ING-1363: Ensure client cert auth fails when disabled

Westwooo · Westwooo · commit b64f7926eadc · 2025-12-02T10:21:52.000Z
diff --git a/.github/actions/install-cbdinocluster/action.yml b/.github/actions/install-cbdinocluster/action.yml
@@ -11,7 +11,7 @@ runs:
       shell: bash
       run: |
         mkdir -p "$HOME/bin"
-        wget -nv -O $HOME/bin/cbdinocluster https://github.com/couchbaselabs/cbdinocluster/releases/download/v0.0.96/cbdinocluster-linux-amd64
+        wget -nv -O $HOME/bin/cbdinocluster https://github.com/couchbaselabs/cbdinocluster/releases/download/v0.0.98/cbdinocluster-linux-amd64
         chmod +x $HOME/bin/cbdinocluster
         echo "$HOME/bin" >> $GITHUB_PATH
     - name: Initialize cbdinocluster
diff --git a/gateway/auth/cbauthauthenticator.go b/gateway/auth/cbauthauthenticator.go
@@ -14,6 +14,7 @@ import (
 var (
 	ErrInvalidCredentials = errors.New("invalid credentials")
 	ErrInvalidCertificate = errors.New("invalid certificate")
+	ErrCertAuthDisabled   = errors.New("client cert auth disabled")
 )
 
 type CbAuthAuthenticator struct {
@@ -101,6 +102,8 @@ func (a *CbAuthAuthenticator) ValidateConnStateForObo(ctx context.Context, connS
 	if err != nil {
 		if errors.Is(err, cbauthx.ErrInvalidAuth) {
 			return "", "", ErrInvalidCertificate
+		} else if errors.Is(err, cbauthx.ErrCertAuthDisabled) {
+			return "", "", ErrCertAuthDisabled
 		}
 
 		return "", "", fmt.Errorf("failed to check certificate with cbauth: %w", err)
diff --git a/gateway/dataimpl/server_v1/authhandler.go b/gateway/dataimpl/server_v1/authhandler.go
@@ -88,6 +88,8 @@ func (a AuthHandler) MaybeGetOboUserFromContext(ctx context.Context) (string, st
 		if err != nil {
 			if errors.Is(err, auth.ErrInvalidCertificate) {
 				return "", "", a.ErrorHandler.NewInvalidCertificateStatus()
+			} else if errors.Is(err, auth.ErrCertAuthDisabled) {
+				return "", "", a.ErrorHandler.NewCertAuthDisabledStatus()
 			}
 
 			a.Logger.Error("received an unexpected cert authentication error", zap.Error(err))
diff --git a/gateway/dataimpl/server_v1/errorhandler.go b/gateway/dataimpl/server_v1/errorhandler.go
@@ -937,6 +937,16 @@ func (e ErrorHandler) NewInvalidCertificateStatus() *status.Status {
 	return st
 }
 
+func (e ErrorHandler) NewCertAuthDisabledStatus() *status.Status {
+	st := status.New(codes.Unauthenticated, "Client cert auth disabled on the cluster.")
+	st = e.tryAttachStatusDetails(st, &epb.ResourceInfo{
+		ResourceType: "user",
+		ResourceName: "",
+		Description:  "",
+	})
+	return st
+}
+
 func (e ErrorHandler) NewUnexpectedAuthTypeStatus() *status.Status {
 	st := status.New(codes.InvalidArgument, "Unexpected auth type.")
 	return st
diff --git a/gateway/test/mtls_test.go b/gateway/test/mtls_test.go
@@ -5,6 +5,8 @@ import (
 	"crypto/tls"
 	"time"
 
+	"github.com/couchbase/gocbcorex/cbhttpx"
+	"github.com/couchbase/gocbcorex/cbmgmtx"
 	"github.com/couchbase/goprotostellar/genproto/admin_query_v1"
 	"github.com/couchbase/goprotostellar/genproto/admin_search_v1"
 	"github.com/couchbase/goprotostellar/genproto/kv_v1"
@@ -20,6 +22,13 @@ import (
 
 func (s *GatewayOpsTestSuite) TestClientCertAuth() {
 	testutils.SkipIfNoDinoCluster(s.T())
+
+	s.Run("KvService", s.KvService)
+
+	s.Run("ClientCertAuthDisabled", s.ClientCertConfiguration)
+}
+
+func (s *GatewayOpsTestSuite) KvService() {
 	dino := testutils.StartDinoTesting(s.T(), false)
 
 	indexClient := admin_search_v1.NewSearchAdminServiceClient(s.gatewayConn)
@@ -169,12 +178,129 @@ func (s *GatewayOpsTestSuite) TestClientCertAuth() {
 					}
 					requireRpcSuccess(s.T(), resp, err)
 					return true
-				}, time.Second*30, time.Second)
+				}, time.Second*30, time.Second*5)
 			})
 		})
 	}
 }
 
+func (s *GatewayOpsTestSuite) ClientCertConfiguration() {
+	dino := testutils.StartDinoTesting(s.T(), false)
+	username := "certConfig"
+	conn := s.newClientCertConn(dino, username)
+	kvClient := kv_v1.NewKvServiceClient(conn)
+
+	getFn := func() (*kv_v1.GetResponse, error) {
+		return kvClient.Get(context.Background(), &kv_v1.GetRequest{
+			BucketName:     s.bucketName,
+			ScopeName:      s.scopeName,
+			CollectionName: s.collectionName,
+			Key:            s.testDocId(),
+		})
+	}
+
+	enableReq := &cbmgmtx.ConfigureClientCertAuthRequest{
+		State: "enable",
+		Prefixes: []cbmgmtx.Prefix{
+			{
+				Path:      "san.email",
+				Prefix:    "",
+				Delimiter: "@",
+			},
+		},
+	}
+
+	dino.AddWriteUser(username)
+
+	// Check that client cert auth is working as expected.
+	s.Run("InitialSuccess", func() {
+		resp, err := getFn()
+		requireRpcSuccess(s.T(), resp, err)
+	})
+
+	ep, err := s.testClusterInfo.AdminClient.GetMgmtEndpoint(context.Background())
+	require.NoError(s.T(), err)
+	mgmt := cbmgmtx.Management{
+		Transport: ep.RoundTripper,
+		UserAgent: "useragent",
+		Endpoint:  ep.Endpoint,
+		Auth: &cbhttpx.BasicAuth{
+			Username: ep.Username,
+			Password: ep.Password,
+		},
+	}
+
+	// Change the path that cbauth will try and get the name from and check
+	// that the old cert fails
+	err = mgmt.ConfigureClientCertAuth(context.Background(), &cbmgmtx.ConfigureClientCertAuthRequest{
+		State: "enable",
+		Prefixes: []cbmgmtx.Prefix{
+			{
+				Path:      "subject.cn",
+				Prefix:    "",
+				Delimiter: "",
+			},
+		},
+	})
+	assert.NoError(s.T(), err)
+
+	s.Run("IncorrectUsernamePath", func() {
+		require.Eventually(s.T(), func() bool {
+			_, err := getFn()
+			if err == nil {
+				return false
+			}
+
+			assertRpcStatus(s.T(), err, codes.PermissionDenied)
+			return assert.Contains(s.T(), err.Error(), "Your certificate is invalid")
+		}, time.Second*30, time.Second*5)
+	})
+
+	// Restore intial settings and check that the original cert works again.
+	err = mgmt.ConfigureClientCertAuth(context.Background(), enableReq)
+	assert.NoError(s.T(), err)
+
+	s.Run("SuccessAfterSettingsReset", func() {
+		require.Eventually(s.T(), func() bool {
+			resp, err := getFn()
+			if err != nil {
+				return false
+			}
+
+			requireRpcSuccess(s.T(), resp, err)
+			return true
+		}, time.Second*30, time.Second*5)
+	})
+
+	// Disable client cert auth on the cluster and make sure op fails.
+	err = mgmt.ConfigureClientCertAuth(context.Background(), &cbmgmtx.ConfigureClientCertAuthRequest{
+		State: "disable",
+		Prefixes: []cbmgmtx.Prefix{
+			{
+				Path:      "san.email",
+				Prefix:    "",
+				Delimiter: "@",
+			},
+		},
+	})
+	assert.NoError(s.T(), err)
+
+	s.Run("CertAuthDisabled", func() {
+		require.Eventually(s.T(), func() bool {
+			_, err := getFn()
+			if err == nil {
+				return false
+			}
+
+			assertRpcStatus(s.T(), err, codes.Unauthenticated)
+			return assert.Contains(s.T(), err.Error(), "Client cert auth disabled on the cluster")
+		}, time.Second*30, time.Second*5)
+	})
+
+	err = mgmt.ConfigureClientCertAuth(context.Background(), enableReq)
+	assert.NoError(s.T(), err)
+}
+
 func (s *GatewayOpsTestSuite) newClientCertConn(dino *testutils.DinoController, username string) *grpc.ClientConn {
 	res := dino.GetClientCert(username)
 
diff --git a/go.mod b/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0
 	github.com/aws/aws-sdk-go-v2/config v1.28.8
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.9
-	github.com/couchbase/gocbcorex v0.0.0-20251111022038-67fa47c27da2
+	github.com/couchbase/gocbcorex v0.0.0-20251118081240-3f26da0f471e
 	github.com/couchbase/goprotostellar v1.0.3-0.20251106001300-b09286f4d53d
 	github.com/couchbaselabs/gocbconnstr v1.0.5
 	github.com/couchbaselabs/gocbconnstr/v2 v2.0.0-20240607131231-fb385523de28
diff --git a/go.sum b/go.sum
@@ -67,8 +67,8 @@ github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/couchbase/gocbcorex v0.0.0-20251111022038-67fa47c27da2 h1:Cbw1gJs5V2z/SHPmiqVo7nlr7RWtMAusEoxIDpsPm+s=
-github.com/couchbase/gocbcorex v0.0.0-20251111022038-67fa47c27da2/go.mod h1:tlLBmDl/J9iUCImvGvzIr1sLhHm8+KWaSfkofmErCMQ=
+github.com/couchbase/gocbcorex v0.0.0-20251118081240-3f26da0f471e h1:3H82a+phltYGRicpdKogxt9mvDAe7kD66t9086vXh9k=
+github.com/couchbase/gocbcorex v0.0.0-20251118081240-3f26da0f471e/go.mod h1:tlLBmDl/J9iUCImvGvzIr1sLhHm8+KWaSfkofmErCMQ=
 github.com/couchbase/goprotostellar v1.0.3-0.20251106001300-b09286f4d53d h1:FZZcOTRLIaK3VGX0eVGmvCqc6teJ+BSuS3VYJMAjejs=
 github.com/couchbase/goprotostellar v1.0.3-0.20251106001300-b09286f4d53d/go.mod h1:X58ot5FRqlBTBkwG/oI4klunpu4MApjGktheqeRWQw0=
 github.com/couchbaselabs/gocbconnstr v1.0.5 h1:e0JokB5qbcz7rfnxEhNRTKz8q1svoRvDoZihsiwNigA=

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ import (`
`14`	`14`	`var (`
`15`	`15`	`ErrInvalidCredentials = errors.New("invalid credentials")`
`16`	`16`	`ErrInvalidCertificate = errors.New("invalid certificate")`
	`17`	`+ ErrCertAuthDisabled = errors.New("client cert auth disabled")`
`17`	`18`	`)`
`18`	`19`
`19`	`20`	`type CbAuthAuthenticator struct {`
`@@ -101,6 +102,8 @@ func (a *CbAuthAuthenticator) ValidateConnStateForObo(ctx context.Context, connS`
`101`	`102`	`if err != nil {`
`102`	`103`	`if errors.Is(err, cbauthx.ErrInvalidAuth) {`
`103`	`104`	`return "", "", ErrInvalidCertificate`
	`105`	`+ } else if errors.Is(err, cbauthx.ErrCertAuthDisabled) {`
	`106`	`+ return "", "", ErrCertAuthDisabled`
`104`	`107`	`}`
`105`	`108`
`106`	`109`	`return "", "", fmt.Errorf("failed to check certificate with cbauth: %w", err)`
Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,8 @@ func (a AuthHandler) MaybeGetOboUserFromContext(ctx context.Context) (string, st`
`88`	`88`	`if err != nil {`
`89`	`89`	`if errors.Is(err, auth.ErrInvalidCertificate) {`
`90`	`90`	`return "", "", a.ErrorHandler.NewInvalidCertificateStatus()`
	`91`	`+ } else if errors.Is(err, auth.ErrCertAuthDisabled) {`
	`92`	`+ return "", "", a.ErrorHandler.NewCertAuthDisabledStatus()`
`91`	`93`	`}`
`92`	`94`
`93`	`95`	`a.Logger.Error("received an unexpected cert authentication error", zap.Error(err))`