CXXCBC-739: Support mTLS Cert Refresh (without restart)

Matt-Woz · Matt-Woz · commit efddfed6896d · 2025-10-28T11:15:29.000Z
diff --git a/core/cluster.cxx b/core/cluster.cxx
@@ -24,6 +24,7 @@
 #include "core/app_telemetry_meter.hxx"
 #include "core/app_telemetry_reporter.hxx"
 #include "core/diagnostics.hxx"
+#include "core/error.hxx"
 #include "core/impl/get_replica.hxx"
 #include "core/impl/lookup_in_replica.hxx"
 #include "core/impl/observe_seqno.hxx"
@@ -521,6 +522,21 @@ class cluster_impl : public std::enable_shared_from_this<cluster_impl>
     return handler({});
   }
 
+  auto update_credentials(cluster_credentials auth) -> core::error
+  {
+    if (stopped_) {
+      return { errc::network::cluster_closed, {} };
+    }
+
+    if (auth.requires_tls() && !origin_.options().enable_tls) {
+      return { errc::common::invalid_argument,
+               "TLS not enabled but the provided authenticator requires TLS" };
+    }
+
+    origin_.update_credentials(std::move(auth));
+    return {};
+  }
+
   auto origin() const -> std::pair<std::error_code, couchbase::core::origin>
   {
     if (stopped_) {
@@ -1437,6 +1453,15 @@ cluster::origin() const -> std::pair<std::error_code, couchbase::core::origin>
   return { errc::network::cluster_closed, {} };
 }
 
+auto
+cluster::update_credentials(core::cluster_credentials auth) -> core::error
+{
+  if (impl_) {
+    return impl_->update_credentials(std::move(auth));
+  }
+  return { errc::network::cluster_closed, {} };
+}
+
 auto
 cluster::io_context() const -> asio::io_context&
 {
diff --git a/core/cluster.hxx b/core/cluster.hxx
@@ -18,6 +18,7 @@
 #pragma once
 
 #include "diagnostics.hxx"
+#include "error.hxx"
 #include "operations_fwd.hxx"
 #include "origin.hxx"
 #include "topology/configuration.hxx"
@@ -85,6 +86,8 @@ public:
     utils::movable_function<void(std::error_code, std::shared_ptr<topology::configuration>)>&&
       handler) const;
 
+  [[nodiscard]] auto update_credentials(core::cluster_credentials auth) -> core::error;
+
   void execute(o::analytics_request request, mf<void(o::analytics_response)>&& handler) const;
   void execute(o::append_request request, mf<void(o::append_response)>&& handler) const;
   void execute(o::decrement_request request, mf<void(o::decrement_response)>&& handler) const;
diff --git a/core/cluster_credentials.cxx b/core/cluster_credentials.cxx
@@ -24,4 +24,11 @@ cluster_credentials::uses_certificate() const -> bool
 {
   return !certificate_path.empty();
 }
+
+auto
+cluster_credentials::requires_tls() const -> bool
+{
+  return !certificate_path.empty() && !key_path.empty();
+}
+
 } // namespace couchbase::core
diff --git a/core/cluster_credentials.hxx b/core/cluster_credentials.hxx
@@ -31,6 +31,7 @@ struct cluster_credentials {
   std::optional<std::vector<std::string>> allowed_sasl_mechanisms{};
 
   [[nodiscard]] auto uses_certificate() const -> bool;
+  [[nodiscard]] auto requires_tls() const -> bool;
 };
 
 } // namespace couchbase::core
diff --git a/core/impl/public_cluster.cxx b/core/impl/public_cluster.cxx
@@ -416,6 +416,15 @@ class cluster_impl : public std::enable_shared_from_this<cluster_impl>
       });
   }
 
+  auto set_authenticator(core::cluster_credentials auth) -> error
+  {
+    auto e = core_.update_credentials(std::move(auth));
+    if (e.ec) {
+      return core::impl::make_error(e);
+    }
+    return {};
+  }
+
   void notify_fork(fork_event event)
   {
     if (event == fork_event::prepare) {
@@ -700,6 +709,29 @@ cluster::close() -> std::future<void>
   return future;
 }
 
+auto
+cluster::set_authenticator(const password_authenticator& authenticator) -> couchbase::error
+{
+  core::cluster_credentials auth;
+  auth.username = authenticator.username_;
+  auth.password = authenticator.password_;
+  if (authenticator.ldap_compatible_) {
+    auth.allowed_sasl_mechanisms = { { "PLAIN" } };
+  }
+
+  return impl_->set_authenticator(std::move(auth));
+}
+
+auto
+cluster::set_authenticator(const certificate_authenticator& authenticator) -> couchbase::error
+{
+  core::cluster_credentials auth;
+  auth.certificate_path = authenticator.certificate_path_;
+  auth.key_path = authenticator.key_path_;
+
+  return impl_->set_authenticator(std::move(auth));
+}
+
 auto
 cluster::query_indexes() const -> query_index_manager
 {
diff --git a/core/origin.cxx b/core/origin.cxx
@@ -468,6 +468,11 @@ couchbase::core::origin::set_nodes_from_config(const topology::configuration& co
   }
   next_node_ = nodes_.begin();
 }
+void
+couchbase::core::origin::update_credentials(cluster_credentials auth)
+{
+  credentials_ = std::move(auth);
+}
 auto
 couchbase::core::origin::next_address() -> std::pair<std::string, std::string>
 {
diff --git a/core/origin.hxx b/core/origin.hxx
@@ -71,6 +71,8 @@ struct origin {
   void set_nodes(node_list nodes);
   void set_nodes_from_config(const topology::configuration& config);
 
+  void update_credentials(cluster_credentials auth);
+
   [[nodiscard]] auto next_address() -> std::pair<std::string, std::string>;
 
   [[nodiscard]] auto exhausted() const -> bool;
diff --git a/couchbase/certificate_authenticator.hxx b/couchbase/certificate_authenticator.hxx
@@ -35,5 +35,6 @@ private:
   std::string key_path_;
 
   friend class cluster_options;
+  friend class cluster;
 };
 } // namespace couchbase
diff --git a/couchbase/cluster.hxx b/couchbase/cluster.hxx
@@ -102,6 +102,38 @@ public:
   void close(std::function<void()>&& handler);
   [[nodiscard]] auto close() -> std::future<void>;
 
+  /**
+   * Replaces the current authenticator used by this cluster.
+   *
+   * NOTE: Setting a new authenticator does not change the authentication status of existing
+   * connections.
+   *
+   * @param authenticator the authenticator to replace
+   *
+   * @return error
+   *
+   * @since 1.3.0
+   * @committed
+   */
+  auto set_authenticator(const password_authenticator& authenticator) -> error;
+
+  /**
+   * Replaces the current authenticator used by this cluster.
+   *
+   * NOTE: Setting a new authenticator does not change the authentication status of existing
+   connections.
+   *
+   * @param authenticator the authenticator to replace
+
+   * @exception errc::common::invalid_argument if TLS is not enabled.
+   *
+   * @return error
+   *
+   * @since 1.3.0
+   * @committed
+   */
+  auto set_authenticator(const certificate_authenticator& authenticator) -> error;
+
   /**
    * Opens a {@link bucket} with the given name.
    *
diff --git a/couchbase/password_authenticator.hxx b/couchbase/password_authenticator.hxx
@@ -43,5 +43,6 @@ private:
   bool ldap_compatible_{ false };
 
   friend class cluster_options;
+  friend class cluster;
 };
 } // namespace couchbase
diff --git a/test/test_integration_connect.cxx b/test/test_integration_connect.cxx
@@ -15,6 +15,8 @@
  *   limitations under the License.
  */
 
+#include "core/io/http_session_manager.hxx"
+
 #include "test_helper_integration.hxx"
 
 #include "test/utils/logger.hxx"
@@ -221,3 +223,55 @@ TEST_CASE("integration: connecting with a custom transactions metadata collectio
 
   REQUIRE(err.ec() == couchbase::errc::common::bucket_not_found);
 }
+
+TEST_CASE("integration: reopen bucket after changing to incorrect credentials", "[integration]")
+{
+  SKIP("Remove once CXXCBC-749 is fixed");
+
+  test::utils::integration_test_guard integration;
+  test::utils::open_bucket(integration.cluster, integration.ctx.bucket);
+
+  {
+    auto err = integration.cluster.update_credentials(
+      couchbase::core::cluster_credentials{ "invalid-username", "invalid-password" });
+    REQUIRE_SUCCESS(err.ec);
+  }
+
+  test::utils::close_bucket(integration.cluster, integration.ctx.bucket);
+
+  auto barrier = std::make_shared<std::promise<std::error_code>>();
+  auto f = barrier->get_future();
+  integration.cluster.open_bucket(integration.ctx.bucket, [barrier](std::error_code ec) {
+    barrier->set_value(ec);
+  });
+  auto rc = f.get();
+
+  REQUIRE(rc == couchbase::errc::common::authentication_failure);
+}
+
+TEST_CASE("integration: query after changing to incorrect credentials", "[integration]")
+{
+  test::utils::integration_test_guard integration;
+
+  if (!integration.cluster_version().is_7_6()) {
+    SKIP(
+      "Query versions without MB-39484 do not authenticate if RBAC is not required in the query");
+  }
+
+  couchbase::core::operations::query_request req{ R"(SELECT 1=1)" };
+  {
+    auto resp = test::utils::execute(integration.cluster, req);
+    REQUIRE_SUCCESS(resp.ctx.ec);
+  }
+  {
+    auto err = integration.cluster.update_credentials(
+      couchbase::core::cluster_credentials{ "invalid-username", "invalid-password" });
+    REQUIRE_SUCCESS(err.ec);
+  }
+  auto [mgr_ec, session_mgr] = integration.cluster.http_session_manager();
+
+  session_mgr->close();
+  auto resp = test::utils::execute(integration.cluster, req);
+
+  REQUIRE(resp.ctx.ec == couchbase::errc::common::internal_server_failure);
+}
diff --git a/test/utils/server_version.hxx b/test/utils/server_version.hxx
@@ -310,6 +310,11 @@ struct server_version {
     return (major == 7 && minor == 1) || (major == 7 && minor > 1) || major > 7;
   }
 
+  [[nodiscard]] auto is_7_6() const -> bool
+  {
+    return (major > 7 || (major == 7 && minor >= 6));
+  }
+
   [[nodiscard]] auto supports_eventing_mb_67773_errors() const -> bool
   {
     // See MB-67773. A few errors have changed in eventing, most notably, many specific errors were

Original file line number	Diff line number	Diff line change
`@@ -24,4 +24,11 @@ cluster_credentials::uses_certificate() const -> bool`
`24`	`24`	`{`
`25`	`25`	`return !certificate_path.empty();`
`26`	`26`	`}`
	`27`	`+`
	`28`	`+auto`
	`29`	`+cluster_credentials::requires_tls() const -> bool`
	`30`	`+{`
	`31`	`+ return !certificate_path.empty() && !key_path.empty();`
	`32`	`+}`
	`33`	`+`
`27`	`34`	`} // namespace couchbase::core`
Original file line number	Diff line number	Diff line change
`@@ -468,6 +468,11 @@ couchbase::core::origin::set_nodes_from_config(const topology::configuration& co`
`468`	`468`	`}`
`469`	`469`	`next_node_ = nodes_.begin();`
`470`	`470`	`}`
	`471`	`+void`
	`472`	`+couchbase::core::origin::update_credentials(cluster_credentials auth)`
	`473`	`+{`
	`474`	`+ credentials_ = std::move(auth);`
	`475`	`+}`
`471`	`476`	`auto`
`472`	`477`	`couchbase::core::origin::next_address() -> std::pair<std::string, std::string>`
`473`	`478`	`{`