[testapp] Get test passwords from test env

Don't spread the test passwords all over the files, but look
them up from the test environment instead.

Change-Id: Ib6e4dfdccaddbb7f46cc952ecd765e79f82c6e02
Reviewed-on: https://review.couchbase.org/c/kv_engine/+/203178
Reviewed-by: Jim Walker <[email protected]>
Tested-by: Build Bot <[email protected]>

Author: trondn

cluster_framework/auth_provider_service.cc

@@ -165,6 +165,19 @@ void AuthProviderService::upsertUser(UserEntry entry) {
     }
 }
 
+std::optional<UserEntry> AuthProviderService::lookupUser(
+        const std::string& user) {
+    return users.withWLock([&user](auto& db) -> std::optional<UserEntry> {
+        // check to see if we're replacing an entry
+        for (auto& e : db) {
+            if (e.username == user) {
+                return e;
+            }
+        }
+        return {};
+    });
+}
+
 void AuthProviderService::onRequest(bufferevent* bev,
                                     const mcbp::Request& req) {
     switch (req.getMagic()) {

cluster_framework/auth_provider_service.h

@@ -53,6 +53,8 @@ class AuthProviderService {
     void upsertUser(UserEntry entry);
     void removeUser(const std::string& user);
 
+    std::optional<UserEntry> lookupUser(const std::string& user);
+
 protected:
     /// Handle the authenticate request and send the reply
     void onAuthenticate(bufferevent* bev, const cb::mcbp::Request& req);

cluster_framework/cluster.cc

@@ -107,7 +107,7 @@ ClusterImpl::ClusterImpl(std::vector<std::unique_ptr<Node>>& nod,
     forAllNodes([this, &globalmap](const auto& node) {
         auto connection = node.getConnection();
         connection->connect();
-        connection->authenticate("@admin", "password", "plain");
+        connection->authenticate("@admin");
         connection->setAgentName("cluster_testapp");
         connection->setFeatures({cb::mcbp::Feature::MUTATION_SEQNO,
                                  cb::mcbp::Feature::XATTR,
@@ -160,7 +160,7 @@ void ClusterImpl::createBucketOnNode(const Node& node,
                                      std::string_view config) {
     auto connection = node.getConnection();
     connection->connect();
-    connection->authenticate("@admin", "password", "plain");
+    connection->authenticate("@admin");
     connection->setAgentName("cluster_testapp");
     connection->setFeatures({cb::mcbp::Feature::MUTATION_SEQNO,
                              cb::mcbp::Feature::XATTR,
@@ -306,7 +306,7 @@ std::shared_ptr<Bucket> ClusterImpl::createBucket(
         forAllNodes([&name](const auto& node) {
             auto connection = node.getConnection();
             connection->connect();
-            connection->authenticate("@admin", "password", "plain");
+            connection->authenticate("@admin");
             try {
                 connection->deleteBucket(name);
             } catch (const std::exception&) {
@@ -342,7 +342,7 @@ void ClusterImpl::deleteBucket(const std::string& name) {
     forAllNodes([name](const auto& node) {
         auto connection = node.getConnection();
         connection->connect();
-        connection->authenticate("@admin", "password", "plain");
+        connection->authenticate("@admin");
         connection->deleteBucket(name);
         // And nuke the files for the database on that node.
         removeWithRetry(node.directory / name);

protocol/connection/client_connection.cc

@@ -43,6 +43,13 @@
 
 static const bool packet_dump = getenv("COUCHBASE_PACKET_DUMP") != nullptr;
 
+folly::Synchronized<std::function<std::string(const std::string&)>, std::mutex>
+        MemcachedConnection::lookupPasswordCallback;
+void MemcachedConnection::setLookupUserPasswordFunction(
+        std::function<std::string(const std::string&)> func) {
+    *lookupPasswordCallback.lock() = std::move(func);
+}
+
 /// Helper function to check if we're running in unit test mode or not
 static bool is_unit_test_mode() {
     return getenv("MEMCACHED_UNIT_TESTS") != nullptr;
@@ -1198,9 +1205,28 @@ void MemcachedConnection::recvResponse(BinprotResponse& response,
     traceData = response.getTracingData();
 }
 
-void MemcachedConnection::authenticate(const std::string& username,
-                                       const std::string& password,
-                                       const std::string& mech) {
+void MemcachedConnection::authenticate(
+        const std::string& user,
+        const std::optional<std::string>& password,
+        const std::string& mech) {
+    std::string pw;
+    if (password) {
+        pw = *password;
+    } else {
+        pw = lookupPasswordCallback.withLock([&user](auto& cb) -> std::string {
+            if (cb) {
+                return cb(user);
+            }
+            return {};
+        });
+    }
+
+    return doSaslAuthenticate(user, pw, mech);
+}
+
+void MemcachedConnection::doSaslAuthenticate(const std::string& username,
+                                             const std::string& password,
+                                             const std::string& mech) {
     cb::sasl::client::ClientContext client(
             [username]() -> std::string { return username; },
             [password]() -> std::string { return password; },

protocol/connection/client_connection.h

@@ -10,6 +10,7 @@
 #pragma once
 
 #include <engines/ewouldblock_engine/ewouldblock_engine.h>
+#include <folly/Synchronized.h>
 #include <folly/io/async/DelayedDestruction.h>
 #include <memcached/bucket_type.h>
 #include <memcached/engine_error.h>
@@ -407,14 +408,13 @@ class MemcachedConnection {
     }
 
     /**
-     * Perform a SASL authentication to memcached
+     * Perform SASL authentication to memcached for the provided user
+     * (looking up the password by using the callback function).
      *
-     * @param username the username to use in authentication
-     * @param password the password to use in authentication
-     * @param mech the SASL mech to use
+     * @param user The user to authenticate
      */
-    void authenticate(const std::string& username,
-                      const std::string& password,
+    void authenticate(const std::string& user,
+                      const std::optional<std::string>& password = {},
                       const std::string& mech = "PLAIN");
 
     /**
@@ -1088,7 +1088,21 @@ class MemcachedConnection {
         userValidateReceivedFrameCallback = std::move(callback);
     }
 
+    static void setLookupUserPasswordFunction(
+            std::function<std::string(const std::string&)> func);
+
 protected:
+    /**
+     * Perform a SASL authentication to memcached
+     *
+     * @param username the username to use in authentication
+     * @param password the password to use in authentication
+     * @param mech the SASL mech to use
+     */
+    void doSaslAuthenticate(const std::string& username,
+                            const std::string& password,
+                            const std::string& mech);
+
     void sendBuffer(const std::vector<iovec>& buf);
     void sendBuffer(cb::const_byte_buffer buf);
 
@@ -1165,6 +1179,10 @@ class MemcachedConnection {
     std::function<void(const cb::mcbp::Header&)>
             userValidateReceivedFrameCallback;
     std::unique_ptr<cb::json::SyntaxValidator> jsonValidator;
+
+    static folly::Synchronized<std::function<std::string(const std::string&)>,
+                               std::mutex>
+            lookupPasswordCallback;
 };
 
 #include <fmt/ostream.h>

tests/testapp/testapp.cc

@@ -103,8 +103,7 @@ void TestappTest::rebuildAdminConnection() {
     connectionMap.iterate([](const auto& c) {
         if (!adminConnection) {
             adminConnection = c.clone();
-            adminConnection->authenticate(
-                    "@admin", mcd_env->getPassword("@admin"), "PLAIN");
+            adminConnection->authenticate("@admin");
             adminConnection->unselectBucket();
 
             std::vector<cb::mcbp::Feature> features = {
@@ -128,7 +127,7 @@ void TestappTest::rebuildUserConnection(bool tls) {
     connectionMap.iterate([&](const auto& c) {
         if (!userConnection && (c.isSsl() == tls)) {
             userConnection = c.clone();
-            userConnection->authenticate("Luke", mcd_env->getPassword("Luke"));
+            userConnection->authenticate("Luke");
             userConnection->selectBucket(bucketName);
         }
     });
@@ -682,7 +681,7 @@ SOCKET connect_to_server_plain() {
     }
     MemcachedConnection connection("127.0.0.1", port, AF_INET, false);
     connection.connect();
-    connection.authenticate("Luke", mcd_env->getPassword("Luke"));
+    connection.authenticate("Luke");
     connection.selectBucket("default");
     return connection.releaseSocket();
 }
@@ -1166,7 +1165,7 @@ MemcachedConnection& TestappTest::getConnection() {
 
 MemcachedConnection& TestappTest::getAdminConnection() {
     auto& conn = getConnection();
-    conn.authenticate("@admin", "password", conn.getSaslMechanisms());
+    conn.authenticate("@admin");
     return conn;
 }
 
@@ -1333,6 +1332,9 @@ int main(int argc, char** argv) {
         exit(EXIT_FAILURE);
     }
 
+    MemcachedConnection::setLookupUserPasswordFunction(
+            [](const auto& user) { return mcd_env->getPassword(user); });
+
     cb::net::initialize();
     try {
         cb::backtrace::initialize();

tests/testapp/testapp_arithmetic.cc

@@ -124,9 +124,9 @@ TEST_P(ArithmeticTest, TestConcurrentAccess) {
     const int incrDelta = 7;
     const int decrDelta = -3;
 
-    conn1->authenticate("Luke", mcd_env->getPassword("Luke"));
+    conn1->authenticate("Luke");
     conn1->selectBucket(bucketName);
-    conn2->authenticate("Luke", mcd_env->getPassword("Luke"));
+    conn2->authenticate("Luke");
     conn2->selectBucket(bucketName);
 
     // Create the starting point

tests/testapp/testapp_audit.cc

@@ -307,7 +307,7 @@ TEST_P(AuditTest, ValidateAuditLogFileCreated) {
  */
 TEST_P(AuditTest, AuditIllegalPacket) {
     auto& conn = getConnection();
-    conn.authenticate("Luke", mcd_env->getPassword("Luke"));
+    conn.authenticate("Luke");
     conn.selectBucket(bucketName);
 
     // A set command should have 8 bytes of extra;
@@ -440,7 +440,7 @@ TEST_P(AuditTest, AuditSelectBucket) {
 // event.
 TEST_P(AuditTest, AuditSubdocLookup) {
     auto& conn = getConnection();
-    conn.authenticate("Luke", mcd_env->getPassword("Luke"));
+    conn.authenticate("Luke");
     conn.selectBucket(bucketName);
     conn.store("doc", Vbid(0), "{\"foo\": 1}");
     BinprotSubdocCommand cmd(cb::mcbp::ClientOpcode::SubdocGet,
@@ -467,7 +467,7 @@ TEST_P(AuditTest, AuditSubdocLookup) {
 // event.
 TEST_P(AuditTest, AuditSubdocMutation) {
     auto& conn = getConnection();
-    conn.authenticate("Luke", mcd_env->getPassword("Luke"));
+    conn.authenticate("Luke");
     conn.selectBucket(bucketName);
     BinprotSubdocCommand cmd(cb::mcbp::ClientOpcode::SubdocDictUpsert,
                              "doc",
@@ -493,7 +493,7 @@ TEST_P(AuditTest, AuditSubdocMutation) {
 // event.
 TEST_P(AuditTest, AuditSubdocMultiMutation) {
     auto& conn = getConnection();
-    conn.authenticate("Luke", mcd_env->getPassword("Luke"));
+    conn.authenticate("Luke");
     conn.selectBucket(bucketName);
     BinprotSubdocMultiMutationCommand cmd(
             "doc",
@@ -524,7 +524,7 @@ TEST_P(AuditTest, AuditSubdocMultiMutation) {
 // Check that a delete via subdoc is audited correctly.
 TEST_P(AuditTest, AuditSubdocMultiMutationDelete) {
     auto& conn = getConnection();
-    conn.authenticate("Luke", mcd_env->getPassword("Luke"));
+    conn.authenticate("Luke");
     conn.selectBucket(bucketName);
     conn.store("doc", Vbid(0), "foo");
 
@@ -611,7 +611,7 @@ TEST_P(AuditTest, MB33603_Filtering) {
     doc.value = "blah blah";
 
     auto jane = userConnection->clone();
-    jane->authenticate("Jane", mcd_env->getPassword("Jane"), "PLAIN");
+    jane->authenticate("Jane");
     jane->selectBucket("default");
     // That should not generate an audit event
     jane->mutate(doc, Vbid{0}, MutationType::Set);
@@ -731,7 +731,7 @@ TEST_P(AuditTest, MB41183_UnifiedConnectionDescription) {
 TEST_P(AuditTest, MB51863) {
     auto& conn = getConnection();
 
-    conn.authenticate("Luke", mcd_env->getPassword("Luke"));
+    conn.authenticate("Luke");
     conn.selectBucket(bucketName);
     std::vector<cb::mcbp::Feature> features = {
             {cb::mcbp::Feature::MUTATION_SEQNO,

tests/testapp/testapp_bucket.cc

@@ -64,7 +64,7 @@ static void deleteBucket(
         const std::string& name,
         std::function<void(const std::string&)> stateCallback) {
     auto clone = conn.clone();
-    clone->authenticate("@admin", "password", "PLAIN");
+    clone->authenticate("@admin");
     const auto timeout =
             std::chrono::system_clock::now() + std::chrono::seconds{5};
     conn.sendCommand(
@@ -109,7 +109,7 @@ TEST_P(BucketTest, DeleteWhileClientSendCommand) {
     adminConnection->createBucket("bucket", "", BucketType::Memcached);
 
     auto& second_conn = getConnection();
-    second_conn.authenticate("Luke", mcd_env->getPassword("Luke"), "PLAIN");
+    second_conn.authenticate("Luke");
     second_conn.selectBucket("bucket");
 
     // We need to get the second connection sitting the `conn_read_packet_body`
@@ -146,7 +146,7 @@ TEST_P(BucketTest, DeleteWhileClientConnectedAndEWouldBlocked) {
     for (int jj = 0; jj < 5; ++jj) {
         connections.emplace_back(conn.clone());
         auto& c = connections.back();
-        c->authenticate("Luke", mcd_env->getPassword("Luke"), "PLAIN");
+        c->authenticate("Luke");
         c->selectBucket("bucket");
 
         auto testfile =
@@ -212,7 +212,7 @@ TEST_P(BucketTest, DeleteWhileSendDataAndFullWriteBuffer) {
                                   BucketType::Memcached);
 
     auto& conn = getConnection();
-    conn.authenticate("Luke", mcd_env->getPassword("Luke"));
+    conn.authenticate("Luke");
     const auto id = conn.getServerConnectionId();
     conn.selectBucket("bucket");
 
@@ -291,7 +291,7 @@ TEST_P(BucketTest, TestNoAutoSelectOfBucketForNormalUser) {
     adminConnection->createBucket("rbac_test", "", BucketType::Memcached);
 
     auto& conn = getConnection();
-    conn.authenticate("smith", "smithpassword", "PLAIN");
+    conn.authenticate("smith");
     auto response = conn.execute(
             BinprotGenericCommand{cb::mcbp::ClientOpcode::Get, name});
     EXPECT_EQ(cb::mcbp::Status::NoBucket, response.getStatus());
@@ -311,7 +311,7 @@ TEST_P(BucketTest, TestListSomeBuckets) {
 
     // Reconnect and authenticate as a user with access to only one of them
     auto& conn = getConnection();
-    conn.authenticate("smith", mcd_env->getPassword("smith"));
+    conn.authenticate("smith");
     const std::vector<std::string> expected = {"rbac_test"};
     EXPECT_EQ(expected, conn.listBuckets());