACCOUNT

ALTER USER <foo> IDENTIFIED WITH <bar> was always marking the password
as expired regardless of whether the underlying plugin supports password
expiration or not.

Fixed by adding a check if the plugin does support that and not marking
the password as expired in this case.

Test case added.

Author: gkodinov

mysql-test/r/plugin_auth_expire.result

@@ -0,0 +1,19 @@
+#
+# Bug #22551523: ALTER USER IDENTIFIED WITH AUTH_PAM DISABLES USER ACCOUNT
+#
+CREATE USER b22551523@localhost;
+# Must be N
+SELECT password_expired from mysql.user where user='b22551523' and host = 'localhost';
+password_expired
+N
+ALTER USER b22551523@localhost IDENTIFIED with 'test_plugin_server';
+# Must still be N
+SELECT password_expired from mysql.user where user='b22551523' and host = 'localhost';
+password_expired
+N
+ALTER USER b22551523@localhost IDENTIFIED with 'mysql_native_password';
+# Must be Y
+SELECT password_expired from mysql.user where user='b22551523' and host = 'localhost';
+password_expired
+Y
+DROP USER b22551523@localhost;

mysql-test/t/plugin_auth_expire-master.opt

@@ -0,0 +1,2 @@
+$PLUGIN_AUTH_OPT
+$PLUGIN_AUTH_LOAD

mysql-test/t/plugin_auth_expire.test

@@ -0,0 +1,20 @@
+--source include/have_plugin_auth.inc
+--source include/not_embedded.inc
+
+--echo #
+--echo # Bug #22551523: ALTER USER IDENTIFIED WITH AUTH_PAM DISABLES USER ACCOUNT
+--echo #
+
+CREATE USER b22551523@localhost;
+--echo # Must be N
+SELECT password_expired from mysql.user where user='b22551523' and host = 'localhost';
+
+ALTER USER b22551523@localhost IDENTIFIED with 'test_plugin_server';
+--echo # Must still be N
+SELECT password_expired from mysql.user where user='b22551523' and host = 'localhost';
+
+ALTER USER b22551523@localhost IDENTIFIED with 'mysql_native_password';
+--echo # Must be Y
+SELECT password_expired from mysql.user where user='b22551523' and host = 'localhost';
+
+DROP USER b22551523@localhost;

sql/auth/sql_user.cc

@@ -445,12 +445,13 @@ bool set_and_validate_user_attributes(THD *thd,
       }
     }
     /*
-      if there is a plugin specified with no auth string, then set
-      the account as expired.
+      if there is a plugin specified with no auth string, and that
+      plugin supports password expiration then set the account as expired.
     */
     if (Str->uses_identified_with_clause &&
         !(Str->uses_identified_by_clause ||
-        Str->uses_authentication_string_clause))
+        Str->uses_authentication_string_clause) &&
+        auth_plugin_supports_expiration(Str->plugin.str))
     {
       Str->alter_status.update_password_expired_column= true;
       what_to_set|= PASSWORD_EXPIRE_ATTR;
@@ -1746,6 +1747,9 @@ bool mysql_alter_user(THD *thd, List <LEX_USER> &list, bool if_exists)
       continue;
     }
 
+    if (user_from && user_from->plugin.str)
+      optimize_plugin_compare_by_pointer(&user_from->plugin);
+
     /* copy password expire attributes to individual lex user */
     user_from->alter_status= thd->lex->alter_password;