JVMCBC-1679 (followup) Cluster.setAuthenticator should require a compatible authenticator

dnault · dnault · commit 74ccdecc4238 · 2025-10-09T21:32:16.000Z
Motivation ---------- A user can switch from an authenticator that does not require TLS to one that does. In this case, setAuthenticator() should reject the new authenticator if it has an unmet requirement. Modifications ------------- Move the authenticator compatibility check from Core/ProtostellarContext into DelegatingAuthenticator.setDelegate(). Add a `tls` parameter to DelegatingAuthenticator.create() so it can reject incompatible delegates. Change-Id: I6217c047d23163b0af1876dddbc5494fa72b4112 Reviewed-on: https://review.couchbase.org/c/couchbase-jvm-clients/+/235014 Reviewed-by: Michael Reiche <michael.reiche@couchbase.com> Tested-by: Build Bot <build@couchbase.com>
diff --git a/core-io/src/main/java/com/couchbase/client/core/Core.java b/core-io/src/main/java/com/couchbase/client/core/Core.java
@@ -282,10 +282,6 @@ protected Core(
     final Authenticator authenticator,
     final ConnectionString connectionString
   ) {
-    if (authenticator.requiresTls() && !environment.securityConfig().tlsEnabled()) {
-      throw new InvalidArgumentException("TLS not enabled but the Authenticator requires TLS!", null, null);
-    }
-
     checkConnectionStringScheme(connectionString, ConnectionString.Scheme.COUCHBASE, ConnectionString.Scheme.COUCHBASES);
     sanityCheckPorts(connectionString);
 
diff --git a/core-io/src/main/java/com/couchbase/client/core/env/DelegatingAuthenticator.java b/core-io/src/main/java/com/couchbase/client/core/env/DelegatingAuthenticator.java
@@ -27,27 +27,34 @@
  * The other authenticator can be swapped at runtime
  * to support credential rotation.
  *
- * @see #create(Authenticator)
+ * @see #create(boolean, Authenticator)
  */
 @NullMarked
 @Stability.Internal
 public class DelegatingAuthenticator extends AuthenticatorWrapper {
   private volatile Authenticator delegate;
+  private final boolean tls;
 
   /**
    * Returns a new authenticator that delegates to the given authenticator.
    * <p>
    * The delegate may be updated later by calling {@link #setDelegate(Authenticator)}.
+   *
+   * @param tls true if the connection is secured by TLS, otherwise false.
    */
-  public static DelegatingAuthenticator create(Authenticator delegate) {
-    return new DelegatingAuthenticator(delegate);
+  public static DelegatingAuthenticator create(boolean tls, Authenticator delegate) {
+    return new DelegatingAuthenticator(tls, delegate);
   }
 
   public void setDelegate(Authenticator delegate) {
+    if (delegate.requiresTls() && !tls) {
+      throw new IllegalArgumentException("The specified authenticator requires TLS, but TLS is not enabled.");
+    }
     this.delegate = requireNonNull(delegate);
   }
 
-  DelegatingAuthenticator(Authenticator delegate) {
+  DelegatingAuthenticator(boolean tls, Authenticator delegate) {
+    this.tls = tls;
     setDelegate(delegate);
   }
 
diff --git a/core-io/src/main/java/com/couchbase/client/core/protostellar/ProtostellarContext.java b/core-io/src/main/java/com/couchbase/client/core/protostellar/ProtostellarContext.java
@@ -21,7 +21,6 @@
 import com.couchbase.client.core.cnc.AbstractContext;
 import com.couchbase.client.core.env.Authenticator;
 import com.couchbase.client.core.env.CoreEnvironment;
-import com.couchbase.client.core.error.InvalidArgumentException;
 import com.couchbase.client.core.util.CoreIdGenerator;
 
 import java.util.Map;
@@ -41,10 +40,6 @@ public ProtostellarContext(final CoreEnvironment env, final Authenticator authen
     this.env = requireNonNull(env);
     this.authenticator = requireNonNull(authenticator);
     this.coreResources = requireNonNull(coreResources);
-
-    if (authenticator.requiresTls() && !env.securityConfig().tlsEnabled()) {
-      throw InvalidArgumentException.fromMessage("TLS not enabled but the Authenticator requires TLS!");
-    }
   }
 
   public long id() {
diff --git a/java-client/src/main/java/com/couchbase/client/java/AsyncCluster.java b/java-client/src/main/java/com/couchbase/client/java/AsyncCluster.java
@@ -250,7 +250,7 @@ String clusterToStringHelper(Class clusterClass) {
   ) {
     this.environment = environment;
     this.connectionString = connectionString;
-    this.authenticator = DelegatingAuthenticator.create(initialAuthenticator);
+    this.authenticator = DelegatingAuthenticator.create(environment.get().securityConfig().tlsEnabled(), initialAuthenticator);
     this.couchbaseOps = CoreCouchbaseOps.create(environment.get(), this.authenticator, connectionString);
     this.queryOps = couchbaseOps.queryOps();
     this.searchOps = couchbaseOps.searchOps(null);
diff --git a/kotlin-client/src/main/kotlin/com/couchbase/client/kotlin/Cluster.kt b/kotlin-client/src/main/kotlin/com/couchbase/client/kotlin/Cluster.kt
@@ -121,7 +121,10 @@ public class Cluster internal constructor(
     initialAuthenticator: Authenticator,
     connectionString: ConnectionString,
 ) {
-    private val delegatingAuthenticator: DelegatingAuthenticator = DelegatingAuthenticator.create(initialAuthenticator)
+    private val delegatingAuthenticator: DelegatingAuthenticator = DelegatingAuthenticator.create(
+        env.securityConfig().tlsEnabled(),
+        initialAuthenticator,
+    )
 
     private val couchbaseOps = CoreCouchbaseOps.create(env, delegatingAuthenticator, connectionString)
     private val searchOps = couchbaseOps.searchOps(null)
