fix: invalidated config should retain error (#1068)

When a TLS handshake fails, the client would invalidate the configuration without recording the associated error. When the liveness check runs, it would panic when trying to print the invalidated configuration's error because the error was nil. This commit ensures that when the proxy invalidates a configuration, it includes the error. Fixes #1065.
GoogleCloudPlatform · Jan 20, 2022 · 49d3003 · 49d3003
1 parent 4c63ec3
commit 49d3003
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 3 deletions.
diff --git a/proxy/proxy/client.go b/proxy/proxy/client.go
@@ -526,7 +526,7 @@ func (c *Client) selectDialer() func(context.Context, string, string) (net.Conn,
 	}
 }
 
-func (c *Client) invalidateCfg(cfg *tls.Config, instance string) {
+func (c *Client) invalidateCfg(cfg *tls.Config, instance string, err error) {
 	c.cacheL.RLock()
 	e := c.cfgCache[instance]
 	c.cacheL.RUnlock()
@@ -540,7 +540,9 @@ func (c *Client) invalidateCfg(cfg *tls.Config, instance string) {
 	if e.cfg != cfg {
 		return
 	}
+	err = fmt.Errorf("config invalidated after TLS handshake failed, error = %w", err)
 	c.cfgCache[instance] = cacheEntry{
+		err:           err,
 		done:          e.done,
 		lastRefreshed: e.lastRefreshed,
 	}

diff --git a/proxy/proxy/client_test.go b/proxy/proxy/client_test.go
@@ -513,7 +513,29 @@ func TestClientHandshakeCanceled(t *testing.T) {
 			_, err := c.DialContext(ctx, instance)
 			validateError(t, err)
 		})
+	})
+
+	t.Run("when liveness check is called on invalidated config", func(t *testing.T) {
+		withTestHarness(t, func(port int) {
+			c := newClient(port)
+
+			ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+			defer cancel()
 
+			_, err := c.DialContext(ctx, instance)
+			if err == nil {
+				t.Fatal("expected DialContext to fail, got no error")
+			}
+
+			invalid := c.InvalidInstances()
+			if gotLen := len(invalid); gotLen != 1 {
+				t.Fatalf("invalid instance want = 1, got = %v", gotLen)
+			}
+			got := invalid[0]
+			if got.err == nil {
+				t.Fatal("want invalid instance error, got nil")
+			}
+		})
 	})
 
 	// Makes it to Handshake.

diff --git a/proxy/proxy/connect_tls_117.go b/proxy/proxy/connect_tls_117.go
@@ -38,7 +38,7 @@ func (c *Client) connectTLS(
 	// this file is conditionally compiled on only Go versions >= 1.17.
 	if err := ret.HandshakeContext(ctx); err != nil {
 		_ = ret.Close()
-		c.invalidateCfg(cfg, instance)
+		c.invalidateCfg(cfg, instance, err)
 		return nil, err
 	}
 	return ret, nil

diff --git a/proxy/proxy/connect_tls_other.go b/proxy/proxy/connect_tls_other.go
@@ -106,7 +106,7 @@ func (c *Client) connectTLS(
 	ret := tls.Client(conn, cfg)
 	if err := ret.Handshake(); err != nil {
 		_ = ret.Close()
-		c.invalidateCfg(cfg, instance)
+		c.invalidateCfg(cfg, instance, err)
 		return nil, err
 	}
 	return ret, nil