CONCPP-75 Introducing the option to restrict the list of auth plugins

lawrinn · lawrinn · commit 218e3ec856c6 · 2025-09-29T14:17:21.000+02:00
The name of the option is restrictedAuth

Application has to provide comma separated list of allowed plugins.
Empty list means everything is allowed.
The full list of available plugins is mysql_native_password, client_ed25519,
auth_gssapi_client, caching_sha2_password, dialog and mysql_clear_password
diff --git a/README b/README
@@ -119,6 +119,10 @@ useBulkStmts             Use dedicated COM_STMT_BULK_EXECUTE protocol for
 connectionAttributes     If performance_schema is enabled, permits to send server
                          some client information in a key:value pair format
                          (example: connectionAttributes=key1:value1,key2,value2)      string
+restrictedAuth           A comma separated list of allowed to use client-side plugins.
+                         The full list of available plugins is mysql_native_password,
+                         client_ed25519, auth_gssapi_client, caching_sha2_password,
+                         dialog and mysql_clear_password                              string
 
 
 Properties is map of strings, and is another way to pass optional parameters.
diff --git a/README.md b/README.md
@@ -89,6 +89,7 @@ The list of supported options:
 | **`rewriteBatchedStatements`** |For insert queries, rewrites batchedStatement to execute in a single executeQuery. Example: insert into ab (i) values (?) with first batch values = 1, second = 2 will be rewritten as INSERT INTO ab (i) VALUES (1), (2).  If query cannot be rewriten in "multi-values", rewrite will use multi-queries : INSERT INTO TABLE(col1) VALUES (?) ON DUPLICATE KEY UPDATE col2=? with values [1,2] and [2,3]\" will be rewritten as INSERT INTO TABLE(col1) VALUES (1) ON DUPLICATE KEY UPDATE col2=2;INSERT INTO TABLE(col1) VALUES (3) ON DUPLICATE KEY UPDATE col2=4 If active, the useServerPrepStmts option is set to false.|*bool* |false||
 | **`useBulkStmts`** |Use dedicated COM_STMT_BULK_EXECUTE protocol for executeBatch if possible. Can be significanlty faster. (works only with server MariaDB >= 10.2.7).|*bool* |false||
 | **`connectionAttributes`** |If performance_schema is enabled, permits to send server some client information in a key:value pair format (example: connectionAttributes=key1:value1,key2,value2) This information can be retrieved on server within tables performance_schema.session_connect_attrs and performance_schema.session_account_connect_attrs. This allows an identification of client/application on server|*string* |||
+| **`restrictedAuth`** |A comma separated list of allowed to use client-side plugins. The full list of available plugins is mysql_native_password, client_ed25519, auth_gssapi_client, caching_sha2_password, dialog and mysql_clear_password|*string* |||
 
 
 Properties is map of strings, and is another way to pass optional parameters.
diff --git a/src/options/DefaultOptions.cpp b/src/options/DefaultOptions.cpp
@@ -1,5 +1,5 @@
 /************************************************************************************
-   Copyright (C) 2020, 2023 MariaDB Corporation AB
+   Copyright (C) 2020, 2025 MariaDB Corporation plc
 
    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Library General Public
@@ -704,6 +704,14 @@ namespace sql
         "Default authentication client-side plugin to use",
         false,
         ""}
+      },
+      {
+        "restrictedAuth", {"restrictedAuth",
+        "1.0.6",
+        "A comma separated list of allowed to use client-side plugins. The full list of available plugins is"
+        " mysql_native_password, client_ed25519, auth_gssapi_client, caching_sha2_password, dialog and mysql_clear_password",
+        false,
+        ""}
       }
     };
 
diff --git a/src/options/Options.cpp b/src/options/Options.cpp
@@ -1,5 +1,5 @@
 /************************************************************************************
-   Copyright (C) 2020 MariaDB Corporation AB
+   Copyright (C) 2020,2025 MariaDB Corporation plc
 
    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Library General Public
@@ -139,7 +139,8 @@ namespace mariadb
     OPTIONS_FIELD(useResetConnection),
     OPTIONS_FIELD(useReadAheadInput),
     OPTIONS_FIELD(serverRsaPublicKeyFile),
-    OPTIONS_FIELD(tlsPeerFP)
+    OPTIONS_FIELD(tlsPeerFP),
+    OPTIONS_FIELD(restrictedAuth)
   };
 
 
@@ -519,6 +520,9 @@ namespace mariadb
     if (!(tlsPeerFPList.compare(opt->tlsPeerFPList) == 0)) {
       return false;
     }
+    if (!(restrictedAuth.compare(opt->restrictedAuth) == 0)) {
+      return false;
+    }
     return minPoolSize == opt->minPoolSize;
   }
 
@@ -612,9 +616,11 @@ namespace mariadb
     result= 31 *result + (autocommit ? 1 : 0);
     result= 31 *result + (!credentialType.empty() ? credentialType.hashCode() : 0);
 
-    result= 31 *result + (!nonMappedOptions.empty() ? hashProps(nonMappedOptions) : 0);
+    result= 31*result + (!nonMappedOptions.empty() ? hashProps(nonMappedOptions) : 0);
+
+    result= 31*result + (!tlsPeerFPList.empty() ? tlsPeerFPList.hashCode() : 0);
+    result= 31*result + (!restrictedAuth.empty() ? restrictedAuth.hashCode() : 0);
 
-    result= 31 *result + (!tlsPeerFPList.empty() ? tlsPeerFPList.hashCode() : 0);
     return result;
   }
 
diff --git a/src/options/Options.h b/src/options/Options.h
@@ -1,5 +1,5 @@
 /************************************************************************************
-   Copyright (C) 2020,2023 MariaDB Corporation AB
+   Copyright (C) 2020,2025 MariaDB Corporation plc
 
    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Library General Public
@@ -137,6 +137,7 @@ struct Options
   bool      useReadAheadInput= true;
   SQLString serverRsaPublicKeyFile;
   SQLString tlsPeerFP;
+  SQLString restrictedAuth;
 
   SQLString toString() const;
   bool      equals(Options* obj);
diff --git a/src/protocol/capi/ConnectProtocol.cpp b/src/protocol/capi/ConnectProtocol.cpp
@@ -452,6 +452,9 @@ namespace capi
     mysql_optionsv(connection.get(), MYSQL_REPORT_DATA_TRUNCATION, &uintOptionSelected);
     mysql_optionsv(connection.get(), MYSQL_OPT_LOCAL_INFILE, (options->allowLocalInfile ? &uintOptionSelected : &uintOptionNotSelected));
 
+    if (!options.get()->restrictedAuth.empty()) {
+      mysql_optionsv(connection.get(), MARIADB_OPT_RESTRICTED_AUTH, options.get()->restrictedAuth.c_str());
+    }
     if (mysql_real_connect(connection.get(), NULL, NULL, NULL, NULL, 0, NULL, CLIENT_MULTI_STATEMENTS) == nullptr)
     {
       throw SQLException(mysql_error(connection.get()), mysql_sqlstate(connection.get()), mysql_errno(connection.get()));

Original file line number	Diff line number	Diff line change
`@@ -452,6 +452,9 @@ namespace capi`
`452`	`452`	`mysql_optionsv(connection.get(), MYSQL_REPORT_DATA_TRUNCATION, &uintOptionSelected);`
`453`	`453`	`mysql_optionsv(connection.get(), MYSQL_OPT_LOCAL_INFILE, (options->allowLocalInfile ? &uintOptionSelected : &uintOptionNotSelected));`
`454`	`454`
	`455`	`+ if (!options.get()->restrictedAuth.empty()) {`
	`456`	`+ mysql_optionsv(connection.get(), MARIADB_OPT_RESTRICTED_AUTH, options.get()->restrictedAuth.c_str());`
	`457`	`+ }`
`455`	`458`	`if (mysql_real_connect(connection.get(), NULL, NULL, NULL, NULL, 0, NULL, CLIENT_MULTI_STATEMENTS) == nullptr)`
`456`	`459`	`{`
`457`	`460`	`throw SQLException(mysql_error(connection.get()), mysql_sqlstate(connection.get()), mysql_errno(connection.get()));`