proxysql

Commit Graph

Author	SHA1	Message	Date
Rene Cannao	3e80983ab1	fix(mysqlx): align backend CapSet gate with TLS posture; sync unit test step_auth_capabilities_get_sent: gate the CapabilitiesSet branch on backend_tls_required_ alone, not (required && ssl_ctx). In `preferred` mode without an SSL_CTX the proxy must still emit CapabilitiesSet(tls= true) so the backend's Error response can drive the plaintext fallback in step_auth_capabilities_set_sent — the contract exercised by mysqlx_backend_auth_unit-t's three preferred-mode tests. ssl_ctx is still required to actually negotiate TLS in the post-OK branch, so behaviour with ctx absent silently downgrades just as before. mysqlx_backend_auth_unit-t (test_backend_auth_state_transitions): update the no-TLS happy-path test to match the new flow — the proxy goes straight from CapGet→AuthenticateStart, skipping CapabilitiesSet, and the AuthenticateContinue response is now `schema\0user\0hex_scramble` instead of bare `hex_scramble`. Validated locally in docker: all 29 mysqlx_/plugin_*_unit-t binaries pass. test_mysqlx_e2e_handshake-t (10/10), test_mysqlx_admin_tables-t, and test_mysqlx_plugin_load-t still pass.	2 weeks ago
Rene Cannao	a497166792	fix(mysqlx): correct X Protocol backend auth + e2e tests + workflow Plugin (mysqlx_connection.cpp): - step_auth_capabilities_get_sent no longer tries to CapabilitiesSet authentication.mechanisms — that capability is read-only on the upstream X plugin and returns ER_X_CAPABILITIES_PREPARE_FAILED (5001). The auth method is chosen via AuthenticateStart.mech_name. When backend TLS isn't desired, jump straight to AuthenticateStart; only emit CapabilitiesSet for tls upgrade. - step_auth_authenticate_start_sent now sends MYSQL41 AuthenticateContinue with the full `schema\0user\0hex_scramble` payload, matching what the upstream X plugin expects. The prior bare `hex_scramble` form is what ProxySQL accepts on the FRONTEND but the X plugin treats the leading byte as schema and rejects with 1045. Tests (test_mysqlx_e2e_handshake-t.cpp, test_mysqlx_e2e_routing-t.cpp): - X Protocol does not send an unsolicited Capabilities frame on TCP connect — drop the initial mysqlx_read_frame from every sub-test and from full_handshake. Send CapabilitiesGet first. - AuthenticateContinue.auth_data from the server is the raw 20-byte challenge, not hex; assign directly instead of mysqlx_hex_decode. - Rewrite test 3 of the handshake test to verify the X plugin's actual rejection of CapabilitiesSet(authentication.mechanisms) (error 5001), since that's the real protocol behaviour. - AuthenticateStart for MYSQL41 carries an empty auth_data against the MySQL X server (handshake test); the routing test against ProxySQL puts `\0schema\0user` there and sends `*hex` on AuthenticateContinue, matching the plugin's own parser. Workflow (.github/workflows/CI-mysqlx.yml): - Run mysqlx integration + handshake tests explicitly (no glob), so the e2e job no longer accidentally invokes soak / route_drop / routing binaries that need their own infrastructure or further plugin fixes. - Defer test_mysqlx_e2e_routing-t: the handshake stage now passes through ProxySQL with these plugin fixes, but the SQL-forwarding path after auth still hangs (server_ds never reaches XDS_READY and the plugin's direct SQLite queries against runtime_mysql_users/ runtime_mysql_servers miss admin's lazy-refresh). Tracked in a follow-up comment in the workflow.	2 weeks ago
Rene Cannao	2b245c8ab4	fix(build): declare PROTOBUF_LIB as prereq of plugin .o rule plugins/mysqlx/Makefile's regular .o rule lacked $(PROTOBUF_LIB) as a prerequisite even though several plugin sources transitively include <google/protobuf/...> headers (mysqlx_protocol.cpp, mysqlx_connection.cpp, mysqlx_session.cpp all #include "mysqlx.pb.h" which #includes <google/protobuf/port_def.inc> and <google/protobuf/generated_message_bases.h>). The .pb.o rule already had the prereq, but that wasn't enough: parallel make can schedule .o compiles in the slot before the .pb.o rule's chain has fired its deps protobuf build, and the .o compile sees an empty $(PROTOBUF_INSTALL_DIR)/include and fails: plugins/mysqlx/proto/mysqlx.pb.h:10:10: fatal error: google/protobuf/port_def.inc: No such file or directory make: *** [Makefile:116: .../plugins/mysqlx/obj/mysqlx_protocol.o] Error 1 The bug stayed hidden on hosts with system libprotobuf-dev 3.21.x already installed (Ubuntu 24.04, or Ubuntu 22.04 with the ubuntu-toolchain backports). On those systems gcc finds the protobuf headers under /usr/include/ via the standard search path and the .o compile succeeds against the system install, masking the missing Makefile dependency. CI runs on a stock ubuntu-22.04 GitHub-hosted runner with no system libprotobuf installed, so the bug is exposed the moment the .o compile fires before the vendored install exists. Verified locally: with the vendored install deleted, `make -n` now shows the deps protobuf build as the first action in the chain, and a clean `make -j4` from scratch succeeds (FINAL RC=0).	2 weeks ago
René Cannaò	08cc2dbaa5	Merge commit from fork fix(security): MCP run_sql_readonly multi-statement bypass (CVE-2026-48774 / GHSA-7wh6-2vcc-gcm4)	1 month ago
Rene Cannao	e32b7fd50c	fix(security): harden MySQL_Tool_Handler parallel class (GHSA-7wh6-2vcc-gcm4) MySQL_Tool_Handler is a sibling of Query_Tool_Handler with the same shape: it opens a backend MySQL connection pool and exposes run_sql_readonly() and explain_sql() methods. It was not touched by the original GHSA-7wh6-2vcc-gcm4 fix because no MCP endpoint registration currently dispatches through it (mysql_tool_handler is declared in MCP_Thread but never assigned), but the class is allocated and destructed by MCP_Thread and referenced by MySQL_FTS / catalog code. Any future wire-up — MCP endpoint, new tool, accidental rebind — would reintroduce CVE-2026-48774 verbatim, because: * the connection pool was opened with CLIENT_MULTI_STATEMENTS; * validate_readonly_query had no contains_multi_statement check; * is_dangerous_query missed RENAME, FLUSH, RESET, LOCK/UNLOCK, KILL, OPTIMIZE, REPAIR, HANDLER, INSTALL/UNINSTALL, CHANGE, PURGE, BEGIN/START/COMMIT/ROLLBACK, XA, SHUTDOWN, INTO DUMPFILE, ANALYZE; * explain_sql performed ZERO validation before prepending "EXPLAIN ". Mirror the Query_Tool_Handler hardening here: * Drop CLIENT_MULTI_STATEMENTS in init_connection_pool(). * Expand the dangerous-keyword list to match the sibling class, plus ANALYZE so that obfuscated EXPLAIN ANALYZE forms ("EXPLAIN/*/ ANALYZE", "EXPLAIN (ANALYZE)", etc.) and standalone "ANALYZE TABLE x" are caught. Add a contains_multi_statement() lexer that ignores ';' inside string literals, identifier-quoted names, and comments; call it at the start of validate_readonly_query(). * Add the same read-only validation to explain_sql(). The contains_multi_statement implementation is duplicated from Query_Tool_Handler intentionally for the short-term security fix; a follow-up should deduplicate into a shared utility so the two validators cannot drift.	1 month ago
Rene Cannao	f4fd5e4c06	fix(security): require non-empty auth token on every MCP endpoint (GHSA-7wh6-2vcc-gcm4) Previously only /mcp/query refused empty tokens. /mcp/admin, /mcp/cache, /mcp/config, /mcp/stats, /mcp/ai, and /mcp/rag still fell through to the permissive "no token = allow anyone" branch. Each of those endpoints either executes SQL on configured backends (admin, query, ai, rag), exposes proxy configuration including credentials (config), or surfaces internal runtime state (cache, stats). The original GHSA-7wh6-2vcc-gcm4 fix justified the /mcp/query change on grounds that "an unauthenticated attacker reaching the MCP listener can still read arbitrary data from any configured target using the documented read-only tools" — the same argument applies in equal or greater force to /mcp/admin (which exposes admin_kill_query, admin_flush_cache, admin_reload). Generalize the empty-token rejection to all endpoints. Operators must set the corresponding mcp-<endpoint>_endpoint_auth variable to a non-empty bearer token before that endpoint will respond. The permissive "empty = open" default is removed. Update doc/MCP/VARIABLES.md to flag every endpoint-auth variable as required.	1 month ago
Rene Cannao	d9124436bd	fix(security): close EXPLAIN ANALYZE bypass via comment/whitespace/PG syntax (GHSA-7wh6-2vcc-gcm4) The literal `upper.find("EXPLAIN ANALYZE")` check missed several backend-accepted forms of the same construct: EXPLAIN/**/ANALYZE SELECT ... (block comment between tokens) EXPLAIN ANALYZE SELECT ... (double space) EXPLAIN\nANALYZE SELECT ... (newline between tokens) EXPLAIN (ANALYZE) SELECT ... (PostgreSQL canonical option syntax) EXPLAIN (VERBOSE, ANALYZE) SELECT (PostgreSQL with additional options) On PostgreSQL, EXPLAIN (ANALYZE) actually executes the wrapped statement and any volatile/side-effecting functions it invokes, so the gap is reachable through the supposedly read-only `run_sql_readonly` and `explain_sql` MCP tools. Add ANALYZE to the substring blacklist used by validate_readonly_query. This catches every obfuscated EXPLAIN ANALYZE form (the substring is present regardless of whitespace/comment shape) and also catches the standalone `ANALYZE TABLE x` / `ANALYZE foo` statements, which write to system catalogs and were not previously covered by any guard. The narrower `find("EXPLAIN ANALYZE")` check is removed because the new blacklist entry strictly supersedes it. Extends the regression test with the six bypass payloads plus the standalone-ANALYZE case to lock the new behaviour in.	1 month ago
Rene Cannao	a2779c0792	fix(security): require non-empty mcp-query_endpoint_auth for /mcp/query (GHSA-7wh6-2vcc-gcm4) Even after the run_sql_readonly multi-statement bypass is closed, the /mcp/query endpoint executes SQL against configured MCP target backends using the documented read-only tools (run_sql_readonly, explain_sql, list_, sample_, etc). Exposing this endpoint without authentication lets any network attacker who can reach the MCP listener read arbitrary data from any configured target. The variable mcp-query_endpoint_auth defaults to an empty string. The pre-fix authenticate_request() treated an empty token as "no auth configured, allow the request", which means the secure-default expectation is reversed: by default, /mcp/query is wide open whenever mcp-enabled=true. Refuse all /mcp/query requests when mcp-query_endpoint_auth is empty. An operator must set the variable to a chosen non-empty bearer token before the endpoint will serve requests. This is intentionally restricted to /mcp/query for now; the other endpoints retain their existing behavior pending a broader review. Document the requirement in doc/MCP/VARIABLES.md.	2 months ago
Rene Cannao	9d8c6b77b3	fix(security): close MCP run_sql_readonly multi-statement bypass (GHSA-7wh6-2vcc-gcm4) The MCP /mcp/query endpoint advertised a read-only contract for the run_sql_readonly tool, but enforcement was a substring-only validator on the first keyword while the backend MySQL connection was opened with CLIENT_MULTI_STATEMENTS. A payload like SELECT 1; RENAME TABLE testdb.x TO testdb.y passed validation (starts with SELECT) and executed both statements, renaming the backend table. The pre-fix substring blacklist also omitted several side-effecting MySQL keywords (RENAME, SET, RESET, LOCK, UNLOCK, KILL, FLUSH, OPTIMIZE, REPAIR, HANDLER, ...) so the bypass also worked as a single statement when those keywords appeared at the start. Fixes applied in defense-in-depth order: 1. Drop CLIENT_MULTI_STATEMENTS from the MCP backend mysql_real_connect calls in Query_Tool_Handler.cpp:init_connection_pool and backend_client.cpp:dial_mysql. This alone closes the demonstrated PoC end-to-end: the server-side parser will reject the trailing statement as a syntax error. 2. Add Query_Tool_Handler::contains_multi_statement() which tracks lexical state (single/double-quoted strings, backtick-quoted identifiers, '--' line comments, '/* */' block comments) and rejects any ';' followed by non-whitespace. Call it at the top of validate_readonly_query so multi-statement payloads are rejected before they ever reach the backend. 3. Expand the dangerous-keyword denylist to cover RENAME, RESET, LOCK, UNLOCK, KILL, FLUSH, GRANT, REVOKE, OPTIMIZE, REPAIR, HANDLER, INSTALL/UNINSTALL, CHANGE, PURGE, SAVEPOINT/RELEASE, transaction control (BEGIN, START, COMMIT, ROLLBACK, XA), SHUTDOWN, INTO OUTFILE/DUMPFILE. Reject 'SET ' and 'USE ' as standalone leading keywords (they appear legitimately as substrings inside SELECT, but never as the first token of a read-only query). 4. Reject 'EXPLAIN ANALYZE' explicitly: PostgreSQL EXPLAIN ANALYZE actually executes the wrapped statement, and the same applies to some MySQL configurations. 5. Apply the same validation in the explain_sql handler, which previously did no read-only validation at all. An MCP caller could send "SELECT 1; RENAME TABLE ..." through explain_sql, the handler would prepend "EXPLAIN " and execute the multi-statement payload. Operator note: this only closes the bypass. /mcp/query authentication defaults to mcp-query_endpoint_auth="" (no auth) when MCP is enabled, which makes any deployment exposing /mcp/query reachable to an unauthenticated network attacker. Hardening that default is tracked separately.	2 months ago
Rene Cannao	9aee6d639e	Implement real RAG source fetch Replace the rag.fetch_from_source stub with a real backend read path for MySQL and PostgreSQL sources. The handler now looks up document metadata from the RAG vector database, resolves the configured source backend, validates identifiers, builds a safe source query, and returns a per-document result row that includes either the authoritative source row or a fetch error. Unsupported backend types are rejected explicitly, and the source query is capped to a single-row result. Add a focused unit test that seeds the RAG metadata tables, exercises the tool entry point, and verifies backend failure propagation plus missing-document handling without requiring a live external database. Also document /mcp/rag and the fetch semantics in the MCP architecture guide.	2 months ago
René Cannaò	8ddefba7eb	Fix macOS plugin links	2 months ago
Rene Cannao	e8286b47e8	Vendor protobuf 3 for mysqlx	2 months ago
Rene Cannao	f85b5d0917	Fix genai config handler build includes	2 months ago
René Cannaò	0c798fabbb	Add config query tool	2 months ago
Rene Cannao	5916ef4d43	docs(genai): update plugin README for new features, add implementation plan Update plugins/genai/README.md to reflect the current state after Features A, C, D, E: - Replace all PROXYSQLGENAI references with PROXYSQL40 (flag was removed in PR #5741) - Document stats_genai_global table and its 21 SQL status variables in the Observability section - Document MCP query digest persistence in Observability - List all stats tables in the Configuration section (6 stats tables including the new stats_genai_global) - Remove stale 'Known gaps' about stats_mcp_* tables (now registered) and LLM Bridge cache TODO (now implemented) Also track the implementation plan used for this batch: docs/superpowers/plans/2026-05-03-genai-features-batch.md	2 months ago
Rene Cannao	1fe9c3a805	feat(genai): implement LLM Bridge semantic cache with vector similarity (Feature A) Complete the 4 TODO stubs in LLM_Bridge to make semantic caching functional, reducing LLM API costs for repeated similar queries. Config changes: - Add cache_enabled bool to LLM_Bridge config struct (default: true) - Update update_config() signature to accept cache_enabled parameter - Wire genai_llm_cache_enabled through AI_Features_Manager::init_llm_bridge() check_cache(): - Generate embedding for the prompt via GloGATH->embed_documents() - KNN search against llm_cache_vec (sqlite-vec) joined with llm_cache - Compute cosine similarity = 1 - distance; compare against threshold - On hit: update hit_count/last_hit, increment GloAI cache_hits counter - On miss: increment GloAI cache_misses counter - Track lookup timing via GloAI->add_llm_cache_lookup_time_ms() store_in_cache(): - Generate embedding, INSERT into llm_cache, INSERT into llm_cache_vec - Track store timing via GloAI->add_llm_cache_store_time_ms() clear_cache(): - DELETE FROM llm_cache_vec, DELETE FROM llm_cache get_cache_stats(): - SELECT COUNT(*), SUM(hit_count) FROM llm_cache - Read misses/lookups/stores from AI_Features_Manager::collect_status_variables() - Return JSON: {entries, hits, misses, lookups, stores}	2 months ago
Rene Cannao	827f292f2f	feat(genai): register stats_genai_global status table (Feature C) Add a new stats_db runtime view that aggregates all 21 GenAI/MCP/AI status variables into a single queryable admin table. New table: stats_genai_global (Variable_name VARCHAR, Value VARCHAR) Registered as a stats_db runtime view with refresh callback that: 1. Collects status variables from GloGATH, genai_context().mcp, GloAI 2. Wipes and repopulates the table within BEGIN/COMMIT Usage: SELECT * FROM stats_genai_global ORDER BY Variable_name; Includes GenAI_Thread.h and AI_Features_Manager.h includes for access to the extern GloGATH and GloAI globals from the refresh callback.	2 months ago
Rene Cannao	b4ff986f10	feat(genai): add collect_status_variables() to genai/mcp/ai handlers (Feature C) Expose internal counters from all three handler classes so operators can monitor plugin health from the admin interface. Each handler gets a collect_status_variables() method returning std::vector<std::pair<std::string, std::string>>: - GenAI_Threads_Handler: 4 counters (threads_initialized, active_requests, completed_requests, failed_requests) - MCP_Threads_Handler: 3 counters (total_requests, failed_requests, active_connections) - AI_Features_Manager: 14 counters (llm_total_requests, llm_cache_hits/misses/lookups/stores, llm_local/cloud_model_calls, llm_total_response_time_ms, llm_cache_total_lookup/store_time_ms, anomaly_total_checks/blocked_queries/flagged_queries, daily_cloud_spend_usd) Total: 21 status variables queryable via stats_genai_global table.	2 months ago
Rene Cannao	dca155aa97	feat(genai): persist MCP query digest stats to SQLite (Feature E) Add restart resilience for MCP query digest statistics by persisting the in-memory digest map to the catalog's own SQLite database. New methods on Discovery_Schema: - create_digest_persist_table(): creates mcp_query_digest_persist table in the catalog DB (idempotent, called during init_schema()) - flush_digest_to_sqlite(): serialises the in-memory digest map to SQLite under BEGIN IMMEDIATE / COMMIT, called every 100 updates via update_mcp_query_digest() - load_persisted_digests(): restores persisted digest stats from SQLite back into the in-memory map, called during init_schema() Reset handling: get_mcp_query_digest(reset=true) now also clears the persist table so reset stats don't reappear after restart. Thread safety: flush uses rdlock (read-only traversal), load uses wrlock (populates the map). Reset uses the existing wrlock path.	2 months ago
Rene Cannao	a9f2eaaa13	feat: remove PROXYSQLGENAI flag, genai now builds under PROXYSQL40 (issue #5722 ) PROXYSQLGENAI flag eliminated entirely. PROXYSQL40=1 now unconditionally builds the genai plugin alongside core. All #ifdef PROXYSQLGENAI replaced with #ifdef PROXYSQL40 in source, Makefiles, and 61 CI workflows.	2 months ago
Rene Cannao	a25e11cb75	fix: replace non-existent next_row() with rows[]->fields API (issue #5722 ) SQLite3_result has no next_row() method. The correct iteration API is: for (int i = 0; i < result->rows_count; i++) { char** row = result->rows[i]->fields; } This was the root cause of TSAN/genai-gcov CI failures — the genai plugin failed to compile inside Docker, producing no test binaries.	2 months ago
Rene Cannao	5fea82e617	fix: resolve remaining SonarCloud warnings for PR #5741 - Replace #define with constexpr for ABI version constants - Replace strdup/free with std::string in AI_Features_Manager - Change mkdir permissions from 0755 to 0700 - Reduce nesting from 4 to 3 levels via early continue	2 months ago
Rene Cannao	da089147ca	fix: set result=nullptr after delete to satisfy SonarCloud (issue #5741 ) - All 20 delete result; statements now followed by result = nullptr; - Eliminates 17 SonarCloud security hotspot warnings about delete without null - Part of SonarCloud quality gate fix for PR #5741	2 months ago
Rene Cannao	88db9fd10f	fix: resolve PR #5741 review findings (issue #5729 ) - Fix groups.json sort order (CI lint failure) - Add sqlite3_mprintf null check in Anomaly_Detector (Gemini high) - Add ROLLBACK on DELETE/COMMIT error in 5 plugin_tables.cpp callbacks - Fix TAP plan count in test_stats_mcp_tables-t (12→11) - Fix TAP plan count in genai_plugin_anomaly_unit-t (24→25) - Fix ABI.md: register_runtime_view is ABI 3+, not ABI 4 - Update plan/spec docs: db_kind at struct tail (ABI backward compat) - Add Darwin -force_load fallback in src/Makefile - Add mkdir() error handling in AI_Features_Manager Verified: build clean, 30/30 unit tests pass, lint passes.	2 months ago
Rene Cannao	b8cfa32c63	fix: address all critical and important code review findings (issue #5729 ) Critical fixes: - Move db_kind to end of ProxySQL_PluginRuntimeView (tail-append = free ABI-3 compat) - Add mutex to protect Anomaly_Detector::user_statistics from concurrent session threads - Replace system(mkdir -p) with pure mkdir() loop (command injection fix) - Replace 77 std::stoi/stoll with non-throwing parse_int_or_zero/parse_ll_or_zero - Fix proxysql.cnf filename: Mysqlx -> MySQLX - Add --whole-archive to non-ClickHouse link path (plugin symbol resolution) Important fixes: - Add default: case with warning to db_kind switch in ProxySQL_PluginManager.cpp - Add config_db dispatch and null-handle tests to plugin_runtime_views_unit-t (6 new tests) - Update CLAUDE.md with sqlite-vec PROXYSQLGENAI exception - Remove stale anomaly_detection-t Makefile target - Replace fixed 1024-byte buffer with dynamic sqlite3_mprintf in Anomaly_Detector Minor: update ABI.md, PLUGIN_API.md, stale comments, unit test plan counts	2 months ago
Rene Cannao	0d53c57db7	feat(genai): register stats_mcp_* tables with db_kind=stats_db and refresh callbacks (issue #5729 )	2 months ago
Rene Cannao	7c4c9e81e0	feat(mysqlx): set db_kind on runtime views, drop statsdb back-channel (issue #5729 )	2 months ago
René Cannaò	54844df0bb	Merge branch 'v3.0' into v3.0-genai-plugin	2 months ago
Rene Cannao	960eeab8d2	feat(mysqlx): wire per-route tls_mode through handler_capabilities_set entry path PR #5709 landed the splice mechanics for tls_mode='passthrough' plus the per-route tls_mode column on mysqlx_routes, but no code consulted the route's tls_mode to actually drive the session into X_PASSTHROUGH_FORWARD from real client traffic — a route configured as `tls_mode='passthrough'` behaved identically to `'inherit'`. This commit closes the gap (issue #5710): (1) Advertise gating in send_capabilities() ----------------------------------------- A new helper, MysqlxSession::effective_route_tls_mode(), reads listener_route_name_ + the thread's MysqlxConfigStore and returns the per-route tls_mode (or `inherit` when listener route is empty / config store is unwired — preserving historical behaviour for tests and unconfigured deployments). send_capabilities() now suppresses the `tls` capability from the advertised set when route_tls_mode == disabled. Other modes (inherit / preferred / required / passthrough) advertise TLS the same way as before — passthrough MUST advertise so the client even thinks to upgrade. (2) Symmetric refusal in handler_capabilities_set() ------------------------------------------------ A client that sends CapabilitiesSet(tls=true) on a disabled-mode route is refused with X-Protocol error 5052 ("TLS is not enabled on this route"). Symmetric with the advertise gate; we never told the client TLS was available, so accepting it would be a silent policy bypass. (3) Passthrough entry from handler_capabilities_set() -------------------------------------------------- When CapabilitiesSet(tls=true) lands on a passthrough-mode route: a. resolve_passthrough_backend_target() picks the endpoint from the route's destination_hostgroup (no identity_ — passthrough authenticates end-to-end); b. the original CapabilitiesSet frame bytes are buffered in passthrough_pending_capset_frame_ for verbatim forwarding; c. tls_mode_ flips to TLS_PASSTHROUGH and status_ to the new X_PASSTHROUGH_BACKEND_CONNECTING state. (4) X_PASSTHROUGH_BACKEND_CONNECTING handler ----------------------------------------- handler_passthrough_backend_connecting() drives the four-step sequence: 1. allocate / pick up backend_conn_, start non-blocking TCP connect; 2. poll check_connect() to completion; 3. write the buffered CapabilitiesSet bytes verbatim to the backend (with EAGAIN/partial-write retries); 4. read exactly one X-Protocol frame from the backend (the LAST X-Protocol parse this session does); on Ok forward to the client and transition to X_PASSTHROUGH_FORWARD; on Error propagate to the client and close. The handler is registered both in the early fast-path branch of MysqlxSession::handler() (so the X-Protocol read on client_ds_ is skipped — the client's next bytes are the TLS ClientHello which is not parseable as an X frame) and in the main dispatch switch. Tests (test/tap/tests/unit/mysqlx_session_unit-t.cpp, +11 ok()s): * test_route_tls_mode_disabled_no_tls_in_advertise: drives CapabilitiesGet on a tls_mode='disabled' route, parses the response, asserts the advertised set has no `tls` capability. * test_capabilities_set_tls_refused_on_disabled_route: drives CapabilitiesSet(tls=true) on the same route, asserts session becomes unhealthy and the client receives a Mysqlx::Error. * test_route_passthrough_full_entry_path: end-to-end exercise. Stands up a loopback TCP listener as the "backend"; configures a passthrough route pointing at the listener; drives CapabilitiesGet -> CapabilitiesSet(tls=true); asserts the proxy forwards the CapabilitiesSet bytes verbatim, transitions through X_PASSTHROUGH_BACKEND_CONNECTING into X_PASSTHROUGH_FORWARD on the backend's Ok response, and stays healthy. Plan count: 87 -> 98 (after Fix B) -> 109. Closes #5710.	2 months ago
Rene Cannao	b7c5a08b96	feat(mysqlx): backlog and resume EAGAIN'd writes in passthrough splice Previously, the passthrough splice loop's pump_one_direction helper treated EAGAIN/EWOULDBLOCK on write() as fatal — the session transitioned to X_SESSION_CLOSING and the connection was dropped. In practice this turned any transient destination back-pressure (slow client, slow backend, kernel send-buffer drained more slowly than the proxy reads from the source side) into a connection drop. End-to-end encrypted sessions (the whole point of tls_mode='passthrough') would RST mid-stream under bursty load. Fix: per-direction write backlog, drained before the next read. * Add MysqlxSession::passthrough_c2b_backlog_ and passthrough_b2c_backlog_ — std::vector<uint8_t> buffers for bytes that read() from the source side could not be immediately flushed to the destination side. Cleared on init() / reset(). * handler_passthrough_forward() now runs a drain pass over the backlog BEFORE the read pass. drain_backlog() loops on write(), EAGAIN means "not now, leave it for the next tick"; any other write error fails the session. * On a partial-write inside the read pass, the unwritten tail is appended to the backlog (append_to_backlog) and the read pass yields. A future pump tick (driven by either the libev EV_READ wakeup on the source or the buffered-work re-arm via `to_process = true`) drains the backlog and resumes reading. * Backlog cap: 1 MiB per direction (PASSTHROUGH_BACKLOG_CAP). Above the cap, append_to_backlog refuses and the session is killed (X_SESSION_CLOSING) — slow- consumer DoS protection. The drain-first contract limits the backlog organically to BURST_BYTES (64 KiB), so the cap is purely defensive against a future logic bug or a larger burst. * to_process = true on a non-empty backlog so the outer dispatch loop re-enters us on the next tick rather than waiting for a new fd-readable event on the source — without this, a long stall on the destination side could let the backlog grow on each new source byte before the previous backlog was drained. Tests (test/tap/tests/unit/mysqlx_session_unit-t.cpp): * test_passthrough_eagain_backlog_drains_across_ticks: drives 256 KiB through a backend leg with SO_SNDBUF/RCVBUF shrunk to 4 KiB so write() returns EAGAIN early and often. Asserts session stays healthy in X_PASSTHROUGH_FORWARD across the repeated EAGAIN events; all 256 KiB are eventually delivered; no byte-level corruption. * test_passthrough_backlog_cap_kills_session: uses the MYSQLX_TEST_BUILD-only seed_passthrough_c2b_backlog_for_test + try_append_to_passthrough_c2b_backlog_for_test helpers to drive the cap branch directly. Asserts within-cap append is accepted, over-cap append is refused, and the session transitions to X_SESSION_CLOSING with healthy=false. Plan count moves from 87 to 98.	2 months ago
Rene Cannao	e855ba37c8	fix(mysqlx): decode backend TLS error code before falling back to plaintext (preferred mode) Previously, when a session was in `preferred` TLS mode (try TLS, fall back to plaintext on Error) and the backend responded with ANY Mysqlx::Error to the client's CapabilitiesSet(tls=true), the code silently dropped TLS and proceeded plaintext. Non-TLS errors ("internal server error", "out of memory", "permission denied", etc.) were therefore swallowed and the auth flow proceeded against a backend that just told us it was unhealthy — masking real failures and encouraging brittle deployments. The upstream MySQL X client at plugin/x/client/xsession_impl.cc gates the same fallback exactly on `ER_X_CAPABILITIES_PREPARE_FAILED` (5001), which is the only code that the X plugin's `Capability_tls::set_impl` emits when the server has no SSL context (see plugin/x/src/capabilities/handler_tls.cc — code 5001 is what `ngs::Error(ER_X_CAPABILITIES_PREPARE_FAILED, ...)` produces). Mirror that policy here: * Parse the Mysqlx::Error body's `code` field. * Fall back to plaintext only when the code is exactly 5001. * Any other code (or a code-less / unparseable Error body) is fatal — transition to BACKEND_AUTH_ERROR and return -1. The existing `preferred-mode fallback` unit test (which already injects code 5001) still passes. Two new tests cover the new gate: * preferred-mode + non-TLS error code 1045 (Access denied): no fallback, auth_state=ER, rc=-1. * preferred-mode + Error frame with no decodable code (empty body): no fallback, auth_state=ER, rc=-1. The pre-existing required-mode test (no fallback regardless of code) is unchanged.	2 months ago
Rene Cannao	e4908a1df6	fix(mysqlx): address reviewer feedback (transaction safety, fail-closed TLS, hostgroup refresh, status string) Four reviewer-flagged issues from CodeRabbit + Gemini on the consolidated mysqlx stack (originally raised on PRs #5704, #5707, #5709), all addressed in one place since this is the consolidation branch: 1. SQLite transaction safety in stats projections. `MysqlxStatsStore::flush_to_sqlite` and `mysqlx_populate_stats_processlist` previously did a bare DELETE followed by a per-row INSERT loop. A transient SQLite error in any INSERT left the projection table empty, which is far more misleading to operators than stale-but-recent rows. Wrap both in BEGIN/DELETE/INSERT/COMMIT with explicit ROLLBACK on any failure; on rollback, the previous projection stays in place. 2. Fail-closed when backend TLS is required but no SSL_CTX is available. The earlier code in handler_connecting_server had `if (desired_backend_tls) { if (ctx) { /* set up TLS */ } }` — the inner `if (ctx)` was a guard with no else-branch, so a missing SSL_CTX silently produced a plaintext backend connection in TLS-required and AsClient-on-TLS-frontend scenarios. Reject the connect with X-Protocol error 2026 ("Backend TLS required but no SSL context configured on this worker") instead. Caught by CodeRabbit on PR #5707. 3. Stale destination_hostgroup in stats rows. `MysqlxStatsStore:: get_or_create` only set `destination_hostgroup` on first insert. If a route was rebound to a different hostgroup via LOAD MYSQLX ROUTES TO RUNTIME, subsequent traffic continued reporting the first-seen hostgroup forever. Refresh the hostgroup field on every lookup; counters are not reset (only metadata is updated). 4. session_status_to_string missing X_PASSTHROUGH_FORWARD case. `Mysqlx_Thread::session_status_to_string` enumerated every MysqlxSession::Status except the new X_PASSTHROUGH_FORWARD, which fell through to the "UNKNOWN" default. The new state was added in the TLS passthrough work (commit `4d8af5a02`) but the stringifier was not updated. Add the explicit case. All four are local fixes with no test changes required — existing unit tests still pass under ASAN (mysqlx_session 87/87, mysqlx_message_dispatch 114/114, mysqlx_stats 26/26, mysqlx_thread 25/25, mysqlx_concurrent 6/6, mysqlx_admin_schema 25/25, mysqlx_backend_auth 58/58, mysqlx_tls 44/44, mysqlx_config_store 33/33). The pre-existing mysqlx_admin_commands_unit-t test 24 failure ("mysqlx_variables has 4 rows after save") predates this branch.	2 months ago
Rene Cannao	0ccf3615f1	fix(mysqlx): classify backend TLS handshake failures into specific error codes Closes #5698 (P3 — meaningful TLS error messages on backend failures). Background: prior to this commit, backend TLS handshake failures all emitted a single generic "Backend TLS handshake failed" with code 3152; frontend TLS failures all emitted "TLS handshake failed" code 3151. Operators debugging TLS issues had to attach with `openssl s_client` or run the proxy under SSL_TRACE / SSLKEYLOGFILE to figure out whether the underlying cause was an expired cert, a hostname mismatch, an untrusted CA, or a protocol-version mismatch. MySQL Router translates each of these into a distinct X-Protocol error code and shortcuts the debug session. Implementation: 1. New MysqlxTlsErrorClass enum (HANDSHAKE_FAILED, CERT_VERIFY_FAILED, CERT_EXPIRED, HOSTNAME_MISMATCH, PROTOCOL_MISMATCH, UNKNOWN_CA, NO_SSL_CTX, UNKNOWN). Lives in mysqlx_protocol.h alongside the per-class X-Protocol error code constants. 2. New mysqlx_classify_tls_error(SSL, peek_err_queue) helper. Classification logic in order: a. SSL == nullptr -> NO_SSL_CTX b. SSL_get_verify_result() != X509_V_OK -> chain class (CERT_EXPIRED for expired/not-yet-valid; HOSTNAME_MISMATCH; UNKNOWN_CA for self-signed-in-chain or unable-to-get-issuer; CERT_VERIFY_FAILED for everything else cert-chain) c. ERR_get_error() walked for SSL_R_UNSUPPORTED_PROTOCOL / TLSV1_ALERT_PROTOCOL_VERSION / WRONG_VERSION_NUMBER / UNKNOWN_PROTOCOL -> PROTOCOL_MISMATCH d. Fallback -> HANDSHAKE_FAILED Cert-chain reasons take precedence because the OpenSSL queue sometimes carries both, and the chain reason is more actionable. 3. Backend codes (5+ distinct, 3152-3157): 3152 BACKEND_TLS_ERR_HANDSHAKE_FAILED (was: only existing code) 3153 BACKEND_TLS_ERR_CERT_VERIFY_FAILED (NEW) 3154 BACKEND_TLS_ERR_CERT_EXPIRED (NEW) 3155 BACKEND_TLS_ERR_HOSTNAME_MISMATCH (NEW) 3156 BACKEND_TLS_ERR_PROTOCOL_MISMATCH (NEW) 3157 BACKEND_TLS_ERR_UNKNOWN_CA (NEW) Backend messages name the OpenSSL reason in operationally-useful terms ("certificate hostname mismatch") but do NOT include the raw OpenSSL queue string in the wire frame — that is logged to stderr separately for the operator's benefit. 4. Frontend codes (3 distinct): 3150 FRONTEND_TLS_ERR_NOT_CONFIGURED (existing — NO_SSL_CTX) 3151 FRONTEND_TLS_ERR_HANDSHAKE_FAILED (existing — every other class) 3158 FRONTEND_TLS_ERR_PROTOCOL_MISMATCH (NEW — operationally useful for legitimate clients hitting a too-old/too-new TLS version) Frontend collapses CERT_/HOSTNAME_MISMATCH/UNKNOWN_CA onto HANDSHAKE_FAILED specifically to avoid leaking attacker-supplied cert info into the response (asymmetric threat model — the frontend client may be the attacker). 5. New MysqlxConnection::tls_error_class_ member + accessors. Set by step_auth_tls_handshake() at the failure site (the OpenSSL error queue is thread-local FIFO and must be drained while fresh; we can't defer the classification to the session). Read by the session's BACKEND_AUTH_ERROR branch in handler_connecting_server when emitting send_error(). 6. Frontend handler_tls_accept_init() also runs the classifier and emits via the frontend code/message helpers. Logs the OpenSSL queue to stderr (operator-side only). Tests (in mysqlx_tls_unit-t): - test_classify_null_ssl: nullptr -> NO_SSL_CTX (1 ok) - test_classify_cert_expired_via_verify_result (1 ok) - test_classify_hostname_mismatch_via_verify_result (1 ok) - test_classify_unknown_ca_via_verify_result: 2 sub-cases (UNABLE_TO_GET_ISSUER + SELF_SIGNED_IN_CHAIN) (2 ok) - test_classify_generic_cert_verify_failed: SIGNATURE_FAILURE -> generic (1 ok) - test_classify_handshake_failed_default (1 ok) - test_classify_code_message_round_trip_backend: 7 classes * 2 (msg + code-range) + 1 distinct-codes assertion (15 ok) - test_classify_code_message_round_trip_frontend: collapse + 3 distinct-code asserts (4 ok) The cert-fixture-driven tests (real expired/hostname-mismatched/ self-signed cert chains) are explicitly punted per the issue's "don't generate cert fixtures in this PR" guidance. The classifier accepts SSL_set_verify_result-staged synthetic state, which exercises the same code paths as a real cert failure (since the only thing the classifier reads off SSL is the verify_result long); a follow-up issue covers wiring an end-to-end TAP test against a fixture-driven backend. Build: NOJEMALLOC=1 WITHASAN=1 PROXYSQLGENAI=1 plugin .so + build_tap_test_debug all green. Pre-existing RSA_new deprecation warnings unchanged. Tests: mysqlx_tls_unit-t (44/44, was 18 — +26 from 8 new tests). Other suites unchanged. ASAN-clean.	2 months ago
Rene Cannao	767f808309	fix(mysqlx): mark post-Session::Reset connections non-cacheable Closes #5697 (P3 — Session Reset pool invalidation). Background: X-Protocol's Session::Reset frame asks the server to wipe session state (current schema, isolation level, charset, prepared statements, session vars) without reauthenticating. ProxySQL forwards the frame and dispatches the backend Ok response correctly — but until this commit, the connection was returned to the per-thread cache as a regular IDLE entry afterwards. The cache key (hostgroup, user, schema, tls_active) doesn't capture session-state-version, so a subsequent reuse from the same identity could pick up the post-reset connection and silently inherit blank state instead of the per-identity defaults. The pool-leak scenario in practice: - Client A issues Session::Reset on backend B. - Backend B is returned to the per-thread cache as IDLE. - Client A2 (same user/schema/hostgroup/tls posture) next request pulls B from the cache. - Client A2 sees blank session state, even though it expected the per-identity defaults a fresh-auth connection would provide. MySQL Router treats Session::Reset as pool-terminating; this commit brings ProxySQL in line. Implementation: - New MysqlxConnection::needs_post_reset_rehandshake_ bool member + accessor pair (set/get). Default false. - is_reusable() returns false when the flag is set, so Mysqlx_Thread::return_connection_to_cache deletes the connection instead of pooling it. - reset() defensively clears the flag too. Production path doesn't rely on this (the cache deletes non-reusable conns instead of resetting them), but the invariant matters for any future code path that calls reset() directly (e.g. retry-on-error). - handler_session_reset_waiting() sets the flag on the Mysqlx.Ok branch — the only path where Session::Reset succeeded. The Error branch already marks the connection non-reusable for unrelated reasons (the Reset itself failed), so no change needed there. We do NOT implement the rehandshake path itself in this commit; the simpler "drop on reset" semantic matches Router's behaviour and is strictly safer than the pre-fix "silently pool blank state". Tests: - mysqlx_connection_unit-t::test_connection_post_reset_rehandshake_flag asserts the flag's defaults, set/get round-trip, is_reusable() interaction, and reset() defensive-clear behaviour (6 ok()). - mysqlx_message_dispatch_unit-t::test_dispatch_sess_reset_marks_non_cacheable drives the full SESS_RESET → backend-Ok → return-to-pool flow with a fake backend and asserts the connection is non-cacheable afterwards. Strengthens the existing test_dispatch_sess_reset which only proved the dispatch reached the backend (5 ok() — pre-flag/state, post-dispatch status, post-condition observed via backend_conn being deleted on the non-reusable path). - mysqlx_connection_unit-t plan switched to plan(0) so future additions don't require re-counting. Build: NOJEMALLOC=1 WITHASAN=1 PROXYSQLGENAI=1 plugin .so + build_tap_test_debug all green, no compile warnings. Tests: mysqlx_connection_unit-t (16/16, was 10), mysqlx_message_dispatch_unit-t (114/114, was 109). Other suites unchanged. ASAN-clean.	2 months ago
Rene Cannao	31a3934014	fix(mysqlx): explicit auth-phase notice forwarding policy in step_auth Closes #5695 part 2 (P2 — explicit per-state policy for backend NOTICE frames during the backend auth handshake; data-plane validation landed in the previous commit). Background: prior to this commit, MysqlxConnection::read_auth_frame() silently drained ALL backend NOTICE frames during the BACKEND_AUTH_* state machine. The drain was needed (MySQL backends commonly emit a SESSION_STATE_CHANGED notice before AuthenticateContinue / Ok, and returning nullopt on a NOTICE caused auth to spin until the 10s handshake timeout) but it was indiscriminate — a malformed/unknown-type NOTICE would be drained as silently as a legitimate one. This commit adds an explicit per-state policy: - New helper auth_phase_notice_is_drainable(body, body_len). Parses the NOTICE as a Mysqlx::Notice::Frame and applies a per-type decision: WARNING / SESSION_VARIABLE_CHANGED / SESSION_STATE_CHANGED / GROUP_REPLICATION_STATE_CHANGED / SERVER_HELLO -> drain malformed / empty / unknown enum value -> fail auth WARNING and GROUP_REPLICATION_STATE_CHANGED are also logged on the drain path: WARNING during auth typically signals a server-side misconfig (deprecated auth method, etc.); GROUP_REPLICATION_* during auth is operationally out-of-place (cluster-membership notices belong on data-plane connections, not handshakes). Both are drained to preserve compatibility with over-eager backends but surfaced for operator triage. - Wired into read_auth_frame() between the MAX_LEADING_NOTICES cap and the type==NOTICE branch. On a fail-auth result, the helper has already set auth_state_=BACKEND_AUTH_ERROR and logged; the caller propagates std::nullopt and step_auth fails the connection. - Frontend forwarding during auth: explicitly NEVER allowed. The frontend client has no context to interpret a backend NOTICE before it sees AuthenticateOk; surfacing them would also leak server-side state mid-handshake (the load-bearing concern in issue #5695). The proxy terminates ALL backend NOTICEs on the backend leg during the backend auth phase — even legitimate ones. - Test-only hooks under MYSQLX_TEST_BUILD: a public auth_phase_notice_is_drainable_for_test() and a set_auth_state_for_test() so unit tests can drive the per-type decision matrix directly without running the full step_auth state machine. Tests (in mysqlx_backend_auth_unit-t): - test_auth_phase_notice_known_types_drained: all five spec types are drainable and don't perturb auth_state_ (5*2=10 ok()). - test_auth_phase_notice_unknown_type_fails_auth: type=99 fails auth and sets BACKEND_AUTH_ERROR (2 ok()). - test_auth_phase_notice_malformed_fails_auth: garbage protobuf bytes fail auth (2 ok()). - test_auth_phase_notice_empty_fails_auth: empty body fails auth (2 ok()). - Switched the existing plan(42) to plan(0) so future additions don't require re-counting; existing test_backend_auth_notice_skip (which uses Frame_Type_WARNING) continues to pass under the new policy because WARNING is still on the drainable list. Build: NOJEMALLOC=1 WITHASAN=1 PROXYSQLGENAI=1 plugin .so + build_tap_test_debug all green, no compile warnings. Tests: mysqlx_backend_auth_unit-t (58/58, was 42 — +16 from the 4 new tests), other suites unchanged. ASAN-clean.	2 months ago
Rene Cannao	6ef8cf3f1f	fix(mysqlx): validate Mysqlx::Notice::Frame::type before forwarding Closes #5695 part 1 (P2 — explicit notice forwarding awareness; auth-phase per-state policy is the next commit; per-notice metric remains under #5691 follow-up scope). Background: X-Protocol NOTICE frames are non-terminal informational messages a backend can emit at essentially any state transition (warnings, session-state changes, generated-doc-id notifications, group-replication membership changes, etc.). Prior to this commit the proxy forwarded NOTICE frames uncritically; a buggy or hostile backend (or an MITM that bypassed TLS) could ship a NOTICE frame with an unknown `type` enum value and confuse a strict client. The risk is bounded — info disclosure, no auth bypass — but it's unhardened territory MySQL Router handles explicitly. This commit adds a per-frame validation hook on the data plane: - New MysqlxSession::is_notice_frame_valid(body, body_len). Pure query — no session-state mutation. Parses the body as a Mysqlx::Notice::Frame and verifies the outer `type` field is in the spec range (1..5: WARNING, SESSION_VARIABLE_CHANGED, SESSION_STATE_CHANGED, GROUP_REPLICATION_STATE_CHANGED, SERVER_HELLO) using the protoc-generated Frame_Type_IsValid(). Empty body, malformed protobuf, missing required `type` field, and out-of-range enum values all return false. - Wired into handler_waiting_server_msg() and handler_session_reset_waiting() before forwarding NOTICE to the client. Invalid notices are dropped with a stderr log line tagged with route+hostgroup+body_len for operator triage; the response sequence continues (NOTICE is non-terminal in every state). - Test-only hook is_notice_frame_valid_for_test() exposed under MYSQLX_TEST_BUILD so unit tests can drive the predicate directly with synthetic bodies without setting up a fake backend. Tests (in mysqlx_message_dispatch_unit-t): - test_notice_validation_known_types_accepted: all five spec types pass (5 ok()). - test_notice_validation_unknown_type_rejected: types 0, 99, and 100000 are rejected (3 ok()). - test_notice_validation_empty_body_rejected: nullptr body and zero-length body both rejected (2 ok()). - test_notice_validation_malformed_protobuf_rejected: garbage bytes that fail ParseFromArray are rejected (1 ok()). We deliberately do NOT validate the inner `payload` bytes — that's a type-specific protobuf the client parses, and the proxy has no business reaching into it. The outer `type` is the load-bearing field for client-side branching, so that's where we focus. Build: NOJEMALLOC=1 WITHASAN=1 PROXYSQLGENAI=1 make build_lib + plugin .so + build_tap_test_debug all green. Tests: mysqlx_session_unit-t (87/87), mysqlx_message_dispatch_unit-t (109/109, was 98 — +11 from the 4 new tests), mysqlx_compression_unit-t (64/64), mysqlx_tls_unit-t (18/18), mysqlx_thread_unit-t (25/25), mysqlx_concurrent_unit-t (6/6). All ASAN-clean.	2 months ago
Rene Cannao	9ea2b31bf5	fix(mysqlx): match upstream X-Protocol error code for compression-without-algorithm Closes #5696 (P2 — MySQL Router parity gap, compression error code). Before this change the mysqlx plugin emitted error code 5008 for every compression-related failure ("Compression frame received without negotiated algorithm", parse failures, decompression failures, etc.). That code does not match upstream MySQL X plugin: 5008 in plugin/x/src/xpl_error.h is ER_X_BAD_CONNECTION_SESSION_ATTRIBUTE_TYPE — a totally unrelated session-attribute error. A client written specifically against the upstream X-Protocol error contract would see the wrong error class entirely. Authoritative source for the canonical codes: plugin/x/src/xpl_error.h in the MySQL 8.4 source tree (deps/mysql-connector-c-8.4.0/.../xpl_error.h in this repo). Mapping: - 5170 ER_X_FRAME_COMPRESSION_DISABLED — compression frame received when the client did not negotiate compression. Upstream message: "Client didn't enable the compression." Reproduced verbatim. - 5174 ER_X_BAD_COMPRESSED_FRAME — structural problem with the Compression envelope (empty body, malformed protobuf, bogus uncompressed_size hint, decompressed payload that doesn't reframe into valid X messages). - 5171 ER_X_DECOMPRESSION_FAILED — algorithm-side failure (lz4/zstd error, OOM, stall, decompressed payload exceeds cap). - 5000 ER_X_BAD_MESSAGE — server-direction compression on the client→server path; treated as a wrong-direction message rather than a compression-specific failure. The pre-auth capability replay-cap error (also previously emitting 5008) is a ProxySQL-specific guardrail with no upstream analogue and is left untouched in this commit — the parity fix is scoped to the genuine compression error sites. Test updates: - mysqlx_message_dispatch_unit-t::test_dispatch_compression_rejected: asserts 5170 (was 5008). - mysqlx_compression_unit-t: oversize/garbage rejections assert 5171, no-negotiation rejection asserts 5170, "no error frame" tests accept any of 5170/5171/5174 (renamed got_5008 → got_compression_err). - test_compression_without_negotiation_still_5008 → test_compression_without_negotiation_still_5170. Build: NOJEMALLOC=1 WITHASAN=1 PROXYSQLGENAI=1 make build_lib + plugin .so + build_tap_test_debug all green. Tests: mysqlx_session_unit-t (87/87), mysqlx_message_dispatch_unit-t (98/98), mysqlx_compression_unit-t (64/64), mysqlx_tls_unit-t (18/18), mysqlx_thread_unit-t (25/25), mysqlx_concurrent_unit-t (6/6) — all ASAN-clean.	2 months ago
Rene Cannao	2e7e532050	feat(mysqlx): X_PASSTHROUGH_FORWARD session state — raw byte splice Implements the data-plane half of the per-route TLS passthrough mode (issue #5692). Once a session enters this state the proxy stops parsing X-Protocol frames; bytes are read from one side and written to the other verbatim using read(2)/write(2). Used cases: end-to-end TLS where operator policy forbids proxy MITM (compliance, original cert/SNI/ALPN preservation). Session machine additions: * `MysqlxSession::Status::X_PASSTHROUGH_FORWARD` — terminal state for passthrough sessions. Once entered, the session never returns to any X-Protocol parsing state. handler() short-circuits past client_ds_.read_from_net()/parse so the bytes are not interpreted as frames. * `MysqlxTlsMode::TLS_PASSTHROUGH` — added back to the per-session TLS posture enum. The previous prototype carried the value without a real implementation; that was removed in the asymmetric-TLS series and is now reintroduced as a real feature. * `handler_passthrough_forward()` — pumps both directions per call up to a 64 KiB burst, then yields so other sessions on the thread are not starved. EAGAIN/EWOULDBLOCK is the normal "no more bytes right now" exit. EOF on either side or any other I/O error transitions to X_SESSION_CLOSING. Listener-route propagation: * New `MysqlxSession::init(fd, thread, listener_route)` overload. The base init(fd, thread) overload calls it with an empty route name, preserving existing test harnesses that construct sessions directly. * `Mysqlx_Thread::accept_new_connection()` looks up the listener fd in the parallel `listener_route_names_` vector and propagates the route name to the new session at accept time. This is the hook that lets per-route policies fire before any X-Protocol message is received — most importantly, before any local handshake decision so a passthrough route can splice from the very first byte. Test-only entry path: * `enter_passthrough_for_test(int backend_fd)` (gated behind MYSQLX_TEST_BUILD) drops a session straight into the splice state with a caller-supplied backend fd. Bypasses CapabilitiesSet / auth / resolve_backend_target so the splice mechanics can be asserted in isolation. set_reusable(false) is set on the stub backend connection to mirror the production-side invariant that a passthrough connection never returns to the pool. Tests (mysqlx_session_unit-t, +22 assertions, plan 65 -> 87): * listener_route_propagation: init() captures, reset() clears * forward_client_to_backend / forward_backend_to_client: bytes survive the splice unchanged in both directions * close_on_client_eof / close_on_backend_eof: peer half-close transitions to X_SESSION_CLOSING and marks the session unhealthy * disables_backend_reuse: backend_conn() exists but is_reusable()=false, and tls_mode_ reports TLS_PASSTHROUGH * handler_dispatch_skips_xprotocol: bytes that would parse as a fake X frame in a non-passthrough state survive the splice unconsumed — proves handler() takes the fast path before the X frame parser sees the buffer Production wiring of the entry path (CapabilitiesSet on a passthrough route -> connect to backend, splice the TLS handshake) lands in a follow-up. This commit is intentionally limited to the splice mechanics plus the listener-route plumbing the entry path will need.	2 months ago
Rene Cannao	09c42d4fba	feat(mysqlx): add per-route tls_mode column with passthrough enum value Adds the schema and config-store plumbing needed to express MySQL Router's TLS-Passthrough mode as a per-route attribute on `mysqlx_routes`. The actual data-plane forwarding is implemented in a follow-up commit; this commit only wires the config so the operator can set / round-trip / project the value. Schema additions: * `mysqlx_routes.tls_mode VARCHAR NOT NULL DEFAULT 'inherit'` plus a CHECK constraint on the canonical lowercase spellings ('inherit', 'disabled', 'preferred', 'required', 'passthrough'). Same column added to `runtime_mysqlx_routes`. * Default 'inherit' means "use the deployment-wide `mysqlx_tls_mode`", preserving existing behaviour for every row that was loaded before this commit. Operators wanting compliance-pinned passthrough can override one route at a time without flipping the global mode. Config store additions: * `MysqlxRouteTlsMode` enum class (inherit / disabled / preferred / required / passthrough) plus matching `mysqlx_route_tls_mode_from_string` (case- insensitive, empty/NULL -> inherit, unknown -> nullopt) and `_to_string` helpers — same shape as the existing `mysqlx_backend_tls_mode_` family. `MysqlxRoute::tls_mode` field with a default of `inherit`. * `MysqlxConfigStore::route_tls_mode(name)` accessor; unknown routes report `inherit` (matching how `route_hostgroup` returns 0 for unknown routes). LOAD / SAVE / project paths: * `install_routes_from_admin` first PRAGMA-probes for the `tls_mode` column so a pre-upgrade admin DB without it loads cleanly (column treated as NULL -> inherit). A malformed value (e.g. operator typo) fails the install with a descriptive `err` rather than silently coercing. * `save_routes_to_admin_table` and `project_routes_to_runtime_view` write the column using `mysqlx_route_tls_mode_to_string`. Tests: * mysqlx_config_store_unit-t gains nine assertions covering parser case-insensitivity, the empty-string / unknown-value contract, the canonical render, the legacy-schema fallback path, and a full install / parse-failure round-trip against a schema that has the column. * All previously-passing unit tests remain green. This commit is intentionally behaviour-preserving: passthrough is parsed and stored but not yet enforced. Resolving a route with tls_mode=passthrough still goes through the proxy-terminated path until the follow-up commit adds the X_PASSTHROUGH_FORWARD session state.	2 months ago
Rene Cannao	744fb0bf36	feat(mysqlx): preferred-mode backend TLS fallback to plaintext + docs Closes the loop on issue #5693 (P1: asymmetric TLS / AsClient mode). The previous two commits added the runtime variable and the per- session decision; this commit wires the actual `preferred`-mode fallback path in the backend auth state machine and updates the operator-facing documentation to describe the full four-mode model. What changes: * MysqlxConnection::step_auth_capabilities_set_sent now treats a Mysqlx::Error response from CapabilitiesSet(tls=true) as a fall-back trigger when backend_tls_fallback_allowed_ is set (set by the session for mode=preferred). The connection silently downgrades on the same TCP socket — backend_tls_required_ is cleared so subsequent steps don't re-attempt TLS, tls_active_ stays false (which keeps the connection out of the encrypted half of the per-thread pool), and step_auth proceeds straight into AuthenticateStart on plaintext. Under mode=required (and AsClient + frontend-TLS), the same Error is still fatal — the operator's policy demands encryption. The pre-existing `Frame is not OK` rejection branch is preserved for malformed / unexpected response types. * doc/mysqlx/README.md §8 rewritten: * §8.1 frontend TLS modes (mysqlx_tls_mode, unchanged behaviour). * §8.2 backend TLS modes (mysqlx_tls_backend_mode, full table of the four documented values, migration notes from MySQL Router AsClient, and a connection-pool partitioning note explaining that the cache key now includes tls_active. * §8.3 configuration example showing the asymmetric pattern (frontend REQUIRED + backend preferred). The §3.1 variables table gains the new variable. * doc/mysqlx/MYSQL_ROUTER_PARITY.md updated: * Feature comparison row 4 (TLS modes) now lists 4-frontend x 4-backend with explicit mention of mysqlx_tls_backend_mode and issue #5693. * Asymmetric TLS row marked implemented. * Architecture section §TLS rewritten to describe both the frontend mysqlx_tls_mode and backend mysqlx_tls_backend_mode models; identifies passthrough as the remaining gap. * Feature gaps table marks "Asymmetric TLS / AsClient" and "Per-message response state machines" as implemented. * Summary updated. Tests: test/tap/tests/unit/mysqlx_backend_auth_unit-t (was 34): adds 7 new ok lines covering both branches of the fallback decision: * test_backend_auth_preferred_mode_fallback_to_plaintext: 5 assertions across the wire-level transition (state on entry, rc=1 on Error, AUTHENTICATE_START_SENT after fallback, backend_tls_required_ cleared, tls_active false, AuthStart frame on the wire). * test_backend_auth_required_mode_no_fallback_on_error: 2 assertions confirming the same Error is fatal when fallback_allowed=false. Total 42. All 8 (mode x frontend_tls) acceptance combinations from the issue are now covered: 6 by the decision-function tests in mysqlx_message_dispatch_unit-t (commit 2), and the remaining 2 mode=preferred + backend Error cases by the wire-level fallback tests added here. Tested under NOJEMALLOC=1 WITHASAN=1 PROXYSQLGENAI=1. Closes #5693. Stacks on #5706 / #5704.	2 months ago
Rene Cannao	167a896c16	feat(mysqlx): mode-driven backend TLS decision + tls_active conn-cache key Implements the per-session decision side of issue #5693 (P1: asymmetric TLS / AsClient mode parity gap with MySQL Router 8.0). The previous commit added the runtime variable; this commit wires it through to the actual backend-connect path and partitions the connection pool by encryption posture so AsClient/required-TLS sessions never reuse plaintext-pooled backends (and vice versa). What changes: * Lifts the per-session decision out of an inline switch in MysqlxSession::handler_connecting_server() into a pure helper `mysqlx_resolve_backend_tls_decision(mode, endpoint_override, frontend_is_encrypted) -> {require_tls, fallback_allowed}`. The helper lives at file scope (not in the anonymous namespace) so the unit test can exercise the 8 (mode x frontend_tls) combinations called out in the issue acceptance criteria directly, without driving the full session state machine. The decision itself replaces the legacy `target_use_ssl_ \|\| client_ds_.is_encrypted()` expression. * Adds two fields on MysqlxConnection: * tls_active_ -- set true by step_auth_tls_handshake() once the OpenSSL handshake completes successfully on the backend leg. Read by the connection cache to partition encrypted-pooled connections from plaintext-pooled ones. * backend_tls_fallback_allowed_ -- carries the `preferred` mode's "downgrade-to-plaintext-on-error" intent through to the auth state machine. Read-only metadata in this commit; the actual fallback path lands in the next commit. * Mysqlx_Thread::get_connection_from_cache now takes a `bool tls_active` parameter and matches on it. Without this, an AsClient TLS session pulling a pooled connection could land on a plaintext backend (or vice versa), corrupting the wire protocol when the next dispatched frame goes out over a socket in the wrong encryption posture. * Endpoint-override semantics (mysqlx_backend_endpoints.use_ssl=1) preserved exactly: it can promote plaintext to TLS regardless of mode, but cannot demote a TLS-required mode to plaintext. Under mode=preferred, the override leaves fallback_allowed=true so the operator's best-effort "preferred" intent isn't silently upgraded to "required". Tests: test/tap/tests/unit/mysqlx_message_dispatch_unit-t (was 86): adds 8 combinations (mode x frontend_tls) + 4 endpoint-override cases = 12 new ok lines, total 98. test/tap/tests/unit/mysqlx_thread_unit-t (was 22): adds test_connection_cache_tls_partition with 3 ok lines exercising the (plaintext, encrypted) hard partition, total 25. Known limitation (TODO addressed in next commit): mode=preferred currently fails the backend connect on Mysqlx::Error from CapabilitiesSet(tls=true) because the fallback-to-plaintext branch isn't wired in step_auth_capabilities_set_sent yet. The metadata (`backend_tls_fallback_allowed_` on the connection) is in place; only the state machine branch is missing. Two of the 8 documented test combinations (mode=preferred + Error from backend) are validated against the metadata only in this commit; the end-to-end fallback behaviour follows. Tested under NOJEMALLOC=1 WITHASAN=1 PROXYSQLGENAI=1. Refs #5693. Stacks on #5706 / #5704.	2 months ago
Rene Cannao	0246237426	feat(mysqlx): add MysqlxBackendTlsMode enum + mysqlx_tls_backend_mode runtime variable Wires up the configuration plumbing for issue #5693 (P1: asymmetric TLS / AsClient mode parity gap with MySQL Router 8.0). This commit is behaviour-neutral: the new variable is parsed, validated, persisted and exposed via MysqlxConfigStore::get_backend_tls_mode(), but the per- session backend-TLS decision still uses the legacy target_use_ssl_ \|\| client_ds_.is_encrypted() expression. The decision site is rewritten in the next commit. What this adds: * MysqlxBackendTlsMode enum with four values matching MySQL Router's client_ssl_mode / server_ssl_mode taxonomy: disabled, preferred, required, as_client. Default is as_client because that most closely matches the legacy implicit behaviour where the backend leg encryption was tied to the frontend leg's encryption. * mysqlx_backend_tls_mode_from_string() / mysqlx_backend_tls_mode_to_string() for case-insensitive parsing and canonical lower-case rendering. The parser returns std::optional so the install path can surface a useful error to the operator on a typo instead of silently coercing to a default. * MysqlxConfigStore now reads the mysqlx_tls_backend_mode key from mysqlx_variables in install_variables_from_admin(), persists it via save_variables_to_admin_table(), and projects it in project_variables_to_runtime_view(). install fails atomically with a descriptive error when the value is unrecognised; an absent row leaves the cached mode untouched (matches how the other tunables already behave). * MysqlxBackendEndpoint.use_ssl=1 remains an operator-controlled override that forces TLS regardless of the mode (per existing comment at handler_connecting_server). The mode interacts with that flag in the next commit. Tests: test/tap/tests/unit/mysqlx_config_store_unit-t: 16 -> 24 assertions. New coverage: parser accepts all four documented values case-insensitively, parser rejects unknown values, default mode is as_client, LOAD round-trip caches the parsed mode, invalid value fails install with descriptive error, store retains last-good mode after rejected install, absent row leaves cached mode untouched. Tested under NOJEMALLOC=1 WITHASAN=1 PROXYSQLGENAI=1. Stacks on PR #5706 (mysqlx response state machines), which itself stacks on PR #5704 (mysqlx observability P0). Refs #5693.	2 months ago
Rene Cannao	170ead7ad6	fix(mysqlx): reject backend frames disallowed in current response state Tightens MysqlxSession::is_frame_allowed: a backend frame outside the per-state allowed set now closes the session with X-Protocol Error 4006 ("Backend sent an unexpected message in the current response state") instead of being forwarded blindly to the client. This guards against a buggy or hostile backend pushing a frame whose shape the client cannot parse, which would silently desync the wire and (in the worst case) amplify a backend protocol bug into a client-side fault. Adds a new private sub-state field MysqlxSession::seen_column_metadata_ that gates RESULTSET_ROW frames in the four response states where the X-Protocol requires ColumnMetaData to precede any Row: - RESP_WAITING_STMT_EXECUTE - RESP_WAITING_CRUD - RESP_WAITING_PREPARE_EXECUTE - RESP_WAITING_CURSOR_OPEN The flag is set when ColumnMetaData is forwarded in the validation loop, cleared at every transition into a state that begins a new column- metadata sequence (in dispatch_client_message), at terminal-frame flush in handler_waiting_server_msg, and at init() / reset(). It is deliberately NOT cleared on transition into RESP_WAITING_CURSOR_FETCH — per the X-Protocol spec, ColumnMetaData is sent at Cursor::Open and not re-sent at Cursor::Fetch, so CURSOR_FETCH's allowed-set unconditionally accepts RESULTSET_ROW. The dispatch handler skips the clear at CURSOR_FETCH entry to make this carry-across explicit. The rejection action in handler_waiting_server_msg pops the offending frame from the backend queue (does not forward), emits a fatal error frame to the client, marks backend_conn_ non-reusable so return_backend_to_pool deletes it instead of caching a poisoned connection, sets healthy=false and status_=X_SESSION_CLOSING, and short-circuits before the bytes_recv accounting (so the disallowed frame is not double-counted as forwarded traffic). Tests in mysqlx_message_dispatch_unit-t (20 new assertions across 8 cases) cover: 1. StmtExecute → Row-without-metadata (canonical hostile-backend case the issue called out): expect Error frame, !healthy, X_SESSION_CLOSING. 2. StmtExecute → ColumnMetaData → Row → SQL_STMT_EXECUTE_OK: happy path, terminal flushes seen_column_metadata_. 3. CursorOpen → ColumnMetaData → Row → FETCH_SUSPENDED: terminal, response_state_ resets, flag cleared at boundary (Cursor::Fetch does not consult it). 4. CursorOpen → ColumnMetaData → FETCH_DONE: terminal, clean exit. 5. PreparePrepare → SQL_STMT_EXECUTE_OK (allowed-set is OK-only): expect rejection, X_SESSION_CLOSING. 6. PreparePrepare → OK: happy path. 7. STMT_EXECUTE → ColumnMetaData → NOTICE → Row → SQL_STMT_EXECUTE_OK: NOTICE is universal-allowed, non-terminal, doesn't consume the response. 8. CURSOR_FETCH → Row (with seen_column_metadata_=false): forwarded, NOT rejected (the per-state-pair carve-out for Cursor::Fetch). Tests use a new setup_session_for_validation helper that drives the auth flow, attaches a fake backend over a socketpair, parks the session in WAITING_SERVER_XMSG with the desired response_state_ via the test-only set_response_state_for_test (gated behind MYSQLX_TEST_BUILD), and lets the test write synthetic server frames to the backend half of the pair. Drains pending client-side bytes via a non-blocking helper so the validation hook's output is unambiguous. Closes the rejection-side acceptance criterion of #5694. Refs: #5694.	2 months ago
Rene Cannao	34968e08d4	fix(mysqlx): split CURSOR/PREPARE response states for accurate terminal detection CURSOR_OPEN's terminal set was conflated with CURSOR_FETCH's, and PREPARE_PREPARE/DEALLOCATE were lumped with PREPARE_EXECUTE which has a wider terminal set. Adds RESP_WAITING_CURSOR_{OPEN,FETCH,CLOSE} and RESP_WAITING_PREPARE_{PREPARE,EXECUTE,DEALLOCATE} so each X-Protocol response shape gets its own per-state contract. The two old conflated states accepted the union of all terminal frames that any sub-shape could legitimately emit, so the proxy would advance to RESP_IDLE on the first such frame regardless of whether the backend's response was actually shaped right. With the split: - PREPARE_PREPARE / PREPARE_DEALLOCATE / CURSOR_CLOSE accept Mysqlx.Ok only - PREPARE_EXECUTE accepts Ok / SQL_STMT_EXECUTE_OK / FETCH_DONE / FETCH_SUSPENDED (it inherits the response shape of whichever request was prepared) - CURSOR_OPEN / CURSOR_FETCH accept FETCH_DONE / FETCH_SUSPENDED This is purely a tightening of is_terminal_frame; the validation hook that uses these per-state contracts to actively reject out-of-shape backend frames is added in the next commit. No behaviour change for well-behaved backends; existing dispatch tests (66 assertions in mysqlx_message_dispatch_unit-t, 65 in mysqlx_session_unit-t) continue to pass unmodified. Refs: #5694.	2 months ago
Rene Cannao	b812045e11	refactor(mysqlx): split is_terminal_for_state into is_frame_allowed + is_terminal_frame No behavior change. Permissive is_frame_allowed (allows everything the existing code implicitly allows by forwarding) sets up the validation hook for the follow-on commits. Removes the now-unused is_terminal_server_frame_generic helper since every state has an explicit case. The new is_terminal_frame variant centralises the universal-NOTICE rule: NOTICE is never terminal in any state, ERROR always is. Previously the caller in handler_waiting_server_msg() short-circuited NOTICE at the call site; folding that into the predicate keeps the validation hook (added in the next commits) from having to know about NOTICE separately. Refs: #5694.	2 months ago
Rene Cannao	ff9a41871d	feat(mysqlx): project per-session state into stats_mysqlx_processlist stats_mysqlx_processlist had its DDL registered (mysqlx_admin_schema.cpp: kStatsMysqlxProcesslistTable) since the plugin-chassis merge but no writer ever existed. Operators querying the table got nothing back, no matter how many concurrent X-Protocol clients were connected. Issue #5691 caught this as the second of the two fully-empty stats surfaces. Wires the projection through the chassis ABI 3 register_runtime_view hook landed in PR #5688 — same pattern as the four runtime_mysqlx_<X> views, mirroring how core's stats___mysql_processlist re-projects on every admin SELECT. Three new pieces: 1. MysqlxSessionSnapshot struct (plugins/mysqlx/include/mysqlx_thread.h) captures one row's worth of session state: username, route name, worker_id, backend host:port, auth_mode, connection_state, and session_age_ms. bytes_in/bytes_out are reserved at 0; the per-route counters in MysqlxStatsStore aggregate by route, not by session, so filling these is P1 work. 2. Mysqlx_Thread::snapshot_sessions_for_stats(out, now_ms) walks sessions_ under sessions_mutex_ and appends one snapshot per active session. Lock scope is bounded (string copy + a few struct field reads); no I/O under the mutex; no cross-thread lock is held. Safe to call from any thread and intended for the chassis runtime-view refresh callback path. 3. mysqlx_populate_stats_processlist(SQLite3DB&) iterates over mysqlx_context().threads, gathers all snapshots into a flat vector under each thread's lock, then DELETEs and re-INSERTs the rows on statsdb. DELETE always runs (empty thread pool / empty session list both mean "no active sessions" — operators must see that, not stale state from the previous refresh). Wires three small read-only state observers on MysqlxSession (username_for_stats, route_name_for_stats, identity_for_stats, start_time_for_stats) so the snapshotter can read what it needs without needing friend-of-thread or exposing the session's mutable fields. These getters return values a debugger could already observe and cannot mutate the session. The refresh callback (refresh_stats_processlist_view in mysqlx_admin_schema.cpp) follows the same get_statsdb-via-services pattern as refresh_stats_routes_view, with one extra null-pointer guard: mysqlx_populate_stats_processlist is __attribute__((weak)) so the admin-schema unit test (which compiles mysqlx_admin_schema.cpp but doesn't link mysqlx_plugin.cpp) still links — the runtime null check is the safety net for that test build. Tests: relies on the existing fixture coverage in mysqlx_thread_unit-t and mysqlx_concurrent_unit-t to exercise the session-walk path without regression. A standalone snapshotter test would need to construct fake Mysqlx_Thread + MysqlxSession instances, which was scope-creep for P0 — defer to integration TAP coverage as the issue body recommends. All 9 affected unit suites stay green (255 assertions, no leaks introduced under ASAN). Known limitation, same as the runtime-view callback in the previous commit: SELECTs against the stats port (port 6032 with stats credentials) bypass the chassis dispatcher and return whatever's in the table since last refresh. Filing as a separate chassis-side follow-up. Refs: #5691.	2 months ago
Rene Cannao	796f336cb0	feat(mysqlx): expose stats_mysqlx_routes via runtime-view refresh stats_mysqlx_routes was previously declared (DDL registered in mysqlx_admin_schema.cpp:466) but had no writer — the MysqlxStatsStore::flush_to_sqlite() projection method was implemented months ago and has never been called. Issue #5691 caught that "no caller" gap; admin SELECTs against the table return whatever's left from previous test fixture data, which is empty in normal operation. Wires the projection through the chassis ABI 3 register_runtime_view hook landed in PR #5688. Identical shape to the four runtime_mysqlx_<X> projections already in place for users / routes / endpoints / variables: chassis fires the refresh callback before any admin SELECT references the registered table name, callback rebuilds the projected rows from the canonical in-memory state. The wrinkle vs the existing four: stats data lives in statsdb, not admindb. The chassis-supplied admindb argument is ignored; refresh_stats_routes_view fetches the statsdb handle through the plugin's cached services pointer (mysqlx_context().services-> get_statsdb()) and hands that to flush_to_sqlite. flush_to_sqlite writes a bare table name, so reaching stats_mysqlx_routes via the admindb-attached `stats.` schema would work but adds an unnecessary detour and forces a write through the wrong handle. Mirrors how core's stats___mysql_processlist() writes statsdb directly (lib/ProxySQL_Admin_Stats.cpp:885). Known limitation, flagged in the issue: the chassis only fires plugin runtime views on admin-session SELECTs (gated on `if (admin)` in lib/ProxySQL_Admin.cpp). SELECTs against the stats port (port 6032 with stats credentials) bypass the dispatcher entirely → return the table contents at last refresh. Filing as a separate chassis- side follow-up. Plumbing additions: - mysqlx_admin_schema.cpp pulls in mysqlx_stats.h and defines refresh_stats_routes_view (~10 lines). - The single-line register_runtime_view call goes inside the existing tail-extension guard (`if (services.register_runtime_view != nullptr)`) — same pattern as the other four. - test/tap/tests/unit/Makefile: three test build rules (mysqlx_admin_schema_unit-t, mysqlx_admin_commands_unit-t, mysqlx_admin_disk_commands_unit-t) now also need to compile mysqlx_stats.cpp into the test binary, since mysqlx_admin_schema.cpp now depends on it. Single-line addition per rule. Refs: #5691.	2 months ago
Rene Cannao	04f771d2a3	feat(mysqlx): account per-route bytes_sent / bytes_recv on the data plane The MysqlxRouteStats struct already had bytes_sent / bytes_recv atomic fields, but no setter and no caller — issue #5691 caught the third and fourth dead counters on the same dead-code list as conn_ok / conn_used. Adds two setters to MysqlxStatsStore: - record_bytes_sent(route, hg, n) - record_bytes_recv(route, hg, n) Both fetch_add(n, relaxed) under the existing mutex, with a 0-arg fast path that skips the lock entirely (frame.size() == 5 means a header- only frame and is the natural early-out — no underflow guard needed on `size - 5` because the call sites only fire when size > 5). Wires them at the two natural data-plane sites: - MysqlxSession::forward_to_backend — bytes_sent is "X-Protocol payload bytes the proxy forwarded from client to backend", measured as `frame.size() - 5` (strip the 5-byte X-Protocol frame header so the counter tracks operator-meaningful query/CRUD bytes rather than wire-level total). - MysqlxSession::handler_waiting_server_msg — bytes_recv is the same payload-only measure for the backend → proxy → client leg. NOTICE frames are counted (they're part of the data plane the operator paid for forwarding); the OK / EXECUTE_OK / FETCH_DONE family contributes 0 because their payloads are typically empty. Both counters need the route name available at the I/O site without re-reading identity_->default_route per frame. Caches that string into MysqlxSession::route_name_ at the resolve_backend_target() success tail and clears it in init() and reset(). The dataplane sites read route_name_ directly. (identity_ would not be null at those sites in practice — resolve_backend_target() is gated on a populated identity — but route_name_ avoids the optional-deref entirely and side-steps any future code path that nulls identity_ in-flight without a corresponding state transition.) Tests: extends mysqlx_stats_unit-t.cpp to plan(26), adding 4 assertions covering the new bytes_sent / bytes_recv accumulation through flush_to_sqlite, including the 0-arg no-op invariant and that destination_hostgroup is carried through. Refs: #5691.	2 months ago
Rene Cannao	b1f973b163	feat(mysqlx): record conn_ok and conn_used in handler_connecting_server The mysqlx plugin's MysqlxStatsStore declares five per-route counters (conn_ok, conn_err, conn_used, bytes_sent, bytes_recv) but issue #5691 caught that, of those five, only conn_err is incremented from production code (from the failure modes of resolve_backend_target). The other four are dead. Wires the two connection-success counters at their natural sites in MysqlxSession::handler_connecting_server: - record_conn_used at the cache-hit early-return branch (took an existing pre-warmed backend connection out of the per-thread pool in Mysqlx_Thread::get_connection_from_cache; no fresh TCP, no fresh TLS, no fresh backend auth performed). - record_conn_ok at the fresh-connection success tail (TCP connect, optional TLS handshake, and step_auth() all returned non-error, no early return fired). This is the "established a brand new backend connection from scratch" counter — strictly disjoint from conn_used. Both call sites already have target_hostgroup_ in scope (set by resolve_backend_target before this state is reachable) and identity_ (set during the frontend auth flow). The route-name argument falls back to the empty string when identity_ is null, defensively — in practice it cannot be null past resolve_backend_target's success path, but the ternary avoids a crash if the state machine ever ends up here without one and reads identity_->default_route via the dot operator on a moved-from optional. The bytes_sent/bytes_recv counters and the runtime-view projection that surfaces these in stats_mysqlx_routes are wired in follow-on commits per the P0 plan on #5691. Refs: #5691.	2 months ago
Rene Cannao	29402b4a42	docs(plugins/genai): close 3 small gaps from review # 1. Real prepared statement in local_proxy_endpoint.cpp read_global_variable's comment claimed "Parameterised lookup via prepared statement" but the implementation did string concatenation: "SELECT variable_value FROM main.global_variables WHERE variable_name='" + std::string(var_name) + "'" Today's only callers pass hardcoded "mysql-interfaces" / "pgsql-interfaces", so the SQL injection surface is zero — but the comment is a footgun for the next caller and we have a working prepare_v2 / bind_text pattern right next door in plugin_main.cpp. Replace with the proper prepared-statement form using proxy_sqlite3_step + proxy_sqlite3_column_text; semantics (empty-string on miss / error) are unchanged. # 2. Concurrency contract on genai_refresh_runtime_components The function (introduced in `9e4244321`) tears down and reinitialises GloGATH and GloAI in place — with no rwlock around either global. Today it's called from: 1. genai_start (single-threaded, no traffic) — always safe 2. LOAD GENAI VARIABLES TO RUNTIME admin command — racy with active MCP listener / tool-handler threads 3. LOAD GENAI VARIABLES FROM CONFIG — same as (2) Document the contract honestly in the header: caller must guarantee no concurrent dereference of GloGATH/GloAI; today the practical mitigation is operator-side (quiesce traffic before issuing the LOAD). A proper rwlock around all GloGATH/GloAI consumers is a follow-up — too large for this PR's scope, requires audit of every listener/tool-handler reader. # 3. New plugins/genai/README.md The plugin is now ~30 source files spanning the MCP listener, GenAI worker pool, AI features manager, anomaly detector, schema discovery cache, FTS index, vector storage, LLM bridge, and 9 tool handlers — with no single doc explaining what it owns or how to operate it. Mirror the plugins/mysqlx pattern: a one-page README covering scope, building, loading, lifecycle, admin SQL surface, configuration pointer, observability, concurrency contract, testing, and known gaps. Cross-references doc/MCP/ and doc/LLM_Bridge/ for the deeper subsystem-internal documentation that already exists.	2 months ago

1 2 3 4

171 Commits (2001c429f830ba2d93fe6ea90715afff65eec08a)