Bump mysql_common to 0.30, add cleartext plugin support

Author: blackbeam

Cargo.toml

@@ -13,7 +13,7 @@ edition = "2018"
 categories = ["asynchronous", "database"]
 
 [dependencies]
-bytes = "1.0"
+bytes = "1.4"
 crossbeam = "0.8.1"
 flate2 = { version = "1.0", default-features = false }
 futures-core = "0.3"
@@ -22,7 +22,9 @@ futures-sink = "0.3"
 lazy_static = "1"
 lru = "0.8.1"
 mio = { version = "0.8.0", features = ["os-poll", "net"] }
-mysql_common = { version = "0.29.2", default-features = false }
+mysql_common = { version = "0.30", default-features = false, features = [
+    "derive",
+] }
 once_cell = "1.7.2"
 pem = "1.0.1"
 percent-encoding = "2.1.0"
@@ -34,7 +36,9 @@ socket2 = "0.4.2"
 thiserror = "1.0.4"
 tokio = { version = "1.0", features = ["io-util", "fs", "net", "time", "rt"] }
 tokio-util = { version = "0.7.2", features = ["codec", "io"] }
-tracing = { version = "0.1.37", default-features = false, features = ["attributes"], optional = true }
+tracing = { version = "0.1.37", default-features = false, features = [
+    "attributes",
+], optional = true }
 twox-hash = "1"
 url = "2.1"
 
@@ -76,20 +80,20 @@ rand = "0.8.0"
 [features]
 default = [
     "flate2/zlib",
-    "mysql_common/bigdecimal03",
+    "mysql_common/bigdecimal",
     "mysql_common/rust_decimal",
-    "mysql_common/time03",
-    "mysql_common/uuid",
+    "mysql_common/time",
     "mysql_common/frunk",
+    "derive",
     "native-tls-tls",
 ]
 default-rustls = [
     "flate2/zlib",
-    "mysql_common/bigdecimal03",
+    "mysql_common/bigdecimal",
     "mysql_common/rust_decimal",
-    "mysql_common/time03",
-    "mysql_common/uuid",
+    "mysql_common/time",
     "mysql_common/frunk",
+    "derive",
     "rustls-tls",
 ]
 minimal = ["flate2/zlib"]
@@ -102,6 +106,7 @@ rustls-tls = [
     "rustls-pemfile",
 ]
 tracing = ["dep:tracing"]
+derive = ["mysql_common/derive"]
 nightly = []
 
 [lib]

src/conn/mod.rs

@@ -473,17 +473,15 @@ impl Conn {
             .unwrap_or((0, 0, 0));
         self.inner.id = handshake.connection_id();
         self.inner.status = handshake.status_flags();
+
+        // Allow only CachingSha2Password and MysqlNativePassword here
+        // because sha256_password is deprecated and other plugins won't
+        // appear here.
         self.inner.auth_plugin = match handshake.auth_plugin() {
-            Some(AuthPlugin::MysqlNativePassword | AuthPlugin::MysqlOldPassword) => {
-                AuthPlugin::MysqlNativePassword
-            }
             Some(AuthPlugin::CachingSha2Password) => AuthPlugin::CachingSha2Password,
-            Some(AuthPlugin::Other(ref name)) => {
-                let name = String::from_utf8_lossy(name).into();
-                return Err(DriverError::UnknownAuthPlugin { name }.into());
-            }
-            None => AuthPlugin::MysqlNativePassword,
+            _ => AuthPlugin::MysqlNativePassword,
         };
+
         Ok(())
     }
 
@@ -567,13 +565,32 @@ impl Conn {
 
             self.inner.auth_plugin = auth_switch_request.auth_plugin().clone().into_owned();
 
-            let plugin_data = self
-                .inner
-                .auth_plugin
-                .gen_data(self.inner.opts.pass(), &*self.inner.nonce);
+            let plugin_data = match &self.inner.auth_plugin {
+                x @ AuthPlugin::CachingSha2Password => {
+                    x.gen_data(self.inner.opts.pass(), &self.inner.nonce)
+                }
+                x @ AuthPlugin::MysqlNativePassword => {
+                    x.gen_data(self.inner.opts.pass(), &self.inner.nonce)
+                }
+                x @ AuthPlugin::MysqlOldPassword => {
+                    if self.inner.opts.secure_auth() {
+                        return Err(DriverError::MysqlOldPasswordDisabled.into());
+                    } else {
+                        x.gen_data(self.inner.opts.pass(), &self.inner.nonce)
+                    }
+                }
+                x @ AuthPlugin::MysqlClearPassword => {
+                    if self.inner.opts.enable_cleartext_plugin() {
+                        x.gen_data(self.inner.opts.pass(), &self.inner.nonce)
+                    } else {
+                        return Err(DriverError::CleartextPluginDisabled.into());
+                    }
+                }
+                x @ AuthPlugin::Other(_) => x.gen_data(self.inner.opts.pass(), &self.inner.nonce),
+            };
 
             if let Some(plugin_data) = plugin_data {
-                self.write_struct(&plugin_data).await?;
+                self.write_struct(&plugin_data.into_owned()).await?;
             } else {
                 self.write_packet(crate::BUFFER_POOL.get()).await?;
             }
@@ -599,6 +616,14 @@ impl Conn {
                     self.continue_caching_sha2_password_auth().await?;
                     Ok(())
                 }
+                AuthPlugin::MysqlClearPassword => {
+                    if self.inner.opts.enable_cleartext_plugin() {
+                        self.continue_mysql_native_password_auth().await?;
+                        Ok(())
+                    } else {
+                        Err(DriverError::CleartextPluginDisabled.into())
+                    }
+                }
                 AuthPlugin::Other(ref name) => Err(DriverError::UnknownAuthPlugin {
                     name: String::from_utf8_lossy(name.as_ref()).to_string(),
                 }

src/conn/pool/mod.rs

@@ -461,7 +461,7 @@ mod test {
 
     #[tokio::test]
     async fn should_connect() -> super::Result<()> {
-        let pool = Pool::new(get_opts());
+        let pool = Pool::new(crate::Opts::from(get_opts()));
         pool.get_conn().await?.ping().await?;
         pool.disconnect().await?;
         Ok(())

src/error/mod.rs

@@ -163,6 +163,9 @@ pub enum DriverError {
 
     #[error("Client asked for SSL but server does not have this capability")]
     NoClientSslFlagFromServer,
+
+    #[error("mysql_clear_password must be enabled on the client side")]
+    CleartextPluginDisabled,
 }
 
 #[derive(Debug, Error)]

src/lib.rs

@@ -418,6 +418,9 @@
 #[cfg(feature = "nightly")]
 extern crate test;
 
+#[cfg(feature = "derive")]
+extern crate mysql_common;
+
 pub use mysql_common::{constants as consts, params};
 
 use std::sync::Arc;
@@ -481,7 +484,7 @@ pub use mysql_common::packets::{
         Gtids, Schema, SessionStateChange, SystemVariable, TransactionCharacteristics,
         TransactionState, Unsupported,
     },
-    BinlogDumpFlags, Column, Interval, OkPacket, SessionStateInfo, Sid,
+    BinlogDumpFlags, Column, GnoInterval, OkPacket, SessionStateInfo, Sid,
 };
 
 pub mod binlog {
@@ -541,9 +544,9 @@ pub mod prelude {
     #[doc(inline)]
     pub use crate::queryable::Queryable;
     #[doc(inline)]
-    pub use mysql_common::row::convert::FromRow;
+    pub use mysql_common::prelude::FromRow;
     #[doc(inline)]
-    pub use mysql_common::value::convert::{ConvIr, FromValue, ToValue};
+    pub use mysql_common::prelude::{FromValue, ToValue};
 
     /// Everything that is a statement.
     ///

src/opts/mod.rs

@@ -410,6 +410,17 @@ pub(crate) struct MysqlOpts {
     /// Changes the behavior of the affected count returned for writes (UPDATE/INSERT etc).
     /// It makes MySQL return the FOUND rows instead of the AFFECTED rows.
     client_found_rows: bool,
+
+    /// Enables Client-Side Cleartext Pluggable Authentication (defaults to `false`).
+    ///
+    /// Enables client to send passwords to the server as cleartext, without hashing or encryption
+    /// (consult MySql documentation for more info).
+    ///
+    /// # Security Notes
+    ///
+    /// Sending passwords as cleartext may be a security problem in some configurations. Please
+    /// consider using TLS or encrypted tunnels for server connection.
+    enable_cleartext_plugin: bool,
 }
 
 /// Mysql connection options.
@@ -747,6 +758,31 @@ impl Opts {
         self.inner.mysql_opts.client_found_rows
     }
 
+    /// Returns `true` if `mysql_clear_password` plugin support is enabled (defaults to `false`).
+    ///
+    /// `mysql_clear_password` enables client to send passwords to the server as cleartext, without
+    /// hashing or encryption (consult MySql documentation for more info).
+    ///
+    /// # Security Notes
+    ///
+    /// Sending passwords as cleartext may be a security problem in some configurations. Please
+    /// consider using TLS or encrypted tunnels for server connection.
+    ///
+    /// # Connection URL
+    ///
+    /// Use `enable_cleartext_plugin` URL parameter to set this value. E.g.
+    ///
+    /// ```
+    /// # use mysql_async::*;
+    /// # fn main() -> Result<()> {
+    /// let opts = Opts::from_url("mysql://localhost/db?enable_cleartext_plugin=true")?;
+    /// assert!(opts.enable_cleartext_plugin());
+    /// # Ok(()) }
+    /// ```
+    pub fn enable_cleartext_plugin(&self) -> bool {
+        self.inner.mysql_opts.enable_cleartext_plugin
+    }
+
     pub(crate) fn get_capabilities(&self) -> CapabilityFlags {
         let mut out = CapabilityFlags::CLIENT_PROTOCOL_41
             | CapabilityFlags::CLIENT_SECURE_CONNECTION
@@ -797,6 +833,7 @@ impl Default for MysqlOpts {
             wait_timeout: None,
             secure_auth: true,
             client_found_rows: false,
+            enable_cleartext_plugin: false,
         }
     }
 }
@@ -1053,6 +1090,32 @@ impl OptsBuilder {
         self.opts.client_found_rows = client_found_rows;
         self
     }
+
+    /// Enables Client-Side Cleartext Pluggable Authentication (defaults to `false`).
+    ///
+    /// Enables client to send passwords to the server as cleartext, without hashing or encryption
+    /// (consult MySql documentation for more info).
+    ///
+    /// # Security Notes
+    ///
+    /// Sending passwords as cleartext may be a security problem in some configurations. Please
+    /// consider using TLS or encrypted tunnels for server connection.
+    ///
+    /// # Connection URL
+    ///
+    /// Use `enable_cleartext_plugin` URL parameter to set this value. E.g.
+    ///
+    /// ```
+    /// # use mysql_async::*;
+    /// # fn main() -> Result<()> {
+    /// let opts = Opts::from_url("mysql://localhost/db?enable_cleartext_plugin=true")?;
+    /// assert!(opts.enable_cleartext_plugin());
+    /// # Ok(()) }
+    /// ```
+    pub fn enable_cleartext_plugin(mut self, enable_cleartext_plugin: bool) -> Self {
+        self.opts.enable_cleartext_plugin = enable_cleartext_plugin;
+        self
+    }
 }
 
 impl From<OptsBuilder> for Opts {
@@ -1235,6 +1298,16 @@ fn mysqlopts_from_url(url: &Url) -> std::result::Result<MysqlOpts, UrlError> {
                     });
                 }
             }
+        } else if key == "enable_cleartext_plugin" {
+            match bool::from_str(&*value) {
+                Ok(parsed) => opts.enable_cleartext_plugin = parsed,
+                Err(_) => {
+                    return Err(UrlError::InvalidParamValue {
+                        param: key.to_string(),
+                        value,
+                    });
+                }
+            }
         } else if key == "tcp_nodelay" {
             match bool::from_str(&*value) {
                 Ok(value) => opts.tcp_nodelay = value,

tests/exports.rs

@@ -4,12 +4,14 @@ use mysql_async::{
     futures::{DisconnectPool, GetConn},
     params,
     prelude::{
-        BatchQuery, ConvIr, FromRow, FromValue, GlobalHandler, Protocol, Query, Queryable,
-        StatementLike, ToValue,
+        BatchQuery, FromRow, FromValue, GlobalHandler, Protocol, Query, Queryable, StatementLike,
+        ToValue,
     },
-    BinaryProtocol, Column, Conn, Deserialized, DriverError, Error, FromRowError, FromValueError,
-    IoError, IsolationLevel, Opts, OptsBuilder, Params, ParseError, Pool, PoolConstraints,
-    PoolOpts, QueryResult, Result, Row, Serialized, ServerError, SslOpts, Statement, TextProtocol,
-    Transaction, TxOpts, UrlError, Value, WhiteListFsHandler, DEFAULT_INACTIVE_CONNECTION_TTL,
+    BinaryProtocol, BinlogDumpFlags, BinlogRequest, Column, Conn, Deserialized, DriverError, Error,
+    FromRowError, FromValueError, GnoInterval, Gtids, IoError, IsolationLevel, OkPacket, Opts,
+    OptsBuilder, Params, ParseError, Pool, PoolConstraints, PoolOpts, QueryResult, Result, Row,
+    Schema, Serialized, ServerError, SessionStateChange, SessionStateInfo, Sid, SslOpts, Statement,
+    SystemVariable, TextProtocol, Transaction, TransactionCharacteristics, TransactionState,
+    TxOpts, Unsupported, UrlError, Value, WhiteListFsHandler, DEFAULT_INACTIVE_CONNECTION_TTL,
     DEFAULT_TTL_CHECK_INTERVAL,
 };