diff --git a/nixos/tests/mysql/mysql.nix b/nixos/tests/mysql/mysql.nix index d236ce94632..50e1c76e9fd 100644 --- a/nixos/tests/mysql/mysql.nix +++ b/nixos/tests/mysql/mysql.nix @@ -5,20 +5,34 @@ import ./../make-test-python.nix ({ pkgs, ...} : { }; nodes = { - mysql = + mysql57 = { pkgs, ... }: { + users.users.testuser = { }; + users.users.testuser2 = { }; services.mysql.enable = true; services.mysql.initialDatabases = [ - { name = "testdb"; schema = ./testdb.sql; } - { name = "empty_testdb"; } + { name = "testdb3"; schema = ./testdb.sql; } ]; # note that using pkgs.writeText here is generally not a good idea, # as it will store the password in world-readable /nix/store ;) services.mysql.initialScript = pkgs.writeText "mysql-init.sql" '' - CREATE USER 'passworduser'@'localhost' IDENTIFIED BY 'password123'; + CREATE USER 'testuser3'@'localhost' IDENTIFIED BY 'secure'; + GRANT ALL PRIVILEGES ON testdb3.* TO 'testuser3'@'localhost'; ''; + services.mysql.ensureDatabases = [ "testdb" "testdb2" ]; + services.mysql.ensureUsers = [{ + name = "testuser"; + ensurePermissions = { + "testdb.*" = "ALL PRIVILEGES"; + }; + } { + name = "testuser2"; + ensurePermissions = { + "testdb2.*" = "ALL PRIVILEGES"; + }; + }]; services.mysql.package = pkgs.mysql57; }; 
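Review bot: The mysql57 node configuration added here (users, initialDatabases, initialScript, ensureDatabases, ensureUsers) is repeated verbatim for the mysql80 node in the next hunk, with only `services.mysql.package` differing, so the two copies will drift the next time one of them is edited. A helper in a `let` binding, e.g. `mkMysqlNode = package: { pkgs, ... }: { … services.mysql.package = package; };`, used as `mysql57 = mkMysqlNode pkgs.mysql57;` and `mysql80 = mkMysqlNode pkgs.mysql80;`, keeps a single definition. `users.users.testuser = { };` and `users.users.testuser2 = { };` set neither `isSystemUser` nor `isNormalUser`; if the user module in this tree expects one of them, `isSystemUser = true;` would make the intent explicit — to be confirmed against the module. The enclosing `nodes` attribute set continues outside the hunk.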
@@ -30,16 +44,30 @@ import ./../make-test-python.nix ({ pkgs, ...} : { # Kernel panic - not syncing: Out of memory: compulsory panic_on_oom is enabled virtualisation.memorySize = 1024; + users.users.testuser = { }; + users.users.testuser2 = { }; services.mysql.enable = true; services.mysql.initialDatabases = [ - { name = "testdb"; schema = ./testdb.sql; } - { name = "empty_testdb"; } + { name = "testdb3"; schema = ./testdb.sql; } ]; # note that using pkgs.writeText here is generally not a good idea, # as it will store the password in world-readable /nix/store ;) services.mysql.initialScript = pkgs.writeText "mysql-init.sql" '' - CREATE USER 'passworduser'@'localhost' IDENTIFIED BY 'password123'; + CREATE USER 'testuser3'@'localhost' IDENTIFIED BY 'secure'; + GRANT ALL PRIVILEGES ON testdb3.* TO 'testuser3'@'localhost'; ''; + services.mysql.ensureDatabases = [ "testdb" "testdb2" ]; + services.mysql.ensureUsers = [{ + name = "testuser"; + ensurePermissions = { + "testdb.*" = "ALL PRIVILEGES"; + }; + } { + name = "testuser2"; + ensurePermissions = { + "testdb2.*" = "ALL PRIVILEGES"; + }; + }]; services.mysql.package = pkgs.mysql80; }; 
@@ -81,17 +109,49 @@ import ./../make-test-python.nix ({ pkgs, ...} : { testScript = '' start_all() - mysql.wait_for_unit("mysql") - mysql.succeed("echo 'use empty_testdb;' | mysql -u root") - mysql.succeed("echo 'use testdb; select * from tests;' | mysql -u root -N | grep 4") - # ';' acts as no-op, just check whether login succeeds with the user created from the initialScript - mysql.succeed("echo ';' | mysql -u passworduser --password=password123") + mysql57.wait_for_unit("mysql") + mysql57.succeed( + "echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser" + ) + mysql57.succeed( + "echo 'use testdb; insert into tests values (41);' | sudo -u testuser mysql -u testuser" + ) + # Ensure testuser2 is not able to insert into testdb as mysql testuser2 + mysql57.fail( + "echo 'use testdb; insert into tests values (22);' | sudo -u testuser2 mysql -u testuser2" + ) + # Ensure testuser2 is not able to authenticate as mysql testuser + mysql57.fail( + "echo 'use testdb; insert into tests values (22);' | sudo -u testuser2 mysql -u testuser" + ) + mysql57.succeed( + "echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 41" + ) + mysql57.succeed( + "echo 'use testdb3; select * from tests;' | mysql -u testuser3 --password=secure -N | grep 4" + ) mysql80.wait_for_unit("mysql") - mysql80.succeed("echo 'use empty_testdb;' | mysql -u root") - mysql80.succeed("echo 'use testdb; select * from tests;' | mysql -u root -N | grep 4") - # ';' acts as no-op, just check whether login succeeds with the user created from the initialScript - mysql80.succeed("echo ';' | mysql -u passworduser --password=password123") + mysql80.succeed( + "echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser" + ) + mysql80.succeed( + "echo 'use testdb; insert into tests values (41);' | sudo -u testuser mysql -u testuser" + ) + # Ensure testuser2 is not able 
to insert into testdb as mysql testuser2 + mysql80.fail( + "echo 'use testdb; insert into tests values (22);' | sudo -u testuser2 mysql -u testuser2" + ) + # Ensure testuser2 is not able to authenticate as mysql testuser + mysql80.fail( + "echo 'use testdb; insert into tests values (22);' | sudo -u testuser2 mysql -u testuser" + ) + mysql80.succeed( + "echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 41" + ) + mysql80.succeed( + "echo 'use testdb3; select * from tests;' | mysql -u testuser3 --password=secure -N | grep 4" + ) mariadb.wait_for_unit("mysql") mariadb.succeed( diff --git a/pkgs/servers/sql/mariadb/cmake-disable-auth-pam-testing.patch b/pkgs/servers/sql/mariadb/cmake-disable-auth-pam-testing.patch deleted file mode 100644 index 864ee818d3c..00000000000 --- a/pkgs/servers/sql/mariadb/cmake-disable-auth-pam-testing.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/plugin/auth_pam/CMakeLists.txt b/plugin/auth_pam/CMakeLists.txt -index a556b870..918a26f9 100644 ---- a/plugin/auth_pam/CMakeLists.txt -+++ b/plugin/auth_pam/CMakeLists.txt -@@ -22,7 +22,6 @@ IF(HAVE_PAM_APPL_H) - COMPONENT Server) - ENDIF() - IF(TARGET auth_pam OR TARGET auth_pam_v1) -- ADD_SUBDIRECTORY(testing) - ADD_LIBRARY(pam_user_map MODULE mapper/pam_user_map.c) - TARGET_LINK_LIBRARIES(pam_user_map pam) - SET_TARGET_PROPERTIES (pam_user_map PROPERTIES PREFIX "") diff --git a/pkgs/servers/sql/mariadb/default.nix b/pkgs/servers/sql/mariadb/default.nix index ac9772922ec..9c2134e211f 100644 --- a/pkgs/servers/sql/mariadb/default.nix +++ b/pkgs/servers/sql/mariadb/default.nix 
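Review bot: The two `mysql57.fail(...)` checks (and their mysql80 counterparts) only assert a non-zero exit status, so they pass for any reason the pipeline fails — a `sudo` policy problem, a missing `testdb`, a client-side error — and not specifically because the server rejected testuser2, which is the property the comments claim to verify. Capturing the output and checking for the server's access-denied message pins the reason, e.g. `status, out = mysql57.execute("echo 'use testdb; insert into tests values (22);' | sudo -u testuser2 mysql -u testuser 2>&1")` followed by `assert status != 0 and "Access denied" in out, out` (the exact message text should be confirmed against real client output). The `grep 41` and `grep 4` checks are substring matches, so `grep -x 41` would make the row assertion exact. The mysql57 and mysql80 blocks are otherwise line-for-line identical apart from the machine name, so `for machine in [mysql57, mysql80]:` with `machine.` in place of `mysql57.` halves the script. The `testScript` string continues outside the hunk with the mariadb checks.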
@@ -23,14 +23,14 @@ mariadb = server // { }; common = rec { # attributes common to both builds - version = "10.4.12"; + version = "10.4.13"; src = fetchurl { urls = [ "https://downloads.mariadb.org/f/mariadb-${version}/source/mariadb-${version}.tar.gz" "https://downloads.mariadb.com/MariaDB/mariadb-${version}/source/mariadb-${version}.tar.gz" ]; - sha256 = "0252b9rxxz1ljjv6ni0wwgy14j8qmmdd2sq0a65dslx2ib9y3wgy"; + sha256 = "1pwibmm52sc04qxp832pc3ylxw9wq90fjc7nxpcyp3yys49bpfs5"; name = "mariadb-${version}.tar.gz"; }; @@ -72,6 +72,8 @@ common = rec { # attributes common to both builds "-DINSTALL_SUPPORTFILESDIR=share/doc/mysql" "-DINSTALL_MYSQLTESTDIR=OFF" "-DINSTALL_SQLBENCHDIR=OFF" + "-DINSTALL_PAMDIR=share/pam/lib/security" + "-DINSTALL_PAMDATADIR=share/pam/etc/security" "-DWITH_ZLIB=system" "-DWITH_SSL=system" @@ -94,7 +96,7 @@ common = rec { # attributes common to both builds rm "$out"/bin/{mariadb_config,mysql_config} rm -r $out/include rm -r $out/lib/pkgconfig - rm -r $out/share/{aclocal,pkgconfig} + rm -r $out/share/aclocal ''; enableParallelBuilding = true; @@ -160,10 +162,7 @@ server = stdenv.mkDerivation (common // { ++ optional stdenv.hostPlatform.isLinux linux-pam ++ optional (!stdenv.hostPlatform.isDarwin) mytopEnv; - patches = common.patches ++ [ - # Disable build unused plugin pam_mariadb_mtr.so. See https://jira.mariadb.org/browse/MDEV-21654 - ./cmake-disable-auth-pam-testing.patch - ] ++ optionals stdenv.hostPlatform.isDarwin [ + patches = common.patches ++ optionals stdenv.hostPlatform.isDarwin [ ./cmake-without-plugin-auth-pam.patch ]; 
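Review bot: The new `-DINSTALL_PAMDIR=share/pam/lib/security` and `-DINSTALL_PAMDATADIR=share/pam/etc/security` flags put PAM material under `share/`, which is not a location PAM loads modules from on its own, and the hunk does not say whether that is deliberate (keeping the module inert unless a service references it explicitly) or what is expected to consume these files. A comment above the two lines, such as `# PAM module and data go under share/ so nothing loads them unless explicitly configured to`, would record the intent — assuming that is the reason, which the diff does not state. The `cmakeFlags` list continues outside the hunk.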
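Review bot: `rm -r $out/share/{aclocal,pkgconfig}` becomes `rm -r $out/share/aclocal`, so `share/pkgconfig` is now kept in the output, and nothing in the commit explains why — whether 10.4.13 stops installing it (in which case the old `rm` would have failed the build) or it is intentionally shipped now. A one-line comment, e.g. `# share/pkgconfig is no longer removed: <reason>`, would keep the next version bump from reinstating the deletion. The install script continues outside the hunk.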
@@ -202,6 +201,9 @@ server = stdenv.mkDerivation (common // { chmod +x "$out"/bin/wsrep_sst_common rm "$out"/bin/{mariadb-client-test,mariadb-test,mysql_client_test,mysqltest} rm -r "$out"/data # Don't need testing data + mv "$out"/OFF/suite/plugins/pam/pam_mariadb_mtr.so "$out"/share/pam/lib/security + mv "$out"/OFF/suite/plugins/pam/mariadb_mtr "$out"/share/pam/etc/security + rm -r "$out"/OFF '' + optionalString withStorageMroonga '' mv "$out"/share/{groonga,groonga-normalizer-mysql} "$out"/share/doc/mysql '' + optionalString (!stdenv.hostPlatform.isDarwin) '' diff --git a/pkgs/servers/sql/mariadb/galera/default.nix b/pkgs/servers/sql/mariadb/galera/default.nix index 6c3a1af907d..14ab75d159b 100644 --- a/pkgs/servers/sql/mariadb/galera/default.nix +++ b/pkgs/servers/sql/mariadb/galera/default.nix @@ -10,13 +10,13 @@ let in stdenv.mkDerivation rec { pname = "mariadb-galera"; - version = "26.4.3"; + version = "26.4.5"; src = fetchFromGitHub { owner = "codership"; repo = "galera"; rev = "release_${version}"; - sha256 = "1r0b4kxgqrivnwm4hprnpscb16v6l6j8cnvk4i8c64fig1ly8g3j"; + sha256 = "10sir0hxxglw9jsjrclfgrqm8n5zng6rwj2fgff141x9n9l55w7l"; fetchSubmodules = true; }; @@ -48,7 +48,6 @@ in stdenv.mkDerivation rec { install -m 444 "LICENSE" "$out/$GALERA_LICENSE_DIR/GPLv2" install -m 444 "asio/LICENSE_1_0.txt" "$out/$GALERA_LICENSE_DIR/LICENSE.asio" install -m 444 "www.evanjones.ca/LICENSE" "$out/$GALERA_LICENSE_DIR/LICENSE.crc32c" - install -m 444 "chromium/LICENSE" "$out/$GALERA_LICENSE_DIR/LICENSE.chromium" ''; meta = with stdenv.lib; {
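Review bot: The three added `mv`/`rm -r` lines depend on `"$out"/OFF/suite/plugins/pam/...` existing, i.e. on CMake having taken the `-DINSTALL_MYSQLTESTDIR=OFF` value literally as a directory named `OFF`, and on pam_mariadb_mtr.so being the test-suite PAM module that the now-deleted cmake-disable-auth-pam-testing.patch (MDEV-21654, per the removed comment in the earlier hunk) used to stop building; none of that is written down here, so a later reader finds an unexplained `OFF` path and no issue reference. A comment before the first `mv`, e.g. `# -DINSTALL_MYSQLTESTDIR=OFF makes CMake install test-suite files under $out/OFF; keep only the PAM test module and its config (MDEV-21654) and drop the rest`, preserves that context. Because the output changes from not building that PAM module to shipping it under share/pam, the same comment should state that it is a test-only module (presumably for mysql-test-run, going by the name and the removed patch) rather than something meant for production PAM stacks — an inference from the removed patch, not from this hunk. The install script continues outside the hunk.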