WL#8885: Introduce a delay in authentication process

         based on successive failed login attempts

Description: This patch introduces a new audit plugin named
             connection_control. Using this plugin, it is
             possible to introduce an incremental delay in
             server response if consecutive failed login
             attempts for a given user account crosses user
             defined threshold value.

             It is possible to configure threshold value
             to trigger delay, minimum/maximum amount of
             delay through system variables introduced by
             connection_control plugin.

             This patch also introduces a new information
             schema view through an information schema plugin,
             connection_control_failed_attempts_view. This view
             provides information about consecutive failed
             attempts for various user account.

Author: harinvadodaria

mysql-test/include/plugin.defs

@@ -47,3 +47,4 @@ innodb_engine      plugin/innodb_memcached/innodb_memcache INNODB_ENGINE
 validate_password  plugin/password_validation VALIDATE_PASSWORD validate_password
 mysql_no_login     plugin/mysql_no_login      MYSQL_NO_LOGIN    mysql_no_login
 test_udf_services  plugin/udf_services TESTUDFSERVICES
+connection_control  plugin/connection_control   CONNECTION_CONTROL_PLUGIN    connection_control

mysql-test/mysql-test-run.pl

@@ -163,7 +163,7 @@ END
 
 # If you add a new suite, please check TEST_DIRS in Makefile.am.
 #
-my $DEFAULT_SUITES= "main,sys_vars,binlog,federated,rpl,innodb,innodb_fts,innodb_zip,perfschema,funcs_1,opt_trace,parts,auth_sec";
+my $DEFAULT_SUITES= "main,sys_vars,binlog,federated,rpl,innodb,innodb_fts,innodb_zip,perfschema,funcs_1,opt_trace,parts,auth_sec,connection_control";
 my $opt_suites;
 
 our $opt_verbose= 0;  # Verbose output, enable with --verbose

mysql-test/suite/connection_control/inc/check_connection_delay.inc

@@ -0,0 +1,44 @@
+# Following variables should be set:
+# $USER                 Name of the user
+# $PASSWORD             Password to be supplied
+# $SUCCESS              Whether a successful connection is expected or not
+# $DELAY_STATS           Expected value of Connection_control_delay_generated
+# $USE_AUTH_PLUGIN      Whether an authentication plugin is to be used or not
+# $CLIENT_AUTH_PLUGIN   Authentication plugin
+
+connection default;
+disable_query_log;
+disable_result_log;
+
+if ($SUCCESS == 0)
+{
+  --echo # Connection attempt should fail.
+  if ($USE_AUTH_PLUGIN == 0)
+  {
+    --error 1
+    --exec $MYSQL -u$USER -p$PASSWORD -e "SELECT 1;" 2>&1
+  }
+  if ($USE_AUTH_PLUGIN == 1)
+  {
+    --error 1
+    --exec $MYSQL -u$USER $CLIENT_AUTH_PLUGIN -p$PASSWORD -e "SELECT 1;" 2>&1
+  }
+}
+
+if ($SUCCESS != 0)
+{
+  --echo # Connection attempt should succeed.
+    if ($USE_AUTH_PLUGIN == 0)
+  {
+    --exec $MYSQL -u$USER -p$PASSWORD -e "SELECT 1;" 2>&1
+  }
+  if ($USE_AUTH_PLUGIN == 1)
+  {
+    --exec $MYSQL -u$USER $CLIENT_AUTH_PLUGIN -p$PASSWORD -e "SELECT 1;" 2>&1
+  }
+}
+
+enable_result_log;
+--echo Connection_control_delay_generated should be $DELAY_STATS
+SHOW STATUS LIKE 'Connection_control_delay_generated';
+enable_query_log;

mysql-test/suite/connection_control/inc/cleanup_proxy_accounts.inc

@@ -0,0 +1,24 @@
+disable_query_log;
+disable_result_log;
+# Revoke proxy grants
+REVOKE PROXY ON proxied@localhost FROM u1@localhost, u2@localhost, u3@localhost;
+
+# Drop proxy users
+DROP USER u1@localhost, u2@localhost, u3@localhost;
+
+# Drop proxied user
+DROP USER proxied@localhost;
+
+# Uninstall test_plugin_server
+UNINSTALL PLUGIN test_plugin_server;
+
+# Remove plugin library
+let $auth_plugin_path= `SELECT SUBSTR('$PLUGIN_AUTH_OPT/$PLUGIN_AUTH', 14)`;
+let $connection_control_plugin_path= `SELECT SUBSTR('$CONNECTION_CONTROL_PLUGIN_OPT/$PLUGIN_AUTH', 14)`;
+
+if ($auth_plugin_path != $connection_control_plugin_path)
+{
+  --remove_file $connection_control_plugin_path
+}
+enable_result_log;
+enable_query_log;

mysql-test/suite/connection_control/inc/have_connection_control_plugin.inc

@@ -0,0 +1,22 @@
+disable_query_log;
+#
+# Check if server has support for loading plugin
+#
+if (`SELECT @@have_dynamic_loading != 'YES'`) {
+  --skip The connection_control plugin requires dynamic loading
+}
+
+#
+# Check if the variable CONNECTION_CONTROL_PLUGIN is set
+#
+if (!$CONNECTION_CONTROL_PLUGIN) {
+  --skip The connection_control plugin requires the environment variable \$CONNECTION_CONTROL_PLUGIN to be set (normally done by mtr)
+}
+
+#
+# Check if --plugin-dir was setup for null_audit_db
+#
+if (`SELECT CONCAT('--plugin-dir=', REPLACE(@@plugin_dir, '\\\\', '/')) != '$CONNECTION_CONTROL_PLUGIN_OPT/'`) {
+  --skip The connection_control plugin requires that --plugin-dir is set to the connection_control plugin dir (either the .opt file does not contain \$CONNECTION_CONTROL_PLUGIN_OPT or another plugin is in use)
+}
+enable_query_log;

mysql-test/suite/connection_control/inc/have_test_plugin.inc

@@ -0,0 +1,16 @@
+disable_query_log;
+#
+# Check if server has support for loading plugin
+#
+if (`SELECT @@have_dynamic_loading != 'YES'`) {
+  --skip The connection_control plugin requires dynamic loading
+}
+
+#
+# Check if the variable PLUGIN_AUTH is set
+#
+if (!$PLUGIN_AUTH) {
+  --skip The connection_control plugin requires the environment variable \$PLUGIN_AUTH to be set (normally done by mtr)
+}
+
+enable_query_log;

mysql-test/suite/connection_control/inc/install_connection_control_plugin.inc

@@ -0,0 +1,5 @@
+# Install connection_control plugin
+--replace_result $CONNECTION_CONTROL_PLUGIN CONNECTION_CONTROL_LIB
+eval INSTALL PLUGIN connection_control SONAME '$CONNECTION_CONTROL_PLUGIN';
+--replace_result $CONNECTION_CONTROL_PLUGIN CONNECTION_CONTROL_LIB
+eval INSTALL PLUGIN connection_control_failed_login_attempts SONAME '$CONNECTION_CONTROL_PLUGIN'; 

mysql-test/suite/connection_control/inc/set_after_marker.inc

@@ -0,0 +1,10 @@
+# set after marker
+# $SERVER_RESPONSE_TIME [IN] Expected delay
+disable_query_log;
+disable_result_log;
+SET @after= TIMESTAMP(current_time());
+SET @server_response_time= TIMESTAMPDIFF(SECOND, @before, @after);
+enable_result_log;
+
+--eval SELECT @server_response_time >= $SERVER_RESPONSE_TIME
+enable_query_log;

mysql-test/suite/connection_control/inc/set_before_marker.inc

@@ -0,0 +1,6 @@
+# Set before marker
+disable_query_log;
+disable_result_log;
+SET @before= TIMESTAMP(current_time());
+enable_result_log;
+enable_query_log;

mysql-test/suite/connection_control/inc/setup_proxy_accounts.inc

@@ -0,0 +1,26 @@
+disable_query_log;
+disable_result_log;
+# Copy PLUGIN_AUTH library to CONNECTION_CONTROL_OPT location
+let $auth_plugin_path= `SELECT SUBSTR('$PLUGIN_AUTH_OPT/$PLUGIN_AUTH', 14)`;
+let $connection_control_plugin_path= `SELECT SUBSTR('$CONNECTION_CONTROL_PLUGIN_OPT/$PLUGIN_AUTH', 14)`;
+
+if ($auth_plugin_path != $connection_control_plugin_path)
+{
+  --error 0, 1
+  --remove_file $connection_control_plugin_path
+  --copy_file $auth_plugin_path $connection_control_plugin_path
+}
+# Install test_plugin_server
+eval INSTALL PLUGIN test_plugin_server SONAME '$PLUGIN_AUTH';
+
+# Create proxied@localhost
+CREATE USER proxied@localhost IDENTIFIED BY 'proxied_password';
+
+# Create u1@localhost, u2@localhost, u3@localhst
+CREATE USER u1@localhost IDENTIFIED WITH test_plugin_server AS 'proxied';
+CREATE USER u2@localhost IDENTIFIED WITH test_plugin_server AS 'proxied';
+CREATE USER u3@localhost IDENTIFIED WITH test_plugin_server AS 'proxied';
+
+GRANT PROXY ON proxied@localhost TO u1@localhost, u2@localhost, u3@localhost;
+enable_result_log;
+enable_query_log;