Add authentication data capture for CREATE/ALTER USER statements

claude · claude · commit cdf0747aaae4 · 2025-12-31T03:31:40.000Z
- Add AuthenticationValues field to CreateQuery for storing password/hash values
- Update parseCreateUser and parseAlterUser to capture BY 'value' expressions
- Update explain output to show AuthenticationData with literal children
- Use token.BY and token.WITH keywords instead of IDENT checks

Fixes authentication data capture in EXPLAIN AST output for CREATE USER and
ALTER USER statements with IDENTIFIED WITH method BY 'value' syntax.
diff --git a/ast/ast.go b/ast/ast.go
@@ -272,6 +272,7 @@ type CreateQuery struct {
 	CreateUser       bool                 `json:"create_user,omitempty"`
 	AlterUser        bool                 `json:"alter_user,omitempty"`
 	HasAuthenticationData bool            `json:"has_authentication_data,omitempty"`
+	AuthenticationValues []string         `json:"authentication_values,omitempty"` // Password/hash values from IDENTIFIED BY
 	CreateDictionary   bool                              `json:"create_dictionary,omitempty"`
 	DictionaryAttrs    []*DictionaryAttributeDeclaration `json:"dictionary_attrs,omitempty"`
 	DictionaryDef      *DictionaryDefinition             `json:"dictionary_def,omitempty"`
diff --git a/internal/explain/statements.go b/internal/explain/statements.go
@@ -95,7 +95,17 @@ func explainCreateQuery(sb *strings.Builder, n *ast.CreateQuery, indent string,
 	if n.CreateUser || n.AlterUser {
 		if n.HasAuthenticationData {
 			fmt.Fprintf(sb, "%sCreateUserQuery (children 1)\n", indent)
-			fmt.Fprintf(sb, "%s AuthenticationData\n", indent)
+			// AuthenticationData has children if there are auth values
+			if len(n.AuthenticationValues) > 0 {
+				fmt.Fprintf(sb, "%s AuthenticationData (children %d)\n", indent, len(n.AuthenticationValues))
+				for _, val := range n.AuthenticationValues {
+					// Escape the value - strings need \' escaping
+					escaped := escapeStringLiteral(val)
+					fmt.Fprintf(sb, "%s  Literal \\'%s\\'\n", indent, escaped)
+				}
+			} else {
+				fmt.Fprintf(sb, "%s AuthenticationData\n", indent)
+			}
 		} else {
 			fmt.Fprintf(sb, "%sCreateUserQuery\n", indent)
 		}
diff --git a/parser/parser.go b/parser/parser.go
@@ -1895,20 +1895,61 @@ func (p *Parser) parseCreateUser(create *ast.CreateQuery) {
 			p.nextToken()
 			if p.currentIs(token.IDENT) && strings.ToUpper(p.current.Value) == "IDENTIFIED" {
 				create.HasAuthenticationData = true
+				p.nextToken()
 			}
 			continue
 		}
 		// Check for IDENTIFIED (without NOT)
 		if p.currentIs(token.IDENT) && strings.ToUpper(p.current.Value) == "IDENTIFIED" {
 			create.HasAuthenticationData = true
+			p.nextToken()
+			// Parse authentication method and value
+			// Forms: IDENTIFIED BY 'password'
+			//        IDENTIFIED WITH method BY 'password'
+			//        IDENTIFIED WITH method BY 'password', method BY 'password', ...
+			for {
+				// Skip WITH if present (auth method follows)
+				if p.currentIs(token.WITH) {
+					p.nextToken()
+				}
+				// Skip auth method name (plaintext_password, sha256_password, etc.)
+				// Stop at BY (token), comma, or next section keywords
+				for p.currentIs(token.IDENT) {
+					ident := strings.ToUpper(p.current.Value)
+					// Stop at HOST, SETTINGS, DEFAULT, GRANTEES - don't consume these
+					if ident == "HOST" || ident == "SETTINGS" || ident == "DEFAULT" || ident == "GRANTEES" {
+						break
+					}
+					p.nextToken()
+					// Handle REALM/SERVER string values (for kerberos/ldap)
+					if p.currentIs(token.STRING) && (ident == "REALM" || ident == "SERVER") {
+						p.nextToken()
+					}
+				}
+				// Check for BY 'value' (BY is a keyword token, not IDENT)
+				if p.currentIs(token.BY) {
+					p.nextToken()
+					if p.currentIs(token.STRING) {
+						create.AuthenticationValues = append(create.AuthenticationValues, p.current.Value)
+						p.nextToken()
+					}
+				}
+				// Check for comma (multiple auth methods)
+				if p.currentIs(token.COMMA) {
+					p.nextToken()
+					continue
+				}
+				break
+			}
+			continue
 		}
 		p.nextToken()
 	}
 }
 
 func (p *Parser) parseAlterUser() *ast.CreateQuery {
 	create := &ast.CreateQuery{
-		Position:  p.current.Pos,
+		Position:   p.current.Pos,
 		CreateUser: true,
 		AlterUser:  true,
 	}
@@ -1919,8 +1960,55 @@ func (p *Parser) parseAlterUser() *ast.CreateQuery {
 	// Parse user name
 	create.UserName = p.parseIdentifierName()
 
-	// Skip the rest of the user definition (complex syntax)
+	// Scan for authentication data (NOT IDENTIFIED or IDENTIFIED)
 	for !p.currentIs(token.EOF) && !p.currentIs(token.SEMICOLON) {
+		// Check for NOT IDENTIFIED
+		if p.currentIs(token.NOT) {
+			p.nextToken()
+			if p.currentIs(token.IDENT) && strings.ToUpper(p.current.Value) == "IDENTIFIED" {
+				create.HasAuthenticationData = true
+				p.nextToken()
+			}
+			continue
+		}
+		// Check for IDENTIFIED (without NOT)
+		if p.currentIs(token.IDENT) && strings.ToUpper(p.current.Value) == "IDENTIFIED" {
+			create.HasAuthenticationData = true
+			p.nextToken()
+			// Parse authentication method and value
+			for {
+				// Skip WITH if present
+				if p.currentIs(token.WITH) {
+					p.nextToken()
+				}
+				// Skip auth method name
+				for p.currentIs(token.IDENT) {
+					ident := strings.ToUpper(p.current.Value)
+					if ident == "HOST" || ident == "SETTINGS" || ident == "DEFAULT" || ident == "GRANTEES" {
+						break
+					}
+					p.nextToken()
+					if p.currentIs(token.STRING) && (ident == "REALM" || ident == "SERVER") {
+						p.nextToken()
+					}
+				}
+				// Check for BY 'value'
+				if p.currentIs(token.BY) {
+					p.nextToken()
+					if p.currentIs(token.STRING) {
+						create.AuthenticationValues = append(create.AuthenticationValues, p.current.Value)
+						p.nextToken()
+					}
+				}
+				// Check for comma (multiple auth methods)
+				if p.currentIs(token.COMMA) {
+					p.nextToken()
+					continue
+				}
+				break
+			}
+			continue
+		}
 		p.nextToken()
 	}
 
diff --git a/parser/testdata/01292_create_user/metadata.json b/parser/testdata/01292_create_user/metadata.json
@@ -4,29 +4,11 @@
     "stmt158": true,
     "stmt159": true,
     "stmt160": true,
-    "stmt169": true,
-    "stmt171": true,
     "stmt196": true,
     "stmt197": true,
     "stmt200": true,
     "stmt201": true,
-    "stmt205": true,
-    "stmt207": true,
-    "stmt208": true,
-    "stmt22": true,
     "stmt221": true,
-    "stmt23": true,
-    "stmt239": true,
-    "stmt24": true,
-    "stmt25": true,
-    "stmt26": true,
-    "stmt27": true,
-    "stmt28": true,
-    "stmt29": true,
-    "stmt39": true,
-    "stmt40": true,
-    "stmt41": true,
-    "stmt42": true,
-    "stmt43": true
+    "stmt239": true
   }
 }
diff --git a/parser/testdata/01702_system_query_log/metadata.json b/parser/testdata/01702_system_query_log/metadata.json
@@ -1,6 +1,5 @@
 {
   "explain_todo": {
-    "stmt15": true,
     "stmt19": true,
     "stmt24": true,
     "stmt28": true,
diff --git a/parser/testdata/03172_bcrypt_validation/metadata.json b/parser/testdata/03172_bcrypt_validation/metadata.json
@@ -1,5 +1 @@
-{
-  "explain_todo": {
-    "stmt2": true
-  }
-}
+{}

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,5 @@`
`1`	`1`	`{`
`2`	`2`	`"explain_todo": {`
`3`		`- "stmt15": true,`
`4`	`3`	`"stmt19": true,`
`5`	`4`	`"stmt24": true,`
`6`	`5`	`"stmt28": true,`
-Original file line number
+Diff line change
@@ @@ -1,5 +1 @@ @@
 -{
 -  "explain_todo": {
 -    "stmt2": true
 -  }
 -}
 +{}