JVMCBC-1687 DelegatingAuthenticator does not work with Protostellar

dnault · dnault · commit cf17ae2decee · 2025-09-23T21:44:32.000Z
Motivation ---------- Every time the CallCredentials authenticates a gRPC connection, it should get a fresh Authorization header value from the authenticator. Modifications ------------- Add Authenticator.getAuthHeaderValue(), which returns a value to use for an `Authorization` header for simple HTTP requests as well as gRPC requests. Add a default implementation for Authenticator.authHttpRequest(), so this code can be shared by PasswordAuthenticator and the forthcoming JwtAuthenticator. Remove Authenticator.protostellarCallCredentials(). Instead, ProtostellarEndpoint builds the CallCredentials using an `Authorization` header value dynamically fetched from the new Authenticator.getAuthHeaderValue() method. Change-Id: I34d9c02bf00f80418b001a94ab93b5483bf1bf05 Reviewed-on: https://review.couchbase.org/c/couchbase-jvm-clients/+/233963 Reviewed-by: Michael Reiche <michael.reiche@couchbase.com> Tested-by: Build Bot <build@couchbase.com>
diff --git a/core-io/src/main/java/com/couchbase/client/core/endpoint/ProtostellarEndpoint.java b/core-io/src/main/java/com/couchbase/client/core/endpoint/ProtostellarEndpoint.java
@@ -38,7 +38,6 @@
 import com.couchbase.client.core.deps.io.grpc.netty.GrpcSslContexts;
 import com.couchbase.client.core.deps.io.grpc.netty.NettyChannelBuilder;
 import com.couchbase.client.core.deps.io.netty.channel.ChannelOption;
-import com.couchbase.client.core.diagnostics.AuthenticationStatus;
 import com.couchbase.client.core.deps.io.netty.handler.ssl.SslContext;
 import com.couchbase.client.core.diagnostics.ClusterState;
 import com.couchbase.client.core.diagnostics.EndpointDiagnostics;
@@ -73,9 +72,12 @@
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.Executor;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.function.Supplier;
 
+import static com.couchbase.client.core.deps.io.grpc.Metadata.ASCII_STRING_MARSHALLER;
 import static java.util.Objects.requireNonNull;
 
 /**
@@ -121,7 +123,7 @@ public ProtostellarEndpoint(ProtostellarContext ctx, HostAndPort remote) {
     ConnectivityState now = this.managedChannel.getState(false);
     notifyOnChannelStateChange(now);
 
-    CallCredentials creds = ctx.authenticator().protostellarCallCredentials();
+    CallCredentials creds = callCredentials(() -> ctx.authenticator().getAuthHeaderValue());
 
     // JVMCBC-1187: Temporary code to provide some insight on GRPC internals, will likely be removed pre-GA.
     ClientStreamTracer.Factory factory = new ClientStreamTracer.Factory() {
@@ -203,6 +205,27 @@ public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(MethodDescriptor<ReqT
     searchAdminStub = SearchAdminServiceGrpc.newFutureStub(managedChannel).withCallCredentials(creds);
   }
 
+  private static CallCredentials callCredentials(Supplier<String> authHeaderValue) {
+    return new CallCredentials() {
+      @Override
+      public void applyRequestMetadata(RequestInfo requestInfo, Executor executor, MetadataApplier applier) {
+        executor.execute(() -> {
+          try {
+            Metadata headers = new Metadata();
+            String value = authHeaderValue.get();
+            if (value == null) {
+              throw new FeatureNotAvailableException("This Authenticator is not compatible with couchbase2");
+            }
+            headers.put(Metadata.Key.of("Authorization", ASCII_STRING_MARSHALLER), value);
+            applier.apply(headers);
+          } catch (Throwable e) {
+            applier.fail(Status.UNAUTHENTICATED.withCause(e));
+          }
+        });
+      }
+    };
+  }
+
   private ManagedChannel channel(ProtostellarContext ctx) {
     SecurityConfig securityConfig = ctx.environment().securityConfig();
 
diff --git a/core-io/src/main/java/com/couchbase/client/core/env/Authenticator.java b/core-io/src/main/java/com/couchbase/client/core/env/Authenticator.java
@@ -17,8 +17,8 @@
 package com.couchbase.client.core.env;
 
 import com.couchbase.client.core.annotation.Stability;
-import com.couchbase.client.core.deps.io.grpc.CallCredentials;
 import com.couchbase.client.core.deps.io.netty.channel.ChannelPipeline;
+import com.couchbase.client.core.deps.io.netty.handler.codec.http.HttpHeaderNames;
 import com.couchbase.client.core.deps.io.netty.handler.codec.http.HttpRequest;
 import com.couchbase.client.core.deps.io.netty.handler.ssl.SslContextBuilder;
 import com.couchbase.client.core.endpoint.EndpointContext;
@@ -56,11 +56,21 @@ default void authKeyValueConnection(final EndpointContext endpointContext, final
    * @param request the http request.
    */
   @Stability.Internal
-  default void authHttpRequest(final ServiceType serviceType, final HttpRequest request) { }
+  default void authHttpRequest(final ServiceType serviceType, final HttpRequest request) {
+    String authHeaderValue = getAuthHeaderValue();
+    if (authHeaderValue != null) {
+      request.headers().add(HttpHeaderNames.AUTHORIZATION, authHeaderValue);
+    }
+  }
 
-  @Nullable
+  /**
+   * Returns the value of the Authorization header to apply to HTTP requests,
+   * or null if no header should be applied.
+   */
   @Stability.Internal
-  CallCredentials protostellarCallCredentials();
+  default @Nullable String getAuthHeaderValue() {
+    return null;
+  }
 
   /**
    * The authenticator gets the chance to attach the client certificate to the ssl context if needed.
diff --git a/core-io/src/main/java/com/couchbase/client/core/env/AuthenticatorWrapper.java b/core-io/src/main/java/com/couchbase/client/core/env/AuthenticatorWrapper.java
@@ -17,7 +17,6 @@
 package com.couchbase.client.core.env;
 
 import com.couchbase.client.core.annotation.Stability;
-import com.couchbase.client.core.deps.io.grpc.CallCredentials;
 import com.couchbase.client.core.deps.io.netty.channel.ChannelPipeline;
 import com.couchbase.client.core.deps.io.netty.handler.codec.http.HttpRequest;
 import com.couchbase.client.core.deps.io.netty.handler.ssl.SslContextBuilder;
@@ -43,8 +42,8 @@ public void authHttpRequest(final ServiceType serviceType, final HttpRequest req
   }
 
   @Override
-  public @Nullable CallCredentials protostellarCallCredentials() {
-    return wrapped().protostellarCallCredentials();
+  public @Nullable String getAuthHeaderValue() {
+    return wrapped().getAuthHeaderValue();
   }
 
   @Override
diff --git a/core-io/src/main/java/com/couchbase/client/core/env/CertificateAuthenticator.java b/core-io/src/main/java/com/couchbase/client/core/env/CertificateAuthenticator.java
@@ -16,12 +16,8 @@
 
 package com.couchbase.client.core.env;
 
-import com.couchbase.client.core.annotation.Stability;
-import com.couchbase.client.core.deps.io.grpc.CallCredentials;
 import com.couchbase.client.core.deps.io.netty.handler.ssl.SslContextBuilder;
-import com.couchbase.client.core.error.FeatureNotAvailableException;
 import com.couchbase.client.core.error.InvalidArgumentException;
-import reactor.util.annotation.Nullable;
 
 import javax.net.ssl.KeyManagerFactory;
 import java.io.InputStream;
@@ -134,14 +130,6 @@ private CertificateAuthenticator(final PrivateKey key, final String keyPassword,
     }
   }
 
-  @Override
-  @Nullable
-  @Stability.Internal
-  public CallCredentials protostellarCallCredentials() {
-    // To be added under JVMCBC-1195
-    throw new FeatureNotAvailableException("CertificateAuthenticator is not supported with couchbase2");
-  }
-
   @Override
   public void applyTlsProperties(final SslContextBuilder context) {
     if (keyManagerFactory != null) {
diff --git a/core-io/src/main/java/com/couchbase/client/core/env/PasswordAuthenticator.java b/core-io/src/main/java/com/couchbase/client/core/env/PasswordAuthenticator.java
@@ -16,26 +16,18 @@
 package com.couchbase.client.core.env;
 
 import com.couchbase.client.core.annotation.Stability;
-import com.couchbase.client.core.deps.io.grpc.CallCredentials;
-import com.couchbase.client.core.deps.io.grpc.Metadata;
-import com.couchbase.client.core.deps.io.grpc.Status;
 import com.couchbase.client.core.deps.io.netty.channel.ChannelPipeline;
-import com.couchbase.client.core.deps.io.netty.handler.codec.http.HttpHeaderNames;
-import com.couchbase.client.core.deps.io.netty.handler.codec.http.HttpRequest;
 import com.couchbase.client.core.endpoint.EndpointContext;
 import com.couchbase.client.core.io.netty.kv.SaslAuthenticationHandler;
 import com.couchbase.client.core.io.netty.kv.SaslListMechanismsHandler;
 import com.couchbase.client.core.io.netty.kv.sasl.SaslHelper;
-import com.couchbase.client.core.service.ServiceType;
 import reactor.util.annotation.Nullable;
 
 import java.util.Base64;
 import java.util.EnumSet;
 import java.util.Set;
-import java.util.concurrent.Executor;
 import java.util.function.Supplier;
 
-import static com.couchbase.client.core.deps.io.grpc.Metadata.ASCII_STRING_MARSHALLER;
 import static com.couchbase.client.core.io.netty.kv.sasl.SaslHelper.platformHasSaslPlain;
 import static com.couchbase.client.core.util.CbCollections.setCopyOf;
 import static com.couchbase.client.core.util.CbCollections.setOf;
@@ -142,8 +134,8 @@ private PasswordAuthenticator(final Builder builder) {
     cachedHttpAuthHeader = builder.dynamicCredentials ? null : encodeAuthHttpHeader(this.usernameAndPassword.get());
   }
 
-  // Visible for testing
-  String getAuthHeaderValue() {
+  @Override
+  public String getAuthHeaderValue() {
     return cachedHttpAuthHeader != null
       ? cachedHttpAuthHeader
       : encodeAuthHttpHeader(this.usernameAndPassword.get());
@@ -170,36 +162,6 @@ public void authKeyValueConnection(final EndpointContext ctx, final ChannelPipel
     ));
   }
 
-  @Override
-  public void authHttpRequest(final ServiceType serviceType, final HttpRequest request) {
-    request.headers().add(
-      HttpHeaderNames.AUTHORIZATION,
-      getAuthHeaderValue()
-    );
-  }
-
-  @Override
-  public CallCredentials protostellarCallCredentials() {
-    return new CallCredentials() {
-      @Override
-      public void applyRequestMetadata(RequestInfo requestInfo, Executor executor, MetadataApplier applier) {
-        executor.execute(() -> {
-          try {
-            Metadata headers = new Metadata();
-            headers.put(Metadata.Key.of("Authorization", ASCII_STRING_MARSHALLER), getAuthHeaderValue());
-            applier.apply(headers);
-          } catch (Throwable e) {
-            applier.fail(Status.UNAUTHENTICATED.withCause(e));
-          }
-        });
-      }
-
-      @Override
-      public void thisUsesUnstableApi() {
-      }
-    };
-  }
-
   @Override
   public boolean requiresTls() {
     return false;
