CASSGO-45 Return error instead of panic when host address is invalid

[tengu-alt]

Fix for the #1370

ConnectAddress() was refactored and returns an error instead of panic.

[joao-r-reis]

Left some comments. The host selection / load balancing policies need some changes, we shouldn't assume the address is always valid on those implementations.

[joao-r-reis]

maybe this should be t.Fatal so the behavior of this test is consistent after the change?

[tengu-alt]

Agree, fixed

[joao-r-reis]

Usually we add a message for this error before we add the actual error string so something like:
c.session.logger.Printf("gocql: unable to use host for control connection, skipping it: %v\n", err)

[tengu-alt]

Fixed

[joao-r-reis]

same as comment above

[joao-r-reis]

t.Errorf("could not get connect address of host %q to compare with expected: %v", test.addr, err)

[joao-r-reis]

if err != nil I don't think it should be whitelisted, it should just continue

[joao-r-reis]

just return if unable to get conn addr but also need to add a check for this in AddHost so hosts with invalid connect addresses are not added

[joao-r-reis]

same as above, check in AddHost so we don't add hosts with invalid addresses and then we can just return here when unable to get connAddr

[tengu-alt]

done

[joao-r-reis]

we shouldn't really ignore these errors, it's better to handle them than assuming that connAddr is always valid, just continue if unable to get connAddr

[joao-r-reis]

We definitely should not be creating metrics objects for hosts with invalid connect addresses since they won't be used anyway.

[tengu-alt]

Agree, fixed

[joao-r-reis]

Will this print an empty string if err != nil ? Printing empty string on the address part could be fine but we could also print nil instead

[tengu-alt]

As I have checked, it will print a nil

[joao-r-reis]

Also can you create a JIRA for this?

[tengu-alt]

Also can you create a JIRA for this?

Of course, currently working on refactoring.

[joao-r-reis]

I just had a realization that we are probably going about this the wrong way. Instead of changing ConnectAddress() to return an error we should probably ensure that we never create Host objects with invalid addresses in the first place, I think that would result in a clearer API and less intrusive changes to users.

Sorry for not realizing this earlier, I know you already worked a bit on this approach but I really think we should change the approach here.

First step is to find all occurences of straight Host struct initialization and replace them with a newHostInfo(addr net.IP, port int) (*Host, error) so that the ip validation occurs here in this method instead of host.ConnectAddress(). The only place where it will require some more changes is in func (r *ringDescriber) getClusterPeerInfo(localHost *HostInfo) ([]*HostInfo, error) because here the object is created without an IP address since it will be set after reading the columns from system.peers. A possible approach is to move the logic from h.connectAddressLocked() to a function outside of the hostinfo type, use it to compute the connect address and then use the result to create the host info object afterwards. After this change, I think h.ConnectAddress() can always read the value from the h.connectAddress field. After this change, h.SetConnectAddress should be changed to return an error in case the provided address is invalid (this is only in case a user is using this function because the driver itself doesn't use it).

[tengu-alt]

Understood, I will work on it.

[tengu-alt]

A possible approach is to move the logic from h.connectAddressLocked() to a function outside of the hostinfo type, use it to compute the connect address and then use the result to create the host info object afterwards.

I don't clearly understand how we can use the logic from the h.connectAddressLocked() if it computes connectAddress according to the IP's from the host which needs to be filled. As I see those IP's are filled inside of the hostInfoFromMap() method which requires *HostInfo.

I think it is better to create raw structure here as it is now, and add the validation inside of the hostInfoFromMap()
something like this:

	ip, port := s.cfg.translateAddressPort(host.ConnectAddress(), host.port)
	if !validIpAddr(ip) {
		return nil, errors.New("invalid connect address")
	}
	host.connectAddress = ip
	host.port = port

or validate it inside of getClusterPeerInfo()

[joao-r-reis]

I don't clearly understand how we can use the logic from the h.connectAddressLocked() if it computes connectAddress according to the IP's from the host which needs to be filled. As I see those IP's are filled inside of the hostInfoFromMap() method which requires *HostInfo.

You would have those IPs as parameters of the function instead for example.

I think it is better to create raw structure here as it is now, and add the validation inside of the hostInfoFromMap()
something like this:

This can also work, as long as we guarantee that we don't have HostInfo objects going around with invalid IPs then I'm ok with it. I suggested the NewHostInfo function and replacing direct struct initialization with this function call because it would be a guaranteed way to ensure HostInfo objects always have valid IP addresses in the future

[tengu-alt]

@joao-r-reis I've made an update. I decided to add validation into hostInfoFromMap() for cases when we can't provide connectAddress for the constructor func (I have found another place inside of func (r *ringDescriber) getLocalHostInfo() (*HostInfo, error))

[joao-r-reis]

Added a comment about existing HostInfo struct initialization references in the codebase

[joao-r-reis]

move this check to the top

[joao-r-reis]

hostAddr := host.ConnectAddress()
return nil, fmt.Errorf("invalid connect address after translating %v:%v", hostAddr.String(), host.port)

[joao-r-reis]

There's no case where the connectAddressLocked() function should ever return a non nil err now so it can be changed to just return the address (basically remove the validation).

[joao-r-reis]

c.host.ConnectAdress()

[joao-r-reis]

my suggestion to use newHostInfo was so that we could standardize every creation of a host info object to use this function so we ensure there is no host info object with an invalid connect address but as it stands in this PR we still have a few places where the host info struct is being created and initialized directly.

E.g. in hostInfoFromIter the host info can be created with a nil connect address but it is provided immediately to hostInfoFromMap which will fix it. This is fine with me but we should make it a bit more consistent.

As I see it, there's currently 3 different ways to create a host info object:

1. create an "empty" host info object with a nil connect address + default port and call hostInfoFromMap to "fill" it
2. create a host info object from a contact point
3. update existing host info object with new values from system.peers/system.local (also done with hostInfoFromMap) - this is usually done on a host info created by 2)

For 1) I think we can add a new method session.newHostInfoFromMap(addr net.IP, port int, row map[string]interface{}) that just wraps around hostInfoFromMap:

func (s *Session) newHostInfoFromMap(addr net.IP, port int, row map[string]interface{}) (*HostInfo, error) {
	return s.hostInfoFromMap(row, &HostInfo{connectAddress: addr , port: port})
}

For 2. we can use the new newHostInfo function you created.

For 3) we can use hostInfoFromMap or we can use session.newHostInfoFromMap just like in 1)

In summary we will have hostInfo struct being created in 2 places only: session.newHostInfoFromMap() and newHostInfo() and in both of these 2 places we are ensuring that the object being returned has a valid address. Any host info struct initialization in the codebase should be replaced by a call to either session.newHostInfoFromMap or newHostInfo()