ING-1339: Add mtls support for Data API proxy

Author: Westwooo

.github/workflows/client_cert_auth_test.yml

@@ -16,9 +16,10 @@ jobs:
     strategy:
       matrix:
         server:
-          - 8.0.0-3534
-          - 7.6.5
-          - 7.2.2
+          - 8.1.0-1203
+          - 8.0.0
+          - 7.6.8
+          - 7.2.8
 
     runs-on: ubuntu-latest
     steps:
@@ -53,7 +54,7 @@ jobs:
         env:
           SGTEST_CBCONNSTR: ${{ steps.start-cluster.outputs.node-ip }}
           SGTEST_DINOID: ${{ steps.start-cluster.outputs.dino-id }}
-        run: go test ./gateway/test -run TestGatewayOps -v -testify.m TestClientCertAuth
+        run: go test ./gateway/test -run TestGatewayOps -v -testify.m ClientCertAuth
 
       - name: Collect couchbase logs
         timeout-minutes: 10

gateway/auth/cbauthauthenticator.go

@@ -103,7 +103,7 @@ func (a *CbAuthAuthenticator) ValidateConnStateForObo(ctx context.Context, connS
 			return "", "", ErrInvalidCertificate
 		}
 
-		return "", "", fmt.Errorf("failed to check certificate with cbauth: %s", err.Error())
+		return "", "", fmt.Errorf("failed to check certificate with cbauth: %w", err)
 	}
 
 	return info.User, info.Domain, nil

gateway/dapiimpl/dapiimpl.go

@@ -18,6 +18,9 @@ type NewOptions struct {
 	ProxyServices   []proxy.ServiceType
 	ProxyBlockAdmin bool
 	Debug           bool
+
+	Username string
+	Password string
 }
 
 type Servers struct {
@@ -44,7 +47,11 @@ func New(opts *NewOptions) *Servers {
 			opts.CbClient,
 			opts.ProxyServices,
 			opts.ProxyBlockAdmin,
-			opts.Debug),
+			opts.Debug,
+			v1AuthHandler,
+			opts.Username,
+			opts.Password,
+		),
 		DataApiV1Server: server_v1.NewDataApiServer(
 			opts.Logger.Named("dapi-serverv1"),
 			v1ErrHandler,

gateway/dapiimpl/proxy/proxy.go

@@ -2,6 +2,8 @@ package proxy
 
 import (
 	"context"
+	"encoding/base64"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -16,7 +18,10 @@ import (
 	"go.opentelemetry.io/otel/propagation"
 
 	"github.com/couchbase/gocbcorex"
+	"github.com/couchbase/gocbcorex/cbauthx"
 	"github.com/couchbase/gocbcorex/contrib/buildversion"
+	"github.com/couchbase/stellar-gateway/gateway/auth"
+	"github.com/couchbase/stellar-gateway/gateway/dapiimpl/server_v1"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/metric"
@@ -45,12 +50,16 @@ type DataApiProxy struct {
 	cbClient     *gocbcorex.BucketsTrackingAgentManager
 	disableAdmin bool
 	debugMode    bool
-	mux          *http.ServeMux
+	mux          http.Handler
 
 	numFailures    metric.Int64Counter
 	numRequests    metric.Int64Counter
 	ttfbMillis     metric.Int64Histogram
 	durationMillis metric.Int64Histogram
+
+	username   string
+	password   string
+	authHander *server_v1.AuthHandler
 }
 
 func NewDataApiProxy(
@@ -59,6 +68,8 @@ func NewDataApiProxy(
 	services []ServiceType,
 	disableAdmin bool,
 	debugMode bool,
+	authHandler *server_v1.AuthHandler,
+	username, password string,
 ) *DataApiProxy {
 	mux := http.NewServeMux()
 
@@ -92,6 +103,9 @@ func NewDataApiProxy(
 		numRequests:    numRequests,
 		ttfbMillis:     ttfbMillis,
 		durationMillis: durationMillis,
+		username:       username,
+		password:       password,
+		authHander:     authHandler,
 	}
 
 	for _, serviceName := range services {
@@ -127,9 +141,13 @@ func (p *DataApiProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 
 func (p *DataApiProxy) writeError(w http.ResponseWriter, err error, msg string) {
+	p.writeErrorWithStatus(w, err, msg, 502)
+}
+
+func (p *DataApiProxy) writeErrorWithStatus(w http.ResponseWriter, err error, msg string, status int) {
 	p.logger.Debug(msg, zap.Error(err))
 
-	w.WriteHeader(502)
+	w.WriteHeader(status)
 
 	if !p.debugMode {
 		_, _ = fmt.Fprintf(w, "%s", msg)
@@ -252,6 +270,33 @@ func (p *DataApiProxy) proxyService(
 	// copy some other details
 	proxyReq.Header = r.Header
 
+	// If no auth header has been given, check for a client cert
+	authHdr := proxyReq.Header.Get("Authorization")
+	if authHdr == "" {
+		oboUser, oboDomain, err := p.authHander.Authenticator.ValidateConnStateForObo(ctx, r.TLS)
+		if err != nil {
+			if errors.Is(err, auth.ErrInvalidCertificate) {
+				p.writeError(w, err, "failed to validate cetificate")
+				return
+			} else if errors.Is(err, cbauthx.ErrNoCert) {
+				p.writeErrorWithStatus(w, err, "authorization header or client cert are required", 401)
+				return
+			}
+
+			p.writeErrorWithStatus(w, err, "received an unexpected cert authentication error", 401)
+			return
+		}
+
+		// We only set the on behalf of and auth headers if there is a user, if
+		// we set the onbehalf of header to an empty string and use the admin
+		// creds then the server seems to ignore the obo header.
+		if oboUser != "" {
+			oboHdrStr := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", oboUser, oboDomain)))
+			proxyReq.Header.Set("cb-on-behalf-of", oboHdrStr)
+			proxyReq.SetBasicAuth(p.username, p.password)
+		}
+	}
+
 	tr := otelhttp.NewTransport(
 		roundTripper,
 		// By setting the otelhttptrace client in this transport, it can be

gateway/gateway.go

@@ -400,6 +400,8 @@ func (g *Gateway) Run(ctx context.Context) error {
 			Authenticator:   authenticator,
 			ProxyServices:   proxyServices,
 			ProxyBlockAdmin: config.ProxyBlockAdmin,
+			Username:        config.Username,
+			Password:        config.Password,
 		})
 
 		config.Logger.Info("initializing protostellar system")

gateway/test/dapi_crud_test.go

@@ -95,7 +95,7 @@ func (s *GatewayOpsTestSuite) RunCommonDapiErrorCases(
 		})
 	})
 
-	s.Run("Unauthenticated", func() {
+	s.Run("P%", func() {
 		resp := fn(&commonDapiTestData{
 			BucketName:     s.bucketName,
 			ScopeName:      s.scopeName,
@@ -106,7 +106,7 @@ func (s *GatewayOpsTestSuite) RunCommonDapiErrorCases(
 			DocumentKey: s.randomDocId(),
 		})
 		require.NotNil(s.T(), resp)
-		require.Equal(s.T(), http.StatusBadRequest, resp.StatusCode)
+		require.Equal(s.T(), http.StatusUnauthorized, resp.StatusCode)
 		// Authorization header missing is considered a missing parameter rather
 		// than an authentication specific error.
 	})

gateway/test/dapi_mtls_test.go

@@ -0,0 +1,211 @@
+package test
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/couchbase/stellar-gateway/testutils"
+	"github.com/couchbase/stellar-gateway/utils/certificates"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func (s *GatewayOpsTestSuite) TestDapiClientCertAuth() {
+	testutils.SkipIfNoDinoCluster(s.T())
+
+	s.Run("Tools", s.Tools)
+
+	s.Run("Proxy", s.Proxy)
+
+	s.Run("Crud", s.Crud)
+}
+
+func (s *GatewayOpsTestSuite) Tools() {
+	dino := testutils.StartDinoTesting(s.T(), false)
+	username := "dapiUser"
+	client := s.createMtlsClient(username)
+
+	s.Run("NonExistentUser", func() {
+		resp := s.sendTestHttpRequestWithClient(&testHttpRequest{
+			Method: http.MethodGet,
+			Path:   "/v1/callerIdentity",
+		}, client)
+		require.Equal(s.T(), http.StatusForbidden, resp.StatusCode)
+		require.Contains(s.T(), string(resp.Body), "Your certificate is invalid")
+
+	})
+
+	dino.AddUnprivilegedUser(username)
+	time.Sleep(time.Second * 5)
+	s.T().Cleanup(func() {
+		dino.RemoveUser(username)
+	})
+
+	s.Run("Success", func() {
+		resp := s.sendTestHttpRequestWithClient(&testHttpRequest{
+			Method: http.MethodGet,
+			Path:   "/v1/callerIdentity",
+		}, client)
+		requireRestSuccess(s.T(), resp)
+		assert.JSONEq(s.T(), fmt.Sprintf(`{"user":"%s"}`, username), string(resp.Body))
+	})
+}
+
+func (s *GatewayOpsTestSuite) Proxy() {
+	if !s.SupportsFeature(TestFeatureQuery) {
+		s.T().Skip()
+	}
+
+	dino := testutils.StartDinoTesting(s.T(), false)
+	username := "proxyUser"
+	client := s.createMtlsClient(username)
+
+	s.Run("NonExistentUser", func() {
+		resp := s.sendTestHttpRequestWithClient(&testHttpRequest{
+			Method: http.MethodPost,
+			Path:   "/_p/query/query/service",
+			Headers: map[string]string{
+				"Content-Type": "application/json",
+			},
+			Body: []byte(`{"statement": "UPSERT INTO default (KEY, VALUE) VALUES ('query-insert', { 'hello': 'world' })"}`),
+		}, client)
+		require.Equal(s.T(), http.StatusBadGateway, resp.StatusCode)
+		require.Contains(s.T(), string(resp.Body), "failed to validate cetificate")
+	})
+
+	dino.AddUnprivilegedUser(username)
+	time.Sleep(time.Second * 5)
+	s.T().Cleanup(func() {
+		dino.RemoveUser(username)
+	})
+
+	s.Run("InsufficientPermissions", func() {
+		resp := s.sendTestHttpRequestWithClient(&testHttpRequest{
+			Method: http.MethodPost,
+			Path:   "/_p/query/query/service",
+			Headers: map[string]string{
+				"Content-Type": "application/json",
+			},
+			Body: []byte(`{"statement": "UPSERT INTO default (KEY, VALUE) VALUES ('query-insert', { 'hello': 'world' })"}`),
+		}, client)
+		require.Equal(s.T(), http.StatusUnauthorized, resp.StatusCode)
+		require.Contains(s.T(), string(resp.Body), "User does not have credentials to run INSERT queries")
+	})
+
+	dino.AddWriteUser(username)
+	time.Sleep(time.Second * 5)
+
+	s.Run("Success", func() {
+		resp := s.sendTestHttpRequestWithClient(&testHttpRequest{
+			Method: http.MethodPost,
+			Path:   "/_p/query/query/service",
+			Headers: map[string]string{
+				"Content-Type": "application/json",
+			},
+			Body: []byte(`{"statement": "UPSERT INTO default (KEY, VALUE) VALUES ('query-insert', { 'hello': 'world' })"}`),
+		}, client)
+		requireRestSuccess(s.T(), resp)
+	})
+}
+
+func (s *GatewayOpsTestSuite) Crud() {
+	dino := testutils.StartDinoTesting(s.T(), false)
+	username := "crudUser"
+	client := s.createMtlsClient(username)
+
+	s.Run("NonExistentUser", func() {
+		resp := s.sendTestHttpRequestWithClient(&testHttpRequest{
+			Method: http.MethodGet,
+			Path: fmt.Sprintf(
+				"/v1/buckets/%s/scopes/%s/collections/%s/documents/%s",
+				s.bucketName, s.scopeName, s.collectionName, s.testDocId(),
+			),
+		}, client)
+		require.Equal(s.T(), http.StatusForbidden, resp.StatusCode)
+		require.Contains(s.T(), string(resp.Body), "Your certificate is invalid")
+	})
+
+	dino.AddUnprivilegedUser(username)
+	time.Sleep(time.Second * 5)
+	s.T().Cleanup(func() {
+		dino.RemoveUser(username)
+	})
+
+	s.Run("InsufficientReadPermissions", func() {
+		resp := s.sendTestHttpRequestWithClient(&testHttpRequest{
+			Method: http.MethodGet,
+			Path: fmt.Sprintf(
+				"/v1/buckets/%s/scopes/%s/collections/%s/documents/%s",
+				s.bucketName, s.scopeName, s.collectionName, s.testDocId(),
+			),
+		}, client)
+		require.Equal(s.T(), http.StatusForbidden, resp.StatusCode)
+		require.Contains(s.T(), string(resp.Body), "access error")
+	})
+
+	dino.AddReadOnlyUser(username)
+	time.Sleep(time.Second * 5)
+
+	s.Run("ReadSuccess", func() {
+		resp := s.sendTestHttpRequestWithClient(&testHttpRequest{
+			Method: http.MethodGet,
+			Path: fmt.Sprintf(
+				"/v1/buckets/%s/scopes/%s/collections/%s/documents/%s",
+				s.bucketName, s.scopeName, s.collectionName, s.testDocId(),
+			),
+		}, client)
+		requireRestSuccess(s.T(), resp)
+	})
+
+	s.Run("InsufficientWritePermissions", func() {
+		docId := s.randomDocId()
+		resp := s.sendTestHttpRequestWithClient(&testHttpRequest{
+			Method: http.MethodPost,
+			Path: fmt.Sprintf(
+				"/v1/buckets/%s/scopes/%s/collections/%s/documents/%s",
+				s.bucketName, s.scopeName, s.collectionName, docId,
+			),
+			Headers: map[string]string{
+				"X-CB-Flags": fmt.Sprintf("%d", TEST_CONTENT_FLAGS),
+			},
+			Body: TEST_CONTENT,
+		}, client)
+		require.Equal(s.T(), http.StatusForbidden, resp.StatusCode)
+		require.Contains(s.T(), string(resp.Body), "access error")
+	})
+
+	dino.AddWriteUser(username)
+	time.Sleep(time.Second * 5)
+
+	s.Run("WriteSuccess", func() {
+		docId := s.randomDocId()
+		resp := s.sendTestHttpRequestWithClient(&testHttpRequest{
+			Method: http.MethodPost,
+			Path: fmt.Sprintf(
+				"/v1/buckets/%s/scopes/%s/collections/%s/documents/%s",
+				s.bucketName, s.scopeName, s.collectionName, docId,
+			),
+			Headers: map[string]string{
+				"X-CB-Flags": fmt.Sprintf("%d", TEST_CONTENT_FLAGS),
+			},
+			Body: TEST_CONTENT,
+		}, client)
+		requireRestSuccess(s.T(), resp)
+	})
+}
+
+func (s *GatewayOpsTestSuite) createMtlsClient(username string) *http.Client {
+	cert, err := certificates.GenerateSignedClientCert(s.caCert, s.caKey, username)
+	assert.NoError(s.T(), err)
+
+	return &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				RootCAs:      s.clientCaCertPool,
+				Certificates: []tls.Certificate{*cert},
+			},
+		},
+	}
+}