[feature](tls) Support cert based auth for FE https api

Hastyshell · Hastyshell · commit 7a477a757b4b · 2026-01-06T20:58:06.000+08:00
diff --git a/fe/fe-core/src/main/java/org/apache/doris/httpv2/controller/BaseController.java b/fe/fe-core/src/main/java/org/apache/doris/httpv2/controller/BaseController.java
@@ -30,6 +30,8 @@
 import org.apache.doris.httpv2.HttpAuthManager;
 import org.apache.doris.httpv2.HttpAuthManager.SessionValue;
 import org.apache.doris.httpv2.exception.UnauthorizedException;
+import org.apache.doris.mysql.authenticate.CertificateAuthVerifier;
+import org.apache.doris.mysql.authenticate.CertificateAuthVerifierFactory;
 import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.qe.ConnectContext;
 import org.apache.doris.service.FrontendOptions;
@@ -48,6 +50,7 @@
 import org.apache.logging.log4j.Logger;
 
 import java.nio.ByteBuffer;
+import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.UUID;
 
@@ -70,7 +73,14 @@ public ActionAuthorizationInfo checkWithCookie(HttpServletRequest request,
         if (encodedAuthString != null) {
             // If has Authorization header, check auth info
             ActionAuthorizationInfo authInfo = getAuthorizationInfo(request);
-            UserIdentity currentUser = checkPassword(authInfo);
+
+            // Try certificate-based authentication first
+            UserIdentity currentUser = tryCertificateAuth(authInfo, request);
+
+            if (currentUser == null) {
+                // Certificate auth not applicable or password verification still required
+                currentUser = checkPassword(authInfo);
+            }
 
             if (Config.isCloudMode() && checkAuth) {
                 checkInstanceOverdue(currentUser);
@@ -266,6 +276,88 @@ protected UserIdentity checkPassword(ActionAuthorizationInfo authInfo)
         return currentUser.get(0);
     }
 
+    /**
+     * Extracts client X509 certificate from the HTTPS request.
+     * The certificate is available via Jetty's SecureRequestCustomizer when client auth is enabled.
+     *
+     * @param request the HTTP request
+     * @return the client's X509 certificate, or null if not available
+     */
+    private X509Certificate getClientCertificate(HttpServletRequest request) {
+        // Jetty's SecureRequestCustomizer populates this attribute with client certificates
+        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(
+                "jakarta.servlet.request.X509Certificate");
+        if (certs != null && certs.length > 0) {
+            return certs[0];
+        }
+        return null;
+    }
+
+    /**
+     * Attempts certificate-based authentication for the user.
+     * This method checks if the user has TLS requirements (e.g., REQUIRE SAN) and verifies
+     * the client certificate against those requirements.
+     *
+     * @param authInfo the authorization info containing username and remote IP
+     * @param request the HTTP request containing the client certificate
+     * @return the authenticated UserIdentity if cert auth succeeds and password can be skipped,
+     *         or null if cert auth is not applicable or password verification is still required
+     * @throws UnauthorizedException if cert verification fails for a user with TLS requirements
+     */
+    private UserIdentity tryCertificateAuth(ActionAuthorizationInfo authInfo, HttpServletRequest request)
+            throws UnauthorizedException {
+        CertificateAuthVerifier certVerifier = CertificateAuthVerifierFactory.getInstance();
+        if (!certVerifier.isEnabled()) {
+            return null;
+        }
+
+        X509Certificate clientCert = getClientCertificate(request);
+
+        // Get matching users without checking password
+        List<UserIdentity> matchingUsers = Env.getCurrentEnv().getAuth()
+                .getUserIdentityUncheckPasswd(authInfo.fullUserName, authInfo.remoteIp);
+
+        if (matchingUsers.isEmpty()) {
+            // No matching users found, let password auth handle the error
+            return null;
+        }
+
+        for (UserIdentity userIdentity : matchingUsers) {
+            if (!userIdentity.hasTlsRequirements()) {
+                // No TLS requirements for this user, skip cert verification
+                continue;
+            }
+
+            // User has TLS requirements - must verify certificate
+            CertificateAuthVerifier.VerificationResult result =
+                    certVerifier.verify(userIdentity, clientCert);
+
+            if (!result.isSuccess()) {
+                LOG.warn("TLS certificate verification failed for user {}: {}",
+                        userIdentity, result.getErrorMessage());
+                throw new UnauthorizedException(
+                        "TLS certificate verification failed: " + result.getErrorMessage());
+            }
+
+            // Certificate verification passed
+            if (certVerifier.shouldSkipPasswordVerification()) {
+                LOG.info("Certificate-based authentication succeeded for user {}, skipping password verification",
+                        userIdentity);
+                return userIdentity;
+            }
+
+            // Certificate verified but password verification still required
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("Certificate verified for user {}, proceeding with password verification",
+                        userIdentity);
+            }
+            return null;
+        }
+
+        // No user with TLS requirements matched, proceed with normal password auth
+        return null;
+    }
+
     public ActionAuthorizationInfo getAuthorizationInfo(HttpServletRequest request)
             throws UnauthorizedException {
         ActionAuthorizationInfo authInfo = new ActionAuthorizationInfo();
diff --git a/regression-test/suites/cloud_p0/tls/test_tls_cert_san_auth.groovy b/regression-test/suites/cloud_p0/tls/test_tls_cert_san_auth.groovy
@@ -117,13 +117,22 @@ suite("test_tls_cert_san_auth") {
         // === Cleanup function ===
         def cleanup = {
             logger.info("Cleaning up test users and restoring config...")
+            // MySQL protocol test users
             try_sql("DROP USER IF EXISTS '${testUserBase}_1'@'%'")
             try_sql("DROP USER IF EXISTS '${testUserBase}_2'@'%'")
             try_sql("DROP USER IF EXISTS '${testUserBase}_3'@'%'")
             try_sql("DROP USER IF EXISTS '${testUserBase}_4'@'%'")
             try_sql("DROP USER IF EXISTS '${testUserBase}_5'@'%'")
             try_sql("DROP USER IF EXISTS '${testUserBase}_6'@'%'")
             try_sql("DROP USER IF EXISTS '${testUserBase}_7'@'%'")
+            // HTTPS test users
+            try_sql("DROP USER IF EXISTS '${testUserBase}_http1'@'%'")
+            try_sql("DROP USER IF EXISTS '${testUserBase}_http2'@'%'")
+            try_sql("DROP USER IF EXISTS '${testUserBase}_http3'@'%'")
+            try_sql("DROP USER IF EXISTS '${testUserBase}_http4'@'%'")
+            try_sql("DROP USER IF EXISTS '${testUserBase}_http5'@'%'")
+            try_sql("DROP USER IF EXISTS '${testUserBase}_http6'@'%'")
+            try_sql("DROP USER IF EXISTS '${testUserBase}_http7'@'%'")
             try {
                 sql "ADMIN SET FRONTEND CONFIG ('tls_cert_based_auth_ignore_password' = '${origIgnorePassword}')"
             } catch (Exception e) {
@@ -239,7 +248,187 @@ suite("test_tls_cert_san_auth") {
             assertTrue(result7c, "Test 7c should succeed: URI SAN match")
             logger.info("Test 7c PASSED: URI SAN match works")
             
-            logger.info("=== All TLS SAN authentication tests PASSED ===")
+            logger.info("=== All MySQL protocol TLS SAN authentication tests PASSED ===")
+            
+            // ==================================================================================
+            // HTTPS/HTTP Certificate-Based Authentication Tests
+            // These tests verify that FE's HTTP endpoints also support cert-based auth
+            // ==================================================================================
+            logger.info("=== Starting HTTPS certificate-based auth tests ===")
+            
+            // Get FE HTTP connection info
+            def feHostIp = mysqlHost  // Actual IP to connect to
+            def httpPort = context.config.feHttpPort ?: "8030"
+            def httpEndpoint = "/api/bootstrap"  // Simple endpoint that requires auth
+            
+            logger.info("FE HTTPS host IP: ${feHostIp}, port: ${httpPort}")
+            logger.info("Test endpoint: ${httpEndpoint}")
+            
+            // Helper: Execute curl command and check result
+            def executeCurlCommand = { String command, boolean expectSuccess = true ->
+                def cmds = ["/bin/bash", "-c", command]
+                logger.info("Execute curl: ${command}")
+                Process p = cmds.execute()
+                def errMsg = new StringBuilder()
+                def msg = new StringBuilder()
+                p.waitForProcessOutput(msg, errMsg)
+                
+                def output = msg.toString().trim()
+                def error = errMsg.toString().trim()
+                logger.info("stdout: ${output}")
+                logger.info("stderr: ${error}")
+                logger.info("exitValue: ${p.exitValue()}")
+                
+                // For curl with -w '%{http_code}', success means HTTP 200
+                // Authentication failure typically returns 401
+                if (expectSuccess) {
+                    // Expect HTTP 200 (or 2xx)
+                    return output.startsWith("2") || output == "200"
+                } else {
+                    // Expect non-2xx (typically 401 Unauthorized)
+                    return !output.startsWith("2") && output != "200"
+                }
+            }
+            
+            // Helper: Build curl command with SAN certificate
+            // Use --resolve to map localhost to actual IP, avoiding SNI issues with IP addresses
+            // Use -k to skip server certificate verification (we're testing client cert auth)
+            def buildCurlWithCert = { String user, String password, String endpoint ->
+                return "curl -s -k -o /dev/null -w '%{http_code}' " +
+                       "--resolve 'localhost:${httpPort}:${feHostIp}' " +
+                       "-u '${user}:${password}' " +
+                       "--cert ${sanClientCert} --key ${sanClientKey} " +
+                       "https://localhost:${httpPort}${endpoint} 2>&1"
+            }
+            
+            // Helper: Build curl command without client certificate
+            def buildCurlNoCert = { String user, String password, String endpoint ->
+                return "curl -s -k -o /dev/null -w '%{http_code}' " +
+                       "--resolve 'localhost:${httpPort}:${feHostIp}' " +
+                       "-u '${user}:${password}' " +
+                       "https://localhost:${httpPort}${endpoint} 2>&1"
+            }
+            
+            // Helper: Build curl command with no-SAN certificate
+            def buildCurlWithNoSanCert = { String user, String password, String endpoint ->
+                return "curl -s -k -o /dev/null -w '%{http_code}' " +
+                       "--resolve 'localhost:${httpPort}:${feHostIp}' " +
+                       "-u '${user}:${password}' " +
+                       "--cert ${noSanClientCert} --key ${noSanClientKey} " +
+                       "https://localhost:${httpPort}${endpoint} 2>&1"
+            }
+            
+            // Helper: Build curl command with mismatched SAN certificate (not currently used)
+            def buildCurlWithMismatchCert = { String user, String password, String endpoint ->
+                return "curl -s -k -o /dev/null -w '%{http_code}' " +
+                       "--resolve 'localhost:${httpPort}:${feHostIp}' " +
+                       "-u '${user}:${password}' " +
+                       "--cert ${sanClientCert} --key ${sanClientKey} " +
+                       "https://localhost:${httpPort}${endpoint} 2>&1"
+            }
+            
+            // Reset config for HTTPS tests
+            sql "ADMIN SET FRONTEND CONFIG ('tls_cert_based_auth_ignore_password' = 'false')"
+            
+            // === HTTP Test 1: REQUIRE SAN + matching cert + correct password -> success ===
+            logger.info("=== HTTP Test 1: REQUIRE SAN + matching cert + correct password ===")
+            sql "CREATE USER '${testUserBase}_http1'@'%' IDENTIFIED BY '${testPassword}' REQUIRE SAN '${sanEmail}'"
+            sql "GRANT ADMIN_PRIV ON *.*.* TO '${testUserBase}_http1'@'%'"
+            
+            def httpCmd1 = buildCurlWithCert("${testUserBase}_http1", testPassword, httpEndpoint)
+            def httpResult1 = executeCurlCommand(httpCmd1, true)
+            assertTrue(httpResult1, "HTTP Test 1 should succeed: matching SAN + correct password")
+            logger.info("HTTP Test 1 PASSED: HTTPS request successful with matching SAN and password")
+            
+            // === HTTP Test 2: REQUIRE SAN + matching cert + wrong password -> failure ===
+            logger.info("=== HTTP Test 2: REQUIRE SAN + matching cert + wrong password ===")
+            sql "CREATE USER '${testUserBase}_http2'@'%' IDENTIFIED BY '${testPassword}' REQUIRE SAN '${sanEmail}'"
+            sql "GRANT ADMIN_PRIV ON *.*.* TO '${testUserBase}_http2'@'%'"
+            
+            def httpCmd2 = buildCurlWithCert("${testUserBase}_http2", "wrong_password", httpEndpoint)
+            def httpResult2 = executeCurlCommand(httpCmd2, false)
+            assertTrue(httpResult2, "HTTP Test 2 should fail: wrong password even with matching SAN")
+            logger.info("HTTP Test 2 PASSED: HTTPS request rejected with wrong password")
+            
+            // === HTTP Test 3: REQUIRE SAN + mismatched SAN cert -> failure ===
+            logger.info("=== HTTP Test 3: REQUIRE SAN + mismatched SAN ===")
+            sql "CREATE USER '${testUserBase}_http3'@'%' IDENTIFIED BY '${testPassword}' REQUIRE SAN '${sanMismatch}'"
+            sql "GRANT ADMIN_PRIV ON *.*.* TO '${testUserBase}_http3'@'%'"
+            
+            def httpCmd3 = buildCurlWithCert("${testUserBase}_http3", testPassword, httpEndpoint)
+            def httpResult3 = executeCurlCommand(httpCmd3, false)
+            assertTrue(httpResult3, "HTTP Test 3 should fail: SAN mismatch")
+            logger.info("HTTP Test 3 PASSED: HTTPS request rejected with mismatched SAN")
+            
+            // === HTTP Test 4: REQUIRE SAN + no certificate -> failure ===
+            // Note: This test depends on tls_verify_mode=verify_fail_if_no_peer_cert
+            // If the server requires client cert, curl without --cert will fail at TLS handshake
+            logger.info("=== HTTP Test 4: REQUIRE SAN + no certificate ===")
+            sql "CREATE USER '${testUserBase}_http4'@'%' IDENTIFIED BY '${testPassword}' REQUIRE SAN '${sanEmail}'"
+            sql "GRANT ADMIN_PRIV ON *.*.* TO '${testUserBase}_http4'@'%'"
+            
+            def httpCmd4 = buildCurlNoCert("${testUserBase}_http4", testPassword, httpEndpoint)
+            def httpResult4 = executeCurlCommand(httpCmd4, false)
+            assertTrue(httpResult4, "HTTP Test 4 should fail: no certificate provided for user with REQUIRE SAN")
+            logger.info("HTTP Test 4 PASSED: HTTPS request rejected without client certificate")
+            
+            // === HTTP Test 5: REQUIRE SAN + matching cert + ignore_password=true -> success ===
+            logger.info("=== HTTP Test 5: REQUIRE SAN + ignore_password=true ===")
+            sql "ADMIN SET FRONTEND CONFIG ('tls_cert_based_auth_ignore_password' = 'true')"
+            sql "CREATE USER '${testUserBase}_http5'@'%' IDENTIFIED BY '${testPassword}' REQUIRE SAN '${sanEmail}'"
+            sql "GRANT ADMIN_PRIV ON *.*.* TO '${testUserBase}_http5'@'%'"
+            
+            // Use wrong password - should still succeed because ignore_password=true
+            def httpCmd5 = buildCurlWithCert("${testUserBase}_http5", "any_wrong_password", httpEndpoint)
+            def httpResult5 = executeCurlCommand(httpCmd5, true)
+            assertTrue(httpResult5, "HTTP Test 5 should succeed: ignore_password=true allows login with cert only")
+            logger.info("HTTP Test 5 PASSED: HTTPS request successful with certificate only (password ignored)")
+            
+            // Reset config
+            sql "ADMIN SET FRONTEND CONFIG ('tls_cert_based_auth_ignore_password' = 'false')"
+            
+            // === HTTP Test 6: REQUIRE NONE + no-SAN cert + correct password -> success ===
+            logger.info("=== HTTP Test 6: REQUIRE NONE + no-SAN cert ===")
+            sql "CREATE USER '${testUserBase}_http6'@'%' IDENTIFIED BY '${testPassword}'"
+            sql "GRANT ADMIN_PRIV ON *.*.* TO '${testUserBase}_http6'@'%'"
+            
+            def httpCmd6 = buildCurlWithNoSanCert("${testUserBase}_http6", testPassword, httpEndpoint)
+            def httpResult6 = executeCurlCommand(httpCmd6, true)
+            assertTrue(httpResult6, "HTTP Test 6 should succeed: no TLS requirements, password auth works")
+            logger.info("HTTP Test 6 PASSED: HTTPS request successful for user without TLS requirements")
+            
+            // === HTTP Test 7: ALTER USER add/remove REQUIRE SAN for HTTP ===
+            logger.info("=== HTTP Test 7: ALTER USER add/remove REQUIRE SAN for HTTP ===")
+            sql "CREATE USER '${testUserBase}_http7'@'%' IDENTIFIED BY '${testPassword}' REQUIRE SAN '${sanEmail}'"
+            sql "GRANT ADMIN_PRIV ON *.*.* TO '${testUserBase}_http7'@'%'"
+            
+            // First verify it works with matching cert
+            def httpCmd7a = buildCurlWithCert("${testUserBase}_http7", testPassword, httpEndpoint)
+            def httpResult7a = executeCurlCommand(httpCmd7a, true)
+            assertTrue(httpResult7a, "HTTP Test 7a should succeed: initial REQUIRE SAN with matching cert")
+            logger.info("HTTP Test 7a PASSED: REQUIRE SAN works with matching cert via HTTPS")
+            
+            // Remove REQUIRE SAN
+            sql "ALTER USER '${testUserBase}_http7'@'%' REQUIRE NONE"
+            
+            // Now should work with no-SAN certificate
+            def httpCmd7b = buildCurlWithNoSanCert("${testUserBase}_http7", testPassword, httpEndpoint)
+            def httpResult7b = executeCurlCommand(httpCmd7b, true)
+            assertTrue(httpResult7b, "HTTP Test 7b should succeed: REQUIRE NONE allows any cert")
+            logger.info("HTTP Test 7b PASSED: REQUIRE NONE works with no-SAN certificate via HTTPS")
+            
+            // Add back REQUIRE SAN with different SAN type (DNS)
+            sql "ALTER USER '${testUserBase}_http7'@'%' REQUIRE SAN '${sanDns}'"
+            
+            // Now should work with DNS SAN from the same cert
+            def httpCmd7c = buildCurlWithCert("${testUserBase}_http7", testPassword, httpEndpoint)
+            def httpResult7c = executeCurlCommand(httpCmd7c, true)
+            assertTrue(httpResult7c, "HTTP Test 7c should succeed: DNS SAN match")
+            logger.info("HTTP Test 7c PASSED: REQUIRE SAN (DNS) works via HTTPS")
+            
+            logger.info("=== All HTTPS certificate-based auth tests PASSED ===")
+            
+            logger.info("=== All TLS SAN authentication tests (MySQL + HTTPS) PASSED ===")
             
         } finally {
             cleanup()
