Implement mysql_clear_password

sqlx-mysql/src/connection/auth.rs

@@ -27,6 +27,12 @@ impl AuthPlugin {
 
             // https://mariadb.com/kb/en/sha256_password-plugin/
             AuthPlugin::Sha256Password => encrypt_rsa(stream, 0x01, password, nonce).await,
+
+            AuthPlugin::MySqlClearPassword => {
+                let mut pw_bytes = password.as_bytes().to_owned();
+                pw_bytes.push(0); // null terminate
+                Ok(pw_bytes)
+            },
         }
     }
 

sqlx-mysql/src/protocol/auth.rs

@@ -7,6 +7,7 @@ pub enum AuthPlugin {
     MySqlNativePassword,
     CachingSha2Password,
     Sha256Password,
+    MySqlClearPassword,
 }
 
 impl AuthPlugin {
@@ -15,6 +16,7 @@ impl AuthPlugin {
             AuthPlugin::MySqlNativePassword => "mysql_native_password",
             AuthPlugin::CachingSha2Password => "caching_sha2_password",
             AuthPlugin::Sha256Password => "sha256_password",
+            AuthPlugin::MySqlClearPassword => "mysql_clear_password",
         }
     }
 }
@@ -27,6 +29,7 @@ impl FromStr for AuthPlugin {
             "mysql_native_password" => Ok(AuthPlugin::MySqlNativePassword),
             "caching_sha2_password" => Ok(AuthPlugin::CachingSha2Password),
             "sha256_password" => Ok(AuthPlugin::Sha256Password),
+            "mysql_clear_password" => Ok(AuthPlugin::MySqlClearPassword),
 
             _ => Err(err_protocol!("unknown authentication plugin: {}", s)),
         }

sqlx-mysql/src/protocol/connect/auth_switch.rs

@@ -26,6 +26,17 @@ impl Decode<'_> for AuthSwitchRequest {
 
         let plugin = buf.get_str_nul()?.parse()?;
 
+        if matches!(plugin, AuthPlugin::MySqlClearPassword) && buf.is_empty() {
+            // Contrary to the MySQL protocol, AWS Aurora with IAM sends
+            // no data. That is fine because the mysql_clear_password says to
+            // ignore any data sent.
+            // See: https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_connection_phase_authentication_methods_clear_text_password.html
+            return Ok(Self {
+                plugin,
+                data: Bytes::new(),
+            });
+        }
+
         // See: https://github.com/mysql/mysql-server/blob/ea7d2e2d16ac03afdd9cb72a972a95981107bf51/sql/auth/sha2_password.cc#L942
         if buf.len() != 21 {
             return Err(err_protocol!(
@@ -48,3 +59,23 @@ impl Encode<'_, Capabilities> for AuthSwitchResponse {
         buf.extend_from_slice(&self.0);
     }
 }
+
+#[test]
+fn test_decode_auth_switch_packet_data() {
+    const AUTH_SWITCH_NO_DATA: &[u8] = b"\xfecaching_sha2_password\x00abcdefghijabcdefghij\x00";
+
+    let p = AuthSwitchRequest::decode_with(AUTH_SWITCH_NO_DATA.into(), ()).unwrap();
+
+    assert!(matches!(p.plugin, AuthPlugin::CachingSha2Password));
+    assert_eq!(p.data, &b"abcdefghijabcdefghij"[..]);
+}
+
+#[test]
+fn test_decode_auth_switch_packet_no_data() {
+    const AUTH_SWITCH_NO_DATA: &[u8] = b"\xfemysql_clear_password\x00";
+
+    let p = AuthSwitchRequest::decode_with(AUTH_SWITCH_NO_DATA.into(), ()).unwrap();
+
+    assert!(matches!(p.plugin, AuthPlugin::MySqlClearPassword));
+    assert_eq!(p.data, Bytes::new());
+}