SDKQE-3764 FIT: Add support for certificate authentication to Java FIT performer

Change-Id: Ica37d0df38bbb406390373960e1efd8e632d1425
Reviewed-on: https://review.couchbase.org/c/couchbase-jvm-clients/+/236103
Reviewed-by: Graham Pople <[email protected]>
Tested-by: Build Bot <[email protected]>

Author: dnault

core-fit-performer/pom.xml

@@ -25,6 +25,13 @@
             <scope>compile</scope>
         </dependency>
 
+        <!-- For parsing PEM-encoded client certificate private key -->
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-debug-lts8on</artifactId>
+            <version>2.73.9</version>
+        </dependency>
+
         <dependency>
             <groupId>com.google.code.gson</groupId>
             <artifactId>gson</artifactId>

core-fit-performer/src/main/java/com/couchbase/client/performer/core/util/PemUtil.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright 2025 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.couchbase.client.performer.core.util;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemReader;
+
+import java.io.IOException;
+import java.io.StringReader;
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.PrivateKey;
+import java.security.Provider;
+import java.security.interfaces.RSAPrivateCrtKey;
+import java.security.spec.PKCS8EncodedKeySpec;
+
+public class PemUtil {
+  private PemUtil() {
+  }
+
+  private static final Provider BOUNCY_CASTLE = new BouncyCastleProvider();
+
+  public static RSAPrivateCrtKey parseRsaPrivateCrtKey(String pem) {
+    try (PemReader pemReader = new PemReader(new StringReader(pem))) {
+      PemObject pemObject = pemReader.readPemObject();
+      byte[] keyBytes = pemObject.getContent();
+      PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes);
+
+      // The standard RSAKeyFactory refuses to parse our PEM-encoded RSAPrivateCrtKey,
+      // so let Bouncy Castle do the heavy lifting.
+      KeyFactory kf = KeyFactory.getInstance("RSA", BOUNCY_CASTLE);
+
+      PrivateKey result = kf.generatePrivate(keySpec);
+      return (RSAPrivateCrtKey) result;
+
+    } catch (IOException | GeneralSecurityException e) {
+      throw new RuntimeException("Failed to parse RSA private certificate key", e);
+    }
+  }
+}

java-fit-performer/src/main/java/com/couchbase/JavaPerformer.java

@@ -16,6 +16,10 @@
 package com.couchbase;
 
 import com.couchbase.client.core.cnc.RequestSpan;
+import com.couchbase.client.core.env.Authenticator;
+import com.couchbase.client.core.env.CertificateAuthenticator;
+import com.couchbase.client.core.env.PasswordAuthenticator;
+import com.couchbase.client.core.env.SecurityConfig;
 import com.couchbase.client.core.io.CollectionIdentifier;
 import com.couchbase.client.core.logging.LogRedaction;
 import com.couchbase.client.core.logging.RedactionLevel;
@@ -57,6 +61,7 @@
 import com.couchbase.utils.ResultsUtil;
 import com.couchbase.utils.HooksUtil;
 // [end]
+import com.couchbase.client.performer.core.util.PemUtil;
 import com.couchbase.client.performer.core.util.VersionUtil;
 import com.couchbase.client.protocol.observability.SpanCreateRequest;
 import com.couchbase.client.protocol.observability.SpanCreateResponse;
@@ -81,7 +86,6 @@
 import com.couchbase.utils.Capabilities;
 import com.couchbase.utils.ClusterConnection;
 import com.couchbase.utils.OptionsUtil;
-import com.couchbase.utils.UserSchedulerUtil;
 import io.grpc.Server;
 import io.grpc.ServerBuilder;
 import io.grpc.Status;
@@ -94,6 +98,7 @@
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.List;
 import java.util.Optional;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.atomic.AtomicReference;
@@ -206,6 +211,33 @@ protected void customisePerformerCaps(PerformerCapsFetchResponse.Builder respons
         response.setPerformerUserAgent("java-sdk");
     }
 
+    private Authenticator getSdkAuthenticator(ClusterConnectionCreateRequest request) {
+        if (!request.hasAuthenticator()) {
+            return PasswordAuthenticator.create(
+                request.getClusterUsername(),
+                request.getClusterPassword()
+            );
+        }
+
+        var fitAuth = request.getAuthenticator();
+        if (fitAuth.hasPasswordAuth()) {
+            var fitUsernameAndPassword = fitAuth.getPasswordAuth();
+            return PasswordAuthenticator.create(
+                fitUsernameAndPassword.getUsername(),
+                fitUsernameAndPassword.getPassword()
+            );
+        }
+
+        if (fitAuth.hasCertificateAuth()) {
+            var fitClientCert = fitAuth.getCertificateAuth();
+            var privateKey = PemUtil.parseRsaPrivateCrtKey(fitClientCert.getKey());
+            var certChain = SecurityConfig.decodeCertificates(List.of(fitClientCert.getCert()));
+            return CertificateAuthenticator.fromKey(privateKey, null, certChain);
+        }
+
+        throw new UnsupportedOperationException("Unrecognized authenticator: " + fitAuth);
+    }
+
     @Override
     public void clusterConnectionCreate(ClusterConnectionCreateRequest request,
                                         StreamObserver<ClusterConnectionCreateResponse> responseObserver) {
@@ -231,15 +263,16 @@ public void clusterConnectionCreate(ClusterConnectionCreateRequest request,
                 });
             });
 
+            Authenticator authenticator = getSdkAuthenticator(request);
+
             // [if:3.2.6]
             // 3.2.6 added an easy way for SDK users to configure the SDK without having to take ownership of
             // ClusterEnvironment management.  It also allows passing parameters in the connection string, which
             // is not allowed with those externally owned ClusterEnvironments.
             var clusterEnvironment = OptionsUtil.convertClusterConfigToConsumer(request, getCluster, onClusterConnectionClose);
 
             var connection = new ClusterConnection(request.getClusterHostname(),
-                    request.getClusterUsername(),
-                    request.getClusterPassword(),
+                    authenticator,
                     clusterEnvironment,
                     onClusterConnectionClose);
             // [end]
@@ -249,8 +282,7 @@ public void clusterConnectionCreate(ClusterConnectionCreateRequest request,
             //? var clusterEnvironment = OptionsUtil.convertClusterConfig(request, getCluster, onClusterConnectionClose);
 
             //? var connection = new ClusterConnection(request.getClusterHostname(),
-            //?         request.getClusterUsername(),
-            //?         request.getClusterPassword(),
+            //?         authenticator,
             //?         clusterEnvironment,
             //?         onClusterConnectionClose);
             // [end]
@@ -261,7 +293,7 @@ public void clusterConnectionCreate(ClusterConnectionCreateRequest request,
 
             // Fine to have a default and a per-test connection open, any more suggests a leak
             logger.info("Dumping {} cluster connections for resource leak troubleshooting:", clusterConnections.size());
-            clusterConnections.forEach((key, value) -> logger.info("Cluster connection {} {}", key, value.username));
+            clusterConnections.forEach((key, value) -> logger.info("Cluster connection {} {}", key, value.authenticator));
 
             responseObserver.onNext(ClusterConnectionCreateResponse.newBuilder()
                     .setClusterConnectionCount(clusterConnections.size())
@@ -291,8 +323,8 @@ public void transactionCreate(TransactionCreateRequest request,
         try {
             ClusterConnection connection = getClusterConnection(request.getClusterConnectionId());
 
-            logger.info("Starting transaction on cluster connection {} created for user {}",
-                    request.getClusterConnectionId(), connection.username);
+            logger.info("Starting transaction on cluster connection {} created with authenticator {}",
+                    request.getClusterConnectionId(), connection.authenticator);
 
             TransactionResult response;
             var counters = new Counters();
@@ -478,9 +510,9 @@ public void transactionSingleQuery(TransactionSingleQueryRequest request,
         try {
             var connection = getClusterConnection(request.getClusterConnectionId());
 
-            logger.info("Performing single query transaction on cluster connection {} (user {})",
+            logger.info("Performing single query transaction on cluster connection {} (authenticator {})",
                     request.getClusterConnectionId(),
-                    connection.username);
+                    connection.authenticator);
 
             TransactionSingleQueryResponse ret = SingleQueryTransactionExecutor.execute(request, connection, spans);
 

java-fit-performer/src/main/java/com/couchbase/utils/Capabilities.java

@@ -101,6 +101,8 @@ public static List<Caps> sdkImplementationCaps() {
         out.add(Caps.SDK_PREFILTER_VECTOR_SEARCH);
         // [end]
 
+        out.add(Caps.SUPPORTS_AUTHENTICATOR);
+
         return out;
     }
 }

java-fit-performer/src/main/java/com/couchbase/utils/ClusterConnection.java

@@ -17,6 +17,7 @@
 
 
 import com.couchbase.client.core.Core;
+import com.couchbase.client.core.env.Authenticator;
 import com.couchbase.client.core.io.CollectionIdentifier;
 import com.couchbase.client.java.Cluster;
 import com.couchbase.client.java.ClusterOptions;
@@ -35,20 +36,19 @@
 public class ClusterConnection {
     private final Cluster cluster;
     @Nullable private final ClusterEnvironment environmentOwnedByCaller;
-    public final String username;
+    public final Authenticator authenticator;
     // Commands to run when this ClusterConnection is being closed.  Allows closing other related resources that have
     // the same lifetime.
     private final List<Runnable> onClusterConnectionClose;
 
     public ClusterConnection(String hostname,
-                             String username,
-                             String password,
+                             Authenticator authenticator,
                              @Nullable ClusterEnvironment.Builder config,
                              ArrayList<Runnable> onClusterConnectionClose)  {
-        this.username = username;
-        this.onClusterConnectionClose = onClusterConnectionClose;
+      this.authenticator = authenticator;
+      this.onClusterConnectionClose = onClusterConnectionClose;
 
-        var co = ClusterOptions.clusterOptions(username, password);
+        var co = ClusterOptions.clusterOptions(authenticator);
         if (config != null) {
             this.environmentOwnedByCaller = config.build();
             co.environment(this.environmentOwnedByCaller);
@@ -62,14 +62,13 @@ public ClusterConnection(String hostname,
 
     // [if:3.2.6]
     public ClusterConnection(String hostname,
-                             String username,
-                             String password,
+                             Authenticator authenticator,
                              @Nullable Consumer<ClusterEnvironment.Builder> config,
                              ArrayList<Runnable> onClusterConnectionClose)  {
-        this.username = username;
+        this.authenticator = authenticator;
         this.onClusterConnectionClose = onClusterConnectionClose;
 
-        var co = ClusterOptions.clusterOptions(username, password)
+        var co = ClusterOptions.clusterOptions(authenticator)
                 .environment(env -> {
                     if (config != null) {
                         config.accept(env);