From 6545628c6fe96f73f2acbe1292fa92d226ff8cee Mon Sep 17 00:00:00 2001
From: robot-clickhouse <robot-clickhouse@users.noreply.github.com>
Date: Tue, 1 Oct 2024 17:07:57 +0000
Subject: [PATCH] Backport #70148 to 24.9: Fix bcrypt password being displayed
 in system.query_log

---
 src/Parsers/Access/ASTAuthenticationData.cpp        |  3 ++-
 .../queries/0_stateless/01292_create_user.reference |  1 +
 tests/queries/0_stateless/01292_create_user.sql     | 13 ++++++++++++-
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/Parsers/Access/ASTAuthenticationData.cpp b/src/Parsers/Access/ASTAuthenticationData.cpp
index 75082041161..7a1091d8a1a 100644
--- a/src/Parsers/Access/ASTAuthenticationData.cpp
+++ b/src/Parsers/Access/ASTAuthenticationData.cpp
@@ -216,7 +216,8 @@ bool ASTAuthenticationData::hasSecretParts() const
     auto auth_type = *type;
     if ((auth_type == AuthenticationType::PLAINTEXT_PASSWORD)
         || (auth_type == AuthenticationType::SHA256_PASSWORD)
-        || (auth_type == AuthenticationType::DOUBLE_SHA1_PASSWORD))
+        || (auth_type == AuthenticationType::DOUBLE_SHA1_PASSWORD)
+        || (auth_type == AuthenticationType::BCRYPT_PASSWORD))
         return true;
 
     return childrenHaveSecretParts();
diff --git a/tests/queries/0_stateless/01292_create_user.reference b/tests/queries/0_stateless/01292_create_user.reference
index 3df69ae2669..186e4c8d75b 100644
--- a/tests/queries/0_stateless/01292_create_user.reference
+++ b/tests/queries/0_stateless/01292_create_user.reference
@@ -119,3 +119,4 @@ u4_01292	local_directory	['double_sha1_password']	['{}']	['::/0']	[]	[]	[]	1	[]
 \N	u4_01292	\N	2	readonly	1	\N	\N	\N	\N
 -- multiple authentication methods
 u1_01292	['plaintext_password','kerberos','bcrypt_password','ldap']	['{}','{"realm":"qwerty10"}','{}','{"server":"abc"}']
+-- no passwords or hashes in query_log
diff --git a/tests/queries/0_stateless/01292_create_user.sql b/tests/queries/0_stateless/01292_create_user.sql
index 41633b3d423..92eb139d06f 100644
--- a/tests/queries/0_stateless/01292_create_user.sql
+++ b/tests/queries/0_stateless/01292_create_user.sql
@@ -235,6 +235,17 @@ DROP USER u1_01292, u2_01292, u3_01292, u4_01292, u5_01292;
 DROP ROLE r1_01292, r2_01292;
 
 SELECT '-- multiple authentication methods';
-CREATE USER u1_01292 IDENTIFIED WITH plaintext_password by '1', kerberos REALM 'qwerty10', bcrypt_password by '3', ldap SERVER 'abc';
+CREATE USER u1_01292 IDENTIFIED WITH plaintext_password by 'qwe123', kerberos REALM 'qwerty10', bcrypt_password by '123qwe', ldap SERVER 'abc';
 SELECT name, auth_type, auth_params FROM system.users WHERE name = 'u1_01292' ORDER BY name;
 DROP USER u1_01292;
+
+SELECT '-- no passwords or hashes in query_log';
+SYSTEM FLUSH LOGS;
+SELECT query
+FROM system.query_log
+WHERE
+    query NOT LIKE '%query_log%' AND event_date >= yesterday() AND current_database = currentDatabase() AND
+    (query LIKE '%qwe123%' OR query LIKE '%123qwe%' OR
+    query LIKE '%18138372FAD4B94533CD4881F03DC6C69296DD897234E0CEE83F727E2E6B1F63%' OR
+    query LIKE '%8DCDD69CE7D121DE8013062AEAEB2A148910D50E%' OR
+    query like '%$2a$12$rz5iy2LhuwBezsM88ZzWiemOVUeJ94xHTzwAlLMDhTzwUxOHaY64q%');