CASSGO-45 ConnectAddress() should not panic and HostInfo should not be created with invalid connect address

[tengu-alt]

Fix for the #1370

Panic from the ConnectAddress() was removed.
HostInfo struct creation was refactored to create via constructor to make sure the address is valid.

[joao-r-reis]

Left some comments. The host selection / load balancing policies need some changes, we shouldn't assume the address is always valid on those implementations.

[joao-r-reis]

maybe this should be t.Fatal so the behavior of this test is consistent after the change?

[tengu-alt]

Agree, fixed

[joao-r-reis]

Usually we add a message for this error before we add the actual error string so something like:
c.session.logger.Printf("gocql: unable to use host for control connection, skipping it: %v\n", err)

[tengu-alt]

Fixed

[joao-r-reis]

same as comment above

[joao-r-reis]

t.Errorf("could not get connect address of host %q to compare with expected: %v", test.addr, err)

[joao-r-reis]

if err != nil I don't think it should be whitelisted, it should just continue

[joao-r-reis]

just return if unable to get conn addr but also need to add a check for this in AddHost so hosts with invalid connect addresses are not added

[joao-r-reis]

same as above, check in AddHost so we don't add hosts with invalid addresses and then we can just return here when unable to get connAddr

[tengu-alt]

done

[joao-r-reis]

we shouldn't really ignore these errors, it's better to handle them than assuming that connAddr is always valid, just continue if unable to get connAddr

[joao-r-reis]

We definitely should not be creating metrics objects for hosts with invalid connect addresses since they won't be used anyway.

[tengu-alt]

Agree, fixed

[joao-r-reis]

Will this print an empty string if err != nil ? Printing empty string on the address part could be fine but we could also print nil instead

[tengu-alt]

As I have checked, it will print a nil

[joao-r-reis]

Also can you create a JIRA for this?

[tengu-alt]

Also can you create a JIRA for this?

Of course, currently working on refactoring.

[joao-r-reis]

I just had a realization that we are probably going about this the wrong way. Instead of changing ConnectAddress() to return an error we should probably ensure that we never create Host objects with invalid addresses in the first place, I think that would result in a clearer API and less intrusive changes to users.

Sorry for not realizing this earlier, I know you already worked a bit on this approach but I really think we should change the approach here.

First step is to find all occurences of straight Host struct initialization and replace them with a newHostInfo(addr net.IP, port int) (*Host, error) so that the ip validation occurs here in this method instead of host.ConnectAddress(). The only place where it will require some more changes is in func (r *ringDescriber) getClusterPeerInfo(localHost *HostInfo) ([]*HostInfo, error) because here the object is created without an IP address since it will be set after reading the columns from system.peers. A possible approach is to move the logic from h.connectAddressLocked() to a function outside of the hostinfo type, use it to compute the connect address and then use the result to create the host info object afterwards. After this change, I think h.ConnectAddress() can always read the value from the h.connectAddress field. After this change, h.SetConnectAddress should be changed to return an error in case the provided address is invalid (this is only in case a user is using this function because the driver itself doesn't use it).

[tengu-alt]

Understood, I will work on it.

[tengu-alt]

A possible approach is to move the logic from h.connectAddressLocked() to a function outside of the hostinfo type, use it to compute the connect address and then use the result to create the host info object afterwards.

I don't clearly understand how we can use the logic from the h.connectAddressLocked() if it computes connectAddress according to the IP's from the host which needs to be filled. As I see those IP's are filled inside of the hostInfoFromMap() method which requires *HostInfo.

I think it is better to create raw structure here as it is now, and add the validation inside of the hostInfoFromMap()
something like this:

	ip, port := s.cfg.translateAddressPort(host.ConnectAddress(), host.port)
	if !validIpAddr(ip) {
		return nil, errors.New("invalid connect address")
	}
	host.connectAddress = ip
	host.port = port

or validate it inside of getClusterPeerInfo()

[joao-r-reis]

I don't clearly understand how we can use the logic from the h.connectAddressLocked() if it computes connectAddress according to the IP's from the host which needs to be filled. As I see those IP's are filled inside of the hostInfoFromMap() method which requires *HostInfo.

You would have those IPs as parameters of the function instead for example.

I think it is better to create raw structure here as it is now, and add the validation inside of the hostInfoFromMap()
something like this:

This can also work, as long as we guarantee that we don't have HostInfo objects going around with invalid IPs then I'm ok with it. I suggested the NewHostInfo function and replacing direct struct initialization with this function call because it would be a guaranteed way to ensure HostInfo objects always have valid IP addresses in the future

[tengu-alt]

@joao-r-reis I've made an update. I decided to add validation into hostInfoFromMap() for cases when we can't provide connectAddress for the constructor func (I have found another place inside of func (r *ringDescriber) getLocalHostInfo() (*HostInfo, error))

[joao-r-reis]

Added a comment about existing HostInfo struct initialization references in the codebase

[joao-r-reis]

hostAddr := host.ConnectAddress()
return nil, fmt.Errorf("invalid connect address after translating %v:%v", hostAddr.String(), host.port)

[joao-r-reis]

c.host.ConnectAdress()

[joao-r-reis]

I honestly think we should just remove this method, what do you think @jameshartig ? Allowing users to just modify the connect address on a host is weird, there's already an AddressTranslator interface for this.

[jameshartig]

Typically I'd like to go through a version or so of it being deprecated but since we're about to cut a major release I think it makes sense to remove it and we can always add it back if there's a reason to.

[joao-r-reis]

Couple of comments

[joao-r-reis]

Just realized this will be called even if there is no address translator so maybe changing this error message to be less confusing:

"invalid host address (before translation: %v:%v, after translation: %v:%v)", host.ConnectAddress(), host.port, ip.String(), port)

[tengu-alt]

Refactored

[joao-r-reis]

We should keep the validIpAddr check on all of these (except the last) so that the "fallback" priority still works otherwise this would be a behavior change and could cause bugs.

Just skip the check on the last one (h.peer), this will be checked either way in hostInfoFromMap before returning the host info object so we're good.

[tengu-alt]

Fixed

[jameshartig]

Overall good, but I agree, let's remove SetConnectAddress

[tengu-alt]

Done.

[jameshartig]

@joao-r-reis want to give your approval?

[tengu-alt]

@joao-r-reis I have updated the changelog and the commit message.