Skip to main content

mz_adapter/
client.rs

1// Copyright Materialize, Inc. and contributors. All rights reserved.
2//
3// Use of this software is governed by the Business Source License
4// included in the LICENSE file.
5//
6// As of the Change Date specified in that file, in accordance with
7// the Business Source License, use of this software will be governed
8// by the Apache License, Version 2.0.
9
10use std::borrow::Cow;
11use std::collections::BTreeMap;
12use std::fmt::{Debug, Display, Formatter};
13use std::future::Future;
14use std::pin::{self, Pin};
15use std::sync::Arc;
16use std::time::{Duration, Instant};
17
18use anyhow::bail;
19use chrono::{DateTime, Utc};
20use derivative::Derivative;
21use futures::{Stream, StreamExt};
22use itertools::Itertools;
23use mz_adapter_types::connection::{ConnectionId, ConnectionIdType};
24use mz_auth::password::Password;
25use mz_auth::{Authenticated, AuthenticatorKind};
26use mz_build_info::BuildInfo;
27use mz_compute_types::ComputeInstanceId;
28use mz_ore::channel::OneshotReceiverExt;
29use mz_ore::collections::CollectionExt;
30use mz_ore::id_gen::{IdAllocator, IdAllocatorInnerBitSet, MAX_ORG_ID, org_id_conn_bits};
31use mz_ore::instrument;
32use mz_ore::now::{EpochMillis, NowFn, to_datetime};
33use mz_ore::str::StrExt;
34use mz_ore::task::AbortOnDropHandle;
35use mz_ore::thread::JoinOnDropHandle;
36use mz_ore::tracing::OpenTelemetryContext;
37use mz_repr::user::InternalUserMetadata;
38use mz_repr::{CatalogItemId, ColumnIndex, SqlScalarType};
39use mz_sql::ast::{Raw, Statement};
40use mz_sql::catalog::{EnvironmentId, SessionCatalog};
41use mz_sql::session::hint::ApplicationNameHint;
42use mz_sql::session::metadata::SessionMetadata;
43use mz_sql::session::user::SUPPORT_USER;
44use mz_sql::session::vars::{
45    CLUSTER, ENABLE_FRONTEND_PEEK_SEQUENCING, OwnedVarInput, SystemVars, Var,
46};
47use mz_sql_parser::ast::display::AstDisplay;
48use mz_sql_parser::parser::{ParserStatementError, StatementParseResult};
49use prometheus::Histogram;
50use serde_json::json;
51use tokio::sync::{mpsc, oneshot};
52use tracing::{debug, error};
53use uuid::Uuid;
54
55use crate::catalog::Catalog;
56use crate::command::{
57    CatalogDump, CatalogSnapshot, Command, CopyFromStdinWriter, ExecuteResponse, Response,
58    SASLChallengeResponse, SASLVerifyProofResponse, SuperuserAttribute,
59};
60use crate::config::{ScopedParameters, ScopedParametersScope, SystemParameterFrontend};
61use crate::coord::{Coordinator, ExecuteContextGuard};
62use crate::error::AdapterError;
63use crate::metrics::{self, Metrics};
64use crate::session::{
65    EndTransactionAction, PreparedStatement, Session, SessionConfig, StateRevision, TransactionId,
66};
67use crate::statement_logging::{StatementEndedExecutionReason, StatementExecutionStrategy};
68use crate::telemetry::{self, EventDetails, SegmentClientExt, StatementFailureType};
69use crate::webhook::AppendWebhookResponse;
70use crate::{AdapterNotice, AppendWebhookError, PeekClient, PeekResponseUnary, StartupResponse};
71
72/// A handle to a running coordinator.
73///
74/// The coordinator runs on its own thread. Dropping the handle will wait for
75/// the coordinator's thread to exit, which will only occur after all
76/// outstanding [`Client`]s for the coordinator have dropped.
77pub struct Handle {
78    pub(crate) session_id: Uuid,
79    pub(crate) start_instant: Instant,
80    pub(crate) _thread: JoinOnDropHandle<()>,
81}
82
83impl Handle {
84    /// Returns the session ID associated with this coordinator.
85    ///
86    /// The session ID is generated on coordinator boot. It lasts for the
87    /// lifetime of the coordinator. Restarting the coordinator will result
88    /// in a new session ID.
89    pub fn session_id(&self) -> Uuid {
90        self.session_id
91    }
92
93    /// Returns the instant at which the coordinator booted.
94    pub fn start_instant(&self) -> Instant {
95        self.start_instant
96    }
97}
98
99/// A coordinator client.
100///
101/// A coordinator client is a simple handle to a communication channel with the
102/// coordinator. It can be cheaply cloned.
103///
104/// Clients keep the coordinator alive. The coordinator will not exit until all
105/// outstanding clients have dropped.
106#[derive(Debug, Clone)]
107pub struct Client {
108    build_info: &'static BuildInfo,
109    inner_cmd_tx: mpsc::UnboundedSender<(OpenTelemetryContext, Command)>,
110    id_alloc: IdAllocator<IdAllocatorInnerBitSet>,
111    now: NowFn,
112    metrics: Metrics,
113    environment_id: EnvironmentId,
114    segment_client: Option<mz_segment::Client>,
115}
116
117impl Client {
118    pub(crate) fn new(
119        build_info: &'static BuildInfo,
120        cmd_tx: mpsc::UnboundedSender<(OpenTelemetryContext, Command)>,
121        metrics: Metrics,
122        now: NowFn,
123        environment_id: EnvironmentId,
124        segment_client: Option<mz_segment::Client>,
125    ) -> Client {
126        // Connection ids are 32 bits and have 3 parts.
127        // 1. MSB bit is always 0 because these are interpreted as an i32, and it is possible some
128        //    driver will not handle a negative id since postgres has never produced one because it
129        //    uses process ids.
130        // 2. Next 12 bits are the lower 12 bits of the org id. This allows balancerd to route
131        //    incoming cancel messages to a subset of the environments.
132        // 3. Last 19 bits are random.
133        let env_lower = org_id_conn_bits(&environment_id.organization_id());
134        Client {
135            build_info,
136            inner_cmd_tx: cmd_tx,
137            id_alloc: IdAllocator::new(1, MAX_ORG_ID, env_lower),
138            now,
139            metrics,
140            environment_id,
141            segment_client,
142        }
143    }
144
145    /// Allocates a client for an incoming connection.
146    pub fn new_conn_id(&self) -> Result<ConnectionId, AdapterError> {
147        self.id_alloc.alloc().ok_or(AdapterError::IdExhaustionError)
148    }
149
150    /// Creates a new session associated with this client for the given user.
151    ///
152    /// It is the caller's responsibility to have authenticated the user.
153    /// We pass in an Authenticated marker as a guardrail to ensure the
154    /// user has authenticated with an authenticator before creating a session.
155    pub fn new_session(&self, config: SessionConfig, _authenticated: Authenticated) -> Session {
156        // We use the system clock to determine when a session connected to Materialize. This is not
157        // intended to be 100% accurate and correct, so we don't burden the timestamp oracle with
158        // generating a more correct timestamp.
159        Session::new(self.build_info, config, self.metrics().session_metrics())
160    }
161
162    /// Used by [mz_auth::AuthenticatorKind::Password]
163    /// to verify the provided user's password against the
164    /// stored credentials in the catalog.
165    pub async fn authenticate(
166        &self,
167        user: &String,
168        password: &Password,
169    ) -> Result<Authenticated, AdapterError> {
170        let (tx, rx) = oneshot::channel();
171        self.send(Command::AuthenticatePassword {
172            role_name: user.to_string(),
173            password: Some(password.clone()),
174            tx,
175        });
176        rx.await.expect("sender dropped")?;
177        Ok(Authenticated)
178    }
179
180    /// Used by [mz_auth::AuthenticatorKind::Sasl] for SASL-SCRAM authentication.
181    /// This is used prior to [Client::verify_sasl_proof].
182    pub async fn generate_sasl_challenge(
183        &self,
184        user: &String,
185        client_nonce: &String,
186    ) -> Result<SASLChallengeResponse, AdapterError> {
187        let (tx, rx) = oneshot::channel();
188        self.send(Command::AuthenticateGetSASLChallenge {
189            role_name: user.to_string(),
190            nonce: client_nonce.to_string(),
191            tx,
192        });
193        let response = rx.await.expect("sender dropped")?;
194        Ok(response)
195    }
196
197    /// Used by [mz_auth::AuthenticatorKind::Sasl] for SASL-SCRAM authentication.
198    /// This is used after [Client::generate_sasl_challenge].
199    pub async fn verify_sasl_proof(
200        &self,
201        user: &String,
202        proof: &String,
203        nonce: &String,
204        mock_hash: &String,
205    ) -> Result<(SASLVerifyProofResponse, Authenticated), AdapterError> {
206        let (tx, rx) = oneshot::channel();
207        self.send(Command::AuthenticateVerifySASLProof {
208            role_name: user.to_string(),
209            proof: proof.to_string(),
210            auth_message: nonce.to_string(),
211            mock_hash: mock_hash.to_string(),
212            tx,
213        });
214        let response = rx.await.expect("sender dropped")?;
215        Ok((response, Authenticated))
216    }
217
218    /// Checks if a role exists and has the `LOGIN` attribute.
219    pub async fn role_can_login(&self, role_name: &str) -> Result<(), AdapterError> {
220        let (tx, rx) = oneshot::channel();
221        self.send(Command::CheckRoleCanLogin {
222            role_name: role_name.to_string(),
223            tx,
224        });
225        rx.await.expect("sender dropped")
226    }
227
228    /// Upgrades this client to a session client.
229    ///
230    /// A session is a connection that has successfully negotiated parameters,
231    /// like the user. Most coordinator operations are available only after
232    /// upgrading a connection to a session.
233    ///
234    /// Returns a new client that is bound to the session and a response
235    /// containing various details about the startup.
236    #[mz_ore::instrument(level = "debug")]
237    pub async fn startup(&self, session: Session) -> Result<SessionClient, AdapterError> {
238        let user = session.user().clone();
239        let conn_id = session.conn_id().clone();
240        let secret_key = session.secret_key();
241        let uuid = session.uuid();
242        let client_ip = session.client_ip();
243        let application_name = session.application_name().into();
244        let notice_tx = session.retain_notice_transmitter();
245
246        let (tx, rx) = oneshot::channel();
247
248        // ~~SPOOKY ZONE~~
249        //
250        // This guard prevents a race where the startup command finishes, but the Future returned
251        // by this function is concurrently dropped, so we never create a `SessionClient` and thus
252        // never cleanup the initialized Session.
253        let rx = rx.with_guard(|_| {
254            self.send(Command::Terminate {
255                conn_id: conn_id.clone(),
256                tx: None,
257            });
258        });
259
260        self.send(Command::Startup {
261            tx,
262            user,
263            conn_id: conn_id.clone(),
264            secret_key,
265            uuid,
266            client_ip: client_ip.copied(),
267            application_name,
268            notice_tx,
269        });
270
271        // When startup fails, no need to call terminate (handle_startup does this). Delay creating
272        // the client until after startup to sidestep the panic in its `Drop` implementation.
273        let response = rx.await.expect("sender dropped")?;
274
275        // Create the client as soon as startup succeeds (before any await points) so its `Drop` can
276        // handle termination.
277        // Build the PeekClient with controller handles returned from startup.
278        let StartupResponse {
279            role_id,
280            write_notify,
281            session_defaults,
282            catalog,
283            storage_collections,
284            transient_id_gen,
285            optimizer_metrics,
286            persist_client,
287            statement_logging_frontend,
288            superuser_attribute,
289        } = response;
290
291        let peek_client = PeekClient::new(
292            self.clone(),
293            &catalog,
294            storage_collections,
295            transient_id_gen,
296            optimizer_metrics,
297            persist_client,
298            statement_logging_frontend,
299        );
300
301        let mut client = SessionClient {
302            inner: Some(self.clone()),
303            session: Some(session),
304            timeouts: Timeout::new(),
305            environment_id: self.environment_id.clone(),
306            segment_client: self.segment_client.clone(),
307            peek_client,
308            enable_frontend_peek_sequencing: false, // initialized below, once we have a ConnCatalog
309        };
310
311        let session = client.session();
312
313        // Apply the superuser attribute to the session's user if
314        // it exists.
315        if let SuperuserAttribute(Some(superuser)) = superuser_attribute {
316            session.apply_internal_user_metadata(InternalUserMetadata { superuser });
317        }
318
319        session.initialize_role_metadata(role_id);
320        let vars_mut = session.vars_mut();
321        for (name, val) in session_defaults {
322            if let Err(err) = vars_mut.set_default(&name, val.borrow()) {
323                // Note: erroring here is unexpected, but we don't want to panic if somehow our
324                // assumptions are wrong.
325                tracing::error!("failed to set peristed default, {err:?}");
326            }
327        }
328        session
329            .vars_mut()
330            .end_transaction(EndTransactionAction::Commit);
331
332        // Stash the future that notifies us of builtin table writes completing, we'll block on
333        // this future before allowing queries from this session against relevant relations.
334        //
335        // Note: We stash the future as opposed to waiting on it here to prevent blocking session
336        // creation on builtin table updates. This improves the latency for session creation and
337        // reduces scheduling load on any dataflows that read from these builtin relations, since
338        // it allows updates to be batched.
339        session.set_builtin_table_updates(write_notify);
340
341        let catalog = catalog.for_session(session);
342
343        let cluster_active = session.vars().cluster().to_string();
344        if session.vars().welcome_message() {
345            let cluster_info = if catalog.resolve_cluster(Some(&cluster_active)).is_err() {
346                format!("{cluster_active} (does not exist)")
347            } else {
348                cluster_active.to_string()
349            };
350
351            // Emit a welcome message, optimized for readability by humans using
352            // interactive tools. If you change the message, make sure that it
353            // formats nicely in both `psql` and the console's SQL shell.
354            session.add_notice(AdapterNotice::Welcome(format!(
355                "connected to Materialize v{}
356  Environment ID: {}
357  Region: {}
358  User: {}
359  Cluster: {}
360  Database: {}
361  {}
362  Session UUID: {}
363
364Issue a SQL query to get started. Need help?
365  View documentation: https://materialize.com/s/docs
366  Join our Slack community: https://materialize.com/s/chat
367    ",
368                session.vars().build_info().semver_version(),
369                self.environment_id,
370                self.environment_id.region(),
371                session.vars().user().name,
372                cluster_info,
373                session.vars().database(),
374                match session.vars().search_path() {
375                    [schema] => format!("Schema: {}", schema),
376                    schemas => format!(
377                        "Search path: {}",
378                        schemas.iter().map(|id| id.to_string()).join(", ")
379                    ),
380                },
381                session.uuid(),
382            )));
383        }
384
385        if session.vars().current_object_missing_warnings() {
386            if catalog.active_database().is_none() {
387                let db = session.vars().database().into();
388                session.add_notice(AdapterNotice::UnknownSessionDatabase(db));
389            }
390        }
391
392        // Users stub their toe on their default cluster not existing, so we provide a notice to
393        // help guide them on what do to.
394        let cluster_var = session
395            .vars()
396            .inspect(CLUSTER.name())
397            .expect("cluster should exist");
398        if session.vars().current_object_missing_warnings()
399            && catalog.resolve_cluster(Some(&cluster_active)).is_err()
400        {
401            let cluster_notice = 'notice: {
402                if cluster_var.inspect_session_value().is_some() {
403                    break 'notice Some(AdapterNotice::DefaultClusterDoesNotExist {
404                        name: cluster_active,
405                        kind: "session",
406                        suggested_action: "Pick an extant cluster with SET CLUSTER = name. Run SHOW CLUSTERS to see available clusters.".into(),
407                    });
408                }
409
410                let role_default = catalog.get_role(catalog.active_role_id());
411                let role_cluster = match role_default.vars().get(CLUSTER.name()) {
412                    Some(OwnedVarInput::Flat(name)) => Some(name),
413                    None => None,
414                    // This is unexpected!
415                    Some(v @ OwnedVarInput::SqlSet(_)) => {
416                        tracing::warn!(?v, "SqlSet found for cluster Role Default");
417                        break 'notice None;
418                    }
419                };
420
421                let alter_role = "with `ALTER ROLE <role> SET cluster TO <cluster>;`";
422                match role_cluster {
423                    // If there is no default, suggest a Role default.
424                    None => Some(AdapterNotice::DefaultClusterDoesNotExist {
425                        name: cluster_active,
426                        kind: "system",
427                        suggested_action: format!(
428                            "Set a default cluster for the current role {alter_role}."
429                        ),
430                    }),
431                    // If the default does not exist, suggest to change it.
432                    Some(_) => Some(AdapterNotice::DefaultClusterDoesNotExist {
433                        name: cluster_active,
434                        kind: "role",
435                        suggested_action: format!(
436                            "Change the default cluster for the current role {alter_role}."
437                        ),
438                    }),
439                }
440            };
441
442            if let Some(notice) = cluster_notice {
443                session.add_notice(notice);
444            }
445        }
446
447        client.enable_frontend_peek_sequencing = ENABLE_FRONTEND_PEEK_SEQUENCING
448            .require(catalog.system_vars())
449            .is_ok();
450
451        Ok(client)
452    }
453
454    /// Cancels the query currently running on the specified connection.
455    pub fn cancel_request(&self, conn_id: ConnectionIdType, secret_key: u32) {
456        self.send(Command::CancelRequest {
457            conn_id,
458            secret_key,
459        });
460    }
461
462    /// Executes a single SQL statement that returns rows as the
463    /// `mz_support` user.
464    pub async fn support_execute_one(
465        &self,
466        sql: &str,
467    ) -> Result<Pin<Box<dyn Stream<Item = PeekResponseUnary> + Send>>, anyhow::Error> {
468        // Connect to the coordinator.
469        let conn_id = self.new_conn_id()?;
470        let session = self.new_session(
471            SessionConfig {
472                conn_id,
473                uuid: Uuid::new_v4(),
474                user: SUPPORT_USER.name.clone(),
475                client_ip: None,
476                external_metadata_rx: None,
477                helm_chart_version: None,
478                authenticator_kind: AuthenticatorKind::None,
479                groups: None,
480            },
481            Authenticated,
482        );
483        let mut session_client = self.startup(session).await?;
484
485        // Parse the SQL statement.
486        let stmts = mz_sql::parse::parse(sql)?;
487        if stmts.len() != 1 {
488            bail!("must supply exactly one query");
489        }
490        let StatementParseResult { ast: stmt, sql } = stmts.into_element();
491
492        const EMPTY_PORTAL: &str = "";
493        session_client.start_transaction(Some(1))?;
494        session_client
495            .declare(EMPTY_PORTAL.into(), stmt, sql.to_string())
496            .await?;
497
498        let execute_result = session_client
499            .execute(EMPTY_PORTAL.into(), futures::future::pending(), None)
500            .await?;
501        match execute_result {
502            (ExecuteResponse::SendingRowsStreaming { mut rows, .. }, _) => {
503                // We have to only drop the session client _after_ we read the
504                // result. Otherwise the peek will get cancelled right when we
505                // drop the session client. So we wrap it up in an extra stream
506                // like this, which owns the client and can return it.
507                let owning_response_stream = async_stream::stream! {
508                    while let Some(rows) = rows.next().await {
509                        yield rows;
510                    }
511                    drop(session_client);
512                };
513                Ok(Box::pin(owning_response_stream))
514            }
515            r => bail!("unsupported response type: {r:?}"),
516        }
517    }
518
519    /// Returns the metrics associated with the adapter layer.
520    pub fn metrics(&self) -> &Metrics {
521        &self.metrics
522    }
523
524    /// The current time according to the [`Client`].
525    pub fn now(&self) -> DateTime<Utc> {
526        to_datetime((self.now)())
527    }
528
529    /// Get a metadata and a channel that can be used to append to a webhook source.
530    pub async fn get_webhook_appender(
531        &self,
532        database: String,
533        schema: String,
534        name: String,
535    ) -> Result<AppendWebhookResponse, AppendWebhookError> {
536        let (tx, rx) = oneshot::channel();
537
538        // Send our request.
539        self.send(Command::GetWebhook {
540            database,
541            schema,
542            name,
543            tx,
544        });
545
546        // Using our one shot channel to get the result, returning an error if the sender dropped.
547        let response = rx
548            .await
549            .map_err(|_| anyhow::anyhow!("failed to receive webhook response"))?;
550
551        response
552    }
553
554    /// Gets the current value of all system variables.
555    pub async fn get_system_vars(&self) -> SystemVars {
556        let (tx, rx) = oneshot::channel();
557        self.send(Command::GetSystemVars { tx });
558        rx.await.expect("coordinator unexpectedly gone")
559    }
560
561    /// Returns a snapshot of the catalog.
562    ///
563    /// Does a Coordinator round-trip. Session-bound callers should
564    /// prefer [`SessionClient::catalog_snapshot`], which serves from the
565    /// session's snapshot cache.
566    pub async fn catalog_snapshot_expensive(&self) -> Arc<Catalog> {
567        let (tx, rx) = oneshot::channel();
568        self.send(Command::CatalogSnapshot { tx });
569        let CatalogSnapshot { catalog } = rx.await.expect("coordinator unexpectedly gone");
570        catalog
571    }
572
573    /// Reconciles the coordinator's scoped feature-flag working copy towards
574    /// `overrides`. Used by the system-parameter sync loop from continuous
575    /// LaunchDarkly evaluation.
576    ///
577    /// `prune_scope` bounds which objects' rows the reconcile may remove (the
578    /// objects `overrides` was evaluated for). The sync loop passes the live
579    /// objects from its snapshot; `None` is a full replace, used by the
580    /// disabled-feature clear path. See
581    /// [`crate::catalog::Op::UpdateScopedSystemParameters`].
582    pub async fn update_scoped_system_parameters(
583        &self,
584        overrides: ScopedParameters,
585        prune_scope: Option<ScopedParametersScope>,
586    ) {
587        let (tx, rx) = oneshot::channel();
588        self.send(Command::UpdateScopedSystemParameters {
589            overrides,
590            prune_scope,
591            tx,
592        });
593        let _ = rx.await;
594    }
595
596    /// Installs (or replaces) the shared system-parameter frontend on the
597    /// coordinator, letting the create-cluster / create-replica paths resolve a
598    /// new object's scoped overrides synchronously. Sent by the sync loop each
599    /// time it (re)initializes the frontend. Fire-and-forget.
600    pub fn install_scoped_system_parameter_frontend(&self, frontend: Arc<SystemParameterFrontend>) {
601        self.send(Command::InstallScopedSystemParameterFrontend { frontend });
602    }
603
604    #[instrument(level = "debug")]
605    pub(crate) fn send(&self, cmd: Command) {
606        self.inner_cmd_tx
607            .send((OpenTelemetryContext::obtain(), cmd))
608            .expect("coordinator unexpectedly gone");
609    }
610}
611
612/// A coordinator client that is bound to a connection.
613///
614/// See also [`Client`].
615pub struct SessionClient {
616    // Invariant: inner may only be `None` after the session has been terminated.
617    // Once the session is terminated, no communication to the Coordinator
618    // should be attempted.
619    inner: Option<Client>,
620    // Invariant: session may only be `None` during a method call. Every public
621    // method must ensure that `Session` is `Some` before it returns.
622    session: Option<Session>,
623    timeouts: Timeout,
624    segment_client: Option<mz_segment::Client>,
625    environment_id: EnvironmentId,
626    /// Client for frontend peek sequencing; populated at connection startup.
627    peek_client: PeekClient,
628    /// Whether frontend peek sequencing is enabled; initialized at connection startup.
629    // TODO(peek-seq): Currently, this is initialized only at session startup. We'll be able to
630    // check the actual feature flag value at every peek (without a Coordinator call) once we'll
631    // always have a catalog snapshot at hand.
632    pub enable_frontend_peek_sequencing: bool,
633}
634
635impl SessionClient {
636    /// Parses a SQL expression, reporting failures as a telemetry event if
637    /// possible.
638    pub fn parse<'a>(
639        &self,
640        sql: &'a str,
641    ) -> Result<Result<Vec<StatementParseResult<'a>>, ParserStatementError>, String> {
642        match mz_sql::parse::parse_with_limit(sql) {
643            Ok(Err(e)) => {
644                self.track_statement_parse_failure(&e);
645                Ok(Err(e))
646            }
647            r => r,
648        }
649    }
650
651    fn track_statement_parse_failure(&self, parse_error: &ParserStatementError) {
652        let session = self.session.as_ref().expect("session invariant violated");
653        let Some(user_id) = session.user().external_metadata.as_ref().map(|m| m.user_id) else {
654            return;
655        };
656        let Some(segment_client) = &self.segment_client else {
657            return;
658        };
659        let Some(statement_kind) = parse_error.statement else {
660            return;
661        };
662        let Some((action, object_type)) = telemetry::analyze_audited_statement(statement_kind)
663        else {
664            return;
665        };
666        let event_type = StatementFailureType::ParseFailure;
667        let event_name = format!(
668            "{} {} {}",
669            object_type.as_title_case(),
670            action.as_title_case(),
671            event_type.as_title_case(),
672        );
673        segment_client.environment_track(
674            &self.environment_id,
675            event_name,
676            json!({
677                "statement_kind": statement_kind,
678                "error": &parse_error.error,
679            }),
680            EventDetails {
681                user_id: Some(user_id),
682                application_name: Some(session.application_name()),
683                ..Default::default()
684            },
685        );
686    }
687
688    // Verify and return the named prepared statement. We need to verify each use
689    // to make sure the prepared statement is still safe to use.
690    pub async fn get_prepared_statement(
691        &mut self,
692        name: &str,
693    ) -> Result<&PreparedStatement, AdapterError> {
694        let catalog = self.catalog_snapshot("get_prepared_statement").await;
695        Coordinator::verify_prepared_statement(&catalog, self.session(), name)?;
696        Ok(self
697            .session()
698            .get_prepared_statement_unverified(name)
699            .expect("must exist"))
700    }
701
702    /// Saves the parsed statement as a prepared statement.
703    ///
704    /// The prepared statement is saved in the connection's [`crate::session::Session`]
705    /// under the specified name.
706    pub async fn prepare(
707        &mut self,
708        name: String,
709        stmt: Option<Statement<Raw>>,
710        sql: String,
711        param_types: Vec<Option<SqlScalarType>>,
712    ) -> Result<(), AdapterError> {
713        let catalog = self.catalog_snapshot("prepare").await;
714
715        // Note: This failpoint is used to simulate a request outliving the external connection
716        // that made it.
717        let mut async_pause = false;
718        (|| {
719            fail::fail_point!("async_prepare", |val| {
720                async_pause = val.map_or(false, |val| val.parse().unwrap_or(false))
721            });
722        })();
723        if async_pause {
724            tokio::time::sleep(Duration::from_secs(1)).await;
725        };
726
727        let desc = Coordinator::describe(&catalog, self.session(), stmt.clone(), param_types)?;
728        let now = self.now();
729        let state_revision = StateRevision {
730            catalog_revision: catalog.transient_revision(),
731            session_state_revision: self.session().state_revision(),
732        };
733        self.session()
734            .set_prepared_statement(name, stmt, sql, desc, state_revision, now);
735        Ok(())
736    }
737
738    /// Binds a statement to a portal.
739    #[mz_ore::instrument(level = "debug")]
740    pub async fn declare(
741        &mut self,
742        name: String,
743        stmt: Statement<Raw>,
744        sql: String,
745    ) -> Result<(), AdapterError> {
746        let catalog = self.catalog_snapshot("declare").await;
747        let param_types = vec![];
748        let desc =
749            Coordinator::describe(&catalog, self.session(), Some(stmt.clone()), param_types)?;
750        let params = vec![];
751        let result_formats = vec![mz_pgwire_common::Format::Text; desc.arity()];
752        let now = self.now();
753        let logging = self.session().mint_logging(sql, Some(&stmt), now);
754        let state_revision = StateRevision {
755            catalog_revision: catalog.transient_revision(),
756            session_state_revision: self.session().state_revision(),
757        };
758        self.session().set_portal(
759            name,
760            desc,
761            Some(stmt),
762            logging,
763            params,
764            result_formats,
765            state_revision,
766        )?;
767        Ok(())
768    }
769
770    /// Executes a previously-bound portal.
771    ///
772    /// Note: the provided `cancel_future` must be cancel-safe as it's polled in a `select!` loop.
773    ///
774    /// `outer_ctx_extra` is Some when we are executing as part of an outer statement, e.g., a FETCH
775    /// triggering the execution of the underlying query.
776    #[mz_ore::instrument(level = "debug")]
777    pub async fn execute(
778        &mut self,
779        portal_name: String,
780        cancel_future: impl Future<Output = std::io::Error> + Send,
781        outer_ctx_extra: Option<ExecuteContextGuard>,
782    ) -> Result<(ExecuteResponse, Instant), AdapterError> {
783        let execute_started = Instant::now();
784
785        let mut outer_ctx_extra = outer_ctx_extra;
786
787        // Unroll SQL `EXECUTE <prepared> (...)` so the inner statement
788        // flows through `try_frontend_peek` below, rather than being
789        // re-dispatched via `Command::Execute` from the coordinator's
790        // `Plan::Execute` handler. Without this, a prepared statement
791        // would route differently from the same statement issued
792        // directly.
793        //
794        // On a successful unroll, `unroll_sql_execute` also begins
795        // EXECUTE-level statement logging on the outer portal, so that
796        // `mz_statement_execution_history` records `EXECUTE foo (...)`
797        // rather than the inner SQL, and installs the resulting
798        // `ExecuteContextGuard` into `outer_ctx_extra`.
799        let portal_name = self
800            .unroll_sql_execute(portal_name, &mut outer_ctx_extra)
801            .await?;
802
803        // Attempt peek sequencing in the session task.
804        // If unsupported, fall back to the Coordinator path.
805        // TODO(peek-seq): wire up cancel_future
806        let peek_result = self
807            .try_frontend_peek(&portal_name, &mut outer_ctx_extra)
808            .await?;
809        if let Some(resp) = peek_result {
810            debug!("frontend peek succeeded");
811            // Frontend peek handled the execution and retired outer_ctx_extra if it existed.
812            // No additional work needed here.
813            return Ok((resp, execute_started));
814        } else {
815            debug!("frontend peek did not happen, falling back to `Command::Execute`");
816            // If we bailed out, outer_ctx_extra is still present (if it was originally).
817            // `Command::Execute` will handle it.
818            // (This is not true if we bailed out _after_ the frontend peek sequencing has already
819            // begun its own statement logging. That case would be a bug.)
820        }
821
822        let response = self
823            .send_with_cancel(
824                |tx, session| Command::Execute {
825                    portal_name,
826                    session,
827                    tx,
828                    outer_ctx_extra,
829                },
830                cancel_future,
831            )
832            .await?;
833        Ok((response, execute_started))
834    }
835
836    /// If the named portal binds a SQL `EXECUTE <prepared>`, resolve the
837    /// prepared statement, install a fresh portal for the inner statement
838    /// (carrying the EXECUTE's actual parameter values), and return that
839    /// portal's name so the caller can run `try_frontend_peek` against it.
840    ///
841    /// Only ever unrolls one level: the parser rejects
842    /// `PREPARE foo AS EXECUTE bar` (matching Postgres), so the inner
843    /// statement is guaranteed not to be another `EXECUTE`. A failsafe below
844    /// surfaces an internal error if that invariant is ever violated.
845    ///
846    /// When the portal does not bind an `EXECUTE` — the common case —
847    /// returns the original portal name, costing only a portal lookup.
848    async fn unroll_sql_execute(
849        &mut self,
850        portal_name: String,
851        outer_ctx_extra: &mut Option<ExecuteContextGuard>,
852    ) -> Result<String, AdapterError> {
853        let (stmt, params, outer_logging, outer_lifecycle_timestamps) = {
854            let session = self.session.as_ref().expect("SessionClient invariant");
855            let portal = match session.get_portal_unverified(&portal_name) {
856                Some(p) => p,
857                // No portal: let `try_frontend_peek` surface the
858                // standard "missing portal" error.
859                None => return Ok(portal_name),
860            };
861            match &portal.stmt {
862                Some(stmt) => (
863                    Arc::clone(stmt),
864                    portal.parameters.clone(),
865                    Arc::clone(&portal.logging),
866                    portal.lifecycle_timestamps.clone(),
867                ),
868                None => return Ok(portal_name),
869            }
870        };
871
872        // Only EXECUTE statements need unrolling. Bail out before taking a
873        // catalog snapshot in the (overwhelmingly common) non-EXECUTE case.
874        if !matches!(&*stmt, Statement::Execute(_)) {
875            return Ok(portal_name);
876        }
877
878        let catalog = self.catalog_snapshot("unroll_sql_execute").await;
879
880        // Validate the outer EXECUTE portal against the (possibly newer)
881        // catalog: ensures the recorded portal description still matches
882        // what describing the EXECUTE would produce now.
883        {
884            let session = self.session.as_mut().expect("SessionClient invariant");
885            Coordinator::verify_portal(&catalog, session, &portal_name)?;
886        }
887
888        // Bump query_total for the outer EXECUTE itself. The inner
889        // statement gets its own increment inside `try_frontend_peek_inner`
890        // (or, on bailout, in the coordinator's `handle_execute`).
891        {
892            let session = self.session.as_ref().expect("SessionClient invariant");
893            session
894                .metrics()
895                .query_total(&[
896                    metrics::session_type_label_value(session.user()),
897                    metrics::statement_type_label_value(&stmt),
898                ])
899                .inc();
900        }
901
902        // Begin EXECUTE-level statement logging up front, so that planning
903        // errors below produce an `Errored` end-event in
904        // `mz_statement_execution_history` rather than no entry at all.
905        //
906        // We pass the *outer* portal's `logging` and pgwire-bound `params`
907        // so the recorded entry shows the user-visible `EXECUTE foo (...)`,
908        // not the inner SQL. The id (if any) moves into `outer_ctx_extra`
909        // below for `try_frontend_peek` to retire; on planning error we
910        // explicitly emit an `Errored` end-event below.
911        let began_outer_logging = outer_ctx_extra.is_none();
912        let logging_id: Option<crate::statement_logging::StatementLoggingId> =
913            if began_outer_logging {
914                let session = self.session.as_mut().expect("SessionClient invariant");
915                let result = self
916                    .peek_client
917                    .statement_logging_frontend
918                    .begin_statement_execution(
919                        session,
920                        &params,
921                        &outer_logging,
922                        catalog.system_config(),
923                        outer_lifecycle_timestamps,
924                    );
925                if let Some((id, began_execution, mseh_update, prepared_statement)) = result {
926                    self.peek_client.log_began_execution(
927                        began_execution,
928                        mseh_update,
929                        prepared_statement,
930                    );
931                    Some(id)
932                } else {
933                    None
934                }
935            } else {
936                None
937            };
938
939        let new_portal_name = match self.install_inner_portal_for_execute(&catalog, &stmt, &params)
940        {
941            Ok(name) => name,
942            Err(err) => {
943                if let Some(id) = logging_id {
944                    self.peek_client.log_ended_execution(
945                        id,
946                        StatementEndedExecutionReason::Errored {
947                            error: err.to_string(),
948                        },
949                    );
950                }
951                return Err(err);
952            }
953        };
954
955        // Hand off to `outer_ctx_extra` whenever we entered the begin path
956        // for the outer EXECUTE — even if `begin_statement_execution`
957        // returned `None` (sampling decided not to sample, or logging is
958        // disabled for the user). This mirrors the original coord path,
959        // which always installs a guard via
960        // `ExecuteContextGuard::new(maybe_uuid, ...)`. Without this, the
961        // inner portal would be treated as a fresh statement by
962        // `try_frontend_peek` (or the fallback `Command::Execute` path)
963        // and re-account its bytes against
964        // `mz_statement_logging_unsampled_bytes`, double-counting the
965        // inner SQL.
966        if began_outer_logging {
967            // Soft invariant: `try_frontend_peek` takes ownership of
968            // `outer_ctx_extra` immediately, so this guard's `Drop` is
969            // unreachable on the normal flow and the dummy channel is
970            // never used. If a panic does fire `Drop` between here and
971            // that takeover, the `Aborted` end-event is silently lost
972            // — an acceptable trade given the panic implies the
973            // connection is going down anyway.
974            let (dummy_tx, _dummy_rx) = mpsc::unbounded_channel();
975            *outer_ctx_extra = Some(ExecuteContextGuard::new(logging_id, dummy_tx));
976        }
977
978        Ok(new_portal_name)
979    }
980
981    /// Helper for [`Self::unroll_sql_execute`]: plans the outer
982    /// `Statement::Execute`, verifies the referenced prepared statement, and
983    /// installs a fresh portal carrying the inner statement plus the
984    /// EXECUTE's bound parameter values. Returns the new portal's name.
985    ///
986    /// Split out so [`Self::unroll_sql_execute`] can wrap the fallible work
987    /// in a single error-handling site that emits an `Errored` end-event
988    /// for the EXECUTE-level statement-logging entry.
989    fn install_inner_portal_for_execute(
990        &mut self,
991        catalog: &Arc<Catalog>,
992        stmt: &Arc<Statement<Raw>>,
993        params: &mz_sql::plan::Params,
994    ) -> Result<String, AdapterError> {
995        use mz_sql::plan::Plan;
996
997        let execute_plan = {
998            let session = self.session.as_mut().expect("SessionClient invariant");
999            let conn_catalog = catalog.for_session(session);
1000            let (resolved_stmt, resolved_ids) =
1001                mz_sql::names::resolve(&conn_catalog, (**stmt).clone())?;
1002            let pcx = session.pcx();
1003            let (plan, _sql_impl_ids) = mz_sql::plan::plan(
1004                Some(pcx),
1005                &conn_catalog,
1006                resolved_stmt,
1007                params,
1008                &resolved_ids,
1009            )?;
1010            match plan {
1011                Plan::Execute(plan) => plan,
1012                other => {
1013                    // Planning a `Statement::Execute` must yield
1014                    // `Plan::Execute`. If it doesn't, the planner
1015                    // contract is broken.
1016                    return Err(AdapterError::Internal(format!(
1017                        "planning Statement::Execute yielded unexpected plan: {:?}",
1018                        mz_sql::plan::PlanKind::from(&other),
1019                    )));
1020                }
1021            }
1022        };
1023
1024        // Verify and install the inner portal. Mirrors
1025        // `Coordinator::sequence_execute`. The new portal carries the inner
1026        // prepared statement's `logging`, but `try_frontend_peek` will see
1027        // `outer_ctx_extra=Some(...)` and inherit the EXECUTE-level logging
1028        // instead of starting fresh from this portal.
1029        let session = self.session.as_mut().expect("SessionClient invariant");
1030        Coordinator::verify_prepared_statement(catalog, session, &execute_plan.name)?;
1031        let ps = session
1032            .get_prepared_statement_unverified(&execute_plan.name)
1033            .expect("verified above");
1034        let inner_stmt = ps.stmt().cloned();
1035        let inner_desc = ps.desc().clone();
1036        let state_revision = ps.state_revision;
1037        let inner_logging = Arc::clone(ps.logging());
1038
1039        // Failsafe: `PREPARE foo AS EXECUTE bar` is rejected by the parser,
1040        // so the resolved inner statement must not be another `EXECUTE`. If
1041        // that ever changes, we'd silently skip frontend sequencing for the
1042        // deeper EXECUTEs — surface it as an internal error instead.
1043        if let Some(inner) = inner_stmt.as_ref() {
1044            if matches!(inner, Statement::Execute(_)) {
1045                return Err(AdapterError::Internal(format!(
1046                    "nested EXECUTE: prepared statement {} resolves to another EXECUTE; \
1047                     parser should reject `PREPARE ... AS EXECUTE ...`",
1048                    execute_plan.name.quoted(),
1049                )));
1050            }
1051        }
1052
1053        session.create_new_portal(
1054            inner_stmt,
1055            inner_logging,
1056            inner_desc,
1057            execute_plan.params,
1058            Vec::new(),
1059            state_revision,
1060        )
1061    }
1062
1063    fn now(&self) -> EpochMillis {
1064        (self.inner().now)()
1065    }
1066
1067    fn now_datetime(&self) -> DateTime<Utc> {
1068        to_datetime(self.now())
1069    }
1070
1071    /// Starts a transaction based on implicit:
1072    /// - `None`: InTransaction
1073    /// - `Some(1)`: Started
1074    /// - `Some(n > 1)`: InTransactionImplicit
1075    /// - `Some(0)`: no change
1076    pub fn start_transaction(&mut self, implicit: Option<usize>) -> Result<(), AdapterError> {
1077        let now = self.now_datetime();
1078        let session = self.session.as_mut().expect("session invariant violated");
1079        let result = match implicit {
1080            None => session.start_transaction(now, None, None),
1081            Some(stmts) => {
1082                session.start_transaction_implicit(now, stmts);
1083                Ok(())
1084            }
1085        };
1086        result
1087    }
1088
1089    /// Ends a transaction. Even if an error is returned, guarantees that the transaction in the
1090    /// session and Coordinator has cleared its state.
1091    #[instrument(level = "debug")]
1092    pub async fn end_transaction(
1093        &mut self,
1094        action: EndTransactionAction,
1095    ) -> Result<ExecuteResponse, AdapterError> {
1096        let res = self
1097            .send(|tx, session| Command::Commit {
1098                action,
1099                session,
1100                tx,
1101            })
1102            .await;
1103        // Commit isn't guaranteed to set the session's state to anything specific, so clear it
1104        // here. It's safe to ignore the returned `TransactionStatus` because that doesn't contain
1105        // any data that the Coordinator must act on for correctness.
1106        let _ = self.session().clear_transaction();
1107        res
1108    }
1109
1110    /// Fails a transaction.
1111    pub fn fail_transaction(&mut self) {
1112        let session = self.session.take().expect("session invariant violated");
1113        let session = session.fail_transaction();
1114        self.session = Some(session);
1115    }
1116
1117    /// Fetches the catalog, served from the session-side snapshot cache when
1118    /// the catalog is unchanged since the cached snapshot was taken. See
1119    /// [`PeekClient::catalog_snapshot`].
1120    #[instrument(level = "debug")]
1121    pub async fn catalog_snapshot(&mut self, context: &str) -> Arc<Catalog> {
1122        self.peek_client.catalog_snapshot(context).await
1123    }
1124
1125    /// Reports whether `enable_statement_arrival_logging` is on.
1126    pub async fn statement_arrival_logging_enabled(&mut self) -> bool {
1127        let catalog = self.catalog_snapshot("statement_arrival_logging").await;
1128        catalog.system_config().enable_statement_arrival_logging()
1129    }
1130
1131    /// Dumps the catalog to a JSON string.
1132    ///
1133    /// No authorization is performed, so access to this function must be limited to internal
1134    /// servers or superusers.
1135    pub async fn dump_catalog(&mut self) -> Result<CatalogDump, AdapterError> {
1136        let catalog = self.catalog_snapshot("dump_catalog").await;
1137        catalog.dump().map_err(AdapterError::from)
1138    }
1139
1140    /// Checks the catalog for internal consistency, returning a JSON object describing the
1141    /// inconsistencies, if there are any.
1142    ///
1143    /// No authorization is performed, so access to this function must be limited to internal
1144    /// servers or superusers.
1145    pub async fn check_catalog(&mut self) -> Result<(), serde_json::Value> {
1146        let catalog = self.catalog_snapshot("check_catalog").await;
1147        catalog.check_consistency()
1148    }
1149
1150    /// Checks the coordinator for internal consistency, returning a JSON object describing the
1151    /// inconsistencies, if there are any. This is a superset of checks that check_catalog performs,
1152    ///
1153    /// No authorization is performed, so access to this function must be limited to internal
1154    /// servers or superusers.
1155    pub async fn check_coordinator(&self) -> Result<(), serde_json::Value> {
1156        self.send_without_session(|tx| Command::CheckConsistency { tx })
1157            .await
1158            .map_err(|inconsistencies| {
1159                serde_json::to_value(inconsistencies).unwrap_or_else(|_| {
1160                    serde_json::Value::String("failed to serialize inconsistencies".to_string())
1161                })
1162            })
1163    }
1164
1165    pub async fn dump_coordinator_state(&self) -> Result<serde_json::Value, anyhow::Error> {
1166        self.send_without_session(|tx| Command::Dump { tx }).await
1167    }
1168
1169    /// Tells the coordinator a statement has finished execution, in the cases
1170    /// where we have no other reason to communicate with the coordinator.
1171    pub fn retire_execute(
1172        &self,
1173        guard: ExecuteContextGuard,
1174        reason: StatementEndedExecutionReason,
1175    ) {
1176        if !guard.is_trivial() {
1177            let data = guard.defuse();
1178            let cmd = Command::RetireExecute { data, reason };
1179            self.inner().send(cmd);
1180        }
1181    }
1182
1183    /// Sets up a streaming COPY FROM STDIN operation.
1184    ///
1185    /// Sends a command to the coordinator to create a background batch
1186    /// builder task. Returns a [`CopyFromStdinWriter`] that pgwire uses
1187    /// to stream decoded rows.
1188    pub async fn start_copy_from_stdin(
1189        &mut self,
1190        target_id: CatalogItemId,
1191        target_name: String,
1192        columns: Vec<ColumnIndex>,
1193        row_desc: mz_repr::RelationDesc,
1194        params: mz_pgcopy::CopyFormatParams<'static>,
1195    ) -> Result<CopyFromStdinWriter, AdapterError> {
1196        self.send(|tx, session| Command::StartCopyFromStdin {
1197            target_id,
1198            target_name,
1199            columns,
1200            row_desc,
1201            params,
1202            session,
1203            tx,
1204        })
1205        .await
1206    }
1207
1208    /// Commits staged COPY FROM STDIN batches to a table.
1209    ///
1210    /// Adds the pre-built persist batches to the session's transaction
1211    /// operations. The actual commit happens when the transaction ends.
1212    pub fn stage_copy_from_stdin_batches(
1213        &mut self,
1214        target_id: CatalogItemId,
1215        batches: Vec<mz_persist_client::batch::ProtoBatch>,
1216    ) -> Result<(), AdapterError> {
1217        use crate::session::{TransactionOps, WriteOp};
1218        use mz_storage_client::client::TableData;
1219
1220        self.session()
1221            .add_transaction_ops(TransactionOps::Writes(vec![WriteOp {
1222                id: target_id,
1223                rows: TableData::Batches(batches.into()),
1224            }]))?;
1225        Ok(())
1226    }
1227
1228    /// Gets the current value of all system variables.
1229    pub async fn get_system_vars(&self) -> SystemVars {
1230        self.inner().get_system_vars().await
1231    }
1232
1233    /// Updates the specified system variables to the specified values.
1234    pub async fn set_system_vars(
1235        &mut self,
1236        vars: BTreeMap<String, String>,
1237    ) -> Result<(), AdapterError> {
1238        let conn_id = self.session().conn_id().clone();
1239        self.send_without_session(|tx| Command::SetSystemVars { vars, conn_id, tx })
1240            .await
1241    }
1242
1243    /// Injects audit events into the catalog via the coordinator.
1244    ///
1245    /// No authorization is performed, so access to this function must be limited to internal
1246    /// servers or superusers.
1247    pub async fn inject_audit_events(
1248        &mut self,
1249        events: Vec<crate::catalog::InjectedAuditEvent>,
1250    ) -> Result<(), AdapterError> {
1251        let conn_id = self.session().conn_id().clone();
1252        self.send_without_session(|tx| Command::InjectAuditEvents {
1253            events,
1254            conn_id,
1255            tx,
1256        })
1257        .await
1258    }
1259
1260    /// Terminates the client session.
1261    pub async fn terminate(&mut self) {
1262        let conn_id = self.session().conn_id().clone();
1263        let res = self
1264            .send_without_session(|tx| Command::Terminate {
1265                conn_id,
1266                tx: Some(tx),
1267            })
1268            .await;
1269        if let Err(e) = res {
1270            // Nothing we can do to handle a failed terminate so we just log and ignore it.
1271            error!("Unable to terminate session: {e:?}");
1272        }
1273        // Prevent any communication with Coordinator after session is terminated.
1274        self.inner = None;
1275    }
1276
1277    /// Returns a mutable reference to the session bound to this client.
1278    pub fn session(&mut self) -> &mut Session {
1279        self.session.as_mut().expect("session invariant violated")
1280    }
1281
1282    /// Returns a reference to the inner client.
1283    pub fn inner(&self) -> &Client {
1284        self.inner.as_ref().expect("inner invariant violated")
1285    }
1286
1287    async fn send_without_session<T, F>(&self, f: F) -> T
1288    where
1289        F: FnOnce(oneshot::Sender<T>) -> Command,
1290    {
1291        let (tx, rx) = oneshot::channel();
1292        self.inner().send(f(tx));
1293        rx.await.expect("sender dropped")
1294    }
1295
1296    #[instrument(level = "debug")]
1297    async fn send<T, F>(&mut self, f: F) -> Result<T, AdapterError>
1298    where
1299        F: FnOnce(oneshot::Sender<Response<T>>, Session) -> Command,
1300    {
1301        self.send_with_cancel(f, futures::future::pending()).await
1302    }
1303
1304    /// Send a [`Command`] to the Coordinator, with the ability to cancel the command.
1305    ///
1306    /// Note: the provided `cancel_future` must be cancel-safe as it's polled in a `select!` loop.
1307    #[instrument(level = "debug")]
1308    async fn send_with_cancel<T, F>(
1309        &mut self,
1310        f: F,
1311        cancel_future: impl Future<Output = std::io::Error> + Send,
1312    ) -> Result<T, AdapterError>
1313    where
1314        F: FnOnce(oneshot::Sender<Response<T>>, Session) -> Command,
1315    {
1316        let session = self.session.take().expect("session invariant violated");
1317        let mut typ = None;
1318        let application_name = session.application_name();
1319        let name_hint = ApplicationNameHint::from_str(application_name);
1320        let conn_id = session.conn_id().clone();
1321        let (tx, rx) = oneshot::channel();
1322
1323        // Destructure self so we can hold a mutable reference to the inner client and session at
1324        // the same time.
1325        let Self {
1326            inner: inner_client,
1327            session: client_session,
1328            ..
1329        } = self;
1330
1331        // TODO(parkmycar): Leaking this invariant here doesn't feel great, but calling
1332        // `self.client()` doesn't work because then Rust takes a borrow on the entirity of self.
1333        let inner_client = inner_client.as_ref().expect("inner invariant violated");
1334
1335        // ~~SPOOKY ZONE~~
1336        //
1337        // This guard prevents a race where a `Session` is returned on `rx` but never placed
1338        // back in `self` because the Future returned by this function is concurrently dropped
1339        // with the Coordinator sending a response.
1340        let mut guarded_rx = rx.with_guard(|response: Response<_>| {
1341            *client_session = Some(response.session);
1342        });
1343
1344        inner_client.send({
1345            let cmd = f(tx, session);
1346            // Measure the success and error rate of certain commands:
1347            // - declare reports success of SQL statement planning
1348            // - execute reports success of dataflow execution
1349            match cmd {
1350                Command::Execute { .. } => typ = Some("execute"),
1351                Command::GetWebhook { .. } => typ = Some("webhook"),
1352                Command::StartCopyFromStdin { .. }
1353                | Command::Startup { .. }
1354                | Command::AuthenticatePassword { .. }
1355                | Command::AuthenticateGetSASLChallenge { .. }
1356                | Command::AuthenticateVerifySASLProof { .. }
1357                | Command::CheckRoleCanLogin { .. }
1358                | Command::CatalogSnapshot { .. }
1359                | Command::Commit { .. }
1360                | Command::CancelRequest { .. }
1361                | Command::PrivilegedCancelRequest { .. }
1362                | Command::GetSystemVars { .. }
1363                | Command::SetSystemVars { .. }
1364                | Command::UpdateScopedSystemParameters { .. }
1365                | Command::InstallScopedSystemParameterFrontend { .. }
1366                | Command::Terminate { .. }
1367                | Command::RetireExecute { .. }
1368                | Command::CheckConsistency { .. }
1369                | Command::Dump { .. }
1370                | Command::GetComputeInstanceClient { .. }
1371                | Command::GetOracle { .. }
1372                | Command::DetermineRealTimeRecentTimestamp { .. }
1373                | Command::GetTransactionReadHoldsBundle { .. }
1374                | Command::StoreTransactionReadHolds { .. }
1375                | Command::ExecuteSlowPathPeek { .. }
1376                | Command::ExecuteSubscribe { .. }
1377                | Command::CopyToPreflight { .. }
1378                | Command::ExecuteCopyTo { .. }
1379                | Command::ExecuteSideEffectingFunc { .. }
1380                | Command::LookupConnection { .. }
1381                | Command::RegisterFrontendPeek { .. }
1382                | Command::UnregisterFrontendPeek { .. }
1383                | Command::ExplainTimestamp { .. }
1384                | Command::FrontendStatementLogging(..)
1385                | Command::InjectAuditEvents { .. } => {}
1386            };
1387            cmd
1388        });
1389
1390        let mut cancel_future = pin::pin!(cancel_future);
1391        let mut cancelled = false;
1392        loop {
1393            tokio::select! {
1394                res = &mut guarded_rx => {
1395                    // We received a result, so drop our guard to drop our borrows.
1396                    drop(guarded_rx);
1397
1398                    let res = res.expect("sender dropped");
1399                    let status = res.result.is_ok().then_some("success").unwrap_or("error");
1400                    if let Err(err) = res.result.as_ref() {
1401                        if name_hint.should_trace_errors() {
1402                            tracing::warn!(?err, ?name_hint, "adapter response error");
1403                        }
1404                    }
1405
1406                    if let Some(typ) = typ {
1407                        inner_client
1408                            .metrics
1409                            .commands
1410                            .with_label_values(&[typ, status, name_hint.as_str()])
1411                            .inc();
1412                    }
1413                    *client_session = Some(res.session);
1414                    return res.result;
1415                },
1416                _err = &mut cancel_future, if !cancelled => {
1417                    cancelled = true;
1418                    inner_client.send(Command::PrivilegedCancelRequest {
1419                        conn_id: conn_id.clone(),
1420                    });
1421                }
1422            };
1423        }
1424    }
1425
1426    pub fn add_idle_in_transaction_session_timeout(&mut self) {
1427        let session = self.session();
1428        let timeout_dur = session.vars().idle_in_transaction_session_timeout();
1429        if !timeout_dur.is_zero() {
1430            let timeout_dur = timeout_dur.clone();
1431            if let Some(txn) = session.transaction().inner() {
1432                let txn_id = txn.id.clone();
1433                let timeout = TimeoutType::IdleInTransactionSession(txn_id);
1434                self.timeouts.add_timeout(timeout, timeout_dur);
1435            }
1436        }
1437    }
1438
1439    pub fn remove_idle_in_transaction_session_timeout(&mut self) {
1440        let session = self.session();
1441        if let Some(txn) = session.transaction().inner() {
1442            let txn_id = txn.id.clone();
1443            self.timeouts
1444                .remove_timeout(&TimeoutType::IdleInTransactionSession(txn_id));
1445        }
1446    }
1447
1448    /// # Cancel safety
1449    ///
1450    /// This method is cancel safe. If `recv` is used as the event in a
1451    /// `tokio::select!` statement and some other branch
1452    /// completes first, it is guaranteed that no messages were received on this
1453    /// channel.
1454    pub async fn recv_timeout(&mut self) -> Option<TimeoutType> {
1455        self.timeouts.recv().await
1456    }
1457
1458    /// Attempt to sequence a peek from the session task.
1459    ///
1460    /// Returns `Ok(Some(response))` if we handled the peek, or `Ok(None)` to fall back to the
1461    /// Coordinator's sequencing. If it returns an error, it should be returned to the user.
1462    ///
1463    /// `outer_ctx_extra` is Some when we are executing as part of an outer statement, e.g., a FETCH
1464    /// triggering the execution of the underlying query.
1465    pub(crate) async fn try_frontend_peek(
1466        &mut self,
1467        portal_name: &str,
1468        outer_ctx_extra: &mut Option<ExecuteContextGuard>,
1469    ) -> Result<Option<ExecuteResponse>, AdapterError> {
1470        if self.enable_frontend_peek_sequencing {
1471            let session = self.session.as_mut().expect("SessionClient invariant");
1472            self.peek_client
1473                .try_frontend_peek(portal_name, session, outer_ctx_extra)
1474                .await
1475        } else {
1476            Ok(None)
1477        }
1478    }
1479}
1480
1481impl Drop for SessionClient {
1482    fn drop(&mut self) {
1483        // We may not have a session if this client was dropped while awaiting
1484        // a response. In this case, it is the coordinator's responsibility to
1485        // terminate the session.
1486        if let Some(session) = self.session.take() {
1487            // We may not have a connection to the Coordinator if the session was
1488            // prematurely terminated, for example due to a timeout.
1489            if let Some(inner) = &self.inner {
1490                inner.send(Command::Terminate {
1491                    conn_id: session.conn_id().clone(),
1492                    tx: None,
1493                })
1494            }
1495        }
1496    }
1497}
1498
1499/// Renders SQL for statement arrival logging: parsed and displayed with its
1500/// literals redacted, which is the same redaction the statement log applies.
1501/// When the text does not parse or exceeds the statement batch size limit, a
1502/// placeholder with the byte length is returned. Raw text is never returned,
1503/// so a statement that crashes the parser is not captured, an accepted
1504/// limitation.
1505pub fn redact_sql_for_logging(sql: &str) -> String {
1506    match mz_sql_parser::parser::parse_statements_with_limit(sql) {
1507        Ok(Ok(stmts)) => stmts
1508            .into_iter()
1509            .map(|stmt| stmt.ast.to_ast_string_redacted())
1510            .join("; "),
1511        Ok(Err(_)) => format!("<unparseable ({} bytes)>", sql.len()),
1512        Err(_) => format!("<too large ({} bytes)>", sql.len()),
1513    }
1514}
1515
1516#[derive(Hash, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
1517pub enum TimeoutType {
1518    IdleInTransactionSession(TransactionId),
1519}
1520
1521impl Display for TimeoutType {
1522    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
1523        match self {
1524            TimeoutType::IdleInTransactionSession(txn_id) => {
1525                writeln!(f, "Idle in transaction session for transaction '{txn_id}'")
1526            }
1527        }
1528    }
1529}
1530
1531impl From<TimeoutType> for AdapterError {
1532    fn from(timeout: TimeoutType) -> Self {
1533        match timeout {
1534            TimeoutType::IdleInTransactionSession(_) => {
1535                AdapterError::IdleInTransactionSessionTimeout
1536            }
1537        }
1538    }
1539}
1540
1541struct Timeout {
1542    tx: mpsc::UnboundedSender<TimeoutType>,
1543    rx: mpsc::UnboundedReceiver<TimeoutType>,
1544    active_timeouts: BTreeMap<TimeoutType, AbortOnDropHandle<()>>,
1545}
1546
1547impl Timeout {
1548    fn new() -> Self {
1549        let (tx, rx) = mpsc::unbounded_channel();
1550        Timeout {
1551            tx,
1552            rx,
1553            active_timeouts: BTreeMap::new(),
1554        }
1555    }
1556
1557    /// # Cancel safety
1558    ///
1559    /// This method is cancel safe. If `recv` is used as the event in a
1560    /// `tokio::select!` statement and some other branch
1561    /// completes first, it is guaranteed that no messages were received on this
1562    /// channel.
1563    ///
1564    /// <https://docs.rs/tokio/latest/tokio/sync/mpsc/struct.UnboundedReceiver.html#cancel-safety>
1565    async fn recv(&mut self) -> Option<TimeoutType> {
1566        self.rx.recv().await
1567    }
1568
1569    fn add_timeout(&mut self, timeout: TimeoutType, duration: Duration) {
1570        let tx = self.tx.clone();
1571        let timeout_key = timeout.clone();
1572        let handle = mz_ore::task::spawn(|| format!("{timeout_key}"), async move {
1573            tokio::time::sleep(duration).await;
1574            let _ = tx.send(timeout);
1575        })
1576        .abort_on_drop();
1577        self.active_timeouts.insert(timeout_key, handle);
1578    }
1579
1580    fn remove_timeout(&mut self, timeout: &TimeoutType) {
1581        self.active_timeouts.remove(timeout);
1582
1583        // Remove the timeout from the rx queue if it exists.
1584        let mut timeouts = Vec::new();
1585        while let Ok(pending_timeout) = self.rx.try_recv() {
1586            if timeout != &pending_timeout {
1587                timeouts.push(pending_timeout);
1588            }
1589        }
1590        for pending_timeout in timeouts {
1591            self.tx.send(pending_timeout).expect("rx is in this struct");
1592        }
1593    }
1594}
1595
1596/// A wrapper around a Stream of PeekResponseUnary that records when it sees the
1597/// first row data in the given histogram. It also keeps track of whether we have already observed
1598/// the end of the underlying stream.
1599#[derive(Derivative)]
1600#[derivative(Debug)]
1601pub struct RecordFirstRowStream {
1602    /// The underlying stream of rows.
1603    #[derivative(Debug = "ignore")]
1604    pub rows: Box<dyn Stream<Item = PeekResponseUnary> + Unpin + Send + Sync>,
1605    /// The Instant when execution started.
1606    pub execute_started: Instant,
1607    /// The histogram where the time since `execute_started` will be recorded when we see the first
1608    /// row.
1609    pub time_to_first_row_seconds: Histogram,
1610    /// Whether we've seen any rows.
1611    pub saw_rows: bool,
1612    /// The Instant when we saw the first row.
1613    pub recorded_first_row_instant: Option<Instant>,
1614    /// Whether we have already observed the end of the underlying stream.
1615    pub no_more_rows: bool,
1616    /// Whether the first-to-last-byte metric has already been recorded for this stream.
1617    pub metric_recorded: bool,
1618}
1619
1620impl RecordFirstRowStream {
1621    /// Create a new [`RecordFirstRowStream`]
1622    pub fn new(
1623        rows: Box<dyn Stream<Item = PeekResponseUnary> + Unpin + Send + Sync>,
1624        execute_started: Instant,
1625        client: &SessionClient,
1626        instance_id: Option<ComputeInstanceId>,
1627        strategy: Option<StatementExecutionStrategy>,
1628    ) -> Self {
1629        let histogram = Self::histogram(client, instance_id, strategy);
1630        Self {
1631            rows,
1632            execute_started,
1633            time_to_first_row_seconds: histogram,
1634            saw_rows: false,
1635            recorded_first_row_instant: None,
1636            no_more_rows: false,
1637            metric_recorded: false,
1638        }
1639    }
1640
1641    fn histogram(
1642        client: &SessionClient,
1643        instance_id: Option<ComputeInstanceId>,
1644        strategy: Option<StatementExecutionStrategy>,
1645    ) -> Histogram {
1646        let session = client.session.as_ref().expect("session invariant");
1647        let isolation_level = *session.vars().transaction_isolation();
1648        let name_hint = ApplicationNameHint::from_str(session.application_name());
1649        let instance = match instance_id {
1650            Some(i) => Cow::Owned(i.to_string()),
1651            None => Cow::Borrowed("none"),
1652        };
1653        let strategy = match strategy {
1654            Some(s) => s.name(),
1655            None => "none",
1656        };
1657
1658        client
1659            .inner()
1660            .metrics()
1661            .time_to_first_row_seconds
1662            .with_label_values(&[
1663                instance.as_ref(),
1664                isolation_level.as_variant_str(),
1665                strategy,
1666                name_hint.as_str(),
1667            ])
1668    }
1669
1670    /// If you want to match [`RecordFirstRowStream`]'s logic but don't need
1671    /// a UnboundedReceiver, you can tell it when to record an observation.
1672    pub fn record(
1673        execute_started: Instant,
1674        client: &SessionClient,
1675        instance_id: Option<ComputeInstanceId>,
1676        strategy: Option<StatementExecutionStrategy>,
1677    ) {
1678        Self::histogram(client, instance_id, strategy)
1679            .observe(execute_started.elapsed().as_secs_f64());
1680    }
1681
1682    pub async fn recv(&mut self) -> Option<PeekResponseUnary> {
1683        let msg = self.rows.next().await;
1684        if !self.saw_rows && matches!(msg, Some(PeekResponseUnary::Rows(_))) {
1685            self.saw_rows = true;
1686            self.time_to_first_row_seconds
1687                .observe(self.execute_started.elapsed().as_secs_f64());
1688            self.recorded_first_row_instant = Some(Instant::now());
1689        }
1690        if msg.is_none() {
1691            self.no_more_rows = true;
1692        }
1693        msg
1694    }
1695}