fix(discov): revalidate lease after watch re-put

wencheng · wencheng · commit 7d6bf281e7d7 · 2026-04-26T16:44:35.000+08:00
diff --git a/core/discov/publisher.go b/core/discov/publisher.go
@@ -152,18 +152,11 @@ func (p *Publisher) keepAliveAsync(cli internal.EtcdClient) error {
 						logc.Infof(cli.Ctx(), "etcd publisher watch: %s, event: %v",
 							evt.Kv.Key, evt.Type)
 
-						// Make sure the lease is still valid before re-putting the key.
-						// Otherwise the Put may happen with an already-expired or zero
-						// LeaseID (e.g. when the DELETE event is caused by lease expiry
-						// and races with KeepAlive channel close), which makes the key
-						// permanent in etcd (no TTL) and leaks forever.
-						ttlResp, ttlErr := cli.TimeToLive(cli.Ctx(), p.lease)
-						if ttlErr != nil || ttlResp == nil || ttlResp.TTL <= 0 {
-							logc.Errorf(cli.Ctx(),
-								"etcd publisher lease expired, skip re-put and restart keepalive: leaseID=%d, err=%v",
-								p.lease, ttlErr)
-							p.revoke(cli)
-							if err := p.doKeepAlive(); err != nil {
+						// Keep the fast path for manually deleted keys, but revalidate both
+						// before and after the re-put so an already-expired lease can't leave
+						// a permanent orphaned key behind.
+						if !p.leaseAlive(cli) {
+							if err := p.restartKeepAlive(cli); err != nil {
 								logc.Errorf(cli.Ctx(), "etcd publisher KeepAlive: %v", err)
 							}
 							return
@@ -172,10 +165,18 @@ func (p *Publisher) keepAliveAsync(cli internal.EtcdClient) error {
 						_, err := cli.Put(cli.Ctx(), p.fullKey, p.value, clientv3.WithLease(p.lease))
 						if err != nil {
 							logc.Errorf(cli.Ctx(), "etcd publisher re-put key: %v", err)
-						} else {
-							logc.Infof(cli.Ctx(), "etcd publisher re-put key: %s, value: %s",
-								p.fullKey, p.value)
+							continue
 						}
+
+						if !p.keyBoundToLease(cli) {
+							if err := p.restartKeepAlive(cli); err != nil {
+								logc.Errorf(cli.Ctx(), "etcd publisher KeepAlive: %v", err)
+							}
+							return
+						}
+
+						logc.Infof(cli.Ctx(), "etcd publisher re-put key: %s, value: %s",
+							p.fullKey, p.value)
 					}
 				}
 			case <-p.pauseChan:
@@ -223,6 +224,45 @@ func (p *Publisher) revoke(cli internal.EtcdClient) {
 	}
 }
 
+func (p *Publisher) keyBoundToLease(cli internal.EtcdClient) bool {
+	resp, err := cli.Get(cli.Ctx(), p.fullKey)
+	if err != nil {
+		logc.Errorf(cli.Ctx(), "etcd publisher verify re-put lease: %v", err)
+		return false
+	}
+
+	if len(resp.Kvs) == 0 {
+		logc.Errorf(cli.Ctx(), "etcd publisher verify re-put lease: key missing after put, key=%s", p.fullKey)
+		return false
+	}
+
+	if resp.Kvs[0].Lease != int64(p.lease) {
+		logc.Errorf(cli.Ctx(),
+			"etcd publisher verify re-put lease: unexpected lease, key=%s, want=%d, got=%d",
+			p.fullKey, p.lease, resp.Kvs[0].Lease)
+		return false
+	}
+
+	return true
+}
+
+func (p *Publisher) leaseAlive(cli internal.EtcdClient) bool {
+	resp, err := cli.TimeToLive(cli.Ctx(), p.lease)
+	if err != nil || resp == nil || resp.TTL <= 0 {
+		logc.Errorf(cli.Ctx(),
+			"etcd publisher lease expired, skip re-put and restart keepalive: leaseID=%d, err=%v",
+			p.lease, err)
+		return false
+	}
+
+	return true
+}
+
+func (p *Publisher) restartKeepAlive(cli internal.EtcdClient) error {
+	p.revoke(cli)
+	return p.doKeepAlive()
+}
+
 // WithId customizes a Publisher with the id.
 func WithId(id int64) PubOption {
 	return func(publisher *Publisher) {
diff --git a/core/discov/publisher_test.go b/core/discov/publisher_test.go
@@ -252,8 +252,7 @@ func TestPublisher_keepAliveAsyncPause(t *testing.T) {
 	wg.Wait()
 }
 
-// Test case for key deletion and re-registration (covers lines 148-155)
-func TestPublisher_keepAliveAsyncKeyDeletion(t *testing.T) {
+func TestPublisher_keepAliveAsyncDeleteRePutsWhenLeaseAlive(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 	const id clientv3.LeaseID = 1
@@ -262,33 +261,24 @@ func TestPublisher_keepAliveAsyncKeyDeletion(t *testing.T) {
 	defer restore()
 	cli.EXPECT().Ctx().AnyTimes()
 	cli.EXPECT().KeepAlive(gomock.Any(), id)
-
-	// Create a watch channel that will send a delete event
-	watchChan := make(chan clientv3.WatchResponse, 1)
-	watchResp := clientv3.WatchResponse{
-		Events: []*clientv3.Event{{
-			Type: clientv3.EventTypeDelete,
-			Kv: &mvccpb.KeyValue{
-				Key: []byte("thekey"),
-			},
-		}},
-	}
-	watchChan <- watchResp
-
-	cli.EXPECT().Watch(gomock.Any(), gomock.Any(), gomock.Any()).Return((<-chan clientv3.WatchResponse)(watchChan))
+	cli.EXPECT().Watch(gomock.Any(), gomock.Any(), gomock.Any()).Return(newDeleteWatchChan("thekey"))
+	cli.EXPECT().TimeToLive(gomock.Any(), id).Return(&clientv3.LeaseTimeToLiveResponse{
+		TTL: 1,
+	}, nil)
 
 	var wg sync.WaitGroup
-	wg.Add(1) // Only wait for Revoke call
-
-	// Use a channel to signal when Put has been called
+	wg.Add(1)
 	putCalled := make(chan struct{})
-
-	// Expect the re-put operation when key is deleted
 	cli.EXPECT().Put(gomock.Any(), "thekey", "thevalue", gomock.Any()).Do(func(_, _, _, _ any) {
-		close(putCalled) // Signal that Put has been called
+		close(putCalled)
 	}).Return(nil, nil)
-
-	// Expect revoke when Stop is called
+	cli.EXPECT().Get(gomock.Any(), "thekey").Return(&clientv3.GetResponse{
+		Kvs: []*mvccpb.KeyValue{{
+			Key:   []byte("thekey"),
+			Value: []byte("thevalue"),
+			Lease: int64(id),
+		}},
+	}, nil)
 	cli.EXPECT().Revoke(gomock.Any(), id).Do(func(_, _ any) {
 		wg.Done()
 	})
@@ -305,8 +295,7 @@ func TestPublisher_keepAliveAsyncKeyDeletion(t *testing.T) {
 	wg.Wait()
 }
 
-// Test case for key deletion with re-put error (covers error branch in lines 151-152)
-func TestPublisher_keepAliveAsyncKeyDeletionPutError(t *testing.T) {
+func TestPublisher_keepAliveAsyncDeleteSkipsPutAndRestartsWhenLeaseExpired(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 	const id clientv3.LeaseID = 1
@@ -315,47 +304,108 @@ func TestPublisher_keepAliveAsyncKeyDeletionPutError(t *testing.T) {
 	defer restore()
 	cli.EXPECT().Ctx().AnyTimes()
 	cli.EXPECT().KeepAlive(gomock.Any(), id)
+	cli.EXPECT().Watch(gomock.Any(), gomock.Any(), gomock.Any()).Return(newDeleteWatchChan("thekey"))
+	cli.EXPECT().TimeToLive(gomock.Any(), id).Return(&clientv3.LeaseTimeToLiveResponse{
+		TTL: 0,
+	}, nil)
 
-	// Create a watch channel that will send a delete event
-	watchChan := make(chan clientv3.WatchResponse, 1)
-	watchResp := clientv3.WatchResponse{
-		Events: []*clientv3.Event{{
-			Type: clientv3.EventTypeDelete,
-			Kv: &mvccpb.KeyValue{
-				Key: []byte("thekey"),
-			},
-		}},
-	}
-	watchChan <- watchResp
+	restarted := make(chan struct{})
+	cli.EXPECT().Revoke(gomock.Any(), id).Do(func(_, _ any) {
+		close(restarted)
+	})
 
-	cli.EXPECT().Watch(gomock.Any(), gomock.Any(), gomock.Any()).Return((<-chan clientv3.WatchResponse)(watchChan))
+	pub := NewPublisher(nil, "thekey", "thevalue")
+	pub.lease = id
+	pub.fullKey = "thekey"
 
-	var wg sync.WaitGroup
-	wg.Add(1) // Only wait for Revoke call
+	assert.Nil(t, pub.keepAliveAsync(cli))
+	waitForSignal(t, restarted)
+	pub.Stop()
+}
 
-	// Use a channel to signal when Put has been called
-	putCalled := make(chan struct{})
+func TestPublisher_keepAliveAsyncDeleteSkipsPutWhenTTLUnavailable(t *testing.T) {
+	tests := []struct {
+		name    string
+		resp    *clientv3.LeaseTimeToLiveResponse
+		err     error
+		leaseID clientv3.LeaseID
+	}{
+		{
+			name:    "ttl error",
+			err:     errors.New("ttl error"),
+			leaseID: 1,
+		},
+		{
+			name:    "ttl nil response",
+			resp:    nil,
+			leaseID: 2,
+		},
+	}
 
-	// Expect the re-put operation to fail
-	cli.EXPECT().Put(gomock.Any(), "thekey", "thevalue", gomock.Any()).Do(func(_, _, _, _ any) {
-		close(putCalled) // Signal that Put has been called
-	}).Return(nil, errors.New("put error"))
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+
+			cli := internal.NewMockEtcdClient(ctrl)
+			restore := setMockClient(cli)
+			defer restore()
+
+			cli.EXPECT().Ctx().AnyTimes()
+			cli.EXPECT().KeepAlive(gomock.Any(), tt.leaseID)
+			cli.EXPECT().Watch(gomock.Any(), gomock.Any(), gomock.Any()).Return(newDeleteWatchChan("thekey"))
+			cli.EXPECT().TimeToLive(gomock.Any(), tt.leaseID).Return(tt.resp, tt.err)
+
+			restarted := make(chan struct{})
+			cli.EXPECT().Revoke(gomock.Any(), tt.leaseID).Do(func(_, _ any) {
+				close(restarted)
+			})
+
+			pub := NewPublisher(nil, "thekey", "thevalue")
+			pub.lease = tt.leaseID
+			pub.fullKey = "thekey"
+
+			assert.Nil(t, pub.keepAliveAsync(cli))
+			waitForSignal(t, restarted)
+			pub.Stop()
+		})
+	}
+}
+
+func TestPublisher_keepAliveAsyncDeleteRestartsWhenRePutLosesLease(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+	const id clientv3.LeaseID = 1
+	cli := internal.NewMockEtcdClient(ctrl)
+	restore := setMockClient(cli)
+	defer restore()
+	cli.EXPECT().Ctx().AnyTimes()
+	cli.EXPECT().KeepAlive(gomock.Any(), id)
+	cli.EXPECT().Watch(gomock.Any(), gomock.Any(), gomock.Any()).Return(newDeleteWatchChan("thekey"))
+	cli.EXPECT().TimeToLive(gomock.Any(), id).Return(&clientv3.LeaseTimeToLiveResponse{
+		TTL: 1,
+	}, nil)
+	cli.EXPECT().Put(gomock.Any(), "thekey", "thevalue", gomock.Any()).Return(nil, nil)
+	cli.EXPECT().Get(gomock.Any(), "thekey").Return(&clientv3.GetResponse{
+		Kvs: []*mvccpb.KeyValue{{
+			Key:   []byte("thekey"),
+			Value: []byte("thevalue"),
+			Lease: 0,
+		}},
+	}, nil)
 
-	// Expect revoke when Stop is called
+	restarted := make(chan struct{})
 	cli.EXPECT().Revoke(gomock.Any(), id).Do(func(_, _ any) {
-		wg.Done()
+		close(restarted)
 	})
 
 	pub := NewPublisher(nil, "thekey", "thevalue")
 	pub.lease = id
 	pub.fullKey = "thekey"
 
 	assert.Nil(t, pub.keepAliveAsync(cli))
-
-	// Wait for Put to be called, then stop
-	<-putCalled
+	waitForSignal(t, restarted)
 	pub.Stop()
-	wg.Wait()
 }
 
 func TestPublisher_Resume(t *testing.T) {
@@ -462,3 +512,27 @@ func createTempFile(t *testing.T, body []byte) string {
 
 	return tmpFile.Name()
 }
+
+func newDeleteWatchChan(key string) <-chan clientv3.WatchResponse {
+	watchChan := make(chan clientv3.WatchResponse, 1)
+	watchChan <- clientv3.WatchResponse{
+		Events: []*clientv3.Event{{
+			Type: clientv3.EventTypeDelete,
+			Kv: &mvccpb.KeyValue{
+				Key: []byte(key),
+			},
+		}},
+	}
+
+	return watchChan
+}
+
+func waitForSignal(t *testing.T, ch <-chan struct{}) {
+	t.Helper()
+
+	select {
+	case <-ch:
+	case <-time.After(time.Second):
+		t.Fatal("timed out waiting for signal")
+	}
+}
