Merge branch 'mysql-8.0' into mysql-trunk

Author: lkotula

mysql-test/suite/x/r/connection_default_schema.result

@@ -17,6 +17,36 @@ GRANT SELECT ON ydb.* TO 'user_with_access_to_ydb'@'%';
 #
 ## Test group 1.
 ##
+## Authenticate using plain X Protocol flows to schema that:
+##
+## * account has permissions
+## * account has not permissions
+## * account has permissions still db-doesn't exist
+#
+connecting...
+active session is now 'non_root_user'
+Login OK
+closing session non_root_user
+Mysqlx.Ok {
+  msg: "bye!"
+}
+switched to session default
+connecting...
+active session is now 'non_root_user'
+Got expected error: Access denied for user 'user_with_access_to_ydb'@'%' to database 'xdb' (code 1044)
+aborting session non_root_user
+switched to session default
+connecting...
+active session is now 'root_user'
+Got expected error: Unknown database 'non_existing_schema' (code 1049)
+aborting session root_user
+switched to session default
+Mysqlx.Ok {
+  msg: "bye!"
+}
+#
+## Test group 2.
+##
 ## Authenticate using an account which has permissions
 ## to selected schema.
 #
@@ -37,7 +67,7 @@ Mysqlx.Ok {
 }
 ok
 #
-## Test group 2.
+## Test group 3.
 ##
 ## Authenticate using an account which has not permissions
 ## to selected schema.
@@ -52,29 +82,20 @@ EXPECTED_ERROR_CODE(42000): Access denied for user 'user_with_access_to_xdb'@'%'
 in main, line 0:ERROR: Access denied for user 'user_with_access_to_xdb'@'%' to database 'ydb' (EXPECTED_ERROR_CODE)
 not ok
 #
-## Test group 3.
-##
-## Authenticate using plain X Protocol flows to schame that:
+## Test group 4.
 ##
-## * account has permissions
-## * account has not permissions
+## Authenticate using an valid account to non existing
+## schema.
 #
-connecting...
-active session is now 'non_roo_user'
-Login OK
-closing session non_roo_user
-Mysqlx.Ok {
-  msg: "bye!"
-}
-switched to session default
-connecting...
-active session is now 'non_roo_user'
-Got expected error: Access denied for user 'user_with_access_to_ydb'@'%' to database 'xdb' (code 1044)
-aborting session non_roo_user
-switched to session default
-Mysqlx.Ok {
-  msg: "bye!"
-}
+
+# Using MySQL client
+# Checking if requested schema was selected.
+EXPECTED_ERROR_CODE(42000): Unknown database 'non_existing_schema'
+
+# Using mysqlxtest
+# Checking if requested schema was selected.
+in main, line 0:ERROR: Unknown database 'non_existing_schema' (EXPECTED_ERROR_CODE)
+not ok
 #
 ## Cleanup
 #

mysql-test/suite/x/t/connection_default_schema.test

@@ -9,15 +9,20 @@
 
 --write_file $MYSQL_TMP_DIR/connection_default_schema_manual.tmp
 
--->newsession non_roo_user	-
+-->newsession non_root_user	-
 -->login user_with_access_to_ydb		ydb
 -->closesession
 
--->newsession non_roo_user	-
+-->newsession non_root_user	-
 -->expecterror ER_DBACCESS_DENIED_ERROR
 -->login user_with_access_to_ydb		xdb
 -->closesession abort
 
+-->newsession root_user	-
+-->expecterror ER_BAD_DB_ERROR
+-->login root		non_existing_schema	sha256_memory
+-->closesession abort
+
 EOF
 
 call mtr.add_suppression("Plugin mysqlx reported: '.*: Unsuccessful login attempt");
@@ -36,9 +41,26 @@ GRANT SELECT ON ydb.* TO 'user_with_access_to_ydb'@'%';
 --echo ## Testcase execute
 --echo #
 
+
 --echo #
 --echo ## Test group 1.
 --echo ##
+--echo ## Authenticate using plain X Protocol flows to schema that:
+--echo ##
+--echo ## * account has permissions
+--echo ## * account has not permissions
+--echo ## * account has permissions still db-doesn't exist
+--echo #
+
+exec $MYSQLXTEST
+  -uroot
+  --ssl-mode=REQUIRED
+  -f $MYSQL_TMP_DIR/connection_default_schema_manual.tmp;
+
+
+--echo #
+--echo ## Test group 2.
+--echo ##
 --echo ## Authenticate using an account which has permissions
 --echo ## to selected schema.
 --echo #
@@ -58,7 +80,7 @@ let $schema=xdb;
 
 
 --echo #
---echo ## Test group 2.
+--echo ## Test group 3.
 --echo ##
 --echo ## Authenticate using an account which has not permissions
 --echo ## to selected schema.
@@ -82,18 +104,28 @@ let $expect_error=code 1044;
 
 
 --echo #
---echo ## Test group 3.
---echo ##
---echo ## Authenticate using plain X Protocol flows to schame that:
+--echo ## Test group 4.
 --echo ##
---echo ## * account has permissions
---echo ## * account has not permissions
+--echo ## Authenticate using an valid account to non existing
+--echo ## schema.
 --echo #
 
-exec $MYSQLXTEST
-  -uroot
-  --ssl-mode=REQUIRED
-  -f $MYSQL_TMP_DIR/connection_default_schema_manual.tmp;
+
+--echo
+--echo # Using MySQL client
+let $execute_command=$MYSQL;
+let $user=root;
+let $schema=non_existing_schema;
+let $expect_error=ERROR 1049 ;
+--source ../include/connection_default_schema.inc
+
+--echo
+--echo # Using mysqlxtest
+let $execute_command=$MYSQLXTEST;
+let $user=root;
+let $schema=non_existing_schema;
+let $expect_error=code 1049;
+--source ../include/connection_default_schema.inc
 
 
 --echo #

plugin/x/client/xprotocol_impl.cc

@@ -372,8 +372,9 @@ XError Protocol_impl::send(const Client_message_type_id mid,
     return XError{CR_MALFORMED_PACKET, ER_TEXT_PB_SERIALIZATION_FAILED};
   }
 
-  std::uint32_t *buf_ptr = reinterpret_cast<std::uint32_t *>(&msg_buffer[0]);
-  *buf_ptr = static_cast<std::uint32_t>(msg_size + 1);
+  const auto msg_size_to_buffer = static_cast<std::uint32_t>(msg_size + 1);
+
+  memcpy(&msg_buffer[0], &msg_size_to_buffer, sizeof(std::uint32_t));
 #ifdef WORDS_BIGENDIAN
   std::swap(msg_buffer[0], msg_buffer[3]);
   std::swap(msg_buffer[1], msg_buffer[2]);

plugin/x/client/xsession_impl.cc

@@ -699,11 +699,12 @@ XError Session_impl::authenticate(const char *user, const char *pass,
   if (error) return error;
 
   bool has_sha256_memory = false;
-  XError auth_error;
-  XError reported_error =
-      XError{ER_ACCESS_DENIED_ERROR, "Invalid user or password"};
+  bool fatal_error_received = false;
+  XError reported_error;
+
   for (const auto &auth_method : optional_auth_methods.second) {
     const bool is_last = &auth_method == &optional_auth_methods.second.back();
+
     if (auth_method == "PLAIN" && !is_secure_connection) {
       // If this is not the last authentication mechanism then do not report
       // error but try those other methods instead.
@@ -712,42 +713,70 @@ XError Session_impl::authenticate(const char *user, const char *pass,
             CR_X_INVALID_AUTH_METHOD,
             "Invalid authentication method: PLAIN over unsecure channel"};
       }
-    } else {
-      auth_error = protocol.execute_authenticate(
-          details::value_or_empty_string(user),
-          details::value_or_empty_string(pass),
-          details::value_or_empty_string(schema), auth_method);
-
-      const auto current_error_code = auth_error.error();
-
-      // In case of 'broken pipe', 'peer disconnected' and timeouts we should
-      // break the authentication sequence and return an error.
-      if (current_error_code == CR_SERVER_GONE_ERROR ||
-          current_error_code == CR_X_WRITE_TIMEOUT ||
-          current_error_code == CR_X_READ_TIMEOUT ||
-          current_error_code == CR_UNKNOWN_ERROR)
-        return auth_error;
-
-      if (current_error_code != ER_ACCESS_DENIED_ERROR ||
-          reported_error.error() == ER_ACCESS_DENIED_ERROR) {
-        reported_error = auth_error;
-      }
 
-      // Also we should stop the authentication sequence on any fatal error.
-      if (auth_error.is_fatal()) return reported_error;
-
-      if (auth_method == "SHA256_MEMORY") has_sha256_memory = true;
+      continue;
     }
 
+    XError current_error = protocol.execute_authenticate(
+        details::value_or_empty_string(user),
+        details::value_or_empty_string(pass),
+        details::value_or_empty_string(schema), auth_method);
+
     // Authentication successful, otherwise try to use different auth method
-    if (!auth_error) return {};
+    if (!current_error) return {};
+
+    const auto current_error_code = current_error.error();
+
+    // In case of connection errors ('broken pipe', 'peer disconnected',
+    // timeouts...) we should break the authentication sequence and return
+    // an error.
+    if (current_error_code == CR_SERVER_GONE_ERROR ||
+        current_error_code == CR_X_WRITE_TIMEOUT ||
+        current_error_code == CR_X_READ_TIMEOUT ||
+        current_error_code == CR_UNKNOWN_ERROR) {
+      // Expected disconnection
+      if (fatal_error_received) return reported_error;
+
+      // Unexpected disconnection
+      return current_error;
+    }
+
+    // Try to choose most important error:
+    //
+    // |Priority |Action                        |
+    // |---------|------------------------------|
+    // |1        |No error was set              |
+    // |2        |Last other than access denied |
+    // |3        |Last access denied            |
+    if (!reported_error || current_error_code != ER_ACCESS_DENIED_ERROR ||
+        reported_error.error() == ER_ACCESS_DENIED_ERROR) {
+      reported_error = current_error;
+    }
+
+    // Also we should stop the authentication sequence on fatal error.
+    // Still it would break compatibility with servers that wrongly mark
+    // Mysqlx::Error message with fatal flag.
+    //
+    // To workaround the problem of backward compatibility, we should
+    // remember that fatal error was received and try to continue the
+    // sequence. After reception of fatal error, following connection
+    // errors are expected (CR_SERVER_GONE_ERROR, CR_X_WRITE_TIMEOUT....)
+    // and must be ignored.
+    if (current_error.is_fatal()) fatal_error_received = true;
+
+    if (auth_method == "SHA256_MEMORY") has_sha256_memory = true;
   }
 
+  // In case when SHA256_MEMORY was used and no PLAIN (because of not using
+  // secure connection) and all errors where ER_ACCESS_DENIED, there is
+  // possibility that password cache on the server side is empty.
+  // We need overwrite the error to give the user a hint that
+  // secure connection can be used.
   if (has_sha256_memory && !is_secure_connection &&
       reported_error.error() == ER_ACCESS_DENIED_ERROR) {
     reported_error = XError{CR_X_AUTH_PLUGIN_ERROR,
-                            "Authentication failed, check username and \
-password or try a secure connection"};
+                            "Authentication failed, check username and "
+                            "password or try a secure connection"};
   }
 
   return reported_error;

plugin/x/ngs/src/client_session.cc

@@ -237,9 +237,9 @@ bool Session::can_forward_error_code_to_client(const int error_code) {
   // return general authentication problem. It may have not too
   // accurate error message.
   const static std::set<int> allowed_error_codes{
-      ER_DBACCESS_DENIED_ERROR, ER_MUST_CHANGE_PASSWORD_LOGIN,
+      ER_DBACCESS_DENIED_ERROR,   ER_MUST_CHANGE_PASSWORD_LOGIN,
       ER_ACCOUNT_HAS_BEEN_LOCKED, ER_SECURE_TRANSPORT_REQUIRED,
-      ER_SERVER_OFFLINE_MODE};
+      ER_SERVER_OFFLINE_MODE,     ER_BAD_DB_ERROR};
 
   return 0 < allowed_error_codes.count(error_code);
 }