fix: Refresh client cert when it is rejected by the server.

Author: hessjcg

dialer.go

@@ -419,9 +419,11 @@ func (d *Dialer) Dial(ctx context.Context, icn string, opts ...DialOption) (conn
 	tlsConn := tls.Client(conn, ci.TLSConfig())
 	err = tlsConn.HandshakeContext(ctx)
 	if err != nil {
+		// TLS handshake errors are fatal and require a refresh. Remove the instance
+		// from the cache so that future calls to Dial() will block until the
+		// certificate is refreshed successfully.
 		d.logger.Debugf(ctx, "[%v] TLS handshake failed: %v", cn.String(), err)
-		// refresh the instance info in case it caused the handshake failure
-		c.ForceRefresh()
+		d.removeCached(ctx, cn, c, err)
 		_ = tlsConn.Close() // best effort close attempt
 		return nil, errtype.NewDialError("handshake failed", cn.String(), err)
 	}
@@ -433,10 +435,26 @@ func (d *Dialer) Dial(ctx context.Context, icn string, opts ...DialOption) (conn
 		trace.RecordDialLatency(ctx, icn, d.dialerID, latency)
 	}()
 
-	iConn := newInstrumentedConn(tlsConn, func() {
+	closeFunc := func() {
 		n := atomic.AddUint64(c.openConnsCount, ^uint64(0)) // c.openConnsCount = c.openConnsCount - 1
 		trace.RecordOpenConnections(context.Background(), int64(n), d.dialerID, cn.String())
-	}, d.dialerID, cn.String())
+	}
+	errFunc := func(err error) {
+		// io.EOF occurs when the server closes the connection. This is safe to
+		// ignore.
+		if err == io.EOF {
+			return
+		}
+		d.logger.Debugf(ctx, "[%v] IO Error on Read or Write: %v", cn.String(), err)
+		if d.isTLSError(err) {
+			// TLS handshake errors are fatal. Remove the instance from the cache
+			// so that future calls to Dial() will block until the certificate
+			// is refreshed successfully.
+			d.removeCached(ctx, cn, c, err)
+			_ = tlsConn.Close() // best effort close attempt
+		}
+	}
+	iConn := newInstrumentedConn(tlsConn, closeFunc, errFunc, d.dialerID, cn.String())
 
 	// If this connection was opened using a Domain Name, then store it for later
 	// in case it needs to be forcibly closed.
@@ -447,23 +465,39 @@ func (d *Dialer) Dial(ctx context.Context, icn string, opts ...DialOption) (conn
 	}
 	return iConn, nil
 }
+func (d *Dialer) isTLSError(err error) bool {
+	if nErr, ok := err.(net.Error); ok {
+		return !nErr.Timeout() && // it's a permanent net error
+			strings.Contains(nErr.Error(), "tls") // it's a TLS-related error
+	}
+	return false
+}
 
-// removeCached stops all background refreshes and deletes the connection
-// info cache from the map of caches.
+// removeCached stops all background refreshes, closes open sockets, and deletes
+// the cache entry.
 func (d *Dialer) removeCached(
 	ctx context.Context,
-	i instance.ConnName, c connectionInfoCache, err error,
+	i instance.ConnName, c *monitoredCache, err error,
 ) {
 	d.logger.Debugf(
 		ctx,
 		"[%v] Removing connection info from cache: %v",
 		i.String(),
 		err,
 	)
+
+	// If this instance of monitoredCache is still in the cache, remove it.
+	// If this instance was already removed from the cache or
+	// if *a separate goroutine* replaced it with a new instance, do nothing.
+	key := createKey(i)
 	d.lock.Lock()
-	defer d.lock.Unlock()
+	if cachedC, ok := d.cache[key]; ok && cachedC == c {
+		delete(d.cache, key)
+	}
+	d.lock.Unlock()
+
+	// Close the monitoredCache, this call is idempotent.
 	c.Close()
-	delete(d.cache, createKey(i))
 }
 
 // validClientCert checks that the ephemeral client certificate retrieved from
@@ -505,7 +539,7 @@ func (d *Dialer) EngineVersion(ctx context.Context, icn string) (string, error)
 	}
 	ci, err := c.ConnectionInfo(ctx)
 	if err != nil {
-		d.removeCached(ctx, cn, c.connectionInfoCache, err)
+		d.removeCached(ctx, cn, c, err)
 		return "", err
 	}
 	return ci.DBVersion, nil
@@ -529,17 +563,18 @@ func (d *Dialer) Warmup(ctx context.Context, icn string, opts ...DialOption) err
 	}
 	_, err = c.ConnectionInfo(ctx)
 	if err != nil {
-		d.removeCached(ctx, cn, c.connectionInfoCache, err)
+		d.removeCached(ctx, cn, c, err)
 	}
 	return err
 }
 
 // newInstrumentedConn initializes an instrumentedConn that on closing will
 // decrement the number of open connects and record the result.
-func newInstrumentedConn(conn net.Conn, closeFunc func(), dialerID, connName string) *instrumentedConn {
+func newInstrumentedConn(conn net.Conn, closeFunc func(), errFunc func(error), dialerID, connName string) *instrumentedConn {
 	return &instrumentedConn{
 		Conn:      conn,
 		closeFunc: closeFunc,
+		errFunc:   errFunc,
 		dialerID:  dialerID,
 		connName:  connName,
 	}
@@ -550,6 +585,7 @@ func newInstrumentedConn(conn net.Conn, closeFunc func(), dialerID, connName str
 type instrumentedConn struct {
 	net.Conn
 	closeFunc func()
+	errFunc   func(error)
 	mu        sync.RWMutex
 	closed    bool
 	dialerID  string
@@ -562,6 +598,8 @@ func (i *instrumentedConn) Read(b []byte) (int, error) {
 	bytesRead, err := i.Conn.Read(b)
 	if err == nil {
 		go trace.RecordBytesReceived(context.Background(), int64(bytesRead), i.connName, i.dialerID)
+	} else {
+		i.errFunc(err)
 	}
 	return bytesRead, err
 }
@@ -572,6 +610,8 @@ func (i *instrumentedConn) Write(b []byte) (int, error) {
 	bytesWritten, err := i.Conn.Write(b)
 	if err == nil {
 		go trace.RecordBytesSent(context.Background(), int64(bytesWritten), i.connName, i.dialerID)
+	} else {
+		i.errFunc(err)
 	}
 	return bytesWritten, err
 }

dialer_test.go

@@ -1175,127 +1175,120 @@ func TestDialerChecksSubjectAlternativeNameAndFails(t *testing.T) {
 	}
 }
 
-func TestDialerRefreshesAfterRotateClientCA(t *testing.T) {
-	inst := mock.NewFakeCSQLInstanceWithSan(
-		"my-project", "my-region", "my-instance", []string{"db.example.com"},
-		mock.WithDNS("db.example.com"),
-		mock.WithServerCAMode("GOOGLE_MANAGED_CAS_CA"),
-	)
-
-	d := setupDialer(t, setupConfig{
-		skipServer:   true,
-		testInstance: inst,
-		reqs: []*mock.Request{
-			mock.InstanceGetSuccess(inst, 2),
-			mock.CreateEphemeralSuccess(inst, 2),
+func TestDialerRefreshesAfterRotateCACerts(t *testing.T) {
+	tcs := []struct {
+		desc            string
+		rotateClientCA  bool
+		wantErrorOnDial bool
+		wantErrorOnRead bool
+		useLazyRefresh  bool
+	}{
+		{
+			desc:            "Rotating Client CA causes error on read, then refresh",
+			rotateClientCA:  true,
+			wantErrorOnRead: true,
 		},
-		dialerOptions: []Option{
-			WithTokenSource(mock.EmptyTokenSource{}),
-			WithDebugLogger(&dialerTestLogger{t: t}),
-			//WithLazyRefresh(),
-			// Note: this succeeds with lazy refresh, but fails with lazy.
-			// because dialer.ForceRefresh does not block connections while the
-			// refresh is in progress.
+		{
+			desc:            "Rotating all CAs causes error on dial, then refresh",
+			wantErrorOnDial: true,
+			wantErrorOnRead: false,
+		},
+		{
+			desc:            "Rotating Client CA with lazy refresh causes error on read",
+			rotateClientCA:  true,
+			wantErrorOnRead: true,
+			useLazyRefresh:  true,
+		},
+		{
+			desc:            "Rotating all CAs with lazy refresh causes error on dial",
+			wantErrorOnDial: true,
+			useLazyRefresh:  true,
 		},
-	})
-	cancel1 := mock.StartServerProxy(t, inst)
-	t.Log("First attempt...")
-	testSuccessfulDial(
-		context.Background(), t, d,
-		"my-project:my-region:my-instance",
-	)
-	t.Log("First attempt OK. Resetting client cert.")
-
-	// Close the server
-	cancel1()
-
-	mock.RotateClientCA(inst)
-
-	// Start the server with new certificates
-	cancel2 := mock.StartServerProxy(t, inst)
-	defer cancel2()
-
-	// Dial a second time. We expect no error on dial, but TLS error on read.
-	t.Log("Second attempt should fail...")
-	conn, err := d.Dial(context.Background(), "my-project:my-region:my-instance")
-	if err != nil {
-		t.Fatal("Should be no certificate error after, got ", err)
 	}
+	for _, tc := range tcs {
+		t.Run(tc.desc, func(t *testing.T) {
+			inst := mock.NewFakeCSQLInstanceWithSan(
+				"my-project", "my-region", "my-instance", []string{"db.example.com"},
+				mock.WithDNS("db.example.com"),
+				mock.WithServerCAMode("GOOGLE_MANAGED_CAS_CA"),
+			)
 
-	// Expect an error on read. This should trigger the dialer to refresh.
-	_, err = io.ReadAll(conn)
-	if err != nil {
-		t.Log("Got error on read as expected.", err)
-	} else {
-		t.Fatal("Want read error, got no error")
-	}
-	t.Log("Second attempt done")
+			opts := []Option{
+				WithTokenSource(mock.EmptyTokenSource{}),
+				WithDebugLogger(&dialerTestLogger{t: t}),
+			}
+			if tc.useLazyRefresh {
+				opts = append(opts, WithLazyRefresh())
+			}
 
-	// Dial again. This should complete after the refresh.
-	t.Log("Third attempt...")
-	testSuccessfulDial(
-		context.Background(), t, d,
-		"my-project:my-region:my-instance",
-	)
-	t.Log("Third attempt OK.")
-}
+			d := setupDialer(t, setupConfig{
+				skipServer:   true,
+				testInstance: inst,
+				reqs: []*mock.Request{
+					mock.InstanceGetSuccess(inst, 2),
+					mock.CreateEphemeralSuccess(inst, 2),
+				},
+				dialerOptions: opts,
+			})
+			cancel1 := mock.StartServerProxy(t, inst)
+			t.Log("First attempt...")
+			testSuccessfulDial(
+				context.Background(), t, d,
+				"my-project:my-region:my-instance",
+			)
+			t.Log("First attempt OK. Resetting client cert.")
 
-func TestDialerRefreshesAfterRotateServerCA(t *testing.T) {
-	inst := mock.NewFakeCSQLInstanceWithSan(
-		"my-project", "my-region", "my-instance", []string{"db.example.com"},
-		mock.WithDNS("db.example.com"),
-		mock.WithServerCAMode("GOOGLE_MANAGED_CAS_CA"),
-	)
+			// Close the server
+			cancel1()
 
-	d := setupDialer(t, setupConfig{
-		skipServer:   true,
-		testInstance: inst,
-		reqs: []*mock.Request{
-			mock.InstanceGetSuccess(inst, 2),
-			mock.CreateEphemeralSuccess(inst, 2),
-		},
-		dialerOptions: []Option{
-			WithTokenSource(mock.EmptyTokenSource{}),
-			WithDebugLogger(&dialerTestLogger{t: t}),
-			WithLazyRefresh(),
-			// Note: this succeeds with lazy refresh, but fails with lazy.
-			// because dialer.ForceRefresh does not block connections while the
-			// refresh is in progress.
-		},
-	})
-	cancel1 := mock.StartServerProxy(t, inst)
-	t.Log("First attempt...")
-	testSuccessfulDial(
-		context.Background(), t, d,
-		"my-project:my-region:my-instance",
-	)
-	t.Log("First attempt OK. Resetting client cert.")
+			if tc.rotateClientCA {
+				mock.RotateClientCA(inst)
+			} else {
+				mock.RotateCA(inst)
+			}
 
-	// Close the server
-	cancel1()
+			// Start the server with new certificates
+			cancel2 := mock.StartServerProxy(t, inst)
+			defer cancel2()
 
-	mock.RotateCA(inst)
+			// Dial a second time.
+			t.Log("Second attempt should fail...")
+			conn, err := d.Dial(context.Background(), "my-project:my-region:my-instance")
+			if err != nil {
+				if tc.wantErrorOnDial {
+					t.Logf("got error on dial as expected: %v", err)
+				} else {
+					t.Fatalf("want no dial error, got: %v", err)
+				}
+			} else if tc.wantErrorOnDial {
+				t.Fatal("want dial error, got no error")
+			}
 
-	// Start the server with new certificates
-	cancel2 := mock.StartServerProxy(t, inst)
-	defer cancel2()
+			// If no error expected on dial, then attempt to read.
+			if !tc.wantErrorOnDial {
+				_, err = io.ReadAll(conn)
+				if err != nil {
+					if tc.wantErrorOnRead {
+						t.Logf("got error on read as expected: %v", err)
+					} else {
+						t.Fatalf("want no read error, got: %v", err)
+					}
+				} else if tc.wantErrorOnRead {
+					t.Fatal("want read error, got no error")
+				}
+			}
+			t.Log("Second attempt done")
 
-	// Dial a second time. We expect no error on dial, but TLS error on read.
-	t.Log("Second attempt should fail...")
-	_, err := d.Dial(context.Background(), "my-project:my-region:my-instance")
-	if err != nil {
-		t.Log("Got error on dial as expected.", err)
-	} else {
-		t.Fatal("Want dial error, got no error")
+			// Dial again. This should complete after the refresh.
+			t.Log("Third attempt...")
+			testSuccessfulDial(
+				context.Background(), t, d,
+				"my-project:my-region:my-instance",
+			)
+			t.Log("Third attempt OK.")
+		})
 	}
 
-	// Dial again. This should occur after the refresh has completed.
-	t.Log("Third attempt...")
-	testSuccessfulDial(
-		context.Background(), t, d,
-		"my-project:my-region:my-instance",
-	)
-	t.Log("Third attempt OK.")
 }
 
 type dialerTestLogger struct {