ING-1339: Add mtls support for Data API proxy

Author: Westwooo

.github/workflows/client_cert_auth_test.yml

@@ -16,9 +16,10 @@ jobs:
     strategy:
       matrix:
         server:
-          - 8.0.0-3534
-          - 7.6.5
-          - 7.2.2
+          - 8.1.0-1203
+          - 8.0.0
+          - 7.6.8
+          - 7.2.8
 
     runs-on: ubuntu-latest
     steps:
@@ -53,7 +54,7 @@ jobs:
         env:
           SGTEST_CBCONNSTR: ${{ steps.start-cluster.outputs.node-ip }}
           SGTEST_DINOID: ${{ steps.start-cluster.outputs.dino-id }}
-        run: go test ./gateway/test -run TestGatewayOps -v -testify.m TestClientCertAuth
+        run: go test ./gateway/test -run TestGatewayOps -v -testify.m ClientCertAuth
 
       - name: Collect couchbase logs
         timeout-minutes: 10

gateway/auth/cbauthauthenticator.go

@@ -103,7 +103,7 @@ func (a *CbAuthAuthenticator) ValidateConnStateForObo(ctx context.Context, connS
 			return "", "", ErrInvalidCertificate
 		}
 
-		return "", "", fmt.Errorf("failed to check certificate with cbauth: %s", err.Error())
+		return "", "", fmt.Errorf("failed to check certificate with cbauth: %w", err)
 	}
 
 	return info.User, info.Domain, nil

gateway/dapiimpl/dapiimpl.go

@@ -18,6 +18,9 @@ type NewOptions struct {
 	ProxyServices   []proxy.ServiceType
 	ProxyBlockAdmin bool
 	Debug           bool
+
+	Username string
+	Password string
 }
 
 type Servers struct {
@@ -44,7 +47,11 @@ func New(opts *NewOptions) *Servers {
 			opts.CbClient,
 			opts.ProxyServices,
 			opts.ProxyBlockAdmin,
-			opts.Debug),
+			opts.Debug,
+			v1AuthHandler,
+			opts.Username,
+			opts.Password,
+		),
 		DataApiV1Server: server_v1.NewDataApiServer(
 			opts.Logger.Named("dapi-serverv1"),
 			v1ErrHandler,

gateway/dapiimpl/proxy/proxy.go

@@ -2,6 +2,8 @@ package proxy
 
 import (
 	"context"
+	"encoding/base64"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -16,7 +18,10 @@ import (
 	"go.opentelemetry.io/otel/propagation"
 
 	"github.com/couchbase/gocbcorex"
+	"github.com/couchbase/gocbcorex/cbauthx"
 	"github.com/couchbase/gocbcorex/contrib/buildversion"
+	"github.com/couchbase/stellar-gateway/gateway/auth"
+	"github.com/couchbase/stellar-gateway/gateway/dapiimpl/server_v1"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/metric"
@@ -45,12 +50,16 @@ type DataApiProxy struct {
 	cbClient     *gocbcorex.BucketsTrackingAgentManager
 	disableAdmin bool
 	debugMode    bool
-	mux          *http.ServeMux
+	mux          http.Handler
 
 	numFailures    metric.Int64Counter
 	numRequests    metric.Int64Counter
 	ttfbMillis     metric.Int64Histogram
 	durationMillis metric.Int64Histogram
+
+	username   string
+	password   string
+	authHander *server_v1.AuthHandler
 }
 
 func NewDataApiProxy(
@@ -59,6 +68,8 @@ func NewDataApiProxy(
 	services []ServiceType,
 	disableAdmin bool,
 	debugMode bool,
+	authHandler *server_v1.AuthHandler,
+	username, password string,
 ) *DataApiProxy {
 	mux := http.NewServeMux()
 
@@ -92,6 +103,9 @@ func NewDataApiProxy(
 		numRequests:    numRequests,
 		ttfbMillis:     ttfbMillis,
 		durationMillis: durationMillis,
+		username:       username,
+		password:       password,
+		authHander:     authHandler,
 	}
 
 	for _, serviceName := range services {
@@ -127,9 +141,13 @@ func (p *DataApiProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 
 func (p *DataApiProxy) writeError(w http.ResponseWriter, err error, msg string) {
+	p.writeErrorWithStatus(w, err, msg, 502)
+}
+
+func (p *DataApiProxy) writeErrorWithStatus(w http.ResponseWriter, err error, msg string, status int) {
 	p.logger.Debug(msg, zap.Error(err))
 
-	w.WriteHeader(502)
+	w.WriteHeader(status)
 
 	if !p.debugMode {
 		_, _ = fmt.Fprintf(w, "%s", msg)
@@ -252,6 +270,33 @@ func (p *DataApiProxy) proxyService(
 	// copy some other details
 	proxyReq.Header = r.Header
 
+	// If no auth header has been given, check for a client cert
+	authHdr := proxyReq.Header.Get("Authorization")
+	if authHdr == "" {
+		oboUser, oboDomain, err := p.authHander.Authenticator.ValidateConnStateForObo(ctx, r.TLS)
+		if err != nil {
+			if errors.Is(err, auth.ErrInvalidCertificate) {
+				p.writeError(w, err, "failed to validate cetificate")
+				return
+			} else if errors.Is(err, cbauthx.ErrNoCert) {
+				p.writeErrorWithStatus(w, err, "authorization header or client cert are required", 401)
+				return
+			}
+
+			p.writeErrorWithStatus(w, err, "received an unexpected cert authentication error", 401)
+			return
+		}
+
+		// We only set the on behalf of and auth headers if there is a user, if
+		// we set the onbehalf of header to an empty string and use the admin
+		// creds then the server seems to ignore the obo header.
+		if oboUser != "" {
+			oboHdrStr := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", oboUser, oboDomain)))
+			proxyReq.Header.Set("cb-on-behalf-of", oboHdrStr)
+			proxyReq.SetBasicAuth(p.username, p.password)
+		}
+	}
+
 	tr := otelhttp.NewTransport(
 		roundTripper,
 		// By setting the otelhttptrace client in this transport, it can be

gateway/dataimpl/server_v1/authhandler.go

@@ -79,7 +79,7 @@ func (a AuthHandler) MaybeGetOboUserFromContext(ctx context.Context) (string, st
 
 	switch {
 	case !credsFound && !certFound:
-		return "", "", nil
+		return "", "", a.ErrorHandler.NewNoAuthStatus()
 	case credsFound && certFound:
 		a.Logger.Debug("username/password taking priority over client cert auth as both were given.")
 	case credsFound:
@@ -139,7 +139,7 @@ func (a AuthHandler) GetHttpOboInfoFromContext(ctx context.Context) (*cbhttpx.On
 
 	switch {
 	case !credsFound && !certFound:
-		return nil, nil
+		return nil, a.ErrorHandler.NewNoAuthStatus()
 	case credsFound && certFound:
 		a.Logger.Debug("username/password taking priority over client cert auth as both were given.")
 	case credsFound:

gateway/gateway.go

@@ -400,6 +400,8 @@ func (g *Gateway) Run(ctx context.Context) error {
 			Authenticator:   authenticator,
 			ProxyServices:   proxyServices,
 			ProxyBlockAdmin: config.ProxyBlockAdmin,
+			Username:        config.Username,
+			Password:        config.Password,
 		})
 
 		config.Logger.Info("initializing protostellar system")

gateway/test/dapi_crud_test.go

@@ -95,7 +95,7 @@ func (s *GatewayOpsTestSuite) RunCommonDapiErrorCases(
 		})
 	})
 
-	s.Run("Unauthenticated", func() {
+	s.Run("P%", func() {
 		resp := fn(&commonDapiTestData{
 			BucketName:     s.bucketName,
 			ScopeName:      s.scopeName,
@@ -106,7 +106,7 @@ func (s *GatewayOpsTestSuite) RunCommonDapiErrorCases(
 			DocumentKey: s.randomDocId(),
 		})
 		require.NotNil(s.T(), resp)
-		require.Equal(s.T(), http.StatusBadRequest, resp.StatusCode)
+		require.Equal(s.T(), http.StatusUnauthorized, resp.StatusCode)
 		// Authorization header missing is considered a missing parameter rather
 		// than an authentication specific error.
 	})