Add ability to connect to nodes through proxy

Services deployed in cloud often are hidden behind proxy which
dispatches connections based on Server Name Identifier (SNI)
taken from TLS Client Hello packet.
New method of creating ClusterConfig - NewCloudCluster - allows to
connect to nodes behind SNI proxy based on provided configuration file.

Because each datacenter may have different TLS configurtion (CA, proxy
address etc), more granular method of configuring connection details was
needed. CloudCluster use special HostDialer which connect to nodes using
information taken from HostInfo (datacenter, host_id) to go through SNI
proxy.

Author: zimnx

cloud_cluster_test.go

@@ -0,0 +1,304 @@
+//go:build integration && scylla
+// +build integration,scylla
+
+package gocql_test
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/gocql/gocql"
+	"github.com/gocql/gocql/scyllacloud"
+	"sigs.k8s.io/yaml"
+)
+
+func TestCloudConnection(t *testing.T) {
+	if !*gocql.FlagRunSslTest {
+		t.Skip("Skipping because SSL is not enabled on cluster")
+	}
+
+	const (
+		sslPort        = 9142
+		datacenterName = "datacenter1"
+	)
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	hosts := map[string]string{}
+
+	cluster := gocql.CreateCluster(func(config *gocql.ClusterConfig) {
+		config.Port = sslPort
+	})
+	session, err := cluster.CreateSession()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var localAddress string
+	var localHostID gocql.UUID
+	scanner := session.Query("SELECT broadcast_address, host_id FROM system.local").Iter().Scanner()
+	if scanner.Next() {
+		if err := scanner.Scan(&localAddress, &localHostID); err != nil {
+			t.Fatal(err)
+		}
+		hosts[localHostID.String()] = net.JoinHostPort(localAddress, fmt.Sprintf("%d", sslPort))
+	}
+
+	var peerAddress string
+	var peerHostID gocql.UUID
+	scanner = session.Query("SELECT peer, host_id FROM system.peers").Iter().Scanner()
+	for scanner.Next() {
+		if err := scanner.Scan(&peerAddress, &peerHostID); err != nil {
+			t.Fatal(err)
+		}
+		hosts[peerHostID.String()] = net.JoinHostPort(peerAddress, fmt.Sprintf("%d", sslPort))
+	}
+
+	session.Close()
+
+	logger := gocql.TestLogger
+	defer func() {
+		if t.Failed() {
+			os.Stdout.WriteString(logger.String())
+		}
+	}()
+
+	proxy := &sniProxy{
+		hosts:          hosts,
+		defaultBackend: net.JoinHostPort(localAddress, fmt.Sprintf("%d", sslPort)),
+		logger:         logger,
+	}
+
+	proxyAddress, err := proxy.Run(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer proxy.Close()
+
+	cc := &scyllacloud.ConnectionConfig{
+		Datacenters: map[string]*scyllacloud.Datacenter{
+			datacenterName: {
+				CertificateAuthorityPath: "testdata/pki/ca.crt",
+				Server:                   proxyAddress,
+				TLSServerName:            "any",
+				NodeDomain:               "cloud.scylladb.com",
+				InsecureSkipTLSVerify:    true,
+			},
+		},
+		AuthInfos: map[string]*scyllacloud.AuthInfo{
+			"ai-1": {
+				Username:              "username",
+				Password:              "password",
+				ClientKeyPath:         "testdata/pki/gocql.key",
+				ClientCertificatePath: "testdata/pki/gocql.crt",
+			},
+		},
+		Contexts: map[string]*scyllacloud.Context{
+			"default-context": {
+				AuthInfoName:   "ai-1",
+				DatacenterName: datacenterName,
+			},
+		},
+		CurrentContext: "default-context",
+	}
+
+	configPath, err := writeYamlToTempFile(cc)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(configPath)
+
+	cluster, err = scyllacloud.NewCloudCluster(configPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// Forward connections directed to node domain to our test sni proxy.
+	cluster.Dialer = dialerContextFunc(func(ctx context.Context, network, addr string) (net.Conn, error) {
+		if strings.Contains(addr, cc.Datacenters[datacenterName].NodeDomain) {
+			addr = cc.Datacenters[datacenterName].Server
+		}
+		return net.Dial(network, addr)
+	})
+
+	session, err = cluster.CreateSession()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := gocql.WaitUntilPoolsStopFilling(ctx, session, 10*time.Second); err != nil {
+		t.Fatal(err)
+	}
+
+	ringHosts := gocql.GetRingAllHosts(session)
+	if len(ringHosts) != len(hosts) {
+		t.Errorf("expected %d hosts in ring, got %d", len(hosts), len(ringHosts))
+	}
+
+	snisCount := map[string]int{}
+	events := proxy.GetEvents()
+	for _, event := range events {
+		snisCount[event]++
+	}
+
+	for hostID := range hosts {
+		sni := fmt.Sprintf("%s.%s", hostID, cc.Datacenters[datacenterName].NodeDomain)
+		count, ok := snisCount[sni]
+		if !ok {
+			t.Errorf("not found connection to host %q", hostID)
+		}
+		if count != cluster.NumConns {
+			t.Errorf("expected %d connections to host %q, got %d", cluster.NumConns, sni, count)
+		}
+	}
+}
+
+func writeYamlToTempFile(obj interface{}) (string, error) {
+	f, err := os.CreateTemp(os.TempDir(), "gocql-cloud")
+	if err != nil {
+		return "", fmt.Errorf("create temp file: %w", err)
+	}
+	if err := f.Close(); err != nil {
+		return "", fmt.Errorf("close temp file: %w", err)
+	}
+
+	buf, err := yaml.Marshal(obj)
+	if err != nil {
+		return "", fmt.Errorf("marshal yaml: %w", err)
+	}
+	if err := os.WriteFile(f.Name(), buf, 0600); err != nil {
+		return "", fmt.Errorf("write to file %q: %w", f.Name(), err)
+	}
+
+	return f.Name(), nil
+}
+
+type dialerContextFunc func(ctx context.Context, network, addr string) (net.Conn, error)
+
+func (d dialerContextFunc) DialContext(ctx context.Context, network, addr string) (net.Conn, error) {
+	return d(ctx, network, addr)
+}
+
+type sniProxy struct {
+	hosts          map[string]string
+	defaultBackend string
+	logger         gocql.StdLogger
+
+	listener net.Listener
+	events   []string
+	mu       sync.Mutex
+}
+
+func (p *sniProxy) Run(ctx context.Context) (string, error) {
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		return "", fmt.Errorf("failed to listen: %w", err)
+	}
+
+	p.listener = listener
+
+	go func() {
+		for {
+			conn, err := p.listener.Accept()
+			if err != nil {
+				p.logger.Println("failed to accept connection", err)
+				return
+			}
+
+			go p.handleConnection(conn)
+		}
+
+	}()
+
+	return listener.Addr().String(), nil
+}
+
+func (p *sniProxy) handleConnection(conn net.Conn) {
+	defer conn.Close()
+
+	var hello *tls.ClientHelloInfo
+
+	peekedBytes := &bytes.Buffer{}
+	// Ignore error because TLS library returns it when nil TLSConfig is returned.
+	_ = tls.Server(readOnlyConn{reader: io.TeeReader(conn, peekedBytes)}, &tls.Config{
+		GetConfigForClient: func(argHello *tls.ClientHelloInfo) (*tls.Config, error) {
+			hello = &tls.ClientHelloInfo{}
+			*hello = *argHello
+			return nil, nil
+		},
+	}).Handshake()
+
+	if hello == nil {
+		p.logger.Println("client hello not sent")
+		return
+	}
+
+	p.mu.Lock()
+	p.events = append(p.events, hello.ServerName)
+	p.mu.Unlock()
+
+	backend, ok := p.hosts[hello.ServerName]
+	if !ok {
+		backend = p.defaultBackend
+	}
+
+	p.logger.Println("Dialing backend", backend, "SNI", hello.ServerName)
+	backendConn, err := net.Dial("tcp", backend)
+	if err != nil {
+		p.logger.Println("failed to dial backend", backend, err)
+		return
+	}
+	defer backendConn.Close()
+
+	var wg sync.WaitGroup
+	wg.Add(2)
+
+	go func() {
+		_, _ = io.Copy(conn, backendConn)
+		wg.Done()
+	}()
+	go func() {
+		_, _ = io.Copy(backendConn, peekedBytes)
+		_, _ = io.Copy(backendConn, conn)
+		wg.Done()
+	}()
+
+	wg.Wait()
+}
+
+func (p *sniProxy) Close() error {
+	return p.listener.Close()
+}
+
+func (p *sniProxy) GetEvents() []string {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	events := make([]string, 0, len(p.events))
+	for _, e := range p.events {
+		events = append(events, e)
+	}
+	return events
+}
+
+type readOnlyConn struct {
+	reader io.Reader
+}
+
+var _ net.Conn = readOnlyConn{}
+
+func (conn readOnlyConn) Read(p []byte) (int, error)         { return conn.reader.Read(p) }
+func (conn readOnlyConn) Write(p []byte) (int, error)        { return 0, io.ErrClosedPipe }
+func (conn readOnlyConn) Close() error                       { return nil }
+func (conn readOnlyConn) LocalAddr() net.Addr                { return nil }
+func (conn readOnlyConn) RemoteAddr() net.Addr               { return nil }
+func (conn readOnlyConn) SetDeadline(t time.Time) error      { return nil }
+func (conn readOnlyConn) SetReadDeadline(t time.Time) error  { return nil }
+func (conn readOnlyConn) SetWriteDeadline(t time.Time) error { return nil }

cluster.go

@@ -264,6 +264,7 @@ func NewCluster(hosts ...string) *ClusterConfig {
 		ReconnectionPolicy:     &ConstantReconnectionPolicy{MaxRetries: 3, Interval: 1 * time.Second},
 		WriteCoalesceWaitTime:  200 * time.Microsecond,
 	}
+
 	return cfg
 }
 

conn.go

@@ -1526,9 +1526,8 @@ func (c *Conn) localHostInfo(ctx context.Context) (*HostInfo, error) {
 	}
 
 	port := c.conn.RemoteAddr().(*net.TCPAddr).Port
-
 	// TODO(zariel): avoid doing this here
-	host, err := c.session.hostInfoFromMap(row, &HostInfo{connectAddress: c.host.connectAddress, port: port})
+	host, err := c.session.hostInfoFromMap(row, &HostInfo{hostname: c.host.connectAddress.String(), connectAddress: c.host.connectAddress, port: port})
 	if err != nil {
 		return nil, err
 	}

export_test.go

@@ -0,0 +1,13 @@
+//go:build integration || unit
+// +build integration unit
+
+package gocql
+
+var FlagRunSslTest = flagRunSslTest
+var CreateCluster = createCluster
+var TestLogger = &testLogger{}
+var WaitUntilPoolsStopFilling = waitUntilPoolsStopFilling
+
+func GetRingAllHosts(sess *Session) []*HostInfo {
+	return sess.ring.allHosts()
+}

go.mod

@@ -8,7 +8,9 @@ require (
 	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed
 	github.com/kr/pretty v0.1.0 // indirect
 	github.com/stretchr/testify v1.3.0 // indirect
+	golang.org/x/net v0.0.0-20220526153639-5463443f8c37
 	gopkg.in/inf.v0 v0.9.1
+	sigs.k8s.io/yaml v1.3.0
 )
 
 go 1.13

go.sum

@@ -2,8 +2,9 @@ github.com/bitly/go-hostpool v0.0.0-20171023180738-a3a6125de932 h1:mXoPYz/Ul5HYE
 github.com/bitly/go-hostpool v0.0.0-20171023180738-a3a6125de932/go.mod h1:NOuUCSz6Q9T7+igc/hlvDOUdtWKryOrtFyIVABv/p7k=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 h1:DDGfHa7BWjL4YnC6+E63dPcxHo2sUxDIu8g3QgEJdRY=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
-github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
@@ -20,7 +21,20 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+golang.org/x/net v0.0.0-20220526153639-5463443f8c37 h1:lUkvobShwKsOesNfWWlCS5q7fnbG1MEliIzwu886fn8=
+golang.org/x/net v0.0.0-20220526153639-5463443f8c37/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
+sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=