CCBC-1652: allow to force SASL when client certificate is being used

Change-Id: Ic6ea76f4c843aa29694e3f9be8984b190e89dde4
Reviewed-on: https://review.couchbase.org/c/libcouchbase/+/219911
Reviewed-by: Rishit Chaudhary <rishit.chaudhary@couchbase.com>
Tested-by: Build Bot <build@couchbase.com>
Reviewed-by: Hiren <hiren.bavaskar@couchbase.com>

Author: avsej

include/libcouchbase/cntl-private.h

@@ -298,4 +298,12 @@ struct lcb_cntl_rdballocfactory {
  */
 #define LCB_CNTL_QUERY_GRACE_PERIOD 0x64
 
+/**
+ * @brief Allow using SASL and BasicAuth with client certificate (assumes username/password provided and valid).
+ *
+ * @cntl_arg_both{lcb_U32*}
+ * @volatile
+ */
+#define LCB_CNTL_USE_CREDENTIALS_WITH_CLIENT_CERTIFICATE 0x69
+
 /**@}*/

include/libcouchbase/cntl.h

@@ -1346,7 +1346,7 @@ typedef enum {
  * This is not a command, but rather an indicator of the last item.
  * @internal
  */
-#define LCB_CNTL__MAX 0x69
+#define LCB_CNTL__MAX 0x6a
 /**@}*/
 
 #ifdef __cplusplus

src/bucketconfig/bc_http.cc

@@ -255,7 +255,7 @@ lcb_STATUS HttpProvider::setup_request_header(const lcb_host_t &host)
     }
 
     request_buf.append(" HTTP/1.1\r\n");
-    if (!settings().keypath) {
+    if (!settings().keypath || settings().use_credentials_with_client_certificate) {
         // not using SSL client certificate to authenticate
         auto creds = settings().auth->credentials_for(LCBAUTH_SERVICE_MANAGEMENT, LCBAUTH_REASON_NEW_OPERATION,
                                                       host.host, host.port, settings().bucket);

src/cntl.cc

@@ -770,6 +770,11 @@ HANDLER(unordered_execution_handler)
     RETURN_GET_SET(int, LCBT_SETTING(instance, enable_unordered_execution))
 }
 
+HANDLER(use_credentials_with_client_certificate)
+{
+    RETURN_GET_SET(int, LCBT_SETTING(instance, use_credentials_with_client_certificate))
+}
+
 /* clang-format off */
 static ctl_handler handlers[] = {
     timeout_common,                       /* LCB_CNTL_OP_TIMEOUT */
@@ -877,6 +882,7 @@ static ctl_handler handlers[] = {
     timeout_common,                       /* LCB_CNTL_OP_METRICS_FLUSH_INTERVAL */
     enable_op_metrics_handler,            /* LCB_CNTL_ENABLE_OP_METRICS */
     preferred_server_group_handler,       /* LCB_CNTL_PREFERRED_SERVER_GROUP */
+    use_credentials_with_client_certificate, /* LCB_CNTL_USE_CREDENTIALS_WITH_CLIENT_CERTIFICATE */
     nullptr
 };
 /* clang-format on */
@@ -1119,6 +1125,7 @@ static cntl_OPCODESTRS stropcode_map[] = {
     {"operation_metrics_flush_interval", LCB_CNTL_OP_METRICS_FLUSH_INTERVAL, convert_timevalue},
     {"enable_operation_metrics", LCB_CNTL_ENABLE_OP_METRICS, convert_intbool},
     {"preferred_server_group", LCB_CNTL_PREFERRED_SERVER_GROUP, convert_passthru},
+    {"use_credentials_with_client_certificate", LCB_CNTL_USE_CREDENTIALS_WITH_CLIENT_CERTIFICATE, convert_intbool},
     {nullptr, -1}};
 
 #define CNTL_NUM_HANDLERS (sizeof(handlers) / sizeof(handlers[0]))

src/http/http.cc

@@ -230,8 +230,7 @@ void Request::finish_or_retry(lcb_STATUS rc)
         finish(rc);
         return;
     }
-    struct http_parser_url next_info {
-    };
+    struct http_parser_url next_info{};
     if (_lcb_http_parser_parse_url(nextnode, strlen(nextnode), 0, &next_info)) {
         lcb_log(LOGARGS(this, WARN), LOGFMT "Not retrying. Invalid API endpoint", LOGID(this));
         finish(LCB_ERR_INVALID_ARGUMENT);
@@ -646,9 +645,10 @@ lcb_STATUS Request::setup_inputs(const lcb_CMDHTTP *cmd)
             }
         }
 
-        if ((cmd->cmdflags & LCB_CMDHTTP_F_NOUPASS) || instance->settings->keypath) {
+        if ((cmd->cmdflags & LCB_CMDHTTP_F_NOUPASS) ||
+            (instance->settings->keypath && !instance->settings->use_credentials_with_client_certificate)) {
             // explicitly asked to skip Authorization header,
-            // or using SSL client certificate to authenticate
+            // or using SSL client certificate to authenticate with use_credentials_with_client_certificate=false
             username.clear();
             password.clear();
         } else if (username.empty() && password.empty()) {

src/instance.cc

@@ -129,7 +129,7 @@ const void *lcb_get_cookie(lcb_INSTANCE *instance)
 LIBCOUCHBASE_API
 void lcb_set_auth(lcb_INSTANCE *instance, lcb_AUTHENTICATOR *auth)
 {
-    if (LCBT_SETTING(instance, keypath)) {
+    if (LCBT_SETTING(instance, keypath) && !LCBT_SETTING(instance, use_credentials_with_client_certificate)) {
         lcb_log(LOGARGS(instance, WARN),
                 "Custom authenticator ignored when SSL client certificate authentication in use");
         return;

src/mcserver/negotiate.cc

@@ -270,7 +270,7 @@ SessionRequestImpl::MechStatus SessionRequestImpl::set_chosen_mech(std::string &
     cbsasl_error_t saslerr;
 
     if (mechlist.empty()) {
-        lcb_log(LOGARGS(this, WARN), LOGFMT "Server does not support SASL (no mechanisms supported)", LOGID(this));
+        lcb_log(LOGARGS(this, WARN), LOGFMT "Server does not support SASL (no mechanisms supported, empty list)", LOGID(this));
         return MECH_NOT_NEEDED;
     }
 
@@ -329,7 +329,7 @@ SessionRequestImpl::MechStatus SessionRequestImpl::set_chosen_mech(std::string &
             info->mech.assign(chosenmech);
             return MECH_OK;
         case SASL_NOMECH:
-            lcb_log(LOGARGS(this, WARN), LOGFMT "Server does not support SASL (no mechanisms supported)", LOGID(this));
+            lcb_log(LOGARGS(this, WARN), LOGFMT "Server does not support SASL (no mechanisms supported, SASL_NOMECH)", LOGID(this));
             return MECH_UNAVAILABLE;
         default:
             lcb_log(LOGARGS(this, ERROR), LOGFMT "cbsasl_client_start returned %d", LOGID(this), saslerr);
@@ -710,7 +710,7 @@ void SessionRequestImpl::handle_read(lcbio_CTX *ioctx)
                 lcb_log(LOGARGS(this, TRACE), LOGFMT "GET_ERRORMAP unsupported/disabled", LOGID(this));
             }
 
-            if (settings->keypath) {
+            if (settings->keypath && !settings->use_credentials_with_client_certificate) {
                 completed = !expecting_error_map && !maybe_select_bucket();
             }
             break;
@@ -727,7 +727,7 @@ void SessionRequestImpl::handle_read(lcbio_CTX *ioctx)
                         status);
                 set_error(LCB_ERR_PROTOCOL_ERROR, "GET_ERRMAP response unexpected", &resp);
             }
-            if (settings->keypath) {
+            if (settings->keypath && !settings->use_credentials_with_client_certificate) {
                 completed = !maybe_select_bucket();
             }
             // Note, there is no explicit state transition here. LIST_MECHS is
@@ -838,7 +838,7 @@ void SessionRequestImpl::start(lcbio_SOCKET *sock)
     } else {
         lcb_log(LOGARGS(this, TRACE), LOGFMT "GET_ERRORMAP disabled", LOGID(this));
     }
-    if (!settings->keypath) {
+    if (!settings->keypath || settings->use_credentials_with_client_certificate) {
         send_list_mechs();
     }
     LCBIO_CTX_RSCHEDULE(ctx, 24);

src/settings.cc

@@ -86,6 +86,7 @@ void lcb_default_settings(lcb_settings *settings)
     settings->op_metrics_flush_interval = LCB_DEFAULT_OP_METRICS_FLUSH_INTERVAL;
     settings->op_metrics_enabled = 1;
     settings->preferred_server_group = nullptr;
+    settings->use_credentials_with_client_certificate = 0;
 }
 
 LCB_INTERNAL_API

src/settings.h

@@ -237,6 +237,7 @@ typedef struct lcb_settings_st {
     char *network; /** network resolution, AKA "Multi Network Configurations" */
     lcb_U32 op_metrics_flush_interval;
     unsigned op_metrics_enabled : 1;
+    unsigned use_credentials_with_client_certificate : 1;
     char *preferred_server_group;
 } lcb_settings;