[CLIENT-3510] Add support for adding a PKI user without a password (#787)

- CI/CD: Enable mutual TLS authentication for running the create_pki_user test. Create client certificate and private signing key for the "superuser" user

Extra changes:

- Add missing documentation for aerospike.AUTH_PKI constant
- Docs: Fix incorrect parameter name "username" by changing it to "user" for Client.admin_{create_user,drop_user,change_password,set_password,grant_roles,revoke_roles}()
- Fix invalid usage of nullcontext in tests
- Replace metadata section in dynamic config with version field
- Tend interval must be at least 250 ms now
- [CLIENT-3500] Fix seg fault when we run a paginated query with a partition filter and then re-run the same query object with another partition filter that has different "begin" and "count" values
- [CLIENT-3543] Support client identifier user agent

Author: juliannguyen4

.github/actions/run-ee-server/action.yml

@@ -125,6 +125,9 @@ runs:
       crudini --set config.conf tls enable true
       # Cannot use abs path because config.conf is copied into Docker container during cibuildwheel tests
       crudini --set config.conf tls cafile ../.github/workflows/docker-build-context/${{ env.CA_CERT_FILE_NAME }}
+      crudini --set config.conf tls keyfile ../.github/workflows/docker-build-context/client.pem
+      crudini --set config.conf tls certfile ../.github/workflows/docker-build-context/client.cer
+
     working-directory: test
     shell: bash
 

.github/workflows/build-wheels.yml

@@ -420,7 +420,7 @@ jobs:
         working-directory: test
         shell: bash
 
-      - run: python3 -m pytest -vv new_tests/${{ inputs.test-file }}
+      - run: python3 -m pytest -vvs --full-trace new_tests/${{ inputs.test-file }}
         working-directory: test
         shell: bash
 

.github/workflows/docker-build-context/Dockerfile

@@ -66,9 +66,11 @@ ARG SSL_WORKING_DIR=/etc/ssl
 WORKDIR $SSL_WORKING_DIR
 ARG SERVER_KEY_INSTALL_PATH=$SSL_WORKING_DIR/private/$SERVER_KEY_FILE_NAME
 ARG SERVER_CERT_INSTALL_PATH=$SSL_WORKING_DIR/certs/$SERVER_CERT_FILE_NAME
+ARG CA_CERT_INSTALL_PATH=$SSL_WORKING_DIR/certs/$CA_CERT_FILE_NAME
 
 COPY --from=generate-server-cert-for-tls $SERVER_KEY_FILE_NAME $SERVER_KEY_INSTALL_PATH
 COPY --from=generate-server-cert-for-tls $SERVER_CERT_FILE_NAME $SERVER_CERT_INSTALL_PATH
+COPY --from=generate-server-cert-for-tls $CA_CERT_FILE_NAME $CA_CERT_INSTALL_PATH
 
 # User can set their own TLS port if they want
 ARG TLS_PORT=4333

.github/workflows/docker-build-context/README.md

@@ -3,7 +3,7 @@
 This Docker image deploys an Aerospike server with these features enabled by default:
 - Strong consistency
 - Security
-- TLS standard authentication
+- TLS mutual authentication
 
 To disable any of the above features, start up the Docker container with any combination of these environment variables set:
 ```sh

.github/workflows/docker-build-context/aerospike-dev.conf.jinja

@@ -26,12 +26,13 @@ network {
 	tls docker {
 		key-file /etc/ssl/private/server.pem
 		cert-file /etc/ssl/certs/server.cer
+		ca-file /etc/ssl/certs/ca.cer
 	}
 	{% endif %}
 	service {
 		{% if tls is true %}
 		tls-port 4333
-		tls-authenticate-client false
+		tls-authenticate-client any
 		tls-name docker
 		{% endif %}
 		address any
@@ -84,5 +85,8 @@ namespace test {
 {% if security is true %}
 security {
 	enable-quotas true
+	log {
+		report-violation true
+	}
 }
 {% endif %}

.github/workflows/docker-build-context/client.cer

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEyDCCA7CgAwIBAgIUIETHVXivRIYcjdTxPSoh3RtC4ogwDQYJKoZIhvcNAQEL
+BQAwezELMAkGA1UEBhMCWFgxEjAQBgNVBAgMCVN0YXRlTmFtZTERMA8GA1UEBwwI
+Q2l0eU5hbWUxFDASBgNVBAoMC0NvbXBhbnlOYW1lMRswGQYDVQQLDBJDb21wYW55
+U2VjdGlvbk5hbWUxEjAQBgNVBAMMCW15ZHVtbXljYTAgFw0yNTA2MTYxNjEwNTNa
+GA85OTk5MTIzMTIzNTk1OVowezELMAkGA1UEBhMCWFgxEjAQBgNVBAgMCVN0YXRl
+TmFtZTERMA8GA1UEBwwIQ2l0eU5hbWUxFDASBgNVBAoMC0NvbXBhbnlOYW1lMRsw
+GQYDVQQLDBJDb21wYW55U2VjdGlvbk5hbWUxEjAQBgNVBAMMCXN1cGVydXNlcjCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALfGbEi8S6LpivbttTJSrFEb
+TN7rjk7hjbxlF9BTWKmVjhdrOxQQmVEJMy6PMgR0HgWtn3aGW6LONYhpx01K2l9w
+ZjB3BoJzNSXK3pRliIJofTUOhCdkwfHDwECWvPgaVmFgtxIexXMX2Kj/70fdncGk
+ucjeYQFolFfRcKCKPV5E4UceH2blU427e/PH3vFE8VRmYAIK/yTy31e1ES1IbG3H
+zcGDREWvA1RAqWcPeII65/vb++2xb8mW0JVQlE1mXIuLMtt3p7QVbK84ApgqxKxj
+2qjcq4O4RMmMgmUXU1k5/PLkgPwct3JmzZzkbv8fXe5LuYokUMIlpsJH0gNfPjCo
+sSZO34g1uf9HX/gszxA//27/O4yEgw9056+/bIAkMlLxP2VIyJB1WMjS6npv0A9D
+D+mDhdub2Y7fjxlz9geR3xrceRZWh8kn0QSgfio3kEVQEQXwi27AVoJB8Xg3GUYN
+F0eLsV57wrKFm/a2HmvVUzxL/aJOznaa8jsPNVGE845es4PMIYEHesTjeTn7umos
+/XILme0iRqzB1KsCbjrUbar2JOo0gFYWtpUOOEG2VXvVdpBYTDZ48XyFqUeybhUV
+XH3uQ7nemssYgdCqYpjHSS7jTEQrkkbofGd058XsmAon+bOexEJxZ0Fr4KlgRiUb
+SUUpTBqyiSKItzUzO1ehAgMBAAGjQjBAMB0GA1UdDgQWBBRwXiTq3ZMAkXifcUKi
+X9mkalOtWDAfBgNVHSMEGDAWgBRcG7rWKxU2uHJz9ZEMwStZi4oY5DANBgkqhkiG
+9w0BAQsFAAOCAQEApptwoi388Qtypv3/ArFEmGfaiL5Dne0NbT003NHyRpI6WkZf
+qnrZlrs8e46hqaqiEE8B8bIYX7ANZW8ZUCz+NAqvsY9QFlDytOVK3B/shEDCWAz6
+28edGAjeBXgJBX1yVQWQO882vux7Cgwut/ziBYQX9A5WNDkhj6PsvsGXqCq20C0B
+E8xa5BitGNaVwSXqdSUipt3DofCZQzTRYBXgvQXPrzVOWpye/5ls/xux9oIVwIiO
+P5WSNTj0J1vFUGlj8YSWLah9Lo52W94T00oQeRt5yAdkIaYzufwYYVzbcmlH5v23
+iRtOk9ZTxN/1VdT+3KGjj92ukH2McLrR1A1fWg==
+-----END CERTIFICATE-----

.github/workflows/docker-build-context/client.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC3xmxIvEui6Yr2
+7bUyUqxRG0ze645O4Y28ZRfQU1iplY4XazsUEJlRCTMujzIEdB4FrZ92hluizjWI
+acdNStpfcGYwdwaCczUlyt6UZYiCaH01DoQnZMHxw8BAlrz4GlZhYLcSHsVzF9io
+/+9H3Z3BpLnI3mEBaJRX0XCgij1eROFHHh9m5VONu3vzx97xRPFUZmACCv8k8t9X
+tREtSGxtx83Bg0RFrwNUQKlnD3iCOuf72/vtsW/JltCVUJRNZlyLizLbd6e0FWyv
+OAKYKsSsY9qo3KuDuETJjIJlF1NZOfzy5ID8HLdyZs2c5G7/H13uS7mKJFDCJabC
+R9IDXz4wqLEmTt+INbn/R1/4LM8QP/9u/zuMhIMPdOevv2yAJDJS8T9lSMiQdVjI
+0up6b9APQw/pg4Xbm9mO348Zc/YHkd8a3HkWVofJJ9EEoH4qN5BFUBEF8ItuwFaC
+QfF4NxlGDRdHi7Fee8KyhZv2th5r1VM8S/2iTs52mvI7DzVRhPOOXrODzCGBB3rE
+43k5+7pqLP1yC5ntIkaswdSrAm461G2q9iTqNIBWFraVDjhBtlV71XaQWEw2ePF8
+halHsm4VFVx97kO53prLGIHQqmKYx0ku40xEK5JG6HxndOfF7JgKJ/mznsRCcWdB
+a+CpYEYlG0lFKUwasokiiLc1MztXoQIDAQABAoICAAD6rtBG55Nv8Y3TXQODrFfM
+y1CwmjbPox2UP3zx0BTBlMr0Ecck4lTrwCubofljLyyaJ5xo3B4OlvtZzpuZ84wD
+ZBoBQltpgX3zb32Z2mZmfTdOMzRSCD9cFYnKkSnJxc4kRv7ILka+GL6SyYu9RwZK
+1PNt7ZVQNo0kEwNvT83RKbmjKT6XPXtxeq2P0goV/dVfK8cLAl/IJwTsvzFkc8Z0
+ec38ikg28I+5/fpsJc5c1xMGRwNV2RSECBW+7YwJiKKfjIxzPg/6tr7qxPHFCudS
+a2N6XzQXGY+7iXoq1lv7pVOb1decuroCc/lFwCp+GGt+WLgJ7ZURQLWY5B9g5NVj
+eLToZFjhNUm6vWJkRWkZkR69qRveDsRj73gR9Rd8OQLjPgjP96gCiubzODZC45Eh
+/OTj6IGJ9e6JSq814SJ4ICPmoxLi2bSaWhKzrTbblvPcNAdwsjJ/dYyR8gCxM7cU
+HalGfWAovDsQjzqioyn2gTbgKNqYgkmHm954T82TqbnAGVeXkAbgtrDRtRBKqU//
+WFhZ6ODcAYpql2Xbt4AJe8xog8xNFpDqdDz50szDDeidYyYINQc/WTOYuAWOG/aP
+zAJvJmQMkl/v+7+ga1rVKPzDQL/fSwx2RPNZpcsVln5LSCTD3NGiKuO2Sut1sd7s
+yVu8gl7ZeRWF+yfLnoFhAoIBAQDsvNhXNZXfcwZZVZTAJD422+BzvBON26mawNr/
+/Jb4JwMquJqGaY+yAaf3YXFM/HdZvEDOAbq7gIRX+Zkw+5P5Ur8qbgDyKYDDV57t
+BAoGh7aixuoBC0QYoW780S2zjBWoanbaRr+xHJyEPmdYgiGR9rTr0Av425PyjAnr
+Zp6SsT68T6plq4L7ByBc4F9fcBEWbVZzEwdadBpuhMym/I1F1YLO7fvmN6M/oK9H
+Ni+KpXzk0xAF3w4/l5L+vdzoNQbkul3JV8tZIGe8a7lK4xlpJXwhKcDDQm55LT44
+BHGgsjBU8GWcoQuzGOpMiNJponu2x13iuItVCNVE1pcwAutxAoIBAQDGumM3OZXO
+KqwOu3RipAMELpo4paoE8SwYYkSgxfAW0Vjvumdstu3NJhP4SCQYOygTVmAQhoTn
+8czgzDS8yMYPiJTq2HP8O71ekndTcWz5LtY4z1WIGIGn01rPqB3jznjwpBkQ+T/O
+XUpca2Bc3zPPlkk3gbxP/JIIic+hBrWJexjfgR/Q2sY/1vuAe3hdWhWmm5IzGd4T
+hqG+4DtgCbrDtgSNVDS8KTvposM/H7LLAkCjxua5Udo1yMVUAWw4oXTA8CbuOJtv
+Y3jv4XkGgK/0T0/7ZfUJAeuwhsHsPCM8egVdDhizyddcRPWkHlI4plKubuMwI4/3
+/J+wjHISBzcxAoIBAFURrzP3X3nCHZ/wbtl0rJ6N+GPeS7CIJLQlZQzjuWRGsI6j
+c3OlbytqCO+OJmahukmWqjrcyDskfWoXmQLPBGdtYqBekxxx6YFIdSV6dBfQoMJx
+dBkX8UpgiD9081U3m3i/eSIKlkuQmnWy7vQRHvsSigTK5+JvFQTtaYsbfxP7eS21
++uc58IFAGFMHlX34CUvj0lLbnaLVYcIhGmFPE3zqsmylfAVILPNqTFHsmLzbprub
+VICnnLkhQIMlusH+fBGpHpaBY+MND/nXQ+gzHyh3fdl05X3E22nT5i2++w3huhhr
+ojfcbxXWeCs0Z1fqOUZ+8a/M3NSbrfdknUN1aSECggEAFfHdJOsJ/OM/br0KhB4C
+a0LOKvU4SiVrriGj3HEfKxXhEU/vPdURe3b5+4/T1I0rxr7iCtEf+hD8g9Jo/HPb
+UznM4AYZAMCED95yqNc8pmOiqlFS651xK9wuCgJRkqdpOYGVdwdfIWWx4XTGBltr
+eD/rQ+LirZ6BbcnyEKESCOV8AKpcng6al9Ago7Z+uyhIfcZuJZB0solKcS6Hv/oz
+EouWAxlKXYDcKdecYesZLkvIYY2ESvCb/RZ3m+gwUCycHPYoBmRf3bQJVcv7Nlmd
+lIfxmBxRK7Z3lV28Kl8VsQb0cqss1SWzz2+aBI6Im9LaDIMYOWej7UmLRM6thgof
+8QKCAQEAoTd/lynH1+DnoDNRWLvXTkyTiZ8T9DJT632K94J2cHcXJ+uhdhDGrLPq
+5kahYb8Ji/O+i/ti75D6rF8FkJoYwNbmwDzftD98pdoX+vEZRhLWi6BeU8vEvVWK
+Wq/6U7n7RFNJBRmr4TLNHoIdDnfuIpxjbCdAG4Hd/kL7ULs30SuXTb+tYKZzw+4G
+XpONoWCP17Or9ZV4/PftYdk3XJaEc4nLEIfL2BZErpNSV8Jm62Xj8JCsheAPDN1L
+2kWSf4wYySstpc+qvejdn0kWiaVB6A6sqXrHMWUE5pdWLECURC2l/Wd/9e13ll12
+bTJcNI/1lR7ZONcgBG7vh43FD3Yk8w==
+-----END PRIVATE KEY-----

.github/workflows/tests.yml

@@ -401,7 +401,9 @@ jobs:
         registry-password: ${{ env.REGISTRY_NAME == 'docker.io' && secrets.DOCKER_HUB_BOT_PW || secrets.QE_DOCKER_REGISTRY_PASSWORD }}
 
     - name: Run tests
-      run: python -m pytest ./new_tests/test_{mrt_functionality,admin_*,compress}.py -W error::pytest.PytestUnraisableExceptionWarning
+      # -s: we want to check that the test_create_pki_user test case passes or raises an exception as expected
+      # There's no way to tell unless we see the logs
+      run: python -m pytest -s ./new_tests/test_{mrt_functionality,admin_*,compress}.py -W error::pytest.PytestUnraisableExceptionWarning
       working-directory: test
 
     - name: Show logs if failed

aerospike-client-c

@@ -334,6 +334,7 @@ class Client:
     def __init__(self, *args, **kwargs) -> None: ...
     def admin_change_password(self, username: str, password: str, policy: dict = ...) -> None: ...
     def admin_create_role(self, role: str, privileges: list, policy: dict = ..., whitelist: list = ..., read_quota: int = ..., write_quota: int = ...) -> None: ...
+    def admin_create_pki_user(self, username: str, roles: list, policy: dict = ...) -> None: ...
     def admin_create_user(self, username: str, password: str, roles: list, policy: dict = ...) -> None: ...
     def admin_drop_role(self, role: str, policy: dict = ...) -> None: ...
     def admin_drop_user(self, username: str, policy: dict = ...) -> None: ...