router: protect replicasets from modification

The function `vshard.router.routeall` is not marked as internal API, but
it returns `router.replicasets` table, which is used by the router itself.
And also `vshard.router.route` returns a replicaset object that is used
internally. If user modifies the returned from `routeall` or `route`
table, then router is broken and cannot continue to work properly after
that.

Now `routeall` returns a new copy of the replicaset array to user on
each call. So user can do whatever he wants with this array, without
affecting the internal behavior of the router.
Also, each of the replicasets that are returned from `routeall` or `route`
is a wrapper over the internal replicaset table. This wrapper contains the
private field `_replicaset`, the value of which is the internal replicaset
table. User should not touch this field. This wrapper only gives user
access to the public replicaset methods: `call`, `callrw`, `callro`,
`callbro`, `callre`, `callbre`.

Closes #502

NO_DOC=<undocumented part>

Author: Astronomax

test/failover/failover.result

@@ -120,15 +120,15 @@ priority_order()
   - - 1
     - unknown zone
 ...
-vshard.router.route(1).uuid == rs_uuid[1]
+vshard.router.route(1)._replicaset.uuid == rs_uuid[1]
 ---
 - true
 ...
-vshard.router.route(31).uuid == rs_uuid[2]
+vshard.router.route(31)._replicaset.uuid == rs_uuid[2]
 ---
 - true
 ...
-vshard.router.route(61).uuid == rs_uuid[3]
+vshard.router.route(61)._replicaset.uuid == rs_uuid[3]
 ---
 - true
 ...
@@ -371,15 +371,15 @@ priority_order()
   - - 1
     - unknown zone
 ...
-vshard.router.route(1).uuid == rs_uuid[1]
+vshard.router.route(1)._replicaset.uuid == rs_uuid[1]
 ---
 - true
 ...
-vshard.router.route(31).uuid == rs_uuid[2]
+vshard.router.route(31)._replicaset.uuid == rs_uuid[2]
 ---
 - true
 ...
-vshard.router.route(61).uuid == rs_uuid[3]
+vshard.router.route(61)._replicaset.uuid == rs_uuid[3]
 ---
 - true
 ...
@@ -409,15 +409,15 @@ priority_order()
   - - 1
     - unknown zone
 ...
-vshard.router.route(1).uuid == rs_uuid[1]
+vshard.router.route(1)._replicaset.uuid == rs_uuid[1]
 ---
 - true
 ...
-vshard.router.route(31).uuid == rs_uuid[2]
+vshard.router.route(31)._replicaset.uuid == rs_uuid[2]
 ---
 - true
 ...
-vshard.router.route(61).uuid == rs_uuid[3]
+vshard.router.route(61)._replicaset.uuid == rs_uuid[3]
 ---
 - true
 ...
@@ -447,15 +447,15 @@ priority_order()
   - - unknown zone
     - 1
 ...
-vshard.router.route(1).uuid == rs_uuid[1]
+vshard.router.route(1)._replicaset.uuid == rs_uuid[1]
 ---
 - true
 ...
-vshard.router.route(31).uuid == rs_uuid[2]
+vshard.router.route(31)._replicaset.uuid == rs_uuid[2]
 ---
 - true
 ...
-vshard.router.route(61).uuid == rs_uuid[3]
+vshard.router.route(61)._replicaset.uuid == rs_uuid[3]
 ---
 - true
 ...
@@ -482,7 +482,7 @@ while not test_run:grep_log('router_1', 'Ping error from', 1000) do fiber.sleep(
 t = string.rep('a', 1024 * 1024 * 500)
 ---
 ...
-rs = vshard.router.route(31)
+rs = vshard.router.route(31)._replicaset
 ---
 ...
 while rs.master ~= rs.replica do fiber.sleep(0.01) end

test/failover/failover.test.lua

@@ -55,9 +55,9 @@ test_run:switch('router_1')
 vshard.router.cfg(cfg)
 while not test_run:grep_log('router_1', 'New replica box_1_d%(storage%@') do fiber.sleep(0.1) end
 priority_order()
-vshard.router.route(1).uuid == rs_uuid[1]
-vshard.router.route(31).uuid == rs_uuid[2]
-vshard.router.route(61).uuid == rs_uuid[3]
+vshard.router.route(1)._replicaset.uuid == rs_uuid[1]
+vshard.router.route(31)._replicaset.uuid == rs_uuid[2]
+vshard.router.route(61)._replicaset.uuid == rs_uuid[3]
 vshard.router.call(1, 'read', 'echo', {123})
 test_run:switch('box_1_d')
 -- Not 0 - 'read' echo was called here.
@@ -145,27 +145,27 @@ create_router('router_2')
 test_run:switch('router_2')
 vshard.router.cfg(cfg)
 priority_order()
-vshard.router.route(1).uuid == rs_uuid[1]
-vshard.router.route(31).uuid == rs_uuid[2]
-vshard.router.route(61).uuid == rs_uuid[3]
+vshard.router.route(1)._replicaset.uuid == rs_uuid[1]
+vshard.router.route(31)._replicaset.uuid == rs_uuid[2]
+vshard.router.route(61)._replicaset.uuid == rs_uuid[3]
 test_run:switch('default')
 
 create_router('router_3')
 test_run:switch('router_3')
 vshard.router.cfg(cfg)
 priority_order()
-vshard.router.route(1).uuid == rs_uuid[1]
-vshard.router.route(31).uuid == rs_uuid[2]
-vshard.router.route(61).uuid == rs_uuid[3]
+vshard.router.route(1)._replicaset.uuid == rs_uuid[1]
+vshard.router.route(31)._replicaset.uuid == rs_uuid[2]
+vshard.router.route(61)._replicaset.uuid == rs_uuid[3]
 test_run:switch('default')
 
 create_router('router_4')
 test_run:switch('router_4')
 vshard.router.cfg(cfg)
 priority_order()
-vshard.router.route(1).uuid == rs_uuid[1]
-vshard.router.route(31).uuid == rs_uuid[2]
-vshard.router.route(61).uuid == rs_uuid[3]
+vshard.router.route(1)._replicaset.uuid == rs_uuid[1]
+vshard.router.route(31)._replicaset.uuid == rs_uuid[2]
+vshard.router.route(61)._replicaset.uuid == rs_uuid[3]
 
 --
 -- gh-169: do not close connections on too long ping when this is
@@ -178,7 +178,7 @@ vshard.router.cfg(cfg)
 while not test_run:grep_log('router_1', 'Ping error from', 1000) do fiber.sleep(0.01) end
 
 t = string.rep('a', 1024 * 1024 * 500)
-rs = vshard.router.route(31)
+rs = vshard.router.route(31)._replicaset
 while rs.master ~= rs.replica do fiber.sleep(0.01) end
 future = nil
 -- Create strong reference to prevent Lua GC from closing the

test/misc/check_uuid_on_connect.result

@@ -199,7 +199,7 @@ vshard.router.route(1)
   bucket_id: 1
 ...
 -- Ok to work with correct replicasets.
-vshard.router.route(2).uuid
+vshard.router.route(2)._replicaset.uuid
 ---
 - cbf06940-0790-498b-948d-042b62cf3d29
 ...

test/misc/check_uuid_on_connect.test.lua

@@ -74,7 +74,7 @@ test_run:switch('bad_uuid_router')
 vshard.router.static.route_map[1] = nil
 vshard.router.route(1)
 -- Ok to work with correct replicasets.
-vshard.router.route(2).uuid
+vshard.router.route(2)._replicaset.uuid
 
 _ = test_run:cmd("switch default")
 test_run:cmd('stop server bad_uuid_router')

test/multiple_routers/multiple_routers.result

@@ -79,11 +79,6 @@ vshard.router.call(1, 'read', 'do_select', {1})
 ---
 - [[1, 1]]
 ...
--- Test that static router is just a router object under the hood.
-vshard.router.static:route(1) == vshard.router.route(1)
----
-- true
-...
 -- Configure extra router.
 router_2 = vshard.router.new('router_2', configs.cfg_2)
 ---

test/multiple_routers/multiple_routers.test.lua

@@ -30,9 +30,6 @@ _ = test_run:cmd("switch router_1")
 vshard.router.call(1, 'write', 'do_replace', {{1, 1}})
 vshard.router.call(1, 'read', 'do_select', {1})
 
--- Test that static router is just a router object under the hood.
-vshard.router.static:route(1) == vshard.router.route(1)
-
 -- Configure extra router.
 router_2 = vshard.router.new('router_2', configs.cfg_2)
 router_2:bootstrap()

test/router-luatest/map_callrw_test.lua

@@ -212,6 +212,7 @@ g.test_map_part_double_ref = function(cg)
         -- Make sure the location of the bucket is known.
         local rs, err = ivshard.router.route(bid)
         ilt.assert_equals(err, nil)
+        rs = rs._replicaset
         ilt.assert_equals(rs.uuid, uuid)
     end, {bid1, cg.rs1_uuid})
     -- Then, move the bucket form rs1 to rs2. Now the router has an outdated
@@ -251,7 +252,7 @@ g.test_map_part_double_ref = function(cg)
             ivshard.router.discovery_wakeup()
             local rs, err = ivshard.router.route(bid)
             ilt.assert_equals(err, nil)
-            ilt.assert_equals(rs.uuid, uuid)
+            ilt.assert_equals(rs._replicaset.uuid, uuid)
         end)
     end, {bid1, cg.rs1_uuid})
 end
@@ -273,7 +274,7 @@ g.test_map_part_ref_timeout = function(cg)
             for _, bid in ipairs(bids) do
                 local rs, err = ivshard.router.route(bid)
                 ilt.assert_equals(err, nil)
-                ilt.assert_equals(rs.uuid, uuid)
+                ilt.assert_equals(rs._replicaset.uuid, uuid)
             end
         end
     end, {{[cg.rs1_uuid] = {bid1, bid2}, [cg.rs2_uuid] = {bid3, bid4}}})
@@ -379,7 +380,7 @@ g.test_map_part_ref_timeout = function(cg)
             ivshard.router.discovery_wakeup()
             local rs, err = ivshard.router.route(bid)
             ilt.assert_equals(err, nil)
-            ilt.assert_equals(rs.uuid, uuid)
+            ilt.assert_equals(rs._replicaset.uuid, uuid)
         end)
     end, {bid2, cg.rs1_uuid})
 end

test/router-luatest/router_2_2_test.lua

@@ -122,6 +122,65 @@ g.test_msgpack_args = function(g)
     t.assert_equals(res, 100, 'good result')
 end
 
+local function router_check_replicaset_protection_init()
+    g.router:exec(function()
+        rawset(_G, "check_replicaset_protection",
+            function(rs)
+                t.assert_not_equals(rs._replicaset, nil)
+                t.assert_equals(next(rs, next(rs)), nil)
+                t.assert_not_equals(rs.call, nil)
+                t.assert_not_equals(rs.callrw, nil)
+                t.assert_not_equals(rs.callro, nil)
+                t.assert_not_equals(rs.callbro, nil)
+                t.assert_not_equals(rs.callre, nil)
+                t.assert_not_equals(rs.callbre, nil)
+                local err_msg =
+                    "Modification of replicaset table is not allowed"
+                -- Adding a field is prohibited.
+                t.assert_error_msg_contains(
+                    err_msg, function(t) t.new_field = 1 end, rs)
+                err_msg = "cannot change a protected metatable"
+                t.assert_error_msg_equals(err_msg, setmetatable, rs, {})
+            end)
+    end)
+end
+
+local function router_check_replicaset_protection_clear()
+    g.router:exec(function()
+        rawset(_G, "check_replicaset_protection", nil)
+    end)
+end
+
+g.test_router_route_return_value_protection = function(g)
+    router_check_replicaset_protection_init()
+    g.router:exec(function()
+        _G.check_replicaset_protection(ivshard.router.route(1))
+    end)
+    router_check_replicaset_protection_clear()
+end
+
+g.test_router_routeall_return_value_protection = function(g)
+    router_check_replicaset_protection_init()
+    g.router:exec(function()
+        local replicasets = ivshard.router.routeall()
+        for _, rs in pairs(replicasets) do
+            _G.check_replicaset_protection(rs)
+        end
+        -- Adding a field.
+        replicasets.new_field = 1
+        t.assert_equals(replicasets.new_field, 1)
+        replicasets = ivshard.router.routeall()
+        t.assert_equals(replicasets.new_field, nil)
+        -- Deleting a field.
+        local id, _ = next(replicasets)
+        replicasets[id] = nil
+        t.assert_equals(replicasets[id], nil)
+        replicasets = ivshard.router.routeall()
+        t.assert_not_equals(replicasets[id], nil)
+    end)
+    router_check_replicaset_protection_clear()
+end
+
 local function test_return_raw_template(g, mode)
     --
     -- Normal call.
@@ -1083,7 +1142,7 @@ g.test_retryable_transfer_in_progress = function(g)
     end)
     g.router:exec(function(bid, uuid)
         local rs = ivshard.router.route(bid)
-        ilt.assert_equals(rs.uuid, uuid)
+        ilt.assert_equals(rs._replicaset.uuid, uuid)
     end, {bid, g.replica_2_a:replicaset_uuid()})
 
     -- Block bucket receive.

test/router-luatest/router_election_auto_master_test.lua

@@ -67,7 +67,8 @@ end)
 local function router_wait_for_leader(bid, uuid)
     ilt.helpers.retrying({timeout = ivtest.wait_timeout}, function()
         ivshard.router.master_search_wakeup()
-        ilt.assert_equals(ivshard.router.route(bid).master.uuid, uuid)
+        ilt.assert_equals(
+            ivshard.router.route(bid)._replicaset.master.uuid, uuid)
     end)
 end
 

test/router/reload.result

@@ -203,7 +203,7 @@ check_reloaded()
 --
 -- Outdate old replicaset and replica objects.
 --
-rs = vshard.router.route(1)
+rs = vshard.router.route(1)._replicaset
 ---
 ...
 rs:callro('echo', {'some_data'})
@@ -233,7 +233,7 @@ rs.callro(rs, 'echo', {'some_data'})
 vshard.router = require('vshard.router')
 ---
 ...
-rs = vshard.router.route(1)
+rs = vshard.router.route(1)._replicaset
 ---
 ...
 rs:callro('echo', {'some_data'})
@@ -258,7 +258,7 @@ cfg.connection_outdate_delay = old_connection_delay
 vshard.router.static.connection_outdate_delay = nil
 ---
 ...
-rs_new = vshard.router.route(1)
+rs_new = vshard.router.route(1)._replicaset
 ---
 ...
 rs_old = rs