proxysql

Commit Graph

Author	SHA1	Message	Date
Rene Cannao	aef01ef0be	feat(mysqlx): compress outbound server frames (Phase 3) Phase 3 of three-phase X Protocol compression support: server→client compression on outbound frames. Wraps up the MVP — CapabilitiesSet negotiation (Phase 1), inbound decompression (Phase 2), and now outbound compression all roundtrip. What this commit does ===================== forward_frame_to_client() — the chokepoint for backend→client frame forwarding — now routes through send_to_client_compressed(), which: 1. Returns early to plain client_ds_.enqueue_frame() when compression is not negotiated OR the body is below COMPRESSION_MIN_OUTPUT_BYTES (50 bytes — same threshold the upstream MySQL X plugin uses; per- message envelope + framing overhead would otherwise dwarf savings). 2. With combine_mixed_messages = false: emits one Compression frame per body. The protobuf has server_messages set to the original frame's msg_type and uncompressed_size set to the original body length, so a spec-compliant client can decompress in place. 3. With combine_mixed_messages = true: appends a fully-framed copy of the body to compress_batch_framed_ and bumps compress_batch_count_. Once the count reaches max_combine_messages (defaulting to 64 if the client didn't supply one), or flush_compression_batch() is invoked at a natural boundary, all buffered frames are emitted as one Compression message with NEITHER server_messages nor client_messages set — payload is the concatenated stream of framed X messages, matching the spec's third payload shape. The flush points are: - handler_waiting_server_msg() when it sees a terminal frame (end of a result set / final OK / etc.) — the response is "done" so anything still buffered must reach the wire before we go back to WAITING_CLIENT_XMSG. - handler_session_reset_waiting() on the ERROR path before write_to_net(), same reasoning. Mid-response we deliberately do NOT flush — that would defeat the combine_mixed_messages benefit by emitting a Compression message per batch hit, which is exactly what we're trying to avoid for streaming result sets. The count cap bounds how long a single batch can grow. Compressor selection mirrors Phase 2: - zstd_stream uses ZSTD_compressCCtx() with a per-session ZSTD_CCtx that's lazily allocated and freed in reset_compression_state(). - lz4_message uses LZ4_compress_default() one-shot. On compressor failure (ZSTD_isError or lz4 returning <= 0) the helper falls back to enqueueing the body uncompressed — losing compression benefit beats dropping the message. The session itself stays healthy. Tests ===== mysqlx_compression_unit-t now plans 64 sub-tests, all passing: - Phase 1: 22 sub-tests for capability negotiation - Phase 2: 17 sub-tests for inbound decompression - Phase 3 (new, 25 sub-tests): - zstd round-trip: frame on the wire is COMPRESSION with server_messages = NOTICE; payload decompresses back to the exact original 200-byte body - lz4 round-trip, same shape - below-threshold passthrough: 20-byte body emitted as plain NOTICE, not COMPRESSION (verifies the fast path) - combine_mixed_messages with max_combine_messages=3: three successive sends produce ONE Compression frame whose decompressed payload contains all three NOTICE bodies in order, with neither server_messages nor client_messages set - compression-disabled passthrough: when no negotiation, the helper acts as a plain enqueue_frame() (proves a client that never opts in is unaffected) A few new test-only accessors expose the batch state and send_to_client_compressed() entry point so tests can exercise the output path without wiring a fake backend (which would block on connect() in the dispatcher anyway). Verification ============ Top-level `PROXYSQLGENAI=1 make` builds cleanly. mysqlx_compression_unit-t passes 64/64. plugin_lifecycle_unit-t (26/26) passes unchanged. mysqlx_session_unit-t still has its two pre-existing failures at sub-tests 33-34 (auth flow), unrelated to compression and present on this branch before the Phase 1 commit.	1 month ago
Rene Cannao	b1fd6b31fc	feat(mysqlx): decompress incoming Compression messages (Phase 2) Phase 2 of three-phase X Protocol compression support: client→server decompression. Compression on the server→client path (Phase 3) still goes out uncompressed; CapabilitiesSet stores the negotiation in Phase 1 and this commit consumes it. What this commit does ===================== When the client sends a Mysqlx.Connection.Compression message AND compression has been negotiated, we now: 1. Parse the Compression protobuf — payload bytes, optional uncompressed_size hint, optional client_messages tag. 2. Decompress the payload using the negotiated algorithm: - zstd_stream: streaming decompression via a ZSTD_DCtx that persists across messages on the same session (per spec — successive Compression frames may continue a single zstd stream, so we cannot recreate the context per frame). - lz4_message: one-shot LZ4_decompress_safe. The X spec defines lz4_message as one independent frame per message, so no persistent context is needed. 3. Feed the decompressed bytes back into client_ds_.feed_bytes() so the existing frame parser picks them up. Two payload shapes per spec are handled: - client_messages set: payload is one decompressed body of that type — we re-frame with a 5-byte X header in front. - neither set: payload is already a sequence of fully-framed X messages — fed verbatim. 4. The dispatch loop re-enters on the same handler tick (to_process set), so a Compression-wrapped StmtExecute runs end-to-end without an extra network roundtrip. If client_messages is unset and server_messages IS set, the message is rejected (5008): server_messages on the c→s path is always wrong. Anti-bomb / bounds ================== COMPRESSION_MAX_DECOMPRESSED_BYTES = 16 MiB caps how much output a single Compression message can produce, mirroring MysqlxDataStream's existing on-the-wire X_MAX_PAYLOAD_SIZE so a Compression frame never expands beyond what the rest of the data plane can handle anyway. If the client provides an uncompressed_size hint smaller than 16 MiB we honor that as the tighter bound. Hint of 0 with non-empty payload is treated as malformed. For zstd, the decompression loop re-checks the cap before each ZSTD_decompressStream call and bails (with 5008) the moment the output buffer would exceed it. A no-progress condition (zout.pos == 0 with input remaining) also bails — that catches malformed streams that would otherwise spin forever. For lz4, LZ4_decompress_safe(dstCapacity = cap) naturally enforces the limit: the decompressor refuses to write past dstCapacity and returns an error code we map to 5008. Linkage / build =============== The plugin .so is dlopen'd with RTLD_LOCAL, so symbols from libzstd / liblz4 that the proxysql binary may already pull in are NOT visible to the plugin. This commit links the static deps/zstd/zstd/lib/libzstd.a + deps/lz4/lz4/lib/liblz4.a archives directly into the .so so the plugin is self-contained. The session header forward-declares ZSTD_DCtx / ZSTD_CCtx so the zstd headers don't leak through include/mysqlx_session.h into other translation units. Tests ===== mysqlx_compression_unit-t now covers Phase 2 end-to-end (39 sub- tests total, all passing): - Phase 1: capability negotiation (22 sub-tests, unchanged) - decompress zstd_stream client_messages=SQL_STMT_EXECUTE, inner StmtExecute reaches dispatch (no 5008, session moves past WAITING_CLIENT_XMSG) - same for lz4_message - oversize bomb attempt: lie about uncompressed_size, send a 1 MiB-of-zeros payload — rejected with 5008 - garbage compressed payload: rejected with 5008 - sanity: COMPRESSION before negotiation still 5008 Verification ============ Top-level `PROXYSQLGENAI=1 make` builds cleanly; the plugin .so links against the static zstd + lz4 archives. plugin_lifecycle_unit-t (26/26) passes unchanged. mysqlx_session_unit-t still has its two pre-existing failures at sub-tests 33-34, identical to behavior before this commit (verified by stashing only the Phase 2 edits to plugins/mysqlx/{src,include}/* + Makefile and rebuilding). The mysqlx_thread_unit-t / mysqlx_concurrent_unit-t hangs are also pre-existing and reproduce on the unmodified branch.	1 month ago
Rene Cannao	f19be5f3a0	feat(mysqlx): negotiate X Protocol compression capability (Phase 1) Phase 1 of three-phase X Protocol compression support: capability negotiation only. The COMPRESSION message itself is still rejected with error 5008 in dispatch_client_message(); Phase 2 wires up decompression on input and Phase 3 wires up compression on output. What this commit does ===================== - send_capabilities() now advertises a `compression` capability listing the algorithms the plugin can support: zstd_stream and lz4_message. Both libraries (libzstd, liblz4) are already statically linked into libproxysql.a / pulled into the unit-test link line, so this does not introduce any new runtime dependency. - handler_capabilities_set() detects when a client sets the `compression` capability and parses the OBJECT value's sub-keys: - `algorithm` (required string) — must match an advertised value; anything else is rejected with X-Protocol error 5052 (the capability-prepare-failed code per the spec). - `server_combine_mixed_messages` / `combine_mixed_messages` (bool) - `server_max_combine_messages` / `max_combine_messages` (uint) Both spelling variants are accepted because mysql-connector-python emits the short form while libmysqlclient emits the spec form, and the upstream MySQL server tolerates both. - Negotiation outcome is stored on MysqlxSession via three new members (compression_algo_, compression_combine_mixed_messages_, compression_max_combine_messages_). Phase 2 / Phase 3 will read these to drive (de)compression. They are reset by both init() and reset() so a session reuse does not inherit stale negotiation. - Unsupported algorithms (e.g. deflate_stream) and structurally malformed values (wrong protobuf type, missing algorithm field) are rejected with a non-fatal X-Protocol Error frame — the session remains healthy so the client can either retry CapabilitiesSet or proceed without compression. Why 5052 (non-fatal) and not 5008 --------------------------------- 5008 is the runtime "compression message arrived but compression is disabled" error and stays in dispatch_client_message() for now. 5052 is the spec-defined "capability prepare failed" status used during the CapabilitiesSet handshake; treating an unknown algorithm as a capability error matches the upstream MySQL X plugin's behavior and lets compliant clients downgrade to no-compression on the same connection. Tests ===== New unit test: test/tap/tests/unit/mysqlx_compression_unit-t.cpp (22 sub-tests, all passing). Covers: - CapGet response advertises `compression` with both algorithms - CapSet zstd_stream + combine hints accepted, stored on session - CapSet lz4_message accepted, stored on session - CapSet deflate_stream rejected with 5052 (non-fatal), session remains healthy with no algorithm set - CapSet with wrong-shape compression value (scalar instead of object) rejected with 5052 Existing mysqlx_session_unit-t / plugin_lifecycle_unit-t still pass (the two pre-existing failures in mysqlx_session_unit-t at sub-tests 33-34, "auth succeeded for correct password" and "session in WAITING_CLIENT_XMSG after auth", are present on this branch before this commit and unrelated to compression — verified by stashing only the mysqlx_session.{cpp,h} edits and re-running). Build infra fix piggy-backed on this commit ------------------------------------------- test/tap/tests/unit/Makefile referenced $(SQLITE3_LDIR)/../libsqlite_rembed.a in the GenAI-tier link line, but that .a is no longer produced on this branch (it was the artifact of the now-removed sqlite-rembed Rust extension). Without removing this stale reference, no plugin/mysqlx unit test can link, which blocks verifying the new compression test alongside the existing mysqlx tests required by the task. Mirrors the upstream fix that already landed on sibling branches as commit `44a6c9d58` ("build(test): drop libsqlite_rembed.a from TAP and rag test link order"). Phase 2 (decompression) and Phase 3 (compression on output) will follow as separate commits; the COMPRESSION dispatch handler still emits 5008 until Phase 2 lands.	1 month ago
Rene Cannao	79cac4c976	chore(mysqlx): retire MysqlxFrontendSession, MysqlxBackendSession, X_FAST_FORWARD Three pieces of dead code that survived the MysqlxWorker retirement (commit `98aee7db2`) and the v2 event-driven rewrite: * `MysqlxFrontendSession` and `MysqlxBackendSession` (plugins/mysqlx/ include/* + src/): an alternative session implementation from the pre-event-driven days. Compiled into the .so but not instantiated anywhere — `Mysqlx_Thread::accept_new_connection` creates a `MysqlxSession` directly. The Phase-1 placeholder in `MysqlxFrontendSession::handler_capabilities_set` (returning "TLS capability not supported by mysqlx plugin in Phase 1") was particularly misleading on review since the real, TLS-aware `MysqlxSession::handler_capabilities_set` in mysqlx_session.cpp:202 has full TLS negotiation wired up. `X_FAST_FORWARD` enum value, `handler_fast_forward()` declaration, dispatch case, and empty body (plugins/mysqlx/src/mysqlx_session.cpp): state was declared but no code path ever set `status_ = X_FAST_FORWARD`, so the dispatch case was unreachable and the handler body was empty. Drop the four files from `plugins/mysqlx/Makefile`'s SRCS list and delete them. Plugin .so size drops from ~9.3 MB to ~8.5 MB (approximately 800 KB of dead code eliminated). Build clean under PROXYSQLGENAI=1.	1 month ago
Rene Cannao	c723ede0cf	Merge remote-tracking branch 'origin/plugin-chassis' into ProtocolX-rebased # Conflicts: # lib/ProxySQL_PluginManager.cpp # plugins/mysqlx/Makefile # plugins/mysqlx/include/mysqlx_plugin.h # plugins/mysqlx/include/mysqlx_session.h # test/tap/groups/groups.json # test/tap/tests/test_mysqlx_listener_smoke-t.cpp # test/tap/tests/unit/Makefile	1 month ago
Rene Cannao	e462bb0cb4	fix: address PR review feedback Resolves in-scope review items on PR #5651. Items deemed out of scope for this PR (O(N) admin dispatch lookup, per-plugin mutex, worker backpressure, runtime-reload DDL semantics, E2E tests going through ProxySQL rather than directly to MySQL) are tracked elsewhere; items that were already fixed in earlier commits on this branch (Admin_Handler MYSQLX alias vectors, Admin_Bootstrap PROXYSQL40 gating) are acknowledged as stale. Changes: * .github/workflows/CI-mysqlx.yml: add `include/` and `src/proxysql_global.cpp` to both `sparse-checkout` blocks. The plugin Makefile discovers the repo root via `src/proxysql_global.cpp` and includes headers from `include/`; without these, `make` inside `plugins/mysqlx` climbs up to `/` or fails on missing includes. (coderabbit: "Checkout the files required by the plugin Makefile.") * .github/workflows/CI-mysqlx.yml: `fail-on-cache-miss` now depends on `github.event_name == 'workflow_run'`. Strict behavior is retained for the cache-driven pipeline that CI-trigger populates; manual `workflow_dispatch` runs no longer fail when the SHA-specific cache doesn't exist yet. (coderabbit: "Don't make manual runs depend on a pre-existing build cache.") * plugins/mysqlx/Makefile: replace the unbounded `while [ ! -f ./src/proxysql_global.cpp ]; do cd ..; done` with a bounded upward walk (up to 12 levels) that fails fast with a clear error message when the marker file is missing — e.g. on a sparse checkout that omits `src/proxysql_global.cpp`. Build output no longer appears to hang indefinitely. (coderabbit: "Prevent root discovery from hanging on sparse or invalid checkouts.") * doc/PLUGIN_API.md: update startup sequence from the old three-phase (load → init → start) description to the four-phase chassis lifecycle (load → register_schemas → admin materialize → init → start). Document the `register_schemas` descriptor field and the `abi_version` / `PROXYSQL_PLUGIN_ABI_VERSION` contract. Clarify that `stop()` pairs with `init()` (not `start()`) for teardown symmetry. (coderabbit: "Update plugin lifecycle documentation to reflect four-phase model and ABI versioning.") * plugins/mysqlx/include/mysqlx_session.h: default-initialize every field in `MysqlxCredentials`. `bool x_enabled` was indeterminate for a default-constructed instance, which would let a lookup miss produce a value that silently authenticates. In-class initializers give every field a deterministic default. (coderabbit: "Default- initialize credential fields used by auth decisions.") * plugins/mysqlx/src/mysqlx_backend_session.cpp: close `backend_fd_` when `authenticate_backend()` returns false. Previously `connect()` stored the newly-opened fd in `backend_fd_` and returned the auth result; a retry on the same `MysqlxBackendSession` would then overwrite `backend_fd_` and leak the previous socket. (coderabbit: "Close/reset `backend_fd_` when authentication fails.") * lib/Admin_Bootstrap.cpp: `materialize_plugin_tables()` now runs DDL only for the subset of plugin-declared tables that were freshly inserted into `tables_defs_` (the rest are already materialized). DDL failures are startup-fatal: on `execute()` returning false, log the plugin kind + table name + SQL and `exit(EXIT_FAILURE)`. A partially materialized schema produces opaque runtime errors from the plugin later on, so aborting startup is the right default. (gemini + coderabbit: "Execute DDL only for newly materialized plugin tables" / "add error checking".) Not changed in this commit (deferred / out of scope / stale): CI-mysqlx E2E tests going through ProxySQL (requires plumbing listener + admin config in the CI workflow). * O(N) admin dispatch scan → hash map. * Descriptor build-id hash for libstdc++ compat detection. * Per-plugin mutex on mutable plugin context. * Worker client-fd enqueue backpressure. * Stale plan-doc feedback on docs/superpowers/plans/.md. Verification (clean tree): `unset PROXYSQL; make cleanall && make debug -j$(nproc) && make build_tap_test_debug -j$(nproc)` -- 0 errors. `PROXYSQLGENAI=1 make cleanall && PROXYSQLGENAI=1 make debug -j$(nproc) && PROXYSQLGENAI=1 make build_tap_test_debug -j$(nproc)` -- 0 errors. * Plugin unit tests (PROXYSQL40): 48 + 52 + 26 + 46 + 10 = 182 pass.	1 month ago
Rene Cannao	6fe50376d5	Merge remote-tracking branch 'origin/feature/mysqlx-route-identity' into HEAD # Conflicts: # plugins/mysqlx/src/mysqlx_session.cpp # test/tap/tests/unit/Makefile # test/tap/tests/unit/mysqlx_robustness_unit-t.cpp	1 month ago
Rene Cannao	a2e99eed50	perf(mysqlx): only invoke handler() for sessions with real work process_all_sessions previously forced sess->to_process=true on every tick and unconditionally called sess->handler(), burning CPU at large idle session counts (one full state-machine traversal per session per loop iteration, regardless of whether anything had changed). Now only call handler() when at least one of these is true: - a poll event landed on the client or server data stream - the session self-flagged to_process (handler wants to re-run) - a complete frame is already buffered on either stream Also make Mysqlx_Thread::sessions_mutex_ mutable and take it in get_session_count() const. Previously const accessors that needed to lock the mutex couldn't — and the session count was read without the lock at all, racing the writer that appends/removes sessions.	1 month ago
Rene Cannao	6a921514cc	fix(mysqlx): protocol, data-stream and stats robustness fixes mysqlx_connection.cpp: Drain leading NOTICE frames in read_auth_frame() instead of returning nullopt on the first NOTICE. MySQL backends commonly emit a session-state-change notice before AuthenticateContinue or Ok, and returning nullopt caused the auth state machine to spin on try-read for the full 10s handshake timeout before completing. The two callers (step_auth_capabilities_get_sent and step_auth_capabilities_set_sent) now use the shared helper and drop their duplicated NOTICE checks. Also added a frame-size guard before reading the message-type byte. mysqlx_data_stream.{h,cpp}: Add close_and_reset() which tears down SSL/BIO state and clears every read/write buffer and parse flag without close()ing the fd. Required by mysqlx_session.cpp's return_backend_to_pool(), where the fd is owned by the pooled MysqlxConnection and must stay open after the data stream is wiped. Fix SSL_read return handling: a 0-return is a clean TLS shutdown (close_notify) and must surface as a connection close, not as a WANT_IO/retry. The previous code treated 0 and <0 identically and would loop forever on a cleanly-closed TLS peer. mysqlx_protocol.cpp: mysqlx_build_frame now rejects serialized payloads at the uint32 boundary so the +1 for the message-type byte cannot wrap to 0. This mirrors the X_MAX_PAYLOAD_SIZE clamp already applied by the inbound parser in MysqlxDataStream. mysqlx_stats.cpp: Rewrite the stats_mysqlx_routes INSERT builder to use std::string concatenation instead of a fixed 1024-byte snprintf buffer. Long route names plus escaping could overflow the buffer and the row was silently dropped without reaching the statsdb.	1 month ago
Rene Cannao	d0f6d8e4a8	Merge remote-tracking branch 'origin/fix/mysqlx-listener-lifecycle' into HEAD # Conflicts: # plugins/mysqlx/Makefile # plugins/mysqlx/src/mysqlx_plugin.cpp # test/tap/tests/unit/Makefile # test/tap/tests/unit/mysqlx_robustness_unit-t.cpp	1 month ago
Rene Cannao	fb1a0cd706	Merge remote-tracking branch 'origin/fix/mysqlx-backend-tls-post-auth' into HEAD # Conflicts: # test/tap/tests/unit/mysqlx_robustness_unit-t.cpp	1 month ago
Rene Cannao	3d107c3bed	chore: commit pre-existing plugin manager improvements Improvements left uncommitted at the end of Step 0: - atomic g_active_plugin_manager pointer - reject plugin descriptors with null/empty name - assert single-threaded init phase - debug-log dispatched plugin commands - propagate mysqlx_register_admin_schema failure into init - additional plugin manager unit tests (init/start/stop fail, double load) - updated ABI doc/comments for table copy semantics, command context lifetime, services availability, and status_json storage	1 month ago
Rene Cannao	2ffa38bc6c	fix(mysqlx): use resolved backend_username when setting up the backend connection The session's backend-connection setup site in handler_connecting_server now falls back to identity_->backend_username when that field is non-empty, and only reuses the frontend username_ when it is empty (the mapped-mode / default case). coderabbitai flagged on PR #5645 (outside-diff; the code originates in PR #5641): the pre-fix setup call always passed the frontend username_ to set_backend_user() while pairing it with the resolved password from identity_->backend_password. For mysqlx_users rows whose backend_auth_mode is `service_account` and whose backend_username differs from the frontend username, this mismatch paired userA's password with userB's name — backend auth failed with access-denied even though both columns were internally consistent. The route-identity refactor (earlier commits on this branch) widened the user lookup to return the full MysqlxResolvedIdentity struct, which already carries backend_username. This commit wires that existing field through at the backend-setup site; no store-side changes are required. See MysqlxBackendAuthMode in mysqlx_config_store.h for the full set of modes and their semantics. Testing: two new unit assertions covering both branches of the selector — mapped mode (empty backend_username falls back to frontend username_) and service_account mode (distinct backend_username is used verbatim). Assertion count moves from 46 to 48. A test-only getter MysqlxConnection::get_backend_user_for_test() was added so the test can observe the string that was ultimately passed to set_backend_user. Out of scope: enforcement of MysqlxBackendAuthMode semantics (for example, rejecting service_account rows that omit backend_username at load time). That validation belongs with the config-store loader and is tracked separately.	1 month ago
Rene Cannao	c78d7b859c	fix(mysqlx): reconcile bind-address changes, document single-admin-thread assumption The listener reconciler built its desired snapshot keyed only by route name, so editing a route's `bind` column (e.g. from `:33061` to `:33062`) and running LOAD MYSQLX ROUTES TO RUNTIME left the old listener running and never opened the new port — the removal pass saw the name still in the desired set and skipped the route entirely. The removal pass now also compares the currently-bound `host:port` on the owning thread against the desired bind and treats any mismatch as a removal; the subsequent addition pass rebinds under the new spec. To support that comparison, `Mysqlx_Thread` now stores bind ports in a parallel `listener_ports_` vector alongside the existing `listener_addrs_` and exposes `get_listener_addr_for_route()` returning the canonical `"host:port"` form. Also added a comment documenting the pre-existing single-admin-thread invariant that justifies snapshotting the DB outside of `route_to_thread_mutex` (noted in code review, not a behavioral change). Testing: new unit-test assertions exercise a full bind-change reconcile end-to-end — pick two free ports, reconcile at port1, update the runtime row to port2, reconcile again, and assert the listener is now bound at port2 with total listener count still 1. 42 assertions pass (was 38). Out of scope: changing the concurrency model. The single-admin-thread assumption is pre-existing throughout ProxySQL admin execution.	1 month ago
Rene Cannao	dd131b0aa2	fix(mysqlx): reconcile listeners at startup and on LOAD ROUTES TO RUNTIME Startup previously capped listener creation at `pool_size` routes via `ti < ctx.threads.size()` in mysqlx_plugin.cpp's startup loop, so any routes beyond the thread-pool size had no listener. Runtime route changes via `LOAD MYSQLX ROUTES TO RUNTIME` never touched the listener topology at all — adding, removing, or toggling a route's `active` flag had no effect until a full restart. Flagged in the ProtocolX code review as item #4. This commit: - Drops the `ti < pool_size` cap in the startup loop. - Distributes routes across threads round-robin (the original intent) using a shared plugin-scope `route_to_thread` map guarded by a mutex, with a `next_rr_index` cursor. - Adds route-name tracking to Mysqlx_Thread: a new parallel `listener_route_names_` vector alongside `listener_fds_` / `listener_addrs_`, plus a new `remove_listener_for_route(name)` method that closes the fd and prunes all three vectors. Returns true/false so callers can use it idempotently. - Adds a `mysqlx_reconcile_listeners(admindb)` desired-state reconciler. Reads active routes from `runtime_mysqlx_routes`, binds missing listeners round-robin, and removes listeners for routes that are gone or deactivated. Startup and `LOAD MYSQLX ROUTES TO RUNTIME` both go through this single path, so both agree. The reconciler is idempotent: re-running with the same desired set is a no-op. - The reconciliation core lives in a new file `plugins/mysqlx/src/mysqlx_listener_reconcile.cpp` as a pure helper `mysqlx_reconcile_listeners_impl(...)` taking state by parameter, so unit tests can drive it against a minimal fake context. The convenience wrapper that reads `mysqlx_context()` lives in plugin.cpp and is declared weak so tests of admin_schema.cpp that don't link plugin.cpp still link cleanly (admin_schema null-checks the weak pointer). Tests: mysqlx_robustness_unit-t grows from 33 to 38 assertions — four thread-API tests (add_listener with route name on two threads, remove_listener_for_route removes and is idempotent) plus one integration test that builds an in-memory admin DB with one route and asserts `mysqlx_reconcile_listeners_impl` binds exactly one listener and records the mapping. Also fixes the pre-existing unit-test Makefile link gap: four tests that include `mysqlx_thread.cpp` (which references `MysqlxConfigStore::resolve_identity`) now correctly link `mysqlx_config_store.cpp`, and the robustness test link line picks up `mysqlx_config_store.cpp` + `mysqlx_listener_reconcile.cpp` for the new coverage. Out of scope: switching the distribution strategy to SO_REUSEPORT / all-threads-on-all-routes (future design iteration); treating an in-place `active` flag toggle as anything other than remove + add.	1 month ago
Rene Cannao	3e8c3da9de	fix(mysqlx): preserve backend TLS state past auth handshake What: Stop rewrapping the raw backend fd in a fresh session-owned MysqlxDataStream after backend auth completes. Route every data-plane read/write (forward_to_backend, handler_waiting_server_msg, handler_session_reset_waiting, and the cached-conn attach path) through MysqlxConnection::backend_ds() instead. Why: The optional backend TLS handshake runs against the connection's backend_ds_ (see mysqlx_connection.cpp init_ssl_connect) and the resulting SSL* lives there. The prior session code discarded that SSL* by init()-ing a new plain MysqlxDataStream around the same raw fd, then used it for cleartext I/O on a socket where the server expects TLS frames. Flagged in the ProtocolX code review (item #2). Testing: mysqlx_robustness_unit-t picks up five new assertions that pin the invariant: MysqlxSession::server_ds() aliases backend_conn_->backend_ds() whenever a backend is attached, and falls back to a fd == -1 placeholder otherwise. Baseline 33, post-fix 38, all pass. Out of scope: - Connection cache semantics: cached connections keep their SSL state; MysqlxConnection::reset() already leaves backend_ds_ untouched so the invariant extends to pooled reuse. - MysqlxDataStream internals (untouched). - The dormant worker path (different PR). Pre-existing ripple: test/tap/tests/unit/Makefile mysqlx_robustness_unit-t link line was missing mysqlx_config_store.cpp, same gap other mysqlx tests have been closing as they get touched. Added it here so the test links.	1 month ago
Rene Cannao	98aee7db21	chore(mysqlx): retire dormant MysqlxWorker path and its smoke test Deletes the mysqlx worker implementation and the TAP smoke test that was its only caller. Also removes the corresponding entries from the plugin Makefile, the unit-tests Makefile, and the CI groups manifest. Files removed: - plugins/mysqlx/src/mysqlx_worker.cpp - plugins/mysqlx/include/mysqlx_worker.h - test/tap/tests/test_mysqlx_listener_smoke-t.cpp References cleaned: - plugins/mysqlx/Makefile: dropped mysqlx_worker.cpp from SRCS - test/tap/tests/unit/Makefile: dropped test_mysqlx_listener_smoke-t from UNIT_TESTS and deleted its build rule - test/tap/groups/groups.json: removed the smoke-test entry from the unit-tests-g1 group Why: the worker was an earlier parallel implementation of the mysqlx session path (separate accept thread + worker queue + per-listener route tracking + identity.default_route -> pick_endpoint). It never reached any call site in the production proxysql binary. The only consumers of its public API were the smoke test and the worker code itself. The route-identity fix in PR #5641 used the worker's design as a reference and implemented the fix in the active session path (Mysqlx_Thread + MysqlxSession + MysqlxConfigStore::pick_endpoint). With that landed, the dormant code is pure tech debt — reviewers repeatedly mistook its logic for the active path. Why retire the smoke test at the same time: the test exercised mysqlx_start_listeners_from_runtime_routes() which was the worker's only entry function. With the worker gone, the smoke test cannot link; keeping it would produce a broken CI target. Out of scope: no changes to the active session path, no changes to the MysqlxConfigStore or admin-schema tables, no changes to any other tests. Pure deletion + Makefile/groups cleanup.	1 month ago
Rene Cannao	e099081796	fix(mysqlx): record stats on unreachable guard, update stale comment What: - resolve_backend_target()'s !identity_ guard now calls mysqlx_stats().record_conn_err("", 0) so the missing-identity path does not silently drop observability. - Stale "Not yet wired" comment in mysqlx_session.h replaced with a current-state doc reflecting that resolve_backend_target() is called from the auth handlers before send_auth_ok(). Why: - Final review flagged that the spec's "all failure modes record stats" contract wasn't held on the programming-error guard. Tuple ("", 0) matches the empty-route 4000 case, which is acceptable aliasing since both legitimately lack route context. - Comment update prevents future confusion about whether resolve is integrated (Task 4 is merged). Out of scope: no behavior change, no test change. Assertion count remains 46.	1 month ago
Rene Cannao	14c5d68260	feat(mysqlx): add resolve_backend_target() method on session Introduces MysqlxSession::resolve_backend_target(), a private method that translates the authenticated user's identity_->default_route into the concrete (target_hostgroup_, target_address_, target_port_) triple that handler_connecting_server needs to reach the backend. The method reads identity_->default_route, looks up the hostgroup + endpoint via the thread's MysqlxConfigStore, and returns 0 on success; on failure it returns 4000/4001/4002 (empty default_route / unknown route / no-backend respectively), emits an X-Protocol Error frame, records a stats miss via mysqlx_stats().record_conn_err(), and marks the session unhealthy. Why: fixes the design gap where sessions populated target_* fields only from a pool cache lookup and otherwise connected to "" on port 0 (see docs/superpowers/specs/2026-04-17-mysqlx-route-identity-design.md). The pre-Ok timing is deliberate — once the X-Protocol Ok frame is on the wire, a routing failure cannot be cleanly reported, so resolution must run before send_auth_ok(). Invariants preserved: resolve_backend_target() is not yet wired into the auth flow. Task 4 owns that step. This commit is therefore a pure addition — no production call site touches the new method; only the new unit tests exercise it, via test-only public accessors (inject_identity_for_test / resolve_backend_target_for_test / target_*_for_test). Mysqlx_Thread gains get_config_store() so the session can reach the store; MysqlxStatsStore gains reset_for_test() and get_last_conn_err_for_test() so the stats-recording contract can be asserted without a live SQLite stats DB. Out of scope: wiring resolve_backend_target() into handle_auth_plain and handler_auth_challenge_response (Task 4); removing the dormant worker path (Task 5); reconciling error codes 4000/4001/4002 with the project-wide ProxySQL error-code policy (follow-up commit). Test coverage (plan bumped +7, now 43 assertions): - test_routing_happy_path — rc=0, target fields populated - test_routing_no_default_route — rc=4000 - test_routing_unknown_route — rc=4001 - test_routing_no_backend — rc=4002 (route exists, 0 endpoints) - test_routing_stats_on_failure — (route,hg) tuples for all 3 modes - test_routing_unknown_user — identity_lookup nullopt => unhealthy Also updates mysqlx_session_unit-t / mysqlx_thread_unit-t / mysqlx_message_dispatch_unit-t / mysqlx_concurrent_unit-t Makefile rules to link mysqlx_config_store.cpp + mysqlx_stats.cpp, which were already required transitively by mysqlx_thread.cpp::resolve_identity() since Task 2 but had not been wired into the unit-test link set.	1 month ago
Rene Cannao	f0a8655be3	refactor(mysqlx): replace MysqlxCredentials with MysqlxResolvedIdentity The session's identity-lookup callback now returns the full MysqlxResolvedIdentity struct from the config store rather than a stripped-down MysqlxCredentials. Password-hash derivation moves into the session via a private derive_stored_hash helper (handles both "*HEX40" and cleartext forms). No behavior change; the existing credential-lookup guard semantics are preserved so sessions without a lookup still follow the open-proxy path exercised by the robustness tests. mysqlx_robustness_unit-t passes unchanged (36/36).	1 month ago
Rene Cannao	ca6ddb860c	feat(mysqlx): add route_exists() predicate to MysqlxConfigStore Needed to distinguish unknown-route from route-with-no-backend when resolving a session's backend target. route_hostgroup() returns 0 in both cases and can't be used for disambiguation.	1 month ago
Rene Cannao	4b353ba0b1	test(mysqlx): add MysqlxConfigStore::install_for_test helper Adds a test-only seam on MysqlxConfigStore so unit tests can populate the store's private routes_ and hostgroup_endpoints_ maps directly, without building a runtime SQLite3DB fixture. This unblocks the upcoming route-identity unit tests that need to exercise route lookups in isolation. Also wires plugins/mysqlx/src/mysqlx_config_store.cpp into the mysqlx_robustness_unit-t link line. The file is already listed in the plugin's own Makefile but was missing from the unit-test target, so since MysqlxConfigStore::resolve_identity became a runtime dependency of Mysqlx_Thread the link had been broken.	1 month ago
Rene Cannao	923cbfeadc	fix(mysqlx): resolve critical authentication, TLS, and data integrity bugs - Wire credential_lookup to sessions via config store so frontend auth verification actually runs (was silently bypassed for all users) - Use backend_password (cleartext) instead of password_hash (double-SHA1) for backend MYSQL41 scramble computation - Replace cumulative BIO counter comparison with BIO_ctrl_pending() to fix permanent POLLOUT busy-loop with TLS connections - Add poll(POLLOUT) before getsockopt(SO_ERROR) in check_connect() to correctly detect non-blocking connect completion on Linux - Wrap DELETE+INSERT with BEGIN/COMMIT in sync_disk_to_memory and copy_to_runtime to prevent data loss on crash	1 month ago
Rene Cannao	04f09d6535	fix(mysqlx): address SonarCloud quality gate failures - Replace void* thread_ptr_ with typed Mysqlx_Thread* for type safety - Use RAII (unique_ptr) for SQLite3 result and error cleanup in plugin - Extract handle_auth_mysql41/handle_auth_plain from handler_auth_start to reduce cognitive complexity (37 -> ~10 per method) - Extract step_auth sub-states into individual methods to reduce cognitive complexity in mysqlx_connection.cpp (55 -> ~8 per method) - Add forward_frame_to_client helper to eliminate repeated frame forwarding code - Replace hardcoded password strings in credential verify test with named test constants - Add NOSONAR annotations for const_cast (required by SQLite3DB API) and SSL_VERIFY_NONE (test-only self-signed certs) - Fix Makefile whitespace issue with mysqlx unit test entries	1 month ago
Rene Cannao	04c0303ee9	fix(mysqlx): address critical code review feedback from PR #5593 - PluginManager: don't mark plugin stopped when stop() fails - PluginManager: add mutex to proxysql_get_plugin_manager() access - PluginManager: reject duplicate plugin paths in load() - mysqlx_thread: add listener_mutex_ for listener_fds_ synchronization - mysqlx_config_store: return tls_mode by value, not by reference - Makefile: propagate PROXYSQLGENAI/31/FFTO/TSDB flags to mysqlx builds	1 month ago
Rene Cannao	30dc111b1d	feat(mysqlx): add TLS passthrough mode for raw TLS forwarding Adds MysqlxTlsMode enum and passthrough mode support: - TLS_OFF: No TLS (default, existing behavior) - TLS_TERMINATE: ProxySQL terminates TLS, decrypts, re-encrypts to backend (existing behavior when TLS is negotiated) - TLS_PASSTHROUGH: Raw encrypted bytes forwarded between client and backend without TLS termination Passthrough behavior: - handler_tls_accept_init(): skips SSL init and handshake entirely, returns to CONNECTING_CLIENT state immediately - handler_connecting_server(): skips backend TLS setup when in passthrough mode (backend_tls_required_ is not set) - X Protocol frames are still parsed at the framing layer since the proxy needs to route and multiplex connections Use cases for passthrough mode: - TLS terminated at an external load balancer - ProxySQL should not have access to TLS certificates - Compliance requirements that forbid TLS inspection set_tls_mode() / get_tls_mode() accessors on MysqlxSession allow runtime configuration of the TLS mode per session.	2 months ago
Rene Cannao	afffad0356	feat(mysqlx): implement backend TLS via CapabilitiesSet negotiation Adds TLS support for backend X Protocol connections. When the client session is encrypted, the backend connection also negotiates TLS with the MySQL X Protocol server. Backend auth state machine changes: - New BACKEND_AUTH_TLS_HANDSHAKE state between CapSet and AuthStart - CapabilitiesSet now includes tls=true when backend_tls_required_ and an SSL_CTX is available - After CapSet Ok, if TLS required: init_ssl_connect() → handshake → send_authenticate_start() → continue normal auth - send_authenticate_start() extracted as a helper method to avoid goto-based flow control MysqlxConnection new members: - backend_tls_required_ flag (set by session when client is on TLS) - backend_ssl_ctx_ pointer (shared global SSL_CTX) - set_backend_tls_required() / is_backend_tls_required() accessors - set_ssl_ctx() to provide the SSL context TLS handshake in step_auth(): - BACKEND_AUTH_TLS_HANDSHAKE state calls backend_ds_.read_from_net() to feed encrypted bytes into the BIO pair - do_ssl_handshake() performs SSL_connect via memory BIOs - flush_ssl_write_buf() sends pending encrypted output - On failure: ssl_handshake_failed() check, returns BACKEND_AUTH_ERROR Session wiring in handler_connecting_server(): - When client_ds_.is_encrypted(), sets backend_tls_required_=true and provides SSL_CTX from Mysqlx_Thread - Backend auth failure detection distinguishes TLS failures (error 3152) from authentication failures (error 1045)	2 months ago
Rene Cannao	da75e13841	feat(mysqlx): per-message response state machines for terminal frame detection Replace the single is_terminal_server_frame() catch-all with per-message-type response tracking. Each client message type now has its own terminal frame set, matching MySQL Router's approach. New MysqlxResponseState enum: - RESP_IDLE: no pending response - RESP_WAITING_STMT_EXECUTE: SQL_STMT_EXECUTE_OK, ERROR, FETCH_DONE - RESP_WAITING_CRUD: OK, ERROR, FETCH_DONE, FETCH_SUSPENDED - RESP_WAITING_PREPARE: OK, ERROR - RESP_WAITING_CURSOR: FETCH_DONE, FETCH_SUSPENDED, ERROR - RESP_WAITING_EXPECT: OK, ERROR - RESP_WAITING_SESS_RESET: OK, ERROR Changes: - dispatch_client_message() sets response_state_ before forward_to_backend() based on message type - handler_waiting_server_msg() uses is_terminal_for_state() instead of is_terminal_server_frame() for terminal detection - is_terminal_for_state() checks the response state to determine which frames are terminal - response_state_ resets to RESP_IDLE when terminal frame received - Generic fallback preserved via is_terminal_server_frame_generic() for unknown response states This is more robust than the single catch-all list and correctly handles cases where OK is terminal for Prepare but not for StmtExecute (which needs SQL_STMT_EXECUTE_OK).	2 months ago
Rene Cannao	d50e48a971	feat(mysqlx): add descriptive TLS error messages with failure detection Adds SSL handshake failure detection and descriptive error messages for both client-side and backend TLS failures. Changes to MysqlxDataStream: - Added ssl_failed_ flag to distinguish WANT_IO (in progress) from actual SSL failure - ssl_handshake_failed() accessor for session to check failure state - ssl_failed_ is set to true in do_ssl_handshake() when get_ssl_status() returns MYSQLX_SSL_FAIL - ssl_failed_ is initialized to false in constructor, init_ssl(), and init_ssl_connect() Changes to MysqlxSession handler_tls_accept_init(): - After do_ssl_handshake() returns false, checks ssl_handshake_failed() - On failure: sends error 3151 ("TLS handshake failed") to client with OpenSSL error details retrieved via ERR_get_error()/ ERR_error_string_n(), then closes session - On WANT_IO: continues waiting (existing behavior) - Error 3150: TLS not configured on server (unchanged) - Error 3151: TLS handshake failed (new) - Error 3152: Reserved for backend TLS failures (Task 3)	2 months ago
Rene Cannao	dc35119813	feat(mysqlx): implement Session Reset passthrough with response tracking SESS_RESET is now properly forwarded to the backend with dedicated response tracking via the new X_SESSION_RESET_WAITING state: 1. Client sends SESS_RESET -> forward_to_backend() sends to server 2. Session transitions to X_SESSION_RESET_WAITING 3. handler_session_reset_waiting() reads backend response: - On NOTICE: forward to client immediately, keep waiting - On OK: clear prepared statement tracking, clear transaction flag, return backend to pool, resume WAITING_CLIENT_XMSG - On ERROR: forward error to client, return backend to pool, resume WAITING_CLIENT_XMSG - On backend disconnect: return to WAITING_CLIENT_XMSG This properly resets session state on both sides, clearing prepared statement and transaction flags so the backend connection can be safely reused from the pool. Previously, SESS_RESET was forwarded but the response was not tracked, potentially leaving the session in an inconsistent state.	2 months ago
Rene Cannao	437072cf28	feat(mysqlx): add backend connect timeout with configurable threshold Adds a configurable connect timeout (default 10 seconds) for backend X Protocol connections. If the TCP connection does not complete within the timeout, the connection attempt fails with error 2003. Changes to MysqlxConnection: - Added connect_timeout_ms_ (default 10000ms) and connect_start_time_ private members - start_connect() records connect_start_time_ using steady_clock - check_connect() measures elapsed time since start_connect() and returns -1 if timeout exceeded, setting state to ERROR_STATE - Added set_connect_timeout()/get_connect_timeout() accessors Changes to MysqlxSession: - handler_connecting_server() sets connect timeout to 10s before calling start_connect() on new backend connections The timeout is checked on every check_connect() invocation from the event loop, ensuring non-blocking timeout detection without additional timers.	2 months ago
Rene Cannao	e86cfe237f	feat(mysqlx): implement client-side TLS negotiation via CapabilitiesSet Wires TLS into the session state machine following ProxySQL MySQL protocol pattern. When a client sends CapabilitiesSet with tls=true capability, the session initiates SSL_accept on the client data stream. Changes to Mysqlx_Thread: - Added get_ssl_ctx() that returns GloVars.get_SSL_ctx() - Updated rebuild_poll_set() to check has_ssl_pending_write() for POLLOUT on both client and backend data streams Changes to MysqlxSession::handler_capabilities_set(): - Parses CapabilitiesSet protobuf to detect tls capability - If TLS requested and SSL_CTX available: sends Ok, transitions to X_TLS_ACCEPT_INIT state - If SSL_CTX not configured: sends error 3150 and closes session - Without TLS: existing behavior unchanged Changes to MysqlxSession::handler_tls_accept_init(): - Replaced stub with real implementation - Gets SSL_CTX from Mysqlx_Thread - Calls client_ds_.init_ssl(ctx) to create per-session SSL object - Calls do_ssl_handshake() on each handler invocation - When handshake completes, transitions to CONNECTING_CLIENT Changes to MysqlxSession::send_capabilities(): - Advertises tls capability (V_BOOL true) when SSL_CTX is configured - Existing auth capability advertisement unchanged All 10 test suites pass with no regressions.	2 months ago
Rene Cannao	0b555d3899	feat(mysqlx): add TLS infrastructure to MysqlxDataStream Adds SSL support following ProxySQL BIO-based pattern used in MySQL_Data_Stream and PgSQL_Data_Stream. New members in MysqlxDataStream: - ssl_: per-session SSL object from shared SSL_CTX - rbio_ssl_/wbio_ssl_: memory BIO pair for encrypted I/O - ssl_write_buf_/ssl_write_offset_: pending encrypted output - ssl_handshake_done_: handshake completion tracking New public methods: - init_ssl(SSL_CTX): creates SSL object with SSL_set_accept_state - init_ssl_connect(SSL_CTX): creates SSL object with SSL_set_connect_state - do_ssl_handshake(): performs TLS handshake, drains app data on completion - flush_ssl_write_buf(): sends pending encrypted bytes to network - has_ssl_pending_write(): checks BIO pending counts for poll integration - get_ssl()/get_rbio_ssl(): accessors for testing Modified read_from_net(): - SSL handshake phase: recv→BIO_write→do_ssl_handshake - Encrypted phase: recv→BIO_write→SSL_read loop→feed_bytes - Non-TLS path unchanged when ssl_ is null Modified write_to_net(): - SSL handshake phase: flush pending handshake data only - Encrypted phase: SSL_write→BIO_read→flush_ssl_write_buf - write_raw() also uses SSL_write when encrypted - Non-TLS path unchanged when ssl_ is null do_ssl_handshake() drains application data from the SSL object immediately after handshake completes, handling the case where the client sends data in the same TLS record as the Finished message. mysqlx_ssl_status enum maps OpenSSL errors: - MYSQLX_SSL_OK (SSL_ERROR_NONE) - MYSQLX_SSL_WANT_IO (SSL_ERROR_WANT_READ/WRITE) - MYSQLX_SSL_FAIL (all other errors) Tests: 18 assertions covering: - init_ssl with null ctx (no crash, no-op) - Non-TLS read/write unchanged - Full SSL handshake between client and server - Encrypted X Protocol frame read/write - has_ssl_pending_write before SSL init - init_ssl_connect for backend TLS	2 months ago
Rene Cannao	79783a63d7	fix(mysqlx): apply 12 critical/high fixes from four-way review + robustness test suite Addresses all 6 critical and 6 high issues identified by the four-way architecture/protocol/testing/security review. Critical fixes: - C1: Credential verification — MYSQL41 uses mysqlx_mysql41_verify_hash() against stored SHA1(SHA1(password)), PLAIN uses mysqlx_mysql41_hash() + CRYPTO_memcmp for constant-time comparison - C2: Backend X Protocol handshake — 6-state state machine in MysqlxConnection::step_auth() (CapGet→CapSet→AuthStart→AuthContinue→AuthDone) - C3: Backend FD added to poll set in rebuild_poll_set() — checks sds->get_fd() >= 0 && sds->get_status() == XDS_READY - C4: Double frame-pop fixed — removed redundant pop_frame() calls in dispatch_client_message() for handlers that already pop - C5: Backend kept until terminal frame — is_terminal_server_frame() checks 7 terminal types (OK, ERROR, SQL_STMT_EXECUTE_OK, FETCH_DONE, FETCH_SUSPENDED, DONE_MORE_RESULTSETS, DONE_MORE_OUT_PARAMS) - C6: Error severity defaults to ERROR (not FATAL) — added fatal parameter to send_error() High fixes: - H1: Parse errors detected — checks client_ds_.has_parse_error() after read_from_net() - H2: EINTR retry — do { r = recv/send(...) } while (r < 0 && errno == EINTR) - H3: Connection limit — max_sessions_ per thread (default 10000), accept loop breaks when exceeded - H4: Timeouts — 10s handshake timeout, 8h idle timeout in process_all_sessions() - H5: PLAIN auth rejected without TLS — checks client_ds_.is_encrypted() - H6: write_to_net errors propagated — checks return < 0 with errno != EAGAIN New test suites: - mysqlx_backend_auth_unit-t: 34 assertions covering full backend handshake state machine and error paths - mysqlx_credential_verify_unit-t: 24 assertions covering verify_hash, hex encode/decode, hash consistency - mysqlx_robustness_unit-t: 33 assertions covering terminal/non-terminal frame detection, multi-frame pipeline, backend disconnect, client disconnect, parse errors, auth edge cases, frame forwarding Robustness test fixes: - Replaced blocking read_x_frame with poll()-based version (200ms timeout) to prevent test hangs when no more data is available - Fixed double-close bug in test cleanup — session destructor and manual close() both closed same fds, causing next test socketpairs to be prematurely closed. Added detach_session_fds() helper to invalidate session fds before manual cleanup - Fixed drain loop ordering — close write end before draining read end to prevent blocking - Re-enabled test_backend_disconnect_during_query (previously crashed due to double-close fd corruption, not protobuf FATAL) - Fixed test_mysql41_no_credential_lookup_accepts_any to use valid 20-byte scramble format (40 hex chars) - Fixed test_forward_empty_frame to use SQL_STMT_EXECUTE message type instead of unrecognized 0x11 All 9 test suites pass (218+ assertions across backend_auth, credential_verify, data_stream, message_dispatch, session, thread, connection, concurrent, robustness).	2 months ago
Rene Cannao	70e908b9b6	feat(mysqlx): wire event-driven v2 into plugin lifecycle The mysqlx plugin now creates a configurable thread pool (mysqlx_thread_pool_size, default 4, max 64). Each thread runs its own poll() event loop, accepts connections from listeners, manages sessions cooperatively, and maintains a per-thread connection cache. New admin variables in mysqlx_variables: - mysqlx_thread_pool_size (default 4) - mysqlx_connect_timeout (default 10000ms) - mysqlx_tls_mode (default DISABLED) - mysqlx_max_cached_connections_per_thread (default 100) Plugin version bumped to 2.0.0 to reflect the architectural rewrite.	2 months ago
Rene Cannao	eb958585a6	feat(mysqlx): add protocol-aware dispatch, TLS stubs, connection pool, and async connect Implements four tightly-coupled v2 components: Task 5 - Protocol-aware frame forwarding: - dispatch_client_message() handles all 23 X Protocol client message types - CRUD operations (Find/Insert/Update/Delete) forwarded to backend - SQL statement execution forwarded to backend - Prepared statements, cursors, views, expect blocks forwarded - Compression rejected with ER_X_CAPABILITY_COMPRESSION_INVALID_ALGORITHM - Unknown messages get ER_X_BAD_MESSAGE error - forward_to_backend() and handler_waiting_server_msg() for bidirectional frame forwarding between client and server data streams Task 6 - TLS stubs: - MysqlxDataStream gains encrypted_ flag for future TLS support - MysqlxSession gains TLS state machine states (accept/connect init/cont/done) - Stub handlers skip TLS states for now (Phase 3 will add OpenSSL) Task 7 - Connection pool integration: - MysqlxSession has back-pointer to Mysqlx_Thread for pool access - handler_connecting_server() checks thread-local cache first - Connections returned to cache after query completion - Pool matching by hostgroup, user, schema Task 8 - Async backend connect: - MysqlxConnection::start_connect() uses SOCK_NONBLOCK + EINPROGRESS - check_connect() polls SO_ERROR for completion - MysqlxSession::handler_connecting_server() manages async state - Graceful error handling with proper X Protocol error frames	2 months ago
Rene Cannao	ff0070f782	feat(mysqlx): add Mysqlx_Thread event loop with poll()	2 months ago
Rene Cannao	7f8719c8d1	feat(mysqlx): add X Protocol session state machine MysqlxSession implements the X Protocol handshake and authentication as a cooperative state machine compatible with ProxySQL's poll()-based event loop. States: CONNECTING_CLIENT → X_CAPABILITIES_GET → X_CAPABILITIES_SET → X_AUTH_START → X_AUTH_CHALLENGE_SENT → X_AUTH_OK_SENT → WAITING_CLIENT_XMSG → X_SESSION_CLOSING Uses MysqlxDataStream for non-blocking frame I/O. Handler returns immediately when no data is available, allowing poll() to multiplex thousands of sessions per thread.	2 months ago
Rene Cannao	c67705ba8b	feat(mysqlx): add pooled backend connection object MysqlxConnection tracks the state of a backend X Protocol connection for connection pooling. Tracks hostgroup, user, schema, address, and multiplexing eligibility (transactions, prepared statements disable reuse). Will be used by Mysqlx_Thread's per-thread connection cache and the global connection pool.	2 months ago
Rene Cannao	6034a3fba6	fix(mysqlx): replace raw pointer MysqlxFrame with std::vector<uint8_t> Code quality fixes from review: - Replace std::pair<uint8_t*,size_t> with std::vector<uint8_t> for MysqlxFrame, eliminating use-after-free risk and Rule of Five violations - Add read buffer compaction when consumed prefix exceeds 4KB - Return -1 from write_to_net() for invalid fd (was returning 0) - Add parse_error_ flag instead of silently closing on malformed input - Add bounds check in enqueue_frame for oversized payloads	2 months ago
Rene Cannao	401a527186	feat(mysqlx): add non-blocking X Protocol frame I/O data stream Implements MysqlxDataStream with: - Non-blocking frame parsing from raw TCP byte streams - Partial frame buffering (header-first, then body accumulation) - Frame enqueue for writes with proper X Protocol wire format - read_from_net() / write_to_net() using recv()/send() on non-blocking FDs - O_NONBLOCK set automatically on init Foundation for the event-driven v2 rewrite. All future session and thread classes will use MysqlxDataStream for I/O instead of the blocking read()/write() calls from Phase 1. Tests: frame header parsing, partial frames, multiple concatenated frames, write buffer format verification.	2 months ago
Rene Cannao	cd94ac2b12	fix: populate destination_hostgroup in route stats and add conn_used counter I5: Pass destination_hostgroup through record_conn_ok and record_conn_err so that MysqlxRouteStats.destination_hostgroup is populated from the actual route configuration instead of remaining 0. I6: Add record_conn_used() method to MysqlxStatsStore that increments the conn_used atomic counter for a route. This counter tracks active session usage of a route and is flushed to stats_mysqlx_routes.	2 months ago
Rene Cannao	1900db9e57	fix: correct MYSQL41 auth wire format for real MySQL 8.x The MySQL X Protocol MYSQL41 AuthenticateContinue auth_data must be formatted as schema\0username\0UPPERCASE_HEX(scramble), not raw binary. Backend: AuthenticateContinue now sends \0user\0HEX(scramble) instead of raw 20-byte binary. This matches what MySQL 8.x X Plugin expects. Frontend: handle_authenticate now parses \0user\0*HEX(scramble) from the client's AuthenticateContinue, hex-decodes the scramble, then verifies. This matches what mysqlsh and other conforming clients send. Backend: Add Notice-skipping loops before reading CONN_CAPABILITIES and SESS_AUTHENTICATE_CONTINUE from MySQL 8.x, which may send Notice frames at any point during the handshake sequence. Add mysqlx_hex_encode/mysqlx_hex_decode helpers.	2 months ago
Rene Cannao	9a3b399eb0	fix: address critical code review findings 1. SQL injection in stats flush: escape route names with sqlite_escape() 2. Timing attack in PLAIN auth: use CRYPTO_memcmp for constant-time password comparison 3. OOM via oversized frame: add MYSQLX_MAX_PAYLOAD_SIZE (16MB) check in mysqlx_read_frame before allocating payload buffer 4. Thread safety: add shared_mutex to MysqlxConfigStore, shared_lock for readers (resolve_identity, pick_endpoint), unique_lock for writer (load_from_runtime), separate rr_mutex_ for round-robin counter mutation	2 months ago
Rene Cannao	c2e90d3696	feat: add mysqlx stats tables and topology invalidation seam Add MysqlxStatsStore with atomic route counters (conn_ok, conn_err, bytes_sent, bytes_recv) and flush_to_sqlite() for stats_mysqlx_routes. Register stats_mysqlx_routes and stats_mysqlx_processlist tables in the plugin admin schema. Wire stats recording into the worker: record_conn_ok on successful backend connect, record_conn_err on failure. Add topology generation capture at session bind time as the Phase 2 seam for GR notification-driven route invalidation.	2 months ago
Rene Cannao	e087fdda4c	feat: add backend X sessions and hostgroup-based routing Add MysqlxBackendSession with TCP connect, X Protocol MYSQL41 auth to backend, and bidirectional byte-level relay via select(). Implement round_robin and round_robin_with_fallback endpoint selection strategies in MysqlxConfigStore::pick_endpoint(). Workers now connect to the backend after frontend auth and relay traffic until close. Phase 1 is one frontend = one backend, no pooling.	2 months ago
Rene Cannao	05ca510f2d	feat: implement frontend X Protocol handshake and auth Add mysqlx_protocol.h/cpp with frame encode/decode, MYSQL41 scramble auth using EVP SHA1, and protobuf message helpers for X Protocol Error/Ok/Capabilities/Auth frames. Add mysqlx_frontend_session.h/cpp implementing the full handshake state machine: CapabilitiesGet→Capabilities, CapabilitiesSet→Ok, AuthenticateStart→challenge→AuthenticateContinue→AuthenticateOk. Supports MYSQL41 and PLAIN auth methods. Enforces x_enabled flag, rejects pass_through backend auth mode. Workers now run the frontend session instead of immediately closing connections.	2 months ago
Rene Cannao	5b5bbfbcaf	feat: add mysqlx listener sockets and worker threads Plugin start now opens TCP listeners for each active route in runtime_mysqlx_routes. An accept thread dispatches incoming connections to worker threads round-robin. Phase 1 workers accept-then-close; Tasks 7-8 will add X Protocol handshake and backend relay.	2 months ago
Rene Cannao	0b11bce37e	feat: add mysqlx runtime config store and load commands	2 months ago
Rene Cannao	8e7a99d36a	fix: align mysqlx plugin schema and smoke test	2 months ago

1 2

51 Commits (31d7ae9ecbfcce4062dde20dfd67ff60dd0db29c)