ING-1339: Support client cert auth for non-kv ops

ING-1339: Add support for client cert auth to data api

ING-1339: Add mtls support for Data API proxy

Author: Westwooo

.github/actions/install-cbdinocluster/action.yml

@@ -11,7 +11,7 @@ runs:
       shell: bash
       run: |
         mkdir -p "$HOME/bin"
-        wget -nv -O $HOME/bin/cbdinocluster https://github.com/couchbaselabs/cbdinocluster/releases/download/v0.0.95/cbdinocluster-linux-amd64
+        wget -nv -O $HOME/bin/cbdinocluster https://github.com/couchbaselabs/cbdinocluster/releases/download/v0.0.96/cbdinocluster-linux-amd64
         chmod +x $HOME/bin/cbdinocluster
         echo "$HOME/bin" >> $GITHUB_PATH
     - name: Initialize cbdinocluster

.github/workflows/client_cert_auth_test.yml

@@ -54,7 +54,7 @@ jobs:
         env:
           SGTEST_CBCONNSTR: ${{ steps.start-cluster.outputs.node-ip }}
           SGTEST_DINOID: ${{ steps.start-cluster.outputs.dino-id }}
-        run: go test ./gateway/test -run TestGatewayOps -v -testify.m TestClientCertAuth
+        run: go test ./gateway/test -run TestGatewayOps -v -testify.m ClientCertAuth
 
       - name: Collect couchbase logs
         timeout-minutes: 10

dataapiv1/spec.yaml

@@ -1222,7 +1222,6 @@ components:
       description: Header for authentication.
       schema:
         type: string
-      required: true
     AcceptEncodingHeader:
       in: header
       name: Accept-Encoding

gateway/auth/cbauthauthenticator.go

@@ -103,7 +103,7 @@ func (a *CbAuthAuthenticator) ValidateConnStateForObo(ctx context.Context, connS
 			return "", "", ErrInvalidCertificate
 		}
 
-		return "", "", fmt.Errorf("failed to check certificate with cbauth: %s", err.Error())
+		return "", "", fmt.Errorf("failed to check certificate with cbauth: %w", err)
 	}
 
 	return info.User, info.Domain, nil

gateway/dapiimpl/dapiimpl.go

@@ -18,6 +18,9 @@ type NewOptions struct {
 	ProxyServices   []proxy.ServiceType
 	ProxyBlockAdmin bool
 	Debug           bool
+
+	Username string
+	Password string
 }
 
 type Servers struct {
@@ -44,7 +47,11 @@ func New(opts *NewOptions) *Servers {
 			opts.CbClient,
 			opts.ProxyServices,
 			opts.ProxyBlockAdmin,
-			opts.Debug),
+			opts.Debug,
+			v1AuthHandler,
+			opts.Username,
+			opts.Password,
+		),
 		DataApiV1Server: server_v1.NewDataApiServer(
 			opts.Logger.Named("dapi-serverv1"),
 			v1ErrHandler,

gateway/dapiimpl/proxy/proxy.go

@@ -2,6 +2,8 @@ package proxy
 
 import (
 	"context"
+	"encoding/base64"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -16,7 +18,10 @@ import (
 	"go.opentelemetry.io/otel/propagation"
 
 	"github.com/couchbase/gocbcorex"
+	"github.com/couchbase/gocbcorex/cbauthx"
 	"github.com/couchbase/gocbcorex/contrib/buildversion"
+	"github.com/couchbase/stellar-gateway/gateway/auth"
+	"github.com/couchbase/stellar-gateway/gateway/dapiimpl/server_v1"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/metric"
@@ -51,6 +56,10 @@ type DataApiProxy struct {
 	numRequests    metric.Int64Counter
 	ttfbMillis     metric.Int64Histogram
 	durationMillis metric.Int64Histogram
+
+	adminUsername string
+	adminPassword string
+	authHander    *server_v1.AuthHandler
 }
 
 func NewDataApiProxy(
@@ -59,6 +68,8 @@ func NewDataApiProxy(
 	services []ServiceType,
 	disableAdmin bool,
 	debugMode bool,
+	authHandler *server_v1.AuthHandler,
+	username, password string,
 ) *DataApiProxy {
 	mux := http.NewServeMux()
 
@@ -92,6 +103,9 @@ func NewDataApiProxy(
 		numRequests:    numRequests,
 		ttfbMillis:     ttfbMillis,
 		durationMillis: durationMillis,
+		adminUsername:  username,
+		adminPassword:  password,
+		authHander:     authHandler,
 	}
 
 	for _, serviceName := range services {
@@ -127,9 +141,13 @@ func (p *DataApiProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 
 func (p *DataApiProxy) writeError(w http.ResponseWriter, err error, msg string) {
+	p.writeErrorWithStatus(w, err, msg, 502)
+}
+
+func (p *DataApiProxy) writeErrorWithStatus(w http.ResponseWriter, err error, msg string, status int) {
 	p.logger.Debug(msg, zap.Error(err))
 
-	w.WriteHeader(502)
+	w.WriteHeader(status)
 
 	if !p.debugMode {
 		_, _ = fmt.Fprintf(w, "%s", msg)
@@ -252,6 +270,34 @@ func (p *DataApiProxy) proxyService(
 	// copy some other details
 	proxyReq.Header = r.Header
 
+	// If no auth header has been given, check for a client cert
+	authHdr := proxyReq.Header.Get("Authorization")
+	if authHdr == "" {
+		oboUser, oboDomain, err := p.authHander.Authenticator.ValidateConnStateForObo(ctx, r.TLS)
+		if err != nil {
+			if errors.Is(err, auth.ErrInvalidCertificate) {
+				p.writeError(w, err, "failed to validate certificate")
+				return
+			} else if errors.Is(err, cbauthx.ErrNoCert) {
+				p.writeErrorWithStatus(w, err, "authorization header or client cert are required", 401)
+				return
+			}
+
+			p.writeErrorWithStatus(w, err, "received an unexpected cert authentication error", 401)
+			return
+		}
+
+		// We only set the on behalf of and auth headers if there is a user, if
+		// we set the onbehalf of header to an empty string and use the admin
+		// creds then the server seems to ignore the obo header.
+		if oboUser != "" {
+			// ING-1371 (support CNG -> cluster mtls)
+			oboHdrStr := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", oboUser, oboDomain)))
+			proxyReq.Header.Set("cb-on-behalf-of", oboHdrStr)
+			proxyReq.SetBasicAuth(p.adminUsername, p.adminPassword)
+		}
+	}
+
 	tr := otelhttp.NewTransport(
 		roundTripper,
 		// By setting the otelhttptrace client in this transport, it can be

gateway/dapiimpl/server_v1/authhandler.go

@@ -2,6 +2,7 @@ package server_v1
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"net/http"
 
@@ -19,6 +20,8 @@ type AuthHandler struct {
 	CbClient      *gocbcorex.BucketsTrackingAgentManager
 }
 
+type CtxKeyTlsConnState struct{}
+
 func (a AuthHandler) getUserPassFromRequest(authHdr string) (string, string, error) {
 	// we reuse the Basic auth parsing built into the go net library
 	r := http.Request{
@@ -35,23 +38,60 @@ func (a AuthHandler) getUserPassFromRequest(authHdr string) (string, string, err
 	return username, password, nil
 }
 
-func (a AuthHandler) MaybeGetUserPassFromRequest(authHdr string) (string, string, *Status) {
-	username, password, err := a.getUserPassFromRequest(authHdr)
+func (a AuthHandler) MaybeGetUserPassFromRequest(authHdr *string) (string, string, *Status) {
+	if authHdr == nil {
+		return "", "", nil
+	}
+
+	username, password, err := a.getUserPassFromRequest(*authHdr)
 	if err != nil {
 		return "", "", a.ErrorHandler.NewInvalidAuthHeaderStatus(err)
 	}
 
 	return username, password, nil
 }
 
-func (a AuthHandler) MaybeGetOboUserFromContext(ctx context.Context, authHdr string) (string, string, *Status) {
+func (a AuthHandler) MaybeGetConnStateFromContext(ctx context.Context) (*tls.ConnectionState, *Status) {
+	connState, ok := ctx.Value(CtxKeyTlsConnState{}).(*tls.ConnectionState)
+	if connState == nil || !ok {
+		return nil, nil
+	}
+
+	return connState, nil
+}
+
+func (a AuthHandler) MaybeGetOboUserFromContext(ctx context.Context, authHdr *string) (string, string, *Status) {
 	username, password, errHe := a.MaybeGetUserPassFromRequest(authHdr)
 	if errHe != nil {
 		return "", "", errHe
 	}
 
-	if username == "" && password == "" {
-		return "", "", nil
+	connState, errSt := a.MaybeGetConnStateFromContext(ctx)
+	if errSt != nil {
+		return "", "", errSt
+	}
+
+	credsFound := username != "" && password != ""
+	certFound := connState != nil && len(connState.PeerCertificates) != 0
+
+	switch {
+	case !credsFound && !certFound:
+		return "", "", a.ErrorHandler.NewNoAuthStatus()
+	case credsFound && certFound:
+		a.Logger.Debug("username/password taking priority over client cert auth as both were given.")
+	case credsFound:
+	case certFound:
+		oboUser, oboDomain, err := a.Authenticator.ValidateConnStateForObo(ctx, connState)
+		if err != nil {
+			if errors.Is(err, auth.ErrInvalidCertificate) {
+				return "", "", a.ErrorHandler.NewInvalidCertificateStatus()
+			}
+
+			a.Logger.Error("received an unexpected cert authentication error", zap.Error(err))
+			return "", "", a.ErrorHandler.NewInternalStatus()
+		}
+
+		return oboUser, oboDomain, nil
 	}
 
 	oboUser, oboDomain, err := a.Authenticator.ValidateUserForObo(ctx, username, password)
@@ -67,7 +107,7 @@ func (a AuthHandler) MaybeGetOboUserFromContext(ctx context.Context, authHdr str
 	return oboUser, oboDomain, nil
 }
 
-func (a AuthHandler) GetOboUserFromRequest(ctx context.Context, authHdr string) (string, string, *Status) {
+func (a AuthHandler) GetOboUserFromRequest(ctx context.Context, authHdr *string) (string, string, *Status) {
 	user, domain, st := a.MaybeGetOboUserFromContext(ctx, authHdr)
 	if st != nil {
 		return "", "", st
@@ -81,7 +121,7 @@ func (a AuthHandler) GetOboUserFromRequest(ctx context.Context, authHdr string)
 }
 
 func (a AuthHandler) GetHttpOboInfoFromContext(ctx context.Context, authHdr string) (*cbhttpx.OnBehalfOfInfo, *Status) {
-	username, password, errHe := a.MaybeGetUserPassFromRequest(authHdr)
+	username, password, errHe := a.MaybeGetUserPassFromRequest(&authHdr)
 	if errHe != nil {
 		return nil, errHe
 	}
@@ -119,7 +159,7 @@ func (a AuthHandler) getBucketAgent(ctx context.Context, bucketName string) (*go
 }
 
 func (a AuthHandler) GetMemdOboAgent(
-	ctx context.Context, authHdr string, bucketName string,
+	ctx context.Context, authHdr *string, bucketName string,
 ) (*gocbcorex.Agent, string, *Status) {
 	oboUser, _, errHe := a.GetOboUserFromRequest(ctx, authHdr)
 	if errHe != nil {

gateway/dapiimpl/server_v1/errorhandler.go

@@ -121,6 +121,24 @@ func (e ErrorHandler) NewInvalidCredentialsStatus() *Status {
 	return st
 }
 
+func (e ErrorHandler) NewUnexpectedAuthTypeStatus() *Status {
+	st := &Status{
+		StatusCode: http.StatusBadRequest,
+		Code:       dataapiv1.ErrorCodeInvalidArgument,
+		Message:    "Unexpected auth type.",
+	}
+	return st
+}
+
+func (e ErrorHandler) NewInvalidCertificateStatus() *Status {
+	st := &Status{
+		StatusCode: http.StatusForbidden,
+		Code:       dataapiv1.ErrorCodeInvalidAuth,
+		Message:    "Your certificate is invalid.",
+	}
+	return st
+}
+
 func (e ErrorHandler) NewInternalStatus() *Status {
 	st := &Status{
 		StatusCode: http.StatusInternalServerError,

gateway/dapiimpl/tlsconnstate.go

@@ -0,0 +1,18 @@
+package dapiimpl
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/couchbase/stellar-gateway/gateway/dapiimpl/server_v1"
+	"github.com/oapi-codegen/runtime/strictmiddleware/nethttp"
+)
+
+func NewTlsConnStateHandler() func(f nethttp.StrictHTTPHandlerFunc, operationID string) nethttp.StrictHTTPHandlerFunc {
+	return func(f nethttp.StrictHTTPHandlerFunc, operationID string) nethttp.StrictHTTPHandlerFunc {
+		return func(ctx context.Context, w http.ResponseWriter, r *http.Request, request interface{}) (response interface{}, err error) {
+			ctx = context.WithValue(ctx, server_v1.CtxKeyTlsConnState{}, r.TLS)
+			return f(ctx, w, r, request)
+		}
+	}
+}

gateway/dataimpl/server_v1/authhandler.go

@@ -79,7 +79,7 @@ func (a AuthHandler) MaybeGetOboUserFromContext(ctx context.Context) (string, st
 
 	switch {
 	case !credsFound && !certFound:
-		return "", "", nil
+		return "", "", a.ErrorHandler.NewNoAuthStatus()
 	case credsFound && certFound:
 		a.Logger.Debug("username/password taking priority over client cert auth as both were given.")
 	case credsFound:
@@ -129,8 +129,35 @@ func (a AuthHandler) GetHttpOboInfoFromContext(ctx context.Context) (*cbhttpx.On
 		return nil, errSt
 	}
 
-	if username == "" {
+	connState, errHe := a.MaybeGetConnStateFromContext(ctx)
+	if errHe != nil {
+		return nil, errHe
+	}
+
+	credsFound := username != "" && password != ""
+	certFound := connState != nil && len(connState.PeerCertificates) != 0
+
+	switch {
+	case !credsFound && !certFound:
 		return nil, a.ErrorHandler.NewNoAuthStatus()
+	case credsFound && certFound:
+		a.Logger.Debug("username/password taking priority over client cert auth as both were given.")
+	case credsFound:
+	case certFound:
+		oboUser, oboDomain, err := a.Authenticator.ValidateConnStateForObo(ctx, connState)
+		if err != nil {
+			if errors.Is(err, auth.ErrInvalidCertificate) {
+				return nil, a.ErrorHandler.NewInvalidCertificateStatus()
+			}
+
+			a.Logger.Error("received an unexpected cert authentication error", zap.Error(err))
+			return nil, a.ErrorHandler.NewInternalStatus()
+		}
+
+		return &cbhttpx.OnBehalfOfInfo{
+			Username: oboUser,
+			Domain:   oboDomain,
+		}, nil
 	}
 
 	return &cbhttpx.OnBehalfOfInfo{