Raise error if not using TLS or unix socket
We aren't supporting `caching_sha2_password` in Trilogy unless MySQL is
reached over TLS or a unix socket, so raise an error when the server
selects `caching_sha2_password` on a plaintext TCP connection.
eileencodes committed Mar 21, 2024
1 parent 1a3da44 commit f95e12d
Showing 3 changed files with 56 additions and 1 deletion.
11 changes: 10 additions & 1 deletion contrib/ruby/ext/trilogy-ruby/cext.c
Expand Up @@ -156,6 +156,10 @@ static void handle_trilogy_error(struct trilogy_ctx *ctx, int rc, const char *ms
rb_raise(Trilogy_EOFError, "%" PRIsVALUE ": TRILOGY_CLOSED_CONNECTION", rbmsg);
}

case TRILOGY_UNSUPPORTED: {
rb_raise(Trilogy_BaseConnectionError, "%" PRIsVALUE ": TRILOGY_UNSUPPORTED", rbmsg);
}

default:
rb_raise(Trilogy_QueryError, "%" PRIsVALUE ": %s", rbmsg, trilogy_error(rc));
}
Expand Down Expand Up @@ -419,7 +423,12 @@ static void authenticate(struct trilogy_ctx *ctx, trilogy_handshake_t *handshake
}

if (rc != TRILOGY_AGAIN) {
handle_trilogy_error(ctx, rc, "trilogy_auth_recv");
if (rc == TRILOGY_UNSUPPORTED) {
handle_trilogy_error(ctx, rc, "trilogy_auth_recv: caching_sha2_password requires either TCP with TLS or a unix socket");
}
else {
handle_trilogy_error(ctx, rc, "trilogy_auth_recv");
}
}

rc = trilogy_sock_wait_read(ctx->conn.socket);
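Review bot: The `rc == TRILOGY_UNSUPPORTED` branch in `authenticate` hard-codes a caching_sha2-specific explanation for a generic error code, so any future `TRILOGY_UNSUPPORTED` returned by `trilogy_auth_recv` for another reason will be reported as a TLS/unix-socket problem. The function already receives `handshake`; if `trilogy_handshake_t` exposes the server's auth plugin name, the branch should compare it before choosing the message, e.g. `if (rc == TRILOGY_UNSUPPORTED && strcmp(handshake->auth_plugin, "caching_sha2_password") == 0)` (field name to be confirmed against the header), falling through to the generic `handle_trilogy_error(ctx, rc, "trilogy_auth_recv")` otherwise. The new `case TRILOGY_UNSUPPORTED` in `handle_trilogy_error` maps to `Trilogy_BaseConnectionError`, so a short comment there such as `/* raised when the library refuses an auth flow it does not implement (e.g. caching_sha2 full auth over plaintext TCP) */` would save the next reader a trip to src/client.c. Both `handle_trilogy_error` and `authenticate` start and end outside the hunks shown.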
39 changes: 39 additions & 0 deletions contrib/ruby/test/client_test.rb
Expand Up @@ -49,6 +49,45 @@ def test_connect_caching_sha2
ensure_closed client
end

def test_connect_with_unix_and_caching_sha2_works
return skip unless has_caching_sha2?
return skip unless ["127.0.0.1", "localhost"].include?(DEFAULT_HOST)

socket = new_tcp_client.query("SHOW VARIABLES LIKE 'socket'").to_a[0][1]

if !File.exist?(socket)
skip "cound not find socket at #{socket}"
end

client = new_unix_client(socket, username: "caching_sha2", password: "password")
refute_nil client
ensure
ensure_closed client
end

def test_connect_without_ssl_or_unix_socket_caching_sha2_raises
return skip unless has_caching_sha2?

# Ensure correct setup
assert_equal [["caching_sha2_password"]], new_tcp_client.query("SELECT plugin FROM mysql.user WHERE user = 'caching_sha2'").rows

options = {
host: DEFAULT_HOST,
port: DEFAULT_PORT,
username: "caching_sha2",
password: "password",
ssl: false,
ssl_mode: 0
}

err = assert_raises Trilogy::ConnectionError do
new_tcp_client options
end

assert_includes err.message, "TRILOGY_UNSUPPORTED"
assert_includes err.message, "caching_sha2_password requires either TCP with TLS or a unix socket"
end

def test_connection_error_native
err = assert_raises Trilogy::ConnectionError do
new_tcp_client(username: "native", password: "incorrect")
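Review bot: In `test_connect_with_unix_and_caching_sha2_works` the TCP client created on the `SHOW VARIABLES LIKE 'socket'` line is used only to discover the socket path and is never closed, so it is leaked for the rest of the test run; assign it and release it in the `ensure`, e.g. `tcp = new_tcp_client` / `socket = tcp.query("SHOW VARIABLES LIKE 'socket'").to_a[0][1]` with `ensure_closed tcp` added next to `ensure_closed client`. The skip message also has a typo (`"cound not find socket"`) and the `if !File.exist?(socket)` block reads more idiomatically as `skip "could not find socket at #{socket}" unless File.exist?(socket)`. The negative test is good in that it first asserts the `caching_sha2` account really uses `caching_sha2_password`, otherwise a misconfigured fixture would make it pass for the wrong reason; it would be worth a one-line comment saying so above that assertion.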
7 changes: 7 additions & 0 deletions src/client.c
Expand Up @@ -420,6 +420,13 @@ int trilogy_auth_recv(trilogy_conn_t *conn, trilogy_handshake_t *handshake)

switch (current_packet_type(conn)) {
case TRILOGY_PACKET_AUTH_MORE_DATA: {
bool use_ssl = (conn->socket->opts.flags & TRILOGY_CAPABILITIES_SSL) != 0;
bool has_unix_socket = (conn->socket->opts.path != NULL);

if (!use_ssl && !has_unix_socket) {
return TRILOGY_UNSUPPORTED;
}

uint8_t byte = conn->packet_buffer.buff[1];
switch (byte) {
case FAST_AUTH_OK:
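Review bot: The guard in the `TRILOGY_PACKET_AUTH_MORE_DATA` case decides from `conn->socket->opts.flags & TRILOGY_CAPABILITIES_SSL`, i.e. whether TLS was requested in the options, not whether TLS is actually active on the socket. If any ssl_mode allows falling back to plaintext when the server lacks the SSL capability and that fallback does not clear this flag, the full-authentication exchange that follows (which for caching_sha2 sends the password in the clear once fast auth fails) would proceed over an unencrypted TCP connection; please confirm the flag is cleared on fallback or test the socket's negotiated TLS state instead. A comment explaining the policy belongs above the check, since it also rejects a `FAST_AUTH_OK` reply that would not have leaked anything: `/* caching_sha2 full auth transmits the cleartext password; refuse the plugin entirely unless the transport is TLS or a local unix socket, so behaviour does not depend on the server's auth cache. */` `trilogy_auth_recv` starts before and continues after this hunk.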
