set system.clients empty columns

ptrsmrn · ptrsmrn · commit 8b27b760650b · 2025-02-21T14:19:42.000+01:00
Depends on scylladb/seastar#2651 Missing columns have been present since probably forever - they were added to the schema but never assigned any value: ``` cqlsh> select * from system.clients; ------------------+------------------------ ... hostname | null ... ssl_cipher_suite | null ssl_enabled | null ssl_protocol | null ... ``` This patch sets values of these columns: - `hostname` is always filled in, - with TLS connection, remaining 3 TSL-related fields are filled in, - without TLS, `ssl_enabled` is set to `false` and other columns are `null`. Fixes: scylladb#9216
diff --git a/generic_server.hh b/generic_server.hh
@@ -43,7 +43,7 @@ public:
     execute_under_tenant_type _execute_under_current_tenant = no_tenant();
 protected:
     server& _server;
-    connected_socket _fd;
+    mutable connected_socket _fd;
     input_stream<char> _read_buf;
     output_stream<char> _write_buf;
     future<> _ready_to_respond = make_ready_future<>();
diff --git a/test/cqlpy/test_ssl.py b/test/cqlpy/test_ssl.py
@@ -12,6 +12,22 @@
 
 import ssl
 import cassandra.cluster
+import re
+
+
+# This function normalizes the SSL cipher suite name, which we need because:
+# - python's library, which tests' driver uses,
+# - C's library, which scylla server uses,
+# namings conventions are different, and we cannot simply compare them for equality.
+def normalize_cipher(cipher_name: str) -> str:
+    if cipher_name.startswith("TLS_"):
+        cipher_name = cipher_name[len("TLS_"):] # Remove leading "TLS_" if present.
+    cipher_name = cipher_name.replace("_WITH_", "-")
+    cipher_name = cipher_name.replace("_", "-")
+    # Remove hyphen between letters and digits: e.g. convert "AES-256" to "AES256"
+    cipher_name = re.sub(r'([A-Z]+)-(\d+)', r'\1\2', cipher_name)
+    return cipher_name
+
 
 # Test that TLS 1.2 is supported (because this is what "cqlsh --ssl" uses
 # by default), and that other TLS version are either supported - or if
@@ -27,8 +43,8 @@ def test_tls_versions(cql):
     # TLS v1.2 must be supported, because this is the default version that
     # "cqlsh --ssl" uses. If this fact changes in the future, we may need
     # to reconsider this test.
-    try_connect(cql.cluster, ssl.TLSVersion.TLSv1_2)
-    print(f"{ssl.TLSVersion.TLSv1_2} supported")
+    with try_connect(cql.cluster, ssl.TLSVersion.TLSv1_2):
+        print(f"{ssl.TLSVersion.TLSv1_2} supported")
 
     # All other protocol versions should either work (if Scylla is configured
     # to allow them) or fail with the expected error message.
@@ -37,15 +53,31 @@ def test_tls_versions(cql):
                         ssl.TLSVersion.TLSv1,
                         ssl.TLSVersion.SSLv3]:
         try:
-            try_connect(cql.cluster, ssl_version)
-            print(f"{ssl_version} supported")
+            with try_connect(cql.cluster, ssl_version) as session:
+                print(f"{ssl_version} supported")
+                table_result = session.execute(f"SELECT * FROM system.clients")
+                for row in table_result:
+                    assert row.ssl_enabled == True     # ' == True` is redundant, but makes it clear
+                    assert row.hostname == '127.0.0.1' # is that always the case?
+                    # Even if we request to connect with a specific SSL version,
+                    # the connection may end up negotiating a different version,
+                    # thus we can't assert for a specific match.
+                    assert row.ssl_protocol in ["TLS1", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3", "SSL3"]
+                    # The session object returned by the Cassandra driver's connect() method
+                    # does not expose the low‑level TLS session details, such as the negotiated cipher suite,
+                    # so we need to, again, assert that it matches one of the expected values.
+                    expected_ciphers = [normalize_cipher(cipher['name']) for cipher in ssl.create_default_context().get_ciphers()]
+                    actual_cipher = normalize_cipher(row.ssl_cipher_suite)
+                    assert actual_cipher in expected_ciphers
         except cassandra.cluster.NoHostAvailable as e:
             # For the various TLS versions, we get the new TLS alert
             # "protocol version". But for SSL, we get the older
             # "no protocols available" error.
             assert 'protocol version' in str(e) or 'no protocols available' in str(e)
             print(f"{ssl_version} not supported")
 
+
+@contextmanager
 def try_connect(orig_cluster, ssl_version):
     ssl_context=ssl.SSLContext(ssl.PROTOCOL_TLS)
     ssl_context.minimum_version = ssl_version
@@ -63,8 +95,11 @@ def try_connect(orig_cluster, ssl_version):
         # so let's increase them to 60 seconds. See issue #11289.
         connect_timeout = 60,
         control_connection_timeout = 60)
-    cluster.connect()
-    cluster.shutdown()
+    try:
+        session = cluster.connect()
+        yield session
+    finally:
+        cluster.shutdown()
 
 # Test that if we try to connect to an SSL port with *unencrypted* CQL,
 # it doesn't work.
diff --git a/test/cqlpy/test_system.py b/test/cqlpy/test_system.py
@@ -0,0 +1,20 @@
+# Copyright 2025-present ScyllaDB
+#
+# SPDX-License-Identifier: LicenseRef-ScyllaDB-Source-Available-1.0
+
+#############################################################################
+# Tests asserting correct values are kept in system keyspaces
+#############################################################################
+
+import pytest
+
+# By default, tests run CQL over unencrypted sockets,
+# so no extra SSL config is required in this testcase.
+# The opposite testcase is test_ssl.py::test_tls_versions
+def test_system_clients_keeps_correct_tls_entries_when_tls_disabled(cql):
+    table_result = cql.execute("SELECT * FROM system.clients")
+    for row in table_result:
+        assert row.hostname == '127.0.0.1' # is that always the case?
+        assert row.ssl_enabled == False
+        assert row.ssl_protocol is None
+        assert row.ssl_cipher_suite is None
diff --git a/transport/server.cc b/transport/server.cc
@@ -650,6 +650,16 @@ client_data cql_server::connection::make_client_data() const {
         cd.connection_stage = client_connection_stage::authenticating;
     }
     cd.scheduling_group_name = _current_scheduling_group.name();
+    std::stringstream ss;
+    ss << _client_state.get_remote_address().addr().as_ipv4_address();
+    cd.hostname = ss.str();
+    try {
+        cd.ssl_enabled = tls::is_operational(_fd);
+        cd.ssl_protocol = tls::get_protocol_version(_fd);
+        cd.ssl_cipher_suite = tls::get_cipher_suite(_fd);
+    } catch (const std::invalid_argument&) {
+        cd.ssl_enabled = false;
+    }
     return cd;
 }
 
