ING-1363: Make client cert checks failed when disabled on cluster

Author: Westwooo

cbauthx/cbauth.go

@@ -452,6 +452,8 @@ func (a *CbAuth) handleAuthCheckErr(
 ) (UserInfo, error) {
 	if errors.Is(err, ErrInvalidAuth) {
 		return UserInfo{}, ErrInvalidAuth
+	} else if errors.Is(err, ErrCertAuthDisabled) {
+		return UserInfo{}, ErrCertAuthDisabled
 	}
 
 	a.logger.Debug("failed to check user with cbauth", zap.Error(err))

cbauthx/cbauthclient.go

@@ -32,11 +32,12 @@ type CbAuthClient struct {
 	lastCommTs     atomic.Int64
 	heartbeatTimer *time.Timer
 
-	lock                  sync.Mutex
-	nodeUuid              string
-	clusterUuid           string
-	authVersion           string
-	clientCertAuthVersion string
+	lock                   sync.Mutex
+	nodeUuid               string
+	clusterUuid            string
+	authVersion            string
+	clientCertAuthDisabled bool
+	clientCertAuthVersion  string
 
 	initOpts    *UpdateDBExtOptions
 	initSigCh   chan struct{}
@@ -294,6 +295,8 @@ func (c *CbAuthClient) rpcUpdateDBExt(opts *UpdateDBExtOptions) (bool, error) {
 		}
 	}
 
+	c.clientCertAuthDisabled = opts.ClientCertAuthState == "disable"
+
 	// If the client wasn't marked as initialized yet.  Lets signal that.
 	if c.initOpts == nil {
 		c.initOpts = opts
@@ -364,6 +367,13 @@ func (a *CbAuthClient) getCertCache(_ context.Context) (*CertCheckCached, error)
 }
 
 func (a *CbAuthClient) CheckCertificate(ctx context.Context, clientCert *x509.Certificate) (UserInfo, error) {
+	// The endpoint we use to extract the user from the cert still works when
+	// client cert auth has been disabled so we need to explicitly fail the
+	// cert check.
+	if a.clientCertAuthDisabled {
+		return UserInfo{}, ErrCertAuthDisabled
+	}
+
 	certCache, err := a.getCertCache(ctx)
 	if err != nil {
 		return UserInfo{}, err

cbauthx/errors.go

@@ -7,10 +7,11 @@ import (
 )
 
 var (
-	ErrNoCert          = errors.New("no cert specified")
-	ErrInvalidAuth     = errors.New("invalid auth")
-	ErrClosed          = errors.New("already closed")
-	ErrLivenessTimeout = errors.New("cache is stale")
+	ErrNoCert           = errors.New("no cert specified")
+	ErrCertAuthDisabled = errors.New("cert auth disabled")
+	ErrInvalidAuth      = errors.New("invalid auth")
+	ErrClosed           = errors.New("already closed")
+	ErrLivenessTimeout  = errors.New("cache is stale")
 )
 
 type contextualError struct {

cbmgmtx/mgmt.go

@@ -1161,6 +1161,41 @@ func (h Management) ConfigureAutoFailover(ctx context.Context, req *ConfigureAut
 	return nil
 }
 
+type Prefix struct {
+	Path      string `json:"path"`
+	Prefix    string `json:"prefix"`
+	Delimiter string `json:"delimiter"`
+}
+
+type ConfigureClientCertAuthRequest struct {
+	State    string   `json:"state"`
+	Prefixes []Prefix `json:"prefixes"`
+}
+
+func (h Management) ConfigureClientCertAuth(ctx context.Context, req *ConfigureClientCertAuthRequest) error {
+	jsonBytes, err := json.Marshal(req)
+	if err != nil {
+		return err
+	}
+
+	resp, err := h.Execute(
+		ctx,
+		"POST",
+		"/settings/clientCertAuth",
+		"application/json", nil, bytes.NewReader(jsonBytes))
+	if err != nil {
+		return err
+	}
+
+	if resp.StatusCode != 202 {
+		return h.DecodeCommonError(resp)
+	}
+
+	_ = resp.Body.Close()
+
+	return nil
+}
+
 // AuthDomain specifies the user domain of a specific user
 type AuthDomain string