ING-1363: Ensure client cert auth fails when disabled

Author: Westwooo

cmd/gateway/main.go

@@ -446,19 +446,13 @@ func startGateway() {
 
 	var selfSignedCert *tls.Certificate
 	if config.selfSign {
-		generatedCert, generatedKey, err := selfsignedcert.GenerateCertificate()
+		generatedCert, err := selfsignedcert.GenerateCertificate()
 		if err != nil {
 			logger.Error("failed to generate a self-signed certificate")
 			os.Exit(1)
 		}
 
-		tlsCert, err := selfsignedcert.ConstructTlsCert(generatedCert, generatedKey)
-		if err != nil {
-			logger.Error("failed to generate a self-signed certificate")
-			os.Exit(1)
-		}
-
-		selfSignedCert = tlsCert
+		selfSignedCert = generatedCert
 	}
 
 	var grpcCertificate tls.Certificate

gateway/auth/cbauthauthenticator.go

@@ -14,6 +14,7 @@ import (
 var (
 	ErrInvalidCredentials = errors.New("invalid credentials")
 	ErrInvalidCertificate = errors.New("invalid certificate")
+	ErrCertAuthDisabled   = errors.New("client cert auth disabled")
 )
 
 type CbAuthAuthenticator struct {
@@ -101,6 +102,8 @@ func (a *CbAuthAuthenticator) ValidateConnStateForObo(ctx context.Context, connS
 	if err != nil {
 		if errors.Is(err, cbauthx.ErrInvalidAuth) {
 			return "", "", ErrInvalidCertificate
+		} else if errors.Is(err, cbauthx.ErrCertAuthDisabled) {
+			return "", "", ErrCertAuthDisabled
 		}
 
 		return "", "", fmt.Errorf("failed to check certificate with cbauth: %s", err.Error())

gateway/dataimpl/server_v1/authhandler.go

@@ -88,6 +88,8 @@ func (a AuthHandler) MaybeGetOboUserFromContext(ctx context.Context) (string, st
 		if err != nil {
 			if errors.Is(err, auth.ErrInvalidCertificate) {
 				return "", "", a.ErrorHandler.NewInvalidCertificateStatus()
+			} else if errors.Is(err, auth.ErrCertAuthDisabled) {
+				return "", "", a.ErrorHandler.NewCertAuthDisabledStatus()
 			}
 
 			a.Logger.Error("received an unexpected cert authentication error", zap.Error(err))

gateway/dataimpl/server_v1/errorhandler.go

@@ -937,6 +937,16 @@ func (e ErrorHandler) NewInvalidCertificateStatus() *status.Status {
 	return st
 }
 
+func (e ErrorHandler) NewCertAuthDisabledStatus() *status.Status {
+	st := status.New(codes.Unauthenticated, "Client cert auth disabled on the cluster.")
+	st = e.tryAttachStatusDetails(st, &epb.ResourceInfo{
+		ResourceType: "user",
+		ResourceName: "",
+		Description:  "",
+	})
+	return st
+}
+
 func (e ErrorHandler) NewUnexpectedAuthTypeStatus() *status.Status {
 	st := status.New(codes.InvalidArgument, "Unexpected auth type.")
 	return st

gateway/test/dapi_graceful_shutdown_test.go

@@ -19,16 +19,11 @@ import (
 func (s *GatewayOpsTestSuite) TestGracefulShutdown() {
 	s.T().Logf("setting up new instance of stellar gateway...")
 
-	cert, key, err := selfsignedcert.GenerateCertificate()
+	gwCert, err := selfsignedcert.GenerateCertificate()
 	if err != nil {
 		s.T().Fatalf("failed to create testing certificate: %s", err)
 	}
 
-	gwCert, err := selfsignedcert.ConstructTlsCert(cert, key)
-	if err != nil {
-		s.T().Fatalf("failed to construct testing certificate: %s", err)
-	}
-
 	logger, err := zap.NewDevelopment()
 	if err != nil {
 		s.T().Fatalf("failed to initialize test logging: %s", err)

gateway/test/mtls_test.go

@@ -3,8 +3,11 @@ package test
 import (
 	"context"
 	"crypto/tls"
+	"net/http"
 	"time"
 
+	"github.com/couchbase/gocbcorex/cbhttpx"
+	"github.com/couchbase/gocbcorex/cbmgmtx"
 	"github.com/couchbase/goprotostellar/genproto/kv_v1"
 	"github.com/couchbase/stellar-gateway/testutils"
 	"github.com/stretchr/testify/assert"
@@ -17,6 +20,8 @@ func (s *GatewayOpsTestSuite) TestClientCertAuth() {
 	testutils.SkipIfNoDinoCluster(s.T())
 
 	s.Run("KvService", s.KvService)
+
+	s.Run("ClientCertAuthDisabled", s.ClientCertConfiguration)
 }
 
 func (s *GatewayOpsTestSuite) KvService() {
@@ -96,6 +101,107 @@ func (s *GatewayOpsTestSuite) KvService() {
 	})
 }
 
+func (s *GatewayOpsTestSuite) ClientCertConfiguration() {
+	dino := testutils.StartDinoTesting(s.T(), false)
+	username := "certConfig"
+	conn := s.newClientCertConn(dino, username)
+	kvClient := kv_v1.NewKvServiceClient(conn)
+
+	getFn := func() (*kv_v1.GetResponse, error) {
+		return kvClient.Get(context.Background(), &kv_v1.GetRequest{
+			BucketName:     s.bucketName,
+			ScopeName:      s.scopeName,
+			CollectionName: s.collectionName,
+			Key:            s.testDocId(),
+		})
+	}
+
+	enableReq := &cbmgmtx.ConfigureClientCertAuthRequest{
+		State: "enable",
+		Prefixes: []cbmgmtx.Prefix{
+			{
+				Path:      "san.email",
+				Prefix:    "",
+				Delimiter: "@",
+			},
+		},
+	}
+
+	dino.AddWriteUser(username)
+	time.Sleep(time.Second * 5)
+
+	// Check that client cert auth is working as expected.
+	s.Run("InitialSuccess", func() {
+		resp, err := getFn()
+		requireRpcSuccess(s.T(), resp, err)
+	})
+
+	testConfig := testutils.GetTestConfig(s.T())
+	mgmt := cbmgmtx.Management{
+		Transport: http.DefaultTransport,
+		UserAgent: "useragent",
+		Endpoint:  "http://" + testConfig.CbConnStr + ":8091",
+		Auth: &cbhttpx.BasicAuth{
+			Username: testConfig.CbUser,
+			Password: testConfig.CbPass,
+		},
+	}
+
+	// Change the path that cbauth will try and get the name from and check
+	// that the old cert fails
+	err := mgmt.ConfigureClientCertAuth(context.Background(), &cbmgmtx.ConfigureClientCertAuthRequest{
+		State: "enable",
+		Prefixes: []cbmgmtx.Prefix{
+			{
+				Path:      "subject.cn",
+				Prefix:    "",
+				Delimiter: "",
+			},
+		},
+	})
+	time.Sleep(time.Second * 5)
+
+	// Check that client cert auth is working as expected.
+	s.Run("IncorrectUsernamePath", func() {
+		_, err := getFn()
+		assertRpcStatus(s.T(), err, codes.PermissionDenied)
+		assert.Contains(s.T(), err.Error(), "Your certificate is invalid")
+	})
+
+	// Restore intial settings and check that the original cert works again.
+	err = mgmt.ConfigureClientCertAuth(context.Background(), enableReq)
+	assert.NoError(s.T(), err)
+	time.Sleep(time.Second * 5)
+
+	s.Run("SuccessAfterSettingsReset", func() {
+		resp, err := getFn()
+		requireRpcSuccess(s.T(), resp, err)
+	})
+
+	// Disable client cert auth on the cluster and make sure op fails.
+	err = mgmt.ConfigureClientCertAuth(context.Background(), &cbmgmtx.ConfigureClientCertAuthRequest{
+		State: "disable",
+		Prefixes: []cbmgmtx.Prefix{
+			{
+				Path:      "san.email",
+				Prefix:    "",
+				Delimiter: "@",
+			},
+		},
+	})
+	assert.NoError(s.T(), err)
+	time.Sleep(time.Second * 5)
+
+	s.Run("CertAuthDisabled", func() {
+		_, err := getFn()
+		assertRpcStatus(s.T(), err, codes.Unauthenticated)
+		assert.Contains(s.T(), err.Error(), "Client cert auth disabled on the cluster")
+	})
+
+	err = mgmt.ConfigureClientCertAuth(context.Background(), enableReq)
+	assert.NoError(s.T(), err)
+}
+
 func (s *GatewayOpsTestSuite) newClientCertConn(dino *testutils.DinoController, username string) *grpc.ClientConn {
 	res := dino.GetClientCert(username)
 

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0
 	github.com/aws/aws-sdk-go-v2/config v1.28.8
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.9
-	github.com/couchbase/gocbcorex v0.0.0-20251111022038-67fa47c27da2
+	github.com/couchbase/gocbcorex v0.0.0-20251118081240-3f26da0f471e
 	github.com/couchbase/goprotostellar v1.0.3-0.20251106001300-b09286f4d53d
 	github.com/couchbaselabs/gocbconnstr v1.0.5
 	github.com/couchbaselabs/gocbconnstr/v2 v2.0.0-20240607131231-fb385523de28

go.sum

@@ -67,8 +67,8 @@ github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/couchbase/gocbcorex v0.0.0-20251111022038-67fa47c27da2 h1:Cbw1gJs5V2z/SHPmiqVo7nlr7RWtMAusEoxIDpsPm+s=
-github.com/couchbase/gocbcorex v0.0.0-20251111022038-67fa47c27da2/go.mod h1:tlLBmDl/J9iUCImvGvzIr1sLhHm8+KWaSfkofmErCMQ=
+github.com/couchbase/gocbcorex v0.0.0-20251118081240-3f26da0f471e h1:3H82a+phltYGRicpdKogxt9mvDAe7kD66t9086vXh9k=
+github.com/couchbase/gocbcorex v0.0.0-20251118081240-3f26da0f471e/go.mod h1:tlLBmDl/J9iUCImvGvzIr1sLhHm8+KWaSfkofmErCMQ=
 github.com/couchbase/goprotostellar v1.0.3-0.20251106001300-b09286f4d53d h1:FZZcOTRLIaK3VGX0eVGmvCqc6teJ+BSuS3VYJMAjejs=
 github.com/couchbase/goprotostellar v1.0.3-0.20251106001300-b09286f4d53d/go.mod h1:X58ot5FRqlBTBkwG/oI4klunpu4MApjGktheqeRWQw0=
 github.com/couchbaselabs/gocbconnstr v1.0.5 h1:e0JokB5qbcz7rfnxEhNRTKz8q1svoRvDoZihsiwNigA=

utils/certificates/certificates.go

@@ -15,16 +15,21 @@ import (
 	"github.com/pkg/errors"
 )
 
-func GenerateCertificate() (*x509.Certificate, *ecdsa.PrivateKey, error) {
+func GenerateCertificate() (*tls.Certificate, error) {
 	priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
 	if err != nil {
-		return nil, nil, errors.New("failed to generate private key")
+		return nil, errors.Wrap(err, "failed to generate private key")
+	}
+
+	privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to marshal private key")
 	}
 
 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
 	if err != nil {
-		return nil, nil, errors.Wrap(err, "failed to generate serial number")
+		return nil, errors.Wrap(err, "failed to generate serial number")
 	}
 
 	template := x509.Certificate{
@@ -36,49 +41,32 @@ func GenerateCertificate() (*x509.Certificate, *ecdsa.PrivateKey, error) {
 		NotBefore: time.Now(),
 		NotAfter:  time.Now().Add(7 * 24 * time.Hour),
 
-		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
-		IsCA:                  true,
 	}
 
 	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
 	if err != nil {
-		return nil, nil, errors.Wrap(err, "failed to create certificate")
-	}
-
-	cert, err := x509.ParseCertificate(derBytes)
-	if err != nil {
-		return nil, nil, errors.Wrap(err, "failed to parse cert from bytes")
-	}
-
-	return cert, priv, nil
-}
-
-func ConstructTlsCert(cert *x509.Certificate, key *ecdsa.PrivateKey) (*tls.Certificate, error) {
-	keyBytes, err := x509.MarshalPKCS8PrivateKey(key)
-	if err != nil {
-		return nil, errors.Wrap(err, "unable to marshal private key")
+		return nil, errors.Wrap(err, "failed to create certificate")
 	}
 
 	keyBuf := bytes.NewBuffer(nil)
-	err = pem.Encode(keyBuf, &pem.Block{
-		Type:  "EC PRIVATE KEY",
-		Bytes: keyBytes,
-	})
+	err = pem.Encode(keyBuf, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes})
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to write key pem data")
 	}
 
 	certBuf := bytes.NewBuffer(nil)
-	err = pem.Encode(certBuf, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
+	err = pem.Encode(certBuf, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to write cert pem data")
 	}
 
-	tlsCert, err := tls.X509KeyPair(certBuf.Bytes(), keyBuf.Bytes())
+	cert, err := tls.X509KeyPair(certBuf.Bytes(), keyBuf.Bytes())
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to produce tls certificate")
 	}
 
-	return &tlsCert, nil
+	return &cert, nil
 }