proxysql

Commit Graph

Author	SHA1	Message	Date
Rene Cannao	a2e99eed50	perf(mysqlx): only invoke handler() for sessions with real work process_all_sessions previously forced sess->to_process=true on every tick and unconditionally called sess->handler(), burning CPU at large idle session counts (one full state-machine traversal per session per loop iteration, regardless of whether anything had changed). Now only call handler() when at least one of these is true: - a poll event landed on the client or server data stream - the session self-flagged to_process (handler wants to re-run) - a complete frame is already buffered on either stream Also make Mysqlx_Thread::sessions_mutex_ mutable and take it in get_session_count() const. Previously const accessors that needed to lock the mutex couldn't — and the session count was read without the lock at all, racing the writer that appends/removes sessions.	2 months ago
Rene Cannao	bbe8122511	fix(mysqlx): reject auth without credential_lookup and release pooled fd Session auth previously accepted any client when credential_lookup_ was unset — an open-proxy fallback that turned a wiring bug into a silent security hole. Both PLAIN (handle_auth_plain) and MYSQL41 (handler_auth_challenge_response) now hard-reject with 1045 when no lookup is installed. A credential_lookup is always wired from mysqlx_thread.cpp via the config store, so there is no legitimate code path that reaches auth without one. Also tightened the credential check: password_hash must be exactly 20 bytes (MYSQL41 hash length) rather than simply non-empty, which could previously let a short or garbage hash pass CRYPTO_memcmp's min()-clamped comparison. In return_backend_to_pool(), replace the fresh-construct move-assign over server_ds_ with server_ds_.close_and_reset(). The old code constructed a new MysqlxDataStream (fd=-1, no SSL) and moved it in, whose destructor then close()d the fd that had just been returned to the pooled MysqlxConnection — silently corrupting the pool entry. close_and_reset() releases SSL/buffers without touching the fd. Unit test mysqlx_robustness_unit-t.cpp: setup_authenticated_session now installs a real credential_lookup with a known password, drives the server's AuthenticateContinue frame to extract the challenge, and computes the MYSQL41 scramble reply. This matches the new reality that auth requires a valid lookup. The previously-misnamed test_mysql41_no_credential_lookup_ accepts_any is renamed _rejects and asserts that without a lookup the session goes unhealthy and does not reach WAITING_CLIENT_XMSG.	2 months ago
Rene Cannao	6a921514cc	fix(mysqlx): protocol, data-stream and stats robustness fixes mysqlx_connection.cpp: Drain leading NOTICE frames in read_auth_frame() instead of returning nullopt on the first NOTICE. MySQL backends commonly emit a session-state-change notice before AuthenticateContinue or Ok, and returning nullopt caused the auth state machine to spin on try-read for the full 10s handshake timeout before completing. The two callers (step_auth_capabilities_get_sent and step_auth_capabilities_set_sent) now use the shared helper and drop their duplicated NOTICE checks. Also added a frame-size guard before reading the message-type byte. mysqlx_data_stream.{h,cpp}: Add close_and_reset() which tears down SSL/BIO state and clears every read/write buffer and parse flag without close()ing the fd. Required by mysqlx_session.cpp's return_backend_to_pool(), where the fd is owned by the pooled MysqlxConnection and must stay open after the data stream is wiped. Fix SSL_read return handling: a 0-return is a clean TLS shutdown (close_notify) and must surface as a connection close, not as a WANT_IO/retry. The previous code treated 0 and <0 identically and would loop forever on a cleanly-closed TLS peer. mysqlx_protocol.cpp: mysqlx_build_frame now rejects serialized payloads at the uint32 boundary so the +1 for the message-type byte cannot wrap to 0. This mirrors the X_MAX_PAYLOAD_SIZE clamp already applied by the inbound parser in MysqlxDataStream. mysqlx_stats.cpp: Rewrite the stats_mysqlx_routes INSERT builder to use std::string concatenation instead of a fixed 1024-byte snprintf buffer. Long route names plus escaping could overflow the buffer and the row was silently dropped without reaching the statsdb.	2 months ago
Rene Cannao	84e90e5e3c	build(mysqlx): pin protobuf ABI and harden plugin .so flags Detect the installed libprotobuf via pkg-config at configure time and fail fast unless it is 3.x. The vendored .pb.cc/.pb.h were generated with protoc 3.21.12, and the plugin links dynamically against the system libprotobuf — which is ABI-compatible only within the 3.x major version (4.x released with an incompatible ABI and a changed SONAME). Without this check, a .so that linked cleanly would crash the first time a virtual dispatched into the proto runtime. Add -fvisibility=hidden and -fvisibility-inlines-hidden so only the explicitly extern "C"-declared proxysql_plugin_descriptor_v1 entry point is exported. Prevents ODR collisions with the proxysql core when the .so is dlopen'd, and stops template instantiations from leaking across the boundary. Add -fstack-protector-strong unconditionally, and -D_FORTIFY_SOURCE=2 when not building under ASAN and when OPTZ is not -O0 (both conditions are incompatible with FORTIFY_SOURCE). Install the built ProxySQL_MySQLX_Plugin.so to /usr/lib/proxysql/plugins/ from the top-level Makefile install target, with matching cleanup in uninstall. Previously the plugin was built but never staged into a system location, so `make install` produced a proxysql binary that couldn't find it.	2 months ago
Rene Cannao	d0f6d8e4a8	Merge remote-tracking branch 'origin/fix/mysqlx-listener-lifecycle' into HEAD # Conflicts: # plugins/mysqlx/Makefile # plugins/mysqlx/src/mysqlx_plugin.cpp # test/tap/tests/unit/Makefile # test/tap/tests/unit/mysqlx_robustness_unit-t.cpp	2 months ago
Rene Cannao	fb1a0cd706	Merge remote-tracking branch 'origin/fix/mysqlx-backend-tls-post-auth' into HEAD # Conflicts: # test/tap/tests/unit/mysqlx_robustness_unit-t.cpp	2 months ago
René Cannaò	5ed92a7594	Merge pull request #5646 from sysown/fix/mysqlx-check-connect-poll fix(mysqlx): harden check_connect() poll and getsockopt handling	2 months ago
René Cannaò	9bbc0d71a4	Merge pull request #5643 from sysown/fix/mysqlx-stale-row-sync fix(mysqlx): sync empty source tables to overwrite stale rows	2 months ago
Rene Cannao	76aafdac67	fix(mysqlx): harden check_connect() poll and getsockopt handling Addresses the coderabbitai outside-diff finding originally surfaced on PR #5641: the previous check_connect() conflated poll() errors with timeouts, never retried on EINTR, did not check getsockopt()'s return, and accepted POLLNVAL / POLLERR / POLLHUP as though they were normal "not ready" states. The practical failure mode was slow and misleading: a fatal poll error or a bad descriptor was masked as "not ready yet" until the outer connect_timeout_ms_ (default 10s) elapsed, at which point the session reported a generic "connect failed" reason rather than the actual cause. A concurrent signal (EINTR) would extend that masked window further. Meanwhile, a failing getsockopt() with an uninspected return would leave `err` at its initializer value of 0 and optimistically transition the state machine to AUTHENTICATING, so the very next read or write on the invalid fd would fail in a less diagnostic path. What changed: - poll() is now retried on EINTR. - poll() returning -1 sets ERROR_STATE and returns -1 immediately. - POLLNVAL / POLLERR / POLLHUP in revents are treated as hard errors even if POLLOUT is also set, since the underlying socket is already in a terminal async condition. - getsockopt() return is checked; a nonzero return is now a hard error rather than a silent state advance. Testing: three new assertions in mysqlx_robustness_unit-t.cpp exercise the bad-fd error path, the happy-path connect, and the not-ready timeout path. Plan count 33 → 42. Out of scope: other poll() sites in the mysqlx plugin (the unit test helpers at the top of mysqlx_robustness_unit-t.cpp have their own poll() loops but they aren't on the backend-connect critical path); the connect_timeout_ms_ check itself, which is unchanged. Pre-existing ripple: same Makefile link-gap fix as earlier PRs — adds mysqlx_config_store.cpp to the mysqlx_robustness_unit-t link line so MysqlxConfigStore::resolve_identity() resolves when the binary links.	2 months ago
Rene Cannao	7e2f7828ae	fix(mysqlx): make sync transactions atomic on execute() failure sync_disk_to_memory() and copy_to_runtime() in mysqlx_plugin.cpp now check every admindb.execute() return value. On BEGIN / DELETE / INSERT / COMMIT failure the code issues a best-effort ROLLBACK, logs via services->log_message, and skips the current table. Both functions return false if any table's transaction failed, true if every replace succeeded. coderabbitai flagged this on #5642, #5643, and #5644 (outside-diff because the file appears in each PR's surrounding context). Without the return checks, a failed INSERT landing between a successful DELETE and the unconditional COMMIT silently wiped routes / users / endpoints / backend_endpoints — the transaction wrap advertised atomicity it did not deliver. The fix restores that guarantee. The shared BEGIN/DELETE/INSERT/COMMIT body is now a local helper replace_table_atomically() that takes a ProxySQL_PluginServices* so it can log via the existing plugin log_message callback; the two callers reduce to four-line loops over their table lists. mysqlx_start passes ctx.services through; its return values remain advisory (log-and-continue on a false return), intentionally — plugins shouldn't block proxysql startup on one table's sync failure. Upgrading to fail-fast is a future decision. Testing: added test_insert_failure_rolls_back in test/tap/tests/unit/mysqlx_robustness_unit-t.cpp. It seeds a dst table with a CHECK (id %% 2 = 0) constraint plus pre-existing rows, points src at odd ids, runs the atomic replace, and asserts (a) the function returns false, (b) dst still holds its original rows, (c) the row sum matches the pre-transaction state. plan(35) -> plan(39). All 39 assertions pass. Out of scope: the Makefile link-line fix from `82fe27f4b` still applies; no further ripple.	2 months ago
Rene Cannao	c78d7b859c	fix(mysqlx): reconcile bind-address changes, document single-admin-thread assumption The listener reconciler built its desired snapshot keyed only by route name, so editing a route's `bind` column (e.g. from `:33061` to `:33062`) and running LOAD MYSQLX ROUTES TO RUNTIME left the old listener running and never opened the new port — the removal pass saw the name still in the desired set and skipped the route entirely. The removal pass now also compares the currently-bound `host:port` on the owning thread against the desired bind and treats any mismatch as a removal; the subsequent addition pass rebinds under the new spec. To support that comparison, `Mysqlx_Thread` now stores bind ports in a parallel `listener_ports_` vector alongside the existing `listener_addrs_` and exposes `get_listener_addr_for_route()` returning the canonical `"host:port"` form. Also added a comment documenting the pre-existing single-admin-thread invariant that justifies snapshotting the DB outside of `route_to_thread_mutex` (noted in code review, not a behavioral change). Testing: new unit-test assertions exercise a full bind-change reconcile end-to-end — pick two free ports, reconcile at port1, update the runtime row to port2, reconcile again, and assert the listener is now bound at port2 with total listener count still 1. 42 assertions pass (was 38). Out of scope: changing the concurrency model. The single-admin-thread assumption is pre-existing throughout ProxySQL admin execution.	2 months ago
Rene Cannao	dd131b0aa2	fix(mysqlx): reconcile listeners at startup and on LOAD ROUTES TO RUNTIME Startup previously capped listener creation at `pool_size` routes via `ti < ctx.threads.size()` in mysqlx_plugin.cpp's startup loop, so any routes beyond the thread-pool size had no listener. Runtime route changes via `LOAD MYSQLX ROUTES TO RUNTIME` never touched the listener topology at all — adding, removing, or toggling a route's `active` flag had no effect until a full restart. Flagged in the ProtocolX code review as item #4. This commit: - Drops the `ti < pool_size` cap in the startup loop. - Distributes routes across threads round-robin (the original intent) using a shared plugin-scope `route_to_thread` map guarded by a mutex, with a `next_rr_index` cursor. - Adds route-name tracking to Mysqlx_Thread: a new parallel `listener_route_names_` vector alongside `listener_fds_` / `listener_addrs_`, plus a new `remove_listener_for_route(name)` method that closes the fd and prunes all three vectors. Returns true/false so callers can use it idempotently. - Adds a `mysqlx_reconcile_listeners(admindb)` desired-state reconciler. Reads active routes from `runtime_mysqlx_routes`, binds missing listeners round-robin, and removes listeners for routes that are gone or deactivated. Startup and `LOAD MYSQLX ROUTES TO RUNTIME` both go through this single path, so both agree. The reconciler is idempotent: re-running with the same desired set is a no-op. - The reconciliation core lives in a new file `plugins/mysqlx/src/mysqlx_listener_reconcile.cpp` as a pure helper `mysqlx_reconcile_listeners_impl(...)` taking state by parameter, so unit tests can drive it against a minimal fake context. The convenience wrapper that reads `mysqlx_context()` lives in plugin.cpp and is declared weak so tests of admin_schema.cpp that don't link plugin.cpp still link cleanly (admin_schema null-checks the weak pointer). Tests: mysqlx_robustness_unit-t grows from 33 to 38 assertions — four thread-API tests (add_listener with route name on two threads, remove_listener_for_route removes and is idempotent) plus one integration test that builds an in-memory admin DB with one route and asserts `mysqlx_reconcile_listeners_impl` binds exactly one listener and records the mapping. Also fixes the pre-existing unit-test Makefile link gap: four tests that include `mysqlx_thread.cpp` (which references `MysqlxConfigStore::resolve_identity`) now correctly link `mysqlx_config_store.cpp`, and the robustness test link line picks up `mysqlx_config_store.cpp` + `mysqlx_listener_reconcile.cpp` for the new coverage. Out of scope: switching the distribution strategy to SO_REUSEPORT / all-threads-on-all-routes (future design iteration); treating an in-place `active` flag toggle as anything other than remove + add.	2 months ago
Rene Cannao	3e8c3da9de	fix(mysqlx): preserve backend TLS state past auth handshake What: Stop rewrapping the raw backend fd in a fresh session-owned MysqlxDataStream after backend auth completes. Route every data-plane read/write (forward_to_backend, handler_waiting_server_msg, handler_session_reset_waiting, and the cached-conn attach path) through MysqlxConnection::backend_ds() instead. Why: The optional backend TLS handshake runs against the connection's backend_ds_ (see mysqlx_connection.cpp init_ssl_connect) and the resulting SSL* lives there. The prior session code discarded that SSL* by init()-ing a new plain MysqlxDataStream around the same raw fd, then used it for cleartext I/O on a socket where the server expects TLS frames. Flagged in the ProtocolX code review (item #2). Testing: mysqlx_robustness_unit-t picks up five new assertions that pin the invariant: MysqlxSession::server_ds() aliases backend_conn_->backend_ds() whenever a backend is attached, and falls back to a fd == -1 placeholder otherwise. Baseline 33, post-fix 38, all pass. Out of scope: - Connection cache semantics: cached connections keep their SSL state; MysqlxConnection::reset() already leaves backend_ds_ untouched so the invariant extends to pooled reuse. - MysqlxDataStream internals (untouched). - The dormant worker path (different PR). Pre-existing ripple: test/tap/tests/unit/Makefile mysqlx_robustness_unit-t link line was missing mysqlx_config_store.cpp, same gap other mysqlx tests have been closing as they get touched. Added it here so the test links.	2 months ago
Rene Cannao	98aee7db21	chore(mysqlx): retire dormant MysqlxWorker path and its smoke test Deletes the mysqlx worker implementation and the TAP smoke test that was its only caller. Also removes the corresponding entries from the plugin Makefile, the unit-tests Makefile, and the CI groups manifest. Files removed: - plugins/mysqlx/src/mysqlx_worker.cpp - plugins/mysqlx/include/mysqlx_worker.h - test/tap/tests/test_mysqlx_listener_smoke-t.cpp References cleaned: - plugins/mysqlx/Makefile: dropped mysqlx_worker.cpp from SRCS - test/tap/tests/unit/Makefile: dropped test_mysqlx_listener_smoke-t from UNIT_TESTS and deleted its build rule - test/tap/groups/groups.json: removed the smoke-test entry from the unit-tests-g1 group Why: the worker was an earlier parallel implementation of the mysqlx session path (separate accept thread + worker queue + per-listener route tracking + identity.default_route -> pick_endpoint). It never reached any call site in the production proxysql binary. The only consumers of its public API were the smoke test and the worker code itself. The route-identity fix in PR #5641 used the worker's design as a reference and implemented the fix in the active session path (Mysqlx_Thread + MysqlxSession + MysqlxConfigStore::pick_endpoint). With that landed, the dormant code is pure tech debt — reviewers repeatedly mistook its logic for the active path. Why retire the smoke test at the same time: the test exercised mysqlx_start_listeners_from_runtime_routes() which was the worker's only entry function. With the worker gone, the smoke test cannot link; keeping it would produce a broken CI target. Out of scope: no changes to the active session path, no changes to the MysqlxConfigStore or admin-schema tables, no changes to any other tests. Pure deletion + Makefile/groups cleanup.	2 months ago
Rene Cannao	82fe27f4b0	fix(mysqlx): sync empty source tables to overwrite stale rows What: removed `if (cnt == 0) continue;` in `sync_disk_to_memory` and `copy_to_runtime` in `plugins/mysqlx/src/mysqlx_plugin.cpp`. Also removed the now-dead `SELECT COUNT()` + result unpacking that those skip conditions depended on. Why: the original skip was meant as an optimization for "nothing to copy" but it was a correctness bug. If a user emptied a mysqlx table in `main` and saved to disk, on next restart `sync_disk_to_memory` would see disk count == 0, skip the replace, and leave stale rows in `main.`. Same gap for main -> runtime. The BEGIN/DELETE/INSERT/COMMIT sequence is already atomic and correctly no-ops when the source is empty (DELETE dest, INSERT zero rows). Testing: added a unit test at `test/tap/tests/unit/mysqlx_robustness_unit-t.cpp` exercising the "empty source overwrites stale dest" invariant. Also added `mysqlx_config_store.cpp` to the `mysqlx_robustness_unit-t` link line so the test binary resolves `MysqlxConfigStore::resolve_identity` (a latent build gap uncovered while validating the fix). Assertion count 33 -> 35. Out of scope: no refactor of the inline atomic-replace sequence (its atomicity is pre-existing). No changes to the admin-schema `copy_table` path, which was already unconditional.	2 months ago
Rene Cannao	923cbfeadc	fix(mysqlx): resolve critical authentication, TLS, and data integrity bugs - Wire credential_lookup to sessions via config store so frontend auth verification actually runs (was silently bypassed for all users) - Use backend_password (cleartext) instead of password_hash (double-SHA1) for backend MYSQL41 scramble computation - Replace cumulative BIO counter comparison with BIO_ctrl_pending() to fix permanent POLLOUT busy-loop with TLS connections - Add poll(POLLOUT) before getsockopt(SO_ERROR) in check_connect() to correctly detect non-blocking connect completion on Linux - Wrap DELETE+INSERT with BEGIN/COMMIT in sync_disk_to_memory and copy_to_runtime to prevent data loss on crash	2 months ago
Rene Cannao	04f09d6535	fix(mysqlx): address SonarCloud quality gate failures - Replace void* thread_ptr_ with typed Mysqlx_Thread* for type safety - Use RAII (unique_ptr) for SQLite3 result and error cleanup in plugin - Extract handle_auth_mysql41/handle_auth_plain from handler_auth_start to reduce cognitive complexity (37 -> ~10 per method) - Extract step_auth sub-states into individual methods to reduce cognitive complexity in mysqlx_connection.cpp (55 -> ~8 per method) - Add forward_frame_to_client helper to eliminate repeated frame forwarding code - Replace hardcoded password strings in credential verify test with named test constants - Add NOSONAR annotations for const_cast (required by SQLite3DB API) and SSL_VERIFY_NONE (test-only self-signed certs) - Fix Makefile whitespace issue with mysqlx unit test entries	2 months ago
Rene Cannao	04c0303ee9	fix(mysqlx): address critical code review feedback from PR #5593 - PluginManager: don't mark plugin stopped when stop() fails - PluginManager: add mutex to proxysql_get_plugin_manager() access - PluginManager: reject duplicate plugin paths in load() - mysqlx_thread: add listener_mutex_ for listener_fds_ synchronization - mysqlx_config_store: return tls_mode by value, not by reference - Makefile: propagate PROXYSQLGENAI/31/FFTO/TSDB flags to mysqlx builds	2 months ago
Rene Cannao	7957720326	feat(mysqlx): auto-load persisted config from disk on plugin startup Add sync_disk_to_memory() and copy_to_runtime() to mysqlx_start() so the MYSQLX plugin automatically restores its configuration from the persisted config DB when ProxySQL restarts. Startup sequence in mysqlx_start(): 1. sync_disk_to_memory() — copies rows from disk.mysqlx_* tables (config DB, ATTACHed as 'disk') into the admin DB's mysqlx_* tables, but only if the disk tables have data. 2. copy_to_runtime() — copies admin DB mysqlx_* tables into runtime_mysqlx_* tables, mirroring what LOAD MYSQLX * TO RUNTIME does manually. 3. load_from_runtime() — existing code reads runtime tables into the in-memory config store. This ensures routes, users, backend endpoints, and variables survive ProxySQL restarts without requiring manual LOAD commands after reboot. Note: dynamic listener addition (starting X Protocol listeners after the thread event loop is running) is not yet implemented. The listener is only created during start() based on the loaded config. A future change will add hot-reload capability for routes.	2 months ago
Rene Cannao	976d7c2310	feat(mysqlx): add LOAD/SAVE MYSQLX * TO/FROM DISK commands ProxySQL uses a three-tier configuration model: DISK ↔ MEMORY ↔ RUNTIME. The MYSQLX plugin previously only supported the MEMORY ↔ RUNTIME tier (LOAD MYSQLX USERS TO RUNTIME, SAVE MYSQLX USERS TO MEMORY, etc.). Configuration was lost on restart because there was no way to persist it to disk. Add the missing DISK ↔ MEMORY tier commands for all four MYSQLX object types: LOAD MYSQLX USERS FROM DISK (disk → memory) SAVE MYSQLX USERS TO DISK (memory → disk) LOAD MYSQLX ROUTES FROM DISK SAVE MYSQLX ROUTES TO DISK LOAD MYSQLX BACKEND ENDPOINTS FROM DISK SAVE MYSQLX BACKEND ENDPOINTS TO DISK LOAD MYSQLX VARIABLES FROM DISK SAVE MYSQLX VARIABLES TO DISK Implementation: - Add disk_to_memory() and memory_to_disk() helpers in mysqlx_admin_schema.cpp that use qualified SQLite table names (main.<table> and disk.<table>) to copy between the in-memory admin database and the on-disk config database - Register 8 new command handlers in mysqlx_register_admin_schema() - Add alias vectors for all disk commands in Admin_Handler.cpp - Add resolve_admin_alias_to_canonical() calls for disk commands in the MYSQLX dispatch block Tested: Insert → SAVE TO DISK → DELETE → LOAD FROM DISK round-trip confirms data persistence works for all four object types.	2 months ago
Rene Cannao	8c9b7f9d4b	fix(mysqlx): add missing include paths to plugin Makefile Add prometheus-cpp, libconfig, jemalloc, mariadb, and re2 include paths to the plugin build. Without these, mysqlx_thread.cpp fails to compile because it includes proxysql_structs.h which pulls in the full ProxySQL header chain. This was masked previously because the plugin was only built during full releases. Integration testing now requires building the .so independently.	2 months ago
Rene Cannao	30dc111b1d	feat(mysqlx): add TLS passthrough mode for raw TLS forwarding Adds MysqlxTlsMode enum and passthrough mode support: - TLS_OFF: No TLS (default, existing behavior) - TLS_TERMINATE: ProxySQL terminates TLS, decrypts, re-encrypts to backend (existing behavior when TLS is negotiated) - TLS_PASSTHROUGH: Raw encrypted bytes forwarded between client and backend without TLS termination Passthrough behavior: - handler_tls_accept_init(): skips SSL init and handshake entirely, returns to CONNECTING_CLIENT state immediately - handler_connecting_server(): skips backend TLS setup when in passthrough mode (backend_tls_required_ is not set) - X Protocol frames are still parsed at the framing layer since the proxy needs to route and multiplex connections Use cases for passthrough mode: - TLS terminated at an external load balancer - ProxySQL should not have access to TLS certificates - Compliance requirements that forbid TLS inspection set_tls_mode() / get_tls_mode() accessors on MysqlxSession allow runtime configuration of the TLS mode per session.	2 months ago
Rene Cannao	afffad0356	feat(mysqlx): implement backend TLS via CapabilitiesSet negotiation Adds TLS support for backend X Protocol connections. When the client session is encrypted, the backend connection also negotiates TLS with the MySQL X Protocol server. Backend auth state machine changes: - New BACKEND_AUTH_TLS_HANDSHAKE state between CapSet and AuthStart - CapabilitiesSet now includes tls=true when backend_tls_required_ and an SSL_CTX is available - After CapSet Ok, if TLS required: init_ssl_connect() → handshake → send_authenticate_start() → continue normal auth - send_authenticate_start() extracted as a helper method to avoid goto-based flow control MysqlxConnection new members: - backend_tls_required_ flag (set by session when client is on TLS) - backend_ssl_ctx_ pointer (shared global SSL_CTX) - set_backend_tls_required() / is_backend_tls_required() accessors - set_ssl_ctx() to provide the SSL context TLS handshake in step_auth(): - BACKEND_AUTH_TLS_HANDSHAKE state calls backend_ds_.read_from_net() to feed encrypted bytes into the BIO pair - do_ssl_handshake() performs SSL_connect via memory BIOs - flush_ssl_write_buf() sends pending encrypted output - On failure: ssl_handshake_failed() check, returns BACKEND_AUTH_ERROR Session wiring in handler_connecting_server(): - When client_ds_.is_encrypted(), sets backend_tls_required_=true and provides SSL_CTX from Mysqlx_Thread - Backend auth failure detection distinguishes TLS failures (error 3152) from authentication failures (error 1045)	2 months ago
Rene Cannao	da75e13841	feat(mysqlx): per-message response state machines for terminal frame detection Replace the single is_terminal_server_frame() catch-all with per-message-type response tracking. Each client message type now has its own terminal frame set, matching MySQL Router's approach. New MysqlxResponseState enum: - RESP_IDLE: no pending response - RESP_WAITING_STMT_EXECUTE: SQL_STMT_EXECUTE_OK, ERROR, FETCH_DONE - RESP_WAITING_CRUD: OK, ERROR, FETCH_DONE, FETCH_SUSPENDED - RESP_WAITING_PREPARE: OK, ERROR - RESP_WAITING_CURSOR: FETCH_DONE, FETCH_SUSPENDED, ERROR - RESP_WAITING_EXPECT: OK, ERROR - RESP_WAITING_SESS_RESET: OK, ERROR Changes: - dispatch_client_message() sets response_state_ before forward_to_backend() based on message type - handler_waiting_server_msg() uses is_terminal_for_state() instead of is_terminal_server_frame() for terminal detection - is_terminal_for_state() checks the response state to determine which frames are terminal - response_state_ resets to RESP_IDLE when terminal frame received - Generic fallback preserved via is_terminal_server_frame_generic() for unknown response states This is more robust than the single catch-all list and correctly handles cases where OK is terminal for Prepare but not for StmtExecute (which needs SQL_STMT_EXECUTE_OK).	2 months ago
Rene Cannao	d50e48a971	feat(mysqlx): add descriptive TLS error messages with failure detection Adds SSL handshake failure detection and descriptive error messages for both client-side and backend TLS failures. Changes to MysqlxDataStream: - Added ssl_failed_ flag to distinguish WANT_IO (in progress) from actual SSL failure - ssl_handshake_failed() accessor for session to check failure state - ssl_failed_ is set to true in do_ssl_handshake() when get_ssl_status() returns MYSQLX_SSL_FAIL - ssl_failed_ is initialized to false in constructor, init_ssl(), and init_ssl_connect() Changes to MysqlxSession handler_tls_accept_init(): - After do_ssl_handshake() returns false, checks ssl_handshake_failed() - On failure: sends error 3151 ("TLS handshake failed") to client with OpenSSL error details retrieved via ERR_get_error()/ ERR_error_string_n(), then closes session - On WANT_IO: continues waiting (existing behavior) - Error 3150: TLS not configured on server (unchanged) - Error 3151: TLS handshake failed (new) - Error 3152: Reserved for backend TLS failures (Task 3)	2 months ago
Rene Cannao	dc35119813	feat(mysqlx): implement Session Reset passthrough with response tracking SESS_RESET is now properly forwarded to the backend with dedicated response tracking via the new X_SESSION_RESET_WAITING state: 1. Client sends SESS_RESET -> forward_to_backend() sends to server 2. Session transitions to X_SESSION_RESET_WAITING 3. handler_session_reset_waiting() reads backend response: - On NOTICE: forward to client immediately, keep waiting - On OK: clear prepared statement tracking, clear transaction flag, return backend to pool, resume WAITING_CLIENT_XMSG - On ERROR: forward error to client, return backend to pool, resume WAITING_CLIENT_XMSG - On backend disconnect: return to WAITING_CLIENT_XMSG This properly resets session state on both sides, clearing prepared statement and transaction flags so the backend connection can be safely reused from the pool. Previously, SESS_RESET was forwarded but the response was not tracked, potentially leaving the session in an inconsistent state.	2 months ago
Rene Cannao	8fcf8b5808	fix(mysqlx): use correct X Protocol error code for compression rejection Replace generic error code 5001 with the standard MySQL X Protocol error code ER_X_CAPABILITY_COMPRESSION_INVALID_ALGORITHM (5008) when rejecting compression capability requests. Error 5008 is the standard MySQL X Protocol error for invalid compression algorithm negotiation, matching the error code used by MySQL Router and the MySQL X Plugin.	2 months ago
Rene Cannao	85b8d8678c	feat(mysqlx): explicit NOTICE frame forwarding awareness Server NOTICE frames are now explicitly handled in the response forwarding loop in handler_waiting_server_msg(). Notices are forwarded immediately to the client with a continue statement, skipping terminal frame detection. Previously, NOTICE frames fell through to the is_terminal_server_frame() check which correctly returned false for them. The explicit handling makes the intent clear and ensures notices are never accidentally included in terminal frame logic: - Warnings, session state changes, and other server-side notifications are always delivered to the client - NOTICE forwarding does not affect response state or terminal detection - NOTICE frames are still forwarded even while waiting for a terminal response (e.g., during a long-running query result set)	2 months ago
Rene Cannao	437072cf28	feat(mysqlx): add backend connect timeout with configurable threshold Adds a configurable connect timeout (default 10 seconds) for backend X Protocol connections. If the TCP connection does not complete within the timeout, the connection attempt fails with error 2003. Changes to MysqlxConnection: - Added connect_timeout_ms_ (default 10000ms) and connect_start_time_ private members - start_connect() records connect_start_time_ using steady_clock - check_connect() measures elapsed time since start_connect() and returns -1 if timeout exceeded, setting state to ERROR_STATE - Added set_connect_timeout()/get_connect_timeout() accessors Changes to MysqlxSession: - handler_connecting_server() sets connect timeout to 10s before calling start_connect() on new backend connections The timeout is checked on every check_connect() invocation from the event loop, ensuring non-blocking timeout detection without additional timers.	2 months ago
Rene Cannao	e86cfe237f	feat(mysqlx): implement client-side TLS negotiation via CapabilitiesSet Wires TLS into the session state machine following ProxySQL MySQL protocol pattern. When a client sends CapabilitiesSet with tls=true capability, the session initiates SSL_accept on the client data stream. Changes to Mysqlx_Thread: - Added get_ssl_ctx() that returns GloVars.get_SSL_ctx() - Updated rebuild_poll_set() to check has_ssl_pending_write() for POLLOUT on both client and backend data streams Changes to MysqlxSession::handler_capabilities_set(): - Parses CapabilitiesSet protobuf to detect tls capability - If TLS requested and SSL_CTX available: sends Ok, transitions to X_TLS_ACCEPT_INIT state - If SSL_CTX not configured: sends error 3150 and closes session - Without TLS: existing behavior unchanged Changes to MysqlxSession::handler_tls_accept_init(): - Replaced stub with real implementation - Gets SSL_CTX from Mysqlx_Thread - Calls client_ds_.init_ssl(ctx) to create per-session SSL object - Calls do_ssl_handshake() on each handler invocation - When handshake completes, transitions to CONNECTING_CLIENT Changes to MysqlxSession::send_capabilities(): - Advertises tls capability (V_BOOL true) when SSL_CTX is configured - Existing auth capability advertisement unchanged All 10 test suites pass with no regressions.	2 months ago
Rene Cannao	0b555d3899	feat(mysqlx): add TLS infrastructure to MysqlxDataStream Adds SSL support following ProxySQL BIO-based pattern used in MySQL_Data_Stream and PgSQL_Data_Stream. New members in MysqlxDataStream: - ssl_: per-session SSL object from shared SSL_CTX - rbio_ssl_/wbio_ssl_: memory BIO pair for encrypted I/O - ssl_write_buf_/ssl_write_offset_: pending encrypted output - ssl_handshake_done_: handshake completion tracking New public methods: - init_ssl(SSL_CTX): creates SSL object with SSL_set_accept_state - init_ssl_connect(SSL_CTX): creates SSL object with SSL_set_connect_state - do_ssl_handshake(): performs TLS handshake, drains app data on completion - flush_ssl_write_buf(): sends pending encrypted bytes to network - has_ssl_pending_write(): checks BIO pending counts for poll integration - get_ssl()/get_rbio_ssl(): accessors for testing Modified read_from_net(): - SSL handshake phase: recv→BIO_write→do_ssl_handshake - Encrypted phase: recv→BIO_write→SSL_read loop→feed_bytes - Non-TLS path unchanged when ssl_ is null Modified write_to_net(): - SSL handshake phase: flush pending handshake data only - Encrypted phase: SSL_write→BIO_read→flush_ssl_write_buf - write_raw() also uses SSL_write when encrypted - Non-TLS path unchanged when ssl_ is null do_ssl_handshake() drains application data from the SSL object immediately after handshake completes, handling the case where the client sends data in the same TLS record as the Finished message. mysqlx_ssl_status enum maps OpenSSL errors: - MYSQLX_SSL_OK (SSL_ERROR_NONE) - MYSQLX_SSL_WANT_IO (SSL_ERROR_WANT_READ/WRITE) - MYSQLX_SSL_FAIL (all other errors) Tests: 18 assertions covering: - init_ssl with null ctx (no crash, no-op) - Non-TLS read/write unchanged - Full SSL handshake between client and server - Encrypted X Protocol frame read/write - has_ssl_pending_write before SSL init - init_ssl_connect for backend TLS	2 months ago
Rene Cannao	79783a63d7	fix(mysqlx): apply 12 critical/high fixes from four-way review + robustness test suite Addresses all 6 critical and 6 high issues identified by the four-way architecture/protocol/testing/security review. Critical fixes: - C1: Credential verification — MYSQL41 uses mysqlx_mysql41_verify_hash() against stored SHA1(SHA1(password)), PLAIN uses mysqlx_mysql41_hash() + CRYPTO_memcmp for constant-time comparison - C2: Backend X Protocol handshake — 6-state state machine in MysqlxConnection::step_auth() (CapGet→CapSet→AuthStart→AuthContinue→AuthDone) - C3: Backend FD added to poll set in rebuild_poll_set() — checks sds->get_fd() >= 0 && sds->get_status() == XDS_READY - C4: Double frame-pop fixed — removed redundant pop_frame() calls in dispatch_client_message() for handlers that already pop - C5: Backend kept until terminal frame — is_terminal_server_frame() checks 7 terminal types (OK, ERROR, SQL_STMT_EXECUTE_OK, FETCH_DONE, FETCH_SUSPENDED, DONE_MORE_RESULTSETS, DONE_MORE_OUT_PARAMS) - C6: Error severity defaults to ERROR (not FATAL) — added fatal parameter to send_error() High fixes: - H1: Parse errors detected — checks client_ds_.has_parse_error() after read_from_net() - H2: EINTR retry — do { r = recv/send(...) } while (r < 0 && errno == EINTR) - H3: Connection limit — max_sessions_ per thread (default 10000), accept loop breaks when exceeded - H4: Timeouts — 10s handshake timeout, 8h idle timeout in process_all_sessions() - H5: PLAIN auth rejected without TLS — checks client_ds_.is_encrypted() - H6: write_to_net errors propagated — checks return < 0 with errno != EAGAIN New test suites: - mysqlx_backend_auth_unit-t: 34 assertions covering full backend handshake state machine and error paths - mysqlx_credential_verify_unit-t: 24 assertions covering verify_hash, hex encode/decode, hash consistency - mysqlx_robustness_unit-t: 33 assertions covering terminal/non-terminal frame detection, multi-frame pipeline, backend disconnect, client disconnect, parse errors, auth edge cases, frame forwarding Robustness test fixes: - Replaced blocking read_x_frame with poll()-based version (200ms timeout) to prevent test hangs when no more data is available - Fixed double-close bug in test cleanup — session destructor and manual close() both closed same fds, causing next test socketpairs to be prematurely closed. Added detach_session_fds() helper to invalidate session fds before manual cleanup - Fixed drain loop ordering — close write end before draining read end to prevent blocking - Re-enabled test_backend_disconnect_during_query (previously crashed due to double-close fd corruption, not protobuf FATAL) - Fixed test_mysql41_no_credential_lookup_accepts_any to use valid 20-byte scramble format (40 hex chars) - Fixed test_forward_empty_frame to use SQL_STMT_EXECUTE message type instead of unrecognized 0x11 All 9 test suites pass (218+ assertions across backend_auth, credential_verify, data_stream, message_dispatch, session, thread, connection, concurrent, robustness).	2 months ago
Rene Cannao	70e908b9b6	feat(mysqlx): wire event-driven v2 into plugin lifecycle The mysqlx plugin now creates a configurable thread pool (mysqlx_thread_pool_size, default 4, max 64). Each thread runs its own poll() event loop, accepts connections from listeners, manages sessions cooperatively, and maintains a per-thread connection cache. New admin variables in mysqlx_variables: - mysqlx_thread_pool_size (default 4) - mysqlx_connect_timeout (default 10000ms) - mysqlx_tls_mode (default DISABLED) - mysqlx_max_cached_connections_per_thread (default 100) Plugin version bumped to 2.0.0 to reflect the architectural rewrite.	2 months ago
Rene Cannao	eb958585a6	feat(mysqlx): add protocol-aware dispatch, TLS stubs, connection pool, and async connect Implements four tightly-coupled v2 components: Task 5 - Protocol-aware frame forwarding: - dispatch_client_message() handles all 23 X Protocol client message types - CRUD operations (Find/Insert/Update/Delete) forwarded to backend - SQL statement execution forwarded to backend - Prepared statements, cursors, views, expect blocks forwarded - Compression rejected with ER_X_CAPABILITY_COMPRESSION_INVALID_ALGORITHM - Unknown messages get ER_X_BAD_MESSAGE error - forward_to_backend() and handler_waiting_server_msg() for bidirectional frame forwarding between client and server data streams Task 6 - TLS stubs: - MysqlxDataStream gains encrypted_ flag for future TLS support - MysqlxSession gains TLS state machine states (accept/connect init/cont/done) - Stub handlers skip TLS states for now (Phase 3 will add OpenSSL) Task 7 - Connection pool integration: - MysqlxSession has back-pointer to Mysqlx_Thread for pool access - handler_connecting_server() checks thread-local cache first - Connections returned to cache after query completion - Pool matching by hostgroup, user, schema Task 8 - Async backend connect: - MysqlxConnection::start_connect() uses SOCK_NONBLOCK + EINPROGRESS - check_connect() polls SO_ERROR for completion - MysqlxSession::handler_connecting_server() manages async state - Graceful error handling with proper X Protocol error frames	2 months ago
Rene Cannao	ff0070f782	feat(mysqlx): add Mysqlx_Thread event loop with poll()	2 months ago
Rene Cannao	7f8719c8d1	feat(mysqlx): add X Protocol session state machine MysqlxSession implements the X Protocol handshake and authentication as a cooperative state machine compatible with ProxySQL's poll()-based event loop. States: CONNECTING_CLIENT → X_CAPABILITIES_GET → X_CAPABILITIES_SET → X_AUTH_START → X_AUTH_CHALLENGE_SENT → X_AUTH_OK_SENT → WAITING_CLIENT_XMSG → X_SESSION_CLOSING Uses MysqlxDataStream for non-blocking frame I/O. Handler returns immediately when no data is available, allowing poll() to multiplex thousands of sessions per thread.	2 months ago
Rene Cannao	c67705ba8b	feat(mysqlx): add pooled backend connection object MysqlxConnection tracks the state of a backend X Protocol connection for connection pooling. Tracks hostgroup, user, schema, address, and multiplexing eligibility (transactions, prepared statements disable reuse). Will be used by Mysqlx_Thread's per-thread connection cache and the global connection pool.	2 months ago
Rene Cannao	6034a3fba6	fix(mysqlx): replace raw pointer MysqlxFrame with std::vector<uint8_t> Code quality fixes from review: - Replace std::pair<uint8_t*,size_t> with std::vector<uint8_t> for MysqlxFrame, eliminating use-after-free risk and Rule of Five violations - Add read buffer compaction when consumed prefix exceeds 4KB - Return -1 from write_to_net() for invalid fd (was returning 0) - Add parse_error_ flag instead of silently closing on malformed input - Add bounds check in enqueue_frame for oversized payloads	2 months ago
Rene Cannao	401a527186	feat(mysqlx): add non-blocking X Protocol frame I/O data stream Implements MysqlxDataStream with: - Non-blocking frame parsing from raw TCP byte streams - Partial frame buffering (header-first, then body accumulation) - Frame enqueue for writes with proper X Protocol wire format - read_from_net() / write_to_net() using recv()/send() on non-blocking FDs - O_NONBLOCK set automatically on init Foundation for the event-driven v2 rewrite. All future session and thread classes will use MysqlxDataStream for I/O instead of the blocking read()/write() calls from Phase 1. Tests: frame header parsing, partial frames, multiple concatenated frames, write buffer format verification.	2 months ago
Rene Cannao	3d7ebacaf9	fix: call record_conn_used in worker and log config reload errors I6: Add record_conn_used() call in MysqlxWorker::run() after record_conn_ok() so that the ConnUsed stats counter is actually incremented when sessions are established. Log errors from reload_config_store() via the plugin log_message service instead of silently swallowing them. The admin command still returns success (SQLite tables were updated) but the operator can see if the in-memory reload failed.	2 months ago
Rene Cannao	ac7bafc75d	fix: make topology_generation_ atomic to prevent data race UB Replace plain uint64_t read/write with std::atomic<uint64_t> operations for topology_generation_. The field is written by bump_topology_generation() and read concurrently by worker threads in topology_generation(). Plain read/write on a non-atomic is C++ undefined behavior in the presence of concurrent access. Use load() for reads and fetch_add(1) for the increment to ensure well-defined behavior across threads.	2 months ago
Rene Cannao	acb6be4178	fix: load config store into memory on plugin start and after LOAD commands C1: Call config_store->load_from_runtime() in mysqlx_start() so that the in-memory store is populated before listeners begin accepting connections. Without this, resolve_identity() always returned nullopt and no client could authenticate. I8: Add reload_config_store() call at the end of each LOAD admin command callback (load_users_to_runtime, load_routes_to_runtime, load_backend_endpoints_to_runtime) so that the in-memory config store is refreshed immediately after runtime tables are updated.	2 months ago
Rene Cannao	cd94ac2b12	fix: populate destination_hostgroup in route stats and add conn_used counter I5: Pass destination_hostgroup through record_conn_ok and record_conn_err so that MysqlxRouteStats.destination_hostgroup is populated from the actual route configuration instead of remaining 0. I6: Add record_conn_used() method to MysqlxStatsStore that increments the conn_used atomic counter for a route. This counter tracks active session usage of a route and is flushed to stats_mysqlx_routes.	2 months ago
Rene Cannao	8ff8a038b5	fix: add DNS resolution and IPv6 support for backend and listener sockets I2: Replace inet_pton with getaddrinfo in mysqlx_backend_session to support hostname-based backend endpoints (not just dotted-quad IPv4). getaddrinfo handles DNS lookup, numeric IPv4, and IPv6 transparently. I3: Replace AF_INET/sockaddr_in with getaddrinfo in mysqlx_worker listener creation. Parse [IPv6]:port bracket notation in bind addresses. Set AI_PASSIVE flag for listener sockets. Support dual-stack (AF_UNSPEC) so a single listener can accept both IPv4 and IPv6 connections. Also set TCP_NODELAY on both listener-accepted client sockets and backend connection sockets to reduce latency for small X Protocol messages.	2 months ago
Rene Cannao	0143f8a4fb	fix: document plugin ABI constraint and harden PLAIN auth comparison I11: Add a comment to ProxySQL_Plugin.h documenting that ProxySQL_PluginCommandResult contains std::string and that plugins must be compiled with the same C++ standard library as the core. Minor: Simplify PLAIN auth comparison in mysqlx_frontend_session to ensure CRYPTO_memcmp is always called when password sizes match, avoiding a timing distinguisher on password length mismatch.	2 months ago
Rene Cannao	11aca24274	fix: add -pthread to plugin Makefile and error on MYSQLX commands without plugin I9: Add -pthread to CXXFLAGS and LDFLAGS in plugins/mysqlx/Makefile. The plugin uses std::thread, std::mutex, and std::shared_mutex which require -pthread on Linux. Without it, linking fails or causes runtime issues. I10: When a MYSQLX admin command is recognized but no plugin is loaded to handle it, send a clear "MYSQLX plugin is not loaded" error to the client instead of falling through to SQLite query execution which would produce a confusing syntax error.	2 months ago
Rene Cannao	386d4be4b7	fix: address crypto, timing, and signal issues in mysqlx protocol C2: Check sha1_digest/sha1_digest_multi return values in all MYSQL41 auth helpers. Return empty vectors or false on OpenSSL failure instead of using uninitialized stack data. I1: Replace std::vector operator== with CRYPTO_memcmp in mysqlx_mysql41_verify to prevent byte-by-byte timing side-channel attacks on the scramble comparison. I7: Handle EINTR in mysqlx_read_exact and mysqlx_write_all loops. Retry read/write when interrupted by a signal instead of treating EINTR as a fatal error.	2 months ago
Rene Cannao	d880330c17	feat: add SAVE MYSQLX handlers and first-class LOAD/SAVE dispatch Replace the PLUGIN MYSQLX command namespace with canonical ProxySQL admin syntax matching the MYSQL/PGSQL convention. Plugin changes (mysqlx_admin_schema.cpp): - Add three SAVE handlers (save_users_from_runtime, save_routes_from_runtime, save_backend_endpoints_from_runtime) that copy runtime tables back to config tables (reverse of LOAD) - Register 6 commands with canonical names: LOAD MYSQLX USERS/ROUTES/BACKEND ENDPOINTS TO RUNTIME SAVE MYSQLX USERS/ROUTES/BACKEND ENDPOINTS TO MEMORY Admin handler changes (Admin_Handler.cpp): - Add 6 MYSQLX alias vector definitions following the existing LOAD_MYSQL_USERS_FROM_MEMORY pattern (4 aliases each: FROM MEMORY, FROM MEM, TO RUNTIME, TO RUN) - Replace the generic plugin fallback dispatch with MYSQLX-specific alias matching using is_admin_command_or_alias(), matching how MYSQL and PGSQL commands are dispatched - Use 'return false' pattern consistent with other admin commands	2 months ago
Rene Cannao	994d46dfd6	fix: use PRIu64 for portable uint64_t formatting in stats flush	2 months ago
Rene Cannao	31b9e86b59	fix: register mysqlx tests in CI groups and document proto source Register all plugin and mysqlx unit tests in groups.json under unit-tests-g1 so they run in CI: - plugin_manager_unit-t, plugin_config_unit-t, plugin_registry_unit-t - mysqlx_config_store_unit-t, mysqlx_protocol_unit-t, mysqlx_route_store_unit-t, mysqlx_stats_unit-t - test_mysqlx_plugin_load-t, test_mysqlx_admin_tables-t, test_mysqlx_listener_smoke-t Document protobuf source location and regeneration command in plugins/mysqlx/Makefile.	2 months ago

1 2

64 Commits (a2e99eed5096d305366a3ce88c170839790c1921)